what is this new "mnsvc.exe"?

dongky

Senior member
Jan 31, 2001
419
0
0
In my startup, I noticed that there's this file called mnsvc.exe.
The reason I'm concerned about this is that I always get an alert from ZoneAlarm detecting this executable. From what I see from ZA's log file, mnsvc.exe tries to connect to the internet repeatedly after being blocked.
I just checked the properties of this file and it looks like it was created last Wed, Apr. 10.

Also, just this evening, my desktop icons suddenly turned into white-colored, concrete-like blocks. It changed this following type of icons:
My Computer icon
My Documents icon
Recycle Bin icon
.pdf files
.bat files
.txt files
.zip files
.lnk files(shortcuts)

icons that didn't change:
Network Neighborhood icon
folder icon
.exe files
.reg files
.doc files
.xls files
.html files
no extension files (unix-type files)


Has anybody experienced this? Is there any solution? Thanks
 

minendo

Elite Member
Aug 31, 2001
35,558
16
81
Can you provide us with more information please? OS and system specs may be helpful. I could not find any information about mnsvc.exe, the closest program name I could find was mqsvc.exe.
 

WarCon

Diamond Member
Feb 27, 2001
3,920
0
0
Bugtoaster (some kind of crash prevention software) lists the file, but doesn't list any pertinent info with it.

Here's a link to bugtoaster's page with that file. (It happens to be a page with known files that can crash kernel32.dll).

I couldn't find any other reference to it.

 

Reapomann

Junior Member
Apr 15, 2002
1
0
0
I just noticed it was put on to my machine - its date is 4/14. I was playing an online game and it started to lag to beat all hell. There were three other files that were placed with it: ausvc.exe, bvt.exe, and absr.exe. These files were put into the system to start up on boot. I let nothing but 3 files start up on my comp when I do a fresh boot, so these new ones were not hard to pick out. They were all placed onto the computer within 8 minutes of each other.

I also found a powerpoint program (directory.asp) that lists these files and an html page (dir(1).htm) that was located in my temp internet file that gives this info when I opened it:

;11010111000
[pkg] base = http://www.wwws1.com/ rel = 2164/1.0.0.0/mnsvc.pkg [/pkg]
[pkg] base = http://www.wwws1.com/ rel = 2020/1.4.2.307/auupg.pkg [/pkg]
[pkg] base = http://www.wwws1.com/ rel = 2002/2.0.0.9/bvt.pkg [/pkg]
[pkg] base = http://www.wwws1.com/ rel = 2004/1.0.0.8/absr.pkg [/pkg]

Putting in www.wwws1.com/rel takes you to a search engine page with a bunch of links on it. Is this some new adware/spyware program that puts itself on your computer without ever prompting you?

In addition there was a backup file (mbtcd.bak) and a log file (absr.lgc) that was also created at the same time as the others.

I did a find file search for the 14th and found all these things at the same approx. time.

I have disabled the programs from starting.

Searching for all of the files only came up with the mnsvc.exe link to this forum.
 

WarCon

Diamond Member
Feb 27, 2001
3,920
0
0
ausvc.exe seems to come from http://install.bestoftheweb.com/au/ausvc.exe, so I would guess that it is spyware. Man this spyware crap is getting as bad as viruses, especially if like my above link suggests that the mnsvc.exe is a known source of crashes. It should be illegal under those circumstances.
 

Abner

Junior Member
Apr 18, 2002
3
0
0
I'm on a 2K box, the file resides in my WINNT folder, I can not delete it from within windows, going to attempt in DOS.
It was created 4/17, I've been tracking through my IE history to see where I may have picked it up from, the only conclusion I've reached thus far is that it hitched a ride on an ad popup. I've asked my security guru about it, with no response as of yet.
 

mortepa

Junior Member
Apr 18, 2002
2
0
0
This executable is distributed when installing Gator software...which is an option when installing the Webshots screensaver program. It will put the executable into the C:\WINNT folder. Sometimes we were able to delete the MNSVC.EXE file and sometimes not...don't know what determines this. Also, make sure you remove all entries in your registry of course...I hope this helped some of you! :)

- Paul
 

Norton Anti-Virus detected mnsvc.exe, ausvc.exe, and absr.exe all as a backdoor.trojan horse program. I have found them on two machines at work. You need to update your AV signatures and remove these files. You will probably have to do it in safe mode as well as make Registry edits.

 

Abner

Junior Member
Apr 18, 2002
3
0
0
My security guru believes it to be a backdoor trojan of some sort. I also verified which site I picked it up from.
 

Cyanic

Junior Member
Apr 19, 2002
4
0
0
It appears that this is a backdoor, infected by trojan. Does anyone who has been infected know what application you got this from or website you were visiting? Symantec and TrendMicro have just been alerted to this and I will post their results to you all here. Norton antivirus picks these files up through its heuristics rather than known signatures, and identifies them as Backdoor.Trojan and Downloader.Trojan.

 

Rhi

Member
Dec 29, 2001
135
0
0
OOOOOOOHHH that GATOR BS PISSESS MEE OFFF.

I started getting pop-ups out of nowhere, and my desktop was looking funky sometimes. Weird crashes of explorer as well. I started hunting and found out that Gator's software had been installed, (I got it from installing DIVX 5.1 or something). The Gator program will not let you remove it unless you uninstall the program that accompanied it. Needless to say DIVX is gone. No more problems.

-Rhi
 

mortepa

Junior Member
Apr 18, 2002
2
0
0
One note about Gator:
The latest versions do not include the MNSVC.EXE file that we have been experiencing. When I ran it previously the other day, it was an earlier version packaged in conjunction with another software package.

One more note about this MNSVC.EXE file:
It has now propagated itself into almost a dozen of our workstations already in the last week. I KNOW we can't be the only ones with it happening this frequently. It makes me seriously concerned since there is nothing out there on this problem except what is mentioned here!

It will be interesting when we hear those results from Symantec and Trendmicro!
 

Cyanic

Junior Member
Apr 19, 2002
4
0
0
I'm not sure if this is Gator, but it sure acts like it. We just did some tests to see what is going on. It is launched by a file called ausvc.exe. It then opens an HTTP connection to www.wwws1.com (66.186.13.5) and a GET request for /2002/2.0.0.9/bvt.pkg. It keeps this behavior up, loading several other files. Anyway, it loads bvt.exe and ausvc.exe and quiets down. We tried to see if PestPatrol or AdAware noticed it; they didn't. Then we removed the files and reg settings by hand. We're still waiting to hear from the virus guys, but they didn't care much about Gator, so may not care much about this. Well, it's Friday, and I'm going home. I'll let y'all know if I find out anything else next week.

I'd still like to know where my users are getting this from.
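
An added example, not part of any post in this thread: it parses the [pkg] manifest Reapomann quoted into full download URLs and flags proxy-log requests like the GET that Cyanic observed. The log format, client addresses and log lines are constructed for illustration, and it is an assumption that packages not listed in the manifest keep the same /<id>/<version>/<name>.pkg path layout.

```python
import re
from urllib.parse import urljoin, urlsplit

# Manifest text as quoted in the thread (contents of dir(1).htm).
MANIFEST = """;11010111000
[pkg] base = http://www.wwws1.com/ rel = 2164/1.0.0.0/mnsvc.pkg [/pkg]
[pkg] base = http://www.wwws1.com/ rel = 2020/1.4.2.307/auupg.pkg [/pkg]
[pkg] base = http://www.wwws1.com/ rel = 2002/2.0.0.9/bvt.pkg [/pkg]
[pkg] base = http://www.wwws1.com/ rel = 2004/1.0.0.8/absr.pkg [/pkg]"""

# Constructed proxy log: date time client method url status (assumed format).
SAMPLE_LOG = [
    "2002-04-19 10:02:11 10.0.0.21 GET http://www.wwws1.com/2002/2.0.0.9/bvt.pkg 200",
    "2002-04-19 10:02:15 10.0.0.21 GET http://www.wwws1.com/2164/1.0.0.1/mnsvc.pkg 200",
    "2002-04-19 10:03:40 10.0.0.34 GET http://www.example.com/index.html 200",
    "2002-04-19 10:04:02 10.0.0.34 GET http://www.wwws1.com/ 200",
]

PKG_RE = re.compile(r"\[pkg\]\s*base\s*=\s*(\S+)\s+rel\s*=\s*(\S+)\s*\[/pkg\]", re.I)
# Assumed layout of a package path: /<id>/<dotted version>/<name>.pkg
PATH_RE = re.compile(r"^/\d+/\d+(?:\.\d+)+/[\w-]+\.pkg$", re.I)


def parse_manifest(text):
    """Return the full download URL of every [pkg] entry."""
    return [urljoin(base, rel) for base, rel in PKG_RE.findall(text)]


def find_fetches(log_lines, manifest_urls):
    """Map client IP -> requested URLs that are listed in the manifest, or that
    follow the package path layout on a host named in the manifest."""
    known = {u.lower() for u in manifest_urls}
    hosts = {urlsplit(u).hostname for u in manifest_urls}
    hits = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        client, url = parts[2], parts[4]
        target = urlsplit(url)
        if url.lower() in known or (
            target.hostname in hosts and PATH_RE.match(target.path)
        ):
            hits.setdefault(client, []).append(url)
    return hits


if __name__ == "__main__":
    for client, urls in find_fetches(SAMPLE_LOG, parse_manifest(MANIFEST)).items():
        print(client, "fetched", len(urls), "package(s):", *urls)
```

The second constructed log line carries a version that is not in the manifest and is still flagged by the path pattern, while a plain visit to the site's front page is not.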

 

AreEss64

Senior member
Oct 26, 1999
237
0
0
ID'd positive as spyware several weeks ago. Latest ref file for AdAware catches it AFAIK. It has some worm-like behaviour too, and I've caught word that some may be infected with various nasty little virii. Has a HIGH tendency to screw your entire installation if you try to kill it, supposedly, but I can't confirm. Seems to install using known IE security holes, how cute! Gotta stop browsing those free porn sites, guys. ;)
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
238
106
I am pretty sure it is NOT Gator. I have Gator on all my systems and have used it for nearly two years. I did a complete system file search for MSNSVC.EXE and nada! I believe it is a Trojan you picked up at some site.
 

AreEss64

Senior member
Oct 26, 1999
237
0
0
Oh, no, it's NOT Gator. Should have said that. I'm honestly not positive WHAT it is. It seems to be a combo that some ad company may have cooked up to report back to multiple places, to get more income somehow. :/
 

Cyanic

Junior Member
Apr 19, 2002
4
0
0
All right, Symantec is finally taking this seriously. They had changed their signatures to ignore this pest, and said that it was only simple spyware. After further analysis and tons of calls from other enterprise customers, they are taking this seriously and have renamed this pest to Backdoor.Autoupder, strange name indeed. Anyway here is the total breakdown at their site.

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.autoupder.html

 

Sandiclaws

Junior Member
Apr 25, 2002
3
0
0
I discovered mnsvc.exe (Backdoor autoupder) last night while running my updated Norton...............To the best of my ability, relying on date and time created.......I may have received it as I downloaded an ecard I received from "an express greeting for you" site on April 11, 2002 at 12:53pm est.........or a pop-up during that visit to the site ( I don't recall if there were pop-ups or not and I sure am not going to go back to see........lolol). Last night after my Norton notified me about this mnsvc.exe virus, I tried to delete the mnsvc.exe...........couldn't because it said windows was using that program........tried to quarantine it..........couldn't...........so I just waited until this morning........ran a "find" for it and now it only appears as mnsvc (no exe. after it). Scanned this with Norton and it reported nothing. So bottom line, I am clueless about the entire mess. I too am getting very frequent requests from my ZoneAlarm to access mnsvc ........which I am, of course, not allowing.........I've even gone so far as to tell the Norton to never allow access to it. I did visit the Norton site and as I was reading their directions for removing it and the possible problems removal could cause..........well, this was the point where I started to wonder if it would just be easier to buy a new computer or stop using the internet entirely.................YIKES!! Sure wish I could go back in time on this one...............a greeting card that perhaps came with a very unwanted gift
 

Sandiclaws

Junior Member
Apr 25, 2002
3
0
0
oops.......mistake on my last post...........I should have said that I had gone so far as to tell my "ZoneAlarm" to never access the mnsvc deal. Sorry for the mistake......but right now my brain is fried from this stuff :(
 

Sandiclaws

Junior Member
Apr 25, 2002
3
0
0
just in case it matters to anyone.............the exact name of the ecard site was "Expressit Greetings"......and it came from this site or a pop up at this site.........I'm positive of that!! :)
 

Harvey

Administrator | Elite Member
Oct 9, 1999
35,052
30
86
<< Also, just this evening, my desktop icons suddenly turned into white-colored, concrete-like blocks. It changed this following type of icons >>

This may be a different effect. I sometimes run several browsers at once. I have seen this, before, in Netscape 4.7x after being on line for awhile. Just guessing, but it may also have something to do with my vid card. I have been using only TNT2 chipset cards, lately, so I have not had a chance to verify whether this is related.

BTW, Netscape 6.22 rocks! :)