Malware mvsr32.exe - What is it? - Tech Support Forums

Chuckiechan · February 27th, 2007, 11:10 AM

It keeps asking Zone Alarm for permission to contact the internet, so I "killed" it. I've done a variety of Trojan and Virus scans and nothing comes up.

More Info: the IP it is trying to reach is 66.60.130.2DNS Anyone know where this is? Note: there is a : between the 2 and the D - If I put it in I get a Smiley Face...

I've done a system search and nothing comes up.

I did a Google search and the results are not in English and the translator isn't doing a very good job.

I can't find an English description to tell me how to remove it.

Any ideas?

BluesMan1 · February 28th, 2007, 04:31 AM

CW Shredder worth a try: http://www.intermute.com/spysubtract..._download.html

Ad Aware SE Personnal: http://www.lavasoftusa.com/

Spybot: http://www.safer-networking.org/en/download/index.html

Hijack This, create a log: http://www.spywareinfo.com/~merijn/programs.php

Copy the log here and analyze it: http://hijackthis.de/index.php

You can also use some online tools: http://housecall.trendmicro.com/

I'm sure that you'll get more tools from the people here also.......

Good Luck

Micro Bean · February 28th, 2007, 04:36 AM

surely seem like a spyware program that got installed cant be so positive though I have seen that somewhere....I think the reason its trying to connect You know how when you get tons of ad popups those are the programs that cause it mainly the spyware progs So I believe its that I will look into it and try to remember what it was.

nomaxim · February 28th, 2007, 07:30 AM

The IP comes back through a WhoIs look-up as;

Quote:

IP Information 66.60.130.2
OrgName: Surewest Internet
OrgID: SURW
Address: P.O. Box 969
City: Roseville
StateProv: CA
PostalCode: 95678
Country: US
NetRange: 66.60.128.0 - 66.60.191.255
CIDR: 66.60.128.0/18
NetName: SUREWEST-INTERNET
NetHandle: NET-66-60-128-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.SUREWEST.NET
NameServer: NS2.SUREWEST.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-01-03
Updated: 2002-10-24

RTechHandle: ZR32-ARIN
RTechName: DNS Admin
RTechPhone: +1-916-772-5000
RTechEmail: dnsadmin @ surewest.net

OrgAbuseHandle: ABUSE57-ARIN
OrgAbuseName: Abuse Department
OrgAbusePhone: +1-916-772-5000
OrgAbuseEmail: abuse @ surewest.net

OrgNOCHandle: ZR32-ARIN
OrgNOCName: DNS Admin
OrgNOCPhone: +1-916-772-5000
OrgNOCEmail: dnsadmin @ surewest.net

OrgTechHandle: ZR32-ARIN
OrgTechName: DNS Admin
OrgTechPhone: +1-916-772-5000
OrgTechEmail: dnsadmin @ surewest.net

E-mails addy edited, remove spaces.

Wouldn't by chance be your ISP would it?

Chuckiechan · February 28th, 2007, 12:29 PM

That's me...

What does "Abuse" mean?

The message I get a boot up when I take ZA off "kill" is:

mvsr32.exe is trying to modify a driver or service: WSCSVC

Oddly, it doesn't appear to reside on my system under the file name of mvsr32.exe. I wonder if it belongs to my ISP?

I'll be back in town Friday...

Chuckiechan · March 3rd, 2007, 02:54 PM

Well, after much research I went into the registry and killed it. It's dead and presumably gone.... asleep until the next Torrent download....Zzzzz