Thread: Suspicious file => msmapi32.exe

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Location
    Michigan
    Posts
    1

    Suspicious file => msmapi32.exe

    I'm just posting a recent experience with a friend's infected computer.

    In summary, I could not get rid of the infection mentioned by others on this forum, including the systray notification about "antispyware update needed" etc., even after doing everything posted in the threads on this forum.

    I noticed the file c:\Windows\System32\msmapi32.exe . When I renamed and moved this file, I was able to disinfect the machine for the first time. This file was missed by SpyBot, Ad-Aware, CWshredder, Avast antivirus, BHODemon, etc. (all with updated definitions, then the most thorough scan modes in safe mode).

    I also ran Activescan (pandasoftware) and Housecall (TrendMicro).

    More detail:

    Bottom line is I could completely "clean" the machine in safe mode using all of these programs, but when I would re-boot into standard Windows XP, exactly 9 instances of coolwwwsearch variants (CWShredder), 39 BHOs (BHODemon), and numerous SpyBot S&D, Ad-Aware, and Avast files were found WITHOUT even being connected to the internet! Renaming/moving msmapi32.exe solved the issue. Note that I first had to kill the process msmapi32.exe before I could rename/move it.

    Thanks, and I hope this helps the team,

    MadScientist

  2. #2
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Thanks for reporting. I have found 3 variants of this file and I am going to add it to our detection database.
    born in the shadow to die in the shadow, that is the fate of the shinobi

