
Running a cloud server on Rackspace: Windows Server 2008 R2 x64 (4 GB Standard Instance). It hosts SQL Server and IIS and serves our application to users. It has been fine for months/years. Last night through this morning, it was "jammed" at 100% CPU usage, couldn't remote in, etc. Finally got in through the emergency console and rebooted.

Server and sites will come up, but CPU usage keeps going to 100% and the server is becoming unresponsive every 30-60 min. Two weird questions:

  1. Looking at the server's task manager seems to unclog it. Yes, looking, not doing anything. I get reports the server is hanging, I remote in and pull up Task Manager, and I see System Idle go back to the 80s and 90s.

  2. There is a file, msiexev.exe from s:\windows\security, that keeps popping up in Task Manager and takes at least 50% of the processor load. I do not know what this file is, but it keeps reappearing when I kill the process. I even deleted the file from its folder (into the Recycle Bin), but it reappeared in its folder and in Task Manager.

I have disabled the Windows Installer service just in case. I read that msiexec is an install utility, but searches for msiexeV are coming up empty. Any ideas?

Thanks!

Mike
  • I think it's some recent exploit. I, too, have found the exact same thing. The process is being created (in my case at least) by `wuauser.exe` located in `Windows\Prefetch`. There's also a strange task scheduled in Task Scheduler. It seems to have been created this Monday? VirusTotal also lists the files as infected, and "first seen" dates are pretty recent. What's worrying is that, in our case, it hit our TMG server. Admittedly, TMG is old. But still.... BTW, I'm from Poland and we're not using Rackspace, so... – Shaamaan Apr 27 '17 at 22:09
  • msiexeC (with a C, not a V) is indeed the Windows Installer. You're saying V, so that's something entirely unrelated. – Matthew Wetmore Apr 28 '17 at 20:34

1 Answer


If the file is literally called 'msiexev.exe' (with a V), you've been infected with some sort of malware. And when you log in and open Task Manager, it's basically trying to hide itself by backing off whatever it was doing.

Time to create a new instance and restore from backup.

Ryan Bolger
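Before tearing the instance down, it is worth capturing what is actually running and what keeps respawning it, so the rebuild does not restore the same persistence from backup. The script below is an added example, not code from the question or the answer above. It takes the names reported in the thread (msiexev.exe, wuauser.exe under Windows\Prefetch, a recently created scheduled task) as search terms only; they are not confirmed indicators, and any hit still has to be judged by its hash and signature. It assumes a Windows host with PowerShell 2.0 or later (the 2008 R2 default), which is why it uses Get-WmiObject, schtasks.exe and a .NET hash routine rather than the newer Get-CimInstance, Get-ScheduledTask and Get-FileHash cmdlets. Run it from an elevated prompt.

```powershell
# Added triage example (not from the original post). Assumptions: PowerShell 2.0+ on
# Windows; the process and file names below come from the thread and are search
# terms, not verified indicators of compromise.
$suspectNames    = @('msiexev.exe', 'wuauser.exe')
$legitInstaller  = Join-Path $env:SystemRoot 'System32\msiexec.exe'
$suspectPattern  = 'msiexev|wuauser|\\Prefetch\\'

# SHA-256 via .NET so this works where Get-FileHash (PowerShell 4+) is absent.
function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. Running processes whose name imitates the Windows Installer but whose image is
#    not the real msiexec.exe, plus the parent process so the dropper can be found.
#    Win32_Process (unlike Get-Process) exposes ParentProcessId and CommandLine.
$procs = Get-WmiObject Win32_Process
foreach ($p in $procs) {
    $lookalike = ($p.Name -like 'msiexe?.exe') -and ($p.ExecutablePath -ne $legitInstaller)
    if (($suspectNames -contains $p.Name) -or $lookalike) {
        $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        New-Object PSObject -Property @{
            Pid         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            ParentPid   = $p.ParentProcessId
            ParentName  = $parent.Name
            ParentPath  = $parent.ExecutablePath
        } | Format-List
        if ($p.ExecutablePath -and (Test-Path $p.ExecutablePath)) {
            'SHA256: ' + (Get-Sha256 $p.ExecutablePath)
            # The genuine installer is Microsoft-signed; a dropped binary usually is not.
            Get-AuthenticodeSignature $p.ExecutablePath |
                Select-Object Status, @{n='Signer'; e={ $_.SignerCertificate.Subject }} | Format-List
        }
    }
}

# 2. Executables sitting in Windows\Prefetch. That folder legitimately holds only .pf
#    files, so any .exe there is worth hashing and submitting.
Get-ChildItem (Join-Path $env:SystemRoot 'Prefetch') -Filter '*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}  {1}  {2}' -f $_.FullName, $_.LastWriteTime, (Get-Sha256 $_.FullName) }

# 3. Persistence: scheduled tasks whose action points at the suspect names.
#    schtasks.exe exists on 2008 R2; Get-ScheduledTask does not. The verbose CSV output
#    repeats its header line per task folder, so those rows are filtered out.
schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match $suspectPattern } |
    Select-Object TaskName, 'Task To Run', 'Run As User', 'Next Run Time' | Format-List

# 4. Persistence: Run keys and services whose image path matches the same names.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $values = Get-ItemProperty $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Value -is [string] -and $prop.Value -match $suspectPattern) {
                '{0}\{1} = {2}' -f $key, $prop.Name, $prop.Value
            }
        }
    }
}
Get-WmiObject Win32_Service |
    Where-Object { $_.PathName -match $suspectPattern } |
    Select-Object Name, State, StartMode, PathName | Format-List
```

Two points follow from the thread itself. First, the reappearing file is almost certainly being rewritten by whatever the parent process or the scheduled task launches, so deleting it or stopping the Windows Installer service (which the fake name only imitates) changes nothing; the parent and the task are what the output above is for. Second, this is evidence collection, not cleanup: the answer's advice to build a fresh instance stands, and the hashes gathered here are what you check the restored backup and the new instance against.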