MsiInstaller pops up many times when loading windows xp


This topic is locked. 6 replies to this topic.

#1 rlt7500 (Members, 2 posts)

Posted 19 July 2009 - 01:08 AM

Every time I boot up, I get the MsiInstaller window that pops up and says it's trying to install something, but then goes away. It then pops up again and does this 18-19 times, then it stops and I can continue.

This is the MsiInstaller Application Warning in Event Viewer

Detection of product '{D65D3265-88E9-48E2-A200-A6FA2D530C83}', feature 'SupportingFiles' failed during request for component '{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'

After some research, I found a directory on my computer called:
C:\WINDOWS\Installer\{D65D3265-88E9-48E2-A200-A6FA2D530C83}

Searching for this string, I found that it could be related to malware or something, but I can't seem to get rid of it and I don't know what program I could have installed, but didn't (possibly) uninstall correctly.

I have at least one program that will NOT uninstall out of the Windows Add/Remove programs list and that is:
Retail Pro v8

Windows Install Clean Up does not show this program in the list, but it does show some things that don't make sense. One thing is simply called "Setup [3.06.134]".

Below is the copy of the DDS.txt file required to paste in. Here it goes...


DDS (Ver_09-06-26.01) - NTFSx86
Run by Richard Taylor at 22:44:34.98 on Sat 07/18/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1243 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\java.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Richard Taylor\Desktop\dds.scr
C:\WINDOWS\system32\taskmgr.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {abc42510-9b22-41c1-9dcd-8182a2d07c63} - BHO
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [WINREMOTE] "c:\program files\intervideo\common\bin\WinRemote.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia 3\TMMonitor.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Download all by Net Transport - c:\program files\nettransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\nettransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: metrolist.net
Trusted Zone: mybittorrent.com\www
Trusted Zone: rapmls.com
Trusted Zone: statementlook.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219118340390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {e06e2e99-0aa1-11d4-aba6-0060082aa75c} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: igfxcui - igfxsrvc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 linksysupdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-31 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2008-12-31 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-2 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-12-31 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-31 335376]
S1 51da86ba;51da86ba;c:\windows\system32\drivers\51da86ba.sys --> c:\windows\system32\drivers\51da86ba.sys [?]
S2 dtappserv;DevTrack Application Server;c:\program files\techexcel\dtserver\appserver\dtappsrv.exe --> c:\program files\techexcel\dtserver\appserver\DTAppSrv.exe [?]
S2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sretsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sRETSDATA [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2004-12-27 7424]
S3 SliceDisk5;SliceDisk5;c:\program files\a-ff find and mount\slicedisk.sys [2009-1-15 10240]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.exe -i retsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.EXE -i RETSDATA [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]

=============== Created Last 30 ================

2009-07-17 22:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Team MediaPortal
2009-07-17 22:50 <DIR> --d----- c:\program files\Team MediaPortal
2009-07-17 22:49 <DIR> --d----- c:\program files\MySQL
2009-07-17 22:33 <DIR> --d----- c:\program files\Devnz
2009-07-15 23:05 <DIR> --dsh--- c:\documents and settings\richard taylor\IECompatCache
2009-07-12 22:47 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-12 22:47 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-12 22:46 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-07-08 22:20 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-07-07 23:56 <DIR> --dsh--- c:\documents and settings\richard taylor\IETldCache
2009-07-07 23:54 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-07 23:54 <DIR> --d----- c:\windows\ie8updates
2009-07-07 23:52 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 23:52 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-07 23:49 <DIR> -cd-h--- c:\windows\ie8
2009-07-01 23:42 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-01 23:41 <DIR> --d----- C:\9c59add00498597327c7f89523
2009-07-01 23:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-01 23:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-01 23:10 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-30 22:37 <DIR> --d----- c:\program files\GCC4243N_fw
2009-06-30 22:23 27,496 a------- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-05-22 01:02 225,296 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-05-22 01:00 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-05-22 00:45 1,220,120 a------- c:\windows\system32\drivers\vsapint.sys
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:14 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2008-07-20 01:18 87,608 a------- c:\docume~1\richar~1\applic~1\inst.exe
2008-07-20 01:18 47,360 a------- c:\docume~1\richar~1\applic~1\pcouffin.sys
2006-12-14 11:24 81,920 a------- c:\docume~1\richar~1\applic~1\ezpinst.exe
2006-09-12 15:28 439,296 a------- c:\documents and settings\richard taylor\remote.exe
2008-08-25 22:16 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-25 22:16 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-25 22:16 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:45:02.95 ===============
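The warning quoted in the post names the product and the component only by GUID, and the directory found under C:\WINDOWS\Installer carries the same product GUID. As an added example (not part of the original post and not a BleepingComputer or Windows tool), the Python below parses that warning text and computes the 32-character "packed" GUID form that Windows Installer uses as registry key names, so the GUID can be resolved to a product name and uninstall string with regedit or `reg query`. The sample message is copied from the post; the registry layout assumes a per-machine install (the S-1-5-18 key), which is an assumption, as the post does not say how the product was installed.

```python
import re

# Constructed sample input: the MsiInstaller warning quoted in the post above.
SAMPLE_EVENT = (
    "Detection of product '{D65D3265-88E9-48E2-A200-A6FA2D530C83}', "
    "feature 'SupportingFiles' failed during request for component "
    "'{D2D7B4BF-6CCA-11D5-8B3F-00105A9846E9}'"
)

# Matches the text of the Windows Installer "Detection of product ... failed" warning.
EVENT_RE = re.compile(
    r"Detection of product '(?P<product>\{[0-9A-Fa-f-]{36}\})', "
    r"feature '(?P<feature>[^']+)' failed during request for component "
    r"'(?P<component>\{[0-9A-Fa-f-]{36}\})'"
)


def parse_detection_event(message):
    """Return (product_guid, feature, component_guid), or None if the text is not
    a detection-failure warning."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    return m.group("product").upper(), m.group("feature"), m.group("component").upper()


def pack_guid(guid):
    """Convert a {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} GUID to the 32-character
    'packed' form Windows Installer uses as registry key names: the first three
    groups are reversed character by character, and in the last two groups each
    pair of characters is swapped."""
    parts = guid.strip("{}").upper().split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError("not a GUID: %r" % guid)

    def swap_pairs(s):
        return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))

    return (parts[0][::-1] + parts[1][::-1] + parts[2][::-1]
            + swap_pairs(parts[3]) + swap_pairs(parts[4]))


def registry_paths(product_guid, component_guid):
    """Registry keys to inspect (regedit or 'reg query') for the product and the
    component named in the warning. A per-machine install is assumed (SID
    S-1-5-18 = LocalSystem); a per-user install keeps the same layout under the
    installing user's own SID instead."""
    p = pack_guid(product_guid)
    c = pack_guid(component_guid)
    base = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18"
    return {
        # The ProductName value under this key says what the GUID belongs to.
        "product": r"HKLM\SOFTWARE\Classes\Installer\Products\%s" % p,
        # DisplayName and UninstallString for the same product.
        "install_properties": base + r"\Products\%s\InstallProperties" % p,
        # One value per product that uses the component; the value data is the
        # key-path file whose absence makes detection fail and triggers the repair.
        "component": base + r"\Components\%s" % c,
    }


def triage(message):
    """Parse the warning and return its GUIDs plus the registry keys to check."""
    parsed = parse_detection_event(message)
    if parsed is None:
        return None
    product, feature, component = parsed
    return {
        "product": product,
        "feature": feature,
        "component": component,
        "paths": registry_paths(product, component),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENT).items():
        print(key, value)
```

The product key's ProductName value identifies the program behind the GUID; if the package is still cached under C:\WINDOWS\Installer, `msiexec /x {product-GUID}` removes it through the normal uninstall path, and the component key's value data names the file whose absence is making Windows Installer re-run detection at every logon.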

#2 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 29 July 2009 - 11:30 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
Shannon

#3 rlt7500 (Topic Starter, Members, 2 posts)

Posted 30 July 2009 - 12:35 AM

Here is my new log file requested. Thanks in advance for all your help. Richard T.
Attached is also the zipped up "Attach.txt" file.

DDS (Ver_09-06-26.01) - NTFSx86
Run by Richard Taylor at 22:24:35.80 on Wed 07/29/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2038.1200 [GMT -7:00]

AV: Trend Micro Internet Security *On-access scanning enabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\InterVideo\Common\Bin\WinRemote.exe
svchost.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ArcSoft\TotalMedia 3\TMMonitor.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Richard Taylor\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {abc42510-9b22-41c1-9dcd-8182a2d07c63} - BHO
BHO: Catcher Class: {adecbed6-0366-4377-a739-e69dfba04663} - c:\program files\moyea\flv downloader\MoyeaCth.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} -
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
mRun: [WINREMOTE] "c:\program files\intervideo\common\bin\WinRemote.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [LELA] "c:\program files\linksys\linksys easylink advisor\Linksys EasyLink Advisor.exe" /minimized
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tmmoni~1.lnk - c:\program files\arcsoft\totalmedia 3\TMMonitor.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Download all by Net Transport - c:\program files\nettransport 2\NTAddList.html
IE: Download by Net Transport - c:\program files\nettransport 2\NTAddLink.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {fb5f1910-f110-11d2-bb9e-00c04f795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: metrolist.net
Trusted Zone: mybittorrent.com\www
Trusted Zone: rapmls.com
Trusted Zone: statementlook.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {32564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8dmo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1219118340390
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CBD8B1CB-2F5F-415F-93E8-A297B33DCBB2} - hxxp://entriq.vo.llnwd.net/o1/NBCUniversal/cabs/cpucheck_1_0_0_4.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
DPF: {e06e2e99-0aa1-11d4-aba6-0060082aa75c} -
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: igfxcui - igfxsrvc.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, mcenspc.dll

============= SERVICES / DRIVERS ===============

R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 linksysupdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-6-26 204800]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-12-31 50192]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2008-12-31 497008]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-1-2 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-12-31 677128]
R2 TVService;TVService;c:\program files\team mediaportal\mediaportal tv server\TvService.exe [2009-6-26 180224]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-12-31 335376]
S1 51da86ba;51da86ba;c:\windows\system32\drivers\51da86ba.sys --> c:\windows\system32\drivers\51da86ba.sys [?]
S2 dtappserv;DevTrack Application Server;c:\program files\techexcel\dtserver\appserver\dtappsrv.exe --> c:\program files\techexcel\dtserver\appserver\DTAppSrv.exe [?]
S2 MSSQL$RETSDATA;MSSQL$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sretsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlservr.exe -sRETSDATA [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2004-12-27 7424]
S3 SliceDisk5;SliceDisk5;c:\program files\a-ff find and mount\slicedisk.sys [2009-1-15 10240]
S3 SQLAgent$RETSDATA;SQLAgent$RETSDATA;c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.exe -i retsdata --> c:\program files\microsoft sql server\mssql$retsdata\binn\sqlagent.EXE -i RETSDATA [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2008-1-25 25088]

=============== Created Last 30 ================

2009-07-19 00:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MySQL
2009-07-17 22:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Team MediaPortal
2009-07-17 22:50 <DIR> --d----- c:\program files\Team MediaPortal
2009-07-17 22:49 <DIR> --d----- c:\program files\MySQL
2009-07-17 22:33 <DIR> --d----- c:\program files\Devnz
2009-07-15 23:05 <DIR> --dsh--- c:\documents and settings\richard taylor\IECompatCache
2009-07-12 22:47 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-12 22:47 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-12 22:46 21,504 a------- c:\windows\system32\drivers\hidserv.dll
2009-07-08 22:20 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-07-07 23:56 <DIR> --dsh--- c:\documents and settings\richard taylor\IETldCache
2009-07-07 23:54 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-07-07 23:54 <DIR> --d----- c:\windows\ie8updates
2009-07-07 23:52 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 23:52 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-07-07 23:49 <DIR> -cd-h--- c:\windows\ie8
2009-07-01 23:42 <DIR> --d----- c:\windows\system32\XPSViewer
2009-07-01 23:41 <DIR> --d----- C:\9c59add00498597327c7f89523
2009-07-01 23:30 410,984 a------- c:\windows\system32\deploytk.dll
2009-07-01 23:30 73,728 a------- c:\windows\system32\javacpl.cpl
2009-07-01 23:10 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-06-30 22:37 <DIR> --d----- c:\program files\GCC4243N_fw
2009-06-30 22:23 27,496 a------- c:\windows\system32\mucltui.dll.mui

==================== Find3M ====================

2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-09 01:14 1,418,120 a------- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2008-07-20 01:18 87,608 a------- c:\docume~1\richar~1\applic~1\inst.exe
2008-07-20 01:18 47,360 a------- c:\docume~1\richar~1\applic~1\pcouffin.sys
2006-12-14 11:24 81,920 a------- c:\docume~1\richar~1\applic~1\ezpinst.exe
2006-09-12 15:28 439,296 a------- c:\documents and settings\richard taylor\remote.exe
2008-08-25 22:16 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-08-25 22:16 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-08-25 22:16 32,768 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 22:25:37.62 ===============

#4 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 30 July 2009 - 08:33 AM

I have an active topic in need of help:

rlt7500
http://www.bleepingcomputer.com/forums/t/242720/msiinstaller-pops-up-many-times-when-loading-windows-xp/

Comments: Every time I boot up, I get the MsiInstaller window that pops up and says it's trying to install something, but then goes away. It then pops up again and does this 18-19 times, then it stops and I can continue.
Shannon

#5 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 02 August 2009 - 08:20 PM

Hi-

I am going to be helping you. It will take a while to process your logs due to research that must be done. Please give me some time to look them over and I will post back soon.
Shannon

#6 Shannon2012 (Security Colleague, 3,657 posts, North Carolina, USA)

Posted 04 August 2009 - 01:25 PM

Hi-

Before we work on the MsiInstaller problem, we need to talk about an identified malware infection on your computer. It is a backdoor trojan. A backdoor trojan can allow hackers to remotely control your computer, steal critical system and personal information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be to reformat the hard drive and reinstall the operating system. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.
If you wish to continue, let's get started on cleaning up your machine.


Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please print out and follow these instructions: "How to use SDFix". The SDFix download is at the bottom of the first page of the instructions.
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.
Please download Malwarebytes' Anti-Malware from HERE.

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and next to Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 or 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Now, you need to download and run HijackThis.
Click here to download HijackThis.

Select Download HijackThis Installer and download it to your Desktop.
Double click on the HJTInstall.exe icon to start the program.
Install to the default - C:\Program Files\Trend Micro\HijackThis.
After the final dialogue box, it will launch HijackThis.

Click on the scan button. It will scan and then ask you to save the log.
Save the log, and post the entire log, the Malwarebytes log, and the SDFix log to me in your next reply.
Shannon
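The helper's post does not say which line of the DDS log led to the backdoor diagnosis. As an added example (not part of any post in this thread and not part of DDS itself), the Python below shows the kind of rule a log reviewer applies to the "Pseudo HJT Report" section: the Winlogon Userinit value (the `mWinlogon:` line, where DDS's `m` prefix denotes the machine hive) should contain only the stock userinit.exe, and every additional executable listed there is started at each interactive logon before the shell and has to be accounted for. The two log lines in the sample are copied from the logs posted above; the "clean" comparison line is constructed for the example.

```python
import re

# Constructed sample input. The Winlogon line is copied verbatim from the DDS
# logs posted in this thread; the neighbouring lines are there only so the
# checker has something to skip.
SAMPLE_LINES = [
    r"uStart Page = hxxp://www.comcast.net/",
    r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\ntos.exe,",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3}",
]

# Constructed for comparison: what the same line looks like on a stock XP install.
CLEAN_LINE = r"mWinlogon: Userinit=c:\windows\system32\userinit.exe,"

# The only executable that belongs in Userinit on a default Windows XP system.
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

USERINIT_RE = re.compile(r"^mWinlogon:\s*Userinit=(?P<value>.*)$", re.IGNORECASE)


def userinit_entries(line):
    """Split a DDS 'mWinlogon: Userinit=' line into its executable entries.
    The value is comma-separated and conventionally ends with a trailing comma,
    which is why empty pieces are dropped. Returns None for any other line."""
    m = USERINIT_RE.match(line.strip())
    if m is None:
        return None
    return [e.strip().lower() for e in m.group("value").split(",") if e.strip()]


def unexpected_userinit(lines, expected=EXPECTED_USERINIT):
    """Return every Userinit entry in the log that is not the stock userinit.exe.
    Each such entry is launched by Winlogon at every logon, before Explorer, and
    survives the user closing their programs, so it is a standard persistence
    location to review before anything else in the log."""
    extra = []
    for line in lines:
        entries = userinit_entries(line)
        if entries is None:
            continue
        extra.extend(e for e in entries if e not in expected)
    return extra


def review(lines):
    """Human-readable verdict for the Userinit check over a whole DDS log."""
    extra = unexpected_userinit(lines)
    if not extra:
        return "Userinit: only the stock userinit.exe is listed"
    return "Userinit: %d unexpected entr%s to account for: %s" % (
        len(extra), "y" if len(extra) == 1 else "ies", ", ".join(extra))


if __name__ == "__main__":
    print(review(SAMPLE_LINES))
    print(review([CLEAN_LINE]))
```

The check compares lower-cased paths because the registry value and DDS output are case-insensitive; if you extend the expected set (some vendors legitimately add an entry here), do it from a known-good machine rather than from the log under review.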

#7 kahdah (Security Colleague, 11,138 posts, Florida)

Posted 11 August 2009 - 06:39 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
