
virus gone; msiexec still runs on .exe execution


12 replies to this topic

#1 barockteer

  • Members
  • 16 posts

Posted 30 August 2010 - 06:26 AM

Here’s my story:


Pentium 4 running XP Home SP3. Antivirus is Kaspersky Internet Security 2010.

Had an infection of Trojan.Win32.Agent.etxw and Packed.Win32.Krap.hc, which Kaspersky detected and cleaned.

After this, I had the following side effect symptoms:

When running a program such as foo.exe, which had an ini file (foo.ini) associated with it, Windows Installer msiexec.exe would run and attempt to do an install from a hijacked application. The installer would fail because Kaspersky had deleted the install package.

I have since completely removed the hijacked application and all files and references to it. I have cleaned all references to it out of the registry.

Now when running foo.exe, msiexec still runs but fails because it cannot find the referenced install package. Msiexec stays running in task manager. This is an annoyance but not a critical issue that I would like to resolve.


I posted to the virus forum; received a reply and performed a lot of cleaning; my guru over there says my system is clean but I should post here for help fixing this ongoing problem. My original post is:

http://www.bleepingcomputer.com/forums/topic339782.html

Thanks - any help appreciated

Edited by barockteer, 30 August 2010 - 06:27 AM.



#2 cryptodan

    Bleepin Madman

  • Members
  • 21,868 posts
  • Gender:Male
  • Location:Catonsville, Md

Posted 30 August 2010 - 07:42 AM

You could very well be still infected with something.

#3 hamluis

    Moderator

  • Moderator
  • 55,734 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 August 2010 - 09:12 AM

Msiexec.exe, if bona fide, is a Windows Installer file.

If you are trying to install any program using the Windows Installer, this process should run.

What is the exact onscreen message you receive concerning this file?

Louis

#4 barockteer

  • Topic Starter
  • Members
  • 16 posts

Posted 30 August 2010 - 12:02 PM

I get the regulation Windows Installer box appearing briefly, then it disappears. I get an error in the event log saying msiexec can't find the specified installation file. msiexec stays running in the task manager.

#5 hamluis

    Moderator

  • Moderator
  • 55,734 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 August 2010 - 12:14 PM

OK, thanks.

Go to your Event Viewer...and double-click on the msiexec error...post all the detail. Then double-click it and post the additional details provided.

Are you running the 4.5 version of Windows Installer?

http://www.microsoft.com/downloads/details...;displaylang=en

Louis

#6 barockteer

  • Topic Starter
  • Members
  • 16 posts

Posted 30 August 2010 - 04:06 PM

Event Type: Warning
Event Source: MsiInstaller
Event Category: None
Event ID: 1001
Date: 8/30/2010
Time: 5:01:30 PM
User: JIMINY\Tony
Computer: JIMINY
Description:
Detection of product '{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}', feature 'ScannedProject' failed during request for component '{397D1013-A762-11D2-B97E-006097C4DE24}'

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.





...The product 647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE was the hijacked application, and it has since been entirely scrubbed from the computer, including all corresponding registry entries.

#7 hamluis

    Moderator

  • Moderator
  • 55,734 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 August 2010 - 04:35 PM

Pardon my ignorance (I do my best, with what I have :thumbsup:)...but what was this "hijacked application"?

<<...and it has since been entirely scrubbed from the computer>>

OK...but how do you explain a reference to a non-existent registry entry?

BTW...that's a warning, not an error. Warnings usually call for no user action, informational in nature...while errors are deemed to be more important.

Have you taken a look at your startup items...using a tool like AutoRuns for Windows - http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx ?

Louis
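The 1001 warning quoted in post #6 is Windows Installer's self-repair ("resiliency") check failing: something still asks for a component registered to a product that no longer exists, which is the leftover reference Louis asks about above. As an added example, not code from the thread or from any of the tools it links, this PowerShell script converts the product and component GUIDs from that event into the packed form the Installer uses for its registry key names and lists every registration that still carries them; the function names are my own, and it assumes it is run as Administrator on the 32-bit XP machine described (so there is no Wow6432Node branch to check).

```powershell
# Added example, not code from the thread. msiexec starts a "self-repair" when an
# advertised entry point asks for a component whose product registration is broken;
# the 1001 event names that product and component. Installer keys store GUIDs in
# "packed" form (first three groups reversed, remaining bytes nibble-swapped), so a
# search for the braced GUID finds nothing. Assumes Administrator on 32-bit XP.
function ConvertTo-PackedGuid {
    param([Parameter(Mandatory)][string]$Guid)
    $hex = $Guid.Trim('{}').Replace('-', '').ToUpperInvariant()
    if ($hex.Length -ne 32) { throw "Not a GUID: $Guid" }
    $rev = { param([string]$s) -join $s.ToCharArray()[($s.Length - 1)..0] }
    $packed = (& $rev $hex.Substring(0, 8)) + (& $rev $hex.Substring(8, 4)) +
              (& $rev $hex.Substring(12, 4))
    for ($i = 16; $i -lt 32; $i += 2) {   # swap the two nibbles of each remaining byte
        $packed += $hex.Substring($i + 1, 1) + $hex.Substring($i, 1)
    }
    return $packed
}

function Find-InstallerReferences {
    param([Parameter(Mandatory)][string]$ProductCode, [string]$ComponentId)
    $p = ConvertTo-PackedGuid $ProductCode
    $hits = @()
    # Product and feature registrations are keys named by the packed product code.
    $keyPaths = @(
        "HKLM:\SOFTWARE\Classes\Installer\Products\$p",
        "HKLM:\SOFTWARE\Classes\Installer\Features\$p",
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\$p",
        "HKCU:\SOFTWARE\Microsoft\Installer\Products\$p"
    )
    foreach ($kp in $keyPaths) {
        foreach ($k in @(Get-Item -Path $kp -ErrorAction SilentlyContinue)) { $hits += $k.Name }
    }
    # A component key holds one value per owning product (name = packed product code,
    # data = the key path msiexec re-checks); a leftover value here is the dangling reference.
    $compRoot = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Components"
    $comps = @(if ($ComponentId) {
        Get-Item -Path "$compRoot\$(ConvertTo-PackedGuid $ComponentId)" -ErrorAction SilentlyContinue
    } else {
        Get-ChildItem -Path $compRoot -ErrorAction SilentlyContinue
    })
    foreach ($c in $comps) {
        $v = $c.GetValue($p)
        if ($null -ne $v) { $hits += "$($c.Name) : $p = $v" }
    }
    return $hits
}

# GUIDs taken from the 1001 event quoted in post #6:
Find-InstallerReferences -ProductCode '{647E6B9D-58A1-42B4-955C-BC6CD4F0E9FE}' -ComponentId '{397D1013-A762-11D2-B97E-006097C4DE24}'
```

Any key or value the script prints is a registration the manual cleanup missed; an empty result means the trigger is elsewhere (for instance an advertised shortcut or file association that names the component), which the registry hives alone will not show.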

#8 barockteer

  • Topic Starter
  • Members
  • 16 posts

Posted 30 August 2010 - 05:27 PM

The original post has more background info. A virus hijacked a legit application as a place to deposit its spores, and then called msiexec to install it. Somehow, the virus also previously modified the system so msiexec would run when any .exe file (using an ini file) was run.

I have checked the startup list and it all looks legit...

#9 hamluis

    Moderator

  • Moderator
  • 55,734 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 30 August 2010 - 06:11 PM

Well...have you tried removing Windows Installer?

First...go to a command prompt...then type msiexec /? and post the top line (version) reported.

If it reads 4.5.6001.22159, then you have Version 4.5 (what you should have).

If you don't have 4.5 installed...try installing it and see if that changes anything.

http://www.microsoft.com/downloads/details...ang=en#filelist, the x86 download is for XP.

http://support.microsoft.com/kb/555175

I don't suggest using the Cleanup Utility, http://www.thewindowsclub.com/microsoft-re...cleanup-utility.

Louis

Edited by hamluis, 30 August 2010 - 06:19 PM.


#10 barockteer

  • Topic Starter
  • Members
  • 16 posts

Posted 31 August 2010 - 12:27 PM

I did have an old version of msiexec; I updated to the latest; no change in behaviour. I don't think it's msiexec itself; rather some other piece of corrupted code is executing a command line which calls msiexec...

#11 hamluis

    Moderator

  • Moderator
  • 55,734 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 31 August 2010 - 12:36 PM

Well...if it's not in startups...and you have no idea about wording...I'd say that your chances of finding it are pretty slim.

But...I'm not a coder, just a simple user.

I suppose that you could attempt a repair install or run the sfc /scannow command...but those only impact system files.

Louis

#12 barockteer

  • Topic Starter
  • Members
  • 16 posts

Posted 31 August 2010 - 12:50 PM

I was thinking a repair install was my best bet, and I'll probably do that after I transfer stuff off the machine to a new one.

What is the sfc /scannow?

#13 hamluis

    Moderator

  • Moderator
  • 55,734 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 31 August 2010 - 01:15 PM

How To Use Sfc.exe To Repair System Files - http://www.bleepingcomputer.com/forums/topic43051.html

Just an alternative way to replace missing/damaged system files, as long as users realize that the version of XP on the system...and on the CD...are one and the same.

Using a CD containing a prior version (example, I have SP3 installed but CD only reflects SP2 or SP1 or none at all) will (IME) result in a somewhat scrambled system or a clean install.

I would just do a clean install myself...after any serious malware incident.

Louis
