
msiexec.exe virus?


8 replies to this topic

#1 TroubledA

TroubledA

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 12 June 2011 - 10:33 PM

Hello everybody. I am new to this forum, and do not know much about it, but it looks like you guys can help me with my problem. I have been having a lot of viruses recently, and this one called msiexec.exe virus keeps sending me requests for full control of my computer. When I exit out of it normally, it just pops right back up, and I have to go to task manager to close it. I tracked down the folder it comes from, and this is what it looks like-
[Screenshot: http://img863.imageshack.us/img863/9507/virusq.jpg]
I tried deleting it and sending it to the recycling bin, then permanently deleting it, but it keeps coming back... Please help me with this problem..

Edited by hamluis, 13 June 2011 - 07:41 AM.
Moved from Vista to Am I Infected.



 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 AM

Posted 13 June 2011 - 08:03 AM

MsiExec.exe is related to the Windows Installer. Your Image Shack link is not working for me.

Determining whether a file is malware or a legitimate process usually depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a legitimate or critical system file. However, it then places itself in a different location (folder) than where the legitimate file resides and runs from there. Another technique is for the process to alter the registry and add itself as a Startup program or service so that it can run automatically each time the computer is booted. A file's properties may give a clue to identifying it. Right-click on the file, choose Properties and examine the General and Version tabs.

Get a second opinion. Go to one of the following online services that analyze suspicious files: In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis. If you get a message saying "File has already been analyzed", click Reanalyze file now.
-- Post back with the results of the file analysis.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Double-click on the setup file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif
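The location check described in reply #2, written out as an added Python example (not code from the thread or from any tool it mentions). It assumes a default C:\Windows install; the directory table, function names and sample entries are constructed for illustration, and it goes slightly beyond msiexec.exe by tracking two other commonly imitated system binaries and by covering startup-entry command lines as well as running processes.

```python
import ntpath

# Assumption: default install under C:\Windows; adjust for another %SystemRoot%.
EXPECTED_DIRS = {
    "msiexec.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

def exe_from_command(command):
    """Pull the executable path out of a process or startup command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted paths may contain spaces, so cut after the first ".exe".
    idx = command.lower().find(".exe")
    return command[: idx + 4] if idx != -1 else command

def classify(image_path):
    """Return 'expected', 'suspect-location' or 'not-tracked' for one path."""
    path = ntpath.normpath(image_path.strip()).lower()  # resolves ".." and "/"
    folder, name = ntpath.split(path)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return "not-tracked"
    return "expected" if folder in expected else "suspect-location"

def review(entries):
    """entries: (source, command) pairs; returns those in a suspect location."""
    flagged = []
    for source, command in entries:
        path = exe_from_command(command)
        if classify(path) == "suspect-location":
            flagged.append((source, path))
    return flagged

# Constructed sample data (hypothetical paths, not taken from the thread).
SAMPLE = [
    ("process pid=812", r"C:\Windows\System32\msiexec.exe /V"),
    ("process pid=4120", r"C:\Users\Public\Temp\msiexec.exe"),
    ("startup entry: Updater", r'"C:\ProgramData\msiexec.exe" /q'),
    ("startup entry: Shell", r"C:\WINDOWS\explorer.exe"),
    ("process pid=3004", r"C:\Program Files\uTorrent\utorrent.exe"),
]

if __name__ == "__main__":
    for source, path in review(SAMPLE):
        print(f"{source}: {path}")
```

A path match only narrows the search; a file flagged here still goes through the file-analysis and scan steps from the reply above.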

#3 invision

invision

  • Members
  • 91 posts
  • OFFLINE
  •  
  • Local time:06:35 AM

Posted 13 June 2011 - 08:41 AM

Looking at the screenshot you submitted that file doesn't belong there. Follow the instructions above to make sure the PC is clean.

Edited by invision, 13 June 2011 - 08:42 AM.


#4 TroubledA

TroubledA
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 13 June 2011 - 03:40 PM

Thanks for the fast reply guys. I actually tried deleting it again yesterday, after I posted this message, and so far, it hasn't made another copy of itself. I thought it would come back again like it did yesterday, but it's not, so I can't submit it to VirusTotal yet. Hopefully it stays this way. Thanks for your advice! I'll be sure to follow the directions if it comes back.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 AM

Posted 13 June 2011 - 04:14 PM

You should perform the scans anyway. The problem with some types of malware is that they have the ability to download other malicious files to your system which you are unaware of.

#6 TroubledA

TroubledA
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 13 June 2011 - 05:28 PM

I just tried the quick scan and flash scan, but both came up with nothing wrong. These are the logs:
Quick Scan:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6850

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/13/2011 3:04:18 PM
mbam-log-2011-06-13 (15-04-18).txt

Scan type: Quick scan
Objects scanned: 192433
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Flash Scan:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6850

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19048

6/13/2011 3:25:50 PM
mbam-log-2011-06-13 (15-25-50).txt

Scan type: Flash scan
Objects scanned: 153574
Time elapsed: 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

But I kept getting pop ups from mbam that it's blocking a connection from a port. Here's the log for that-
14:59:34 ahn MESSAGE Protection started successfully
14:59:39 ahn MESSAGE IP Protection started successfully
15:10:43 ahn IP-BLOCK 212.117.164.142 (Type: outgoing, Port: 51169, Process: utorrent.exe)
15:10:59 ahn IP-BLOCK 89.28.41.80 (Type: outgoing, Port: 51169, Process: utorrent.exe)
15:26:05 ahn IP-BLOCK 212.117.164.142 (Type: outgoing, Port: 51169, Process: utorrent.exe)
15:26:21 ahn IP-BLOCK 89.28.41.80 (Type: outgoing, Port: 51169, Process: utorrent.exe)

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 AM

Posted 13 June 2011 - 05:39 PM

IP Protection (malicious website blocking) is part of the Protection Module and works after it is enabled. When attempting to go to a malicious website, Malwarebytes will block the attempt and provide an alert. Some legitimate programs on your computer have access to the Internet and that action can also trigger an IP alert. These events are stored in the "protection-log". Your firewall should be able to give you a list of such programs so you can confirm if they are legitimate. IP Protection is also designed to block incoming connections it determines to be malicious.

Information that explains IP Protection feature can be found in the Malwarebytes Anti-Malware IP Protection FAQs.

What does IP Protection do?
IP Protection provides an additional layer of security for your computer, by preventing access to known malicious IP addresses and IP ranges...

What does this notification mean?
This notification means quite simply, that an IP address has been blocked. It does NOT necessarily mean you are infected, it simply means a program on your computer (e.g. your browser, IM program, P2P program etc), tried accessing a malicious IP address...

Other FAQs about IP Protection
How does it do this?
How does it inform you?
I got an alert and I wasn't even surfing, how's that happen?
I received a notification on a safe site, why?
How do I disable this?
I got an alert for an IP or website I think is safe, how can I report it?
Does the IP Protection replace my firewall?
Where do I find the IP Protection logs?
How can I add an IP so it won't be detected and can access a site I need to?


You can investigate IP addresses and gather additional information at:
If you are using peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, Kontiki, BitTorrent, uTorrent, BitLord, BearShare, Azureus/Vuze, etc) or an (IM) client, be aware they can trigger alerts. Why? Because these kinds of programs are a security risk which can make your system susceptible to a smörgåsbord of malware infections and remote attacks. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The best way to eliminate these risks is to avoid using P2P applications.
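The protection-log lines posted in reply #6 and the explanation in reply #7 both turn on which process triggered each block. The following Python is an added example, not part of the thread or of Malwarebytes: the field layout is inferred from the posted lines, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Layout inferred from the lines posted in the thread. The second field ("ahn")
# is kept as an opaque tag because the thread does not say what it is.
LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tag>\S+)\s+IP-BLOCK\s+(?P<ip>\S+)\s+"
    r"\(Type:\s*(?P<direction>\w+),\s*Port:\s*(?P<port>\d+),\s*"
    r"Process:\s*(?P<process>[^)]+)\)\s*$"
)

# The protection-log lines exactly as posted in reply #6.
THREAD_LOG = """\
14:59:34 ahn MESSAGE Protection started successfully
14:59:39 ahn MESSAGE IP Protection started successfully
15:10:43 ahn IP-BLOCK 212.117.164.142 (Type: outgoing, Port: 51169, Process: utorrent.exe)
15:10:59 ahn IP-BLOCK 89.28.41.80 (Type: outgoing, Port: 51169, Process: utorrent.exe)
15:26:05 ahn IP-BLOCK 212.117.164.142 (Type: outgoing, Port: 51169, Process: utorrent.exe)
15:26:21 ahn IP-BLOCK 89.28.41.80 (Type: outgoing, Port: 51169, Process: utorrent.exe)
"""

def parse_blocks(log_text):
    """Return one dict per IP-BLOCK line; MESSAGE and malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LINE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events

def summarise(events):
    """Group block events by process name (case-insensitive)."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "directions": set()})
    for event in events:
        entry = summary[event["process"].strip().lower()]
        entry["count"] += 1
        entry["ips"].add(event["ip"])
        entry["directions"].add(event["direction"].lower())
    return dict(summary)

def unexplained(summary, explained):
    """Processes with blocks that the analyst has not already accounted for."""
    known = {name.lower() for name in explained}
    return sorted(name for name in summary if name not in known)

if __name__ == "__main__":
    report = summarise(parse_blocks(THREAD_LOG))
    for process, info in report.items():
        print(process, info["count"], sorted(info["ips"]), sorted(info["directions"]))
    print("needs review:", unexplained(report, {"utorrent.exe"}))
```

Every block in the posted log is attributed to utorrent.exe, so nothing is left over once that client is accounted for; a block attributed to a process the user cannot explain is the case that needs the follow-up described in reply #7.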

#8 TroubledA

TroubledA
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:35 AM

Posted 13 June 2011 - 05:48 PM

Thanks for the information! I deleted every single result of uTorrent I could find in RegEdit, so hopefully, no more viruses for me! Thanks for your help!

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,476 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 AM

Posted 14 June 2011 - 06:13 AM

You're welcome.



