Note installed, via CD, HijackThis, for data, can send any that are ID'd for help. This thing has chewed up machine pretty good. REFORMAT is NOT an option as data on PC would take months to rebuild, and if copied might take virus-worm with it as no idea of where it resides.
Have scanned registry with MD5 from other sites, found some worm, virus, but this one refuses to die. I suspect more widespread than most think as it disables DSL at PC level, but connections remain fine, can ping etc. but DNS on www. DO NOT recommend running AVs as they are NOT effective in finding it. DETAILS FOLLOW
Sep 5 I think I got a virus from email marked as Urgent, from old friend so I opened it. I THINK that was source as had an odd canned message about "virus warning", deleted but it seems not in time. Then got two more of same so probably was source, days later got another one on "not an issues" etc. from another person that was on email list, seems still going on. I told them to remove my name email until they cleared it up and to NOT reply to my message.
End result of virus.
SERIOUS: It shut down PC to DSL Ethernet card to DSL router as internet connection is fine. When I try to go online first get message "MS Installing SCAN" and it proceeds as if in normal install mode. Noted on WR 2.2 (What's Running) this "Install" starts via MS install and ID's self as msiexec.exe and is exact copy of msiexec.exe. Install, looks like uses msi to mask itself, as an install runs down to point it asks for CD. WHEN I "Cancel" install, simply restarts self and even does it after using Task Manager to "end task". NOTE when starting in safe mode, it will flash as attempt to run, but will not go. Safe with network will NOT connect in same manner as "normal" will not.
My internet connection is via 4 hookup DSL router, other two PCs on it work fine. This is ole 1998 PC, Win98 and not a lot of HD-memory-etc. I pulled other one off the DSL to prevent spread as this one is networked to it, a back up if all else fails I kept handy, this PC is on same DSL router, DSL HW is not an issue. Infected PC will ping OK. Now left with virus may be after TCP or such. DO NOT know how to test TCP etc., but did reinstall new Ethernet card config. Have heard where this can set up a "hidden" address or such but have NO idea of what that is or how to check it out, as supposedly can conflict TCP or router? Ideas there? But not core issue as it would not start "install" when I try to go online.
NOTE infected PC CANNOT get "connected" but all www-emails-etc. are DNS's "cannot find server". Tried everything so far, virus scans AVAST COMODO were there, they will NOT find it. Manually cleaned "Trojans-hijacker-tracking" etc. from registry ActiveX, ran malware and AVG via CD made off other machine. Ran a regedit listing of backdoor etc. I got off www sites, it found a few issues but virus still there.
ANY ideas, "format" is not an option. Do NOT recommend any "run virus scan from ////" as PC will NOT go on line, all has to be from CD that copies off other PC, OK? NOTE when I run WR2.2 (whats running SW) I can see the thing come through msiexec.exe as a sub routine. You cannot delete msi as it comes back. Something starts msi and uses copy to mask itself, as the "msi" I see as subroutine from msi (legit) is exact copy, shut it down and whatever runs under it goes away, for a time. It seems to have a timer as goes more destructive and after 1-2 hours goes into shut down restart loop. When in "SAFE" I can see "MS Install" flash on but is shut off or not allowed to start.
IDEAS as spent ONE week trying about all I can find.. Have heard it does same to wireless etc. HELP
Question
Answers (5)
0
Votes
Antivirus and Antispyware
You can try following programs:
Stinger from http://vil.nai.com/vil/stinger/.
AVG from http://free.avg.com/download-avg-anti-virus-free-edition.
Malware Bytes Antimalware from http://www.malwarebytes.org/mbam.php.
17th Sep 2009
Replies
READ ORIG POST, AV does NOT pick it up, that is NOT a solution
hmmmmm!
17th Sep 2009
Boot into safe mode and check all the auto startups in msconfig. Disable everything you don't exactly need. Check that system restore is disabled. Delete every instance of msiexec.exe.
Disable the Windows Installer service.
Shut down the PC and unplug power cord, remove battery on motherboard and extract your memory and reset the jumpers. Wait 5 minutes. Put back together.
Reboot in normal mode and see if it still comes up. If yes, you're screwed, if not, fire everything you have, even the AVs that didn't work before at it. Reboot with Windows CD and choose repair.
Reboot in normal mode and allow Windows Installer again.
El_Duce
18th Sep 2009
This is not a HW issue. Please present reason and rationale for mechanical messing about with HW. THIS IS Microsoft Install msiexec.exe masking, NOT an MSI Mother Board or HW issue. So why the Mech work on HW? BIOS memory etc. all is fine.
hmmmmm!
18th Sep 2009
Because it may allow any residual bits to fade out since the RAM is volatile memory and can not store information without voltage applied. Resetting the BIOS will cause the computer to tally the RAM when it is next powered on.
SKDTech
19th Sep 2009
0
Votes
Boot from a Live CD
If you can build yourself a BartPE or WinPE CD with an up to date antivirus/malware.
Do it from a clean PC.
If not possible you may find some Linux security distributions that will allow you much the same.
Boot from said CD, mount the infected hard drive.
Run a virus scan (local or from the internet) and/or delete all instances of the offending msiexec.exe file.
bartpe : http://www.nu2.nu/pebuilder/
knoppix-std : http://www.knoppix-std.org/
18th Sep 2009
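An added example, not part of the original thread or any poster's code: once the infected drive is mounted from a clean boot CD as suggested above, file size alone (which the original poster compared) does not show whether a copy of msiexec.exe is genuine, so this sketch compares SHA-256 hashes against a reference copy taken from a clean PC. The function names, the sample tree and the verdict labels are assumptions made for illustration; the reference must come from the same Windows and Windows Installer version, otherwise a "different" verdict only means a different build.

```python
import hashlib
import os
import sys
import tempfile

def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def audit_copies(mount_root, reference, name="msiexec.exe"):
    """Compare every file called `name` under mount_root with a known-good copy.

    Verdict is "match", "same-size-different-content" or "different".
    """
    ref_size, ref_hash = os.path.getsize(reference), sha256_of(reference)
    findings = []
    for folder, _dirs, files in os.walk(mount_root):
        for entry in files:
            if entry.lower() != name.lower():  # Windows names are case-insensitive
                continue
            path = os.path.join(folder, entry)
            size, file_hash = os.path.getsize(path), sha256_of(path)
            if file_hash == ref_hash:
                verdict = "match"
            elif size == ref_size:
                verdict = "same-size-different-content"
            else:
                verdict = "different"
            findings.append({"path": path, "size": size,
                             "sha256": file_hash, "verdict": verdict})
    return sorted(findings, key=lambda item: item["path"])

def build_sample(root):
    """Constructed sample tree standing in for a mounted drive (not real binaries)."""
    good = b"MZ" + b"\x00" * 62
    bad = b"MZ" + b"\x01" * 62  # same length, different bytes
    layout = {"reference/msiexec.exe": good,
              "drive/WINDOWS/system32/msiexec.exe": good,
              "drive/WINDOWS/Temp/MSIEXEC.EXE": bad}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return os.path.join(root, "drive"), os.path.join(root, "reference", "msiexec.exe")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <mount_root> <reference_file>
        drive, ref = sys.argv[1], sys.argv[2]
    else:
        drive, ref = build_sample(tempfile.mkdtemp())
    for item in audit_copies(drive, ref):
        print(item["verdict"], item["size"], item["sha256"][:16], item["path"])
```

If every copy comes back as "match", the binary itself is the stock installer and the thing to look for is whatever launches it.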
0
Votes
Couple of thoughts
I doubt that msiexec.exe is the actual virus. It is more likely that what ever is trying to install is using the msiexec to install itself.
Having said that, your event logs should give you a clue as to the name of the offender.
I would also download a root kit revealer to check the system, gmer is pretty good.
Consider running Malwarebytes and SUPERAntiSpyware in safe mode. You may need to install the latter in a normal desktop, but you may also download their updated definitions as a separate exe.
18th Sep 2009
Replies
I HAVE RUN ALL KINDS OF ANTIVIRUS, SCANS, etc. NONE show anything. As stated can run WR2.2 (whats working) and can see it download off msiexec.exe, I can at same time see the box "Microsoft Install Scan" go on screen, ONLY in Safe Mode does it not run, but I can see it try to start and fail to start in Safe Mode. I have run ALL scans in both normal and safe modes, system restore is off. I have run about every "detection" SW that can be loaded on CD and run on the machine. NOTE the virus shut off the www connections with some sort of DNS (Server not found). Note PING and such shows all is fine with network adaptors and four place DSL router is fine, other PCs working OK.
I have seen other posts on WWW about same thing, and some I know are having same issues. Not being widely reported as the PC is off line so most cannot report it. Bud in NE took his machine to repair, ALL systems checked out OK, they think it is a new virus as so far none ID'd it.
QUESTION as if worse comes to worse and no fix found? PC is loaded with valuable files, was a storage and work machine, IS there ANY WAY to find protected spot in disc to place files if one reformats drive AKA send them to a protected spot in drive that is kept from reformat and reload of XP process? I never heard of any but maybe someone has?
Read the initial post, we have tried everything so far and loaded up all kinds of SW to help. Can furnish any Hijack This report asked for. but so far nothing Odd shows up, and I may be missing some as been beating on this for two weeks.
Open for ideas and remember the infected PC will NOT go on line. It is NOT a HW problem.
If HT report wanted let me know which one, sys scan or startup or what...This is a worm or something that goes off anytime you try for www, email, etc and runs the MS INSTALL to make it,,, kill it with task mgr and it comes right back. File search shows NO odd msiexec.exe files.. all look like MS files down to same size..
So which Hijack log might show it. Have to run it on infected PC, then copy to CD and cut and paste to here. Odd thing about it is after about 2 hours it starts a loop of restarts which get progressively smaller in each load, and will NOT respond to shut off or even shut off button on unit? Have to pull power to shut down. Others had same issue??? Have heard of worms-virus that did same a few years back, do not know names...
IDEAS? as way beyond me, and most it seems.
Have tried boot off CD.
hmmmmm!
18th Sep 2009
If it is as insidious as you are saying and you have truly tried everything to get rid of it then your only remaining option is to nuke the drive and do a completely fresh reinstall. If you have recent known good backups of the data you need to save then you should use those to restore from, as any data currently on the machine is suspect.
SKDTech
19th Sep 2009
Not reread orig message HW IS OK. Thanks for advice but this one above your pay grade. Seems others, Desk and Lap tops were having same virus worm or ??? issue. Again thanks for ideas but they do not respond to orig post.
hmmmmm!
19th Sep 2009
...so please be respectful of those who are offering suggestions, even if it doesn't seem like they are reading every word of your problem description.
"Be careful whose advice you buy, but be patient with those who supply it."
DaveBecker
19th Sep 2009
I was not rude, but he was out of his knowledge base. Further he and most that enjoy problem solving must learn, and for some it takes years...
To solve an issue, problem or or or ...
The most important thing to solve is first, you must "Listen (or read) very well and then, question better!"
I had thanked him, as was posted. But obviously he needs a bit of time in basic solving 101, a learned process. Rule two is you cannot solve anything you do not know or understand as core issue. AKA Listen well and question better..... a learned process.
hmmmmm!
20th Sep 2009
0
Votes
Post the
HJT log. Are you sure that something like defender is not trying to install.
Edit:
What AV are you running, are you using a firewall?
Updated - 19th Sep 2009
Replies
All is exactly stated in orig message, hence the detail level given. I can see the thing start via What's Running Ver. 2.2, it comes out as new subset of msiexec.exe and is same in all details, then screen displays Microsoft Installer Scan and goes through what appears to be "normal install" of "Scan" (whatever that is?) to point of asking for CD etc. When canceled it simply restarts self, and will run if you attempt to go to any on line sites, mail etc. Am going to run the MS Clean Up Install utility today, and see what that does as really acts like an "incomplete install", but is not as that would NOT shut off PC to network adapter, oddly it will still run ping testing and reports all is fine. Is one of three on a DSL router and others work fine, I have taken it off line for now to prevent it from sending to others or to send emails on own as it seems to have been infected via email as in orig message. NOTE others have had same thing happen and local repair shop has had two or three brought in for check out with same issue and NO HW problems. All HW systems in the infected PC check out OK.
Will leave it off line until issue resolved but since it will not allow www hook up that is already there. It did seem to open door to many trojans etc. before I took it off line as manual scans of ActiveX showed all kinds of stuff there, was running AVAST and no issues, and had COMODO there and turned it on, now cannot delete it, but shut down AVAST as to not have conflicts, all scans run in safe mode and when in safe mode the virus seems to not run, unless I go safe with network as it still blocks network, but install will not start. I have read of a "hidden network adapter address" etc. that can mimic issue of not connecting but not a clue where to find that file, such happens when you remove network adapter and install new one which I tried to assure it was NOT a NW or address issue. Am running manual address in NW as it will not "go to automatic find for address via router".
Will try to remove COMODO but it refuses to uninstall so far. Machine will remain off line. Will run RSIT ver of HJ Log back one or perhaps two months.
hmmmmm!
20th Sep 2009
As you clearly do not understand what you are talking about at all, and you will not do as others have suggested, what do you want? A magic wand?
Disconnect from your network (router, whatever), boot into safe mode, install, update and run MBAM - there is a link in a previous post. If you won't even try, no one can help. Because a different scanner, or entirely different type of scanner, did not work previously in the manner in which you used it, it does not mean that the suggestions made in this thread will not work.
Just because you don't understand the logic behind a procedure, it doesn't mean that the logic and reason do not exist. Since it is clear from your first post that you don't understand what you are doing, why not just take the help offered. Or take the computer to be serviced - your choice.
seanferd
20th Sep 2009
0
Votes
how to remove msiexecs.exe virus
Please read the topic of how to remove msiexecs.exe virus
Updated - 13th Jun 2011

































