Question

Locked

msiexec.exe NASTY VIRUS

By hmmmmm! ·
Note installed, via CD hijack this, for data, can send any that are ID'd for help. This thing has chewed up machine pretty good. REFORMAT is NOT an option as data on PC would take months to rebuild. and if copied might take virus-worm with it as no idea of where it resides..
Have scanned registry with mD5 from other sites, found some worm, virus. but this one refuses to die. I suspect more widespread them most think as it disables dsl at PC level, but connections remain fine,can ping etc but DNS on www. DO NOT recommend running AV's as they are NOT effective in finding it. DETAILS FOLLOW
Sep 5 I think I got a virus from email marked as Urgent, from old friend so I opened it. I THINK that was source as had a odd canned message about "virus warning" deleted but it seems not in time. Then got two more of same so probably was source, days later got another one on "not an issues" etc from another person that was on email list, seems still going on. I told them to remove my name email until they cleared it up and to NOT reply to my message.
.End result of virus.
SERIOUS: It shut down PC to DSL earthnet card to dsl router as internet connection is fine. When I try to go online first get message "MS Installing SCAN" and it proceeds as if in normal install mode. Noted on WR 2.2 (What's Running) this "Install" starts via ms install and ID's self as msiexec.exe and is exact copy of msiexec,exe. Install, looks like uses msi to mask itself, as a install runs down to point it asks for CD.. WHEN I "Cancel" install, simply restarts self and even does it after using task manger to "end task". NOTE when starting in safe mode, it will flash as attempt to run, but will not go. Safe with network will NOT concoct in same manner as "normal" will not..

My internet connection is via 4 hookup dsl router, other two PCs on it works fine. This is ole 1998 PCm win98 and not a lot of HD-memory-etc. I pulled other one off the DSL to prevent spread as this one is networked to it, a back up if all else fails I kept handy, this PC is on same dsl router, DSL HW is not an issue. Infected PC will ping OK, Now left with virus may be after TCP or such. DO NOT know how to test TCP etc, but did reinstall new earthnet card config. Have heard where this can set up a "hidden" address or such but have NO idea of what that is or how to check it out, as supposedly can conflict TCP or router? Ideas there? But not core issue as it would not start "install" when I try to go online.

NOTE infected PC CANNOT get "connected' but all www-emails-etc are DSN"s "cannot find server". Tried everything so far, virus scans AVAST COMODO were there, they will NOT find it.. manually cleaned "Trojans-hijacker-tracking etc from registry active x, ran mawlare and avg via CD made off other machine. Ran a regedit listing of backdoor etc I got off www sites, it found a few issues but virus still there.

ANY ideas, "format" is not an option. Do NOT recommend any "run virus scan from //// as PC wiill NOT go on line, all has to be from CD that copies off other PC, OK? NOTE when I run "WR2.2 (whats running SW) I can see the thing come through msiexec.exe as a sub routine. You cannot delete msi as it comes back. Something starts msi and uses copy to mask itself.. as the "msi" I see as subroutine from msi (legit( is exact copy, shut it down and whatever runs under it goes away, for a time. It seems to have a timer as goes more destructive and after 1-2 hours goes into shut down restart loop.. When in 'SAFE" I can see "MS Install" flash on but is shut off or not allowed to start..
IDEAS as spent ONE week trying about all I can find.. Have heard it does same to wireless etc. HELP

This conversation is currently closed to new comments.

17 total posts (Page 1 of 2)   01 | 02   Next
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Antivirus and Antispyware

by p.j.hutchison In reply to msiexec.exe NASTY VIRUS
Collapse -

MSIEXEC etc

by hmmmmm! In reply to Antivirus and Antispyware

READ ORIG POST, AV does NOT pick it up, tht is NOT a solution

Collapse -

maybe

by El_Duce In reply to MSIEXEC etc

Boot into safe mode and check aal the auto startups in msconfig. Disable everything you don't exactly need. Check that system restore in disabled. delete every instance of msiexec.exe

Disable the windows installer service.
shutdown the pc and unplug power cord, remove battery on motherboard and extract your memmory and reset the jumpers. wait 5 minutes. put back together.
Reboot in normal mode and see if it still comes up. If yes, you're screwed, if not, fire everything you have, even the av's that didn't work before at it. reboot with windows cd and choose repair.

Reboot in normal mode and allow windows installer again.

Collapse -

What is logic and why HW issues

by hmmmmm! In reply to maybe

This is not a HW issue, Please present reason and rational for mechanical messing about with HW.,THIS IS Microsoft Install msiexec.exe masking,NOT a MSI Mother Board or HW issue. So why the Mech work on HW? BIOS memory etc all is fine.

Collapse -

Why the HW breakdown

by SKDTech In reply to What is logic and why HW ...

Because it may allow any residual bits to fade out since the RAM is volatile memory and can not store information without voltage applied. Resetting the BIOS will cause the computer to tally the RAM when it is next powered on.

Collapse -

Boot from a Live CD

by grassiap In reply to msiexec.exe NASTY VIRUS

if you can build yourself a bartPE or WinPE cd with an up to date antivirus/malware.
Do it from a clean PC.
If not possible you may find some linux security distributions that will allow you much the same.

boot from said CD, mount the infected hard drive.
run a virus scan (local or from the internet) and/or delete all instances of the offending msiexec.exe file

bartpe : http://www.nu2.nu/pebuilder/
knoppix-std : http://www.knoppix-std.org/

Collapse -

Couple of thoughts

by IC-IT In reply to msiexec.exe NASTY VIRUS

I doubt that msiexec.exe is the actual virus. It is more likely that what ever is trying to install is using the msiexec to install itself.
Having said that, your event logs should give you a clue as to the name of the offender.

I would also download a root kit revealer to check the system, gmer is pretty good.

Consider running malwarebytes and super-antispyware in safe mode. You may need to install the latter in a normal desktop, but you may also download their updated definitions as a seperate exe.

Collapse -

msiexec is masking

by hmmmmm! In reply to Couple of thoughts

IHAVE RUN ALL KINDS OF ANTVIRUS,SCANS, etc. NONE show anything. As stated can run WR2.2 (whats working( and can see it download off msiexec,exe, I can at same time see the box "Micorosoft Install Scan" go one screen, ONLY in Safe Mode does it not run, but I can see it try to start and fail to start in Safe Mode. I have run ALL scans in both normal and safe modes, system restore in off. I have run about every "detection' SW that can be loaded on CD and run on the machine. NOTE the virus shut off the www connections with some sort of DNS (Server not found)Note PING and such shows all is fine with network adaptors and four place DSL router is fine, other PCs working OK>
I have seen other posts on WWW about same thing, and some I know are having same issues. Not being widely reported as the PC is off line so most cannot report it. Bud ikn NE took his machine to repair, ALL systems checked out OK, they think it is a new virus as so far none ID'd it.
QUESTION as if worse comes to worse and no fix found? PC is loaded with valuable files, was a storage and work machine, IS ther ANY WAY to find protected spot in disc to place files if one reformats drive AKA send them to a protected spot in drive that is kept form reformat and reload of XP process? I never heard of any but maybe someone has?
Read the initial post, we have tried everything so far and loaded up all kinds of SW to help. Can furnish any Hijack This report asked for. but so far nothing Odd shows up, and I may be missing some as been beating on this for two weeks.
Open for ideas and remember the infected PC will NOT go on line. It is NOT a HW problem.
If HT report wanted let me know which one, sys scan or startup or what...This is a worm or something that goes off anytime you try for www, email, etc and runs the MS INSTALL to make it,,, kill it with task mgr and it comes right back. File search shows NO odd msiexec.exe files.. all look like MS files down to same size..
So which Hijack log might show it. Have to run it on infected PC, then copy to CD and cut and paste to here.. Odd thing about it is after about 2 hours it starts a loop pf restarts which get progressively smaller in each load, and will NOT respond to shut off or even shut off button on unit? Have to pull power to shut down.. others had same issue??? Have heard of worms-virus that did same a few years back.. do not know names...
IDEAS? as way beyond me, and most it seems.
Have tried boot off CD.

Collapse -

If this virus is that bad

by SKDTech In reply to msiexec is masking

If it is as insidious as you are saying and you have truly tried everything to get rid of it then your only remaining option is to nuke the drive and do a completely fresh reinstall. If you have recent known good backups of the data you need to save then you should use those to restore from as any data currently on the machine is suspect

Collapse -

NOT A BIOS/HW FORMATE etc issue

by hmmmmm! In reply to If this virus is that bad

NOt reread orig message HW IS OK. Thanks for advise but this on above your pay grade. Seems others, Desk and Lap tops were having same virus worm or ??? issue.. Again thanmks for ideas but they do not respond to orig post.

Back to Networks Forum
17 total posts (Page 1 of 2)   01 | 02   Next

Hardware Forums