The Spykiller
Author Topic: Msiexec.exe is Infected!!!  (Read 20266 times)
xblade12100
Guest
« Reply #30 on: February 10, 2008, 21:50:18 »

Reg             HKLM\SOFTWARE\Classes\VLC.m2v@                                                                     VLC media file (.m2v)
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.m2v\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.m3u@                                                                     VLC media file (.m3u)
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.m3u\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mka@                                                                     VLC media file (.mka)
Reg             HKLM\SOFTWARE\Classes\VLC.mka\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mka\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mka\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mka\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mka\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mka\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mka\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mkv@                                                                     VLC media file (.mkv)
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mkv\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mov@                                                                     VLC media file (.mov)
Reg             HKLM\SOFTWARE\Classes\VLC.mov\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mov\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mov\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mov\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mov\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mov\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mov\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mp1@                                                                     VLC media file (.mp1)
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mp1\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mp2@                                                                     VLC media file (.mp2)
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mp2\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mp3@                                                                     VLC media file (.mp3)
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mp3\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mp4@                                                                     VLC media file (.mp4)
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mp4\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg@                                                                    VLC media file (.mpeg)
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\DefaultIcon@                                                        "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\shell@                                                              Play
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\shell\Play                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\shell\Play\command                                                 
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg\shell\Play\command@                                                 "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1@                                                                   VLC media file (.mpeg1)
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\DefaultIcon                                                       
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\DefaultIcon@                                                       "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\shell                                                             
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\shell@                                                             Play
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\shell\Play                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\shell\Play\command                                                 
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg1\shell\Play\command@                                                "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2@                                                                   VLC media file (.mpeg2)
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\DefaultIcon                                                       
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\DefaultIcon@                                                       "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\shell                                                             
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\shell@                                                             Play
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\shell\Play                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\shell\Play\command                                                 
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg2\shell\Play\command@                                                "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4@                                                                   VLC media file (.mpeg4)
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\DefaultIcon                                                       
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\DefaultIcon@                                                       "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\shell                                                             
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\shell@                                                             Play
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\shell\Play                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\shell\Play\command                                                 
Reg             HKLM\SOFTWARE\Classes\VLC.mpeg4\shell\Play\command@                                                "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.mpg@                                                                     VLC media file (.mpg)
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.mpg\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.ogg@                                                                     VLC media file (.ogg)
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.ogg\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.ogm@                                                                     VLC media file (.ogm)
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.ogm\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.pls@                                                                     VLC media file (.pls)
Reg             HKLM\SOFTWARE\Classes\VLC.pls\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.pls\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.pls\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.pls\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.pls\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.pls\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.pls\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.ps@                                                                      VLC media file (.ps)
Reg             HKLM\SOFTWARE\Classes\VLC.ps\DefaultIcon                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.ps\DefaultIcon@                                                          "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.ps\shell                                                                 
Reg             HKLM\SOFTWARE\Classes\VLC.ps\shell@                                                                Play
Reg             HKLM\SOFTWARE\Classes\VLC.ps\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.ps\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.ps\shell\Play\command@                                                   "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.spx@                                                                     VLC media file (.spx)
Reg             HKLM\SOFTWARE\Classes\VLC.spx\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.spx\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.spx\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.spx\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.spx\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.spx\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.spx\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.ts@                                                                      VLC media file (.ts)
Reg             HKLM\SOFTWARE\Classes\VLC.ts\DefaultIcon                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.ts\DefaultIcon@                                                          "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.ts\shell                                                                 
Reg             HKLM\SOFTWARE\Classes\VLC.ts\shell@                                                                Play
Reg             HKLM\SOFTWARE\Classes\VLC.ts\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.ts\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.ts\shell\Play\command@                                                   "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.vlc@                                                                     VLC media file (.vlc)
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.vlc\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.vob@                                                                     VLC media file (.vob)
Reg             HKLM\SOFTWARE\Classes\VLC.vob\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.vob\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.vob\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.vob\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.vob\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.vob\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.vob\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.wav@                                                                     VLC media file (.wav)
Reg             HKLM\SOFTWARE\Classes\VLC.wav\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.wav\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.wav\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.wav\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.wav\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.wav\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.wav\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.wma@                                                                     VLC media file (.wma)
Reg             HKLM\SOFTWARE\Classes\VLC.wma\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.wma\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.wma\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.wma\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.wma\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.wma\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.wma\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\VLC.wmv@                                                                     VLC media file (.wmv)
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\DefaultIcon                                                         
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\DefaultIcon@                                                         "C:\Program Files\VideoLAN\VLC\vlc.exe",0
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\shell                                                               
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\shell@                                                               Play
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\shell\Play                                                           
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\shell\Play\command                                                   
Reg             HKLM\SOFTWARE\Classes\VLC.wmv\shell\Play\command@                                                  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "%1"
Reg             HKLM\SOFTWARE\Classes\vslfile@                                                                     vsl file
Reg             HKLM\SOFTWARE\Classes\vslfile\shell                                                               
Reg             HKLM\SOFTWARE\Classes\vslfile\shell\open                                                           
Reg             HKLM\SOFTWARE\Classes\{1370B317-616D0-504D4-BD371-52A2539C56954}@                                  SpHDv&Wdkoeo.

---- EOF - GMER 1.0.14 ----

xblade12100
Guest
« Reply #31 on: February 10, 2008, 21:51:46 »

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:59 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\mantispm.exe
C:\Program Files\Safari\Safari.exe
C:\Documents and Settings\Jim\Desktop\Logs\RootkitRevealer.exe
C:\Documents and Settings\Jim\Desktop\Logs\RootkitRevealer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rogers.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B8A7839C-51E8-4067-ADA3-CA74BABC1976} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MEL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jim\LOCALS~1\Temp\MEL.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WSUB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jim\LOCALS~1\Temp\WSUB.exe

--
End of file - 9377 bytes

F- Blacklight Scan

02/11/08 14:54:49 [Info]: BlackLight Engine 1.0.67 initialized
02/11/08 14:54:49 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/11/08 14:54:49 [Note]: 7019 4
02/11/08 14:54:49 [Note]: 7005 0
02/11/08 14:54:52 [Note]: 7006 0
02/11/08 14:54:55 [Note]: 7011 1120
02/11/08 14:54:55 [Note]: 7026 0
02/11/08 14:54:55 [Note]: 7026 0
02/11/08 14:55:00 [Note]: FSRAW library version 1.7.1024
02/11/08 15:06:03 [Note]: 2000 1012
02/11/08 15:07:19 [Note]: 7007 0

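As an added example (it is not code from this thread, from HijackThis or from Trend Micro), here is a small Python triage script for the O2, O4 and O23 line formats in the log above. It parses constructed sample lines modelled on that log (the WinSys Run entry is constructed from the file name the later replies name; the real log does not show one), flags the entries a helper normally reviews first (orphaned "(no file)" / "(file missing)" entries, bare file names resolved through the search path, executables running from a Temp folder, services with an unknown owner) and searches the entries for a string such as WinSys, which is what the later "Registry Search" step asks for. The flagging rules are this example's own assumptions, not HijackThis' scoring; a flag means "look at this", not "malicious".

```python
"""Triage helper for HijackThis-style log lines (O2 BHOs, O4 autostarts, O23 services).

Added example, not HijackThis code: the flagging rules below are assumptions
of this script, chosen to surface the entries a malware-removal helper
usually checks first.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the log format posted in the thread.
# The WinSys line is constructed from the file name named later in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WinSys] C:\WINDOWS\system32\WinSys.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O23 - Service: MEL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Jim\LOCALS~1\Temp\MEL.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

MISSING_MARKERS = ("(no file)", "(file missing)")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


@dataclass
class Entry:
    section: str                 # O2, O4 or O23
    name: str                    # BHO name, Run value name or service name
    path: str                    # image path as written in the log ('' if none)
    raw: str                     # the original log line
    reasons: list[str] = field(default_factory=list)


def clean_path(path: str) -> str:
    """Drop HijackThis' missing-file markers so only the path text remains."""
    for marker in MISSING_MARKERS:
        path = path.replace(marker, "")
    return path.strip()


def image_path(cmd: str) -> str:
    """Return the program (or DLL) an autostart command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):               # quoted path, possibly followed by switches
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].upper() in ("RUNDLL32.EXE", "RUNDLL32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]  # the DLL rundll32 is asked to load
    return tokens[0]


def parse_hjt(text: str) -> list[Entry]:
    """Parse O2, O4 and O23 lines; every other line type is skipped."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            entries.append(Entry("O2", m["name"], clean_path(m["path"]), line))
        elif m := O4_RE.match(line):
            entries.append(Entry("O4", m["name"], image_path(m["cmd"]), line))
        elif line.startswith("O23 - Service: "):
            body = line[len("O23 - Service: "):]
            # vendor text may itself contain ' - ', so split the path off from the right
            rest, _, path = body.rpartition(" - ")
            name = rest.split(" - ", 1)[0]
            entries.append(Entry("O23", name, clean_path(path), line))
    return entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach review reasons to entries and return those that got at least one."""
    flagged = []
    for e in entries:
        reasons = []
        if any(marker in e.raw for marker in MISSING_MARKERS):
            reasons.append("orphaned entry: referenced file is missing")
        elif "\\" not in e.path:
            reasons.append("bare file name, resolved through the search path")
        if TEMP_DIR_RE.search(e.path):
            reasons.append("runs from a Temp directory")
        if e.section == "O23" and "Unknown owner" in e.raw:
            reasons.append("service with unknown owner")
        if reasons:
            e.reasons = reasons
            flagged.append(e)
    return flagged


def search(entries: list[Entry], needle: str) -> list[Entry]:
    """Case-insensitive search over the raw lines, like looking up 'WinSys'."""
    needle = needle.lower()
    return [e for e in entries if needle in e.raw.lower()]


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for entry in triage(parsed):
        print(f"{entry.section} [{entry.name}] {entry.path or '(no path)'}")
        for reason in entry.reasons:
            print(f"    - {reason}")
    for entry in search(parsed, "WinSys"):
        print("WinSys hit:", entry.raw)
```

Run it against a saved hijackthis.log by passing the file's contents to parse_hjt instead of SAMPLE_LOG. On the sample, the two Temp-folder services, the "(no file)" BHO, the bare SOUNDMAN.EXE entry and the service with a missing file and unknown owner are the ones reported; the quoted Program Files entries and the rundll32 entry pass because the script resolves the DLL path behind rundll32 rather than treating RUNDLL32.EXE itself as the image.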
xblade12100
Guest
« Reply #32 on: February 10, 2008, 21:54:06 »

By the way, do you know what the problem is yet? Because while I was scanning with Rootkit Revealer, AVG found another Trojan. Thanks. HijackThis Uninstall list:

Ad-Aware 2007
Adobe Acrobat 4.0
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 9 Plugin
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AnvSoft iPod Movie Maker 2.0
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI Parental Control
ATI Remote Wonder 3.01
ATI TV Settings
avast! Antivirus
AVG 7.5
AVG Anti-Rootkit Free
CamStudio
CamStudio Lossless Codec
CD/DVD-ROM Generator 1.20
CinemaForge
CleanUp!
DivX Content Uploader
DivX Web Player
Doom 3
DVD Decrypter (Remove Only)
FXhome EffectsLab Pro (remove only)
GUIDE PLUS+(TM) for Windows® System - ATI
Guitar Hero Explorer
Guitar Pro 5.2
Half-Life(R) 2
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ImgBurn (Remove Only)
iTunes
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
LimeWire 4.15.3
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MoviePod
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NVIDIA Drivers
Opera 9.25
PDF Settings
PowerCinema 3.0 - ATI Edition
QuickTime
Real Alternative 1.52
RealPlayer
Rhapsody Player Engine
Rhapsody Player Engine
Rogers Yahoo! Applications
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
SpywareBlaster v3.5.1
Steam(TM)
Super Screen Recorder 4.0
System Requirements Lab
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB923845)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
ViewSonic Monitor Drivers
Virtools 3D Life Player
VS2005 Redistributable Package
WinAVI Video Converter 9.0
Windows Communication Foundation
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WolfTeam International
Yahoo! Anti-Spy
YouTube Uploader
ZoneAlarm Security Suite

xblade12100
Guest
« Reply #33 on: February 10, 2008, 22:04:07 »

Also, for some reason, when it is time for Windows Update, Zone says that a file or program is "Very high" and trying to get to the internet, and Windows Updates don't work. What should I do? The file name is very long and has a bunch of numbers (more than 20).
Ruby
Authorized Users
« Reply #34 on: February 10, 2008, 23:21:55 »

Quote
while I was scanning withRootkit Revealer, AVG found another Trojan
Which Trojan? Does this Trojan have a name? Which file, which path? I need all the information.

So let's go on.

Step 1
Use Uninstall Cleaner 1.0 to uninstall Ad-Aware 2007; we don't need it now. You may want to install it again later, when your system is cleaned up.

Step 2
Download Dr.Web CureIt
Save it to your desktop.
Don't use it now.

Step 3
Disconnect from the Internet! Close/disable all anti-virus and anti-malware programs and all guards so they do not interfere with the running of Dr.Web CureIt, and make sure you are disconnected from the net; unplug the cable if need be before starting Dr.Web CureIt. Close all applications, browsers and windows. Nothing may be done once Dr.Web CureIt is started.

Step 4
Reboot your machine into "Safe Mode" using the F8 key. To do this, restart your computer and after hearing your computer beep once during startup (before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Step 5
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found:
  • If so, click it and then click the next icon right below and select "Move incurable", as you'll see in the next image:
  • This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new DSS log.

Remember to enable any disabled antivirus etc BEFORE reconnecting to the net.

Step 6
On the Desktop, right-click My Computer > Click Properties > Click the System Restore tab.
Check Turn off System Restore > Click Apply, and then click OK.
Restart the computer.
To create a new restore point:
On the Desktop, right-click My Computer > Click Properties > Click the System Restore tab.
Check Turn on System Restore > Click Apply, and then click OK.
xblade12100
Guest
« Reply #35 on: February 11, 2008, 01:40:21 »

Hey Ruby, here is that log you wanted!

[attachment deleted by admin]
Ruby
Authorized Users
« Reply #36 on: February 11, 2008, 17:05:02 »

OK, let's go on....

Please read these instructions carefully and print them out or save them as a .txt-file.
Be sure to follow ALL instructions!
Follow these steps in proper sequence.

Step 1
This procedure terminates the running malware process.

1. Open Windows Task Manager.
2. In the list of running programs*, locate the malware file.
3. Select the detected file, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. To check if the malware process has been terminated, close Task Manager, and then open it again.
5. Close Task Manager:

-> WinSys.exe

*NOTE: Since Windows Task Manager may not show certain processes, you can use a third party process viewer such as Process Explorer to terminate the malware process.

Step 2
On the Desktop, right-click My Computer > Click Properties > Click the System Restore tab >
Check Turn off System Restore > Click Apply, and then click OK > Restart the computer >
On the Desktop, right-click My Computer > Click Properties > Click the System Restore tab >
Check Turn on System Restore > Click Apply, and then click OK

Step 3
Removing Autostart Entries from the Registry
Removing autostart entries from the registry prevents the malware from executing at startup.
(You can also use Registrar Registry Manager 5.56.)

Open Registry Editor.
Click Start > Run, type REGEDIT, then press Enter.

Navigate to the following key:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys]

Delete this entry:
C:\WINDOWS\system32\WinSys.exe

Delete this Registry Key:
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys]

Close Registry Editor.

Step 4
Run HijackThis -> Config -> Misc Tools -> Delete a file on reboot, and look for:

C:\WINDOWS\system32\WinSys.exe

Answer the question to reboot your system with "YES".
Restart your machine.

Step 5
Download Registry Search 1.20
Quote
Download and extract the contents of the zip file.
Double-click the icon for RegSearch.exe to launch the program.
Enter the string WinSys to search for and click "OK".
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same location as RegSearch.exe.
You may want to copy the content of this textfile to your thread.

Step 6
Download Avira AntiVir®  PersonalEdition Classic
Double-Click the antivir_workstation_win7u_en_h.exe
Accept > Wait for the installation of the program > Reboot your machine > next >
accept the terms of the License agreement > accept that Avira may only be used on private machines > next
> use Complete Install > Update AntiVir online

Step 7
Uninstall Avast with its avast! uninstall utility
Please be sure not to use any other AntiVirus than Avira AntiVir.
You need to uninstall all other AntiVirus (Norton Antivirus) programs, otherwise your system can crash.

Step 8
Have a look at our Avira AntiVir® Tutorial to learn how to configure the program; please follow my instructions in this tutorial.

Step 9
Once you are done, reboot your machine into "Safe Mode" using the F8 key. To do this, restart your computer and after hearing your computer beep once during startup (before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Step 10
Use the option "Scan system now" to run a complete scan of your whole machine.
Close all applications, all windows, and your browser.
Please be patient; it will take some time.
Please use the option "Move to quarantine" for every malware which is found on your system.

Step 11
Reboot your machine to normal mode when the scan is done.
Post back the content of your Avira AntiVir logfile and all other logs.
xblade12100
Guest
« Reply #37 on: February 13, 2008, 00:18:32 »

Registry Editor was good, the System Restore was good and the virus scan, but I couldn't:

Get the Windows Task Manager or that other program to find WinSys.exe

Didn't find the file to delete on start up

[attachment deleted by admin]
Ruby
Authorized Users
« Reply #38 on: February 13, 2008, 06:25:26 »

Hello xblade12100

here you go...

  • Please read these instructions carefully and print them out!
    Be sure to follow ALL instructions!
    Follow these steps.

Step 1
Please uninstall all old versions of Java:

Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1

Visit this website, www.java.com, and do the Java test there. Download the current version of Java, install it, and restart your system. Please uninstall all old versions of Java (Control Panel > Add/Remove Programs); if you don't succeed, use a good working German tool to get rid of the old versions of Java, Uninstall Cleaner 1.0, then restart your machine.

Step 2
  • Save it to your desktop.
  • Double-click the StartUpLite.exe to run it.
  • You will get a list of all programs which do NOT need to be used in StartUp.
  • You can easily delete all these entries with 'Continue'.
    (You may also want to choose which programs you would like to stay in StartUp.)
  • That's a very easy way to speed up your machine.

Step 3
Turn off system restore by following instructions here:
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there.
Then reboot & then re-enable system restore & create a new restore point.
Now Empty Recycle bin on desktop.

Step 4
Run DSS and post a fresh DSS log.
xblade12100
Guest
« Reply #39 on: February 13, 2008, 21:15:53 »

Hey, Here is that log you wanted!

[attachment deleted by admin]
Donations

You have come to The Spykiller for help because your Antivirus or Antispyware hasn't been able to fix your problem.

Modern Malware has become so involved and difficult to fix that it takes a very long time and a lot of hard work to read all the logs posted here and research and prepare the fixes for you. In many cases each part of the fix takes about 30 minutes to prepare, so a large part of my time is spent helping you

Would you do all this for nothing?

The reason I run this site is to raise funds for Hedgehog Rescue

Please donate if I have helped you or you have found this site useful.

You can donate safely and securely by using the paypal service, just click on one of the buttons below.

To donate in UK £

To donate in US$

To donate in Euro €

Any amount no matter how small is gratefully accepted and needed to ensure we keep the Rescue Centre running

To donate via paypal when the button doesn't appear or the link doesn't work: just go to www.paypal.com or your country's paypal log in page and chose send money and use help@thehedgehog.co.uk as recipient email address and select other service as the option. then follow prompts

