Highlander

msiexec.exe trojan?

2 posts in this topic

Here's the Deal~

I'm a tech. User fell prey to a hijack that trojaned in some sort of msiexec.exe corruption or exploit. After I ran removal stuff the msiexec.exe prog. won't shut down and appears to be triggering a bogus Office Upgrade (Office /3000) that fails but seems to trigger more problems.

I ran all the basics: Spybot, SpywareBlaster, Housecall Virus Scan [found 5 Trojan_ZN exe's], ran CWS Shredder - found several items, ran HJT & deleted several items, some of which came back.

Here are the startup & HJT log files:

Logfile of HijackThis v1.97.2
Scan saved at 8:36:39 AM, on 7/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\Technesis\Workstation\Sprint\TnWinPr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\taskmgr.exe
I:\IT Support\Security Tools\Advanced Tools\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TNStart] C:\WINNT\Technesis\WorkStation\Start\Tnstart.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Land Desktop R2\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7890.5528472222
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\Land Desktop R2\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Land Desktop R2\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BESI.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BESI.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BESI.local

StartupList report, 7/12/2004, 8:31:46 AM
StartupList version: 1.52
Started from : I:\IT Support\Security Tools\Advanced Tools\Hijack This\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\Technesis\Workstation\Sprint\TnWinPr.exe
C:\WINNT\system32\taskmgr.exe
-----> C:\WINNT\system32\msiexec.exe <------- SUSPECT file!!
I:\IT Support\Security Tools\Advanced Tools\Hijack This\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SoundMan = SOUNDMAN.EXE
NeroCheck = C:\WINNT\system32\\NeroCheck.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe
TNStart = C:\WINNT\Technesis\WorkStation\Start\Tnstart.exe
vptray = C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[Autodesk MapGuide ActiveX Control]
InProcServer32 = C:\Program Files\Autodesk\MapGuide Viewer\MgAxCtrl.dll
CODEBASE = http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab

[AcDcToday Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACDCTO~1.OCX
CODEBASE = file://C:\Program Files\Land Desktop R2\AcDcToday.ocx

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7890.5528472222

[NOXLATE]
InProcServer32 = C:\WINNT\DOWNLO~1\InstFred.ocx
CODEBASE = file://C:\Program Files\Land Desktop R2\InstFred.ocx

[AcPreview Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACPREV~1.OCX
CODEBASE = file://C:\Program Files\Land Desktop R2\AcPreview.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,600 bytes
Report generated in 0.016 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks for your help! I will watch for comments in the forum and on the board~

Highlander
