Jump to content


Photo

msiexec.exe trojan?


  • Please log in to reply
1 reply to this topic

#1 Highlander

Highlander

    Member

  • Full Member
  • Pip
  • 3 posts

Posted 12 July 2004 - 01:36 PM

Heres the Deal~

I'm a tech. User fell prey to hijack that trojaned in some sort of msiexec.exe corruption or exploit. After I ran removal stuff the msiexec.exe prog. wont shut down and appears to be triggering a bogus Office Upgrade (Office /3000) that fails but seems to trigger more problems.

I ran all the basics: Spybot, Spywareblaster, Housecall Virus Scan [found 5 Trojan_ZN exe's], ran CWS Shredder - found several items, ran HJT & deleted several items. Some of which came back.

Here are the startup & HJT log files:



Logfile of HijackThis v1.97.2
Scan saved at 8:36:39 AM, on 7/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\Technesis\Workstation\Sprint\TnWinPr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\system32\taskmgr.exe
I:\IT Support\Security Tools\Advanced Tools\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TNStart] C:\WINNT\Technesis\WorkStation\Start\Tnstart.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa....in/mgaxctrl.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Land Desktop R2\AcDcToday.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7890.5528472222
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (NOXLATE) - file://C:\Program Files\Land Desktop R2\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Land Desktop R2\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = BESI.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = BESI.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = BESI.local



StartupList report, 7/12/2004, 8:31:46 AM
StartupList version: 1.52
Started from : I:\IT Support\Security Tools\Advanced Tools\Hijack This\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\technesis\enterprise\service\tnSvcNT.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\Technesis\Workstation\Sprint\TnWinPr.exe
C:\WINNT\system32\taskmgr.exe
-----> C:\WINNT\system32\msiexec.exe <------- SUSPECT file!!
I:\IT Support\Security Tools\Advanced Tools\Hijack This\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
SoundMan = SOUNDMAN.EXE
NeroCheck = C:\WINNT\system32\\NeroCheck.exe
InCD = C:\Program Files\Ahead\InCD\InCD.exe
TNStart = C:\WINNT\Technesis\WorkStation\Start\Tnstart.exe
vptray = C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[Autodesk MapGuide ActiveX Control]
InProcServer32 = C:\Program Files\Autodesk\MapGuide Viewer\MgAxCtrl.dll
CODEBASE = http://www.maricopa....in/mgaxctrl.cab

[AcDcToday Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACDCTO~1.OCX
CODEBASE = file://C:\Program Files\Land Desktop R2\AcDcToday.ocx

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...7890.5528472222

[NOXLATE]
InProcServer32 = C:\WINNT\DOWNLO~1\InstFred.ocx
CODEBASE = file://C:\Program Files\Land Desktop R2\InstFred.ocx

[AcPreview Control]
InProcServer32 = C:\WINNT\DOWNLO~1\ACPREV~1.OCX
CODEBASE = file://C:\Program Files\Land Desktop R2\AcPreview.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,600 bytes
Report generated in 0.016 seconds

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks for your help! I will watch for comments in the forum and on the board~
Highlander

#2 sikshot

sikshot

    K-Mang

  • Full Member
  • Pip
  • 20 posts

Posted 19 November 2004 - 03:31 AM

Did you figure out how to properly fix this because I am suffering this problem too.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button