Malware Removal Instructions

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 29 June 2011

Remove Msiexec.exe Trojan (Uninstall Guide)

Posted on 11:58 by Unknown
In the last few weeks we've heard numerous cases of people getting User Account Control (UAC) notifications asking them to allow msiexec.exe tu run. When we got the first e-mail, we thought that the user is experiencing system error but after quite a bit of research we found out that it was a Trojan horse masquerading as msiexec.exe. The Trojan was located in Users directory: C:\Users\[UserName]\msiexec.exe.
User Account Control
Do you want to allow the following program from an
unknown publisher to make changes to this computer?
Program name: msiexec.exe
Publisher: Unknown
File origin: Hard drive on this computer


The legitimate msiexec.exe program that interprets packages and installs products is located in C:\Windows\System32 folder. But the problem is that cyber criminals try to avoid antivirus detections and confuse users by giving a malicious program the same name of some other legit programs. And when you do a Google search on the word 'msiexec.exe', you're presented with a list of results saying that it's a legitimate Windows program. In this case, the file location of the malicious msiexec.exe program (C:\Users\[UserName]\msiexec.exe) clearly indicates that it pretends to be something it's not. You can upload suspicious files to VirusTotal or Jotti to see if your suspicions were correct.

The malicious msiexec.exe downloads additional malware onto your computer. Even if you delete it manually, it may reappear after you reboot your computer. That's why we strongly recommend you to scan your computer with anti-malware software.

Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Important! Do not delete the legitimate msiexec.exe located in C:\Windows\System32 folder.

If you need help removing the msiexec.exe Trojan horse, please a comment below. Good luck and be safe online!

Associated Msiexec.exe files and registry values:

Files:
  • C:\Windows\System32\strmdll32.dll
  • C:\Windows\System32\mycomput32.exe
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270C.manifest
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270S.manifest
  • C:\Windows\System32WINDIR%\SYSTEM32\avicap3232.dll
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270P.manifest
  • C:\Windows\System32\SYSTEM32\248321536
  • C:\Windows\System32\SYSTEM32\msorcl3232.exe
  • %Temp%\WER11.tmp
  • %Temp%\2BA98D.dmp
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)
  • HKEY_CURRENT_USER\SOFTWARE\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\PERSISTENTHANDLER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{CA80A1DF-1993-458D-B1C5-8893EC9E5770}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\CLSID\
Share the knowledge:
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in Trojans | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • What is wrtc.exe and how to remove it?
    wrtc.exe - by Perion Network Ltd. What is wrtc.exe? wrtc.exe is a part of IncrediMail software, digitally signed by Perion Network Ltd. This...
  • Remove ShopperReports (Uninstall Guide)
    ShopperReports is defined as adware or a potentially unwanted program that displays marketing related results in a side pane of the browser...
  • Trojan.MBRlock, Внимание! Ваш компьютер заблокирован
    Trojan.MBRlock is a very disturbing piece of malicious code which infects the master boot record (MBR) and prevents Windows from starting. ...
  • False Positive: Ikarus and Comodo detecting TDSSKiller as a Trojan horse
    This awkward moment when you realize that your favorite rootkit removal utility is detected as malware. I probably wouldn't even have no...
  • Remove RiskTool.Win32.BitCoinMiner (Uninstall Guide)
    RiskTool.Win32.BitCoinMiner is a risk tool or potentially unwanted application that may use your computer's resources to generate bitco...
  • Remove Rattlingsearchsystem.com (Uninstall Guide)
    Rattlingsearchsystem.com is a ZeroAccess/Sirefef rootkit-related browser hijacker that redirects users to shady websites while searching on...
  • Remove TR/ATRAPS.Gen2, removal instructions
    Cyber crooks and third parties that buy stolen data are increasingly using more and more sophisticated techniques, in a variety of different...
  • Remove Ask Search and Ask Toolbar (Uninstall Guide)
    Ask Search and Ask Toolbar are very often incorrectly classified as virus/spyware that may cause search redirects. The majority of us pref...
  • How to remove 'TidyNetwork' adware virus from your computer
    As internet users most of us have seen those irritating little pop-up windows that are advertising something that we normally have little or...
  • Remove Windows Attention Utility (Uninstall Guide)
    Windows Attention Utility is a rogue security application that generates misleading warnings about nonexistent viruses and attempts to lure...

Categories

  • Adware
  • Answers
  • Antivirus software
  • Browser Hijackers
  • Cloud Computing
  • Fake Alerts
  • Giveaways
  • Hoax
  • How-To
  • IaaS
  • Internet
  • Malicious websites
  • Malware
  • PaaS
  • Parental Controls
  • Passwords
  • Phishing
  • Process Information
  • Ransomware
  • Rogue programs
  • Rootkits
  • SaaS
  • Security Advisories
  • Spam
  • Spyware
  • Trojans
  • Viruses
  • Web Browsers
  • Worms

Blog Archive

  • ►  2013 (173)
    • ►  December (6)
    • ►  November (13)
    • ►  October (11)
    • ►  September (20)
    • ►  August (4)
    • ►  July (17)
    • ►  June (31)
    • ►  May (25)
    • ►  April (15)
    • ►  March (17)
    • ►  February (7)
    • ►  January (7)
  • ►  2012 (86)
    • ►  November (2)
    • ►  October (4)
    • ►  September (6)
    • ►  August (6)
    • ►  July (11)
    • ►  June (1)
    • ►  May (5)
    • ►  April (7)
    • ►  March (7)
    • ►  February (17)
    • ►  January (20)
  • ▼  2011 (239)
    • ►  December (8)
    • ►  November (18)
    • ►  October (21)
    • ►  September (24)
    • ►  August (28)
    • ►  July (32)
    • ▼  June (16)
      • Remove Msiexec.exe Trojan (Uninstall Guide)
      • Remove Android.Ggtracker (Uninstall Guide)
      • Remove QuestScan (Uninstall Guide)
      • Remove Android.Tonclank (Uninstall Guide)
      • Remove Android.Lightdd (Uninstall Guide)
      • Remove METROPOLITAN POLICE Ransomware (Uninstall G...
      • Remove Windows XP Repair (Uninstall Guide)
      • Remove ShopperReports (Uninstall Guide)
      • Remove Windows XP Restore (Uninstall Guide)
      • How to Remove "Security Protection" (Uninstall Guide)
      • How to Remove Milestone Antivirus (Uninstall Guide)
      • Remove Vista Antispyware 2012, Win 7 Internet Secu...
      • Remove Trojan-BNK.Win32.Keylogger.gen (Uninstall G...
      • Remove XP Antispyware 2012, XP Internet Security 2...
      • How to Remove Security Essentials Ultimate Pack (U...
      • Parental Controls and Internet Filters
    • ►  May (23)
    • ►  April (15)
    • ►  March (16)
    • ►  February (9)
    • ►  January (29)
  • ►  2010 (2)
    • ►  December (2)
Powered by Blogger.

About Me

Unknown
View my complete profile