Malware Removal Instructions

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Wednesday, 29 June 2011

Remove Msiexec.exe Trojan (Uninstall Guide)

Posted on 11:58 by Unknown
In the last few weeks we've heard numerous cases of people getting User Account Control (UAC) notifications asking them to allow msiexec.exe tu run. When we got the first e-mail, we thought that the user is experiencing system error but after quite a bit of research we found out that it was a Trojan horse masquerading as msiexec.exe. The Trojan was located in Users directory: C:\Users\[UserName]\msiexec.exe.
User Account Control
Do you want to allow the following program from an
unknown publisher to make changes to this computer?
Program name: msiexec.exe
Publisher: Unknown
File origin: Hard drive on this computer


The legitimate msiexec.exe program that interprets packages and installs products is located in C:\Windows\System32 folder. But the problem is that cyber criminals try to avoid antivirus detections and confuse users by giving a malicious program the same name of some other legit programs. And when you do a Google search on the word 'msiexec.exe', you're presented with a list of results saying that it's a legitimate Windows program. In this case, the file location of the malicious msiexec.exe program (C:\Users\[UserName]\msiexec.exe) clearly indicates that it pretends to be something it's not. You can upload suspicious files to VirusTotal or Jotti to see if your suspicions were correct.

The malicious msiexec.exe downloads additional malware onto your computer. Even if you delete it manually, it may reappear after you reboot your computer. That's why we strongly recommend you to scan your computer with anti-malware software.

Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Important! Do not delete the legitimate msiexec.exe located in C:\Windows\System32 folder.

If you need help removing the msiexec.exe Trojan horse, please a comment below. Good luck and be safe online!

Associated Msiexec.exe files and registry values:

Files:
  • C:\Windows\System32\strmdll32.dll
  • C:\Windows\System32\mycomput32.exe
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270C.manifest
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270S.manifest
  • C:\Windows\System32WINDIR%\SYSTEM32\avicap3232.dll
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270P.manifest
  • C:\Windows\System32\SYSTEM32\248321536
  • C:\Windows\System32\SYSTEM32\msorcl3232.exe
  • %Temp%\WER11.tmp
  • %Temp%\2BA98D.dmp
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)
  • HKEY_CURRENT_USER\SOFTWARE\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\PERSISTENTHANDLER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{CA80A1DF-1993-458D-B1C5-8893EC9E5770}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\CLSID\
Share the knowledge:
Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in Trojans | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Remove Ask Search and Ask Toolbar (Uninstall Guide)
    Ask Search and Ask Toolbar are very often incorrectly classified as virus/spyware that may cause search redirects. The majority of us pref...
  • Facebook Security and Privacy Best Practices
    Facebook is the most popular social networking site. Nearly all of my friends have Facebook accounts. They log on to Facebook at least a cou...
  • What is wrtc.exe and how to remove it?
    wrtc.exe - by Perion Network Ltd. What is wrtc.exe? wrtc.exe is a part of IncrediMail software, digitally signed by Perion Network Ltd. This...
  • Smartphone Security: Using Your Mobile Phone Safely
    Smartphone is like a little copy of your computer with lots of personal information: photos, text messages, access to e-mail account and oth...
  • Remove ShopperReports (Uninstall Guide)
    ShopperReports is defined as adware or a potentially unwanted program that displays marketing related results in a side pane of the browser...
  • Antispyis.com and other Antivirus Scan related domains
    New additions of misleading websites which promote a rogue security application called Antivirus Scan. antispyis.com afantispy.net softwaree...
  • Trojan.MBRlock, Внимание! Ваш компьютер заблокирован
    Trojan.MBRlock is a very disturbing piece of malicious code which infects the master boot record (MBR) and prevents Windows from starting. ...
  • False Positive: Ikarus and Comodo detecting TDSSKiller as a Trojan horse
    This awkward moment when you realize that your favorite rootkit removal utility is detected as malware. I probably wouldn't even have no...
  • Antivired.com and other Antivirus Monitor Related Domains
    Just a short note about several malicious domains related to the Antivirus Monitor fraud. This rogue anti-virus program reports non-existent...
  • WebCake Adware Removal Guide
    If you’re reading this it is very likely that your computer is infected with WebCake adware which displays extremely obnoxious and intrusiv...

Categories

  • Adware
  • Answers
  • Antivirus software
  • Browser Hijackers
  • Cloud Computing
  • Fake Alerts
  • Giveaways
  • Hoax
  • How-To
  • IaaS
  • Internet
  • Malicious websites
  • Malware
  • PaaS
  • Parental Controls
  • Passwords
  • Phishing
  • Process Information
  • Ransomware
  • Rogue programs
  • Rootkits
  • SaaS
  • Security Advisories
  • Spam
  • Spyware
  • Trojans
  • Viruses
  • Web Browsers
  • Worms

Blog Archive

  • ►  2013 (173)
    • ►  December (6)
    • ►  November (13)
    • ►  October (11)
    • ►  September (20)
    • ►  August (4)
    • ►  July (17)
    • ►  June (31)
    • ►  May (25)
    • ►  April (15)
    • ►  March (17)
    • ►  February (7)
    • ►  January (7)
  • ►  2012 (86)
    • ►  November (2)
    • ►  October (4)
    • ►  September (6)
    • ►  August (6)
    • ►  July (11)
    • ►  June (1)
    • ►  May (5)
    • ►  April (7)
    • ►  March (7)
    • ►  February (17)
    • ►  January (20)
  • ▼  2011 (239)
    • ►  December (8)
    • ►  November (18)
    • ►  October (21)
    • ►  September (24)
    • ►  August (28)
    • ►  July (32)
    • ▼  June (16)
      • Remove Msiexec.exe Trojan (Uninstall Guide)
      • Remove Android.Ggtracker (Uninstall Guide)
      • Remove QuestScan (Uninstall Guide)
      • Remove Android.Tonclank (Uninstall Guide)
      • Remove Android.Lightdd (Uninstall Guide)
      • Remove METROPOLITAN POLICE Ransomware (Uninstall G...
      • Remove Windows XP Repair (Uninstall Guide)
      • Remove ShopperReports (Uninstall Guide)
      • Remove Windows XP Restore (Uninstall Guide)
      • How to Remove "Security Protection" (Uninstall Guide)
      • How to Remove Milestone Antivirus (Uninstall Guide)
      • Remove Vista Antispyware 2012, Win 7 Internet Secu...
      • Remove Trojan-BNK.Win32.Keylogger.gen (Uninstall G...
      • Remove XP Antispyware 2012, XP Internet Security 2...
      • How to Remove Security Essentials Ultimate Pack (U...
      • Parental Controls and Internet Filters
    • ►  May (23)
    • ►  April (15)
    • ►  March (16)
    • ►  February (9)
    • ►  January (29)
  • ►  2010 (2)
    • ►  December (2)
Powered by Blogger.

About Me

Unknown
View my complete profile