MSIEXEC.EXE Infected ??

Greetings to all. Something strange has started happening to my PC the last day or so, and I was wondering if anyone has seen these symptoms before. OS is Win2000.

  1. Mouse pointer became very erratic, mostly only in Opera.

  2. Printer quit working; re-installation did nothing, then after several attempts it suddenly started working again.

  3. When launching My Computer, Control Panel, or Search from the Start bar, …\system32\msiexec.exe starts, but instead of getting the appropriate new window, a launcher would start telling me that it was trying to install Adobe Acrobat 7.0, which is already installed. Not only that, but the new install window would open 4 times, requiring 4 cancellations. This action does not occur every time, maybe once every 3 to 5 tries.

Avast is up to date, but the scans see nothing.
Rest of the PC seems to be OK but hard to tell.

This strange activity started yesterday after the erratic mouse activity in Opera. I thought it was a stability problem with Opera (wouldn’t be the first), and upgraded to v9.1, but at that time I received a notice that a new Java update was available also, which I accepted, maybe to my detriment. The Java appeared to come from Sun, but I was busy at that time and didn’t document it like I should have.

Thanks for any advice you can provide. At this point I’m presuming this is a Rustock/Rootkit manifestation, but would like any information that can be provided before I start.

Thanks for any words of wisdom.

Billcito.

Maybe it would be better to uninstall version 7 and get the new version 8.
Microsoft released a tool that can ‘clean’ the Add/Remove Programs applet and other Registry keys in order to make .msi files work. You need to use the tool, install the ‘faulty’ application again and then uninstall it. In this case, version 7 of Acrobat.
The tool is… here… I’ll Google… http://support.microsoft.com/?scid=kb%3Ben-us%3B290301&x=20&y=15

Try visiting this page http://www.antirootkit.com/software/index.htm for antirootkit detection, removal & protection.

Full computer on-line scanning:
Kaspersky
Trendmicro housecall
Ewido
F-Secure
Spysweeper

Thanks Tech for the Installer update info.

Can you tell me if the Installer update will require the entire list of programs it finds to be reinstalled, or just those that you select? The list was almost the entire computer, and the MS message wasn’t clear in that respect.

Update:

  1. There is no SAFE mode to boot into.

  2. Each of the online scan sources you listed has a problem. The bug seems to infect the msiexec.exe program such that the downloads are slowed to the point of being impossible to download and/or install. When MSIE is required to run the Java and ActiveX scanners, the MSIE program begins to adjust token privileges in a repetitive endless loop. This is blocked by the TINY firewall, but chews up 98% of processor time. Java, although installed as mentioned in my first post, was required to be reinstalled, which could not be done due to endless loops of writing to the same few registry files.

  3. TINY is also telling me that Yahoo Messenger files (ymsgr.exe) and Logitech webcam files (elkctrl.exe) are now injecting code into other processes upon boot up.

I’ve now wasted 2 days on this. If anyone has any ideas about what may cause these symptoms and can save me a few hours, it would be appreciated.

MS tool gets the list of installed programs.
You (the user) manually delete the specific entry that is causing trouble. Leave the others there, unchecked, of course…
You start the installation again and you uninstall the program later.
The tool is only a ‘database’ corrector, in order to allow you to uninstall and install again.

SafeMode (repeatedly press F8 while booting): http://support.microsoft.com/default.aspx?scid=kb;en-us;315222
Or download a freeware application to do so: http://www.snapfiles.com/get/bootsafe.html

You can download them on another computer, but most probably you won’t be able to run (install) them even in Safe Mode.

Strange… especially the last one; I don’t know what that executable file is…

I’m trying but, sorry, I’m not an expert on cleaning… :-[
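As an added illustration of the triage behind the cleanup-tool procedure above (this is not code from the thread or from Microsoft's tool): before deleting an entry, it helps to know which Windows Installer product registration keeps forcing msiexec.exe to run. Installer self-repair writes events with source "MsiInstaller" (IDs 1001 and 1004) to the Application log naming the product, feature and component whose detection failed, and the product's registration lives both under the Uninstall key that Add/Remove Programs shows and under the Installer's own Products key. The script assumes a current Windows host with PowerShell 3 or later (the original poster's Windows 2000 machine would need the same lookups done by hand in Event Viewer and regedit); the `$NamePattern` parameter and function names are this example's own.

```powershell
# Added example, not from the thread: locate the Windows Installer
# registration behind a repeated self-repair ("trying to install X")
# prompt, so the right entry can be removed with the Installer cleanup
# tool. Assumes PowerShell 3+ on a current Windows host.
param([string]$NamePattern = 'Acrobat')

# 1. Self-repair attempts are logged by source "MsiInstaller" in the
#    Application log; IDs 1001/1004 name the product, feature and
#    component whose detection failed (the component path is the
#    resource whose absence triggers msiexec.exe every time).
function Get-MsiRepairEvents {
    param([int]$Newest = 50)
    Get-EventLog -LogName Application -Source MsiInstaller -Newest $Newest -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -in 1001, 1004 } |
        Select-Object TimeGenerated, EventID, Message
}

# 2. Add/Remove Programs entries. For MSI-based installs the key name
#    is the {GUID} product code, which is what msiexec.exe /x expects.
function Get-MsiProductRegistrations {
    param([string]$Pattern)
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                ProductCode     = $_.PSChildName
                UninstallString = $_.UninstallString
            }
        }
}

# 3. The Installer's own per-product registration (key names are the
#    product GUID in its "squished" byte-reversed form). This is the
#    registration a cleanup tool deletes when it drops a product.
function Get-InstallerProductEntries {
    param([string]$Pattern)
    Get-ChildItem 'HKLM:\SOFTWARE\Classes\Installer\Products' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.ProductName -match $Pattern) {
                [pscustomobject]@{ ProductName = $props.ProductName; Key = $_.PSChildName }
            }
        }
}

'--- Recent MsiInstaller self-repair events ---'
Get-MsiRepairEvents | Format-List
"--- Add/Remove Programs entries matching '$NamePattern' ---"
Get-MsiProductRegistrations -Pattern $NamePattern | Format-Table -AutoSize
"--- Installer product registrations matching '$NamePattern' ---"
Get-InstallerProductEntries -Pattern $NamePattern | Format-Table -AutoSize
```

Two practical notes: the script reads the registry directly rather than querying the Win32_Product WMI class, because enumerating Win32_Product itself runs a consistency check on every installed product and can trigger exactly the self-repair being investigated; and a broken product registration explains only the repair prompts, not the other symptoms in the thread, so if a compromised msiexec.exe is suspected, compare its hash and signature against a known-good copy from installation media rather than trusting the registry view.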

Tech,

Thanks again for your suggestions and time. They were greatly appreciated. Unfortunately, at this point all is dead. Everything deteriorated very rapidly yesterday until the BIOS self-destructed, no POST, nada.

The thing walked right past the latest updates of AVAST HE, maybe even modifying it also, since several scans produced nothing. With the TINY firewall, I could see it, but just couldn’t take action fast enough. Will start from scratch.

Again, thank you very much for everything.

Billcito

PS - No SAFE mode meant that the machine would not enter SAFE mode, but would only come to a halt shortly after starting the process, as if it had been disconnected by the virus/worm or whatever; I assume it to be a result of the infection.

You’re welcome. De nada :wink:

Maybe you can plug this HDD into another computer and make a backup of some documents, leaving the executables and installed programs behind…