
Wednesday, June 29, 2011

Remove Msiexec.exe Trojan (Uninstall Guide)

In the last few weeks we've heard of numerous cases of people getting User Account Control (UAC) notifications asking them to allow msiexec.exe to run. When we got the first e-mail, we thought the user was experiencing a system error, but after quite a bit of research we found out that it was a Trojan horse masquerading as msiexec.exe. The Trojan was located in the Users directory: C:\Users\[UserName]\msiexec.exe.
User Account Control
Do you want to allow the following program from an
unknown publisher to make changes to this computer?
Program name: msiexec.exe
Publisher: Unknown
File origin: Hard drive on this computer


The legitimate msiexec.exe program, which interprets installer packages and installs products, is located in the C:\Windows\System32 folder. The problem is that cyber criminals try to avoid antivirus detection and confuse users by giving a malicious program the same name as a legitimate one. When you do a Google search for 'msiexec.exe', you're presented with a list of results saying that it's a legitimate Windows program. In this case, the location of the malicious msiexec.exe (C:\Users\[UserName]\msiexec.exe) clearly indicates that it pretends to be something it's not. You can upload suspicious files to VirusTotal or Jotti to see if your suspicions are correct.

The malicious msiexec.exe downloads additional malware onto your computer. Even if you delete it manually, it may reappear after you reboot your computer. That's why we strongly recommend that you scan your computer with anti-malware software.

Download recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this virus from your computer.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

Important! Do not delete the legitimate msiexec.exe located in C:\Windows\System32 folder.
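As an added example (not code from the original post; it assumes PowerShell 4.0 or later for Get-FileHash and an elevated prompt), a report-only script that turns the "wrong location" observation above into checks: it looks for msiexec.exe in the two user-profile locations the post names, shows whether each copy carries a valid signature, flags running msiexec processes whose image is outside System32/SysWOW64, and lists Run entries that launch something from a user profile. It deletes nothing.

```powershell
# Added example: triage for a msiexec.exe masquerade. Read-only; review the output, then
# remove with the anti-malware tools described above. Assumes PowerShell 4.0+ (Get-FileHash).
$legitDirs = @("$env:WINDIR\System32", "$env:WINDIR\SysWOW64")

function Test-InSystemDir([string]$Path) {
    foreach ($dir in $legitDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. A copy of msiexec.exe in a profile root or its Temp folder, the two places the post names.
$profilesRoot = Split-Path $env:USERPROFILE -Parent
foreach ($profile in Get-ChildItem -Path $profilesRoot -Directory) {
    foreach ($rel in @('msiexec.exe', 'AppData\Local\Temp\msiexec.exe')) {
        $candidate = Join-Path $profile.FullName $rel
        if (Test-Path -LiteralPath $candidate) {
            $sig = Get-AuthenticodeSignature -FilePath $candidate   # the real one is Microsoft-signed
            [PSCustomObject]@{
                Finding   = 'msiexec.exe outside the system directories'
                Path      = $candidate
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash  # for a VirusTotal lookup
            }
        }
    }
}

# 2. Running msiexec processes whose image is not the installer binary in System32/SysWOW64.
Get-Process -Name msiexec -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and -not (Test-InSystemDir $_.Path) } |
    ForEach-Object {
        [PSCustomObject]@{ Finding = 'msiexec process from a non-system path'; Path = $_.Path; ProcessId = $_.Id }
    }

# 3. Run entries whose command lives under a user profile (the persistence seen in the
#    comments was a value under HKCU\...\CurrentVersion\Run). 'PS*' skips the provider's metadata.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$prop.Value
        if ($cmd -like "*$profilesRoot*") {
            [PSCustomObject]@{ Finding = 'Run entry launching from a user profile'; Key = "$key\$($prop.Name)"; Command = $cmd }
        }
    }
}
```

A copy whose Signature is anything other than Valid with a Microsoft signer, or any Run entry pointing into a profile folder, is what to hand to the scanners and to VirusTotal.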

If you need help removing the msiexec.exe Trojan horse, please leave a comment below. Good luck and be safe online!


Associated Msiexec.exe files and registry values:

Files:
  • C:\Windows\System32\strmdll32.dll
  • C:\Windows\System32\mycomput32.exe
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270C.manifest
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270S.manifest
  • C:\Windows\System32WINDIR%\SYSTEM32\avicap3232.dll
  • C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270P.manifest
  • C:\Windows\System32\SYSTEM32\248321536
  • C:\Windows\System32\SYSTEM32\msorcl3232.exe
  • %Temp%\WER11.tmp
  • %Temp%\2BA98D.dmp
%Temp% refers to:
C:\Documents and Settings\[UserName]\Local Settings\Temp (in Windows 2000/XP)
C:\Users\[UserName]\AppData\Local\Temp (in Windows Vista & Windows 7)

Registry values:
  • HKEY_CURRENT_USER\SOFTWARE\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\
  • HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\PERSISTENTHANDLER\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\INPROCSERVER32\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{CA80A1DF-1993-458D-B1C5-8893EC9E5770}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\
  • HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\CLSID\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\
  • HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\CLSID\

14 comments:

Anonymous said...

Hi, I am having this exact problem. I tried to remove it manually in the 'User name'/AppData/Local/Temp folder, but I restarted my computer and it returned. I have scanned the computer with AVG 2011 Free edition. I scanned it with MalwareBytes Anti-malware. I have been searching for hours on how to remove this trojan. Is there anything you could tell me that could help me? It seems not to be recognized by the MalwareBytes Anti-malware that you suggested. I even found the file, right-clicked it, and clicked "Scan with MalwareBytes Anti-Malware".

I would greatly appreciate any help. Thank you so much!

Anonymous said...

I manually deleted it and it reappeared the next day. My antivirus software (Panda) isn't picking it up as malware or a virus, but a couple of other antivirus programs did when I ran the file through virscan.org. I haven't let it run on my computer yet. How can I get rid of it?

Anonymous said...

Same problem, please help!

Anonymous said...

This is the exact problem that I've been encountering and I've followed the instructions and scanned it with SUPERAntiSpyware complete with updates. However, the scan only picked up tracking cookies and made me reboot my computer. After I rebooted, msiexec.exe was asking again for permission. It just keeps coming back. Like the anonymous above me, I manually delete it from the Temp folder, which temporarily solves the problem... until I restart my computer. Please help!! (By the way, this is the first site where I found this exact problem, so thank you.)

Admin said...

C:\Users\[UserName]\msiexec.exe: you should delete this file manually too, not only the ones in the Temp folder. Besides, there might be related malicious files in the C:\Windows\System32 folder, for example:

C:\Windows\System32\strmdll32.dll
C:\Windows\System32\mycomput32.exe

However, it's too risky to delete such files manually, as the Trojan might have infected the legitimate files as well. I suggest you scan your computer with multiple malware removal tools. Hitman Pro is one of my favourites.

Good luck!

Anonymous said...

Had this exact problem and I was suspicious of it. Found lots of information by googling it saying that it was safe. I still had my doubts. Came across this site and I'm glad I didn't just let it install. Thanks to the post above me, I tried Hitman Pro at the link in the article and it indeed identified the malware and removed it. It was still prompting me to let it update, but I clicked no and it went away.

I have yet to see if it returns when I restart.

Anonymous said...

Yes! Thank you so much for your help. I downloaded SUPERAntiSpyware and it worked. It hasn't come back. Really appreciate it!

Anonymous said...

I deleted msiexec.exe but I can't delete iesysprep32 and api-ms-win-core-memory-|1-1-032 because those are open in memory.
How can I close those files? Please, can somebody help me? Thanks.

Anonymous said...

Thanks for this post. I spent a day trying to figure out what it was and how to get rid of it. It was finally recognized by Malware, the second free application I tried after my Norton 360 did not detect it. Here's an excerpt from the log file.

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7033

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

7/6/2011 12:28:24 PM
mbam-log-2011-07-06 (12-28-24).txt

Scan type: Quick scan
Objects scanned: 178577
Time elapsed: 5 minute(s), 47 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\-333844151 (Trojan.Tracur) -> Value: -333844151 -> Quarantined and deleted successfully.

Anonymous said...

Hi,
I think I have this virus on my computer too; my internet has gone into emergency mode and therefore I cannot use it. I'm running a Malwarebytes' Anti-Malware scan now, but I don't pay for it, so I don't know if it's going to work. If it doesn't, what else can I do?? I can't even download any other malware tools off the internet. PLEASE HELP!

Anonymous said...

Hi,
I am having the exact same problem as those above. I don't pay for any of the malware removal software and therefore don't think it's going to fix my problem. What can I do? I would download some software off of the internet, but due to the virus I am obviously unable to do so. PLEASE HELP!

Admin said...

Please reboot your computer in safe mode with networking and download this tool called TDSSKiller by Kaspersky. I'm pretty sure you've been infected by a rootkit. You must remove it before running any anti-malware software. Good luck!

Anonymous said...

I think I have a similar problem, but I'm not quite sure. Would this matter give me problems when uninstalling and installing programs? For example, I am having endless problems trying to get iTunes to recognize my iPod; I have uninstalled and then installed X amount of times. When uninstalling some of the Apple software, an error with something about msiexec.exe appears. I have installed the suggested SUPERAntiSpyware, but when I try to run it all that loads up is the blue header at the top... Any suggestions much appreciated.
Thanks!

Anonymous said...

HELLO THERE!!! I AM ALSO HAVING THIS SAME PROBLEM WITH YOU BUT THE ONLY DIFFERENCE IS THAT IT IS NOT "Msiexec.exe"; ITS FILE NAME IS "Explorer.EXE" AND I COULDN'T FIND IT. AS YOU CAN SEE, THIS "Explorer.EXE" IS DIFFERENT FROM THE "explorer.exe" THAT WE HAVE IN OUR PROGRAM.

HOW CAN I REMOVE THIS FILE...THANKS FOR HELP IF THERE IS SOMEONE WHO CAN HELP ME...