msiexec.exe malware issue amongst other issues

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
hello there.. What a nightmare. I've been having serious issues with my old Vista computer I use
for my database with my work at home job and it stores basically my whole life. So I really need
this computer and it CANNOT GO DOWN.

I won't bombard you with all the issues at once but the most pressing first and the one that I think
is causing the most issues right away. .... I noticed my computer being pegged at 100 CPU with jumps
down to 40 at times and then going back up. I noticed the file msiexec.exe in Task Manager having high
CPU usage so I read up on it and found out that it can be compromised by a virus making an exact
name file and placing it in another directory. I searched and sure enough msiexec.exe is where it should
be in /Windows/System32/msiexec.exe AND IT'S ALSO in /Windows/Installer/{0C7DD44-3328-4737-A49B-F4017F53C8C1} . I assume that is not supposed to be there. So.... if not, how do I get it off, as I read it
can be deleted but then comes right back at times.

With my computer being extremely slow for weeks I've done at least 20 malware / virus scans
and it never picked it up but it did pick up others but many of them came back and I can only guess
it's because the msiexec.exe didn't fully get deleted so I'd like to start there....

So.. Do I just delete it ? Would that work ?

Gerald
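The question above is whether a second msiexec.exe outside System32 is legitimate. The check a responder would run is to list every copy of the file, read its Authenticode signature and compare its hash with the System32 copy. The script below is an added example written for this thread, not something posted by the thread author or shipped with any tool named here; it assumes an elevated prompt and PowerShell 4.0 or later (for Get-FileHash), which is newer than the Vista machine in the thread, where the same facts are visible by hand on the file's Properties > Digital Signatures tab.

```powershell
# Added example (not from the thread): inventory every msiexec.exe under the
# Windows directory and report signature status and whether the SHA-256 hash
# matches the canonical System32 copy. Reporting only; nothing is deleted.
# Assumes an elevated prompt and PowerShell 4.0+ (Get-FileHash).

function Find-MsiexecCopy {
    $canonical     = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $referenceHash = (Get-FileHash -Path $canonical -Algorithm SHA256).Hash

    # -Force includes hidden/system folders such as Windows\Installer, which is
    # where the thread author found the second copy.
    $copies = Get-ChildItem -Path $env:SystemRoot -Filter 'msiexec.exe' `
                            -Recurse -Force -File -ErrorAction SilentlyContinue

    foreach ($file in $copies) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        [PSCustomObject]@{
            Path            = $file.FullName
            SizeBytes       = $file.Length
            SignatureStatus = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer          = $signer
            MatchesSystem32 = ($hash -eq $referenceHash)
        }
    }
}

# Show every copy; the suspicious ones are unsigned or signed by someone other
# than Microsoft and sit outside System32 / SysWOW64 / WinSxS.
Find-MsiexecCopy | Sort-Object SignatureStatus, Path | Format-Table -AutoSize
```

On 64-bit Windows the SysWOW64 and WinSxS copies are Microsoft-signed but will not hash-match the System32 file, so the hash column is informational; the signature status and location are what decide whether a copy belongs there.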
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Sorry it's taken so long, computer SO SLOW. Each click I do takes me one minute or longer until the computer catches up with itself... as stated before I think there is much more going on here but started with this. Also I'd like to add about once or twice a day I'll get about 5 tabs that open and it's a redirect site that wants your business and if I remember correctly the address is something like wwwp2pp.com or p2p.com.. sorry, don't remember..

Anyway, here are the files..
 

Attachments

  • Addition.txt (46.4 KB)
  • FRST.txt (47.1 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Fix with Farbar Recovery Scan Tool

Warning: This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • Fixlist.txt (5.2 KB)

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Uggh, my computer is painfully slow... by this rate, I'll be up all night just doing this.

I just wanted to "interrupt" our regular scheduled programming to say and write this in this thread
before I forgot....
My CPU is pegged at 100% and I'm seeing CMD.EXE (2) Processes using up (EACH)
about 30 - 35% CPU . Also seeing some strange ones I've never seen in the TM before such as
the CMD.EXE (btw NO Command windows are open) and CSRSS (using some cpu also).. Just wanted to throw that in there.. I'll post that fixlog.txt here shortly.
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Thanks for all your help still..

Here is the file. Computer still seems unresponsive for 20 or 30 seconds at a time when copying files, opening folders, etc, etc
 

Attachments

  • Fixlog.txt (13.6 KB)

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Argus ,

EMERGENCY!!!! I don't know what was in the file you had me download and do but now I CANNOT OPEN my Outlook Express.
Something about can't find certain files and the data could be in orphan accounts? and can't find a MSQ.dll file (or something
to that nature). I rely on this computer for my work and this is DEVASTATING. Did I lose my data?? I couldn't help but read that text file I uploaded and from what I saw it looked like Outlook Express folders were moved around or manipulated ?????? HELP !!!!! What did that FIXLIST DO to my computer !! ??
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Your system was full of malware.

What is exactly written when you turn on Outlook?
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
(outlook express, just to clarify, Not OutLook)

Windows Mail cannot be started. The application was unable to open the Windows Mail message store.
Windows Mail was unable to locate its message database. If you've moved the database files to a new location, click OK to reset the database path to that location. Otherwise, click Cancel to proceed; any existing messages found will be available under Orphaned Accounts. (0,00000000, 1008) (Here I can click OK or Cancel).. ???

I understand I may have had malware but I could still read my mail. I hope the mail folders were not erased. This would be totally devastating. Windows Mail could not be started because MSOE.DLL could not be initialized.
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Good Morning Argus..

This is weird.. I try and type msconfig.exe or cmd.exe or ANYTHING in the Start / Run box and nothing happens. I hit search everywhere and it doesn't find any of these? It doesn't do anything when I type anything in that box. No search, nothing. It's like I'm typing something in Notepad.exe.. BUT, for example, if I go to Start -- Accessories --- Notepad , it works and comes right up. But if I use the run box for msconfig / cmd, etc nothing works. I have to click the Search Everywhere / Search Internet and I chose Search Everywhere.

***EDIT**

*Argus, I did a search (by typing Inbox and Sent Items in the search box under START) but it won't search, I have to click on "Search Everywhere". So something fishy is going on there.. BUT... I have located my sent and inbox under C:/Users/gheddleson/AppData/Local/Microsoft/Windows Mail/Local Folders/Inbox
Something needs to be put back to the way it was before. Something in the structure (?) (Yes, I have no idea what I'm talking about) seems to have been messed up, or... ? When I try and tell Windows Mail where the folders are it says I may be out of disk space or out of memory and then it gives me that MSQE.dll error again. I can see all my mail folders like (inbox, outbox, sent, etc etc) but I can't seem to get my Outlook Express to even work properly.
Very sorry for the long post.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Download Malwarebytes Anti-Rootkit to your desktop.
  • Double-click the icon to start the tool.
  • It will ask you where to extract it, then it will start.
  • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
  • Click in the introduction screen "next" to continue.
  • Click in the following screen "Update" to obtain the latest malware definitions.
  • Once the update is complete select "Next" and click "Scan".
  • When the scan is finished and no malware has been found select "Exit".
  • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
  • Open the MBAR folder and paste the content of the following files in your next reply:
    • "mbar-log-{date} (xx-xx-xx).txt"
    • "system-log.txt"
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Great, now my internet explorer doesn't work.
oops, didn't see what you posted. let me try that.

Thanks for your continued support Argus, will donate
when I can when we get this running !!
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Re-enable downloads in Internet Explorer
  1. Close all Internet Explorer windows.
  2. Press the Windows key + R.
  3. Type inetcpl.cpl into the Open field and click OK. This will open Internet Properties (otherwise known as Internet Options). (Figure 1-1)
  4. Click the Security tab, then Reset all zones to default level. (Figure 1-2)
  5. When you are finished, click OK to save your changes.



I need MBAR log
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
If You have any doubt about my expert knowledge, please forward this Fixlist to any person You find is appropriate to see. You will see that only illegitimate entries are deleted. Not even one legitimate.
You need to know that the cleaning process is very tough and dangerous, especially on systems like Your system is, with such an amount of malware inside it.
If this system is important to You, You should do regular backups BEFORE problems occur. I do my best to save the system in complete, but it's not always possible.
Also, it's not smart to use OE as a mail client, because that mail client is not supported by Microsoft since April, 7 months ago! Can You imagine how many "security holes" it has?
I will give my best to fix Your system but You need to be aware of problems that can happen.
If You didn't do any backup, then it is smart to remove Your hdd from the system, connect it to external storage or another PC and backup all that is important to You.
Also, let me know what mail You use on the OE mail client (gmail, msn, yahoo...).



Always have one (and no more than one!) AntiVirus program! In this case having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark another ones as harmful, leading to leave your system unstable and even damaged.

This is your system


Code:
HKLM Group Policy restriction on software: C:\Program Files\Common Files\Symantec Shared <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Alwil Software <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\McAfee <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\BitDefender <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\ESET <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\Lavasoft <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION
HKLM Group Policy restriction on software: C:\Program Files\AVG <====== ATTENTION



Uninstall tools link

https://singularlabs.com/uninstallers/security-software/
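The "HKLM Group Policy restriction on software" lines quoted above are Software Restriction Policy path rules: malware writes Disallowed rules for the install directories of security products so they cannot run or update. The script below is an added example for this thread, not FRST's code or anything posted by argus; it assumes the standard SRP registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (level subkeys such as 0 for Disallowed, each with a Paths subkey of GUID-named rules carrying an ItemData value), and the vendor folder names are taken from the quoted FRST output. It only reports; the removal in the thread was done by the FRST fixlist.

```powershell
# Added example (not from the thread): enumerate Software Restriction Policy
# path rules under HKLM and flag any that target a security-product folder.
# Assumes an elevated prompt. Reporting only; no registry changes are made.

$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# SRP security levels, keyed by the subkey name they are stored under
$levelNames = @{
    '0'      = 'Disallowed'
    '4096'   = 'Untrusted'
    '65536'  = 'Constrained'
    '131072' = 'BasicUser'
    '262144' = 'Unrestricted'
}

# Vendor directory names taken from the FRST output quoted in this thread
$securityVendors = @('Symantec', 'Alwil', 'McAfee', 'BitDefender', 'ESET', 'Lavasoft', 'AVG')

function Get-SrpPathRule {
    if (-not (Test-Path $saferRoot)) {
        Write-Verbose 'No Software Restriction Policy key present'
        return
    }

    foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
        $pathsKey = "Registry::$($levelKey.Name)\Paths"
        if (-not (Test-Path $pathsKey)) { continue }

        foreach ($rule in Get-ChildItem -Path $pathsKey) {
            $props  = Get-ItemProperty -Path "Registry::$($rule.Name)"
            $target = [Environment]::ExpandEnvironmentVariables([string]$props.ItemData)
            $hit    = $securityVendors | Where-Object { $target -match [regex]::Escape($_) }

            [PSCustomObject]@{
                RuleId            = $rule.PSChildName      # GUID name of the rule
                Level             = $levelNames[$levelKey.PSChildName]
                Path              = $target
                Description       = $props.Description
                TargetsSecuritySw = [bool]$hit
            }
        }
    }
}

# A Disallowed rule aimed at an antivirus folder is exactly what FRST reported here
Get-SrpPathRule |
    Where-Object { $_.Level -eq 'Disallowed' -and $_.TargetsSecuritySw } |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see every rule, including legitimate ones an administrator may have set; a rule is only suspicious when it is Disallowed, points at a security product, and nobody on the machine created it.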
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Argus,

I don't doubt your expertise one bit. To be honest, I'm just very frightened at the moment
that I've lost my data. I've got my database backed up but not emails. And I really need those to work ...

Here is the MBAR log and yes, it found 22 malware items. Looks like the msiexec file is a major culprit.. What is our next step ?

Thanks for your continued help !
 

Attachments

  • mbar-log-2014-11-09 (12-12-46).txt (8.3 KB)
  • system-log.txt (29.5 KB)

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Argus, regarding your post above. I did have all my data backed up on drive "K" which is an external drive but 2 weeks ago
somehow I caught the "Cryptolocker" virus and it encrypted all my files on drive K. I have since deleted it but it's encrypted
a lot of files. I have since downloaded and use "I drive" to backup my database and I was in the process of trying to backup
my email information but the computer was just TOO SLOW to do any work. So I need to get my computer up and running
again before I do the back up...

This is also why I have so many antivirus and anti-malware programs on my computer, because none would find it except finally ESET.
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
I also tried to remove the A/V programs above and it did remove a few but others would not uninstall (like AVG, Adaware, ESET);
it would not complete the uninstall because of no connection (???) and for others it said there was nothing there? So I went as far as I could with that using the uninstall tools you provided.

for webmail I use geraldheddleson@gmail.com
 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Argus, on step five below I have a question..(cut and paste numbered it different, sorry)
In the folder under Identities i have a value that reads {846FA80Bxxxxxxxxxsxx}
when I click on that {846xxxxx} I see "Username" with data that says Main Backup.
However when I click on "Identities" itself I see a name of "Last Username" with "Main Identity" in the data field.

Do I click on the one that says Main Identity (Last Username) (step 5)?


 

gheddleson

New Member
Thread author
Verified
Nov 7, 2014
15
Did I lose you Argus ? I seem to be stuck at the "Delete the Identities Subkey" step.
It's not clear to me (at least) what I'm supposed to delete. What is the "in the right pane,
click the Identities Subkey." ???
 
