Tom's Guide | Tom's Hardware | Tom's Games
OK I know that I have a virus because something has modified system.ini - can somebody tell me what it is and how to remove it? I don't have any virus scanners!! Here are the problem lines out of a HijackThis log:
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSIEXECX16.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSIEXECX16.exe
If you want a full log please ask and I will post it. Thanks.

Hi David,
You really should have virus protection. There are free ones out there, like AVG Anti-Virus, or what about doing some online scans with Panda or HouseCall?
Tanja

Oh, and you should read the post by Dog further down called "Input please". It is great, about how to stay safe.
Tanja

Free online scan......
http://housecall.trendmicro.com/housecall/start_corp.asp
Then get a free AV.....
www.grisoft.com
Don't install an AV till you are virus free or the AV will not recognize the installed virus.

hi david,
for starters, you can check the 2 F entries, that being F0 and F1, make sure that you have nothing running, then hit Fix Checked. When done, reboot, find the file MSIEXECX16.exe in your C:\WINDOWS\SYSTEM directory and delete it.
reboot, get the latest definitions for your A-V, and scan your machine.
for more info on trojans, go to www.thepublicworks.com, security section, wilder.org, pcflank.com etc
all the best,
murve

Thanks for the reply. Just a quick update.
1 - I cannot find msiexecx16.exe in any folder. Show all files is appearing.
2 - It is running as soon as the machine starts and then it disappears?!?!
3 - How can I delete it if it is not there?
Thanks

Here is the information you requested. (Please see the bottom of the message for a few extra symptoms of what the virus is doing.)
Logfile of HijackThis v1.97.7
Scan saved at 12:13:37, on 14/02/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 SP1 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\INETSRV\INETINFO.exe
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\HIDSERV.exe
C:\WINDOWS\SYSTEM\MSDTCW.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\LOADQM.exe
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.exe
C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\PROGRAM FILES\NETSCAPE\NETSCAPE\NETSCP.exe
C:\WINDOWS\PERSONAL\HIJACK THIS\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSIEXECX16.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSIEXECX16.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.worldusa.com"); (C:\Program Files\Netscape\Users\00dav\prefs.js)
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
O2 - BHO: (no name) - {EA7F9A52-0A05-11D2-98C5-00104B7229C2} - C:\PROGRAM FILES\WAVETOP\BIN\WAVEIE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GAMEBAR\GAMEBAR.DLL
O3 - Toolbar: GAMEBAR - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GAMEBAR\GAMEBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [OEMCleanup] C:\WINDOWS\OPTIONS\OEMRESET.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.exe -k
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.exe /AUTORUN
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MSDTC] msdtcw -start
O4 - HKLM\..\RunServices: [inetinfo.exe] C:\WINDOWS\SYSTEM\inetsrv\inetinfo.exe -e w3svc
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .gob: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPchatplay.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://www.smarterchild.com/mssetup/websetup.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol013.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37863.5269444444
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {4BEE3896-4820-48D1-85EA-5A9A9ECD3D95} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

OK - I have run Ad-Aware 6 (it didn't find anything but some cookies) but Spybot will not run (illegal operation). I have already tried fixing the win.ini and system.ini but they keep returning and I cannot find the file msiexecx16.exe anywhere on the drive?! Please help!! Also every time Windows is restarted two folders are launched: c:\program which is empty and c:\windows\system (yes I know what it is but the strange thing is where it should say system on the left hand side it displays "%THISDIRNAME%" without the speech marks). Can you help? I don't particularly want to re-format the drive and start from scratch...

hi david,
put a check next to these, check fix, make sure you don't have anything running, reboot when finished:
C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSIEXECX16.exe
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSIEXECX16.exe
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GAMEBAR\GAMEBAR.DLL
O3 - Toolbar: GAMEBAR - {4E7BD74F-2B8D-469E-C0FF-FD69B994BD7D} - C:\PROGRA~1\GAMERI~1\GAMEBAR\GAMEBAR.DLL
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol013.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
once done look for files:
C:\WINDOWS\SYSTEM\MSIEXECX16.exe
C:\PROGRAM FILES\BTOPENWORLD\DIALBTISURFTIME.exe
C:\PROGRA~1\FRESHD~1\FRESHD~1\FDCATCH.DLL
delete all these files and or directories
then if you are using an A-V get new definitions, and scan your machine
also delete your temp internet files including all offline content, and all of your cookies in cookie folder.
hope this helps, all the best,
murve

hi david,
should read "delete files or folders"
sorry for the typo, ate too much chocolate, and am chasing my cat!
murve

Thanks for the help but I just have one query. Deleting dialbtisurftime.exe would probably mean losing my connection to the internet because that file is my internet dialer from BT. Shouldn't all of the BT stuff be linked to my BT connection??

hi david,
my apologies, leave out these files:
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/btwebcontrol013.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.sc-server1.bt.com/broadband/MotivePreQual.cab
and dialbtisurftime.exe
all the best,
murve

Thanks for your help - but I cannot find msiexecx16.exe anywhere. It is not to be seen and I have selected view all files but it still doesn't appear. But it is running when the PC starts even though it stops running, as you can see by the log above, after the computer has been running for a bit?? What is this? Plus there is no virus in the memory and the problem lines keep appearing - how can I delete a file which isn't there?

hi david,
if you can go into the registry:
hit your start button
hit the run button
in the box type in regedit
your registry tree will open up
go to the key HKEY_LOCAL_MACHINE
hit the + and it should open up
go to software & hit the + and it should open up
scroll down to microsoft and hit the + and it should open up
scroll down to windows and hit the + and it should open up
go to CurrentVersion, scroll down to your Run / RunServices keys and open each; if you see in, let's say, the Run key a value on the right hand side that says C:\WINDOWS\SYSTEM\MSIEXECX16.exe
right click on this value and click delete.
reboot your machine, then go back to your run button, and type in msconfig.
once there, hit the win.ini tab button, go to the windows check box, hit the + and there you will find Run= and Load=
Run should equal nothing, and Load should equal nothing
in your case you will find Run=C:\WINDOWS\SYSTEM\MSIEXECX16.exe
Load=C:\WINDOWS\SYSTEM\MSIEXECX16.exe
you must delete everything from the exe to the = symbol so that Run=
and Load=
the same goes for the System.ini tab:
go to boot and hit the + symbol
locate Shell=Explorer.exe
in your case you will see:
Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSIEXECX16.exe
you must edit this so that Shell=Explorer.exe and nothing else
so in both cases you will use the edit button seen in that msconfig box.
then if you can locate that file in C:\WINDOWS\SYSTEM, delete it.
if you are not comfortable with working the registry, or in msconfig, go to www.thepublicworks.com security section, go to the free anti-trojan section and link to Ants; there you can get the free A2 anti-trojan. Get the newest definitions and scan your computer; it should find and delete what you are looking for.
all the best,
murve
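An added example (editor's code, not HijackThis, msconfig or anything posted in the thread): the F0/F1 lines at the top of this thread and the msconfig edit in the post above reduce to two rules, which the script below checks and applies. The win.ini, system.ini and log fragments are constructed to match what was posted; the function names are the example's own, and it only covers the INI half of the procedure, not the Run/RunServices registry keys.

```python
"""Re-implement the HijackThis F0/F1 checks and the msconfig fix from this thread.
Added example, not HijackThis or msconfig code; samples are constructed to match
what David posted and the function names are the example's own."""
import re

# Constructed: the two F entries from the log above plus two benign O4 entries.
SAMPLE_LOG = (
    "F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\MSIEXECX16.exe\n"
    "F1 - win.ini: run=C:\\WINDOWS\\SYSTEM\\MSIEXECX16.exe\n"
    "O4 - HKLM\\..\\Run: [SystemTray] SysTray.exe\n"
    "O4 - HKLM\\..\\RunServices: [SchedulingAgent] mstask.exe\n"
)
# Constructed: what the msconfig win.ini and system.ini tabs would show.
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\MSIEXECX16.exe\nNullPort=None\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe C:\\WINDOWS\\SYSTEM\\MSIEXECX16.exe\n[386Enh]\nebios=*ebios\n"


def parse_ini(text):
    """Return {section: {key: value}} with section/key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def find_hijacks(win_ini_text, system_ini_text):
    """The F0/F1 rule: [boot] shell= must be exactly Explorer.exe and the
    [windows] run=/load= lines must be empty; anything else is a startup hook."""
    findings = []
    shell = parse_ini(system_ini_text).get("boot", {}).get("shell", "")
    # Win9x Shell= is a space-separated program list; Explorer.exe alone is normal.
    extras = [t for t in shell.split() if t.lower() != "explorer.exe"]
    if extras:
        findings.append(("F0", "system.ini", "shell", extras))
    windows = parse_ini(win_ini_text).get("windows", {})
    for key in ("run", "load"):
        value = windows.get(key, "")
        if value:  # run=/load= take several programs separated by spaces or commas
            findings.append(("F1", "win.ini", key, re.split(r"[\s,]+", value)))
    return findings


def set_ini_value(text, section, key, new_value):
    """Rewrite one key in one section (case-insensitive), keeping every other
    line untouched. Raises if the key is absent so a mistyped section name
    cannot silently turn the fix into a no-op."""
    out, current, done = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
        elif current == section.lower() and not done:
            name, sep, _ = line.partition("=")
            if sep and name.strip().lower() == key.lower():
                out.append(f"{name.strip()}={new_value}")
                done = True
                continue
        out.append(raw)
    if not done:
        raise KeyError(f"{key} not found in [{section}]")
    return "\n".join(out) + "\n"


def remediate(win_ini_text, system_ini_text):
    """The msconfig edit from the post above: Shell= back to Explorer.exe only,
    run= and load= emptied. Returns (clean_win_ini, clean_system_ini)."""
    clean_sys = system_ini_text
    if "shell" in parse_ini(system_ini_text).get("boot", {}):
        clean_sys = set_ini_value(system_ini_text, "boot", "shell", "Explorer.exe")
    clean_win = win_ini_text
    for key in ("run", "load"):
        if key in parse_ini(clean_win).get("windows", {}):
            clean_win = set_ini_value(clean_win, "windows", key, "")
    return clean_win, clean_sys


def log_entries_referencing(log_text, filename):
    """Every HijackThis log line naming the file, whatever its section (F0, F1,
    O4 ...), so all of its startup hooks get fixed in the same pass."""
    needle = filename.lower()
    return [line for line in log_text.splitlines() if needle in line.lower()]


if __name__ == "__main__":
    print("hijacks  :", find_hijacks(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI))
    print("log hits :", log_entries_referencing(SAMPLE_LOG, "msiexecx16.exe"))
    win, sysini = remediate(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI)
    print("after fix:", find_hijacks(win, sysini))
```

Run as-is it reports the F0 and F1 findings, lists both log lines that name the file, and reports nothing after the rewrite. As the thread shows, the INI lines coming back on the next boot means something else is still re-writing them, so the rewrite is only worth doing together with the registry Run / RunServices check from the same post.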

Take note of the Spybot error when it comes up. It will be a missing file that you can do a google search for and download. Did it the other day for a friend who runs 98SE. Darned if I can remember what it was or where I ended up downloading it from.........
D4

OK I have done all that you said and still nothing. No malware found during the scan. No program in the system directory. This is just exasperating me. Is there any way that it can autodelete and then re-create itself every time the computer starts up? I'm getting really confused. How can there be a virus there one minute and not the next?

hi david,
you probably have the Backdoor OptixP-13 Trojan
Download a trial version of Sophos anti-virus get the latest definitions and scan your computer.
hope this helps,
murve

OK thanks for all the help but still no joy. All I can do to stop the virus at the moment is cancel the process when the computer comes on. But each time I restart - it's there again. There is nothing in the registry about this file in the places you mentioned and it seems like you are right about the name. Is there anything I can do because the file still doesn't show up in the system folder!
But there is one mention in the registry which just states its name. Its in:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
I don't know if that's any good but it simply says G/MSIEXECX16 but it is alongside other legit names like F/MSIEXEC and I/BT. Anything I can do guys?

hi david,
yes by all means delete the value for the most recently used (MRU) file: G/MSIEXECX16
just right click on that value and hit delete. don't delete the other values
by the way if you want to scan your computer online try the Hauri Online Scanner at www.hauriusa.net, its supposed to be a good one.
all the best,
murve

david,
the full url for the hauri online detection service is:
http://www.globalhauri.com/html/onlineservice/livecall.html
murve
