roboto358 Posted December 13, 2016
I have been fighting with a combination of msiinstaller.exe and hotfix.exe, as they have been constantly using up my CPU. They managed to trash my C: and so I have resorted to using D:. Recently, they have become active on my D drive, and so I'm resorting to asking for help or advice on what to do. If someone could give me some insight, that would be great.
kevinf80 Posted December 13, 2016
Hello roboto358 and welcome to Malwarebytes,
Run the following and post the two produced logs....
Download Farbar Recovery Scan Tool and save it to your desktop. Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html
Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
Be aware FRST must be run from an account with Administrator status...
Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
Make sure Addition.txt is checkmarked under "Optional scans"
Press Scan button to run the tool....
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The tool will also make a log named (Addition.txt). Please attach that log to your reply.
Thank you,
Kevin
roboto358 Posted December 13, 2016 (Author)
OK, I downloaded and made the copies last night, so I uploaded them now.
Addition.txt
FRST.txt
kevinf80 Posted December 13, 2016
Why was your system running in Safe Mode with Networking... will it run in Normal mode...?
roboto358 Posted December 13, 2016 (Author)
It will work in normal mode. I booted in safe yesterday because I wanted to system restore; I had been working on an assignment for college, and the malicious programs successfully downloaded something that prompted me to restart my computer.
roboto358 Posted December 13, 2016 (Author)
I'll boot in normal and repost both of the docs; I'm guessing that's what you will have me do.
roboto358 Posted December 13, 2016 (Author)
Here we are
FRST.txt
Addition.txt
kevinf80 Posted December 13, 2016
Thanks for those logs, continue please:
Read the following link before we continue and run Combofix: ComboFix usage, Questions, Help? - Look here
Next,
Download Combofix from either of the following links :-
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.infospyware.net/antimalware/combofix/
Ensure that Combofix is saved directly to the Desktop <--- Very important
Disable all security programs as they will have a negative effect on Combofix, instructions available here http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
Close any open browsers and any other programs you might have running
Double click the icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here http://thespykiller.co.uk/index.php?page=20 why disabling autoruns is recommended.
*EXTRA NOTES*
If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)
Post the log in next reply please...
Kevin
roboto358 Posted December 13, 2016 (Author)
Here you are. Also just so you know, during the scan it said I lacked some proper files, and I needed to connect it to the internet, not wirelessly, so I did, but it still aborted. It still scanned but it said that it wouldn't be as in-depth as it could.
log.txt
kevinf80 Posted December 13, 2016
Run FRST one more time:
Type the following in the edit box after "Search:".
i8042prt.sys
Click Search Files button and post the log (Search.txt) it makes to your reply.
roboto358 Posted December 13, 2016 (Author)
Ok there you go, sorry about the late response.
Search.txt
kevinf80 Posted December 13, 2016
So as Combofix states for i8042prt.sys there are no entries on your system; FRST search confirms same. That is a keyboard and mouse driver. What is the current status of your system, are there any remaining issues/concerns....
roboto358 Posted December 14, 2016 (Author)
I constantly have an unidentified program trying to install itself on my computer. This has happened every time I've switched between safe and normal, because whenever I leave it on normal mode programs run, and those programs try to run. I've noticed they only seem to activate at night; yesterday my computer was clean entirely until about 12 am at night, when msiinstaller, hotfix and many other programs started running. (The logs I've given you have only been run in normal mode, not safe.) Also I searched for msiexec and hotfix, and they still exist; whenever I try to remove msiexec it recopies itself in System32.
roboto358 Posted December 14, 2016 (Author)
I apologize if it seems like I'm ungrateful, because I appreciate anything you can tell me 100% mate
roboto358 Posted December 14, 2016 (Author)
If it helps, I've narrowed the autostart location of the device that keeps trying to install itself on my computer using Process Explorer:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
If I could figure out the root of the processes that run in the background, I think I could solve it. The key offenders are definitely hotfix, msiexec, and msiinstaller.
roboto358 Posted December 14, 2016 (Author)
I just remembered that Firefox itself had been infected before; could that be the thing installing processes in the background? It sometimes tries to open links whenever I click things on my computer. Other than the things I mentioned, nothing else has been infected.
kevinf80 Posted December 14, 2016
msiexec is a system file; if running from the system32 folder it is usually not malicious.
msi installer: The MSI file format used by Windows Installer is used specifically for installation. This differs from the exe format used to run installers; those are simply executable files that can be programmed to run any number of tasks. The MSI file format stores installation information in an installation package, often with the files to be installed themselves.
hotfix: this is a quote from Wikipedia......"A hotfix or Quick Fix Engineering update (QFE update) is a single, cumulative package that includes information (often in the form of one or more files) that is used to address a problem in a software product (i.e., a software bug). Typically, hotfixes are made to address a specific customer situation." A hotfix can come in as a Windows update, and be installed at a pre-determined time if set; as you are running XP I would not expect that to be happening....
Next,
Make a "Clean" install of Firefox:
Use the following link for instructions how to back up your bookmarks; the same link can be used to import saved Bookmarks: https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer
Next,
Go here: http://www.mozilla.org/en-US/ download and save the latest version of Firefox.. We will install this later...
Next,
Let's totally remove Firefox and start over. Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions... Ensure when the uninstall completes to navigate to and delete the Firefox installation folder (if present):
(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox
It is essential the installation folder is removed. Re-boot your system when that is completed....
Next,
To remove all remaining data and profile information...
Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete.
Re-boot your system when complete!
Next,
Use the Mozilla Firefox installer to reinstall your Browser....
When Firefox is installed and open, select these keys together :- Ctrl - Shift - A. That will access the Add-ons manager, which gives access to find addons/extensions, use, start, stop or disable those features etc.... Ensure to use search to find and install AdBlock Plus, Flashblock and DrWeb Anti-Virus Link Checker plus any other addons you normally use....
Next,
With your system in Normal mode run ESET online AV scan; this is a very thorough scan that may take several hours to complete....
Scan with ESET Online Scanner
This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.
If using Internet Explorer: Accept the Terms of Use and click Start. Allow the running of add-on.
If using Mozilla Firefox or Google Chrome: Download esetsmartinstaller_enu.exe that you'll be given link to. Double click esetsmartinstaller_enu.exe. Allow the Terms of Use and click Start.
To perform the scan:
Select "Enable detection of potentially unwanted applications"
Make sure that Remove found threats is unchecked.
Scan archives is checked.
In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
Under "Enable Stealth Technology" select "Change" and select any extra drives in that window.
Click Start
The program will begin to download its virus database. The speed may vary depending on your Internet connection.
When completed, the program will begin to scan. This may take several hours. Please, be patient. Do not do anything on your machine as it may interrupt the scan.
When the scan is done, click Finish.
A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.
Please include this logfile in your next reply.
Don't forget to re-enable security software!
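An added example, not part of this thread and not Malwarebytes', ESET's or FRST's own tooling: a read-only PowerShell triage script that checks the two points raised above, the Winlogon autostart values (including the VmApplet value the poster found) and whether any running msiexec.exe or hotfix.exe image actually lives under System32 and is signed by Microsoft. The value names Shell, Userinit and VmApplet are my choice of the Winlogon values most often tampered with, and the "expected" verdict is an assumption to be confirmed against a known-clean machine of the same Windows version. It modifies nothing.

```powershell
# Added example (not from the thread): read-only triage of Winlogon autostart
# values and of running msiexec.exe / hotfix.exe images. Run from an elevated
# PowerShell prompt so process image paths are readable. Nothing is modified.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Assumption: these are the Winlogon values most commonly hijacked for persistence.
$valuesToCheck = 'Shell', 'Userinit', 'VmApplet'

$props = Get-ItemProperty -Path $winlogon
foreach ($name in $valuesToCheck) {
    $val = $props.$name
    Write-Host ("Winlogon\{0,-9} = {1}" -f $name, $val)
    # Compare with the same value on a known-clean machine of the same Windows
    # version; an executable outside %SystemRoot% or an extra program appended
    # after a comma is the usual sign of tampering.
}

$system32 = Join-Path $env:SystemRoot 'System32'
$suspects = Get-Process -Name msiexec, hotfix -ErrorAction SilentlyContinue
if (-not $suspects) {
    Write-Host 'No msiexec.exe or hotfix.exe process is running right now.'
}

foreach ($p in $suspects) {
    $path = $p.Path   # $null when the image path cannot be read (not elevated)
    if (-not $path) {
        Write-Host ("PID {0} {1}: image path not readable, re-run elevated" -f $p.Id, $p.ProcessName)
        continue
    }
    $inSystem32 = $path.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # Caveat: Windows system files are usually catalog-signed rather than
    # embedded-signed, so older PowerShell reports them as NotSigned. Treat
    # NotSigned inside System32 as inconclusive, not as proof of tampering.
    $verdict =
        if (-not $inSystem32)                                  { 'REVIEW: image outside System32' }
        elseif ($sig.Status -eq 'HashMismatch')                { 'REVIEW: file modified after signing' }
        elseif ($sig.Status -eq 'Valid' -and $signer -notlike '*Microsoft*') { 'REVIEW: not a Microsoft signer' }
        elseif ($sig.Status -eq 'Valid')                       { 'expected' }
        else                                                   { 'inconclusive: check file hash against a clean copy' }

    Write-Host ("PID {0} {1}: {2} | signature: {3} | signer: {4} | {5}" -f `
        $p.Id, $p.ProcessName, $path, $sig.Status, $signer, $verdict)
}
```

The path check is the one that matters most here: a legitimate msiexec.exe runs from System32, so a copy anywhere else (a user profile, a temp folder, another drive) is what to bring to the helper's attention, together with the Winlogon values printed first.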
roboto358 Posted December 14, 2016 (Author)
It finished, and I went to copy the logfile, but it didn't make it. I googled the issue and apparently ESET has been doing this a lot recently. Anyways, if I copy the threats it found (after it finishes scanning again), would this be useful?
kevinf80 Posted December 14, 2016
Logs usually saved here: "C:\Program Files\ESET\EsetOnlineScanner\log.txt" (on 64-bit systems this directory will be "C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt")
roboto358 Posted December 14, 2016 (Author)
logf.txt
roboto358 Posted December 14, 2016 (Author)
This is a copy of the scan; it asked if I wanted to create a save to a text doc and it saved it to Notepad.
kevinf80 Posted December 14, 2016
Run ESET again as you did before; this time we need to remove all found entries......
To perform the scan:
Select "Enable detection of potentially unwanted applications"
Make sure that Remove found threats is checked.
Scan archives is checked.
In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
Under "Enable Stealth Technology" select "Change" and select any extra drives in that window.
Click Start
The program will begin to download its virus database. The speed may vary depending on your Internet connection.
When completed, the program will begin to scan. This may take several hours. Please, be patient. Do not do anything on your machine as it may interrupt the scan.
When the scan is done, click Finish.
A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.
Please include this logfile in your next reply.
Don't forget to re-enable security software!
roboto358 Posted December 15, 2016 (Author)
Ok, last time it gave me the option of making a log because it found threats. The scan finally finished, and it said it found no threats; it also didn't allow me the option of creating a log like last time. Finally, I went to the directory that you said it makes a log in, but there wasn't a new one there.
kevinf80 Posted December 15, 2016
Ok let's go again with FRST... The ESET log did show many entries as infected; most were already in the quarantine of AdwCleaner so were safe. Let's move the others with FRST as follows:
Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.
Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.
Let me see that log, also give an update on any remaining issues or concerns..
Thank you,
Kevin...
Fixlist.txt