
msiexec.exe

Posted: June 30, 2011

Although msiexec.exe, the Windows Installer executable, is a genuine and important Windows component, malware frequently borrows its name so that a glance at a folder or a process list raises no suspicion. A copy that displays as Msiexec.exe (first letter in uppercase) was at least not put there by Windows Setup, but capitalisation alone proves nothing; what matters is where the file lives. If you find a file carrying this name outside %SystemRoot%\System32 or %SystemRoot%\SysWOW64 and have reason to suspect it, scan it with up-to-date anti-virus software and remove it if it is confirmed malicious. Do not delete a copy by hand on the strength of its name: removing the genuine msiexec.exe breaks software installation, repair and uninstallation on Windows. Most threats that borrow system component names such as Msiexec.exe place themselves in or under the Windows directory and are typically backdoor trojans, viruses or worms.

Telltale Warnings of a Msiexec.exe Threat

Many different threats have been seen using the name Msiexec.exe, and other Windows component file names, to avoid detection; other native Windows file names commonly borrowed as disguises include svchost.exe, explorer.exe and iexplore.exe. In almost all cases the impostor also places its files in a sub-folder of the Windows directory so that they look like real Windows components.

The file name itself is only a first clue. The genuine Windows Installer executable is created as 'msiexec.exe' in all lowercase (its prefetch trace in %SystemRoot%\Prefetch is written in uppercase, as MSIEXEC.EXE-<hash>.pf), so a copy that displays as Msiexec.exe did not come from Windows Setup. Because NTFS is case-insensitive, however, the spelling cannot by itself tell a real file from a fake; the location can. Outside System32, SysWOW64 and the WinSxS component store, a file carrying this name in any capitalisation is almost certainly a threat, particularly if it is tucked into an obscure sub-folder of the Windows directory.

This naming rule doesn't apply to the Windows Registry, where the genuine file and its Windows Installer service (msiserver) may be referenced as MsiExec.exe or with similarly minor variations, for example in the uninstall strings under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

Another method of spotting a possible Msiexec.exe threat is to watch the running processes. Task Manager (Ctrl+Shift+Esc, or Ctrl+Alt+Del and then Task Manager) lists every active process. The genuine msiexec.exe normally runs only while an installation, repair or uninstall is in progress: one instance is started by the installer or by the user opening an .msi, and a second, 'msiexec.exe /V', is started by the Windows Installer service under services.exe and exits shortly after the job finishes. An instance that stays resident at all times, has no installer or services.exe as its parent, or runs from any directory other than System32 or SysWOW64 deserves a closer look.

One final way to assess a possible Msiexec.exe threat is to right-click the file, select Properties and examine the Details tab (called Version on older Windows). The genuine msiexec.exe carries version resources naming Microsoft Corporation as the company and msiexec.exe as the original file name. A fake can copy those strings verbatim, so treat them as a hint rather than proof; the decisive check is the digital signature. Windows system binaries are signed by Microsoft through security catalogs rather than with an embedded signature, so the Properties dialog may show no Digital Signatures tab at all. Use PowerShell's Get-AuthenticodeSignature or Sysinternals sigcheck, both of which validate catalog signatures, and expect a Valid status with a Microsoft Windows signer.
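The checks above (location, on-disk spelling, signature, version resources and the parent of every running instance) can be run in one pass. The script below is an added example, not code from the original article or from Microsoft; the directory list and the signer pattern are assumptions that hold for a stock Windows installation, and the report layout is this example's own.

```powershell
# Added example, not code from the original article. It automates the checks
# described above: legitimate location, on-disk spelling, catalog/Authenticode
# signature and version resources, plus the parent of every running msiexec.exe.
# Run from an elevated PowerShell prompt so that SYSTEM-owned processes report
# their image path. The directory list and the signer pattern are assumptions
# that hold for a stock Windows installation.

# Directories that legitimately hold msiexec.exe (WinSxS keeps the servicing copies).
$script:LegitDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)
$script:WinSxS = Join-Path $env:SystemRoot 'WinSxS'

function Test-MsiexecFile {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    $inLegitDir = ($script:LegitDirs -contains $item.DirectoryName) -or
                  ($item.DirectoryName -like "$script:WinSxS\*")

    # NTFS is case-insensitive, so the spelling is a hint, never proof.
    $exactCase = $item.Name -ceq 'msiexec.exe'

    # System binaries are usually catalog-signed; Get-AuthenticodeSignature
    # resolves catalog signatures on Windows 8 / PowerShell 4 and later.
    $sig    = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    # Version resources are easy to forge, so they only count alongside the signature.
    $vi = $item.VersionInfo
    $versionOk = ($vi.CompanyName -eq 'Microsoft Corporation') -and
                 ($vi.OriginalFilename -ieq 'msiexec.exe')

    [pscustomobject]@{
        Path              = $item.FullName
        InLegitDir        = $inLegitDir
        ExactCaseName     = $exactCase
        SignedByMicrosoft = $signedByMicrosoft
        Signer            = $signer
        VersionInfoOk     = $versionOk
        Suspicious        = -not ($inLegitDir -and $signedByMicrosoft -and $versionOk)
    }
}

function Get-MsiexecProcessReport {
    # Genuine instances are children of an installer (or of services.exe for the
    # 'msiexec.exe /V' service instance) and go away once the install finishes.
    Get-CimInstance Win32_Process -Filter "Name = 'msiexec.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $file   = if ($_.ExecutablePath) { Test-MsiexecFile -Path $_.ExecutablePath } else { $null }
        [pscustomobject]@{
            PID         = $_.ProcessId
            ParentPID   = $_.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $_.CommandLine
            Path        = $_.ExecutablePath
            # An unreadable image path is itself worth a look, so it counts as suspicious.
            Suspicious  = if ($file) { $file.Suspicious } else { $true }
        }
    }
}

# Usage: every file under the Windows directory calling itself msiexec.exe,
# in any capitalisation (-Filter is case-insensitive), then the live processes.
Get-ChildItem -LiteralPath $env:SystemRoot -Recurse -File -Filter 'msiexec.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { Test-MsiexecFile -Path $_.FullName }
        catch { Write-Warning "Could not inspect $($_.TargetObject): $_" }
    } |
    Format-Table -AutoSize

Get-MsiexecProcessReport | Format-Table -AutoSize
```

Read the output by the Suspicious column: a row whose signer is not Microsoft, or whose path is outside System32, SysWOW64 or WinSxS, is the one to submit to a scanner. A process row whose parent is neither services.exe nor a visible installer, and which is still present long after any installation ended, is the pattern the text describes. Some third-party updaters legitimately launch msiexec.exe in the background, so confirm with the file checks before acting on a process row alone.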

What Happens If You Catch a Fake Msiexec.exe Hiding in Your Folders

Since any threat can be named Msiexec.exe, there are no hard details on the type of infection that can occur with a malicious Msiexec.exe file. However, some types of threats are more likely to use a Msiexec.exe-based hiding technique than others.

  • Many backdoor trojans pretend to be system components like Msiexec.exe. Backdoor trojans undermine your PC's security by disabling or hindering the firewall, opening listening ports and contacting remote attackers. Machines infected this way are commonly enlisted in DDoS botnets, controlled through Remote Administration Tools and stripped of passwords by keyloggers.
  • Msiexec.exe is also one of many disguises used by Trojan droppers. These Trojans focus on installing other malicious software onto your PC without your consent. Common components installed by droppers (the 'payload') include rogue security software (e.g. XP Antivirus 2012, Win 7 Security 2012, Personal Shield Pro), keylogging spyware and web browser hijackers.

As is always the case with threats of this kind, remove Msiexec.exe impostors with anti-malware software that can distinguish genuine Windows components from fakes, rather than by deleting files by name.

File System Modifications

  • The following files were created in the system:
    # File Name
    1 %Temp%\2BA98D.dmp
    2 %Temp%\WER11.tmp
    3 C:\Windows\System32\mycomput32.exe
    4 C:\Windows\System32\strmdll32.dll
    5 C:\Windows\System32\SYSTEM32\248321536
    6 C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270C.manifest
    7 C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270P.manifest
    8 C:\Windows\System32\SYSTEM32\55274-640-2001945-237251270S.manifest
    9 C:\Windows\System32\SYSTEM32\msorcl3232.exe
    10 C:\Windows\System32WINDIR%\SYSTEM32\avicap3232.dll
    11 msiexec.exe

Registry Modifications

  • The following Registry subkeys were created:
    HKEY_CURRENT_USER\SOFTWARE\
    HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\
    HKEY_CURRENT_USER\SOFTWARE\IVEDHGVTFU\CLSID\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\.FSHARPROJ\PERSISTENTHANDLER\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\INPROCSERVER32\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\INPROCSERVER32\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\CLSID\{CA80A1DF-1993-458D-B1C5-8893EC9E5770}\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\
    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\IVEDHGVTFU\CLSID\
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{167D8C11-D0F7-4D4A-94FF-1B727D3CFC51}\
    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{53FBF74C-ACD3-8E42-3397-A342CEE0B972}\
    HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\
    HKEY_USERS\.DEFAULT\SOFTWARE\IVEDHGVTFU\CLSID\
  • The two CLSIDs registered under Explorer\Browser Helper Objects, each paired with a CLASSES\CLSID\{...}\InprocServer32 entry, are the standard mechanism by which a DLL is loaded into Internet Explorer as a Browser Helper Object; the default value of each InprocServer32 key names the DLL on disk and is the file to inspect and remove.