New Trojan Horse: msiexec16.exe

  • Thread starter epic
  • 23 comments
  • 6,657 views

This version of Optix Pro kills:

ANTIVIRUS : ( 72 programs )
===========================

Acceleration Software AV
Anti-Trojan,
AntiVir
AntiVir (German)
AntiViral Toolkit Pro
AntiVirus ExPert 2000 (AVX) ( aka : Bitdefender )
ANTS
AnVir
AT AVS
avast!4 Home Edition
avast!4 Professional Edition
AVG
AVG 6.0 Free Edition
BitDefender ( aka : Anti-virus Expert )
BullGuard
Cheyenne AntiVirus
Command
Doctor Solomon AVS
Doctor Web for Windows ( memory scanner )
eScan Free
eScorcher AntiVirus version 1.7
eTrust Antivirus
F-Prot Antivirus TM
F-Secure
G-Data AntiVirenKit ( German Program )
German Process Viewer
InoculateIT Personal Edition
Integrity Master
InVircible
Kaspersky
LockDown
Lockdown Pro
MailDefense Standard 3.0
McAfee
neolog
NOD
NOD32
Norman
Norton AntiVirus
Panda
Panda Antivirus
Panda Antivirus 6.0 Platinum
Panda Titanium
PC Door Guard
pc-cillin ( aka : TrendMicro Antivirus )
PER Antivirus ( espanol language )
PestPatrol
Protector Plus Antivirus Software
Quick Heal
RAV
SBABR 3.12
SOLO
Sophos
Spy X
Swat it
Tauscan
TDS
T-FAK Trojan Remover
The Cleaner
TrendMicro
Trojan Hunter 3.5
Trojan Remover
Trojan Scan Engine
TrojanCheck 6
TrojanHunter
Vexira
Vexira Antivirus
ViRobot Expert
VirusBuster
VirusNet PC
wild file goback
WinRoute pro 4.2

FIREWALL : ( 35 firewall )
===========================

3B Personal Firewall Pro
Agnitum Outpost Free
Agnitum Outpost PRO
Armor2net Personal Firewall
AtGuard
BlackIce
ConSeal PC Firewall
Deerfield Personal Firewall
eTrust Firewall
GData Firewall
German Process Viewer
Kaspersky Anti Hacker 1.0
Kerio Firewall
Lockdown Pro/free
LookNStop
mcafee firewall
McAfee Internet Security
Net Barrier firewall
Net Protect
Norton firewall
Outpost Firewall
Panda (Built-In)
PC Cillin 2003 personal firewall
Pc-Cillin (Built-In)
Private Firewall 3
Sphinx
Steganos Online Shield
Sygate Personal Firewall
sygate personal pro
TGB::BOB! Firewall Personnel v 2.31E
Tiny Personal Firewall
WinGate
Winroute
WinXP Firewall
Zonealarm Pro/free



Server:
c:\WINDOWS\SYSTEM\msiexec16.exe

size: 925.395 bytes

port: 3410 TCP

startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "GLSetIT32"
 
I dunno, but it's on astalavista's website if you wanna download it lol.. called Optix or something like that. Just another NetBus/SubSeven with new features.
 
Yeah, so I have been hit by this trojan, and I'm able to go into the Task Manager and shut it down, but each time I restart, it comes back. Any ideas how to get rid of it?

Any help is appreciated.
 
And if that doesn't work, do it manually.
Locations are these:

c:\WINDOWS\SYSTEM\msiexec16.exe

Inside the registry: Start > Run > regedit

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "GLSetIT32"

HKEY_LOCAL_MACHINE\Software\Microsoft\RAS Autodial\Control

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "EnableAutodial"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\Windows\CurrentVersion\Internet Settings "EnableAutodial"
 
Hello, I NEED YOUR HELP!!!!!!!!

I've tried to take this Trojan out of my AUTOSTART

and rebooted. This was a terrible mistake. Now I get the same '' is not a valid integer value'' message every time. What can I do now? I can't start regedit and I'm not able to start any EXE file.

HELP me PLEASE!!!!!!
 
How'd you open the internet then? Do a system restore, and if that doesn't work then you're probably going to have to re-install Windows or Linux or whatever you're running.
 
Please do not underestimate this trojan.

I got this (don't know when), but less than 2 weeks ago.

Mine seems like a new version. I'm on XP Pro SP1.

The only reason my PC was running fine (except being slow) was that I am behind an extremely tight BSD firewall. It blocked all inbound traffic. The only outbound port allowed is to the proxy, where everything is screened again. So, pretty sure, all my private info is safe.

I have Adaware (quite recent), also AVG (up to date as of this morning), + ICF. Still none of these caught it.

It does NOT show if you run regedit. Not under the Run nor RunServices keys.

It does NOT show in Explorer (even when you turn the "show all", "extensions", "show all system files" options on in your Explorer). Followed the advice on Norton. After reboot it came back.

Then what I did was, after end-tasking msiexec16.exe, open up a cmd window. Then use the "reg" command-line registry editor to query that key. Yup. The GLSetIT32 is under HKLM ... Run & RunServices. They are not displayed if you view it with Regedit or Regedt32. Yes, I logged in as Admin. Very strange.

Anyway, finally got rid of that bugger via reg on the command line. So, be wary of what you cannot see via the GUI.

Anyway, I think a lot of everyday office users would not even know it is there. Very spooky.

Don't trust too much in AV products. I ran AVG + Trend Micro Online. Both turned up with NOTHING!

Now my PC is fast again :-). Anyway, hope that helps someone. I'm just so happy to have gotten rid of this just now.

== reinstalling the OS is never an option (too lazy me :lol: ) ==
 
A little off topic...

But what do you guys think is the best software out there to protect your computer against viruses and all the other junk, Norton, McAfee???

-Spets
 
Originally posted by WanganDreams
A little off topic...

But what do you guys think is the best software out there to protect your computer against viruses and all the other junk, Norton, McAfee???

-Spets

Norton Systemworks 2003 and Personal Firewall have worked well for me. The menus are a bit confusing at first though. IMO, Symantec could have made the menus more streamlined.
 
I have the Optix virus (because some **** sent me it via IRC) and yes, it doesn't show up in any reg keys in Windows. It's knocked out the XP firewall and my Norton 2003 AV/PF and I can't install anything else atm. There was an "msiexec.exe" in my system folder which I deleted in safe mode; however, the virus still appears to have a process on startup. I'm unsure how to use the DOS-based "reg" cmd.

Also, there were 3 files that turned up in a file search: one was the exe, which is gone; one is msieftp.dll, which I am not sure about; and a file in c:\windows\prefetch\ called MSIEXEC16 -043e53b9.pf

I am unaware of any company called Prefetch or of having installed their software in the past, and this file seems to reproduce itself if I decide to delete it.

Please could I get a short set of instructions, or even just a helpful link, on using the DOS-based reg cmd, or any information on these other files that may have something to do with it.
 
Since you sound like you know what you're talking about, I figured I'd ask you a question.

My sister was messing around with my home PC and downloaded some bs which led to me getting infected with a virus.

msiexec16.exe

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optixpro.14.html

After about 2 hours of ****in around with it, I finally got rid of it. But now when XP starts, I can't open any programs, and the shortcuts on the desktop and the Start menu don't work.

"Windows cannot find (null)..."

"Windows cannot find 'C:\....'"

It says either one of the above when I try to open any type of program (Kazaa, Word, Notepad, Calc).

I can only open files and folders for some reason. I opened "___.doc" and the document opened in Word fine, like normal. Then I tried going to the source folder to open the MS Word XP .exe, but it still told me it couldn't find it, EVEN THOUGH I AM STARING RIGHT AT IT!

What could be the problem?
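The symptom in the post above (every EXE and shortcut fails with "Windows cannot find ..." once the backdoor file is gone, while documents still open) is the classic signature of a modified .exe shell handler: Explorer, the Run dialog and shortcuts launch programs through HKCR\exefile\shell\open\command, and if that value names a file that has since been deleted, every program launch fails. The thread itself does not make that diagnosis, so treat it as an assumption; the batch script below is an added example, not code from the thread, and only checks the handlers unless you explicitly pass /restore. It has to be run from "Safe Mode with Command Prompt": cmd.exe and reg.exe are started directly by Windows there, not through the shell handler, so they still work when the handler is broken.

```batch
@echo off
rem Added example, not from the thread. Inspects the shell handlers for
rem .exe/.com/.bat files; a hijacked exefile handler is an ASSUMED cause
rem of the "Windows cannot find ..." symptom, not a fact from the thread.
rem Run from "Safe Mode with Command Prompt" as Administrator.
setlocal

echo Current handlers - a clean XP system shows "%%1" %%* for each:
for %%K in (HKCR\exefile\shell\open\command HKCR\comfile\shell\open\command HKCR\batfile\shell\open\command) do (
    echo --- %%K
    reg query %%K /ve
)

echo.
echo If the exefile handler names a path other than "%%1" %%* - for example
echo a deleted msiexec16.exe - the default can be put back with:
echo   reg add HKCR\exefile\shell\open\command /ve /d "\"%%1\" %%*" /f
echo Nothing is changed unless this script is run with /restore.

if /i "%1"=="/restore" (
    rem /d "\"%%1\" %%*" passes the literal string "%1" %* to reg.exe
    reg add HKCR\exefile\shell\open\command /ve /d "\"%%1\" %%*" /f
    echo --- after restore:
    reg query HKCR\exefile\shell\open\command /ve
)

endlocal
```

If the handlers already read "%1" %* then the cause is something else and this script has told you so without touching anything; if the exefile value points at the deleted backdoor, /restore fixes program launching and the earlier removal of the file can stand.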
 
Jesus, it's not a week old. I have had this **** for a very long time. I didn't know that it's a virus; now I know.
I've just done a format of my c:\ and with a fresh copy of Windows XP SP1 I still have that **** + DLLHOST.EXE that, when I connect to the internet, uses 100% of my PC. I simply deleted it and it's not a problem anymore, but that msiexec16.exe is a total crash. I don't know, but when I install 3ds max 6 it crashes during installation. In the installation dir there is a folder called msi. Now I don't know what to do; this directory is a dir from the program.
Tell me how to clean my PC. I just had a format and it's still there; I think it's in the Windows. By the way, check your task manager for DLLHOST.EXE. That is big ****.
 
Sorry for reviving such an old thread, but this post may help someone who finds this thread in a Google search on this Trojan (as I did).

As newbiedoo mentioned, this trojan is a ***** to get rid of. The registry key that you need to remove doesn't show in regedit, and the files won't show up either (EVEN IF you turn on hidden and system files). Here's how to delete the key using "reg" on Windows XP Pro. As always, use this information at your own risk. Any damage you do to your system is YOUR responsibility.

First, restart your PC and hit F8 while it is booting to take you to the boot menu. Choose the boot option "Safe Mode With Command Prompt".

For user id, choose Administrator

In the command prompt box that comes up, type the following EXACTLY; it is cASe SeNsiTIvE!!

reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v GLSetIT32

^^^^^^^^^^
The message board is wrapping the line above, but it should be ONE LINE. (I.e. don't hit "enter" until after GLSetIT32.)

That should do it. Hit CTRL ALT DELETE and choose shutdown, restart.

When Windows XP comes up, you will now be able to see those hidden files in system32 and can delete them. Also, I had an entry in Win.ini that I had to clean, so you might want to check that out, too.

Hope this helps someone. It took me 3 hours to figure this one out :(
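The posts above between them describe one procedure: kill msiexec16.exe, query Run and RunServices with reg.exe because regedit does not display the GLSetIT32 value, delete the value, then remove the files that Explorer hides and check win.ini. The batch script below puts those steps together as an added example; it is not code from the thread or from any vendor write-up. Everything it looks for comes from the thread: the value name GLSetIT32, the file names msiexec16.exe and msieftp.dll, the WINDOWS\SYSTEM and system32 locations, the Prefetch entry, the win.ini run=/load= lines and TCP port 3410. Run it from "Safe Mode with Command Prompt" as Administrator (tasklist and taskkill are present on XP Pro); with no argument it only reports, and it deletes nothing unless you pass /clean.

```batch
@echo off
rem Added example, not code from the thread: audit and optionally remove
rem the Optix Pro autorun and files named in the posts above.
rem Run from "Safe Mode with Command Prompt" logged in as Administrator.
rem With no argument it only reports; pass /clean to kill the process,
rem delete the registry value(s) and remove the files.
setlocal

rem Indicators taken from the thread: value name, file names, port.
set VAL=GLSetIT32
set EXE=msiexec16.exe
set RUN=HKLM\Software\Microsoft\Windows\CurrentVersion\Run
set RUNSVC=HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

echo === 1. Running process
tasklist /fi "imagename eq %EXE%" | find /i "%EXE%" >nul && (
    echo   %EXE% is running
    if /i "%1"=="/clean" taskkill /f /im %EXE%
) || echo   %EXE% is not running

echo === 2. Autorun values - reg.exe shows what regedit did not
for %%K in ("%RUN%" "%RUNSVC%") do (
    reg query %%K /v %VAL% >nul 2>&1 && (
        echo   FOUND %VAL% under %%~K
        reg query %%K /v %VAL%
        if /i "%1"=="/clean" reg delete %%K /v %VAL% /f
    ) || echo   %VAL% not present under %%~K
)

echo === 3. Files - dir /a lists hidden and system entries Explorer hides
for %%F in ("%windir%\system\%EXE%" "%windir%\system32\%EXE%" "%windir%\system32\msieftp.dll") do (
    if exist %%F (
        echo   FOUND %%~F
        dir /a %%F | findstr /i /c:"%%~nxF"
        if /i "%1"=="/clean" (
            attrib -s -h -r %%F
            del /f %%F
        )
    )
)
rem A Prefetch .pf entry is written by Windows each time an exe runs. It is
rem a trace that the program executed, not the backdoor itself; it keeps
rem reappearing only while the exe is still being started.
echo === 3b. Prefetch trace of past execution
dir /a /b "%windir%\Prefetch\MSIEXEC16*.pf" 2>nul

echo === 4. win.ini run= / load= lines
findstr /i /b /c:"run=" /c:"load=" "%windir%\win.ini"

echo === 5. Listener on the server port named in the first post
netstat -an | find ":3410"

endlocal
```

Run it once without arguments, read what sections 2 and 3 report, then run it with /clean and run it a third time to confirm that every section comes back empty before rebooting; a value that reappears after the reboot means another autorun location (win.ini in section 4, or something the thread does not list) is still starting the file.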
 
As this trojan had to be downloaded from one of many cracking sites, wouldn't the person who downloaded this program, most likely in zip format, also be infected when they installed it on their PC??
 
Originally posted by JTF
As this trojan had to be downloaded from one of many cracking sites, wouldn't the person who downloaded this program, most likely in zip format, also be infected when they installed it on their PC??
First of all, he/she most likely wrote it themselves. And it wouldn't infect their own PC unless they stupidly executed the file.
 
Ummmm...huh? :)

I'm not sure what you guys are talking about. The Optix Trojan/Virus is all over the net. You'll find it in all sorts of files. The one I got was embedded in an EXE file renamed as a vid.

I couldn't find a Virus program that could effectively remove it. None seemed to be able to remove those damned registry entries. So, XP's built in "reg" command line registry editor seems to be the only way to eliminate it...
 