by Bryon D Beilman
msiexec.exe - This is one of those applications that you may see running when you install software, and it is an important file. It is typically found in the C:\Windows\system32 directory. But what about msiexecs.exe? I discovered this when someone I know needed help with their PC because they "couldn't get to the Internet". Before I describe what it is, I want to mention that it didn't look right to me, but to the casual untrained user it looks very similar to msiexec.exe, and if you google msiexecs you might even get references to the real one. This is on purpose, to fool the user. In this case, Windows 7 was smart enough to realize that when they tried to launch a browser it was instead launching msiexec.exe -sb first, and since the application was not a signed and valid app, it warned them. Did that keep them from moving forward? "Heck no, just click through it!"
It turns out that this is a pretty bad piece of malware. What is surprising to me was that their antivirus was up to date and a scan did not discover it. MalwareBytes, one of my favorite antimalware programs also did not catch it.
What happened is that the program c:\windows\system32\msiexecs.exe got installed as malware, and then bogus registry entries were put in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<Browser>\Debugger
Under <Browser>, they had every known browser (Internet Explorer, Firefox, Opera, Chrome), with one entry in the registry for each.
If you removed the file, the browser still didn't work, because Windows could not find the file referenced in the registry. If you did let it through, it most likely grabbed your information, opened a door to another host and shared your information with the world.
It turns out that deleting the file AND removing each of the registry entries fixed the issue, but it was done by hand, not by any leading antivirus/anti-malware program.
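As an added example (not code from the original post), here is a PowerShell audit of the Image File Execution Options key described above: it lists every image subkey carrying a Debugger value, checks whether the referenced file still exists and is Authenticode-signed, and provides a helper that removes the Debugger value for one image. The browser executable names and the parsing of a command line such as "msiexecs.exe -sb" are assumptions based on the post; run it from an elevated prompt.

```powershell
# Added example, not code from the original post. Audits the IFEO tree for Debugger
# values (where the post's malware hooked every browser) and can remove one entry.
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # One record per image subkey that carries a Debugger value.
    Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # The value is a command line (e.g. a path followed by "-sb"); take the executable part.
            $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
            $exists = Test-Path -LiteralPath $exe
            # A dangling entry explains the post's "browser still didn't work" after deleting the file.
            $signed = if ($exists) {
                (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
            } else { $false }
            [PSCustomObject]@{
                Image        = $_.PSChildName
                Debugger     = $dbg
                DebuggerExe  = $exe
                TargetExists = $exists
                Signed       = $signed
            }
        }
    }
}

function Remove-IfeoDebugger {
    # Remove only the Debugger value of one image subkey; the rest of the key is left alone.
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $Ifeo $Image
    if (Test-Path -LiteralPath $key) {
        Remove-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction Stop
    }
}

# Browser executables assumed from the four browsers named in the post.
$browsers = 'iexplore.exe', 'firefox.exe', 'opera.exe', 'chrome.exe'

# Report every hooked image, highlighting browsers and any debugger that is unsigned or missing.
Get-IfeoDebugger |
    Where-Object { ($browsers -contains $_.Image.ToLower()) -or -not $_.Signed } |
    Format-Table -AutoSize
```

Review the table before calling Remove-IfeoDebugger -Image 'chrome.exe' (and the others), since legitimate debuggers or monitoring tools also register here.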
Beware of things that look similar to something normal; be safe and wise, and don't click through the warnings that Microsoft and security programs use to protect you.