
msiexec.exe starting itself after each reboot

Discussion in 'Windows XP' started by m2stech, Jul 7, 2009.

Thread Status:
Not open for further replies.
  1. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    I have this bothersome msiexec.exe which automatically starts after each reboot without installing anything. Is there any way to know which file it is accessing to install, so that I can delete it?!

    thanks
     
  2. Curly

    Curly

    Joined:
    Apr 1, 2002
    Messages:
    1,249
    Try setting the Windows Installer service to start manually. Start the Services snap-in by following these steps:

    Start > run > services.msc

    Double-click Windows Installer. Next to Startup type, select Manual. Click Apply. Next to Service status, click the Stop button. Click OK.

    Let us know if this works.
     
  3. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    Strangely, it was already on Manual, so I also tried Automatic, but the same problem.
    Just something I realized right now: after I end task msiexec from Task Manager, if I go to any forum based on vBulletin (e.g. forum.techguy.org) then msiexec will start just like after a reboot! :eek:
     
  4. Curly

    Curly

    Joined:
    Apr 1, 2002
    Messages:
    1,249
  5. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    Yeah, I had this program but no benefit; it can only delete my Adobe, Nero, Office, Java, Nokia and some other essential programs.
    So you don't have any idea how to find the file which is causing msiexec to start?
     
  6. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    so? anyone ?
     
  7. sludge3000

    sludge3000

    Joined:
    Oct 9, 2008
    Messages:
    342
    Hi m2stech,
    After starting your computer and seeing that the service is running, go to Start > Run, then type in CMD. In the command prompt type tasklist /svc (please note the space between the 't' and the '/'). This should bring up a list of the running processes and any files/drivers/processes/tasks/etc. running on them. Post back with the results for msiexec.exe.

    As it is set to manual start in services it suggests something is requesting the process to start. Go back to the services console as suggested before. Right click on the Windows Installer service and select Properties then click on the Dependencies tab. Please list all services mentioned here and state whether they are in the top box or bottom box.
     
  8. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11

    I put a screenshot of things you told me to do:

    [​IMG]


    also here's my hijackthis log file:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:22:09 PM, on 7/9/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    D:\WINDOWS\system32\Rundll32.exe
    D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    D:\Program Files\D-Link\D-Link Wireless 108G DWA-120\AirPlusCFG.exe
    D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\Program Files\Common Files\Real\Update_OB\realsched.exe
    D:\Program Files\COMODO\COMODO Internet Security\cfp.exe
    D:\Program Files\Java\jre6\bin\jusched.exe
    D:\WINDOWS\system32\ctfmon.exe
    D:\Program Files\DAEMON Tools Pro\DTProAgent.exe
    D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\PnkBstrA.exe
    D:\WINDOWS\system32\PnkBstrB.exe
    D:\Program Files\CyberLink\Shared files\RichVideo.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\system32\UTSCSI.EXE
    D:\WINDOWS\system32\msiexec.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\cmd.exe
    D:\WINDOWS\system32\wuauclt.exe
    D:\WINDOWS\system32\mmc.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: InlineSearchHandleHotKey - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - D:\Program Files\IEForge\Inline Search\InlineSearch.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [JMB36X IDE Setup] D:\WINDOWS\JM\JMInsIDE.exe
    O4 - HKLM\..\Run: [36X Raid Configurer] D:\WINDOWS\system32\JMRaidSetup.exe boot
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [CTSysVol] D:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [LanguageShortcut] "D:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
    O4 - HKLM\..\Run: [ANIWZCS2Service] D:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
    O4 - HKLM\..\Run: [D-Link D-Link Wireless 108G DWA-120] D:\Program Files\D-Link\D-Link Wireless 108G DWA-120\AirPlusCFG.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [COMODO Internet Security] "D:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "D:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
    O4 - HKCU\..\Run: [AlcoholAutomount] "D:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
    O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - D:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235220991500
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1235220971328
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15108/CTPID.cab
    O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
    O21 - SSODL: cfgsmartsh - {4B52B2BB-BF82-6664-CEAA-037139706107} - (no file)
    O22 - SharedTaskScheduler: epistylar - {917f93bf-6714-4e11-8982-59db2e0f88fc} - (no file)
    O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - D:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - D:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
    O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - D:\Program Files\D-Link\D-Link Wireless 108G DWA-120\JSWUtil\jswpsapi.exe
    O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - D:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - D:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: ServiceLayer - Nokia. - D:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
    O23 - Service: CLCV0 (UTSCSI) - Unknown owner - D:\WINDOWS\system32\UTSCSI.EXE

    --
    End of file - 10418 bytes
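
A triage pass over the HijackThis log posted above, as an added example that is not part of the original thread: it parses the result lines and lists the entries a reviewer would check first, namely registrations whose file is gone (`(no file)`, `(file missing)`), services shown as `Unknown owner`, and the `AppInit_DLLs` value. The sample lines are copied from the log above; the function names and reason strings are illustrative, and a flagged entry is a prompt to check who installed it, not a verdict.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O20 - AppInit_DLLs: D:\WINDOWS\system32\guard32.dll
O21 - SSODL: cfgsmartsh - {4B52B2BB-BF82-6664-CEAA-037139706107} - (no file)
O22 - SharedTaskScheduler: epistylar - {917f93bf-6714-4e11-8982-59db2e0f88fc} - (no file)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - D:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)
"""

# A result line is "<section code> - <details>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
ORPHAN_REASON = "registered file is not on disk"


def parse_entries(log_text):
    """Yield (code, body) per result line; header and process-list lines do not match."""
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group("code"), m.group("body")


def triage(log_text):
    """Return the entries to review first, each with the reasons it was picked."""
    findings = []
    for code, body in parse_entries(log_text):
        reasons = []
        if body.endswith(ORPHAN_MARKERS):
            reasons.append(ORPHAN_REASON)
        if code == "O23" and " - Unknown owner - " in body:
            reasons.append("service binary reports no company name")
        if code == "O20":
            reasons.append("AppInit_DLLs is loaded into every process that loads user32.dll")
        if reasons:
            clsid = CLSID.search(body)
            findings.append({"code": code, "body": body, "reasons": reasons,
                             "clsid": clsid.group(0) if clsid else None})
    return findings


def orphaned(log_text):
    """Entries whose registration outlived its file, i.e. leftovers of removed software."""
    return [f for f in triage(log_text) if ORPHAN_REASON in f["reasons"]]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], "|", "; ".join(f["reasons"]), "|", f["body"])
```
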
     
  9. sludge3000

    sludge3000

    Joined:
    Oct 9, 2008
    Messages:
    342
    I'm no expert with HJT logs but there doesn't appear to be anything particularly suspicious there.

    Can you try changing the service from manual start to disabled to see if this brings up any error messages? Hopefully these messages will hint as to what is trying to run the installer.
     
  10. minimustangs

    minimustangs

    Joined:
    Jul 5, 2009
    Messages:
    253
    I've seen this behavior (msiexec.exe starting automatically) a few times related to Malware crap, but have also seen it related to HP printer s/w that is damaged, most notably when something happens to NetFramework files (as in they were removed/damaged).

    S~
     
  11. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    So I disabled it and didn't get msiexec after reboot, and it was about 5 secs faster!
    I don't have any error messages at all.

    I already have .NET 2.0 SP1 / .NET 3.0 SP1 / .NET 3.5.
    I don't have an HP printer and my NOD32 is keeping my PC clean.
     
  12. sludge3000

    sludge3000

    Joined:
    Oct 9, 2008
    Messages:
    342
    Well, that's good news. Although you may have the .NET Framework files, as minimustangs said, they could be damaged.

    At least it's resolved the issue, but you should be aware that this service is required for many kinds of Windows installation, so you may have to manually restart the service should you have problems installing anything.

    If you are happy with this solution then please mark the thread as solved, or state if you would like to find another way around it.
     
  13. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    Thanks for your help, but unfortunately my issue is still not solved!

    Maybe it's better if I tell the whole story from the beginning:
    I got this problem about 5 months ago, when I changed the registry of a trial program (to reset the time limit, but it didn't work). So far no problems; then a few days later I wanted to install a corrupted old CD game for my small sister (my PC froze in the middle of the installation and I had to reset the PC). After that I got this msiexec.exe at Windows startup trying to install the program whose registry I had played with. I even completely deleted any remaining trace of that program and the game from both the installed folder and the Windows registry, but that didn't solve the problem; it only caused the installer to appear without installing anything, so I gave up. But after a few weeks, and after installing some random games and applications, the installer surprisingly disappeared by itself. 4 months passed until early this week, when I updated my "Comodo Firewall" from version 3.09 to 3.10; then suddenly the installer reappeared at Windows startup and I'm like :confused:
    Hope this gives a clue.
     
  14. sludge3000

    sludge3000

    Joined:
    Oct 9, 2008
    Messages:
    342
    So you wish to completely remove all traces of the program which you tinkered with in the registry and the corrupted program, yes?

    You should always back up the registry before playing with it, as changing something in the registry can cause unforeseen consequences which may not be noticed for ....... a couple of months. Please download ERUNT http://www.larshederer.homepage.t-online.de/erunt/ and make a full backup of your registry as it is now before we continue.

    What are the names of the two programs?
     
  15. m2stech

    m2stech Thread Starter

    Joined:
    Jul 7, 2009
    Messages:
    11
    Yeah, but I already removed all traces of those programs; I'm sure nothing remains.
    Maybe there is something triggering the installer (such as updating my Comodo firewall, which needed a restart after completion of the update, as I mentioned above) due to a conflict or something...

    The name of the tinkered program is "Aroma software Greenrain 2.5" (a program related to pharmacy), and I think the game was a Barbie game which I don't remember exactly, since I threw it into the garbage after what happened...
     

Short URL to this thread: https://techguy.org/841202