MSI15.tmp?

BSEagle1 (Senior member, Oct 28, 2002)
Two of our machines are doing something rather peculiar: On bootup, once the desktop displays, the file 'MSI15.tmp' tries to open itself. I searched on Google and found nothing relating to this issue...so I don't think it's a virus.

Anyone have any ideas?
 

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)
Do you have antivirus software running routinely? If so, what brand and what precise version/year? Maybe just hit Quote and replace the sample info below with your own info:

OS AND SECURITY
  • Operating System WindowsXP Professional
  • Service Pack SP2
  • Internet connection Cable
  • Hardware firewall Netgear RP614 router
  • Software firewall WindowsXP firewall
  • Antivirus Norton Antivirus 2004
 

BSEagle1 (Senior member, Oct 28, 2002)
Sure. Here ya go...
Originally posted by: mechBgon

OS AND SECURITY
  • Operating System WindowsXP Home
  • Service Pack SP2
  • Internet connection Cable
  • Hardware firewall Linksys BEFSR81
  • Software firewall PC-cillin Internet Security 2005 (XP Firewall disabled)
  • Antivirus Trend Micro PC-cillin Internet Security 2005

 

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)
Interesting. Having weird files try to open themselves for no apparent reason makes a guy think "virus." :confused: I assume you did a virus update & scan already and came up clean?

One thing you could try is this: right-click this link and Save Target As. It's a text file and shows how to get a McAfee command-line scanner. Download the scanner and unzip it as instructed, then restart in Safe Mode and fire off the scanner as shown. That gets you a second company's opinion on the virus angle.

Also, if you want, email me a copy of the file at tmcfadden omnicast net if you can find it, and I'll run it through a Kaspersky scan.

edit: also, if you could post a HijackThis log... HJT download
 

BSEagle1 (Senior member, Oct 28, 2002)
Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:09:20 PM, on 10/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.falcon-nw.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.falcon-nw.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.falcon-nw.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda...86/client/wuweb_site.cab?1126939493359
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


See anything suspicious? I looked over it and didn't see anything that sounded malicious. Also, the McAfee scanner didn't find anything virus-wise...though it did find something it calls a 'non-critical error'. I'll run the same tests on the other computer later; the guy who owns it is trying to learn more about computers, so this should be fun for him :p
 

BSEagle1 (Senior member, Oct 28, 2002)
Nope...and no hard drive activity after initial loading.

I'll try having them uninstall a couple of the more recent things they've put on...maybe that has something to do with it.
 

mechBgon (Super Moderator, Elite Member, Oct 31, 1999)
I plopped the HJT output into http://hijackthis.de and one item that it was ??? about is this:

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

"Table Manager?" We got a restaurant goin' on in there or something? :D Any idea what this is?
 

BSEagle1 (Senior member, Oct 28, 2002)
Update:

I found out what it was when I was taking another look through the System Configuration utility. Apparently, it's a file related to the Registration program for the game Indigo Prophecy. I had asked the user of one of the machines to uninstall it and see if that helped...guess he didn't :p First time I looked through the Config utility I was only looking under Services...totally neglected to check the Startup tab.

So, unchecked it, and it's all good.
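Added example (editor's addition, not code from the thread or from HijackThis): a small Python script that parses the O4 (Run keys and Startup folder) and O23 (service) lines of a HijackThis v1.99 log and flags what a reviewer looks for in a case like this one: executables listed without a full path (resolved by PATH search, as SOUNDMAN.EXE and nwiz.exe are in BSEagle1's log), binaries living under a Temp directory, a .tmp extension, and services with no vendor name. The sample log is constructed: the Run-key lines and the IDriverT service line are copied from the log posted above, but the Registration.lnk Startup-folder entry and the helpersvc service line are hypothetical, written only to show how a Temp-directory .tmp launcher would appear. The thread never shows the actual MSI15.tmp entry that BSEagle1 found in the msconfig Startup tab.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99 log format. The O4 Run-key lines and
# the IDriverT service line come from the thread's log; the "Registration.lnk"
# Startup-folder entry and the "helpersvc" service are hypothetical, added to
# show how a .tmp launcher in a Temp directory would look.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration.lnk = C:\DOCUME~1\USER\LOCALS~1\Temp\MSI15.tmp
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Helper Service (helpersvc) - Unknown owner - C:\WINDOWS\Temp\helper.tmp
"""

# Line shapes HijackThis uses for Run keys, Startup folders and services.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_FOLDER = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
O23_SVC = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^)]+)\) - (?P<vendor>.*?) - (?P<cmd>.*)$")
# First token that ends in an executable-looking extension (paths may contain spaces).
EXE_TOKEN = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll|tmp))(?=[\s,]|$)", re.I)
ABS_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    kind: str                 # "run:HKLM", "run:HKCU", "startup-folder" or "service"
    name: str                 # value name, .lnk name or service short name
    exe: str                  # binary the entry launches, as printed in the log
    raw: str                  # the original log line
    vendor: str = ""          # O23 only
    flags: list = field(default_factory=list)


def first_exe(cmd: str) -> str:
    """Pull the launched binary out of a command line as HijackThis prints it."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_TOKEN.match(cmd)
    return m.group(1) if m else cmd.split(None, 1)[0]


def analyse(entry: Entry) -> Entry:
    """Attach review flags; heuristics only, every hit still needs a human look."""
    low = entry.exe.lower()
    if not ABS_PATH.match(entry.exe):
        # Resolved through PATH search: a planted copy earlier in PATH wins.
        entry.flags.append("no-absolute-path")
    if re.search(r"\\temp\\", low):
        entry.flags.append("temp-directory")
    if low.endswith(".tmp"):
        entry.flags.append("tmp-extension")
    if entry.kind == "service" and entry.vendor.strip().lower() == "unknown owner":
        entry.flags.append("unknown-vendor")
    return entry


def parse_log(text: str) -> list:
    """Return one Entry per O4/O23 line; other HJT sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_RUN.match(line):
            entries.append(analyse(Entry("run:" + m["hive"], m["name"], first_exe(m["cmd"]), line)))
        elif m := O4_FOLDER.match(line):
            entries.append(analyse(Entry("startup-folder", m["name"], first_exe(m["cmd"]), line)))
        elif m := O23_SVC.match(line):
            entries.append(analyse(Entry("service", m["svc"], first_exe(m["cmd"]), line, vendor=m["vendor"])))
    return entries


def suspicious(text: str) -> list:
    """Only the entries that tripped at least one flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"[{', '.join(e.flags)}] {e.kind} {e.name}: {e.exe}")
```

The Startup-folder line is how an item from the msconfig Startup tab, like the registration program BSEagle1 eventually unchecked, typically shows up in a HijackThis log, alongside the Run-key entries. The no-absolute-path check is deliberately strict: a bare RUNDLL32.EXE or SOUNDMAN.EXE is common in legitimate OEM setups, so the flag means "confirm which file actually gets loaded", not "malware".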