Okay

I don't have any questions no. Thank you for the help Aura.

Well no signs of it so far. I believe it's been taken care of. If something comes up , I'll come back , but it seems clean for the moment. Thanks a lot for the help.

Well hopefully it's over. I'll try and wait until the end of Sunday. If the file doesn't come back , then I think it'll be safe to assume we got rid of it somehow.

I have ran a scan but nothing was detected. Almost like the infection disappeared out of nowhere. I guess it's over , but I'm more confused than sure at this point. mblog.txt

Here it is. Fixlog.txt

So far no , I'm going to wait until the end of the weekend and see if it comes back then , it would usually create itself on Saturday

I'll check and give you the answer as soon as it creates back

Process explorer was running these past few days , so no it didn't. Something like that or the task manager seems to keep it away from recreating itself

Well I don't know what options we have left , I hope we can get rid of this some way.

I was able to send the file with Dropbox. It was my only available alternative to send the file. https://www.dropbox.com/s/vwgc5nsgzyeqm65/Logfile.zip?dl=0 reg.exe isn't running anymore since it was starting to take too much CPU , so I unfortunately had to kill the process. It happened around 4-6 AM if I remember correctly.

Process monitor was still running however the file is almost 5 GB. I don't think I'll be able to send it

I also noticed a few minutes ago that reg.exe and conhost.exe run and take around 20% of my CPU. I don't know if that's normal or not since I have not seen them before but I prefer telling just incase.

Nope , the mod was already uninstalled. As well as the game.

Unfortunately I don't think the msdt folder will recreate itself with process monitor on. Or at least I have not been able to make it recreate itself even when leaving the computer inactive.

Sure thing. Here you go. Autorun.zip

I did yes for a few of my games.

It has been difficult to get the files , but here they are. It duplicate itself based on inactivity. (between 20 to 30 minutes) and creates this file. I have added one more FRST and Addition while the Mstsvc and mstlenet were running in that case you need them. It seems to be hazardous due to what it does to my computer so careful with what you'll do with them. Hoping for your response very soon Aura , thank you for your time. msdt.zip FRST.txt Addition.txt

While the folder hasn't recreated itself yet (much to my surprise) I have been able to find a screenshot I took earlier before deleting it's content. These are all the files that were present in the msdt folder. Sorry for the low quality , it was taken in safe mode with 800x600 as the resolution.

The folder may take time to recreate as it only happens during computer inactivity from what I've seen. If you can give me 10 minutes to an hour I should be able to give it to you. In the meantime , here are the logs from the Search Registry. Farbar Recovery Scan Tool (x64) Version: 10.02.2018 02 Exécuté par Azumi (11-02-2018 01:09:40) Exécuté depuis C:\Users\Azumi\Downloads Mode d'amorçage: Normal ================== Chercher Registre: "mstlenet;msftsvc;msdt" =========== ===================== Résultats de recherche pour "mstlenet" ========== [HKEY_USERS\S-1-5-21-71829229-4040056195-3008265457-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache] "C:\Windows\System32\msdt\mstlenet.exe"="mstlenet" ===================== Résultats de recherche pour "msftsvc" ========== [HKEY_USERS\S-1-5-21-71829229-4040056195-3008265457-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache] "C:\Windows\System32\msdt\msftsvc.exe"="msftsvc" ===================== Résultats de recherche pour "msdt" ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\25c54639-2259-4627-9855-3f759f0c9538\Description] ""="MSDTCXATM" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\2a2d1281-f2a9-451e-990f-421d50a7a823\CustomProperties\LOG\Path] ""="C:\Windows\system32\MSDtc" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\2a2d1281-f2a9-451e-990f-421d50a7a823\Description] ""="MSDTC" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\4d30d4d2-0c0d-4707-b04f-c7e19e2bc602\Description] ""="MSDTCTIPGW" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\d3acf2b9-783b-4107-8285-19a5b5b67f9e\Description] ""="MSDTCUIS" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\25c54639-2259-4627-9855-3f759f0c9538\Description] ""="MSDTCXATM" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\2a2d1281-f2a9-451e-990f-421d50a7a823\CustomProperties\LOG\Path] ""="C:\Windows\system32\MSDtc" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\2a2d1281-f2a9-451e-990f-421d50a7a823\Description] ""="MSDTC" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\4d30d4d2-0c0d-4707-b04f-c7e19e2bc602\Description] ""="MSDTCTIPGW" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\d3acf2b9-783b-4107-8285-19a5b5b67f9e\Description] ""="MSDTCUIS" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\d5554a38-bb02-40cc-a46e-21d3627b3a32\Description] ""="MSDTCKTMRM" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01458CF0-A1A2-11D1-8F85-00600895E7D5}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{193B4137-0480-11D1-97DA-00C04FB9618A}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f09b058-f3fd-4a9d-a8ba-a8a05f8fe283}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f893820-7089-46cc-a6e8-c4aae45f151b}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37de7045-5056-456f-8409-c871e0f8b0e0}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39F8D76B-0928-11D1-97DF-00C04FB9618A}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95A4-C53F-11d1-B3A2-00A0C9083365}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95DA-C53F-11d1-B3A2-00A0C9083365}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95F5-C53F-11d1-B3A2-00A0C9083365}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95FB-C53F-11d1-B3A2-00A0C9083365}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95FE-C53F-11d1-B3A2-00A0C9083365}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5408B2F0-C816-11D1-8F99-00600895E7D5}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B18AB61-091D-11D1-97DF-00C04FB9618A}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D9DD151-65F4-11CE-900D-00AA00445589}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{842D84C9-C347-11D1-8F64-00C04FB611C7}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9cfc6d75-e648-47a8-9ea0-fb0907558952}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\starthomegrouptroubleshooter\command] ""="%SystemRoot%\System32\msdt.exe -id HomegroupDiagnostic" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA38D8DA-C75D-11D1-8F99-00600895E7D5}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA38D8DB-C75D-11D1-8F99-00600895E7D5}\InprocServer32] ""="%systemroot%\system32\msdtctm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Cabinet] "FriendlyTypeName"="@%SystemRoot%\system32\msdt.exe,-10012" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Cabinet\DefaultIcon] ""="%SystemRoot%\system32\msdt.exe,-10013" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Cabinet\shell\open\command] ""="%SystemRoot%\system32\msdt.exe /cab "%1"" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Config] "FriendlyTypeName"="@%SystemRoot%\system32\msdt.exe,-10014" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Config\DefaultIcon] ""="%SystemRoot%\system32\msdt.exe,-10015" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Config\shell\open\command] ""="%SystemRoot%\system32\msdt.exe /path "%1"" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Document] "FriendlyTypeName"="@%SystemRoot%\system32\msdt.exe,-10010" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Document\DefaultIcon] ""="%SystemRoot%\system32\msdt.exe,-10011" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Document\shell\open\command] ""="%SystemRoot%\system32\msdt.exe /path "%1"" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers] "DefaultTM"="MSDTC" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC] [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC] "DLL"="MSDTCPRX.DLL" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{193B4137-0480-11D1-97DA-00C04FB9618A}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f09b058-f3fd-4a9d-a8ba-a8a05f8fe283}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2f893820-7089-46cc-a6e8-c4aae45f151b}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39F8D76B-0928-11D1-97DF-00C04FB9618A}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5B18AB61-091D-11D1-97DF-00C04FB9618A}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D9DD151-65F4-11CE-900D-00AA00445589}\InprocServer32] ""="%systemroot%\system32\msdtcprx.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9cfc6d75-e648-47a8-9ea0-fb0907558952}\InprocServer32] ""="%systemroot%\system32\msdtcuiu.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\starthomegrouptroubleshooter\command] ""="%SystemRoot%\System32\msdt.exe -id HomegroupDiagnostic" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{130c40f0-1bcb-4852-8b63-291cf90a600b}] "AppName"="msdt.exe" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Cleanup] "{79b40229-f48c-7547-16d3-ec814bdc5adc}"="C:\Windows\system32\msdtcprx.dll,SysPrepDtcCleanup" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Generalize] "{79b40229-f48c-7547-1eb2-96b7091aa28f}"="C:\Windows\system32\msdtcprx.dll,SysPrepDtcGeneralize" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Specialize] "{79b40229-f48c-7547-35a2-cee9227ca977}"="C:\Windows\system32\msdtcprx.dll,SysPrepDtcSpecialize" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt-adm.resources_31bf3856ad364e35_fr-fr_299431a3e0fcd67f] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt-adm_31bf3856ad364e35_none_2b598ac6e262a7ab] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt-events_31bf3856ad364e35_none_1607c757bd57c30c] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_fr-fr_89e726d2b39834b8] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt_31bf3856ad364e35_none_ce5a521ccbef0152] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_networking-mpssvc-rules-msdtc_31bf3856ad364e35_none_4761b54bbcc898ba] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-msdt.resources_31bf3856ad364e35_fr-fr_943bd124e7f8f6b3] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-msdt_31bf3856ad364e35_none_d8aefc6f004fc34d] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{155cb334-3d7f-4ff1-b107-df8afc3c0363}] ""="Microsoft-Windows-MSDTC Client 2" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{155cb334-3d7f-4ff1-b107-df8afc3c0363}] "ResourceFileName"="%SystemRoot%\system32\msdtcVSp1res.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{155cb334-3d7f-4ff1-b107-df8afc3c0363}] "MessageFileName"="%SystemRoot%\system32\msdtcVSp1res.dll"

Excuse me for the few errors in my text , I mean I've been trying to stop the process from running.

Hello Laura and thank you for helping me with this situation. Yes this is where the files/folders would be located. I deleted the files before running the FRST since it was a few hours I've been training to somehow stop the process from running. I can let them come back (since they always do anyway) and run the FRST then if needed.

Hello everyone. I recently noticed I was infected by some sort of malware. The files seem to be located in System 32 and recreate themselves if removed. 2 files in particular are a problem though the files contain others which I unfortunately didn't note down as I'm writing this. First , mstlenet.exe which blocks access to the task manager and forbids to program like process explorer to shut down the exe. The other msftsvc.exe which pumps 40% of the CPU (there's sometimes a 2nd one). All the files are packaged within System32 in a file called Msdt. I could really use some help as not even Malwarebytes or the Antivirus detects it. All my attempt to remove or contain have failed as the files just recreate themselves if the computer goes inactive for a while. I await your answer. Thank you for your time. FRST.txt Addition.txt