Jump to content

Malware hiding in System32


Okay
 Share

Recommended Posts

Hello everyone. I recently noticed I was infected by some sort of malware. The files seem to be located in System 32 and recreate themselves if removed.

2 files in particular are a problem though the files contain others which I unfortunately didn't note down as I'm writing this.

First , mstlenet.exe which blocks access to the task manager and forbids to program like process explorer to shut down the exe.

The other msftsvc.exe which pumps 40% of the CPU (there's sometimes a 2nd one).

All the files are packaged within System32 in a file called Msdt.

 

I could really use some help as not even Malwarebytes or the Antivirus detects it. All my attempt to remove or contain have failed as the files just recreate themselves if the computer goes inactive for a while.

 

I await your answer. Thank you for your time.

FRST.txt

Addition.txt

Link to post
Share on other sites

Hi Okay :)

My name is Aura and I'll be assisting you with your malware issue. Since we'll be working together, you can call me Aura or Yoan, which is my real name, it's up to you! Now that we've broke the ice, I'll just ask you a few things during the time we'll be working together to clean your system and get it back to an operational state.

  • As you'll notice, the logs we are asking for here are quite lenghty, so it's normal for me to not reply exactly after you post them. This is because I need some time to analyse them and then act accordingly. However, I'll always reply within 24 hours, 48 hours at most if something unexpected happens
  • As long as I'm assisting you on Malwarebytes Forums, in this thread, I'll ask you to not seek assistance anywhere else for any issue related to the system we are working on. If you have an issue, question, etc. about your computer, please ask it in this thread and I'll assist you
  • The same principle applies to any modifications you make to your system, I would like you to ask me before you do any manipulations that aren't in the instructions I posted. This is to ensure that we are operating in sync and I know exactly what's happening on your system
  • If you aren't sure about an instruction I'm giving you, ask me about it. This is to ensure that the clean-up process goes without any issue. I'll answer you and even give you more precise instructions/explanations if you need. There's no shame in asking questions here, better be safe than sorry!
  • If you don't reply to your thread within 3 days, I'll bump this thread to let you know that I'm waiting for you. If you don't reply after 5 days, it'll be closed. If you return after that period, you can send me a PM to get it unlocked and we'll continue where we left off;
  • Since malware can work quickly, we want to get rid of them as fast as we can, before they make unknown changes to the system. This being said, I would appreciate if you could reply to this thread within 24 hours of me posting. This way, we'll have a good clean-up rhythm and the chances of complications will be reduced
  • I'm against any form of pirated, illegal and counterfeit software and material. So if you have any installed on your system, I'll ask you to uninstall them right now. You don't have to tell me if you indeed had some or not, I'll give you the benefit of the doubt. Plus, this would be against Malwarebytes Forums's rules
  • In the end, you are the one asking for assistance here. So if you wish to go a different way during the clean-up, like format and reinstall Windows, you are free to do so. I would appreciate you to let me know about it first, and if you need, I can also assist you in the process
  • I would appreciate if you were to stay with me until the end, which means, until I declare your system clean. Just because your system isn't behaving weirdly anymore, or is running better than before, it doesn't mean that the infection is completely gone
    This being said, I have a full time job so sometimes it'll take longer for me to reply to you. Don't worry, you'll be my first priority as soon as I get home and have time to look at your thread


This being said, it's time to clean-up some malware, so let's get started, shall we? :)

Just so I can get this straight, this is where the files/folders would be located?

C:\Windows\system32\msdt
C:\Windows\system32\msdt\mstlenet.exe
C:\Windows\system32\msdt\msftsvc.exe


Did you delete the files and folder before running FRST?
Link to post
Share on other sites

Hello Laura and thank you for helping me with this situation.

 

Yes this is where the files/folders would be located.

I deleted the files before running the FRST since it was a few hours I've been training to somehow stop the process from running.

I can let them come back (since they always do anyway) and run the FRST then if needed.

Link to post
Share on other sites

Alright. Well, as soon as the folder gets created again, can you .zip it and attach it here for me? In the meantime, let's do a bit of research of our own.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.

  • Right-click on the executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds
  • In the Search text area, copy and paste the following:
    mstlenet;msftsvc;msdt
  • Once done, click on the Search Registry button and wait for FRST to finish the search
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply

Link to post
Share on other sites

The folder may take time to recreate as it only happens during computer inactivity from what I've seen. If you can give me 10 minutes to an hour I should be able to give it to you.

In the meantime , here are the logs from the Search Registry.

Farbar Recovery Scan Tool (x64) Version: 10.02.2018 02
Exécuté par Azumi (11-02-2018 01:09:40)
Exécuté depuis C:\Users\Azumi\Downloads
Mode d'amorçage: Normal

================== Chercher Registre: "mstlenet;msftsvc;msdt" ===========


===================== Résultats de recherche pour "mstlenet" ==========

[HKEY_USERS\S-1-5-21-71829229-4040056195-3008265457-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Windows\System32\msdt\mstlenet.exe"="mstlenet"


===================== Résultats de recherche pour "msftsvc" ==========

[HKEY_USERS\S-1-5-21-71829229-4040056195-3008265457-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"C:\Windows\System32\msdt\msftsvc.exe"="msftsvc"


===================== Résultats de recherche pour "msdt" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\25c54639-2259-4627-9855-3f759f0c9538\Description]
""="MSDTCXATM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\2a2d1281-f2a9-451e-990f-421d50a7a823\CustomProperties\LOG\Path]
""="C:\Windows\system32\MSDtc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\2a2d1281-f2a9-451e-990f-421d50a7a823\Description]
""="MSDTC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\4d30d4d2-0c0d-4707-b04f-c7e19e2bc602\Description]
""="MSDTCTIPGW"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID\d3acf2b9-783b-4107-8285-19a5b5b67f9e\Description]
""="MSDTCUIS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\25c54639-2259-4627-9855-3f759f0c9538\Description]
""="MSDTCXATM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\2a2d1281-f2a9-451e-990f-421d50a7a823\CustomProperties\LOG\Path]
""="C:\Windows\system32\MSDtc"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\2a2d1281-f2a9-451e-990f-421d50a7a823\Description]
""="MSDTC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\4d30d4d2-0c0d-4707-b04f-c7e19e2bc602\Description]
""="MSDTCTIPGW"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\d3acf2b9-783b-4107-8285-19a5b5b67f9e\Description]
""="MSDTCUIS"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CID.Local\d5554a38-bb02-40cc-a46e-21d3627b3a32\Description]
""="MSDTCKTMRM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01458CF0-A1A2-11D1-8F85-00600895E7D5}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{193B4137-0480-11D1-97DA-00C04FB9618A}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f09b058-f3fd-4a9d-a8ba-a8a05f8fe283}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2f893820-7089-46cc-a6e8-c4aae45f151b}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{37de7045-5056-456f-8409-c871e0f8b0e0}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{39F8D76B-0928-11D1-97DF-00C04FB9618A}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95A4-C53F-11d1-B3A2-00A0C9083365}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95DA-C53F-11d1-B3A2-00A0C9083365}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95F5-C53F-11d1-B3A2-00A0C9083365}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95FB-C53F-11d1-B3A2-00A0C9083365}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3BBE95FE-C53F-11d1-B3A2-00A0C9083365}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5408B2F0-C816-11D1-8F99-00600895E7D5}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B18AB61-091D-11D1-97DF-00C04FB9618A}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D9DD151-65F4-11CE-900D-00AA00445589}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{842D84C9-C347-11D1-8F64-00C04FB611C7}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9cfc6d75-e648-47a8-9ea0-fb0907558952}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\starthomegrouptroubleshooter\command]
""="%SystemRoot%\System32\msdt.exe -id HomegroupDiagnostic"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA38D8DA-C75D-11D1-8F99-00600895E7D5}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CA38D8DB-C75D-11D1-8F99-00600895E7D5}\InprocServer32]
""="%systemroot%\system32\msdtctm.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Cabinet]
"FriendlyTypeName"="@%SystemRoot%\system32\msdt.exe,-10012"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Cabinet\DefaultIcon]
""="%SystemRoot%\system32\msdt.exe,-10013"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Cabinet\shell\open\command]
""="%SystemRoot%\system32\msdt.exe /cab "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Config]
"FriendlyTypeName"="@%SystemRoot%\system32\msdt.exe,-10014"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Config\DefaultIcon]
""="%SystemRoot%\system32\msdt.exe,-10015"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Config\shell\open\command]
""="%SystemRoot%\system32\msdt.exe /path "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Document]
"FriendlyTypeName"="@%SystemRoot%\system32\msdt.exe,-10010"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Document\DefaultIcon]
""="%SystemRoot%\system32\msdt.exe,-10011"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Diagnostic.Document\shell\open\command]
""="%SystemRoot%\system32\msdt.exe /path "%1""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers]
"DefaultTM"="MSDTC"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OLETransactionManagers\MSDTC]
"DLL"="MSDTCPRX.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{193B4137-0480-11D1-97DA-00C04FB9618A}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1d16438c-54dc-404f-83a9-c041e77a32dd}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1f09b058-f3fd-4a9d-a8ba-a8a05f8fe283}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2f893820-7089-46cc-a6e8-c4aae45f151b}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39F8D76B-0928-11D1-97DF-00C04FB9618A}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5B18AB61-091D-11D1-97DF-00C04FB9618A}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5D9DD151-65F4-11CE-900D-00AA00445589}\InprocServer32]
""="%systemroot%\system32\msdtcprx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9cfc6d75-e648-47a8-9ea0-fb0907558952}\InprocServer32]
""="%systemroot%\system32\msdtcuiu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B4FB3F98-C1EA-428d-A78A-D1F5659CBA93}\shell\starthomegrouptroubleshooter\command]
""="%SystemRoot%\System32\msdt.exe -id HomegroupDiagnostic"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{130c40f0-1bcb-4852-8b63-291cf90a600b}]
"AppName"="msdt.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Cleanup]
"{79b40229-f48c-7547-16d3-ec814bdc5adc}"="C:\Windows\system32\msdtcprx.dll,SysPrepDtcCleanup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Generalize]
"{79b40229-f48c-7547-1eb2-96b7091aa28f}"="C:\Windows\system32\msdtcprx.dll,SysPrepDtcGeneralize"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Sysprep\Specialize]
"{79b40229-f48c-7547-35a2-cee9227ca977}"="C:\Windows\system32\msdtcprx.dll,SysPrepDtcSpecialize"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt-adm.resources_31bf3856ad364e35_fr-fr_299431a3e0fcd67f]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt-adm_31bf3856ad364e35_none_2b598ac6e262a7ab]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt-events_31bf3856ad364e35_none_1607c757bd57c30c]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_fr-fr_89e726d2b39834b8]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_microsoft-windows-msdt_31bf3856ad364e35_none_ce5a521ccbef0152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\amd64_networking-mpssvc-rules-msdtc_31bf3856ad364e35_none_4761b54bbcc898ba]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-msdt.resources_31bf3856ad364e35_fr-fr_943bd124e7f8f6b3]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\wow64_microsoft-windows-msdt_31bf3856ad364e35_none_d8aefc6f004fc34d]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{155cb334-3d7f-4ff1-b107-df8afc3c0363}]
""="Microsoft-Windows-MSDTC Client 2"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{155cb334-3d7f-4ff1-b107-df8afc3c0363}]
"ResourceFileName"="%SystemRoot%\system32\msdtcVSp1res.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{155cb334-3d7f-4ff1-b107-df8afc3c0363}]
"MessageFileName"="%SystemRoot%\system32\msdtcVSp1res.dll"

Link to post
Share on other sites

While the folder hasn't recreated itself yet (much to my surprise) I have been able to find a screenshot I took earlier before deleting it's content.

These are all the files that were present in the msdt folder.

Sorry for the low quality , it was taken in safe mode with 800x600 as the resolution.dbe1c5e515abc4d95fc4f1c0da59fd16.thumb.png.2227b62e698a8f8b5143cdfc7245c255.png

Link to post
Share on other sites

It has been difficult to get the files , but here they are. It duplicate itself based on inactivity. (between 20 to 30 minutes) and creates this file.

I have added one more FRST and Addition while the Mstsvc and mstlenet were running in that case you need them.

It seems to be hazardous due to what it does to my computer so careful with what you'll do with them.

 

Hoping for your response very soon Aura , thank you for your time.

msdt.zip

FRST.txt

Addition.txt

Link to post
Share on other sites

Can you PM me the links to the mods you downloaded in the last days? Maybe the ones you downloaded right before noticing the infection? Trying to find a dropper for this infection, and if I can, I'll infect my VM and see how the infection works. This way, I'll be able to remove it easily.

Link to post
Share on other sites

Also, follow the instructions below.

sUc2qjf.pngAutoruns - Start-up Entries
Follow the instructions below to give me an Autoruns log containing your start-up entries:

  • Download Autoruns.zip from the Sysinternals Suite webpage
  • Extract the content of the Autoruns.zip folder where you want, then go in the folder, right-click on Autoruns.exe and select Run as Administrator
  • Accept the EULA on opening, then wait for all the entries to load
  • Click on File then Save and save the file to a location easily accessible as a .arn (Autoruns) file
  • Right-click on the file you saved and select Send to followed by Compressed (zipped) folder
  • Attach the .zip file on your next post, or if it says that it's too big, upload it on SendSpace and post the download URL for it here

Link to post
Share on other sites

Alright, follow the instructions below.

Delete the msdt folder before though.

2Pmortn.pngProcess Monitor - Capture

  • Download Process Monitor from Sysinternal Suite, and extract the ProcessMonitor.zip file;
  • Right-click on Procmon.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Wait for the program to start capturing events (you'll see entries appears very fast);
  • Now, wait for the msdt folder to be created in C:\Windows\System32
  • Once done, click on the little magnifying lense button to stop the capture;
    xdIAVkH.png
  • Click on the File menu, followed by Save... and save the logfile (by default it'll be saved in the ProcessMonitor folder);
  • Right-click on the ProcMon trace file you saved (.pml file), select Send to and Compressed archive (.zip);
  • Attach that .zip file in your next reply;

 

Link to post
Share on other sites

And just to confirm, if you close Process Explorer and the Task Manager, is it getting created back in 20 mins? If so, I'll send the Mod you sent me to the Research Team, as I'll need their expertise to analyse that infection.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.