
mszus.exe - the undetected mystery



Hi. Trying to locate what creates [drive letter].lnk on my USB flash drives. If my drives are empty and I reconnect them, everything is normal. If I transfer files, unplug and replug, the USB flash drive is infected with a Worm that Malwarebytes is able to detect. No access after quarantine of course, otherwise it's just one extra open window with the transferred files unharmed.

I have scanned everything, checked Registry, running processes, tried anything suggested with no success. I only found this one, no info about it, no detection, nothing. CMD visible only.

Kindly asking for instructions on how to proceed in order to find out what this is. Thanks in advance.

 


Hiya r00tk1t and welcome to Malwarebytes,

Can you post the most recent log from Malwarebytes which shows what was detected when the USB was loaded...

To get the log from Malwarebytes do the following:

  • Open Malwarebytes
  • Click on the Detection History tab from the main interface.
  • Then click on "History"; that will open a historical list.
  • Double click on the Scan log which shows the date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save it to a place of choice, recommend "Desktop", then attach to reply
  • Please use "Text file (*.txt)", then name the file and save it to a place of choice, recommend "Desktop", then attach to reply


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST, either accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status... If English is not your primary language, right click on FRST/FRST64 and rename it to FRSTEnglish/FRST64English.

  • Double-click to run it. When the tool opens click Yes to the disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press the Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt). Please attach that log to your reply.


Let me see those logs in your reply...

Thank you,

Kevin....

Hi Kevin, thank you for your welcome and your time. Let me clear something up: after making this post there was a scheduled scan (June 1st @ 1:00 AM) which for the first time detected the registry value I found manually. 

I examined the logs for a while and what I found interesting is that Malwarebytes reports this:

Registry Value: 1
Trojan.Agent, HKU\S-1-5-21-2912645279-1161820344-2244976762-1001\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS|LOAD, Quarantined, 511, 209093, 1.0.41193, , ame

and FRST reports this:

HKU\S-1-5-21-2912645279-1161820344-2244976762-1001\...\MountPoints2: F - F:\Autorun.exe
HKU\S-1-5-21-2912645279-1161820344-2244976762-1001\...\MountPoints2: {81f5ce77-81bd-11e5-b183-806e6f6e6963} - D:\Setup.EXE

F,D both internal HDD drives with no detections.

Scan detection usb dev K.txt RTP detection usb dev J.txt Scan REG detection.txt FRST.txt Addition.txt


Hiya r00tk1t,

Thanks for those logs, can you do the following and let me know the outcome...

Can you upload mszus.exe to VirusTotal to have it checked out...

You will need to show hidden files/folders for access...

https://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\ProgramData\mszus.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.

Thank you,

Kevin.

Edited by kevinf80

Hey, that's the best part. ProgramData is a hidden folder as you know, and there is no .exe file in Windows Explorer, as you can see in the first screenshot. I can only see the existence of it in CMD using "dir /A" since the .exe is hidden as well.


It shows up in the FRST logs...

==================== Files in the root of some directories ========

2010-11-21 06:24 - 2010-11-21 06:24 - 103346944 ___SH () C:\ProgramData\mszus.exe
2021-05-13 22:12 - 2021-05-23 21:04 - 000024576 _____ () C:\Users\M1NDK\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2019-04-08 19:20 - 2021-05-31 19:28 - 000007640 _____ () C:\Users\M1NDK\AppData\Local\resmon.resmoncfg

 

I can use FRST to have it checked at VirusTotal, I would rather have confirmation that it is malicious before removal...

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.
 
Thanks,
 
Kevin..

fixlist.txt

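The FRST lines quoted above carry a five-character attribute column (___SH for mszus.exe) and an empty company field in the parentheses. As an added illustration, not code from this thread or from FRST's authors, the script below parses lines in that "Files in the root of some directories" format and flags executables that Explorer would not show or that carry no vendor information. It assumes the letters H and S in the attribute column mean Hidden and System, and the sample log is constructed from the lines quoted earlier in the thread.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the FRST lines quoted earlier in this thread.
SAMPLE_LOG = """==================== Files in the root of some directories ========

2010-11-21 06:24 - 2010-11-21 06:24 - 103346944 ___SH () C:\\ProgramData\\mszus.exe
2021-05-13 22:12 - 2021-05-23 21:04 - 000024576 _____ () C:\\Users\\M1NDK\\AppData\\Local\\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2019-04-08 19:20 - 2021-05-31 19:28 - 000007640 _____ () C:\\Users\\M1NDK\\AppData\\Local\\resmon.resmoncfg
"""

# Field order as seen in the log: created - modified - size attrs (company) path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) \((?P<company>[^)]*)\) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")

def parse_file_lines(text: str) -> List[Dict[str, str]]:
    """Return one dict per parseable FRST file line; headers and blanks are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def triage(text: str) -> List[Dict[str, object]]:
    """Flag executables a plain Explorer view would hide, or that carry no company info."""
    findings = []
    for rec in parse_file_lines(text):
        if not rec["path"].lower().endswith(EXEC_EXT):
            continue  # config/data files are outside this check
        reasons = []
        # Assumption: H = Hidden, S = System in the FRST attribute column.
        if "H" in rec["attrs"]:
            reasons.append("hidden attribute")
        if "S" in rec["attrs"]:
            reasons.append("system attribute")
        if not rec["company"].strip():
            reasons.append("no company/version info")
        if "\\programdata\\" in rec["path"].lower():
            reasons.append("executable in ProgramData root")
        if reasons:
            findings.append({"path": rec["path"], "size": int(rec["size"]), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["path"], hit["size"], "; ".join(hit["reasons"]))
```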

UPDATE:

This is the first time I see something like this. So I visited virustotal, browsed to ProgramData, file still not visible so I tried to type the file name. Voila! I just uploaded a ghost .exe to virustotal! XD

Here is the link: https://www.virustotal.com/gui/file/eec3e78a28f4b6582c76ff5d9f9e86ac720535b01b9065d74ac5b3f7f2b13510/detection

File shows up in cmd and tools, yes, but not visually. This bothers me so much. How can I grab it? Will cmd tools work in any case? If anything, before removing it I want to obtain it and compress it for possible future analysis since I'm the only one with this exe and no info was found anywhere.


Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply. Also attach the created zip file...

fixlist.txt


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
