msdtc.exe Detected - FP?

Discussion in 'NOD32 version 2 Forum' started by Capp, Mar 9, 2009.

Thread Status:
Not open for further replies.
  1. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I got an email notification from my server at work today. Apparently, something is being flagged as a baddie:
    3/8/2009 23:58:47 PM - NOD32 Kernel Threat Alert triggered on SBSERVER: c:\windows\system32\msdtc.exe is infected with a variant of Win32/Kryptik.JX trojan.


    According to what I've found online:

    "msdtc.exe" belongs to Microsoft Distributed Transaction Coordinator. The Microsoft Distributed Transaction Coordinator is a transaction manager which permits client applications to include several different sources of data in one transaction and which then coordinates committing the distributed transaction across all the servers that are enlisted in the transaction. MSDTC runs on all Windows platforms and is installed by applications which need to use it, such as Microsoft's Personal Web Server, or Microsoft SQL Server.


    I haven't added or removed anything from the server in over a year, so that file has already been there for a while.

    Is this a FP?
     
  2. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    I believe it is. I just received the same across the network and checked the files with virustotal.com and jotti. Only NOD32 is showing a positive. Maybe they are just faster today.

    actmovie.exe
    dllhost.exe
    msdtc.exe

    are all showing positive so far. Live files and in the service pack folder.
     
    Last edited: Mar 9, 2009
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
  4. maznos

    maznos Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    1
    My system reported the following files:
    actmovie.exe
    dmremote.exe
    mqsvc.exe
    nddeapir.exe
    ping.exe
    progman.exe
    stimon.exe
    comereg.exe

    It looks like a "bad definition" update to me.
     
  5. Leer

    Leer Registered Member

    Joined:
    May 14, 2007
    Posts:
    12
    Thanks Marcos,

    Is there any way to issue a command to restore the files, or is it a manual process only?
     
  6. sputnik451

    sputnik451 Registered Member

    Joined:
    Jul 27, 2004
    Posts:
    17
    Thanks to ESET for the very quick fix.
     
  7. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
  8. TheFourthFerret

    TheFourthFerret Registered Member

    Joined:
    Aug 15, 2007
    Posts:
    2
    I have two separate clients with network environments who have reported that the msdtc.exe and dllhost.exe files have automatically restored from quarantine. For one of them, I have confirmed myself that both a workstation and the actual mirror server, which were showing the quarantined files earlier, no longer have those files listed, and the files are back in the System32 directory.

    Both sites are running version 2.7. Contrary to what I've read about needing to either restore manually or wait for a network tool, do the recent update versions (3920 and up) actually automatically restore the files in 2.7 as well?
     
  9. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    748
    Location:
    UK
    I got this and didn't have to recover files, since I had it set not to auto-clean viruses.

    However, I have a new problem: NOD32 keeps bugging me to submit the files even though my quarantine is empty.

    It seems I have 3 choices:

    (a) submit the files manually this one time
    (b) submit and auto-submit in future so I don't get prompted again
    (c) hit cancel, but it will then prompt me again later

    How do I not submit and tell it to never prompt me again?
     
  10. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Got some of those too, last night.

    NOD32 reared its red eye - a rare event - & informed me that my PC had a case of the "heebie-jeebies" re some new strain of something or other which I should send off to the lab for analysis.

    After NOD32 pounced on whatever and did its thing, I no longer had a functioning shadow volume copy, so I could not return to doing the backups which I'd started the day before.

    Ideas on what "VIP" system files got smoked here, so I can fix this?

    * Have a router, security apps out the wazoo here, and we safe surf only so I trust this was just another FP? I hope, I hope. (?!)

    ** From what I read here - sounds like NOD32(?) will put the files back, or I should check that?

    Thanks,
     
  11. Biscuit

    Biscuit Registered Member

    Joined:
    May 26, 2006
    Posts:
    978
    Location:
    Isle of Man
  12. SG1

    SG1 Registered Member

    Joined:
    Jan 16, 2003
    Posts:
    430
    Biscuit (and others) --

    Bless your bippies - thanks for info as I HOPED that it was an FP, but "VIP" system files tagged/whisked away, could be a possible trainwreck waiting to happen. Scary stuff, that.

    Thanks, ;-)
     
  13. Stealthman

    Stealthman Registered Member

    Joined:
    Aug 11, 2007
    Posts:
    23
    Location:
    Dublin, Ireland
    Just coming in late to this thread, but here's my 2c, for what it's worth...

    On a remote network that we monitor nightly, on Monday 09/03/09 I saw three files detected & quarantined by ESS. I thought it was strange, as this particular PC is the very least used on that particular network & absolutely no one had been using it that day at all. I thought I'd delete the files from quarantine anyhow & carry on with the nightly checks. All OK until we ran the backup, which wouldn't even start running! Major problem, as this backs up all the others in the network!

    After checking loads of things, including reading the PR from ESET on the FP & realising that those were the 3 I'd deleted :eek: :eek:, I searched the PC & found the files in their original locations. Hmmm o_O, still no backup running. Then I realised that the gold shield denoting MS updates was in the systray, odd as that had been checked half an hour before & nothing was required! :( :(

    Decided that I'd do the (4) critical updates one at a time. Did the 1st (Security update KB960225) & tested the backup. Guess what? It ran OK :D :D :D Oh happy days! Not sure exactly what difference this made, but the backups worked OK last night & again tonight.... :0

    Hope maybe this points someone in the right direction...

    Jtk
     
  14. Alith

    Alith Registered Member

    Joined:
    Oct 30, 2004
    Posts:
    69
    I have ESET AV 3.0.684.0 (yes, I'm going to update :)) with heuristics 1092.
    I understand this will restore the quarantined files back to their original location. I still have these files listed in detected threats. Can I delete them?

    I also checked my Event Viewer.
    Event Type: Information
    Event Source: Windows File Protection
    Event Category: None
    Event ID: 64003
    Date: 3/8/2009
    Time: 11:01:54 PM
    User: N/A
    Computer: TRIXIE
    Description:
    File replacement was attempted on the protected system file msdtc.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is unknown.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Information
    Event Source: Windows File Protection
    Event Category: None
    Event ID: 64003
    Date: 3/8/2009
    Time: 11:01:47 PM
    User: N/A
    Computer: TRIXIE
    Description:
    File replacement was attempted on the protected system file dllhost.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is unknown.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I gather this means I do not need to do anything further, unless you recommend running SFC?
     
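    An added triage example, not code from this thread or from ESET: it reads the kind of alert line quoted in the first post together with the Windows File Protection Event ID 64003 text pasted above, and flags an alert on a protected system file that WFP has already put back as a probable false positive to be verified (hash against a known-good copy, SFC) rather than acted on. The sample alert and event text are constructed from the thread, and the "variant of" rule and the list of protected directories are assumptions.

```python
import re

# Constructed sample alert, modelled on the notification quoted in the first post.
ALERT = ("3/8/2009 23:58:47 PM - NOD32 Kernel Threat Alert triggered on SBSERVER: "
         "c:\\windows\\system32\\msdtc.exe is infected with a variant of Win32/Kryptik.JX trojan.")

# Constructed Windows File Protection entries, modelled on the Event ID 64003 text in the thread.
WFP_EVENTS = """Event Source: Windows File Protection
Event ID: 64003
Description:
File replacement was attempted on the protected system file msdtc.exe. This file was restored to the original version to maintain system stability.

Event Source: Windows File Protection
Event ID: 64003
Description:
File replacement was attempted on the protected system file dllhost.exe. This file was restored to the original version to maintain system stability.
"""

ALERT_RE = re.compile(r"triggered on (?P<host>\S+): (?P<path>.+?) is infected with (?P<threat>.+?)\.?$")
WFP_RE = re.compile(r"Event ID: 64003.*?protected system file (?P<file>\S+)\.\s", re.S)
# Assumption: paths under these directories are treated as WFP-protected territory.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")

def parse_alert(line):
    """Pull host, full path, bare file name and threat name out of one NOD32 alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    path = m.group("path").strip().lower()
    return {"host": m.group("host"), "path": path,
            "file": path.rsplit("\\", 1)[-1], "threat": m.group("threat")}

def wfp_restored_files(text):
    """Names of files that Windows File Protection reports it restored (Event ID 64003)."""
    return {m.group("file").lower() for m in WFP_RE.finditer(text)}

def triage(alert, wfp_text):
    """Collect FP indicators for one alert; two or more means verify before deleting anything."""
    reasons = []
    if alert["path"].startswith(PROTECTED_DIRS):
        reasons.append("target is a Windows-protected system file")
    if "variant of" in alert["threat"].lower():
        reasons.append("heuristic 'variant of' detection, not an exact signature")
    restored = alert["file"] in wfp_restored_files(wfp_text)
    if restored:
        reasons.append("WFP already restored the file from its cache (Event ID 64003)")
    return {"probable_fp": len(reasons) >= 2, "wfp_restored": restored, "reasons": reasons}

if __name__ == "__main__":
    print(triage(parse_alert(ALERT), WFP_EVENTS))
```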
  15. WizardMaster

    WizardMaster Registered Member

    Joined:
    Sep 24, 2006
    Posts:
    27
    Location:
    Auckland, NZ
    Yup, same here; mine too was MSDTC.exe caught by NOD32 v2.7 on SBS 2003. I thought I never download any 3rd party software on the server, but MS Windows Automatic Update had downloaded and installed it. I think NOD32 catching MSDTC.exe was a false alarm. I have never seen this since 2005, a long time. Now I have put an "Exclude" for the MSDTC.exe file in AMON, so it won't alert again. I'm pleased the NOD32 v2.7 mirror & Exchange server are still going strong as well.
     