Unsigned WinTab32.dll in \System32

[NooX]

Hi guys, please help me dissect this - I made a sigcheck -u -e C:\Windows\System32 and the following file was found:



Submitted the file to malshare:



No Yara hits either. It seems benign but I took a closer look anyway due to the owner being "TODO: <公司名>".

After some searching I found this info on another file from the same company:

Malware scan of SE61T-UserTools.exe (TODO: <产品名>) e2d2ca1f0dcb8b9b8fdeae096f5323f2a0617a7e - herdProtect

herdProtect antiviru scan for the file SE61T-UserTools.exe (SHA-1 e2d2ca1f0dcb8b9b8fdeae096f5323f2a0617a7e). 39 of 68 antivirus programs detected se61t-usertools.exe as malicious software.

www.herdprotect.com

this is what I don't like about this at all: "The file is infected by a polymorphic file infector virus."

Because they use polymorphic techniques, the hashes aren't known, that's why the file looks benign on every machine and is just sitting there, waiting for something. Am I correct to assume so?

I took a look at it in a hex editor but there's too much info and I don't really know what should I be looking for.

Please advise

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


I found a possible solution for you at this Microsoft site.

Redirecting

Read the suggested answer by Prakhar_Khare, Microsoft Agent | Moderator
===

Let me know if you need additional help.

 

[NooX]

Hi nasdaq, thanks for the reply.

I don't really have a problem per se - I just have an unsigned executable in my \system32

I was wondering more about how would I go about finding out malicious code within it, in case the hash of the file was obfuscated by being a polymorphic and is not being picked up by AVs or Yara rules.

 

[nasdaq]

Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Read carefully the inructions on this page.

Issues with WinTab32 DLL File
Issues with WinTab32 DLL File

Now before you proceed in installing the download file pay attention to the item 5 in the page which reads

Search the Wintab32.dll file in the C:\WINDOWS\SysWOW64 folder and delete the wintab32.dll file in the said folder.

I would save the copy of my wintab32.dd in the presently in the folder C:\WINDOWS\SysWOW64 folder .

Just copy the file to a temporary folder.

Now follow the directives on the page. Restart the computer normally.
If any things goes wrong then you you have a copy of the old file to re-use instead of the new downloaded file.

p.s.

You can also register the problematic file by registering the file in C:\WINDOWS\SysWOW64\wintab32.dl

You will find the instructions here:

Redirecting

If you need any help before proceeing pease ask..