Whenever I boot up my PC, Avast flags tcqqtwikpows.sys (which is located in c:/windows/temp) as a suspicious file. If I delete the file, it shows up again after a reboot. I can’t tell if this is malware or not, but I can’t find any reference to it on Google or otherwise. Does anyone know what this is, and how I can remove it permanently if it is malware? It doesn’t show up under a Malwarebytes scan so I’m not positive it is. thx!
A search for this filename results in zero hits, I would certainly consider it suspicious at the very least.
You say if you delete the file, are you sending it to the Avast Quarantine or manually deleting it?
Could you attach a screen grab of said alert next time it pops up?
Both. Avast always quarantines it, but if I go and delete it, it always reappears and then AVAST flags it again. I’ve tried a BUNCH of malware scans (Malwarebytes, rkill, TDSSKiller, Rogue Killer, and ESET) and nothing turns up, but AVAST flags it every time. Wondering if it’s a crypto miner or something but not sure how to dig it out.
This file is unknown, so no one will detect it.
Submit this file to VirusTotal.com. By doing this you will enable the malware industry to become aware of this unknown .sys file. https://www.virustotal.com/gui/home/upload
Recommend capturing the actual alert box when it shows again and attaching it here in your next reply.
The reason this file is suspicious is where Avast detects it: the TEMP folder. No .sys file should reside in the TEMP folder.
Yeah, I suspected as much. But nothing flags them other than AVAST. I just submitted these files to the Virustotal page you listed and it flagged them from 1 vendor (1 security vendor and 1 sandbox flagged this file as malicious) which was Acronis. The rest didn’t. Not sure what to make of this?
Wait.
You have more than one file being detected?
Please provide a URL (website) link to VT.com so we can see your file(s).
Here’s the screen grab
Thanks for the attachment.
Now we can see what you are seeing.
Alert box states that Avast Self-defense was triggered and blocked this threat. This would likely mean an action by this file caused Avast to defend and protect itself from being disabled or modified by this file, which is why you are getting this alert.
Next, can you post a link to your Virus Total scan?
Here’s a link to the system file upload. Both files had the same url link. Both gave me the same result.
https://www.virustotal.com/gui/file/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
Thank you for that.
Actual file name appears to be ‘WinRing0.sys’ with a file hash of ‘11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5’.
This is important information.
See:
https://www.hybrid-analysis.com/sample/11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5/5f522ae23fea84253a2c4f05
https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/ (not necessarily connected to your detection, but it features ‘WinRing0.sys’ being used).
https://news.sophos.com/en-us/2021/01/21/mrbminer-cryptojacking-to-bypass-international-sanctions/ Could be this type of malware.
You should head over to https://www.bleepingcomputer.com and ask for help at their virus forums to ensure your system is clean.
You can also report your file as a false positive to Avast here: https://www.avast.com/false-positive-file-form.php#pc
You should expect a reply in two days or so.
Submit a link for the second file please.
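A first triage pass for the three points raised in this thread (a .sys file sitting in the Windows TEMP folder, the SHA-256 from the VirusTotal link, and the file coming back after every reboot), written as an added example for this thread and not code posted by anyone in it. It assumes an elevated PowerShell session; the only hash it knows is the one quoted above, and the TEMP path is taken from the first post.

```powershell
# Added triage example (not from the thread). Run from an elevated PowerShell prompt.
$TempDir   = Join-Path $env:SystemRoot 'Temp'                                       # c:\windows\temp from the first post
$KnownHash = '11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5'  # SHA-256 from the VirusTotal link above

# 1. A kernel driver (.sys) has no business in the Windows TEMP folder; list every one there.
$suspects = Get-ChildItem -Path $TempDir -Filter '*.sys' -File -Force -ErrorAction SilentlyContinue

foreach ($f in $suspects) {
    # Hash it so the result can be compared with what VirusTotal reported, regardless of the random filename.
    $hash  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLower()
    $label = if ($hash -eq $KnownHash) { 'matches the hash from this thread (WinRing0.sys)' } else { 'hash not seen in this thread' }
    "{0}`n  SHA-256: {1}`n  {2}`n  created: {3}" -f $f.FullName, $hash, $label, $f.CreationTime

    # 2. A .sys file on disk is inert unless something loads it. A registered driver service that
    #    points at the file explains how it gets loaded and why Avast self-defense reacts to it.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and ($_.PathName -like "*$($f.Name)*") } |
        ForEach-Object { "  driver service: {0} state={1} start={2} path={3}" -f $_.Name, $_.State, $_.StartMode, $_.PathName }
}

# 3. The file reappears after reboot, so deleting it is not enough: find what re-creates it.
#    Anything in a scheduled task or Run key that references the TEMP folder is the persistence to remove.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $task.Actions |
        Where-Object { ($_.Execute + ' ' + $_.Arguments) -match '\\Temp\\' } |
        ForEach-Object { "  scheduled task: {0}{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName, $_.Execute, $_.Arguments }
}

$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and ($_.Value -is [string]) -and ($_.Value -match '\\Temp\\') } |
            ForEach-Object { "  run key: {0}\{1} = {2}" -f $k, $_.Name, $_.Value }
    }
}
```

If step 2 or 3 turns up a service, task or Run entry that references the file, that entry (and whatever executable it launches) is what to hand to the BleepingComputer helpers alongside the VirusTotal link, since removing the .sys file alone has already been shown not to work.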