On a client’s computer, Avast found a rootkit located at system32~.exe. It was removed successfully. System is XP Home SR3.
Any background for this file?
Well, all I can say is that it isn’t named conventionally: using the tilde ~ character isn’t normal, and the same is true of just using a single-character name, which is often seen in malware file naming.
A Google search is what I would normally suggest on a detected file name, but this doesn’t bring up anything useful, mostly totally unrelated.
Yes, I tried Google and others and could find nothing useful. I was just hoping someone else had seen this also.
If you scan your computer at boot time or run a thorough scan within Windows, does any infection reappear?
If so, can you submit the file to www.virustotal.com?
Remember, sending files to the Chest (if available) for further analysis is better than removing them directly.
Well, the only other clue would have been if it were given a malware name, but that wasn’t mentioned. Or, as Tech mentions, analysis at VT, which would come up with other aliases for the malware that could be searched on.
If this was detected during the anti-rootkit scan (8 minutes after boot) then it could have been detected by the heuristic anti-rootkit method, so it might not have a recognised malware name. Again, no info on when it was detected or by what scan.
If it was detected conventionally (by signature) either on-access (standard shield) or on-demand scan then the avast log viewer should contain info on the detection including the malware name.
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
Even searching on the malware name is often a hit and miss affair as there is no standardisation on naming malware, so it could have many aliases.
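An added example, not part of the original thread or of any Avast tool, of the triage a remote helper could run on a listing of the system32 directory: it flags file names that match the pattern DavidR describes (a tilde in the name, a single-character name, or a name with no letters or digits at all) and computes the SHA-256 of each flagged file, so the hash rather than the file can be searched on VirusTotal. The directory and its files are constructed in a temporary folder purely so the script runs offline; the flagging rules and the helper names are this example's own assumptions, not Avast's detection logic.

```python
import hashlib
import os
import re
import tempfile

# Heuristic name checks (assumed for this example, not an Avast rule set).
# Each returns a short reason string when the name looks unconventional.
def name_reasons(filename: str) -> list[str]:
    stem, _, ext = filename.rpartition(".")
    if not _:  # no extension at all
        stem = filename
    reasons = []
    if "~" in stem:
        reasons.append("tilde in name")
    if len(stem) == 1:
        reasons.append("single-character name")
    if stem and not re.search(r"[A-Za-z0-9]", stem):
        reasons.append("no letters or digits in name")
    if ext.lower() in {"exe", "dll", "sys"} and reasons:
        reasons.append(f"executable extension .{ext.lower()}")
    return reasons

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

# Walk one directory (non-recursive, like a system32 listing) and report
# every file whose name trips a heuristic, together with its hash.
def triage_directory(directory: str) -> dict[str, dict]:
    findings = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if not os.path.isfile(full):
            continue
        reasons = name_reasons(name)
        if reasons:
            findings[name] = {"reasons": reasons, "sha256": sha256_of(full)}
    return findings

# Constructed sample directory: a few normal-looking names plus the
# suspect "~.exe" from the thread. File contents are placeholders.
def build_sample_dir() -> str:
    d = tempfile.mkdtemp(prefix="sys32_sample_")
    samples = {
        "explorer.exe": b"MZ placeholder explorer",
        "ntoskrnl.exe": b"MZ placeholder kernel",
        "~.exe": b"MZ placeholder suspect",
        "a.dll": b"MZ placeholder single char",
        "ashLogV.exe": b"MZ placeholder avast log viewer",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    sample = build_sample_dir()
    for name, info in triage_directory(sample).items():
        print(f"{name}: {', '.join(info['reasons'])}")
        print(f"  sha256 {info['sha256']}  (search this hash on VirusTotal)")
```

Flagged names are only a prompt to look further: a hash that VirusTotal has never seen, as with a heuristic detection, still tells you nothing about the file, and then submitting the file itself (or sending it to the Chest) is the next step.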
The complete scan is currently being run. Since the client is 350 miles away, I am helping by the phone. They are to call me back when the full scan completes or another virus is found.
When the rootkit was found, the delete option did work, it appears. I do know that Avast is up-to-date as I had them upgrade on Sunday.
I’ll report back with the results of the full scan as soon as I know something. I am also going to get them to run MBAM shortly.
@ DavidR
I believe it was the standard shield as the computer was on for over an hour and they were surfing the net. They called me after ignoring the first warning but we caught the second time.
Update:
It is definitely malware and I will email them MBAM; the browser just gets hijacked.
~.exe is related to a backdoor trojan. Something called Win32.Backdoor.Agent.
Try renaming the MBAM setup file before installing it, malware could be looking out for it.
Update:
I attempted to have the client download MBAM. They could not due to malware popups etc. I then emailed them the program, got it installed and executed. The quick scan found 28 items. Rebooted and now running the full MBAM scan.
More after the next phone call.
Added: I did try renaming etc to no avail. I zipped the file first and emailed the zip. Then I had the client unblock the zip and extract the setup file.
You are fortunate the client is a little more computer savvy than most. MBAM generates a log; if you have them send you that, it may give you a handle on the malware and whether anything else needs to be done.
Actually I have a lot of patience. LOL
MBAM saved the day. The log was emailed to me. Most of the malware was VUNDO.H
Full scan by MBAM found one system restore bad and it and I took care of that.
I want to thank all for your help.
You’re welcome.
To clean Vundo, please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it’s done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.
A log will be produced which you can post in your next response.
I’ll take note. The only problem I foresee is that MBAM needs to be run in order to know that Vundo cleanup is required. In my case today, MBAM (first quick, then full) did the job completely.
Well a HiJackThis log could also show suspect entries which may be Vundo, but I find it is often better to run MBAM and SAS to get rid of as much dross before running HJT. Not to mention MBAM is quite good on the Vundo detections as is SAS.
I did think of HijackThis but dismissed it as too difficult to get my client to run it via the phone.
Later today, I will get them to allow Remote Desktop and I will poke around myself.
I prefer MBAM over SAS only because SAS finds cookies which would only alarm my client more. I only run SAS myself after MBAM.
Well, for the SAS scan to be truly effective you would want the user to tick all the boxes in the Preferences, Scanning Control tab, and if you had to do that then have them uncheck ‘Scan for tracking cookies’; I have that disabled on my scans.
An image would be helpful for people to follow, easier than complex instructions ;D
I agree about SAS. However, I have found that my clients can run MBAM right out of the box and hence I usually select MBAM first. The scan also runs faster than SAS and the client doesn’t mind it. Also, SAS suggests an uninstall before an update to the program. No problem for me, but for a distant client …
Yes MBAM is much faster but it is difficult to pin down exactly what is scanned and the depth, though MBAM reports scanning more files, etc.
I have never had to uninstall SAS when installing an update; to my recollection it will do that automatically from the update process (though it has been a while). If you check the MBAM forum, it too recommends uninstalling the old version, but that too is done as part of the update, and you have to restart MBAM and check for updates again. So neither is perfect in that regard.
But I appreciate the problems with a remote client, etc.
I have this file on my computer. It was found using heuristic methods. It said it was a back door. It recommended “ignore” so I still have it. If I scan the file right now, Avast! reports nothing, but perhaps because the program was updated before I rescanned.
Am I at threat? I read over this whole thread, but I don’t follow everything. Was ~.exe a virus/backdoor? Or was Avast! wrong in saying it was a threat? I can submit the file to anyone who wishes to view it.
Thanks for your time,