"Suspicious file found" - what to do about this warning from Avast?

I get an avast warning window when I switch on my computer. It says “Suspicious File Found!
File name: C:\WINDOWS\SYSTEM32\a.exe
Type: Rootkit: hidden process
Recommended action: Ignore.”

When I click “Ignore”, I am told that avast has detected a virus and recommends restarting computer and letting avast scan all my data. I am reluctant to click “Yes” as I have already run a scan earlier in the day, during which I deleted one or two alleged viruses. I wondered if I should just delete the file without running a scan. But how do I know if it is really a virus or something that I need to keep?
Grateful for any advice.
Alison

I would certainly say it looks suspicious based only on its single-character file name; add to that its location in the system32 folder, and to me that only makes it more suspicious.

avast in this case is being cautious because it is in a system folder with the normal potential for killing a system file (which I don’t believe this is). I would a) allow the file to be sent to avast when detected as I believe this is probably the most important thing and b) do the scan as suggested.

I doubt that anything would be found on the scan as it would be done using conventional signature detection methods as I don’t believe there is a signature for this (sending to avast as in point a for analysis helps in this regard), but it is worth doing the scan.

The anti-rootkit scan takes place 8 minutes after boot and it is this which I believe detected this and it used a heuristic method (not conventional signature) to detect this suspect file.

Deletion isn’t really a good first option (you have none left), ‘first do no harm’ don’t delete, send virus to the chest and investigate. But in the case of an anti-rootkit scan this isn’t an option.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, i.e. the URL in the Address bar of the VT results page.
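One way to do the file check suggested above in a repeatable way, as an added example that is not code from any of the posters: a small Python script that walks a directory, flags executables with very short names (the single-character name and system folder location are the two signals the reply calls suspicious), and records size and SHA-256 for each hit. The hash can be looked up on VirusTotal without uploading the file; the URL form used here is the current hash-lookup URL as I know it, not the one linked in this thread. The sample files, the name-length threshold and the directory layout are constructed for the demonstration.

```python
"""Triage helper: list short-named executables under a directory with their hashes."""
import hashlib
import os
import tempfile

# Extensions Windows will run or load as code.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com"}

# Hypothetical threshold: legitimate Windows binaries rarely have names this short.
MAX_SUSPICIOUS_NAME_LENGTH = 2


def sha256_of(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """SHA-256 hex digest of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_short_named_executables(root: str) -> list:
    """Return one record per executable whose base name is suspiciously short."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in EXECUTABLE_EXTENSIONS:
                continue
            if len(stem) > MAX_SUSPICIOUS_NAME_LENGTH:
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            findings.append({
                "path": path,
                "name": name,
                "size": os.path.getsize(path),
                "sha256": digest,
                # Hash lookup only: nothing is uploaded when you open this URL.
                "virustotal_url": f"https://www.virustotal.com/gui/file/{digest}",
            })
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree() -> str:
    """Create a constructed stand-in for a system folder; the contents are not real binaries."""
    root = tempfile.mkdtemp(prefix="system32-sample-")
    samples = {
        "a.exe": b"MZ constructed sample, not a real binary\n",
        "notepad.exe": b"MZ constructed sample with a normal-length name\n",
        os.path.join("drivers", "b.sys"): b"MZ constructed sample driver\n",
        "readme.txt": b"not executable\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


def demo() -> list:
    """Build the constructed tree and triage it."""
    return find_short_named_executables(build_sample_tree())


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['name']:12} {finding['size']:6} bytes  sha256={finding['sha256']}")
        print(f"    lookup: {finding['virustotal_url']}")
```

On a real machine you would point `find_short_named_executables` at the system folder and compare the hash of the flagged file against the VirusTotal result before deciding whether to quarantine it; a short name alone is a reason to look closer, not proof of infection.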

If a virus is replicating, coming back again and again, maybe you can follow David’s advice and then the general cleaning procedure:

  1. Clean your temporary files.
  2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  5. Make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.
  6. Disable System Restore and then re-enable it.
  7. Immunize your system with SpywareBlaster.
  8. Check if you have insecure applications with Secunia Software Inspector.

Thanks to both of you - I am trying David’s suggestions and will report back. Meanwhile, as a beginner at this anti-virus stuff, I have to admit I don’t even know how to do Tech’s first step - clean temporary files! Best wishes.

Welcome to the forums, precise ali. :slight_smile:

Just because you did a scan earlier in the day does not mean you cannot get infected later in the day.
After doing a scan earlier in the day, did you later read email, visit websites, or do any type of download?

a.exe is well known as a spyware item that can be part of several spyware programs and can be received in several ways.

Information on a.exe …

http://www.processlibrary.com/directory/files/a/

http://www.file.net/process/a.exe.html

http://www.auditmypc.com/process/a.asp

http://www.prevx.com/filenames/X8510371679546213-X1/A.EXE.html


The same information in more details…

  1. Clean your temporary files. You can use CleanUp or CCleaner for that.

  2. Schedule a boot time scanning with avast. Start avast! > Right click the skin > Schedule a boot-time scanning. Select scanning of archives. Boot. Another option is scanning in Safe Mode (repeatedly press F8 while booting).
    If avast does not detect it, you can try DrWeb CureIT! instead.

  3. It will be good if you download, install, update and run SUPERantispyware, MBAM or SpywareTerminator.
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    About legit antispyware applications or the bad ones see here.

  4. If you’re still detecting any strange behavior, or even if you’re sure you’re not clean, maybe it will be good to test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster for XP/Vista. For XP only: Panda.

  5. Also, if you’re still detecting strange behaviors or you want to be sure you’re clean, maybe make a HijackThis log to post here or to this analysis site. Or even submit the RunScanner log to on-line analysis.

  6. After you’re clean, disable System Restore on Windows ME, XP or Vista. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After disabling you can enable it again.

  7. Use the immunization of SpywareBlaster.

  8. Finally, when you’re clean, check for insecure applications with Secunia Software Inspector to update insecure applications and avoid reinfection.

Here is the result from Virus Total: http://www.virustotal.com/analisis/163ec2a7978569c92217809074b6f32a

I also did yet another avast! scan, which once again produced the warning “Suspicious File Found”, with a.exe as the file name again.

Did you allow the sample to be sent to avast on this detection ?

You should also check for what may be regenerating this using the applications in Tech’s step 3. If nothing is found, then try those in step 4, which specialise in rootkit detection.

Yes, the “Submit the file to ALWIL Software virus lab for further analysis” was checked. Meanwhile, I will continue to work through Tech’s steps. Thanks again - you are all being so helpful!

So, finally it was Super antispyware that found the a.exe file and quarantined it. I had earlier tried DrWeb, but that didn’t deal with it. So thanks once more to all for being so helpful. Happy new year! precise ali

You’re welcome, a Happy New Year to you too.