suspicious file found....

Hi All.

Just need some advice with regards to a very annoying problem. Firstly, how do I put up a screenshot in this thread?
Basically it's a box that comes up titled “suspicious file found”… file name: c:\sys.exe, type: rootkit: hidden process

I'm then given two options: delete or ignore.

Could someone please give me some advice as to how to proceed? I believe this problem is also slowing my PC down.

Thank You

I think I may have attached the screenshot along with this. ???

Select Ignore in this instance, and allow it to be submitted to Alwil software. Don’t select 'Do not tell me about this in the future', as you want it to come back up the next time you boot.

I too feel it is suspicious, based on its file name and location alone, so I would suggest scanning at virustotal.

Check the offending/suspect file at VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the address bar of the VT results page). The more detections, the more likely that avast’s suspicions are correct.

Check out this http://www.systemlookup.com/search.php?type=filename&client=malwaresearch-ff&search=sys.exe, which lists a couple of different occurrences of this file being associated with malware. A file name can be changed, so that is no guarantee, but it is still highly suspicious.

This is a Google search on c:\sys.exe, http://www.google.com/search?q=c%3A\sys.exe, also suggesting association with malware.

I would suggest that you rename this file sysSUSPECT.exe; this renaming would mess up any run command trying to run sys.exe. I don’t like suggesting deletion, as you are left with no options.

Hi David,

Thanks for your quick reply. David, I'm a bit of a novice at all this and am having difficulty locating the file to put into VT for analysis. Could you please inform me where to find it?

Also, my PC is running a lot slower now and every so often my CPU usage is at 100%. I have to reboot the PC when it does that…

Thanks

Also… I have Windows Defender as well… shouldn’t that have picked up on this malware?? ???

-= KAZMANIA,

  The file was said to be in C:\, so after you double-click on your Local Disk C, it should probably be there. In case it won't show up, try showing the hidden files by [Tools --> Folder Options --> View Tab --> Choose "show hidden files & folders"], then go to VirusTotal & submit the file.

  By the way, don't forget to hide the hidden files again [Tools --> Folder Options --> View Tab --> Choose "do not show hidden files & folders"], since they're a little sensitive.

  In case you can't find it yet, the file might have already cloaked itself as a protected system file & will require you to also view protected files to see it. But let's not think about it yet.

You can do a scan with Windows Defender, but like I say, Windows Defender is on-demand for me, so if avast didn't pick up a virus then the on-demand scanner can, until the next update when maybe avast! will pick it up :slight_smile:

Mr.Agent

Make sure Windows Defender is the latest from its portal:
http://www.microsoft.com/security/portal <== current is Windows Defender Antispyware: v1.57.1453.0

It needs to be updated daily, as updates through Defender itself are only weekly.

You’re welcome.

As has been said, you locate it using Windows Explorer, and you may need to have hidden files displayed and some other settings; see the image and set as per the image (click to enlarge).

When it gets slow, check Task Manager and see what process is using the majority of the CPU %.
Is sys.exe listed in the Task Manager processes?

It is important to find, upload and rename this file to help stop it running on start-up; you should reboot once you have found, uploaded to virustotal and renamed the file.
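The locate, hash, process-check and rename steps this post describes, as one PowerShell script. This is an added example, not code from the thread or from avast; the path C:\sys.exe and the sysSUSPECT.exe rename follow the thread, the function and variable names are mine, and it assumes Windows PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not from the thread or avast): triage a suspect file the way the post above describes.
# Assumes Windows PowerShell 4.0+; function/variable names are mine, C:\sys.exe comes from the thread.
function Invoke-SuspectFileTriage {
    param(
        [string]$Path = 'C:\sys.exe',
        [switch]$Rename   # default is read-only; pass -Rename to apply the rename the thread suggests
    )

    # 1. -Force lets Get-Item return files that carry the Hidden and/or System attributes.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { Write-Warning "Not found: $Path"; return }

    # 2. Attributes and a SHA256 hash; the hash can be searched on VirusTotal before uploading anything.
    $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256
    [pscustomobject]@{
        Path       = $item.FullName
        SizeBytes  = $item.Length
        Attributes = $item.Attributes.ToString()
        SHA256     = $hash.Hash
    } | Format-List

    # 3. Running processes with the same base name, with CPU time (the thread saw ods.exe running several times).
    $base = [IO.Path]::GetFileNameWithoutExtension($item.Name)
    Get-Process -Name $base -ErrorAction SilentlyContinue |
        Select-Object Id, ProcessName, CPU, Path | Format-Table -AutoSize

    # 4. Autostart (Run/RunOnce) entries that reference the file name: the "run command" the thread mentions.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match [regex]::Escape($item.Name) } |
            ForEach-Object { "$key : $($_.Name) = $($_.Value)" }
    }

    # 5. Rename rather than delete, so an autostart pointing at sys.exe fails but the sample is kept for analysis.
    if ($Rename) {
        $newName = $base + 'SUSPECT' + $item.Extension
        Rename-Item -LiteralPath $item.FullName -NewName $newName -Force
        Write-Host "Renamed to $(Join-Path $item.DirectoryName $newName)"
    }
}

Invoke-SuspectFileTriage -Path 'C:\sys.exe'            # inspect only
# Invoke-SuspectFileTriage -Path 'C:\sys.exe' -Rename  # rename once the VirusTotal results are in
```

Run it from an elevated PowerShell prompt; the rename step is deliberately opt-in so the first run only reports.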

Thanks for all your help and advice guys! :slight_smile:

OK, I managed to locate the file. It was hidden deep in the file. I had to un-hide ??? everything. It had a Windows Explorer icon to it saying “Microsoft incorporation”?

Anyway, I ran the VT and this should get you to the results page:

http://www.virustotal.com/analisis/4430f8aabca6d26f450c06f840bcae73

Please can you geniuses respond as soon as…

Thanks

P.S. When I “x” the box this comes up… find attached.

Also, does anyone know what run command ods.exe is? It keeps asking permission from my firewall to run?? And memcheck (mem.exe)???

And do I just click on the file and rename it? David?

Thanks

UPDATE:

Managed to change the file name.
When I looked into Task Manager I found the process ods.exe running multiple times with different entries (same file name), so I ended all the processes and gained some CPU usage back…
Lastly, I seem to have a constant uploading icon next to my mouse pointer??

Thanks…

Well, the VT results are confirmation; whilst it isn’t detected by a large number, it really is enough, so you can send the sample to avast.

Send the sample to virus@avast.com zipped and password protected, with the password in the email body, a link to this topic (it might help) and "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Now delete it from the original location.

What are the locations of these files, as that gives clues too?

I can’t see a reason why mem.exe, if it is a memcheck, would require internet access, and there are just too many hits on Google for ods.exe (if that is correct) to make any determination, so I would have said no, do not rename (you seem to have done it anyway), but you should upload to virustotal also.

Edit: re your image, did you do a boot-time scan as suggested in the alert?

Hi David.

Thanks for your speedy response.
Another question…
How come when the suspicious virus is found I'm not given an option to move it to the chest, where it can't harm the PC?
Also, in my first post where I was given the option to ignore or delete, avast asked me to send the info to them by ticking the box… so do I need to re-send it to them?
Lastly, I did reboot as advised by avast but it didn’t find anything. Then when I'm in Windows, avast detects it.

Really weird… >:(

Once again, thanks for the advice.

Because it is just a suspicion, only confirmed detections give the full range of options, including move to the chest. The scan that found the suspect file uses a different detection method than the conventional scan.

That is the idea of submitting it to avast (your first image): they analyse it and, if confirmed as malware, will find a signature (means of identification) which will be added to a VPS update, so that if it were still in location (what we discussed in my first reply) it would detect it by the conventional signature and most likely suggest a boot-time scan to deal with it (or give a conventional alert with full options).

I would always send the sample, as you can now give more information: this forum topic URL and that of the virustotal results.

David,

Moved it to the chest via User Files. But it's still in its original location?? ??? There is an option under ‘File’ to email it. I clicked it and nothing happened.

And can anyone tell me why I still have this loading icon next to my pointer?? Really annoying me.

Thanks

Yes, it does, and I said that in my earlier post.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

You should get a form to complete (see image); if nothing happens, this can be down to remnants of a previous AV installed or something wrong with the installation.

Try a repair of avast. Add Remove programs, select ‘avast! Anti-Virus,’ click the Change/Remove button and scroll down to Repair, click next and follow.

If the above doesn’t work you may have to submit the old fashioned way by email as mentioned in an earlier post.

  • Have you (or did you have) another AV installed on this system? If so, what was it and how did you get rid of it?

Hey Kazmania, I’m facing the same problem, totally the same.
Here’s the VirusTotal report of sys.exe:

http://www.virustotal.com/analisis/d6666e99de41bb81a04743ec1529df18

PS: I just checked my Task Manager; my CPU usage is 100% and has been for a long period, and the PF usage is 1.31 GB.
Plus, I can’t open any of my hard drives; whenever I double-click, nothing happens. The only way to access my hard drive is by right-clicking and then clicking on “Open”.

It’s frustrating, guys. Help me out.

@ Coder_

Please start your own topic by using NEW TOPIC as it will get confusing for both people in one topic.

Brother, our problem is the same. ;D

You have an additional issue which you have mentioned in your post (not mentioned by the original poster), so it is not the same, and that difference is what confuses the issues, more so for people who might be reading the topic later.