CDSWITCH.EXE

[Erebus]

I have been using VET/CA and Malwarebytes for some time - VET/CA for 13 odd years - and recently had an issue with CA that has seen me no longer using their software. So, after many recommendations I am using avast!, which on its first scan quarantined CDSWITCH.EXE from the Windows\System32 folder. I couldn't believe that my previous scanners never picked this up. Should I be concerned? What exactly is it?

(I am a new user here so please forgive me if I am in the wrong section.)

Cheers!

[scythe944]

Nope, it seems like you're in the right section.

Upload the file to http://www.virustotal.com and see if any other scanners flag it as a bad file.

If so, then be glad that Avast picked it up.

If not, submit it to avast as a False Positive and help them correct it for the rest of us.

Welcome to the forums!

LE: As a side note, I just did a google search on "CDSWITCH.EXE" and it doesn't look like there are a whole lot of good things about it.  Most of them attribute that file to malware, so it's likely that your old A/V just didn't catch it.

[Erebus]

Thank you for the reply and welcome. I cannot upload it as it's been put in the chest.

[scythe944]

Yes, I understand.  Sorry, I really need to start a "canned" response database, but alas, I have yet to do so.

There are many posts about this on the forum, most from user, "DavidR" that explains that you must create an "exceptions" folder on your computer that Avast will not scan, restore the file in the chest to that directory, then upload the file.

I'll look around on the forum to find instructions for you, just hold on a min.

(I'm on a linux machine right now, and don't have avast installed, so I can't walk through the steps myself at the moment).

[scythe944]

Here you go:

That said you should never scan a file without being 100% sure it isn't infected, and if it isn't then it should be reported to avast so that it can be corrected.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here the URL in the Address bar of the VT results page. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select 'Submit to virus lab...' complete the form and submit, the file will be uploaded during the next update.

Taken from DavidR's post from this thread: http://forum.avast.com/index.php?topic=66042.0

[CharleyO]

***

It is a malware downloader.

For information only:
http://www.prevx.com/filenames/669313869147776354-X1/CDSWITCH.EXE.html
http://www.spywareterminator.com/de/item/99862/TrojanDownloaderAgentahvv.html

Right click on the file in the Chest, select Submit to virus lab, a small form will open where you can add information if you want, and then click on Submit.


***

[Erebus]

Thank you, CharleyO, I have done what you suggested. Seems weird that neither Malwarebytes or CA found it previously

[scythe944]

LE: As a side note, I just did a google search on "CDSWITCH.EXE" and it doesn't look like there are a whole lot of good things about it.  Most of them attribute that file to malware, so it's likely that your old A/V just didn't catch it.

That's what I said, dang it!

[Erebus]

Thanks for everyone's help. Looks like it's good thing to be rid of then!

[scythe944]

I'd say so.

[CharleyO]

***

You are welcome as I am glad to have helped.


***