Author Topic: rootkit ~.exe  (Read 12092 times)


sunrisecc

  • Guest
rootkit ~.exe
« on: December 17, 2008, 07:17:09 PM »
On a client's computer, Avast found a rootkit located at system32\~.exe. It was removed successfully. System is XP Home SR3.

Any background for this file?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rootkit ~.exe
« Reply #1 on: December 17, 2008, 07:29:19 PM »
Well, all I can say is that it isn't named conventionally: using the tilde ~ character isn't normal, and the same is true of using a single-character name, which is often seen in malware file naming.

A Google search is what I would normally suggest on a detected file name, but this doesn't bring up anything useful, mostly totally unrelated.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
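A small name-hygiene check of the kind DavidR's remark points at, written as an added example for this thread (it is not an Avast tool and not something any poster ran). It flags executables whose base name is a single character, contains a tilde, has no letters or digits at all, or is missing entirely; the directory listing embedded in it is constructed, and only walk_and_flag() touches a real filesystem. A hit is a reason to look closer at the file (detection log entry, hash, signer), not a verdict on its own.

```python
"""Flag executables whose file names follow the unconventional patterns
discussed in the thread (a lone tilde, single-character names).

Added example for this thread, not an Avast or forum-provided tool. The
listing below is constructed to exercise the checks; on a real machine
pass a directory to walk_and_flag() instead."""
import os
import re
from pathlib import PureWindowsPath
from typing import Dict, List

# Extensions worth scrutinising; everything else is ignored.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif"}


def name_findings(path: str) -> List[str]:
    """Return the reasons a file name looks unconventional.

    An empty list means the name passed every check. Only the base name is
    inspected, so the caller decides which directories are in scope."""
    name = PureWindowsPath(path).name
    # Split on the last dot ourselves so that a name like ".exe" is seen as
    # an executable with an empty base name rather than as a dotfile.
    base, dot, ext = name.rpartition(".")
    if not dot or ("." + ext.lower()) not in EXECUTABLE_EXTENSIONS:
        return []
    findings = []
    if base == "":
        findings.append("no base name at all (e.g. '.exe')")
        return findings
    if len(base) == 1:
        findings.append("single-character base name")
    if not re.search(r"[A-Za-z0-9]", base):
        findings.append("base name has no letters or digits")
    if "~" in base:
        findings.append("tilde in base name")
    if base != base.strip():
        findings.append("leading/trailing whitespace in base name")
    return findings


def flag_listing(paths: List[str]) -> Dict[str, List[str]]:
    """Run name_findings() over a list of paths and keep only the hits."""
    hits = {}
    for path in paths:
        reasons = name_findings(path)
        if reasons:
            hits[path] = reasons
    return hits


def walk_and_flag(root: str) -> Dict[str, List[str]]:
    """Same check over a real directory tree (e.g. the system32 folder)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return flag_listing(paths)


# Constructed listing: a plausible slice of system32 plus the name from the thread.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\~.exe",          # the file Avast flagged in this thread
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\a.exe",          # single-character name
    r"C:\WINDOWS\system32\$.exe",          # punctuation only
    r"C:\WINDOWS\system32\~tmp.txt",       # not an executable, ignored
]

if __name__ == "__main__":
    for path, reasons in flag_listing(SAMPLE_LISTING).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Running it against the constructed listing flags the three odd names and leaves kernel32.dll, notepad.exe and the .txt file alone; pointing walk_and_flag() at a real system32 folder gives the same report for that machine.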

sunrisecc

  • Guest
Re: rootkit ~.exe
« Reply #2 on: December 17, 2008, 07:33:54 PM »
Yes, I tried Google and others and could find nothing useful. I was just hoping someone else had seen this also.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: rootkit ~.exe
« Reply #3 on: December 17, 2008, 07:39:47 PM »
If you scan your computer at boot time or thoroughly within Windows, does any infection reappear?
If so, can you submit the file to www.virustotal.com?

Remember, sending files to the Chest (if available) for further analysis is better than directly removing them.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rootkit ~.exe
« Reply #4 on: December 17, 2008, 07:44:34 PM »
Quote from sunrisecc: Yes, I tried Google and others and could find nothing useful. I was just hoping someone else had seen this also.

Well, the only other clue would have been if it were given a malware name, but that wasn't mentioned. Or, as Tech mentions, analysis at VT, which would come up with other aliases for the malware that could be searched on.

If this was detected during the anti-rootkit scan (8 minutes after boot), then it could have been detected by the heuristic anti-rootkit method, so it might not have a recognised malware name. Again, no info on when it was detected or by what scan.

If it was detected conventionally (by signature), either on-access (Standard Shield) or by an on-demand scan, then the avast Log Viewer should contain info on the detection, including the malware name.

Check the avast! Log Viewer (right-click the avast 'a' icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

Even searching on the malware name is often a hit-and-miss affair, as there is no standardisation on naming malware, so it could have many aliases.

sunrisecc

  • Guest
Re: rootkit ~.exe
« Reply #5 on: December 17, 2008, 08:06:06 PM »
The complete scan is currently being run. Since the client is 350 miles away, I am helping by the phone. They are to call me back when the full scan completes or another virus is found.

When the rootkit was found, the delete option did work, it appears. I do know that Avast is up-to-date, as I had them upgrade on Sunday.
I'll report back with the results of the full scan as soon as I know something. I am also going to get them to run MBAM shortly.

@ DavidR
I believe it was the standard shield as the computer was on for over an hour and they were surfing the net. They called me after ignoring the first warning but we caught the second time.

Update:
It is definitely malware and I will email them MBAM, as the browser just gets hijacked.


Jtaylor83

  • Guest
Re: rootkit ~.exe
« Reply #6 on: December 17, 2008, 08:13:59 PM »
~.exe is related to a backdoor trojan. Something called Win32.Backdoor.Agent.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rootkit ~.exe
« Reply #7 on: December 17, 2008, 09:32:37 PM »
Try renaming the MBAM setup file before installing it, malware could be looking out for it.

sunrisecc

  • Guest
Re: rootkit ~.exe
« Reply #8 on: December 17, 2008, 09:48:47 PM »
Update:
I attempted to have the client download MBAM. They could not due to malware popups etc. I then emailed them the program, got it installed and executed. The quick scan found 28 items. Rebooted and now running the full MBAM scan.

More after the next phone call.

Added: I did try renaming, etc., to no avail. I zipped the file first and emailed the zip. Then I had the client unblock the zip and extract the setup file.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rootkit ~.exe
« Reply #9 on: December 17, 2008, 09:54:39 PM »
You are fortunate the client is a little more computer savvy than most. MBAM generates a log; if you have them send you that, it may give you a handle on the malware and whether anything else needs to be done.

sunrisecc

  • Guest
Re: rootkit ~.exe
« Reply #10 on: December 17, 2008, 10:42:23 PM »
Actually I have a lot of patience. LOL
MBAM saved the day. The log was emailed to me. Most of the malware was VUNDO.H

The full scan by MBAM found one bad system restore point, and I took care of that.

I want to thank all for your help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rootkit ~.exe
« Reply #11 on: December 17, 2008, 11:08:47 PM »
You're welcome.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: rootkit ~.exe
« Reply #12 on: December 17, 2008, 11:11:27 PM »
For Vundo cleaning, please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

A log will be produced which you can post in your next response.

sunrisecc

  • Guest
Re: rootkit ~.exe
« Reply #13 on: December 18, 2008, 01:22:06 AM »
I'll take note. The only problem I foresee is that MBAM needs to run in order to know that Vundo cleanup is required. In my case today, MBAM (first quick, then full) did the job completely.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: rootkit ~.exe
« Reply #14 on: December 18, 2008, 01:30:02 AM »
Well, a HiJackThis log could also show suspect entries which may be Vundo, but I find it is often better to run MBAM and SAS to get rid of as much dross as possible before running HJT. Not to mention MBAM is quite good on the Vundo detections, as is SAS.