WikiWirral Online with you since 2003, fantastic.
#279867 3rd Jan 2009 6:44pm
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
I have a file ~.exe in the c:\windows\system32 directory/folder - does anybody know anything about this? It runs at boot somehow and tries to access the internet occasionally.

I strongly suspect this is a trojan keylogger (like somebody else on the net), but there is no mention by any of the virus people and only a couple of queries by punters.

It is not helped that google can't search for the tilde character ~

I can stop the process easy enough and it is well and truly blocked from talking to the internet.

For the moment I have renamed the file to stop it being run.

It is 8238 bytes long (9K), the only times it could have come onto my computer is either through an "Adobe Reader" update or a "Mozilla Thunderbird" update (which I might have OK'd without looking too closely), nothing else was given permission to run at about the time the file was created.

The only other funny that has happened recently was Windows Installer popping up sometimes looking for a CD that isn't there and asking me to insert a vdrive CD (I do have vdrive installed, but haven't used it for ages), this happens when I try to run programs that I use all the time from the hard drive, but happens only occasionally.

Any help appreciated.


We don't do charity in Germany, we pay taxes. Charity is a failure of governments' responsibilities - Henning Wehn

https://ddue.uk
diggingdeeper #279871 3rd Jan 2009 6:48pm
Joined: Nov 2003
Posts: 21,269
Likes: 4
Wiki Master
Online Happy
Check

msconfig

and see if it's in the list to run at boot up.
You can probably get rid, run a malware program too.

Start >> Run >> msconfig (type it in the Run box)

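The msconfig check above reads the registry "Run" keys. As an added example (not code from this thread or from any poster), here is the same check done from an elevated Windows PowerShell 5.1 session, which also reports each entry's target file, size, creation time, SHA256 and Authenticode status. The "Suspicious" heuristic (unsigned, under 20 KB, living in system32, name that is not a plain word) is an assumption of this example, not a detection rule from the thread.

```powershell
# Added example (not code from the thread): list the autostart "Run" entries that
# msconfig's Startup tab reads, with the target file's size, SHA256, creation time
# and Authenticode status, so an unexpected entry can be triaged before removal.
# Run in an elevated Windows PowerShell 5.1 session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell itself adds to every Get-ItemProperty result
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /silent     or     C:\Windows\system32\~.exe
function Get-CommandTarget([string]$CommandLine) {
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split ' ')[0]    # unquoted: up to the first space is enough for triage
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($providerProps -contains $v.Name) { continue }
        $target = [Environment]::ExpandEnvironmentVariables((Get-CommandTarget ([string]$v.Value)))
        $row = [ordered]@{
            Key        = $key
            ValueName  = $v.Name
            Command    = $v.Value
            Target     = $target
            Exists     = ($target -ne '') -and (Test-Path -LiteralPath $target)
            Bytes      = $null
            Created    = $null
            SHA256     = $null
            Signature  = $null
            Suspicious = $false
        }
        if ($row.Exists) {
            $file          = Get-Item -LiteralPath $target -Force
            $row.Bytes     = $file.Length
            $row.Created   = $file.CreationTime
            $row.SHA256    = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
            $row.Signature = (Get-AuthenticodeSignature -LiteralPath $target).Status.ToString()
            # Heuristic (assumption of this example): unsigned, in system32, and either
            # under 20 KB or a name that is not a plain word (e.g. "~.exe"). Worth a
            # second look, not proof of anything.
            $base = [IO.Path]::GetFileNameWithoutExtension($target)
            $row.Suspicious = ($row.Signature -ne 'Valid') -and
                              ($target -like (Join-Path $env:SystemRoot 'system32\*')) -and
                              (($base -notmatch '^[A-Za-z0-9_.-]+$') -or ($row.Bytes -lt 20KB))
        }
        [pscustomobject]$row
    }
}

$report | Sort-Object Suspicious -Descending |
    Format-Table ValueName, Target, Bytes, Signature, Created, Suspicious -AutoSize
```

The hash and creation time are the two values worth writing down before anything is renamed or deleted: the hash can be looked up against a scanner later, and the creation time tells you which install or update the file arrived with.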
Mark #279873 3rd Jan 2009 6:52pm
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
Thanks Mark - I had checked with Spybot startup tool, but YES it is there in msconfig under HKLM/Microsoft/Windows/currentversion/run

But I still don't know if it's a goody or a baddy.

Spybot and AVG don't recognise it as a baddy and none of the other virus companies mention it in their lists of baddies as far as I can see.

Last edited by diggingdeeper; 3rd Jan 2009 6:54pm.
diggingdeeper #279877 3rd Jan 2009 7:00pm
Joined: Nov 2003
Posts: 21,269
Likes: 4
Wiki Master
Online Happy
HKLM/Microsoft/Windows/currentversion/run

That's where most of the viruses sit,
as that's where it will start.

Get rid mate, if it had a job to do it would have a name, simple as.

Don't forget to turn off your system restore,
as the virus can hide in there too.

Turn system restore off,
remove the virus,
re-boot,
turn system restore back on

diggingdeeper #279878 3rd Jan 2009 7:01pm
Joined: Aug 2006
Posts: 2,423
Forum Master
Offline
delete it from the registry

reboot

then delete the file


that usually works
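The two replies above describe one procedure: unhook the entry from the Run key, reboot, then deal with the file, with System Restore switched off around the clean-up. As an added example (not code from the thread or from any poster), the script below does that in elevated Windows PowerShell 5.1 while keeping evidence: it exports the key and logs the value before removing it, and moves the binary into a quarantine folder under a non-executable name rather than deleting it. The value name, target path and quarantine folder are assumptions of this example.

```powershell
# Added example (not code from the thread): "unhook from the registry, reboot,
# then deal with the file", done so that evidence survives. Run elevated in
# Windows PowerShell 5.1. The defaults below are assumptions, not thread facts.

param(
    [string]$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    [string]$ValueName  = '~',                                   # assumed value name
    [string]$TargetPath = (Join-Path $env:SystemRoot 'system32\~.exe'),
    [string]$Quarantine = 'C:\Quarantine'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$log   = Join-Path $Quarantine 'containment.log'

# 1. Record the autostart entry and export the whole key, so the change can be
#    reverted with "reg import" if the entry turns out to be legitimate.
$entry = Get-ItemProperty -Path $RunKey -Name $ValueName -ErrorAction SilentlyContinue
if ($entry) {
    $hive   = if ($RunKey -like 'HKLM:*') { 'HKEY_LOCAL_MACHINE' } else { 'HKEY_CURRENT_USER' }
    $regKey = $hive + ($RunKey -replace '^HK[LC][MU]:', '')
    & reg.exe export $regKey (Join-Path $Quarantine "run-backup-$stamp.reg") /y | Out-Null
    "$stamp`tREMOVED`t$RunKey\$ValueName`t$($entry.$ValueName)" | Add-Content -Path $log
    # 2. Unhook it from startup.
    Remove-ItemProperty -Path $RunKey -Name $ValueName
} else {
    "$stamp`tNOT-FOUND`t$RunKey\$ValueName" | Add-Content -Path $log
}

# 3. Stop any live instance, then quarantine the binary: hash it, move it, and
#    give it an extension that nothing will execute on double-click.
if (Test-Path -LiteralPath $TargetPath) {
    Get-Process | Where-Object { $_.Path -eq $TargetPath } | Stop-Process -Force
    $hash = (Get-FileHash -LiteralPath $TargetPath -Algorithm SHA256).Hash
    $dest = Join-Path $Quarantine ("{0}.{1}.quarantined" -f (Split-Path $TargetPath -Leaf), $hash)
    Move-Item -LiteralPath $TargetPath -Destination $dest -Force
    "$stamp`tQUARANTINED`t$TargetPath`t$hash`t$dest" | Add-Content -Path $log
    Write-Host "Moved $TargetPath -> $dest (SHA256 $hash)"
} else {
    "$stamp`tFILE-ABSENT`t$TargetPath" | Add-Content -Path $log
}

# 4. Restore points made while the file was present hold a copy of it, which is
#    why the thread says to switch System Restore off and back on. On a client
#    OS that is:
#      Disable-ComputerRestore -Drive "$env:SystemDrive\"   # discards old points
#      (reboot, re-check the Run key, confirm the value has not returned)
#      Enable-ComputerRestore  -Drive "$env:SystemDrive\"
Write-Host "Logged to $log. Reboot now and check the Run key again before re-enabling System Restore."
```

Quarantining instead of deleting costs nothing and keeps the sample available for a scanner that recognises it later, which in this thread took two days and a signature update.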


Tony_1985 #280092 4th Jan 2009 11:33am
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
What worries me is what other files it has "played" with which is why I am trying to find out about it.

I hate doing a full Windows install - takes hours.


diggingdeeper #280742 5th Jan 2009 9:57pm
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
AVG was updated today, identified ~.exe in system32 as Trojan.Win32.Agent.AKSO

This is obviously getting round so watch out for it.

Though this trojan was known about in Oct 2008, it looks like it has been disguised in ~.exe (which is a packed exe file); none of the normal online scanners nor AVG, Spybot or Adaware recognised it as a baddie yesterday.


diggingdeeper #337849 23rd Jul 2009 10:13am
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
This nasty little b*gg*r is floating around again - I have yet to discover how it gets into my computer - it is the only virus that sneaks in undetected, it is contained immediately so can't actually do anything.

The only programs I have installed recently have been very established ones, downloaded from the program's own site or filehippo or download.com

The latest installs/updates were Aspell (GNU spelling checker), Duplicate Cleaner update, AVG update, CCleaner update.

Forgot to check the install date of ~.exe which would have told me what it came in with. I was too quick to BLAST it off this planet.

Although AVG recognised this virus previously, it has gone undetected again so must have been reformed. It is definitely the sneakiest trojan around; I do suggest checking if it exists on your computers: c:\windows\system32\~.exe

If you find it, delete it. There may be some .dat files in the same directory starting with _c; these seem to be its data collection files. I have read about them but never seen them (because on my computer ~.exe is prevented from functioning).

more info

here - clicky

Please no lectures on AVG, F-secure, Avast, Norton etc - they ALL missed this trojan last time it came around in 2008, AVG was the first to correctly recognise it although F-secure was the first that could fix it (unbelievably, before it could detect it).
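The post above regrets deleting the file before checking its install date, which would have shown what it came in with. As an added example (not code from the thread or from any poster), this elevated Windows PowerShell 5.1 script captures that timeline before anything is removed: the file's timestamps, hash and signature, any companion "_c*.dat" files beside it, and what else was created or registered in Add/Remove Programs around its creation time. The file name and companion pattern come from the thread; the one-hour window and the JSON output location are assumptions.

```powershell
# Added example (not code from the thread): capture the timeline around a
# suspect file before it is removed. Run elevated in Windows PowerShell 5.1.

$sys32   = Join-Path $env:SystemRoot 'system32'
$suspect = Join-Path $sys32 '~.exe'          # file name from the thread
$window  = New-TimeSpan -Hours 1             # correlation window (assumption)

if (-not (Test-Path -LiteralPath $suspect)) { Write-Host "$suspect not present"; return }

$file = Get-Item -LiteralPath $suspect -Force
$from = $file.CreationTime - $window
$to   = $file.CreationTime + $window

$report = [ordered]@{
    Path        = $file.FullName
    Bytes       = $file.Length
    Created     = $file.CreationTime.ToString('o')
    LastWritten = $file.LastWriteTime.ToString('o')
    Attributes  = $file.Attributes.ToString()
    SHA256      = (Get-FileHash -LiteralPath $suspect -Algorithm SHA256).Hash
    Signature   = (Get-AuthenticodeSignature -LiteralPath $suspect).Status.ToString()
    # Data files the thread says may sit next to it
    Companions  = @(Get-ChildItem -LiteralPath $sys32 -Filter '_c*.dat' -Force -ErrorAction SilentlyContinue |
                    ForEach-Object { [ordered]@{ Name = $_.Name; Bytes = $_.Length; Created = $_.CreationTime.ToString('o') } })
    CreatedNearby   = @()
    InstalledNearby = @()
}

# Files created in the same window under system32, Program Files and the temp dirs
$scanRoots = @($sys32, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:TEMP, (Join-Path $env:SystemRoot 'Temp')) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$report.CreatedNearby = @(
    Get-ChildItem -Path $scanRoots -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to -and $_.FullName -ne $file.FullName } |
        Select-Object -Property FullName, Length, @{ n = 'Created'; e = { $_.CreationTime.ToString('o') } } -First 200
)

# Programs registered in Add/Remove Programs on the same day. InstallDate is a
# yyyyMMdd string in the registry, so it is compared as one.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$days = @($from.ToString('yyyyMMdd'), $to.ToString('yyyyMMdd')) | Select-Object -Unique
$report.InstalledNearby = @(
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.InstallDate -and ($days -contains $_.InstallDate) } |
        Select-Object DisplayName, DisplayVersion, InstallDate
)

$out = Join-Path (Get-Location).Path ("triage-{0}.json" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $out
$summary = "Report: {0}; {1} nearby files, {2} installs within +/-{3}h of {4}" -f $out,
    $report.CreatedNearby.Count, $report.InstalledNearby.Count, $window.TotalHours, $report.Created
Write-Host $summary
```

Creation time on NTFS can be set by whatever wrote the file, so treat the nearby-files list as a lead, not proof; the Add/Remove Programs InstallDate, where present, is the more reliable pointer to the installer or update the file arrived with.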

diggingdeeper #337870 23rd Jul 2009 11:51am
Joined: Apr 2009
Posts: 871
Wise One
Offline
Perhaps you should try the free version of Malwarebytes Anti-Malware if Norton and the likes missed it. I had a similar virus a year back and Malwarebytes removed it completely. You can find their website here: http://www.malwarebytes.org/

Shadow_Omega #337895 23rd Jul 2009 1:24pm
Joined: Aug 2004
Posts: 22,315
Wiki Master
Offline
AVG is utter shite at best, and if you are running multiple instances of AV software it is little surprise they are failing to detect viruses.


diggingdeeper #337927 23rd Jul 2009 2:34pm
Joined: Nov 2008
Posts: 218
Addict
Offline
AVG used to have a function to make a "boot from floppy or CD", but I can't find it in the latest version? I remember having to do one for a friend and could only make a floppy, but then copied this to a CD, as the friend's PC didn't have a floppy drive.

You used to be able to use this bootable floppy or CD to boot the PC with, then run the anti-virus program from there, like in DOS mode. First make sure the BIOS setting is enabled (for the needed floppy or CD) as the 1st boot.

I think F-Secure does one? If you can do this I'm sure it will make a better job of finding the hidden file that recreates the ~.exe file.

Hope this helps


diggingdeeper #337929 23rd Jul 2009 2:49pm
Joined: Nov 2008
Posts: 218
Addict
Offline
Originally Posted by diggingdeeper
Thanks Mark - I had checked with Spybot startup tool, but YES it is there in msconfig under HKLM/Microsoft/Windows/currentversion/run

But I still don't know if it's a goody or a baddy.

Spybot and AVG don't recognise it as a baddy and none of the other virus companies mention it in their lists of baddies as far as I can see.


A good little program that gives extra info for what's running on your PC is Process Explorer v11.33, by Mark Russinovich. It doesn't install, you just run it.

I don't know if we are allowed to do direct links for files but here it is if you want to try it:

Process Explorer in a zip file
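Process Explorer's value here is seeing every running process with its image path and whether it is talking to the network. As an added example (not code from the thread, from any poster, or from Process Explorer itself), the script below produces a comparable listing in PowerShell: each process joined to its path, Authenticode status and any outbound TCP connections it owns, with unsigned processes that have live connections sorted to the top. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated session so that every process's path is visible.

```powershell
# Added example (not code from the thread): a Process Explorer-style listing of
# processes with image path, signature status and outbound TCP connections.
# Needs Windows 8 / Server 2012 or later; run elevated to see every process path.

# Outbound connections grouped by owning PID (loopback excluded)
$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.State -in 'Established', 'SynSent' -and $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Group-Object OwningProcess -AsHashTable -AsString

$rows = foreach ($p in Get-Process) {
    $path = $p.Path                                   # $null for protected/system processes
    $sig  = if ($path) { (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString() } else { 'n/a' }
    $remote = @()
    if ($conns -and $conns.ContainsKey([string]$p.Id)) {
        $remote = @($conns[[string]$p.Id] |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
            Sort-Object -Unique)
    }
    [pscustomobject]@{
        PID       = $p.Id
        Name      = $p.ProcessName
        Path      = $path
        Signature = $sig
        Remotes   = ($remote -join ', ')
        # Flag: unsigned (or unverifiable) image with at least one outbound connection
        Flag      = (($remote.Count -gt 0) -and ($sig -ne 'Valid'))
    }
}

$rows | Sort-Object Flag, Remotes -Descending |
    Format-Table PID, Name, Signature, Remotes, Path -AutoSize
```

A process in system32 that is unsigned and holds an outbound connection is exactly the combination the original post describes; a valid Microsoft signature does not by itself clear a process, but its absence on a system32 binary is a strong reason to look further.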

topofthepops #337943 23rd Jul 2009 4:49pm
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
It did turn out to be a Trojan, as I suspected by the way it tried to behave - it was formally identified on 4th Jan 2009, the day after I was playing with it (or it was trying to play with me!).

It concerns me that I have security very well clamped down on my computers AND I am very careful what I run on my computer (I have been an IT professional for 32 years) yet this little blighter still sneaked in TWICE now - if it has infiltrated my computer with the care I take, there must be an awful lot of computers infected by it out there.

To put people's minds at rest, most firewalls will stop this Trojan from talking back home, BUT I don't know if Windows Firewall will; it is partly disguised as a Microsoft program and may be trusted by the Microsoft system. I can't find out without risking my system and having to do an 8 hour recovery, not my favourite pastime.


diggingdeeper #337990 23rd Jul 2009 7:15pm
Joined: Nov 2008
Posts: 218
Addict
Offline
Do you know if you have completely "banished" it yet?

I'm as careful as you said you are & I have been lucky up to now & never had a virus/trojan etc. Maybe I shouldn't have said that.

topofthepops #338003 23rd Jul 2009 8:08pm
Joined: Jul 2008
Posts: 14,343
Likes: 19
Wiki Master
OP Offline
Originally Posted by topofthepops
Do you know if you have completely "banished" it yet?

I'm as careful as you said you are & I have been lucky up to now & never had a virus/trojan etc. Maybe I shouldn't have said that.
It doesn't make any difference, on my computers it is completely blocked from doing anything. I have deleted the file and done a complete registry clean. It isn't one of these persistent little things (seen enough of those in my job, heal six files and by then another ten have got infected), it just is very sneaky how it gets on! Got to admit, I am very impressed that it has got me twice, six months apart, nothing else has ever got in.



Moderated by  Mark 
