  1. #1 New Lounger, Michigan, USA (joined Aug 2008)

    sysWOW64 backdoor malware exe's?

    Prevx CSI reports 13 'system backdoor' executables in the c:\windows\sys32 folder (NOT where these files are actually located) on my month-old Vista64 Home Premium laptop (ASUS). The names all start with a 'V' and were created 2 weeks ago (8/3/08).
    Included are internet connection files (ping, ipconfig, tracert, netstat, and route), as well as makecab, nbtstat, net, getmac, icacls, compare, convert, and protection, all of them .exe files. All are located in c:\windows\sysWOW64.

    I've searched everywhere, but can find no information about any of these files when the first letter is V.

    My question is whether I've been invaded or not. I don't know my way around Vista very well, although I've learned that the sysWOW64 directory is Windows' System Windows-on-Windows 64, and is where Vista stores 32-bit apps which run in 64 bits, and sys32 is where it stores 64-bit apps which run in 32. But nothing tells me whether these V*.* exes are safe.

    Thanks to all in advance for any help you might be able to offer.

  2. #2 jscher2000, Super Moderator, Silicon Valley, USA (joined Feb 2001)

    Re: sysWOW64 backdoor malware exe's?

    Try scanning with some other tools for confirmation. You could also post a list of the files in that folder (in an attachment, please) for any other Vista 64 users to compare with their systems.

  3. #3 New Lounger, Michigan, USA (joined Aug 2008)

    Re: sysWOW64 backdoor malware exe's?

    Hi,

    Thanks for getting back quickly. None of AdAware, Spybot, or Malwarebytes Anti-Malware saw these. I am attaching a screenshot of the Prevx CSI report (btw, I've contacted them and they have *no idea at all* whether these are legit Vista files or the bad stuff). This report shows the *wrong* location of the files, which are not in sys32 but in sysWOW64. Also, the original Microsoft versions of these files are in the same directory, and each of those is much larger (e.g., ipconfig is 26 KB and makecab is 96 KB), while all of these are 8 KB or so. I have a HijackThis log and a Prevx CSI log in txt format if needed, as well as screenshots of the directories showing these V files, but these files exceed the 100 KB limit in this forum.
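The folder comparison jscher2000 asks for in #2, and the size check the poster does by hand in #3, can be done in one pass. The script below is an added example and is not from the thread or from Prevx; it assumes the suspect names are the original binary name with a 'V' prefix (inferred from the post, e.g. Vipconfig.exe beside ipconfig.exe), that ~8 KB and "created within the last 14 days" are the signals worth flagging, and that PowerShell 3.0 or later is available for the -File switch.

```powershell
# Added example (not the thread's own code): triage V*.exe files in SysWOW64.
# Flags each file that is unsigned or not Microsoft-signed, carries a non-Microsoft
# CompanyName, is unusually small, or was created recently, and shows the size of
# the same-named Microsoft binary without the V prefix for comparison.
param(
    [string]$Folder   = "$env:windir\SysWOW64",
    [string]$Pattern  = 'V*.exe',   # assumption: the poster's V-prefixed names
    [int]   $MaxKB    = 16,         # assumption: the poster saw files of ~8 KB
    [int]   $DaysBack = 14          # assumption: files "created 2 weeks ago"
)

$cutoff = (Get-Date).AddDays(-$DaysBack)

Get-ChildItem -Path $Folder -Filter $Pattern -File -ErrorAction Stop |
    ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $ver     = $_.VersionInfo
        $reasons = @()

        # Embedded Authenticode check. Caveat: on Vista/7 many genuine Windows
        # binaries are catalog-signed and report NotSigned here, so treat this
        # as one signal among several rather than proof on its own.
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature:$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $reasons += 'signer not Microsoft'
        }

        # Version-resource metadata is trivially forgeable, but a blank or odd
        # CompanyName on a file posing as a Windows tool is still worth noting.
        if ($ver.CompanyName -notmatch 'Microsoft') {
            $reasons += "company:'$($ver.CompanyName)'"
        }

        $sizeKB = [math]::Round($_.Length / 1KB, 1)
        if ($_.Length -lt ($MaxKB * 1KB))  { $reasons += "small:${sizeKB}KB" }
        if ($_.CreationTime -gt $cutoff)    { $reasons += "created:$($_.CreationTime.ToString('yyyy-MM-dd'))" }

        # Size of the legitimate twin (name minus the leading 'V'), if present.
        $twinPath = Join-Path $Folder ($_.Name.Substring(1))
        $twinKB   = if (Test-Path -LiteralPath $twinPath) {
                        [math]::Round((Get-Item -LiteralPath $twinPath).Length / 1KB, 1)
                    } else { $null }

        [pscustomobject]@{
            Name       = $_.Name
            SizeKB     = $sizeKB
            TwinKB     = $twinKB
            Created    = $_.CreationTime
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Company    = $ver.CompanyName
            Suspicious = ($reasons.Count -gt 0)
            Reasons    = ($reasons -join '; ')
        }
    } | Sort-Object -Property Suspicious -Descending
```

Run it as a script from an elevated prompt and pipe the output to Format-Table -AutoSize for reading, or to Export-Csv to produce the attachment the moderator asked for; widen $Pattern to *.exe to list the whole folder. An 8 KB, unsigned, non-Microsoft file sitting beside a 26 KB signed ipconfig.exe is a strong indicator, but every check here runs on the possibly compromised machine itself, so hash the flagged files (Get-FileHash on PowerShell 4+, or certutil -hashfile) and verify them from a clean system before acting on the result.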

  4. #4 3 Star Lounger, England (joined Feb 2003)

    Re: sysWOW64 backdoor malware exe's?

    As I understand it, Ad-Aware and Spybot are not really anti-virus programs. As your Prevx entries require a presumably paid-for licence to remove, wouldn't it be worth running one of the free anti-virus tools to see if you can clear any infection?

  5. #5 Administrator, St Louis, Missouri, USA (joined Mar 2001)

    Re: sysWOW64 backdoor malware exe's?

    Click on the HouseCall icon at the top of the list of posts for any forum to go to a free scan by Trend Micro. McAfee Computer Anti-Virus Software and Internet Security For Your PC, Symantec - Free Virus Scan - Free Antivirus Software, and Free ESET Online Antivirus Scanner are also free scans. I'd recommend one or more of these to see if they find the same issues.

    Joe
