
Thread: vaultsvr.exe

  1. #1
    New Lounger (joined Jul 2011; 5 posts; 4 thanks given; thanked 0 times in 0 posts)

    vaultsvr.exe

    I'm using Windows 7 'lite' on an Asus netbook. I recently installed the free version of AVG. It shows up vaultsvr.exe, in the Windows\System32 subfolder, as a Trojan and nags me about it every time.

    I ran it through the Jotti 'threat comparison' site and most anti-virus programmes gave it the green light, although a couple of others did issue warnings. It is, apparently, an EliteKeyLogger.

    What puzzles me about all this is that if you Google the file you get less than a page of totally unhelpful information. Can anyone throw a little more light on this file and what it does? Nothing that MS does surprises me any more, but a keylogger...?!!!

    BTW this is my first post; I've read the FAQs and searched the file within Ask Woody, to no avail. If however I'm annoying anyone, mea culpa and please set me straight.

    John

  2. #2
    Lounge VIP, Scotland (joined Apr 2011; 1,168 posts; 44 thanks given; thanked 134 times in 115 posts)
    Hello John, welcome.

    Some interesting questions you raise.

    First things first. If you suspect you have a keylogger, I recommend not using the machine for anything important, such as online purchases or banking until you are happy the machine is clean.

    Now to the investigation...

    Windows 7 does not have a "lite" version. Do you mean the official Windows 7 Starter version?

    With Windows XP and Vista, there were a number of ways to load a "lite" package onto small netbooks with a minimal footprint. If perhaps you have one of those types of installations using Win 7, it's possible that the package you used to build the OS has come bundled with something rather nasty. Having said that, I suspect you have the Starter edition.

    Can you confirm the suspect file is vaultsvr.exe? There is a legitimate vaultsvc.dll located in the \system32 folder of Windows 7 which is used for user credentials validation. It's possible that AVG thinks the heuristics of a credential manager are similar to those of a keylogger.

    Are your AVG signatures up to date? When were they last updated? Was the file reported clean in a previous scan? Does the file properties created date match the OS system installation date? Are there any other symptoms of a malware infection?

    AVG has been known, like several other antimalware vendors, to have some false positives. In some cases, these false positives can lead to serious corruptions if "cleaned".

    Anyway, download the free Malwarebytes Anti-Malware. Run that in a full scan mode (make sure you update first). If it gives the offending file the thumbs up and the file properties are not suspicious, I would suspect that the file is genuine and AVG has a false positive. You could double that up with a check for rootkits using Sophos' Anti-Rootkit and Kaspersky's TDSSKiller.
    Last edited by Tinto Tech; 2011-07-01 at 05:19. Reason: typo

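The checks Tinto Tech lists (file properties, creation date against the OS install date, signature, and a hash to look up on a multi-engine scanner) can be gathered in one go. The script below is an added example, not code from the thread or from any of the products mentioned; it assumes PowerShell 4 or later (Windows 7 needs WMF 4 installed, later Windows versions ship with it) and an elevated prompt. The function name `Get-SuspectFileReport` is my own.

```powershell
# Added example (not from the thread): collect the facts about a single suspect
# file that the triage advice above asks for. Assumes PowerShell 4 or later and
# an elevated prompt.

function Get-SuspectFileReport {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path

    # SHA-256 lets you look the file up on VirusTotal or Jotti by hash,
    # without uploading it.
    $sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Genuine Windows binaries in System32 carry a Microsoft Authenticode
    # signature; an unsigned or badly signed file deserves a closer look
    # (not proof of malware on its own, see the note below about catalogs).
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # OS install date, to compare against the file's creation date: a file
    # created long after installation was not part of the original OS image.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    [PSCustomObject]@{
        Path                  = $item.FullName
        SizeBytes             = $item.Length
        Created               = $item.CreationTime
        LastWritten           = $item.LastWriteTime
        OsInstalled           = $os.InstallDate
        CreatedAfterOsInstall = ($item.CreationTime -gt $os.InstallDate.AddDays(1))
        SHA256                = $sha256
        SignatureStatus       = $sig.Status        # Valid, NotSigned, HashMismatch, ...
        Signer                = $signer
        FileDescription       = $item.VersionInfo.FileDescription
        CompanyName           = $item.VersionInfo.CompanyName
    }
}

# The file named in the thread; change the path for another suspect file.
Get-SuspectFileReport -Path "$env:SystemRoot\System32\vaultsvr.exe" | Format-List
```

Two caveats when reading the output. On Windows 7 many genuine system files are signed through a security catalog rather than an embedded signature, so `Get-AuthenticodeSignature` can report `NotSigned` for a legitimate file there; Sysinternals `sigcheck` checks catalog signatures as well. And a creation date well after the OS install date only tells you the file did not arrive with the image, which is equally true of every Windows Update and every application installer.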

  4. #3
    New Lounger (joined Jul 2011; 5 posts; 4 thanks given; thanked 0 times in 0 posts)
    Tinto Tech, thanks for your warm welcome ... and also for putting up with my sloppy use of language. Yes, starter edition is correct. I purchased online from Amazon and the Asus came with it pre-installed, long before the date of the suspect file.

    I confirm the name of the file is correct. My AVG signatures are up to date. AVG has always reported this as a suspect file ever since I installed it three days ago.

    There are no other symptoms of malware.

    I have downloaded your recommendations and will report back once I've run both of them.

    Again, thanks for your time and expertise.

    John

  5. #4
    Administrator, Portugal (joined Jun 2010; 12,519 posts; 152 thanks given; thanked 1,398 times in 1,221 posts)
    You can submit the file to VirusTotal, which will test it against multiple engines and give you more information on whether it is a threat or not. As it will provide results from multiple engines, you will have more info to make a final decision about it.
    Last edited by ruirib; 2011-07-01 at 06:46.


  7. #5
    New Lounger (joined Jul 2011; 5 posts; 4 thanks given; thanked 0 times in 0 posts)
    VirusTotal produced a lot of positives, so many thanks for that.

    Sophos did not detect the file as a threat.

    Malwarebytes did not detect the file as a threat, but it found two others!

    I think it's best if I delete this .exe file. I'm slightly surprised that there isn't a checklist of the current contents of System32.

    All the best, and many thanks,

    John

  8. #6
    Administrator, Portugal (joined Jun 2010; 12,519 posts; 152 thanks given; thanked 1,398 times in 1,221 posts)
    I guess it would be very hard to maintain a valid list of contents for System32, as applications can place files there and Windows has no control over it. You can probably rename the file and place it somewhere else and check if that affects anything, before you remove it, even if it doesn't seem like a commonly available file.
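There is no published master list of System32, for the reason ruirib gives, but you can make your own: record what is in the folder today, then compare later to see what was added or replaced. The script below is an added example, not code from the thread; it assumes PowerShell 4 or later and an elevated prompt, and the baseline CSV path and function names (`Get-System32Snapshot`, `Save-System32Baseline`, `Compare-System32ToBaseline`) are my own choices.

```powershell
# Added example (not from the thread): a do-it-yourself checklist for System32.
# Snapshot the executables, DLLs and drivers with their hashes and signature
# status, then diff a later snapshot against that baseline.
# Assumes PowerShell 4 or later and an elevated prompt.

$System32    = Join-Path $env:SystemRoot 'System32'
$BaselineCsv = Join-Path $env:USERPROFILE 'system32-baseline.csv'   # arbitrary location

function Get-System32Snapshot {
    param([string]$Folder = $System32)

    Get-ChildItem -LiteralPath $Folder -File |
        Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [PSCustomObject]@{
                Name            = $_.Name
                SHA256          = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SizeBytes       = $_.Length
                Created         = $_.CreationTime
                SignatureStatus = $sig.Status
                Signer          = $signer
            }
        }
}

function Save-System32Baseline {
    param([string]$CsvPath = $BaselineCsv)
    Get-System32Snapshot | Export-Csv -LiteralPath $CsvPath -NoTypeInformation
    "Baseline written to $CsvPath"
}

function Compare-System32ToBaseline {
    param([string]$CsvPath = $BaselineCsv)

    # Name -> SHA256 from the saved baseline
    $baseline = @{}
    foreach ($row in Import-Csv -LiteralPath $CsvPath) { $baseline[$row.Name] = $row.SHA256 }

    # Report files that are new or whose contents changed since the baseline
    foreach ($file in Get-System32Snapshot) {
        $change = $null
        if (-not $baseline.ContainsKey($file.Name))        { $change = 'NEW' }
        elseif ($baseline[$file.Name] -ne $file.SHA256)   { $change = 'CHANGED' }
        if ($change) {
            [PSCustomObject]@{
                Change          = $change
                Name            = $file.Name
                Created         = $file.Created
                SignatureStatus = $file.SignatureStatus
                Signer          = $file.Signer
            }
        }
    }
}

# First run:   Save-System32Baseline
# Later runs:  Compare-System32ToBaseline | Sort-Object SignatureStatus, Name | Format-Table -AutoSize
```

Read the diff with ruirib's point in mind: Windows Update and ordinary installers legitimately add and replace files here, so a `CHANGED` entry with a valid Microsoft signature is routine. The entries worth the kind of scrutiny this thread went through are `NEW` files that are unsigned (or, on Windows 7, not covered by a catalog either) and have no obvious vendor.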
