• SysWOW64 backdoor malware exe's?

    Prevx CSI reports in the c:\windows\sys32 folder (NOT where these files are actually located) 13 'system backdoor' executables on my month-old Vista64 Home Premium laptop (ASUS). The names all start with a 'V' and were created 2 weeks ago (8/3/08).
    Included are internet connection files (ping, ipconfig, tracert, netstat, and route), as well as makecab, nbtstat, net, getmac, icacls, compare, convert, and protection, all exe's. All are located in c:\windows\SysWOW64.

    I’ve searched everywhere, but can find no information about any of these files when the first letter is V.

    My question is whether I've been invaded or not. I don't know my way around Vista very well, although I've learned that the SysWOW64 directory is Windows' "Windows on Windows 64", and is where Vista stores 32-bit app info which runs in 64 bits, and sys32 is where it stores 64-bit apps which run in 32. But nothing tells me whether these V*.* exe's are safe.

    Thanks to all in advance for any help you might be able to offer.

    • #1126600

      Try scanning with some other tools for confirmation. You could also post a list of the files in that folder (in an attachment, please) for other Vista 64 users to compare with their systems.

      • #1126653

        Hi,

        Thanks for getting back quickly. None of AdAware, Spybot, or MalwareBytes AntiMalware saw these. I am attaching a screenshot of the Prevx CSI report (btw, I've contacted them and they have *no idea at all* whether these are legit Vista files or the bad stuff). This report shows the *wrong* location of the files, which are not in sys32 but in SysWOW64. Also, the original Microsoft versions of these files are in the same directory, and each of those is much larger (e.g., ipconfig is 26 KB and makecab is 96 KB), while all of these are 8 KB or so. I have a HijackThis log and a Prevx CSI log in txt format if needed, as well as screenshots of the directories showing these V files, but those files exceed the 100k limit in this forum.
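The check the thread is circling around (are the V*.exe files signed by Microsoft, how big are they, and how do they compare with the same-named originals in the same folder) can be done from PowerShell without third-party tools. The script below is an added example written for this page, not something posted in the thread; it assumes PowerShell 4 or later for Get-FileHash, and it assumes the "twin" of a file such as Vipconfig.exe is the name with the leading V removed, which is only a guess at the naming the poster describes.

```powershell
# Added example (not from the forum thread). Inventory every V*.exe in SysWOW64,
# report its Authenticode status, size, creation time and SHA-256, and compare it
# with the same-named file without the leading "V" (an assumed naming pattern).
$dir = Join-Path $env:windir 'SysWOW64'

$report = Get-ChildItem -Path $dir -Filter 'V*.exe' -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $twin = Join-Path $dir $_.Name.Substring(1)       # Vipconfig.exe -> ipconfig.exe (assumption)

    $twinInfo = if (Test-Path $twin) {
        $t = Get-Item $twin
        $tsig = Get-AuthenticodeSignature -FilePath $twin
        "{0} KB, {1}, {2}" -f [math]::Round($t.Length / 1KB, 1), $tsig.Status,
                               (Get-FileHash $twin -Algorithm SHA256).Hash.Substring(0, 12)
    } else { '(no such file)' }

    [pscustomobject]@{
        File      = $_.Name
        SizeKB    = [math]::Round($_.Length / 1KB, 1)
        Created   = $_.CreationTime
        SigStatus = $sig.Status                          # Valid / NotSigned / HashMismatch / ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256    = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        Twin      = $twinInfo
    }
}

$report | Format-Table -AutoSize

# Anything unsigned, or signed by someone other than Microsoft, is what to look at first.
$suspect = $report | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft'
}
"`n{0} of {1} files are not validly Microsoft-signed." -f @($suspect).Count, @($report).Count
```

Two caveats a practitioner would want: many Windows binaries are catalog-signed rather than carrying an embedded signature, so on an older system a NotSigned result for a genuine file is possible and is not by itself proof of tampering (Sysinternals sigcheck with `-a -h` is a useful second opinion, and the SHA-256 column lets you compare against another Vista x64 machine, as the first reply suggests). Conversely, an 8 KB file that shares a system tool's name, is unsigned, and was created on one date across the whole set is exactly the pattern worth preserving (copy the files to a non-executing location before deleting anything) and submitting to the AV vendor.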
