Infected file in system32 folder?

[nite_monkey]

Today my anti-virus program (avast home edition) came up saying that C:\WINDOWS\system32\server.exe is infected with a Win32:Trojan-gen. {Other}, I would like to know what this file is, and possibly how it got on my computer, and if I should remove it?

[f0dder]

Not present on my XP SP2...

Which windows version are you running, and how is it connected to the internet? (Most important: are you behind a NAT'ing router that does not forward all traffic by default to your box?)

[nite_monkey]

I am running XP pro SP2
I am conected to a hub(I think) which is conected to a router, which is conected to the cable modem.
That is about all I can tell you about the way I am conected to the internet, I am not very smart when it comes to internet and what not.

[Curt]

Today my anti-virus program (avast home edition) came up saying that C:\WINDOWS\system32\server.exe is infected

-nite_monkey (April 08, 2007, 03:01 PM)

Not present on my XP SP2...

-f0dder (April 08, 2007, 03:34 PM)

Maybe it should be setver.exe, not server.exe ??

Read about it here - Oops! The interesting part of the article is Subscribers only. Sorry!

[nite_monkey]

nah, I have a server.exe and a setver.exe, setver is clean, server isn't

[Curt]

Did you run the test at http://www.liutiliti...ocesslibrary/server/  ??
- if not, maybe you should.

Note: server.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

Note: server.exe could also be a process which belongs to the . This program is a non-essential process, but should not be terminated unless suspected to be causing problems.

Determining whether server.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from.

[nite_monkey]

It must not be very important, because I was able to rename it to server.exe.donotrunyet or something like that,and it didn't complain

[f0dder]

Iirc, you can usually rename (but not delete!) in-use files. Try rebooting your machine and see whether server.exe is re-created or not, or whether you get any weird error messages...

[nite_monkey]

I decided that if I can rename the file, it must not be very important, so I just deleted the file

[dk70]

Hmm not good enough I think, must know details - how you know it has not mutated or whatever?

Tell Avast to do a full bootscan - much better chance of correct detection and removal. Will kick in before most of XP does and one of the best features of progam.

Write down information and look it up on internet - could be this http://www.sarc.com/...ckdoor.easyserv.html or not. Must get similar info when you know more. To check what damage might have been done and to be sure it is really gone.

Also be ready to fire up S&D, Windows Defender, a-squared Free and what else you got. The more the better try a-squared http://www.emsisoft....om/en/software/free/

There is more you can do for ID. Send file to VirusTotal http://www.virustotal.com/en/indexf.html Most AVs check it then. You get lots of different name for same trojan - use relevant name when looking up details. They dont agree on standards. Must be 100% sure of details or you might start to manually "recover" the wrong items Could also be false positive.

When done find out what went wrong. You have IE7 and Windows Defender installed? Would "immunize" from S&D have changed anything? Which program installed trojan?, was Avast set up properly? and so on. How does Hijackthis report look like?

Avast is ok but not the best for trojans or detection of stuff it does not know about. If you figure programs has failed look elsewhere. Antivir/Avira is as good as the best but free version do not cover "malware" - so might not have changed much. May be try AOL Antivirus http://www.activevir...us/freeav/index.adp? based on Kaspersky and I believe uses their "extended database" = covers whatever. See if Kaspersky find it at VirusTotal.

Windows Defender also does some system monitoring btw. Is light, also in detection but some use with free AVs since they often have disabled malware part. Checking up on browser/system changes is rarely free. You can disable resident part and just have it ready for disaster but reason to install is just resident part. Rest is covered already.

So even if you can disinfect by deleting file (which is doubtful until some AV type of programs agree) you will know why it is a good idea to have updated copies of UBCD and UBCD4WIN http://www.ultimatebootcd.com/index.html http://www.ultimatebootcd.com/index.html The DOS thing have Mcafee and F-Prot, the cd is really a XP Live CD and has as default Avira as full scanner plus several Anti-Spyware programs, all can update themself over internet. Practically all hardware is supported so may be try UBCD4WIN. No effort required, run UBCD4WinBuilder.exe from installation folder - and put in a blank cd. You will need XP SP2 original files and perhaps also run through options - for each entry in a long list you can toggle this or that, for example let scanners update themself before burning to cd. Default should be fine though might be a good idea to do the updating should internet/LAN not work. In worst case have a look at their forum. 95% point and plug for sure. Can also be used if XP simply cant boot - pop it in and you have access to all files. Lots of uses really. Perfectly legal, only freeware and your own legal copy of XP is used.

[nite_monkey]

I don't think I want to do a full boot scan with avast, I want to find a new anti virus program that is 1. free and B. has real time protection, because whenever avast finds a virus, it locks up my computer and I have to consult with my best friend in the entire world, the handy dandy reset button on the front of my computer case.

[dk70]

Well Avast was stable for me during 3 years or so and bootscan is really a nice feature - almost like that LIVE cd trick.

You can get Avira free here http://www.free-av.com/ - but remember to get other tool for malware, not included in free version. Today may be just as important as virus - not even sure where they draw the line. Has much better filters for catching unknown virus - only give few false positives so useful. Why it is as good as NOD32, Kaspersky regarding virus. Does not have many options like Avast, less chance of screwing up - just works. Windows Defender should be painless and as said have some system monitoring so you will be warned if something like server.exe put itself in one of the 5X something startup groups - if it works that is. Update itself through regular Windows Update. Have 2-3 programs for this installed but only 1 or with Defender 2 resident running. They will conflict etc. Must get rid of Avast before checking Avira, AOL.

You still should investigate what actually happend and check evil is gone for real. Usually not so easy to get rid of, might still be on computer somewhere. Is trickered by a program, screensaver or whatever. Panic is bad but so is the opposite - be suspicious and check all those desktop icons you showed off in other thread. All programs are "clean"? You dont use keygenerators and all that? A full bootscan might reveal source.

If you go with Avira and not AOL offer then you might notice it has a pop up window every time it updates - not hourly like with payware, once a day or so. Anyway, that seem to drive people crazy but can be avoided. I tried Avira for some days, only took a little searching to find the trick But AOL is as far as I know the only All-in-one quality free program. Possible Avira wouldnt have catched server.exe because of "free" limitations. Must be sure of what it does and does not. Some dont like the AOL brand but Ive not yet seen any problems by signing up for program. Nothing wrong with quality since powered by Kaspersky - one of the better AV programs.