This isn't really about tilde.exe at all, but a file called C:\Windows\System32\~.exe that has a habit of showing up on laptops that have been playing up with frequent browser crashes.
~.exe is kind of an odd name for a file, and crucially it's an ungoogleable name, because Google uses the tilde mark for its Synonym Search function.
Probing more deeply at the file shows that is is 34,616 bytes in size and is described internally as "Microsoft® Remote Std I/O Shell". The version information gives the following details:
- Company: Microsoft Corporation
- File Version: 6.0.6001.16470 (fbl_tools(patst).070215-1229)
- Internal name: remote.exe
- Language: Language Neutral
- Original File name: remote.exe
- Product Name: Microsoft® Windows® Operating System
- Product Version: 6.0.6001.16470
The ~.exe file may also be accompanied by a couple of strange-looking .dat files, for example __c0084F92.dat or __c00E460A.dat which on closer examination are actually executables.
It does genuinely seem to be a bit of Microsoft software, but in this case it would appear to be acting as a trojan downloader. The .dat files are lilely to be the second stage of the infection, and this could well be related to all the fake anti-virus products that have been promoted recently.
~.exe is detected variously as Trojan-Downloader.Win32.Agent.abnd, Win32/TrojanDownloader.Agent.ABND or Trojan:Win32/Vundo.gen!V (VirusTotal results here). The .dat file shows up variously as Trojan-Downloader:W32/FakeAlert.AN, TROJ_TIBS.CKN, Tibs.gen222, not-a-virus:AdWare.Win32.Agent.ekj (VirusTotal results here and here).
Removal: delete the ~.exe file and any unusual looking .dat files that match the above pattern. If the trojan is active, then one of the .dat files will be locked. The F-Secure Online Scanner seems to be able to safely remove this trojan, although a reboot will be required.
This is the first time that I have seen a Microsoft SMS component used in this way. Presumably it attempts to connect up to a back-end server that I have not yet been able to identify. It may well be that a corporate firewall would block such behaviour.