Sponsored by..

Wednesday 27 August 2008

Tilde.exe in C:\Windows\System32 folder


This isn't really about tilde.exe at all, but a file called C:\Windows\System32\~.exe that has a habit of showing up on laptops that have been playing up with frequent browser crashes.

~.exe is kind of an odd name for a file, and crucially it's an ungoogleable name, because Google uses the tilde mark for its Synonym Search function.

Probing more deeply at the file shows that is is 34,616 bytes in size and is described internally as "Microsoft® Remote Std I/O Shell". The version information gives the following details:

  • Company: Microsoft Corporation
  • File Version: 6.0.6001.16470 (fbl_tools(patst).070215-1229)
  • Internal name: remote.exe
  • Language: Language Neutral
  • Original File name: remote.exe
  • Product Name: Microsoft® Windows® Operating System
  • Product Version: 6.0.6001.16470
The icon is identical to the remote.exe sometimes supplied with various Microsoft debugging or support tools. Indeed, it does seem to be just another version of remote.exe which is a component of Microsoft's SMS server.

The ~.exe file may also be accompanied by a couple of strange-looking .dat files, for example __c0084F92.dat or __c00E460A.dat which on closer examination are actually executables.

It does genuinely seem to be a bit of Microsoft software, but in this case it would appear to be acting as a trojan downloader. The .dat files are lilely to be the second stage of the infection, and this could well be related to all the fake anti-virus products that have been promoted recently.

~.exe is detected variously as Trojan-Downloader.Win32.Agent.abnd, Win32/TrojanDownloader.Agent.ABND or Trojan:Win32/Vundo.gen!V (VirusTotal results here). The .dat file shows up variously as Trojan-Downloader:W32/FakeAlert.AN, TROJ_TIBS.CKN, Tibs.gen222, not-a-virus:AdWare.Win32.Agent.ekj (VirusTotal results here and here).

Removal: delete the ~.exe file and any unusual looking .dat files that match the above pattern. If the trojan is active, then one of the .dat files will be locked. The F-Secure Online Scanner seems to be able to safely remove this trojan, although a reboot will be required.

This is the first time that I have seen a Microsoft SMS component used in this way. Presumably it attempts to connect up to a back-end server that I have not yet been able to identify. It may well be that a corporate firewall would block such behaviour.

6 comments:

Jasonatr0n said...

I have just run across this on a laptop that I am attempting to repair. There are two files, ~.exe and __c00EFBA6.dat. I can delete the exe file, however the .dat corresponds to a winlogon registry key, and am not able to delete it. I will make another comment when I am able to come to a resolution.

Jasonatr0n said...

Ok here is some more info on this infection. First of all, anything that infects the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ area of the registry can be very difficult and frustrating to remove. Here are the steps I took to remove this particular infection:

1. download hijackthis
2. extract hijackthis to \program files\hijackthis
3. run hijackthis
4. open the Misc Tools section
5. click the tool 'delete a file on reboot' option, and locate the .dat file in the \windows\system32
6. reboot the system.
7. open regedit and browse to the winlogon\notify area again. delete the malicious key.
8. reboot the system again, and when its back up, check for the .dat, .exe and the registy keys. If they are gone the infection was successfully removed.

Hope this helps!

Conrad Longmore said...

Thanks, I struggled with the rogue .DAT file in the same way, but the F-Secure online scanner did the trick - http://support.f-secure.com/enu/home/ols.shtml

kellykinns said...

I was just able to ditch this _cc00EFBA6.dat file by following the last part of this website:
http://bbayles.googlepages.com/antivundo.html
Basically the PendMove program it suggests. Also now Advast! updated it's database and can get rid of it too. Advast is free for like 3 months. Good luck! This virus is annoying :( Thanks Java!(according to wikipedia.)

kellykinns said...

Although F-Secure had this virus in its database (according to virustotal.com), it wouldnt pick it up on my system for some reason. This is why I downloaded PendMoves to delete it upon startup, just like jasonatr0n suggested.

The Mushroom said...

As of today, Avast has started finding that on my Win2k machine (not a laptop). It senses it's an odd filename but doesn't know what to do with it so offers Ignore and Delete. An hour or two after I selected Delete, Avast asked me again. The real scan it asked to do on reboot didn't find anything wrong (beside a couple items in the browser cache).