Non-visible executable in admin's temp folder?

Discussion in 'malware problems & news' started by new2security, Aug 29, 2012.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    Hello,

    I'm wondering about Kaspersky's Virus Removal Tool reporting executables that are not scannable because they're password protected.

    C:\Users\xxxx[administrator]\Appdata\Local\Temp\RarSFX0\3123871rar.exe

    When I looked for it in Explorer, the folder or file isn't there
    (all system files and hidden files are set to be visible).

    I am not so concerned about e.g. an installer being password protected, as I've seen this behavior a couple of times. But why can't I see this folder/file in Explorer?
    I've tried to look for it via cmd but no luck.

    Hitman Pro doesn't report anything.

    Any idea?


    Thanks,
     
  2. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I can confirm the RarSFX + executable and other files are created by Kaspersky Virus Removal Tool.
    The files are only visible via VRT tool by opening Explorer from the software, and are normally deleted when the VRT is closed.

    The files in question are e.g. 3123871.prg, 3123871rar.exe, Driver folders etc.

    Edit: an attempt to open 3123871rar.exe (LUA) results in a pop-up window asking for password. The pop-up window looks very "non-Windows" like.
     
    Last edited: Aug 29, 2012
  3. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    Strange, I had that too with the password protected files. Are you sure they are Kaspersky files and not malware?
     
  4. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    492
    I'm 99.9% certain. Those files are removed when Kaspersky's scanner is closed and re-created when you run the Kaspersky program again. Sometimes it happens that the files aren't removed when the program is shut down.
     
  5. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,413
    OK good to know, thanks.
     