Antavmu trojan



It was time for me to assemble a new PC and put Windows 7 on the machine, flanked by all the applications I need (quite a lot :-)). After many, many days of installing and configuring it was time to fine-tune my system. One of the things on my to-do list was running Autoruns, the Sysinternals tool listing the many, many software components that are started at boot time.

On the Explorer tab I could see an entry without a name (“n/a”, which stands for “not available”) from the publisher “Pq3mUuOj”. Mmmm… Perhaps this is the funny nickname of the author of one of those freeware tools I use? Or perhaps it comes from some strange Russian-based company? Nah! I had a bad feeling: could this be some kind of malware…?

The file this entry was referring to was windefence32.exe in C:\Windows\system32\WinDefence, which didn’t contain any other file. If this was really a security file, then the publisher must be really stupid! Such a “safe name” with such an “unsafe publisher’s name”, nope, this didn’t sound good…

The problem is that Microsoft Security Essentials had never warned me about this file, and neither had Hitman Pro 3.5 (build 86). Perhaps I was wrong and nothing was going on? I decided to go to VirusTotal (http://www.virustotal.com) and upload the file for a check.

The results were very clear: it was a trojan, not detected by the antimalware software on my system. Most engines checked by VirusTotal marked the malware as the Antavmu trojan. This thing must be deleted right away!
I deleted the exe and its folder and removed every referral to it in the registry, including the entry to run the exe at boot time. AFAIK this trash is gone now 🙂
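As an added example (not part of the original post), here is a small Python triage pass over an Autoruns CSV export that applies the same reasoning the post does by hand: it flags entries with no description, a publisher whose signature Autoruns could not verify, or a binary sitting in its own subfolder under system32, and prints the hash to look up on VirusTotal. The column names are assumed to match an `autorunsc -c -h` export, and the sample rows (including the hashes) are constructed.

```python
import csv
import io

# Constructed sample rows in the shape of an Autoruns CSV export (autorunsc -c -h).
# Column names are assumed to match that export (only these six are used);
# the entries and SHA-256 values are made up for this example.
SAMPLE_CSV = """Entry Location,Entry,Description,Signer,Image Path,SHA-256
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks,n/a,n/a,Pq3mUuOj,C:\\Windows\\system32\\WinDefence\\windefence32.exe,1111111111111111111111111111111111111111111111111111111111111111
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler,Browseui preloader,Shell Browser UI Library,(Verified) Microsoft Windows,C:\\Windows\\system32\\browseui.dll,2222222222222222222222222222222222222222222222222222222222222222
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects,Toolbar Helper,Example Toolbar,(Not verified) ExampleSoft,C:\\Program Files\\ExampleSoft\\tbhelper.dll,3333333333333333333333333333333333333333333333333333333333333333
"""


def triage(csv_text):
    """Return autostart entries worth a closer look, most suspicious first,
    each with the reasons it was flagged and the SHA-256 from the export
    (paste the hash into VirusTotal rather than uploading the file)."""
    suspects = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        # Autoruns shows "n/a" when the binary carries no version resource.
        if row["Description"].strip().lower() in ("", "n/a"):
            reasons.append("no description (no version info in the binary)")
        # Autoruns prefixes the signer with "(Verified)" only when the
        # Authenticode signature checks out; a bare name is just a claim.
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("publisher not verified: %s" % row["Signer"])
        # A shell component in its own subfolder under system32 is unusual;
        # legitimate ones mostly sit directly in system32.
        path = row["Image Path"].lower()
        if path.startswith("c:\\windows\\system32\\") and path.count("\\") > 3:
            reasons.append("binary lives in a subfolder of system32")
        if reasons:
            suspects.append({
                "location": row["Entry Location"],
                "image_path": row["Image Path"],
                "sha256": row["SHA-256"],
                "reasons": reasons,
            })
    suspects.sort(key=lambda s: len(s["reasons"]), reverse=True)
    return suspects


if __name__ == "__main__":
    for s in triage(SAMPLE_CSV):
        print(s["image_path"])
        for r in s["reasons"]:
            print("  -", r)
        print("  look up this SHA-256 on VirusTotal:", s["sha256"])
```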

Greetz, Pedro

