McAfee repeatedly detects VDS.EXE in temp folder.

[everway9]

Hi everyone.

I've come here to post this before posting on the McAfee forum because, well.... it's just a better forum, period!

A day ago McAfee live safe started detecting and quarantining VDS.EXE in the local\temp folder. It detects it repeatedly all day in about 1 hour intervals.

I restored one of the quarantined VDS.EXE threats back to the temp folder and took a screenshot of the file explorer window showing the folder containing the VDS.EXE and it's associated files. Also on the screenshot is the McAfee quarantine window showing the details of one of the other VDS.EXE threats. There are at least 20 more of the VDS.EXE threats still in quarantine.

Obviously something is writing these files to the temp folder on a regular basis. I know vds.exe is the Virtual Disk Service which is in the System32 and WinSxS folders but vds.exe is in lowercase whereas the VDS.EXE in the temp folder is in capital letters.

I'm curious to know what is creating the VDS.EXE and it's associated files in the temp folder.

Maybe these files have always been appearing in the temp folder and it's just that McAfee has suddenly started to detect them as threats. OR... Maybe they have only recently started to appear in the temp folder and McAff is correct to detect them as a threat.


I haven't gotta clue and I'm wondering if any of you might know what it's all about.

Any input would be most welcome.

Many thanks.

 

[Mojazz]

Any vds.exe which appears outside of the windows/32/system is a high probability of virus intrusion. Temp folders and the like with vds.exe should be held in great suspicion . Delete them immediately. This is often used as a spoof mimicking an official Microsoft named file so that Trojan and virus writers can go about their business undetected. You should only see the vds.exe in your windows/32/system and no where else on your computer.

 

[everway9]

Hi Mojazz.

Thanks for your reply.

Yeah.. I didn't explain myself properly. I knew it was most probably suspicious and I had only restored it from quarantine because I wanted to see which other files might have been created along with the VDS.EXE. I also wanted to check the files 'Properties' to see if there were any clues as to what process/program had created them.

Because something keeps on creating the same files over and over again McAfee keeps detecting them over and over again. I still need to find out what is creating the files. McAfee is just detecting and quarantining, it's not finding/fixing the initial problem.

 

[Mojazz]

Hi Mojazz.

Thanks for your reply.

Yeah.. I didn't explain myself properly. I knew it was most probably suspicious and I had only restored it from quarantine because I wanted to see which other files might have been created along with the VDS.EXE. I also wanted to check the files 'Properties' to see if there were any clues as to what process/program had created them.

Because something keeps on creating the same files over and over again McAfee keeps detecting them over and over again. I still need to find out what is creating the files. McAfee is just detecting and quarantining, it's not finding/fixing the initial problem.

 

[Mojazz]

Have you manually run a file search through windows for the exact file name vds.exe and see how many times it appears and where the locations are? If not, try that and delete all vds.exe files which appear which are not in the windows/system/32. Also , run your virus scan in safe mode. Sometimes you can catch the virus hiding in programs which are not currently running while in safe mode. Also you can sometimes find and delete viruses in safe mode but not when the operating system is up and running full bore . Try the safe mode virus scan first. Do not restore anything you find in quarantine. You should try to delete those items if your anti virus allows. Also try a couple of free online scanners you can run.....Malwarebytes, Trend Micro House Call. No one anti virus program catches all and removes all virus threats. You have a nice long weekend to work on this. Report back after you have pulled all your hair out or with your success story.

 

[Mojazz]

Post script, those virus programs which only detect but do not allow full deletion of the quarantined item suck. One of those free online virus scanners which I suggested might allow for the actual deletion of detected item in addition to finding other virus intrusion locations. By the way, is your system being negatively affected in it's running or are you just overly concerned about the detections themselves? Ok

 

[everway9]

Thank you so very much for taking the time to help. I really do appreciate it.

I'll try your suggestions and report back Sir. (Madam?)

 

[everway9]

These are the files found when I searched the Windows folder.

 

[Mojazz]

I have looked at your files submitted and checked them out. According to what I have read, all of these files you have listed are normal within the windows operating platform. Nothing about any of your listed files have any virus threats attached to them. For your own peace of mind, do a search on each of your listed files yourself. Your virus program might be giving you a false positive for these files. They are not malicious. They are part of your normal windows operating system. These should not be a cause for alarm.

 

[Mojazz]

I just checked and I also have numerous vds files in my windows/system/32 folder. My Norton antivirus does not treat them as malicious. Once again, you should be ok. Is your system behaving strangely? If not, continue to press on.

 

[mdd1963]

Microsoft/SysInternals' Process Explorer will allow you to display parent/child relationships and determine which application is spawning this file...
https/technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
A very powerful investigative tool!

https/www.computersecuritystudent.com/FORENSICS/Proccess_Tools/lesson1/index.html

 

[everway9]

I just checked and I also have numerous vds files in my windows/system/32 folder. My Norton antivirus does not treat them as malicious. Once again, you should be ok. Is your system behaving strangely? If not, continue to press on.

Thanks very much for checking. Because all of the files are either in the System32 or WinSxS folders I didn't think any were suspicious either.

My system does seem to be behaving normally. The only thing that's not is these repeat quarantine actions by McAfee. I could always check the 'Do not show this message again' option when the McAfee quarantine notification pops up. However it's not something I'm going to ignore. I WILL get to the bottom of this.

This repeat quarantine behaviour has not happened before for any other files. There are no other files which have been quarantined more than once. This VDS.EXE is the only one.

I will continue to investigate.

Thanks again.

 

[everway9]

Microsoft/SysInternals' Process Explorer will allow you to display parent/child relationships and determine which application is spawning this file...
https/technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
A very powerful investigative tool!

https/www.computersecuritystudent.com/FORENSICS/Proccess_Tools/lesson1/index.html

Hi mdd1963.

That looks like a good utility. I will give it a go.

I will restore one of the quarantined VDS.EXE files again so that Process Explorer can access it.

Thanks for your post.

 

[everway9]

I'm sorry..... When I said my system is behaving normally I totally forgot about one of my other threads on this forum. I have a problem with 'Protected operating system files' repeatedly showing on my desktop. I go to folder options and check the option but they keep coming back. I'm now wondering if it may have something to do with the VDS.EXE issue. They both started happening on the same day I think. I just didn't put 2 and 2 together.

Here's the thread link: http/www.tomshardware.co.uk/forum/id-3455748/hide-protected-operating-system-files-suddenly-turned.html

 

[everway9]

mdd1963.... I've never used process explorer so I'm not quite sure what I should be doing. I clicked on find and typed VDS.EXE and it searched but nothing was found. Please can you tell me how I can get process explorer to show me details about a file once the file is created?

 

[everway9]

I've found a program called PA File Sight. It can monitor files which are created in selected folders in real time and log the process/user which created it (assuming it's a local process). I'm going to set it up to monitor the temp directory and see what it finds. I only hope that I can search the results. Otherwise it's going to take a very long time to browse all the files.

 

[Mojazz]

Hey, did you ever try those free online scans I suggested? If so, did they detect any threats ? Did you run your current anti virus in safe mode yet??

 

[everway9]

Hi Mojazz. I scanned with malwarebytes, adaware and my main AV McAfee but haven't yet downloaded Trend Micro. I haven't run anything in safe mode just yet either. I'm waiting for a time when I don't have to use my PC much, then I'll run all in safe mode. I also have this PA file sight it running in the background at the moment.

The scans did pick up a few things for which I already know are false positives and have been on my system for ages otherwise no suspicious items were detected.

I have a few other things to do which need to be done in safe mode and with safe/clean boots too. I have a cmd window popping up on boot that i'm investigating. I don't think it's connected to this issue as the cmd window has been popping up for over a month now and this VDS.EXE issue only started a few day ago. I also have (another) thread about the command window here too http/www.tomshardware.co.uk/forum/id-3401078/sqlitec-command-window-popping-boot-windows.html

I should really get on and do these things and get back to you when I've done them before I post anymore. You've been very helpful and it's only right that I finish doing your suggestions before taking up anymore of your valuable time.

Huge thanks.

 

[mdd1963]

mdd1963.... I've never used process explorer so I'm not quite sure what I should be doing. I clicked on find and typed VDS.EXE and it searched but nothing was found. Please can you tell me how I can get process explorer to show me details about a file once the file is created?

https/www.youtube.com/watch?v=yQSHqt-wIkY

There are numerous tutorials on Youtube, some much longer and comprehensive....

 

[everway9]

mdd1963.... I've never used process explorer so I'm not quite sure what I should be doing. I clicked on find and typed VDS.EXE and it searched but nothing was found. Please can you tell me how I can get process explorer to show me details about a file once the file is created?

https/www.youtube.com/watch?v=yQSHqt-wIkY

There are numerous tutorials on Youtube, some much longer and comprehensive....

Thanks for the link.