wextract.exe malware?

I decided to run a full Defence+ scan with CFP earlier today while I was out for a couple of hours. When I returned, not only had it found something suspicious, but the scanner was “stuck” on a file, using excessive CPU.

Technical stuff:

I’m using Windows XP, SP3, with latest Windows updates. The only security application I use is CFP3 (3.0.25.378), updated just before the scan. Symptoms:
a) Malware found: “C:\I386\WEXTRACT.exe” (id = 0xb2ebe)
b) “Elapsed time”-counter stopped at 1+ hour something, but the magnifier scanner symbol animating as if it was still scanning (it said it was now scanning “C:\WINDOWS\Ökensand.bmp”, Ö being the last letter in my national alphabet and “Ökensand” the last file in the Windows folder).
c) cfpconfig.exe was using up to 70-80% CPU, even after stopping the scan and closing the scanner window.

Now, a Google search for Wextract.exe tells me that it’s the legitimate Microsoft “Win32 Cabinet Self-Extractor”, but this file should normally not exist in the C:\I386 folder. There is no visible wextract process running on my computer, and I have never received a warning about it previously. An upload of the file to virustotal.com gives no malware return. I would think it’s a false positive, but why would the Defence+ scanner think it’s some kind of malware? Isn’t CFP3 using the upcoming CIS engine in its scanner?

On a side note, the behaviour of the scanner as described in b) and c) above was a bit strange, but I guess it has nothing to do with the wextract.exe?

Hey Banjan,

If you can find the file, upload it to www.Virustotal.com to check if it really is malware.

An upload of the file to virustotal.com gives no malware return.
;)

I suppose this is a false positive, but why would the file reside in the C:\I386 folder (as I mentioned, my Google search gave no references to this folder)? And why does the CFP scanner think it is malware?

I’ve had the same problem. It reported the 0xb2ebe in 2 files related to Jasc Photoshop and also Musicmatch Jukebox. 100% CPU usage. VirusTotal cleared both files. How do I skip these files in future scans?

Hey, I have the same shit. I was scanning this time on Win7, and the scanner was searching in the XP system32 folder when it alerted me that in the dll cache and in the system32 root a backdoor (wextract.exe) was found.

3/30/2010 5:08:24 PM C:\WINDOWS\system32\dllcache\wextract.exe Backdoor.Win32.Delf.pcf0@101653979 Detect Success
3/30/2010 5:08:24 PM C:\WINDOWS\system32\dllcache\wextract.exe Backdoor.Win32.Delf.pcf0@101653979 Ask Success

So I searched Google, and found that many AVs had previously claimed it was a trojan, but they said that it’s a FP. Now I am not sure, because I clicked on the remove button, and Comodo managed to remove it from the system32 root, but not from the dll cache. I wanted to remove it manually, and failed; Windows said that I had no right to do that. But I was on Win7, ■■■■ it!, and this file was on the XP partition, so it should not cause a conflict with user rights. Anyway, I tried to delete the whole dllcache folder, and every other file in that folder, which should have also been protected, was deleted, except wextract.exe. On top of that, I was trying to delete it from XP, where there isn’t any UAC or something like that that should restrict me, telling me I have no right to delete a system file, and I could not remove that shit.

So I decided to upload it to virustotal, and on the first try I was waiting 5 minutes in front of the “please wait while the file is being uploaded” screen, and finally it said that there was an error. Tried again, and it uploaded smoothly in a few secs, and I got this:

http://www.virustotal.com/hu/analisis/4cba1dc2ddb610a8569a03e1b3b6b0b249f1c5744ab845b9257446c656a3993c-1269962215

I wondered why that was, but when I tried to upload it the first time, there was loud HDD swapping, which I found strange, and I tried to delete wextract.exe from the dll cache again, and this time I had no alert at all, could delete it without problems, and I wonder what the heck this might have been???

Please report this as a false positive here:

They will send you an email with the results of their analysis.

For future reference, if you ever have an AV detect a file that you are not sure about, it is better to check it out using some of the methods in How To Tell If A File Is Malicious. You may have removed important files. Hopefully this is not the case, but it is always better safe than sorry.

What I am worried about is how this file would not allow you to delete it. This could indicate that it is an important system file. Hopefully this is not the case and you will not experience any more problems.

In a standard XP installation, there’s no i386 folder at the root of the system partition, and wextract.exe is legit under system32.

i386 might be a safe copy of the XP installation, as it came from the CD, or a restore partition on some computers, and might in such an event be deleted if one has the standard Windows partition and XP CD.

It also results from “custom” XP installations (e.g., from deploying an ISO like in slipstreamed installations, BartPE…)

XP forbids deleting system files and tries to restore them from the restore partition, CD or dllcache if XP restore is not disabled. (Note that this “feature” even forbids deleting screensavers or unused localized keyboard files).

Disabling XP restore is not such a nasty idea (as long as you have the CD), since a malware in the running system partition shall be copied to the XP restore location.
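As an added example (not code from any poster in this thread), a small Python helper for the two checks discussed above: it parses scanner log lines of the format quoted earlier, groups the detection names per file so each file is sent for false-positive review only once, and hashes the system32 and dllcache copies of a file to confirm they match, which is what Windows File Protection keeping dllcache as the restore source implies. The log text and file bytes below are constructed stand-ins, not the real files.

```python
import hashlib
from dataclasses import dataclass

# Constructed from the two scanner lines quoted in the thread; not a real log file.
SAMPLE_LOG = r"""
3/30/2010 5:08:24 PM C:\WINDOWS\system32\dllcache\wextract.exe Backdoor.Win32.Delf.pcf0@101653979 Detect Success
3/30/2010 5:08:24 PM C:\WINDOWS\system32\dllcache\wextract.exe Backdoor.Win32.Delf.pcf0@101653979 Ask Success
"""

@dataclass
class Detection:
    timestamp: str
    path: str
    name: str
    action: str
    result: str

def parse_log_line(line: str) -> Detection:
    """Split '<date> <time> <AM|PM> <path> <name> <action> <result>'.
    The path is everything between the timestamp and the last three
    fields, so paths containing spaces still parse correctly."""
    tokens = line.split()
    if len(tokens) < 7:
        raise ValueError(f"unexpected log line: {line!r}")
    name, action, result = tokens[-3:]
    return Detection(" ".join(tokens[:3]), " ".join(tokens[3:-3]), name, action, result)

def parse_log(text: str) -> list:
    return [parse_log_line(l) for l in text.splitlines() if l.strip()]

def detections_by_path(dets: list) -> dict:
    """Group detection names per file so each file is reported once."""
    out = {}
    for d in dets:
        out.setdefault(d.path, set()).add(d.name)
    return out

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_copies(copies: dict) -> dict:
    """copies maps path -> file bytes. Windows File Protection keeps the
    dllcache copy as the restore source for system32, so the two legit
    copies should hash identically; a mismatch deserves a closer look."""
    hashes = {p: sha256_hex(b) for p, b in copies.items()}
    return {"hashes": hashes, "identical": len(set(hashes.values())) == 1}

if __name__ == "__main__":
    legit = b"MZ\x90\x00 constructed stand-in for wextract.exe"  # placeholder bytes
    for path, names in detections_by_path(parse_log(SAMPLE_LOG)).items():
        print(path, sorted(names))
    print(compare_copies({r"C:\WINDOWS\system32\wextract.exe": legit,
                          r"C:\WINDOWS\system32\dllcache\wextract.exe": legit}))
```

On a real machine, replace the placeholder bytes with the contents read from both paths; the printed SHA-256 is also the value to look up on VirusTotal instead of re-uploading the file.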