New Anti-virus Programme Found Something

3 replies to this topic

#1 waterface

waterface

  • Members
  • 177 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 15 August 2008 - 06:45 PM

Hi
I, today, uninstalled my AVG 7.5 as it will be worthless by the end of the month & installed Avira AntiVir free version.
I ran it & it found something called
DR/Tool.Reboot.F.102 dropper
It has been put in quarantine. My old AVG didn't detect this in recent scans.
Can you tell me what it is & what should I do?
Here is the report AntiVir created:


Avira AntiVir Personal
Report file date: 16 August 2008 00:18

Scanning for 1556257 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: HOME-E9D7CCFC95

Version information:
BUILD.DAT : 8.1.0.331 16934 Bytes 12/08/2008 11:46:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 26/06/2008 09:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 08:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 13:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 08:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 11:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 14:54:15
ANTIVIR2.VDF : 7.0.6.10 2587136 Bytes 14/08/2008 22:43:06
ANTIVIR3.VDF : 7.0.6.23 74240 Bytes 15/08/2008 22:43:07
Engineversion : 8.1.1.19
AEVDF.DLL : 8.1.0.5 102772 Bytes 09/07/2008 09:46:50
AESCRIPT.DLL : 8.1.0.63 311673 Bytes 15/08/2008 22:43:13
AESCN.DLL : 8.1.0.23 119156 Bytes 15/08/2008 22:43:13
AERDL.DLL : 8.1.0.20 418165 Bytes 09/07/2008 09:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 15/08/2008 22:43:12
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 15/08/2008 22:43:11
AEHEUR.DLL : 8.1.0.47 1368437 Bytes 15/08/2008 22:43:11
AEHELP.DLL : 8.1.0.15 115063 Bytes 09/07/2008 09:46:50
AEGEN.DLL : 8.1.0.35 315764 Bytes 15/08/2008 22:43:09
AEEMU.DLL : 8.1.0.7 430452 Bytes 15/08/2008 22:43:09
AECORE.DLL : 8.1.1.8 172406 Bytes 15/08/2008 22:43:08
AEBB.DLL : 8.1.0.1 53617 Bytes 24/04/2008 09:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 09:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 10:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 15/08/2008 22:43:08
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 12:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 13:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 18:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 13:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 13:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 14:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 14:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 16 August 2008 00:18

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'MailWasher.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'FireWall.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
27 processes with 27 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '50' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{059FF85F-BE58-454B-A925-461FD9805E4B}\RP136\A0007985.exe
[DETECTION] Contains recognition pattern of the DR/Tool.Reboot.F.102 dropper
[NOTE] The file was moved to '48d6103e.qua'!


End of the scan: 16 August 2008 00:31
Used time: 13:03 Minute(s)

The scan has been done completely.

1589 Scanning directories
68753 Files were scanned
1 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
68751 Files not concerned
460 Archives were scanned
1 Warnings
1 Notes

I hope someone can advise
Many thanks
Wf

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:04 AM

Posted 15 August 2008 - 10:32 PM

The infected RP***\A00*****.exe/.dll file(s) identified by your scan are in the System Volume Information Folder (SVI) which is a part of System Restore. This is the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default unless you have reconfigured Windows to show it.

System Restore will back up the good as well as the bad files so when malware is present on the system it gets included in any restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, they may detect and place these files in quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can then delete it at any time.

Each security vendor uses their own naming conventions to identify various types of malware. Without knowing the specific file associated with the threat and its original location (full file path), it's difficult to determine exactly what has been detected or the nature of the infection.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 waterface

waterface
  • Topic Starter

  • Members
  • 177 posts
  • OFFLINE
  • Local time:05:04 AM

Posted 16 August 2008 - 08:55 AM

Hi
Thank you quietman.
I am still unsure as to what to do, whether it is safe to delete this from quarantine or restore it back to where it was?
I have seen no changes in my pc's performance since this was quarantined, & am wary of deleting it just in case it may be an important part of 'system restore' as you say!

Quote:
Without knowing the specific file associated with the threat and its original location (full file path), it's difficult to determine exactly what has been detected or the nature of the infection.

Is there anything I can do to show you this? I just need to know what to do.

Many thanks

wf

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,281 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:04 AM

Posted 16 August 2008 - 10:52 AM

The threat detection is in System Restore only. The actual physical file related to it was not detected on your system. There is no need for this file in SR other than to serve as a backup for a file that no longer exists, so you can delete it.
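As an added illustration (not code from the thread, from Avira, or from the posters), the following Python script reads the AntiVir report format quoted above and separates detections whose path is inside a System Restore point (the RP***\A00***** backup copies quietman7 describes, which only need purging from quarantine) from detections of live files, which would need follow-up. The sample report is constructed from the lines in the original scan plus one placeholder live-file hit that is not from the original.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the AntiVir report layout: a path line, then its [TAG] result lines.
# The restore-point hit is taken from the report above; the second hit is a made-up placeholder.
SAMPLE_REPORT = """\
Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
C:\\System Volume Information\\_restore{059FF85F-BE58-454B-A925-461FD9805E4B}\\RP136\\A0007985.exe
[DETECTION] Contains recognition pattern of the DR/Tool.Reboot.F.102 dropper
[NOTE] The file was moved to '48d6103e.qua'!
C:\\Documents and Settings\\example\\Desktop\\sample.exe
[DETECTION] Contains recognition pattern of the EXAMPLE/Placeholder.Name
[NOTE] The file was moved to '00000000.qua'!
"""

DETECTION_RE = re.compile(r"^\[DETECTION\]\s+Contains recognition pattern of the (.+?)\s*$")
# System Restore keeps backup copies as <SVI>\_restore{GUID}\RP<n>\A<digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(?P<rp>\d+)\\A\d+\.\w+$",
    re.IGNORECASE,
)


@dataclass
class Detection:
    path: str
    threat: str
    restore_point: Optional[int]  # RP number when the hit is a System Restore backup copy

    @property
    def in_restore_point(self) -> bool:
        return self.restore_point is not None


def parse_detections(report: str) -> List[Detection]:
    """Walk the file-scan section, pairing each [DETECTION] line with the path line before it."""
    detections: List[Detection] = []
    current_path: Optional[str] = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("["):
            current_path = line  # a new file path being reported on
            continue
        m = DETECTION_RE.match(line)
        if m and current_path:
            rp = RESTORE_POINT_RE.search(current_path)
            detections.append(Detection(current_path, m.group(1), int(rp.group("rp")) if rp else None))
    return detections


def triage(report: str) -> Dict[str, List[str]]:
    """Split hits into restore-point backups (quarantine entry can be deleted) and live files (need follow-up)."""
    result: Dict[str, List[str]] = {"restore_point_only": [], "live_file": []}
    for d in parse_detections(report):
        result["restore_point_only" if d.in_restore_point else "live_file"].append(d.path)
    return result
```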