
Kaspersky Virus Removal Tool detected trojan in System.sav...is it a false positive or should I be worried?


#1 mpg317


Posted 02 August 2011 - 11:14 AM

I normally scan regularly with Malwarebytes and Symantec Endpoint Protection 11, and I haven't found anything with those recently. I occasionally use the Kaspersky Virus Removal Tool for a "second opinion", but I have had false positives found with it (For example, I did an avast! scan and SEP11 quarantined some files from avast mid scan as Downloaders as false positives, then Kaspersky found the same files and said I had multiple banload trojans incorrectly as well).

Yesterday I downloaded the most recent version of the Virus Removal Tool and it picked up a file with the pathname "C:\System.sav\util\RESBETA\RESDETECT.EXE" and said that it was "Trojan-Downloader.Win32.Banload.bmso". I searched for the file in my system and RESDETECT.exe has a nvidia logo, and it was created and last modified 11/14/2007, and it was last accessed 2/24/2008 at 6 a.m., when I don't think my PC was even on since I am rarely on my PC in the morning.

So what should I do? Should I delete the file, or ignore it? I don't want to delete anything from the System.sav folder without knowing that I must, and based on context clues, it seems like it is an auto resolution detecting program. Help as soon as possible is appreciated, as I want to use this computer as little as I can until I know it is safe.

Thank you.

EDIT: Upon further reflection, I didn't even have this PC until November of 2008, so this file hasn't been (apparently) accessed or modified while I have had this computer. Could trojans alter the access date so that it can mask when it altered the file?

Edited by mpg317, 02 August 2011 - 11:32 AM.


#2 boopme


Posted 02 August 2011 - 03:11 PM

Hello, let's upload this file for a second opinion on what it actually is.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link --> Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


NOTE:
For submission to a specific anti-virus vendor see Submitting Virus Samples: How to Submit a Virus.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
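Before uploading a flagged file for the second opinion described above, it helps to record what the file actually is. The following PowerShell script is an added example, not something posted in this thread: it collects the file's SHA-256 (which multi-engine scanners and vendor false-positive forms accept in place of an upload), its NTFS timestamps, the embedded version block, and the Authenticode signature status. The path is the one the original poster named; `Get-FileHash` assumes PowerShell 4.0 or later.

```powershell
# Added example (not from the thread): triage a file an AV engine flagged
# before deciding whether the detection is a false positive.
param([string]$Path = 'C:\System.sav\util\RESBETA\RESDETECT.EXE')

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "File not found: $Path"
    return
}
# -Force also returns hidden and system files (System.sav is normally hidden).
$item = Get-Item -LiteralPath $Path -Force

# The hash identifies the exact binary for a scanner lookup or a vendor report.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# An icon proves nothing; the version block and the code signature are what
# tie a binary to a publisher. Status is Valid, NotSigned, HashMismatch, etc.
$ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($item.FullName)
$sig = Get-AuthenticodeSignature -FilePath $item.FullName

# NTFS timestamps live in file metadata that any process with write access
# can set, so treat them as a hint, not proof. Note that Vista and later do
# not update LastAccessTime by default, so an old access date is expected.
[pscustomobject]@{
    Path        = $item.FullName
    SizeBytes   = $item.Length
    SHA256      = $hash
    Created     = $item.CreationTime
    Modified    = $item.LastWriteTime
    Accessed    = $item.LastAccessTime
    Company     = $ver.CompanyName
    Product     = $ver.ProductName
    FileVersion = $ver.FileVersion
    SigStatus   = $sig.Status
    Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
} | Format-List
```

A `Valid` signature from the expected publisher, together with a clean multi-engine result for the hash, is the evidence a vendor wants attached to a false-positive report; a `NotSigned` or `HashMismatch` result means the file deserves the upload before anything is decided.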

#3 mpg317


Posted 02 August 2011 - 04:22 PM

Thanks for the reply! Here is the link to the results of the Jotti scan. Since Kaspersky was the only scan that found an issue, should I assume it was a false positive?

#4 boopme


Posted 02 August 2011 - 06:35 PM

Yes, it looks that way. If you want to submit it to Kaspersky:


Email: newvirus@kaspersky.com
Submission: http://support.kaspersky.com/virlab/helpdesk.html
Info: http://forum.kaspersky.com/index.php?showtopic=13881

#5 mpg317


Posted 02 August 2011 - 09:08 PM

Excellent, I'll be sure to submit the file to Kaspersky, and I will also have to keep the Jotti website in mind for whenever I have any other issues with possible false positives. Thanks again for the help!

#6 boopme


Posted 02 August 2011 - 09:22 PM

You're welcome from us all. If they confirm it as an FP, let us know; we keep a list.

Good luck out there,