Author Topic: Restart.exe infected  (Read 4536 times)

mapie

  • Guest
Restart.exe infected
« on: February 28, 2008, 05:32:38 AM »
restart.exe infected...

so what do i do now? it's inside the virus chest... do i delete it? or how can i restore it coz i think i need this file to be able to restart the pc???

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Restart.exe infected
« Reply #1 on: February 28, 2008, 07:23:40 AM »
No, you don't need it to restart your computer. Where the file was located will tell us what it may be used for.

In Windows Explorer, please navigate to this folder

c:\program files\Alwil Software\Avast4\data\log

In the right-hand panel, please locate this file: warning.log

Open it with notepad and copy and paste the lines related to this detection. That will give us more information to go on.

mapie

  • Guest
Re: Restart.exe infected
« Reply #2 on: February 28, 2008, 02:06:44 PM »
thank you for the response... here it is

2/10/2008   2:00:33 PM   1202623233   SYSTEM   1332   Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A. 
2/10/2008   2:00:34 PM   1202623234   SYSTEM   1332   An error has occured while attempting to update. Please check the logs. 
2/10/2008   3:31:31 PM   1202628691   SYSTEM   1332   Sign of "Win32:AutoRun-S [trj]" has been found in "G:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE" file. 
2/10/2008   6:03:31 PM   1202637811   SYSTEM   1332   Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A. 
2/10/2008   6:03:32 PM   1202637812   SYSTEM   1332   An error has occured while attempting to update. Please check the logs. 
2/11/2008   10:37:19 PM   1202740639   XP   1772   Sign of "Win32:Rizo-E [trj]" has been found in "C:\DOCUME~1\XP\LOCALS~1\Temp\53341packed_server.exe" file. 
2/28/2008   11:50:48 AM   1204170648   XP   3248   Sign of "Win32:Restarter-D [Spy]" has been found in "C:\WINDOWS\system32\Tools\Restart.exe" file. 
2/28/2008   1:08:20 PM   1204175300   map   3948   Sign of "Win32:Restarter-D [Spy]" has been found in "C:\System Volume Information\_restore{375A5A91-270C-44F5-8C0C-466EBA062B7C}\RP29\A0010857.exe" file.


my pc keeps hanging... and then when i press the restart button.. it won't restart... i don't know if this is connected to the virus or spyware or whatever... but maybe...

i just hope someone can help me...

thank you again :)
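The warning.log lines pasted above can be filtered down to just the detections. This is an added example, not part of the original thread and not Avast's own tooling; the field separator (a tab or two or more spaces), the function names and the location labels are assumptions of this sketch.

```python
import re

# Lines copied from the warning.log excerpt in Reply #2.
SAMPLE_LOG = r"""
2/10/2008   2:00:34 PM   1202623234   SYSTEM   1332   An error has occured while attempting to update. Please check the logs. 
2/10/2008   3:31:31 PM   1202628691   SYSTEM   1332   Sign of "Win32:AutoRun-S [trj]" has been found in "G:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE" file. 
2/11/2008   10:37:19 PM   1202740639   XP   1772   Sign of "Win32:Rizo-E [trj]" has been found in "C:\DOCUME~1\XP\LOCALS~1\Temp\53341packed_server.exe" file. 
2/28/2008   11:50:48 AM   1204170648   XP   3248   Sign of "Win32:Restarter-D [Spy]" has been found in "C:\WINDOWS\system32\Tools\Restart.exe" file. 
2/28/2008   1:08:20 PM   1204175300   map   3948   Sign of "Win32:Restarter-D [Spy]" has been found in "C:\System Volume Information\_restore{375A5A91-270C-44F5-8C0C-466EBA062B7C}\RP29\A0010857.exe" file.
"""

# Assumption: fields are separated by a tab or by two or more spaces.
FIELD_SEP = re.compile(r"\s*\t\s*|\s{2,}")
DETECTION = re.compile(r'Sign of "([^"]+)" has been found in "([^"]+)" file')

# Path fragments that say where a hit sits (labels are this example's own).
LOCATIONS = [
    ("\\system volume information\\_restore", "system restore copy"),
    ("\\recycler\\", "recycle bin"),
    ("\\temp\\", "temp folder"),
]

def classify(path):
    lowered = path.lower()
    for fragment, label in LOCATIONS:
        if fragment in lowered:
            return label
    return "other"

def parse_detections(log_text):
    """Return one dict per 'Sign of ... has been found' line, skipping the rest."""
    hits = []
    for line in log_text.splitlines():
        fields = FIELD_SEP.split(line.strip(), maxsplit=5)
        if len(fields) != 6:
            continue  # blank or malformed line
        date, time, _epoch, user, _pid, message = fields
        match = DETECTION.search(message)
        if match:
            sig, path = match.groups()
            hits.append({"when": f"{date} {time}", "user": user,
                         "signature": sig, "path": path, "location": classify(path)})
    return hits

def detections_for(log_text, needle):
    """Detections whose signature name or path contains needle (case-insensitive)."""
    needle = needle.lower()
    return [h for h in parse_detections(log_text)
            if needle in h["signature"].lower() or needle in h["path"].lower()]

if __name__ == "__main__":
    for hit in detections_for(SAMPLE_LOG, "restart"):
        print(hit["when"], hit["signature"], hit["path"], f"({hit['location']})")
```

The second Restarter-D hit is labelled as a System Restore copy because its path lies under `System Volume Information\_restore{...}`, where Windows XP keeps restore-point copies of files.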

Offline oldman
Re: Restart.exe infected
« Reply #3 on: February 28, 2008, 03:02:15 PM »
Thanks. That particular file path is used by both legitimate software and malware.

It could be a false positive, especially since your restart problems started after you moved it to the chest.

I'd suggest restoring the file from the chest, then submitting it to VirusTotal for analysis.

  Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

Copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\system32\Tools\Restart.exe

Scroll down a bit and click "send file", wait for the results and post them in your next reply.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Re: Restart.exe infected
« Reply #4 on: February 28, 2008, 09:26:48 PM »
Hi mapie,

This is the description of the malicious variety:
http://www.softwaretipsandtricks.com/dangerous_files/1955-WinDirRestartexe.html
If you do not have any of the given files then indeed it could be a FP,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!