Author Topic: RedArc-1594  (Read 10831 times)


Offline heldlik

  • Newbie
  • *
  • Posts: 6
  • I'm not a llama!
RedArc-1594
« on: September 03, 2003, 03:43:31 PM »
Hello.

My computer has a dual boot of w2k and w98. After a crash (perhaps caused by the virus), I scan the entire computer from the w98 boot. When scanning the w2k partition, it detects RedArc-1594 in my PAGEFILE.SYS.

I clear it and boot back up to w2k. When scanning again in W2k no virus is found, but after a while the computer hangs again, and a virus can be detected in the PAGEFILE.SYS same as before.

I've been trying to find information about this virus RedArc-1594 on the net, and info about how it infects, and how to clear it. But can't find anything useful.

Does anyone know what to do and where to look? I really don't want to reformat the entire drive.

BRG

heldlik

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:RedArc-1594
« Reply #1 on: September 03, 2003, 03:46:09 PM »
Hi,
-do you have any other AV-Scanners on the system ?
Looks like Avast stumbles over its own/some other AV-signature in the Swap file.

-use the board search above, there was recently a similar problem with a detection in
PAGEFILE.SYS
 :)

Offline heldlik

  • Newbie
  • *
  • Posts: 6
  • I'm not a llama!
Re:RedArc-1594
« Reply #2 on: September 03, 2003, 03:58:10 PM »
Hi.

Yes, as a matter of fact on the W2K system I have installed AVAST as well.

I was suspecting what you mentioned, but how can I be sure what is what?

hmmm

heldlik

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re:RedArc-1594
« Reply #3 on: September 03, 2003, 04:03:05 PM »
If the "virus" is found only in the swap file and nowhere else, you don't have to be worried. The content of the swap file is not reused after restart, so it cannot do any harm to you.

Of course, it doesn't answer the question how did the signature get there...  ???

Offline heldlik

  • Newbie
  • *
  • Posts: 6
  • I'm not a llama!
Re:RedArc-1594
« Reply #4 on: September 03, 2003, 04:22:41 PM »
Alright, and thanks for the super quick answers!

Reading about similar issues with the PAGEFILE.SYS leads me to think that this issue is caused by having the RedArc-1594 signature from the AV program in memory/swap file when crashing the computer in W2K. This makes AV detect it as a virus when scanning from W98.

Ergo; - no viruses on my computer anymore.... for now... perhaps...
:)
heldlik

Offline heldlik

  • Newbie
  • *
  • Posts: 6
  • I'm not a llama!
Re:RedArc-1594
« Reply #5 on: September 04, 2003, 01:22:13 PM »
The only problem I see, is why is it that the only virus it detects is this RedArc-1594 in the pagefile.sys file?

I mean that there should be other signatures in there as well no?

If anyone has some kind of information on this RedArc-1594 virus, I would so much appreciate it, but it's not really reported somewhere I can find it with google or other search engines.
 :-\

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:RedArc-1594
« Reply #6 on: September 04, 2003, 01:41:15 PM »
I think avast does not report more, because it stops scanning the file if it found a virus. If they remove the signature for that virus, it would report another one.

The reason you cannot find any info on google is that it is a real old DOS virus and was never ITW. It is a Zoo Virus.

If you want some info (it is an "uninteresting" DOS file infector) you may look here: http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=RedArc-1594&product=0
« Last Edit: September 04, 2003, 01:42:54 PM by raman »
MfG Ralf
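
An added example, not part of the original thread and not Avast's engine: a chunked byte-pattern scan over a constructed stand-in for a swap file, showing why a scanner that stops at the first match reports only one name while a full scan lists every stale pattern with its offset. The pattern names, bytes and helper functions are hypothetical placeholders.

```python
import io

# Constructed placeholder patterns for illustration; NOT real antivirus signatures.
SIGNATURES = {
    "Example-A": b"\x90SIG-A-PLACEHOLDER\x90",
    "Example-B": b"\x91SIG-B-PLACEHOLDER\x91",
}

def scan_stream(stream, signatures, chunk_size=4096, stop_at_first=False):
    """Return sorted (offset, name) hits for byte patterns in a binary stream."""
    # Carry the last (longest pattern - 1) bytes into the next read so a
    # pattern that straddles a chunk boundary is still matched.
    overlap = max(len(p) for p in signatures.values()) - 1
    hits, tail, base = set(), b"", 0  # base = file offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        window = tail + chunk
        for name, pattern in signatures.items():
            pos = window.find(pattern)
            while pos != -1:
                hits.add((base + pos, name))  # set removes re-found overlaps
                pos = window.find(pattern, pos + 1)
        if stop_at_first and hits:
            return [min(hits)]  # first-match scanner: one name, then stop
        keep = min(overlap, len(window))
        base += len(window) - keep
        tail = window[-keep:] if keep else b""
    return sorted(hits)

def build_sample_swap(page=4096):
    """Constructed 3-page stand-in for a swap file containing stale pattern bytes."""
    data = bytearray(page * 3)
    b, a = SIGNATURES["Example-B"], SIGNATURES["Example-A"]
    data[page - 5:page - 5 + len(b)] = b              # straddles pages 0 and 1
    data[2 * page + 100:2 * page + 100 + len(a)] = a  # inside page 2
    return bytes(data)

def scan_bytes(data, stop_at_first=False):
    return scan_stream(io.BytesIO(data), SIGNATURES, stop_at_first=stop_at_first)

if __name__ == "__main__":
    sample = build_sample_swap()
    print("all hits:   ", scan_bytes(sample))
    print("first only: ", scan_bytes(sample, stop_at_first=True))
```

A hit here only says that those bytes sit at that offset in a data file; it says nothing about whether any code containing them was ever executed.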

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11761
    • AVAST Software
Re:RedArc-1594
« Reply #7 on: September 04, 2003, 01:51:20 PM »
What version of avast! do you use?

avast! 4 doesn't keep the virus signatures in plaintext (not even in memory) - so the signature could not get into the swap file this way.
With avast32, it may happen occasionally.

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2085
Re:RedArc-1594
« Reply #8 on: September 04, 2003, 01:59:30 PM »
What version of avast! do you use?

why version? avast4 does not use real whole signatures in memory - and since it's a zoo virus, it could be our false alarm :(.

Offline heldlik

  • Newbie
  • *
  • Posts: 6
  • I'm not a llama!
Re:RedArc-1594
« Reply #9 on: September 04, 2003, 02:47:33 PM »
I am using AVAST v 4.0 Professional...

Offline heldlik

  • Newbie
  • *
  • Posts: 6
  • I'm not a llama!
Re:RedArc-1594
« Reply #10 on: September 09, 2003, 11:43:47 AM »
Sorry to go on about this, but I'm not really able to rest my mind until I know whether this is a false alarm or not. I thought I was but I'm clearly not.

Perhaps a total restore (FORMAT C:) is the best way after all...  :-\

Offline whocares

  • Super Poster
  • ***
  • Posts: 1698
  • I'm not a llama! :-)
Re:RedArc-1594
« Reply #11 on: September 09, 2003, 12:48:28 PM »
hi,
I don't think a reformat is necessary:
Info:

http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=RedArc-1594&product=1

try other scanners, such as Trend, KAV, AV-Bootdisks (see below) & www.ravantivirus.com

I guess sending in the swap-file is pretty impractical  ;)