Can Someone Please Help Me!

Hi, I am really confused at the moment I try a program called Spyware Terminator and I did a full scan with it and this what it pick up -

Trojan.Downloader.Dadobra.bru - that was located in C:\windows\system32\tools\Regexe.exe

and

RiskTool.Reboot.j - which was located in C:windows\system32\tools\restart.exe

I looked in that folder and what i found were my motherboard drivers of Elitegroup software.

So my question is does anyone know that are these Trojans, malware, or are they false positives. Because I scan my computer with Avast, Bitdefender 10 free edition, Ad aware, spy bots, superantispyware, a-squared, malwarebytes and these program found no virus, Trojan or malware during the scan with these programs.

So I’m confused to quarantine it or leave it in the folder because they could be linked to my motherboard registry drives and how reliable is Spyware Terminator compare to the other spyware scanners.

-= Try uploading the file here: VirusTotal

Hi, here is the virustotal result. I hope there is a link. ::slight_smile:

analisis/3f701b5984d796bd072af5c71e142765e79000fae52746ce8cffe9aa71c8b991-1243483833

analisis/efa2504692a7a180e4022e101f42cfcd40d32df8b04db4a4e7aa04b3f76476ec-1243483087

Here is the Regexe

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.28 -
AhnLab-V3 5.0.0.2 2009.05.28 -
AntiVir 7.9.0.168 2009.05.27 -
Antiy-AVL 2.0.3.1 2009.05.27 -
Authentium 5.1.2.4 2009.05.28 -
Avast 4.8.1335.0 2009.05.27 -
AVG 8.5.0.339 2009.05.27 -
BitDefender 7.2 2009.05.28 -
CAT-QuickHeal 10.00 2009.05.27 -
ClamAV 0.94.1 2009.05.28 -
Comodo 1207 2009.05.27 -
DrWeb 5.0.0.12182 2009.05.28 -
eSafe 7.0.17.0 2009.05.27 Win32.Downloader.dad
eTrust-Vet 31.6.6525 2009.05.28 -
F-Prot 4.4.4.56 2009.05.28 -
F-Secure 8.0.14470.0 2009.05.28 -
Fortinet 3.117.0.0 2009.05.28 -
GData 19 2009.05.28 -
Ikarus T3.1.1.57.0 2009.05.28 -
K7AntiVirus 7.10.746 2009.05.27 -
Kaspersky 7.0.0.125 2009.05.28 -
McAfee 5628 2009.05.27 -
McAfee+Artemis 5628 2009.05.27 Artemis!1D7AB8E965E5
McAfee-GW-Edition 6.7.6 2009.05.28 -
Microsoft 1.4701 2009.05.27 -
NOD32 4110 2009.05.28 -
Norman 6.01.05 2009.05.27 -
nProtect 2009.1.8.0 2009.05.27 Trojan-Downloader/W32.Agent.370688.O
Panda 10.0.0.14 2009.05.28 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.28 -
Rising 21.31.21.00 2009.05.27 -
Sophos 4.42.0 2009.05.28 -
Sunbelt 3.2.1858.2 2009.05.28 -
Symantec 1.4.4.12 2009.05.28 -
TheHacker 6.3.4.3.333 2009.05.28 -
TrendMicro 8.950.0.1092 2009.05.27 -
VBA32 3.12.10.6 2009.05.27 Trojan-Downloader.Win32.Dadobra.bru
ViRobot 2009.5.27.1757 2009.05.27 Spyware.Dadobra.Do.370688
Additional information
File size: 370688 bytes
MD5 : 1d7ab8e965e5a919af2a3aa4a68205ef
SHA1 : fd2c13d8229c164ce2f53fbfdb14f0d603bcb04f
SHA256: 3f701b5984d796bd072af5c71e142765e79000fae52746ce8cffe9aa71c8b991

Here is Restart

Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.28 -
AhnLab-V3 5.0.0.2 2009.05.28 -
AntiVir 7.9.0.168 2009.05.27 SPR/Tool.Reboot.J
Antiy-AVL 2.0.3.1 2009.05.27 -
Authentium 5.1.2.4 2009.05.28 -
Avast 4.8.1335.0 2009.05.27 -
AVG 8.5.0.339 2009.05.27 -
BitDefender 7.2 2009.05.28 -
CAT-QuickHeal 10.00 2009.05.27 -
ClamAV 0.94.1 2009.05.28 -
Comodo 1207 2009.05.27 -
DrWeb 5.0.0.12182 2009.05.28 -
eSafe 7.0.17.0 2009.05.27 -
eTrust-Vet 31.6.6525 2009.05.28 -
F-Prot 4.4.4.56 2009.05.28 -
F-Secure 8.0.14470.0 2009.05.28 -
Fortinet 3.117.0.0 2009.05.28 -
GData 19 2009.05.28 -
Ikarus T3.1.1.57.0 2009.05.28 -
K7AntiVirus 7.10.746 2009.05.27 -
Kaspersky 7.0.0.125 2009.05.28 -
McAfee 5628 2009.05.27 potentially unwanted program Generic PUP
McAfee+Artemis 5628 2009.05.27 potentially unwanted program Generic PUP
McAfee-GW-Edition 6.7.6 2009.05.28 Riskware.Tool.Reboot.J
Microsoft 1.4701 2009.05.27 -
NOD32 4110 2009.05.28 -
Norman 6.01.05 2009.05.27 -
nProtect 2009.1.8.0 2009.05.27 -
Panda 10.0.0.14 2009.05.28 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.28 Medium Risk Malware
Rising 21.31.21.00 2009.05.27 -
Sophos 4.42.0 2009.05.28 -
Sunbelt 3.2.1858.2 2009.05.28 -
Symantec 1.4.4.12 2009.05.28 -
TheHacker 6.3.4.3.333 2009.05.28 -
TrendMicro 8.950.0.1092 2009.05.27 -
VBA32 3.12.10.6 2009.05.27 -
ViRobot 2009.5.27.1757 2009.05.27 Not_a_virus:RiskTool.Reboot.408576
VirusBuster 4.6.5.0 2009.05.27 -
Additional information
File size: 408576 bytes
MD5 : 3a33a940be4e0dbff5b431a40e96bcfd
SHA1 : 6d4db92719c4aff404c360058b531f412acb7774
SHA256: efa2504692a7a180e4022e101f42cfcd40d32df8b04db4a4e7aa04b3f76476ec
PEInfo: PE Structure information

-= I would say that there is a high percentage of both to be a False Positive…

-= here is a similar issue

Hi Northeast,

A risktool is a tool or program or executable rather that could be used for malicious purposes if for instance it was placed onto your computer by a third party (hacker, malware, spyware, etc.).
Some anti-malware tools are also found up as risktools by anti-malware and av-scanners, because they are dangerous in the hands of the unaware and need instruction to work properly and not to harm the Operational System.
So a risktool is no risktool if you have willingly installed it, and you know what you plan to do with it and are aware of the workings of the tool and also the risks involved (registry editor).
Another issue is that firm admin’s do not want certain tool installed on the machines in their network and therefore have not made an exclusion to the use of certain risktools and unwanted programs seen given by that particular policy towards unwanted tools and programs (this should be presented in written form to the workers in that firm so they are aware what is allowed and not) are deleted by for instance an av-solution like McAfee for small companies. But on your personal computer you are free to make an exclusion for these tools as you see fit,

polonus

I had a similar report on virustotal and virscan.org a few weeks ago. I uploaded a crack file. And took a chance anyway and open it. Some days later I went to check system restore, everything was gone except for the files it (the installed crack) keep to stay in the system.

So, if I were you, I would start backuping all the files, and be careful that no hidden or self-modifying “.ini” files are not in your backup. I would select each files one by one with WinZip or WinRar (keeping the whole path, which I was not clever enough to do the time I tried it, it was my first)

I had tried different anti-virus-malware-etc… no luck. Vipre rescue did help and found it, but only in the file that I had dl. It could not do a thing for the rest. So I install Vipre Anti-virus, it blocked explorer.exe as a suspicious process. Guess what, everything shut down. I had to uninstall everything by hand file by file in safe mode not forgetting the keys. Lots regedit scanning.
Reinstall avast (it was never uninstall in the first place) just to be safe, all from an avast clean-up.
And I started packing my things.
Hope you don’t have to go throu this. Good luck;)

Ghis

btw; I would like to know if there are any risks of a malware to find its way throu the partition files where the retail vendors all have the very clever (I mean dumb) idea to put all the recovery files as the only way to reinstall?

Hi guys, thanks for replying

To Fenrir thanks for helping me find articles that has similar issue to me I thought it was a false positive because only Spyware Terminator pick up these as Trojans and no other programs did as I would say that Spyware Terminator does pick up some false positives than other spyware programs.

As the program scanned and pick up these 2 files i quarantine it and my computer was working fine as I was about to delete them, and then the next day I decide to check the system32\tools folder to find out that they were part of my motherboard drivers and then I restored them back to the folder, but since I dont usually check inside the windows folders I just wanted to make sure that those icon weren’t disguise as Trojans.

To polonus thanks for giving me info on my issues, your description was a bit advance and i had to read it a few times to understand it but it gave me great info on what a risktool is.

Cheers thanks for your help Guys.

-= You’re always welcome… :wink: