Restart.exe infected

restart.exe infected…

so what do i do now? it’s inside the virus chest… do i delete it? or how can i restore it coz i think i need this file to be able to restart the pc???

No, you don’t need it to restart your computer. Where the file was located will tell us what it may be used for.

In Windows Explorer, please navigate to this folder:

c:\program files\Alwil Software\Avast4\data\log

In the right-hand panel, please locate this file: warning.log

Open it with notepad and copy and paste the lines related to this detection. That will give us more information to go on.

thank you for the response… here it is

2/10/2008 2:00:33 PM 1202623233 SYSTEM 1332 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
2/10/2008 2:00:34 PM 1202623234 SYSTEM 1332 An error has occured while attempting to update. Please check the logs.
2/10/2008 3:31:31 PM 1202628691 SYSTEM 1332 Sign of “Win32:AutoRun-S [trj]” has been found in “G:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE” file.
2/10/2008 6:03:31 PM 1202637811 SYSTEM 1332 Function setifaceUpdatePackages() has failed. Return code is 0x2000001A, dwRes is 2000001A.
2/10/2008 6:03:32 PM 1202637812 SYSTEM 1332 An error has occured while attempting to update. Please check the logs.
2/11/2008 10:37:19 PM 1202740639 XP 1772 Sign of “Win32:Rizo-E [trj]” has been found in “C:\DOCUME~1\XP\LOCALS~1\Temp\53341packed_server.exe” file.
2/28/2008 11:50:48 AM 1204170648 XP 3248 Sign of “Win32:Restarter-D [Spy]” has been found in “C:\WINDOWS\system32\Tools\Restart.exe” file.
2/28/2008 1:08:20 PM 1204175300 map 3948 Sign of “Win32:Restarter-D [Spy]” has been found in “C:\System Volume Information_restore{375A5A91-270C-44F5-8C0C-466EBA062B7C}\RP29\A0010857.exe” file.

my pc keeps hanging… and then when i press the restart button… it won’t restart… i don’t know if this is connected to the virus or spyware or whatever… but maybe…

i just hope someone can help me…

thank you again :slight_smile:
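The step requested above, pulling the lines related to one detection out of warning.log, can also be scripted. This is an added example, not part of the original thread or of Avast's tooling: the function names are hypothetical, and the line layout (date, epoch, user, PID, message, with a user field containing no spaces) is assumed from the entries posted above.

```python
import re
from collections import namedtuple

Detection = namedtuple("Detection", "when epoch user pid signature path")

# Assumed layout, taken from the posted lines:
#   M/D/YYYY H:MM:SS AM|PM <epoch> <user> <pid> Sign of "<name>" has been found in "<path>" file.
# Both straight and typographic quotes are accepted, since forum software may rewrite them.
LINE_RE = re.compile(
    r'^(?P<when>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<epoch>\d+) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in '
    r'[“"](?P<path>[^”"]+)[”"] file\.\s*$'
)

def parse_detections(log_text):
    """Return one Detection per 'Sign of ... has been found' line; skip everything else."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["when"], int(m["epoch"]), m["user"],
                                   int(m["pid"]), m["sig"], m["path"]))
    return found

def related_to(detections, filename):
    """Hits on `filename` plus every other file flagged with the same signature."""
    suffix = "\\" + filename.lower()
    sigs = {d.signature for d in detections if d.path.lower().endswith(suffix)}
    return [d for d in detections if d.signature in sigs]

# Sample input: lines copied from the log posted in this thread.
SAMPLE = r"""
2/10/2008 2:00:34 PM 1202623234 SYSTEM 1332 An error has occured while attempting to update. Please check the logs.
2/10/2008 3:31:31 PM 1202628691 SYSTEM 1332 Sign of “Win32:AutoRun-S [trj]” has been found in “G:\RECYCLER\S-1-5-21-1078073611-1993962763-839522115-1003\mmc32.EXE” file.
2/11/2008 10:37:19 PM 1202740639 XP 1772 Sign of “Win32:Rizo-E [trj]” has been found in “C:\DOCUME~1\XP\LOCALS~1\Temp\53341packed_server.exe” file.
2/28/2008 11:50:48 AM 1204170648 XP 3248 Sign of “Win32:Restarter-D [Spy]” has been found in “C:\WINDOWS\system32\Tools\Restart.exe” file.
2/28/2008 1:08:20 PM 1204175300 map 3948 Sign of “Win32:Restarter-D [Spy]” has been found in “C:\System Volume Information_restore{375A5A91-270C-44F5-8C0C-466EBA062B7C}\RP29\A0010857.exe” file.
"""

if __name__ == "__main__":
    for d in related_to(parse_detections(SAMPLE), "Restart.exe"):
        print(d.when, d.user, d.signature, d.path, sep=" | ")
```

Filtering on the signature rather than only the file name also surfaces the System Restore copy that was flagged with the same signature later the same day.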

Thanks. That particular file path is used by both legitimate and malware.

It could be a false positive, especially since your restart problems started after you moved it to the chest.

I’d suggest restoring the file from the chest, then submit it to virustotal for analysis.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link:

www.virustotal.com

Copy and paste the following into the “upload a file” box (one at a time if more than one file is listed):

C:\WINDOWS\system32\Tools\Restart.exe

Scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Hi mapie,

This is the description of the malicious variety:
http://www.softwaretipsandtricks.com/dangerous_files/1955-WinDirRestartexe.html
If you do not have any of the given files then indeed it could be a FP,

polonus