Trojan-gen

Hi.
Avast’s found an infected file in C:/Windows/SysWOW64 during a quickscan:
api-ms-win-core-sysinfo-l1-1-0.dll

I moved it into the box.
Avast then asked for a boot scan; it found no more infected files.

Here’s the VT scan:
http://www.virustotal.com/file-scan/report.html?id=176b70c0267269d78b2519eabd3c7778faa6e6358dc2577c6b40907de633cd41-1318181581

I would appreciate any help you could offer regarding this problem.

Which problem? Aren’t you clean now?

It’s in the box, still infected.
It’s a crucial file; I shouldn’t delete it.

I tried repairing it with avast, but it remained infected.

If we trust the Sigcheck, then it seems to be a Microsoft file:

File size : 233472 bytes
First seen: 2011-08-08 19:33:02
Last seen : 2011-10-09 17:33:01

sigcheck:
publisher…: Microsoft
copyright…: Copyright (C) 1997-2001 Microsoft Corporation
product…: Microsoft
description…: RDP Renderer Filter (redirector)
original name: DSHOWRDPFILTER.ax
internal name: DSHOWRDPFILTER.ax
file version.: 1.00
comments…: n/a
signers…: -
signing date.: -
verified…: Unsigned

It has the same size according to the properties window,
but half of the scanners on VT found it infected.

Hi. Well… Windows system files have a “Microsoft® Windows® operating system” string in their ‘Product’ property. And as I can see, it isn’t signed, because “signers” is empty…

Or… Am I wrong?

Avira detects it,

so if you upload it to Avira as a False Positive case, you get them to do a manual analysis and give you a result: clean or malware.

http://analysis.avira.com/samples/ (it may take 48 hours before you receive the answer)

Or you can send it to SOPHOS as an undetected sample; they are usually quick to respond. I have received answers after 30 minutes in some cases.
https://secure.sophos.com/support/samples

Thanks, I’ve tried both.

OFF: Can I upload a file directly from the box, or is it impossible
to do it without restoring it to the original folder?

No, it is a protected area (encrypted); you have to Extract it to a temporary location. Don’t Restore it, as that sends it back to the original location, which would mean it would be active again if infected.

Here are the reports:

Welcome back, Mr Mészáros Bence!
A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
26335231 api-ms-win-core-s…-0.dll 228 KB MALWARE

Please find a detailed report concerning each individual sample below:
Filename Result
api-ms-win-core-s…-0.dll MALWARE

The file ‘api-ms-win-core-sysinfo-l1-1-0.dll’ has been determined to be ‘MALWARE’. Our analysts named the threat TR/Drop.Mudrop.rei.1. The term “TR/” denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection is added to our virus definition file (VDF) starting with version 7.11.14.132.

Hello,

Thank you for contacting Sophos Technical Support.

Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.

api-ms-win-core-sysinfo-l1-1-0.dll – identity created/updated (New detection Troj/DwnLdr-JKM)

MBAM didn’t detect it as infected.

I ran an avast boot scan and the Eset online scanner; they haven’t found anything,
so I think I can assume this is the only infected file.

Since MBAM didn’t detect it, I couldn’t use it to repair the file.

I wonder what I should do next:
Should I use HijackThis, wait for an MBAM update so it can detect this infection,
or try to replace the infected file with a vanilla Microsoft file?

"I ran avast bootscan, and Eset online scanner, they haven't found anything"
Well, if the file is already in the avast chest, then there is nothing to detect.
"Since MBAM didn't detect it, I couldn't use it to repair the file."
MBAM does not repair files, it only quarantines them.

And although the name is the same as an MS file, it is not and never was one.
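A defender-side check for the two points raised in this thread (the file is unsigned, and its ‘Product’ and original-name strings do not match what a real Windows component carries), written as an added example that is not from the thread or from any vendor: a PowerShell script that lists DLLs in a system directory whose Authenticode signature does not verify as Microsoft’s or whose version info looks wrong for the name it carries. The parameter names, the function name Test-SystemDll and the default filter are my own assumptions; the expected Product string is the one quoted above.

```powershell
# Added example: flag DLLs in a Windows system directory whose signature is not
# valid/Microsoft's or whose version-info strings do not fit a Windows component.
# Assumes an elevated PowerShell on a Windows host (Windows 10 / PowerShell 5.1+
# so that catalog-signed system files verify as 'Valid'). Names are assumptions.
param(
    [string]$Directory = "$env:SystemRoot\SysWOW64",
    [string]$Filter    = 'api-ms-win-core-*.dll'
)

# Product string real Windows components carry (comparison is case-insensitive).
$ExpectedProduct = 'Microsoft® Windows® Operating System'

function Test-SystemDll {
    param([System.IO.FileInfo]$File)

    # Get-AuthenticodeSignature also consults the security catalogs, which is how
    # most files under System32/SysWOW64 are signed (no embedded signature).
    $sig  = Get-AuthenticodeSignature -FilePath $File.FullName
    $info = $File.VersionInfo

    $reasons = @()
    if ($sig.Status -ne 'Valid') {
        $reasons += "signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        $reasons += "signed, but not by Microsoft: $($sig.SignerCertificate.Subject)"
    }
    if ($info.ProductName -ne $ExpectedProduct) {
        $reasons += "unexpected Product string: '$($info.ProductName)'"
    }
    # A value like DSHOWRDPFILTER.ax inside an api-ms-win-core-*.dll is a mismatch.
    $origBase = [IO.Path]::GetFileNameWithoutExtension([string]$info.OriginalFilename)
    if ($origBase -and $origBase -ne [IO.Path]::GetFileNameWithoutExtension($File.Name)) {
        $reasons += "OriginalFilename '$($info.OriginalFilename)' != '$($File.Name)'"
    }

    [pscustomobject]@{
        Path       = $File.FullName
        Size       = $File.Length
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

Get-ChildItem -Path $Directory -Filter $Filter -File |
    ForEach-Object { Test-SystemDll -File $_ } |
    Where-Object Suspicious |
    Format-Table -AutoSize Path, Size, Reasons
```

A file that appears in this list is not thereby proven malicious; it is a candidate to compare against a known-good copy or submit for analysis, as was done in the thread.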