Not-A-Virus.Tool.Reboot

I was surprised to get a blue sreen while surfing with Opera, yesterday evening. Never had a blue screen before. I decided to do scans today and Ewido caught C:\windows\_MSRSTRT.EXE, Not-A-Virus.Tool.Reboot

Is this anything serious, or related to the BS. Is it a trojan or a virus? Should it have passed by Nod?

thanks

 

The _MSRSTRT.EXE can be created by some legitimate apps as a way of reboot the pc (eg during a reg defrag by tuneup utilities etc)

https://www.wilderssecurity.com/showthread.php?t=81428

 

scan it with(upload it to each)
http://virusscan.jotti.org/
http://www.virustotal.com/flash/index_en.html
http://www.kaspersky.com/scanforvirus

 

Ewido has it in quarantine -- I don't think I should release it?

I'm certain I haven't use any such utilities program - especially since my last Ewido scan

 

I suggest you send it to analysis. Better safe than sorry

 

you mean send it to Nod

should I release it? presently in quarantine with an .ess extension.


scans of the .ess files came up with negatives from Kaspersky and possible from jotti

 

If NOD is your AV, then yes, send it to Eset.
It could be something or it could be harmless.

 

Please read the threat name more carefully: NOT-A-VIRUS.Tool.Reboot. NOD32 used to detect it in the past, but then we decided not to detect it because such tools are used by various programs and are used to reboot the machine (e.g. after installation of a particular program).

 

like a virus writer wouldn't use such a name

 

You do have a point 4Now, name a new virii after a 'previously' detected malware, success guaranteed.

 

well I think that I have submitted the .exe version

I went to Control Panel/Quarantine/add

on 'submit' it asks for file destination again - so I pointed to the original file - instead of searching for the Nod 32 quarantine folder, because I'm not sure why it would be asking for directions (to a known location?).

Did I manage to pass the test?

 

You can go into the quarantine menu in NOD32, click add and select the file.
Now it should be in the list - Just rightclick and select 'submit for analysis'.

http://img11.imageshack.us/img11/4797/add6tq.jpg

 

when you hit 'submit for analysis' it asks for 'file' and '...' <choose path>

what goes in there?

 

Navigate to where the infected/suspicious file is located on your system, and click on it.

Cheers

 

ok - thats what I did. Thanks blackspear

 

When it's in the quarantine, NOD already has a copy of the file stored in the quarantine folder (encrypted of course).
This is how it should look like when you rightclick on the file in the list and select 'submit ...':
http://img199.imageshack.us/img199/3969/sublit6pb.jpg

 

a different way

thanks

 

I am of the belief that NOD32 would normally be unfooled and detect the threat anyway via AH.

 

I think we have missed the point here though, why is/was the file created in the first place?
Regardless of whether it should be detected as a Virus etc.......
4Now stated that no utilities had been run...
It's obviously too late now, but if ever I find this sort of suspicious file, I usually check the date/time (yes I know that can be faked) and then look for a legitimate folder/file etc that was created at the same time.
ie if a folder like /program files/mynewwhizbangapplication was created at exactly the same time, then I don't feel so wary.

Cheers Ben.

 

But the new virus will have different behaviour...and then heuristics will catch it.

 

that a good idea beng. I will remember next time.

I haven't had any word from eset, so there's really know way to know that it was positive yet. Only the submission to the jotti site came with positives. One from it's Kaspersky engine, but strangely the Kaspersky site revealed a negative.

I just find it strange that I had a blue screen while browsing of all things. I've never had anything like this on my stable system. And I had just done scans a few days ago -- Ewido usually never finds anything.

It could be just a coincidence. It seems that Ewido has just upgraded to 3.5 from 3.0 in its last update - so perhaps its more sensitive.

 

But still, better safe than sorry.

 

why don't you Google it. it might turn to be a "normal`" file for certain app

 

G'day Hadi,
Great point.. however Ailric and Marcos beat you to the answer <grin>.

 

Should it have passed Ewido's realtime guard?