Returnil going crazy?

Discussion in 'Returnil releases' started by MLO, Jan 10, 2010.

Thread Status:
Not open for further replies.
  1. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9
    There are 108 messages from Returnil in the attachment (if I properly attached the file). I've run Norton 360 and Spybot S & D and they haven't noticed anything. Is it possible that these are on my computer? I've noticed no difference in my computer's performance, but I don't know for sure. Any help is appreciated.

    Edit: I also ran a scan with ThreatFire and Malwarebytes Anti-Malware. Neither picked up anything. Anyone have any ideas as to why it's going crazy?
     

    Last edited: Jan 10, 2010
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Not really, but my personal opinion is that the F-Prot heuristics can be a bit touchy. Have you selected "All detection rules" under Preferences>Virus Guard? If so, you might knock it down a step. In any event, this is a TEMP folder. You should be able to simply execute a manual delete and be done with the issue.

    Blue
     
  3. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9


    I have it set to only proven detection rules right now. Also, I'm not sure where that directory would be. I tried putting it in Explorer, but it said that it was an invalid path. I haven't had a USB device or anything attached and/or removed either.

    Edit: Thanks for your help so far though! :)
     
  4. cyberdiva

    cyberdiva Registered Member

    Joined:
    May 30, 2007
    Posts:
    71
    Since they all seem to be identified only through heuristics, and since none of your other antivirus or anti-malware programs find anything wrong, I'd bet this is just another instance of F-Prot running wild. Right after I started using Returnil, I got nine messages telling me about various baddies that F-Prot had supposedly found on my computer. None of my other security software found anything, my computer worked fine, and I just about NEVER have malware on my computer. So I was quite sure that the problem was with F-Prot. I decided to disable it. Why would I need a second antivirus program when I already had one I trusted, along with Malwarebytes Anti-Malware Pro, Spybot, a good firewall, etc? Moreover, isn't running two antivirus programs at the same time an unwise thing to do?
     
  5. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Hmm, got me there.
    The actual path that you would use is probably C:\WINDOWS\TEMP (DEVICE\HARDDISKVOLUME2 is one of your drives\partitions and by saying C:\, I'm assuming a standard configuration with no alternate boot partitions).
    My pleasure.

    If things are still unclear, keep asking....

    Blue
     
  6. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9

    OK. I tried what you had linked and it still returned an error searching for it.

    Yeah. I'm thinking about disabling. I may just leave it running and let it go wild with whatever it wants as long as I notice no problems that arise because of it. Thanks all!
     
  7. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Within Explorer, this will be a hidden area. When you bring up Explorer, on the top level menu, select Tools>Folder Options, select the View tab.

    [Screenshot: Folders.png]

    You need to select "Show Hidden Files and Folders". So I see everything, I generally also uncheck "Hide Protected Operating System Files" although that shouldn't be required for what you're looking for. Finally click the "Apply to All Folders" button. Those hidden areas should now be visible. Note: you need to be logged into an admin level account to navigate to that location as well.

    Blue
     
  8. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi MLO,
    When you are able to access your temp folder, please place a sample of the files detected in a ZIP or RAR archive and send to support (dash) tech (at) returnil (dot) com so they can be investigated.

    Thanks
    Mike
     
  9. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9
    Oh. Haha. I had all that (displaying all hidden folders and extensions shown et al), but I accidentally copied the (\Device..) part after the \Temp. Thanks!

    Sure thing. Just to be safe I ran the scans again with this particular folder. Still no signs from other programs. Also, the folders or applications listed do not appear to exist within this folder. They don't exist within the tfxz either.

    Returnil is now at 169 messages (up from the previous 108). Thank you guys for your continued interest and assistance! Should I delete the folder \Windows\Temp after putting them in a ZIP/RAR and sending it to Returnil's support?

    Edit: Fixed the 108 so a smiley didn't appear.

    Edit again: It appears that I cannot fully copy all of the files that are necessary. One (JETAC26.TMP) appears to be in use by Norton 360 (when attempting to create the archive with Windows' standard compression service). It just says it's being used by another process when attempting to view the TMP file in Notepad. The other file simply says that Access is Denied (despite the fact that I'm the administrator and only user).

    Action: Add (and replace) files Include subfolders: no Save full path: no
    Adding Temp\fwtsqmfile00.sqm
    Warning: could not open for reading: C:\Windows\Temp\fwtsqmfile00.sqm
    Adding Temp\JETAC26.tmp
    Warning: could not open for reading: C:\Windows\Temp\JETAC26.tmp
     

    Last edited: Jan 11, 2010
  10. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Are these files being detected by RVS Virus Guard?

    Mike
     
  11. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9

    Not that I'm aware of. I've run the Returnil scans and they've never detected anything in the scan itself. My messages are up to 178 now. I believe that one of them is from Norton. I ran a scan via Norton 360 in Safe Mode and that J file wasn't present and the .sqm. It only detected a tracking cookie on my computer.

    Would you like me to run Returnil in Safe Mode? I don't really mind the messages, but I'm just not sure what's causing them considering I've run multiple programs multiple times and they've found nothing. That's the reason that I currently have concern.
     
  12. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Try to add the files in the message alert to your quarantine list. Let me know if the detections continue...

    Mike
     
  13. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9
    Under the messages tab? I've tried that before to no avail. It doesn't do anything. I also looked in Preferences. I have nothing in Quarantine, but I've tried multiple times to add the files in the messages.
     
  14. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Please try a disk clean up and then restart to clear out the temp folder and then watch to see if there are more detections.

    Mike
     
  15. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9
    OK. I've run the Disk Cleanup utility. I'll report back later to tell you if Returnil has identified any more problems. Thanks for your continued help and aid!
     
  16. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9
    There still appear to be messages being displayed. I'm up to 233 messages now. I've noticed something of interest. There may not be a problem with Returnil, but there may be a problem with my BIOS or another part of my computer. The messages only appear after I've been away from the computer for extended periods of time and the monitor turns itself off. This is interesting because I have the graphics card and Windows 7 set to not turn off the monitor. I never thought much of it.

    I'm going to try flashing the BIOS. I think that's probably where the problem is. This is a refurbished computer so I believe that it's a possibility. Thanks for your help though.

    Edit: It turns out I did have a different setting for the monitor to turn itself off. Stupid power settings! I still think it would be worth trying to flash the BIOS. I bought an SSD that I'll put my Windows install on. I'd be interested to see if it's something with the BIOS though.
     
    Last edited: Jan 14, 2010
  17. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    Please check for rootkits as well (GMER is one suggestion), just to make sure. The way you describe what is happening would make me cautious. Also, check to see if there is internet activity when the monitor goes into power saving mode; an old trick here would be for the (possible) malware or spyware to remain quiet until any possible activity would be hidden from the user (monitor/graphics in standby for example).

    Mike
     
  18. MLO

    MLO Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    9
    Well, I ran yours and two others (one from Microsoft and I don't remember the name of the other). None of them appear to have identified anything. I've noticed that I don't have access to some things such as \Documents\My Pictures\. Access is restricted, even to administrators. :cautious:

    What's the most effective way to wipe the device clean and then reinstall the OS? I had installed Windows 7 when I got the machine (fresh install), but it kept the windows.old. I'm thinking that there may be a virus or rootkit or something (as my computer crashes if I try to return from sleep mode), but no one is identifying anything (except Returnil occasionally blocking something that I can't find).

    I still haven't had a chance to flash BIOS, but I think I need to do that as well. There's something that's just not quite right. Folders that I should have access to are restricted and I've never been able to put my computer into Sleep Mode.

    Edit: I'm in the process of running DBAN in order to make sure that nothing is on the computer's hard drive. As stated, I am purchasing an SSD that should arrive at some point on Tuesday. I would like to use this as my storage device for programs I don't always need. Once it's done and completed, I will install Returnil and post an update as to whether or not this is still happening.

    Edit again: After having run DBAN in order to make sure the entire drive was written to and written over, there have been no reports from Returnil. It appears that I had some sort of virus or rootkit (even though those three rootkit detectors found nothing). I do thank you and BlueZannetti for all of your help!
     
    Last edited: Jan 18, 2010