suspicious file

Discussion in 'Trojan Defence Suite' started by subzerox, May 13, 2005.

Thread Status:
Not open for further replies.
  1. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Hi, I had three files rated as suspicious and they look as follows:

    alarm: Suspicious filename

    Name: HTA file in suspicious location

    File: C:\system volume information\_restore{f82617b8-3574-4b04...

    This file, or shall I say files, because this file was displayed three times. These files have been deleted before because this message showed up with a previous scan.
    I didn't know exactly what action to take, but I took the chance to delete them, not knowing what other programs I might eventually disturb, but now these files show up again.

    I have no clue what these files mean or how I can find out :eek: , so if anybody can tell me where these files belong to or how I can find out I would very much appreciate this, because in my opinion I have a possible infection at this point.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi subzerox, if you had a previous infection which you cleaned, then these suspicious files are in your system restore file.
    To clear this, go to System Restore settings and disable it. Reboot, make sure there are no restore points, then re-enable System Restore.

    HTH Pilli :)
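As an added illustration of the point made in the post above (this is example code, not from the thread posters or from TDS), the helper below parses scanner alerts in the "alarm / Name / File" form shown in the first post and separates paths that sit inside a System Restore snapshot (`<drive>:\System Volume Information\_restore{GUID}\...`) from paths in active locations. A restore-point copy is an inactive snapshot of a file that was already removed, so the fix is to purge restore points; an active-location hit needs to be examined where it lives. The sample report, the GUID and the second path are constructed for the example; the regex also accepts a GUID cut short by "..." as it appears in the original alert.

```python
"""Triage helper for scanner "suspicious filename" alerts.

Added example for the thread above, not code from TDS or the forum posters.
Classifies each flagged path as a System Restore copy (a snapshot of a file
that was previously cleaned, which only disappears when restore points are
purged) or as a file in an active location that needs a real look.
"""
import re
from typing import Dict, List

# A System Restore snapshot lives under
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\A<digits>.<ext>
# Matching is case-insensitive because the scanner lower-cases the path.
# The closing brace is not required so a GUID truncated with "..." still matches.
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{(?P<guid>[0-9a-f-]+)",
    re.IGNORECASE,
)


def parse_alerts(report: str) -> List[Dict[str, str]]:
    """Parse 'key: value' alert blocks separated by blank lines."""
    alerts: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            if current:
                alerts.append(current)
                current = {}
            continue
        # Split on the first colon only, so "File: C:\..." keeps its drive letter.
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:
        alerts.append(current)
    return alerts


def classify_path(path: str) -> Dict[str, str]:
    """Tell a restore-point snapshot apart from a file in an active location."""
    m = RESTORE_RE.match(path.strip())
    if m:
        return {
            "location": "restore-point copy",
            "restore_guid": m.group("guid"),
            "advice": "inactive snapshot; purge restore points to remove",
        }
    return {
        "location": "active location",
        "restore_guid": "",
        "advice": "examine the file where it lives",
    }


def triage(report: str) -> List[Dict[str, str]]:
    """Parse a report and attach a classification to every alert with a File: line."""
    results = []
    for alert in parse_alerts(report):
        if "file" not in alert:
            continue
        info = classify_path(alert["file"])
        results.append({"file": alert["file"], "name": alert.get("name", ""), **info})
    return results


# Constructed sample report: the GUID and the second path are made up for the
# example and do not come from the original thread.
SAMPLE_REPORT = """\
alarm: Suspicious filename
Name: HTA file in suspicious location
File: C:\\system volume information\\_restore{00000000-0000-0000-0000-000000000000}\\RP7\\A0000123.hta

alarm: Suspicious filename
Name: HTA file in suspicious location
File: c:\\program files\\example app\\system\\page.hta
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT):
        print(f"{row['location']:<19} {row['file']}")
        print(f"    -> {row['advice']}")
```

Running the block prints one line per alert with its classification; only the second, active-location hit would warrant looking at the file itself.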
     
  3. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Well, I'm not even sure it is an infection, but it is rated as suspicious. I am going to do what you advised, but is this a real infection?
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since it's in your sys restore....some of the more helpful info concerning the HTA is unavailable....so without that info it would be a guess.

    For example:

    Suspicious Filename: HTA file in suspicious location
    File: c:\program files\microsoft money\system\lnpg.hta


    As noted in the below thread....it might have been placed there by your scanner because the "suspicious detection reports" were "too sensitive"?

    This thread---> https://www.wilderssecurity.com/showthread.php?t=37267
     
  5. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    When I was going to disable System Restore I had the following display from WormGuard.......
    Is this a normal message display or do I have to worry?

    img214.echo.cx/my.php?image=screenhunter32hs.jpg

    ~added pic as attachment....Bubba~
     

    Last edited by a moderator: May 13, 2005
  6. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Bubba, I'm sorry if I did something wrong when posting the link for the image, but it was the first time ever doing something like that.

    I'm kind of curious: is the editing done because this looks better and is faster to reply to, or is the other way of posting the image "illegal"?
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Rstrui should be on your WormGuard allowed list when running XP. Please add this line to your allowed list. Note that you will have to change the path if you have Windows on a different drive or folder than C:\
    c:\windows\system32\restore\rstrui.exe

    HTH Pilli
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    You did great

    It's a personal preference of mine to see the image as we follow along without leaving the confines of Wilders :cool:
    Not even close to being illegal....and if it had been....I would not have left the clickable hyperlink :eek:

    Chill....you're doing a great job ;)

    It ain't much....but the below thread is an attempt to show how to make an attachment in case you are unsure.

    This thread---> FAQ: Screen Shots and Image Posting
     
  9. subzerox

    subzerox Registered Member

    Joined:
    May 5, 2005
    Posts:
    35
    Thanks Pilli, that did it, I have those files removed.

    @bubba

    :D I'm chilled
     