What's wrong here?

Discussion in 'Trojan Defence Suite' started by tutankamon, Sep 23, 2004.

Thread Status:
Not open for further replies.
  1. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi all,
    I ran "Full system scan" earlier this afternoon (I have not run the full scan for a while), and I got a positive ID.
    However, the restore folder on my hard drive is in capital letters (RESTORE),
    not in small case as reported by TDS.
    Also, when I open the RESTORE folder there is no temp folder or file in it. I have been to TOOLS/FOLDERS/show hidden etc., but still no folder or file called temp, and no reference at all to Riskware.Tool.Gendel32.0.
    As I can't find this file I certainly can't submit it. Is this a 'False Positive'?
     

    Attached Files:

  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tut, not sure about this one, could be an FP. Funny that the text shows 0 files, but then System Volume Information is a special folder :(
    Can you check that your radius file is OK and reads as follows:
    Systems Initialised [38179 references - 15546 primaries/10651 traces/11982 variants/other]
    Gavin should be along in a few hours and may be able to give you a proper answer.
     
    Last edited: Sep 23, 2004
  3. se7engreen

    se7engreen Registered Member

    Joined:
    Feb 6, 2004
    Posts:
    369
    Location:
    USA
    I notice in your pic that the directory is not c:\restore it's c:\_restore. The underscore can make all the difference. Make sure that you are able to view hidden files and folders and see if the _restore folder is directly under your C drive. Could be worth a shot.
     
  4. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hello again,
    Yes, I have selected show hidden folders; the only RESTORE folder is _RESTORE (capital letters), which only contains this.
     

    Attached Files:

  5. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi Pilli,
    I have checked my update and it is exactly as you say:
    38179 references - 15546 primaries/10651 traces/11982 variants
    so that's OK. I've tried 'search for folders and files' for _restore, but all I get is _RESTORE (in capital letters). I do not seem to have a folder called _restore.
    This is what makes it so confusing.
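Windows file systems match names case-insensitively, so C:\_RESTORE and c:\_restore are the same folder; the scanner simply prints the path in lower case. The following is an added Python example, not from this thread, that resolves a reported path component by component regardless of case over a constructed directory layout, so it distinguishes "folder exists with different casing" from "component genuinely missing" (here the temp folder, as in the thread):

```python
import os
import tempfile


def resolve_case_insensitive(root, rel_path):
    """Walk rel_path under root, matching each path component without
    regard to case (as Windows does). Returns the on-disk path with its
    real casing, or None as soon as a component is missing."""
    current = root
    for part in rel_path.replace("\\", "/").split("/"):
        if not part:
            continue
        try:
            entries = os.listdir(current)
        except OSError:
            # current is not a directory (or unreadable), so the path cannot go deeper
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def demo():
    """Constructed layout mimicking the thread: _RESTORE exists under the
    'drive root', but there is no temp folder inside it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "_RESTORE"))
    # The lower-case path the scanner printed still resolves to the real folder.
    found = resolve_case_insensitive(root, r"_restore")
    # The full reported path fails at the 'temp' component, which is what to report.
    missing = resolve_case_insensitive(root, r"_restore\temp\gendel32.0")
    return os.path.basename(found), missing
```

Run demo() to see the real casing of the folder the scanner reported and None for the part of the path that does not exist.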
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    That's the ME system restore folder.

    You cannot see any files or folders in there from your usual user account.


    Turn off system restore by following instructions here
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239 for ME.

    That will purge the restore folder and clear any malware that has been put in there.
    Then run a TDS scan and see if it finds the file. I bet it won't.

    Then reboot, then re-enable system restore and create a new restore point.
     
  7. tutankamon

    tutankamon Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    170
    Location:
    Lancashire U.K.
    Hi dvk01,
    I don't use system restore; it has been disabled for a few months now. I use Go Back 3. As an experiment I rolled my computer back to Tuesday 21 September and ran a 'Full system scan'. No reports of anything.
    I then downloaded today's update, ran the 'Full system scan', and there it was again: 'Positive ID Riskware.Tool.Gendel C:\_restore\temp\gendel32.0'.
    This looks to me like today's download is causing this report.
     