Guest labfuji
Posted November 3, 2007

Installed the Avira AntiVirus and upon reboot, it says it found a file that contains suspicious code Heur/malware at location c:\winnt\system32\ratbgpi.dll. It gives me the option of quarantine/deny access. Choosing either option, the message still remains even after clicking many times.
I have also run AVG and Spybot 1.4 and all give a clean health. Any suggestion please, thanks

Guest Dave Patrick
Posted November 3, 2007

Re: Heur/malware

I'd ask the application developer.

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"labfuji" wrote:
> Installed the Avira AntiVirus and upon reboot, it says it found a file that
> contains suspicious code Heur/malware at location
> c:\winnt\system32\ratbgpi.dll. It gives me the option of quarantine/deny
> access. Choosing either option, the message still remains even after
> clicking many times.
> I have also run AVG and Spybot 1.4 and all give a clean health. Any
> suggestion please, thanks

Guest philo
Posted November 3, 2007

Re: Heur/malware

"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:0224986D-D70E-4F56-B854-D47A8A5A4DFA@microsoft.com...
> Installed the Avira AntiVirus and upon reboot, it says it found a file that
> contains suspicious code Heur/malware at location
> c:\winnt\system32\ratbgpi.dll. It gives me the option of quarantine/deny
> access. Choosing either option, the message still remains even after
> clicking many times.
> I have also run AVG and Spybot 1.4 and all give a clean health. Any
> suggestion please, thanks

Try just plain renaming it (such as ratbgpi.xxx)
and if your system runs OK then delete it entirely.

Guest labfuji
Posted November 3, 2007

Re: Heur/malware

Do you mean rename the .dll file? Thanks

"philo" wrote:
>
> "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> news:0224986D-D70E-4F56-B854-D47A8A5A4DFA@microsoft.com...
> > Installed the Avira AntiVirus and upon reboot, it says it found a file that
> > contains suspicious code Heur/malware at location
> > c:\winnt\system32\ratbgpi.dll. It gives me the option of quarantine/deny
> > access. Choosing either option, the message still remains even after
> > clicking many times.
> > I have also run AVG and Spybot 1.4 and all give a clean health. Any
> > suggestion please, thanks
>
> Try just plain renaming it (such as ratbgpi.xxx)
> and if your system runs OK then delete it entirely.

Guest philo
Posted November 3, 2007

Re: Heur/malware

"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> Do you mean rename the .dll file? Thanks

Yes, rename the .dll file in question.

Guest labfuji
Posted November 4, 2007

Re: Heur/malware

Tried in normal and safe mode, cannot be renamed, it says 'file been used by windows'

"philo" wrote:
>
> "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> > Do you mean rename the .dll file? Thanks
>
> Yes, rename the .dll file in question.

Guest philo
Posted November 4, 2007

Re: Heur/malware

"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:E1D54545-FAC7-42A8-B749-84BA809B3012@microsoft.com...
> Tried in normal and safe mode, cannot be renamed, it says 'file been used by
> windows'
>
> "philo" wrote:
> >
> > "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> > news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> > > Do you mean rename the .dll file? Thanks
> >
> > Yes, rename the .dll file in question.

Then you will need to find out where the process is starting.
You may have to look in the registry

HKEY_LOCAL_MACHINE
software
microsoft
windows
current version
run

then delete the reference

Guest labfuji
Posted November 4, 2007

Re: Heur/malware

expand run>optional components>
right pane

IMAIL>default REG_SZ value not set
installed REG_SZ 1

MAPI>default REG_SZ value not set
installed REG_SZ 1
NoChange REG_SZ 1

MSFS>default REG_SZ value not set
installed REG_SZ 1

So which DATA should I delete or modify

Appreciate your follow, thanks

"philo" wrote:
>
> "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> news:E1D54545-FAC7-42A8-B749-84BA809B3012@microsoft.com...
> > Tried in normal and safe mode, cannot be renamed, it says 'file been used
> > by windows'
> >
> > "philo" wrote:
> > >
> > > "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> > > news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> > > > Do you mean rename the .dll file? Thanks
> > >
> > > Yes, rename the .dll file in question.
>
> Then you will need to find out where the process is starting.
> You may have to look in the registry
>
> HKEY_LOCAL_MACHINE
> software
> microsoft
> windows
> current version
> run
>
> then delete the reference

Guest Dave Patrick
Posted November 4, 2007

Re: Heur/malware

You'll need to find the process that loaded it.

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListDlls.mspx

--
Regards,
Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"labfuji" wrote:
> expand run>optional components>
> right pane
> IMAIL>default REG_SZ value not set
> installed REG_SZ 1
>
> MAPI>default REG_SZ value not set
> installed REG_SZ 1
> NoChange REG_SZ 1
>
> MSFS>default REG_SZ value not set
> installed REG_SZ 1
>
> So which DATA should I delete or modify
>
> Appreciate your follow, thanks

Guest philo
Posted November 4, 2007

Re: Heur/malware

"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:A0AAAC82-7AE7-4DA5-BA1F-6C6F6962ED03@microsoft.com...
> expand run>optional components>
> right pane
> IMAIL>default REG_SZ value not set
> installed REG_SZ 1
>
> MAPI>default REG_SZ value not set
> installed REG_SZ 1
> NoChange REG_SZ 1
>
> MSFS>default REG_SZ value not set
> installed REG_SZ 1
>
> So which DATA should I delete or modify
>
> Appreciate your follow, thanks

Those entries look normal so it's got to be somewhere else.
Offhand I do not know which process it would be.
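
The two steps suggested in this thread (find the process that has the DLL loaded, then find the registry reference that starts it), as an added PowerShell example that is not part of any post above. The DLL name is the one from the thread; the registry locations other than the Run key are assumptions about where a DLL reference commonly lives, and the script only reports, it changes nothing.

```powershell
# Added example: read-only triage for a DLL that is "in use" and cannot be renamed.
$dllName = 'ratbgpi.dll'   # file name reported in the thread
$stem    = [IO.Path]::GetFileNameWithoutExtension($dllName)

# Step 1: list processes that have the DLL mapped. Run elevated; processes that
# refuse module enumeration (access denied) are skipped.
function Get-DllHolder {
    foreach ($p in Get-Process) {
        try {
            $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $dllName } |
                   Select-Object -First 1
            if ($hit) {
                [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Path = $hit.FileName }
            }
        } catch { }
    }
}

# Step 2: search autostart and DLL-load registry locations for the name.
# The Run key is the one named in the thread; the others are assumptions.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit, Notify\*
)
function Find-DllReference {
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # The key itself plus every subkey (e.g. Run\OptionalComponents, Winlogon\Notify\*)
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($name in $k.GetValueNames()) {
                $data = [string]$k.GetValue($name)
                if ($data -match [regex]::Escape($stem)) {
                    [pscustomobject]@{ Key = $k.Name; Value = $name; Data = $data }
                }
            }
        }
    }
}

Get-DllHolder     | Format-Table -AutoSize
Find-DllReference | Format-List
```

If step 1 names a system process and step 2 finds nothing, the reference is somewhere this list does not cover, which is where the Sysinternals tools linked above take over.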