johndrew 11:28 21 Aug 2006

I recently downloaded OS 98SE updates for a friend, burned them to a CD and gave them to him. I kept the original files on my HDD in case he needed further copies as he does not have a burner and only a dial-up connection.

Yesterday did an online scan with BitDefender which claimed to find trojan.bat.restart.a in file wupg98en-jul.exe (this file being one of the upgrades for 98SE).

I scan my machine regularly (and on the day after the download of the file) with AVG (free), Defender, Ad-Aware, SpyBot S&D and a-squared free. None of these showed a problem. I also ran SysClean with the latest update and that picked up nothing.

Is this likely to be a false positive or could his system be at risk?

Many thanks for any advice in advance.

  SANTOS7 11:35 21 Aug 2006

It sits in your System volume info files (where your restore points are kept) which is why scans are not detecting it, you will need to disable system restore to be rid of it...

  SANTOS7 11:36 21 Aug 2006

Disable system restore, reboot, re-enable system restore..

  johndrew 12:13 21 Aug 2006

Thanks for responding quickly.

I'm running XP Pro SP2 and understand my OS is fairly resistant to this malware?

However the trojan was only in a downloaded update file for OS 98SE which I downloaded from a site recommended in PCA for October 2006. I downloaded the file last week but obviously had no need to unpack it.

My main concern is for the friend I gave the CD to. Is it likely to be a real threat to him? There seems to be very little on this trojan on the web but what I can find doesn't seem to rate it a high magnitude.

I can resolve any risk to myself easily as you recommend but for the person who wanted the data.....

  SANTOS7 12:24 21 Aug 2006

It is a batch file worm that maybe, somehow has attached itself to your download (big clutch at big straw here) and I can see your point, have you tried another source for the update..

  johndrew 13:51 21 Aug 2006

Not as yet. There were two sites mentioned in the article in PCA (page 92) as I remember I went to the first (exuberant) as I figured PCA's recommendation would be good. Still might be but the attachment of the malware does concern me. I'll do a Google and look at the other site.

I checked the file size on the website (24.7MB) and it's the same as I have on HDD. I would have thought that if it was integral with the file mine would now be smaller as BitDefender said it had 'deleted the file' as it couldn't remove/negate the trojan.

Since you are having a grasp at straws I may as well have a go. Is it possible this was a false positive based on BitDefender being overcautious and/or wanting to sell software? I did check for the file rundll16.exe which I understand is associated with this malware but couldn't find it on my HDD using Search.

  johndrew 10:34 22 Aug 2006


  SANTOS7 11:42 22 Aug 2006

click here
Have searched database for trojan.bat.restart.a and can't find it so not sure what's going on...

  johndrew 12:02 22 Aug 2006

Yes I feel the same. The best I came up with was at Symantec
click here and my total Google gave me this click here

  johndrew 12:13 22 Aug 2006

And it looks as if others are confused as well click here

This could be some weird false positive yet the Symantec write up indicates it could be real!!!??

  johndrew 16:28 22 Aug 2006

This was provided on another site click here Interesting.........?

This thread is now locked and can not be replied to.
