Windows 2000 Heur/malware

  • Thread starter: labfuji

labfuji

Installed Avira AntiVirus and upon reboot, it says it found a file that
contains suspicious code Heur/malware at location
c:\winnt\system32\ratbgpi.dll. It gives me the option of quarantine/deny
access. Choosing either option, the message still remains even after clicking
many times.
I have also run AVG and Spybot 1.4 and all give a clean bill of health. Any
suggestion please, thanks.
 
I'd ask the application developer.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 
"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:0224986D-D70E-4F56-B854-D47A8A5A4DFA@microsoft.com...

Try just plain renaming it (such as ratbgpi.xxx),
and if your system runs OK then delete it entirely.
 
Do you mean rename the .dll file? Thanks.

 
"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> Do you mean rename the .dll file? Thanks.



Yes, rename the .dll file in question.
 
Tried in normal and safe mode; it cannot be renamed, it says 'file being used by
Windows'.

 
"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:E1D54545-FAC7-42A8-B749-84BA809B3012@microsoft.com...
Then you will need to find out where the process is starting.

You may have to look in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

then delete the reference.
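The Run key philo names is only one of several places a DLL can be wired in to start with Windows, and some of them (Winlogon Notify packages, shell service objects, svchost-hosted services, browser helper objects) reference the DLL indirectly through a CLSID or a ServiceDll value, so a reference will not show up in Run at all. The script below is an added example of mine, not code from the thread: it walks a set of well-known autostart keys (the list is my own choice), resolves CLSID references through HKCR\CLSID\{...}\InprocServer32, and prints every value whose data mentions the file name. It assumes a Windows version with PowerShell and an elevated prompt.

```powershell
# Added example (mine, not from the thread): walk the well-known autostart
# registry locations and report every value whose data references a given file
# name. CLSID references (BHOs, ShellServiceObjectDelayLoad, shell extensions)
# are resolved through HKCR\CLSID\{...}\InprocServer32 so a DLL loaded
# indirectly is found as well. The list of keys is my own selection of common
# persistence points; run from an elevated PowerShell prompt.
param([string]$Needle = 'ratbgpi.dll')

$roots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Userinit, Shell, Notify\*\DLLName
    'HKLM:\System\CurrentControlSet\Services',                      # ImagePath, Parameters\ServiceDll
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-ClsidServer {
    # Map a "{GUID}" string to the DLL registered as its in-process COM server, if any.
    param([string]$Text)
    if ($Text -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { return $null }
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Text\InprocServer32"
    if (Test-Path $server) { return (Get-ItemProperty $server).'(default)' }
    return $null
}

function Find-AutostartReferences {
    param([string]$Needle, [string[]]$Keys)
    $pattern = [regex]::Escape($Needle)
    $hits = @()
    foreach ($root in $Keys) {
        if (-not (Test-Path $root)) { continue }
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Candidate strings: the key's own leaf name (BHO subkeys are named by CLSID)
            # plus the data of every value under it.
            $candidates = @(@{ Name = '(key name)'; Data = $key.PSChildName })
            foreach ($valueName in $key.GetValueNames()) {
                $candidates += @{ Name = $valueName; Data = [string]$key.GetValue($valueName) }
            }
            foreach ($c in $candidates) {
                $data = $c.Data
                $server = Resolve-ClsidServer $data
                if ($server) { $data = "$data -> $server" }
                if ($data -match $pattern) {
                    $hits += [pscustomobject]@{ Key = $key.Name; Value = $c.Name; Data = $data }
                }
            }
        }
    }
    return $hits
}

$results = @(Find-AutostartReferences -Needle $Needle -Keys $roots)
if ($results.Count) { $results | Format-Table -AutoSize -Wrap }
else { "No autostart reference to '$Needle' found in the keys searched." }
```

Save it as Find-Autostart.ps1 and run `.\Find-Autostart.ps1 -Needle ratbgpi.dll`. A hit under Services whose value is ServiceDll means the DLL is hosted inside a svchost.exe instance, and the right fix is to disable that service rather than to delete a Run entry; a hit that resolves through a CLSID points at a COM registration that should be unregistered as a unit. Windows 2000 itself has no PowerShell, so on the original machine the same walk has to be done by hand in regedit over the keys listed above.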
 
Expanded Run > Optional Components >
right pane:
IMAIL > (Default) REG_SZ (value not set)
        Installed REG_SZ 1

MAPI > (Default) REG_SZ (value not set)
       Installed REG_SZ 1
       NoChange REG_SZ 1

MSFS > (Default) REG_SZ (value not set)
       Installed REG_SZ 1

So which DATA should I delete or modify?

Appreciate your follow-up, thanks.


 
You'll need to find the process that loaded it.

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListDlls.mspx


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect
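Dave's point is the one that matters: a file that cannot be renamed even in safe mode is mapped into a process that Windows starts early, and the module list of that process (Process Explorer's Find Handle or DLL, or ListDlls) tells you which one. Two practical caveats follow from that. First, Heur/malware is a heuristic verdict, not a signature match, and a DLL under system32 that a Windows process holds open may well be a legitimate component, so check the file's version resource and Authenticode signature before acting. Second, a file that is locked while running can still be renamed by asking the kernel to do it at the next boot, before anything has loaded it, via MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT; the request is recorded under the Session Manager's PendingFileRenameOperations value, where it can be reviewed or removed. The script below is an added example of mine, not from the thread or from Microsoft: it assumes a Windows version that has PowerShell (Windows 2000 does not) and an elevated prompt; the path and the .xxx extension come from the thread, everything else is my own.

```powershell
# Added example (mine, not from the thread): before touching a file that a
# heuristic engine flagged, see who publishes it and who loads it, then, if it
# still looks wrong, queue a rename for the next boot instead of fighting the
# lock. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT records the request under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# and the session manager applies it early in the next boot, before the process
# that normally loads the DLL has started. Path and extension are taken from the
# thread; everything else is my own. Run from an elevated PowerShell prompt.
param(
    [string]$Dll = 'C:\WINNT\system32\ratbgpi.dll',
    [switch]$QueueRename
)

function Get-FileProvenance {
    # Version resource and Authenticode status: a genuine Windows component
    # normally carries a Microsoft company name and a valid signature.
    param([string]$Path)
    $vi  = (Get-Item -LiteralPath $Path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File        = $Path
        Company     = $vi.CompanyName
        Description = $vi.FileDescription
        Version     = $vi.FileVersion
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-ProcessesLoadingModule {
    # Same question ListDlls / Process Explorer answer: every process with the DLL mapped.
    param([string]$Path)
    $leaf = Split-Path -Leaf $Path
    foreach ($p in Get-Process) {
        try { $mods = @($p.Modules | Where-Object { $_.ModuleName -ieq $leaf }) }
        catch { continue }   # protected or other-bitness processes cannot be enumerated
        if ($mods.Count) {
            [pscustomobject]@{ Pid = $p.Id; Process = $p.ProcessName; Exe = $p.Path; Module = $mods[0].FileName }
        }
    }
}

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Request-RenameAtReboot {
    param([string]$From, [string]$To)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not [Win32.Native]::MoveFileEx($From, $To, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed: " + (New-Object ComponentModel.Win32Exception($code)).Message
    }
    # The queued operation stays visible here until the next boot.
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
}

Get-FileProvenance -Path $Dll | Format-List

$loaders = @(Get-ProcessesLoadingModule -Path $Dll)
if ($loaders.Count) { $loaders | Format-Table -AutoSize }
else { "No running process has $(Split-Path -Leaf $Dll) loaded right now." }

if ($QueueRename) {
    # Rename rather than delete (philo's .xxx suggestion) so the file can be put
    # back from the Recovery Console if Windows then fails to start.
    $target = [IO.Path]::ChangeExtension($Dll, '.xxx')
    Request-RenameAtReboot -From $Dll -To $target
    "Rename $Dll -> $target is queued for the next boot."
}
```

Run it once without `-QueueRename` to see the publisher, signature and the loading process; if the loader is a Windows process such as winlogon.exe or services.exe and the file is signed by Microsoft, the heuristic is the more likely thing to be wrong and the vendor's false-positive submission is the right next step. Only if the provenance is blank or suspect and the loader is something you do not recognize should you re-run with `-QueueRename` and reboot. On the Windows 2000 machine from the thread, the equivalent is Process Explorer's Find Handle or DLL search for the file name, or ListDlls from the links Dave gives.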

 
"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:A0AAAC82-7AE7-4DA5-BA1F-6C6F6962ED03@microsoft.com...
Those entries look normal,
so it's got to be somewhere else.

Offhand I do not know which process it would be.
 