Heur/malware


labfuji

Installed the Avira AntiVirus and upon reboot, it says it found a file that
contains suspicious code Heur/malware at location
c:\winnt\system32\ratbgpi.dll. It gives me the option of quarantine/deny
access. Choosing either option, the message still remains even after clicking
many times.
I have also run AVG and Spybot 1.4 and all give a clean bill of health. Any
suggestion please, thanks
 
Re: Heur/malware

I'd ask the application developer.

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"labfuji" wrote:
> Install the Avira AntiVirus and unpon reboot, it say it found a file that
> contains suspicious code Heur/malware at location
> c:\winnt\system32\ratbgpi.dll. it gives me the option of quaratine/deny
> access. Choosing either option, the message still remains even after
> clicking
> many times
> I have also run AVG and Spybot 1.4 and all give a clean health.Any
> suggestion please, thanks
 
Re: Heur/malware


"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:0224986D-D70E-4F56-B854-D47A8A5A4DFA@microsoft.com...
> Install the Avira AntiVirus and unpon reboot, it say it found a file that
> contains suspicious code Heur/malware at location
> c:\winnt\system32\ratbgpi.dll. it gives me the option of quaratine/deny
> access. Choosing either option, the message still remains even after
> clicking
> many times
> I have also run AVG and Spybot 1.4 and all give a clean health.Any
> suggestion please, thanks



try just plain renaming it (such as ratbgpi.xxx)
and if your system runs ok then delete it entirely
 
Re: Heur/malware

Do you mean remain the .dll file? thanks

"philo" wrote:

>
> "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> news:0224986D-D70E-4F56-B854-D47A8A5A4DFA@microsoft.com...
> > Install the Avira AntiVirus and unpon reboot, it say it found a file that
> > contains suspicious code Heur/malware at location
> > c:\winnt\system32\ratbgpi.dll. it gives me the option of quaratine/deny
> > access. Choosing either option, the message still remains even after
> > clicking
> > many times
> > I have also run AVG and Spybot 1.4 and all give a clean health.Any
> > suggestion please, thanks

>
>
> try just plain renaming it (such as ratbgpi.xxx)
> and if your system runs ok then delete it entirely
>
>
>
 
Re: Heur/malware


"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> Do you mean remain the .dll file? thanks



yes, rename the .dll file in question.
 
Re: Heur/malware

Tried in normal and safe mode, cannot be renamed, it says 'file been used by
windows'

"philo" wrote:

>
> "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> > Do you mean remain the .dll file? thanks

>
>
> yes, rename the .dll file in question.
>
>
>
 
Re: Heur/malware


"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:E1D54545-FAC7-42A8-B749-84BA809B3012@microsoft.com...
> Tried in normal and safe mode, cannot be renamed, it says 'file been used
> by
> windows'
>
> "philo" wrote:
>
> >
> > "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> > news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> > > Do you mean remain the .dll file? thanks

> >
> >
> > yes, rename the .dll file in question.
> >
> >
> >



Then you will need to find out where the process is starting.


You may have to look in the registry


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


then delete the reference
 
Re: Heur/malware

Expanded Run > Optional Components >
Right pane:
IMAIL > (Default) REG_SZ (value not set)
        Installed REG_SZ 1

MAPI > (Default) REG_SZ (value not set)
       Installed REG_SZ 1
       NoChange REG_SZ 1

MSFS > (Default) REG_SZ (value not set)
       Installed REG_SZ 1

So which DATA should I delete or modify?

Appreciate your follow-up, thanks


"philo" wrote:

>
> "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> news:E1D54545-FAC7-42A8-B749-84BA809B3012@microsoft.com...
> > Tried in normal and safe mode, cannot be renamed, it says 'file been used
> > by
> > windows'
> >
> > "philo" wrote:
> >
> > >
> > > "labfuji" <labfuji@discussions.microsoft.com> wrote in message
> > > news:0B59ABED-BCA0-4DF2-B545-792A683524FD@microsoft.com...
> > > > Do you mean remain the .dll file? thanks
> > >
> > >
> > > yes, rename the .dll file in question.
> > >
> > >
> > >

>
>
> Then you will need to find out where the process is starting.
>
>
> You may have to look in the registry
>
>
> HKEY_LOCAL_MACHINE
> software
> microsoft
> windows
> current version
> run
>
>
> then delete the reference
>
>
>
 
Re: Heur/malware

You'll need to find the process that loaded it.

http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/processmonitor.mspx
http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ListDlls.mspx


--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

"labfuji" wrote:
> expand run>optional components>
> right pan
> IMAIL>default REG_SZ value not set
> installed REG_SZ 1
>
> MAPI>default REG_SZ value not set
> installed REG_SZ 1
> NoChange REG_SZ 1
>
>
> MSFS>default REG_SZ value not set
> installed REG_SZ 1
>
> So which DATA should I delete or modify
>
> Appreciate your follow, thanks
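As an added example that is not part of the thread (and not one of the Sysinternals tools Dave Patrick links or philo's manual registry walk), the script below does from a shell what those two replies describe: it lists which running processes have a given DLL loaded, and which autostart values in the Run/RunOnce keys (plus a few other common DLL load points) reference it. It assumes a Windows version with PowerShell, which the poster's c:\winnt box of the time would not have had; the DLL name defaults to the thread's ratbgpi.dll and the list of registry keys is my own choice for illustration.

```powershell
# Added example, not code from the thread. Triage helper: where is a DLL
# loaded from, and what starts it? Run from an elevated PowerShell prompt.
param(
    [string]$DllName = 'ratbgpi.dll'   # file named in the thread; any DLL name works
)

# 1. Which running processes have the module loaded. This is the command-line
#    equivalent of ListDlls or Process Explorer's DLL view. Module lists of
#    protected or mismatched-bitness processes cannot always be read; those
#    processes are skipped with a verbose message instead of aborting the scan.
function Find-ProcessWithModule {
    param([string]$Name)
    Get-Process | ForEach-Object {
        $proc = $_
        try {
            $hits = @($proc.Modules | Where-Object { $_.ModuleName -ieq $Name })
            foreach ($m in $hits) {
                [pscustomobject]@{
                    ProcessName = $proc.ProcessName
                    Pid         = $proc.Id
                    ModulePath  = $m.FileName
                }
            }
        } catch {
            Write-Verbose "Could not enumerate modules of $($proc.ProcessName) ($($proc.Id)): $_"
        }
    }
}

# 2. Autostart values whose data mentions the DLL. The poster was looking under
#    Run\OptionalComponents, which holds installer bookkeeping; the values that
#    launch things live directly under Run/RunOnce. A DLL that is "in use by
#    Windows" even in safe mode is often referenced from one of the other keys
#    listed here (AppInit_DLLs under ...\Windows, Userinit/Shell under Winlogon),
#    so those are checked too. Key list is an assumption for illustration.
function Find-AutostartReference {
    param([string]$Name)
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    $pattern = [regex]::Escape($Name)
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own provider metadata
            if ("$($p.Value)" -imatch $pattern) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Data = $p.Value }
            }
        }
    }
}

# 3. Record the file itself (path and hash) so it can be looked up or compared
#    later, then run both checks.
$sys32 = Join-Path $env:SystemRoot "system32\$DllName"
if (Test-Path $sys32) {
    $hash = (Get-FileHash -Algorithm SHA256 -Path $sys32).Hash
    "File present: $sys32  SHA256=$hash"
} else {
    "File not found at $sys32"
}

'Processes with the module loaded:'
Find-ProcessWithModule -Name $DllName | Format-Table -AutoSize

'Autostart values referencing it:'
Find-AutostartReference -Name $DllName | Format-Table -AutoSize
```

Save it as, say, Find-DllOwner.ps1 and run `.\Find-DllOwner.ps1 -DllName ratbgpi.dll -Verbose`. Once the owning process and the registry value are known, the thread's advice applies in order: remove the autostart reference, reboot, and only then rename or delete the file, since the rename fails while a process still holds the DLL mapped.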
 
Re: Heur/malware


"labfuji" <labfuji@discussions.microsoft.com> wrote in message
news:A0AAAC82-7AE7-4DA5-BA1F-6C6F6962ED03@microsoft.com...
> expand run>optional components>
> right pan
> IMAIL>default REG_SZ value not set
> installed REG_SZ 1
>
> MAPI>default REG_SZ value not set
> installed REG_SZ 1
> NoChange REG_SZ 1
>
>
> MSFS>default REG_SZ value not set
> installed REG_SZ 1
>
> So which DATA should I delete or modify
>
> Appreciate your follow, thanks
>
>



Those entries look normal
so it's got to be somewhere else.

Off hand I do not know which process it would be
 