I then downloaded and installed BitDefender Free Edition. When I scanned the system with it, it reported the following:
File | Status
C:\WINDOWS\System32\Tools\Restart.exe | Detected: Spyware.Destart.A
C:\WINDOWS\System32\Tools\Restart.exe | Disinfection failed
C:\WINDOWS\System32\Tools\Restart.exe | Moved
BitDefender moved the file, so I restored it and submitted it to VirusTotal for analysis and also to Jotti's Online Malware Scan.
Jotti's Online Malware Scan reported the following:
File: | Restart.exe |
Status: | INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) |
MD5: | eb1b125ee5d2022cbf5e2f7226f47638 |
Packers detected: | - |
Bit9 reports: | High threat detected |
A-Squared | Found nothing |
AntiVir | Found SPR/Destart.A |
ArcaVir | Found nothing |
Avast | Found nothing |
AVG Antivirus | Found nothing |
BitDefender | Found Spyware.Destart.A |
ClamAV | Found nothing |
CPsecure | Found nothing |
Dr.Web | Found nothing |
F-Prot Antivirus | Found nothing |
F-Secure Anti-Virus | Found nothing |
Fortinet | Found HackerTool/Rebootah |
Kaspersky Anti-Virus | Found nothing |
NOD32 | Found nothing |
Norman Virus Control | Found nothing |
Panda Antivirus | Found Application/Restart |
Rising Antivirus | Found nothing |
Sophos Antivirus | Found nothing |
VirusBuster | Found nothing |
VBA32 | Found nothing |
I also submitted the file to Sunbelt Software's sandbox for analysis. When I did so, I saw a message indicating it had already been submitted.
Please Note: This file has already been added to the database, Sunbelt Sandbox ID: 76482. You can review the log file HERE.
I didn't see anything in the sandbox result that would lead me to believe the program is dangerous. There were no filesystem changes listed. The results indicated that the program reads the registry key "\ "Restart", but there were no registry modifications listed.
Note: the filename listed for the Sunbelt sandbox results is eb1b125ee5d2022cbf5e2f7226f47638.exe, which is the MD5 checksum for the file with ".exe" appended. That is likely done to eliminate duplicate database entries, since with true malware the filename may vary for the exact same file and files can also have the same name, but be different programs, so it makes sense to store it in their database by MD5 sum.
Further information on how the Sunbelt Sandbox works is available at Sunbelt CWSandbox.
I looked for further information on the purported malware at several of the vendors' sites where they provided malware encyclopedias, but found none, except within Panda Security's encyclopedia.
Several of the antivirus programs used by VirusTotal also reported the file as being malware (see VirusTotal Analysis of Restart.exe on 2007-11-06).
The Panda Security encyclopedia provided the following information at Restart.
Common Name: | Restart |
Technical name | Application/Restart |
Threat level | Low |
Type | Potentially Unwanted Program (PUP) |
Effects | It is a Potentially Unwanted Program, which can affect the users' consent, awareness or control over the program. It does not spread automatically using its own means. |
Affected platforms | Windows 2003/XP/2000/NT/ME/98/95 |
First detected on | Nov. 12, 2004 |
Detection updated on | Nov. 12, 2004 |
In circulation? | No |
Proactive protection | Yes, using TruPrevent Technologies |
For "Tech Details" the Panda encyclopedia entry also states the following:
Restart has the following additional characteristics:
- It is written in the programming language Borland Delphi.
- It is 431616 bytes in size.
The Panda Security encyclopedia entry describes the program as a "Potentially Unwanted Program (PUP)". From what I found there, the program doesn't appear dangerous. And, if it might only be used to restart the computer, then I would classify the identification of the program as potentially being malware as a "false positive". After all, Windows XP comes with the shutdown command from Microsoft, which can be used to shut down or reboot the computer. I consider that a useful utility.
Panda Antivirus reported it as Application/Restart. At Panda Scan Result.. Restart.exe, I found someone else reporting a similar situation. He reported that he ran Panda's free online scan and found C:/Windows/system32/Tools/Restart.exe reported as "Potentially Unwanted Tool". As was the case with that person, atryeu, the file was found in C:/Windows/system32/Tools/ with other programs that had a "foreign looking icon". It looked like something in Chinese to me. And when I right-clicked on the files and chose Properties, clicked on the Version tab, and then checked the language listed, I found it listed as "Chinese (Taiwan)". The Product Name was listed as "Win32 Setup-Execute" and it had a copyright of "Copyright(C) Liter Liu 2002" listed with the description of "Restart Conuter".
When I ran a Google search on "Liter Liu restart", at please cheack my hijack log at the CastleCops website, I found someone else reporting the presence of reboot.exe with "Copyright(C) Liter Liu 2002" found in that file. The name is different, reboot.exe versus restart.exe, but it appears to be the same or similar file, since the file size he reported is 422 Kb, which is the same size as restart.exe, and, from the name, it would appear to perform a similar function. The person, HKeD, who analyzed the file for the person who posted the query regarding it, concluded it looked benign.
The other files in the C:\Windows\system32\Tools directory are shown below. Note you have to use the /ah option to display hidden files when you use the dir command from a command prompt to see these files, and you will need to have the display of hidden files and folders turned on for Windows Explorer to see them there, since the files have the "hidden" attribute set on them (see View Hidden and System Files for instructions on how to view such files under Windows XP).
C:\WINDOWS\system32\Tools>dir /ah
 Volume in drive C has no label.
 Volume Serial Number is E4CF-5D36

 Directory of C:\WINDOWS\system32\Tools

07/21/2002  10:57 PM           418,816 All.exe
08/01/2003  02:53 AM             2,850 AutoClick.ini
07/19/2002  01:21 AM           390,144 Change.exe
07/19/2002  02:13 AM           574,464 CheckPath.exe
08/20/2002  01:22 AM           430,592 Counter.exe
07/23/2002  01:34 AM           390,656 DelFolders.exe
03/06/2001  02:25 PM             2,017 Devices.ini
11/22/2002  06:30 AM           399,872 DirectSetup.exe
04/24/2001  11:43 PM                38 Disable.ini
03/06/2002  03:56 AM             2,247 Readme.txt
07/19/2002  05:10 AM           388,096 RegClean.exe
07/19/2002  06:01 AM           388,608 Regexe.exe
11/06/2007  07:52 PM           431,616 Restart.exe
07/19/2002  06:09 AM           388,096 RunRegexe.exe
              14 File(s)      4,208,112 bytes
               0 Dir(s)  76,375,769,088 bytes free
Note: restart.exe is shown with a date of 11/06/2007 on it because that is when I last restored it using BitDefender after BitDefender had moved it during a scan of the system.
Looking at the devices.ini file in the folder, it appears the files might have come from the motherboard manufacturer, since the entries in it appear to be referencing device drivers.
Both Jotti's Online Malware Scan and VirusTotal referenced the Bit9 FileAdvisor information for the file. When I checked the MD5 checksum for the file by entering the checksum, eb1b125ee5d2022cbf5e2f7226f47638, at the FileAdvisor site, I found it listed as being associated with malware (see Fileadvisor report), yet one of the sources listed for it was MAXDATA_AG, which had a package name of 20_MAXDATA_PCs/10_MAXDATA_Desktop/40_Driver/Mainboards/ECS_Mainboards/C51G-B/C51G-B_Support-CD.iso, which tends to imply it is associated with an ECS motherboard. And the company displayed when I clicked on the DirectSetup file in the same directory was "ELITEGROUP COMPUTER SYSTEMS CO., LTD."
When I submitted the DirectSetup.exe file to VirusTotal, none of the antivirus software it uses reported any problem for that file. The file information is shown below.
File size: 399872 bytes
MD5: 606891892e40043ede2e417f37b88a35
SHA1: fbd21a2614011aa914b55f7fbda658753049e2e5
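The two habits this investigation leans on, keying a sample store by its MD5 so that renamed copies collapse into one entry (as the Sunbelt sandbox does) and looking a file's hash up against a provenance source such as the FileAdvisor listing, can both be reproduced locally. The script below is an added example, not code from the original post or from any of the services named above: it hashes every file in a folder, classifies each against a constructed allowlist keyed by MD5, and stores submitted samples under `<md5>.exe`. The folder contents, the allowlist entry and its "ECS mainboard support CD" provenance string are all constructed for the example; real entries would come from a vendor-published manifest or a hash lookup service.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_hashes(path):
    """MD5, SHA-1 and SHA-256 of a file, read in chunks so large binaries fit in memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def store_sample(src, store_dir):
    """Copy src into store_dir as <md5>.exe, the naming the sandbox in the post uses.
    Returns (destination, already_present); a second copy under another filename
    resolves to the same destination and is not stored twice."""
    store_dir = Path(store_dir)
    store_dir.mkdir(parents=True, exist_ok=True)
    dest = store_dir / (file_hashes(src)["md5"] + ".exe")
    if dest.exists():
        return dest, True
    shutil.copy2(src, dest)
    return dest, False


def triage(directory, allowlist):
    """Hash every regular file under directory and classify it against an allowlist
    mapping MD5 -> provenance string. Returns one record per file, sorted by name."""
    records = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        h = file_hashes(path)
        verdict = "known-good: " + allowlist[h["md5"]] if h["md5"] in allowlist else "unknown"
        records.append({
            "name": path.name,
            "size": path.stat().st_size,
            "md5": h["md5"],
            "sha1": h["sha1"],
            "verdict": verdict,
        })
    return records


def demo():
    """Build a constructed Tools-style folder, triage it and store two samples.
    Returns a summary dict so the results can be checked programmatically."""
    work = Path(tempfile.mkdtemp(prefix="triage-"))
    tools = work / "Tools"
    tools.mkdir()
    # Constructed sample bytes, not real binaries. Restart.exe and Reboot.exe are
    # byte-identical, mirroring the same-file-different-name case in the post.
    stub = b"MZ constructed restart stub " * 64
    (tools / "Restart.exe").write_bytes(stub)
    (tools / "Reboot.exe").write_bytes(stub)
    (tools / "DirectSetup.exe").write_bytes(b"MZ constructed directsetup stub " * 64)
    # Hypothetical vendor allowlist: only DirectSetup.exe has a published hash here.
    allowlist = {
        file_hashes(tools / "DirectSetup.exe")["md5"]: "ECS mainboard support CD (constructed entry)",
    }
    records = triage(tools, allowlist)
    store = work / "store"
    stored = [store_sample(tools / n, store) for n in ("Restart.exe", "Reboot.exe")]
    return {
        "records": records,
        "stored_names": [dest.name for dest, _ in stored],
        "duplicate_hits": sum(1 for _, dup in stored if dup),
        "store_count": len(list(store.iterdir())),
    }


if __name__ == "__main__":
    for r in demo()["records"]:
        print(f'{r["name"]:18} {r["size"]:>6} {r["md5"]} {r["verdict"]}')
```

An "unknown" verdict is not a malware verdict; it only means no trusted source has vouched for that exact hash, which is the situation Restart.exe was in until the support-CD provenance turned up. Keying the store by hash is what lets reboot.exe and restart.exe be recognised as one object regardless of the name a vendor or a user gave the file.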
The motherboard in the system is a PCChips motherboard. The motherboard model is A31G (V1.0). PCChips and Elitegroup Computer Systems (ECS) Co. merged in 2005 according to the Wikipedia article on Elitegroup Computer Systems.
At Not-a-virus.win32.restartcounter there is a posting on September 2, 2007 by YLstang, who has the same /windows/system32/tools directory on his system with the same files in it, judging from the screenshot of the directory on his system. There is a reply from quietman on September 3, 2007 who states the following:
Do you have an Elitegroup motherboard?
Elitegroup Computer Systems is a Taiwan-based electronics company.
Those files are probably part of the setup and installation of the motherboard drivers for the ECS (Elitegroup) motherboard as discussed here and here
The files in that folder are all listed here as safe. scroll down toward bottom of the list
So at this point, I feel I can probably view the malware listings for the file as false positives. I've encountered cases where tools that I use for diagnostics have been identified as malware, e.g. "hacker tools", simply because most users won't have the tools on their systems and they might be installed by "hackers" who have gained access to the systems. I haven't found any specific information on restart.exe that leads me to believe its presence on the system represents a threat to the system.
Created: Friday November 16, 2007