Restart.exe

After setting up a PC running Windows XP Home Service Pack 2 which I purchased at a computer show, I ran antivirus scans on the system. I downloaded ClamWin Free Antivirus version 0.91.2 and scanned the system with it on November 4, 2007 after updating its virus definitions to the latest version. ClamWin did not find any malware.

I then downloaded and installed BitDefender Free Edition. When I scanned the system with it, it reported the following:

File                                     Status
C:\WINDOWS\System32\Tools\Restart.exe    Detected: Spyware.Destart.A
C:\WINDOWS\System32\Tools\Restart.exe    Disinfection failed
C:\WINDOWS\System32\Tools\Restart.exe    Moved

BitDefender moved the file, so I restored it and submitted it to VirusTotal for analysis and also to Jotti's Online Malware Scan.

Jotti's Online Malware Scan reported the following:

File:              Restart.exe
Status:            INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5:               eb1b125ee5d2022cbf5e2f7226f47638
Packers detected:  -
Bit9 reports:      High threat detected

Scanner                  Result
A-Squared                Found nothing
AntiVir                  Found SPR/Destart.A
ArcaVir                  Found nothing
Avast                    Found nothing
AVG Antivirus            Found nothing
BitDefender              Found Spyware.Destart.A
ClamAV                   Found nothing
CPsecure                 Found nothing
Dr.Web                   Found nothing
F-Prot Antivirus         Found nothing
F-Secure Anti-Virus      Found nothing
Fortinet                 Found HackerTool/Rebootah
Kaspersky Anti-Virus     Found nothing
NOD32                    Found nothing
Norman Virus Control     Found nothing
Panda Antivirus          Found Application/Restart
Rising Antivirus         Found nothing
Sophos Antivirus         Found nothing
VirusBuster              Found nothing
VBA32                    Found nothing

I also submitted the file to Sunbelt Software's sandbox for analysis. When I did so, I saw a message indicating it had already been submitted.

Please Note: This file has already been added to the database, Sunbelt Sandbox ID: 76482.
You can review the log file HERE

I didn't see anything in the sandbox result that would lead me to believe the program is dangerous. There were no filesystem changes listed. The results indicated that the program reads the registry key "\ "Restart", but there were no registry modifications listed.

Note: the filename listed for the Sunbelt sandbox results is eb1b125ee5d2022cbf5e2f7226f47638.exe, which is the MD5 checksum for the file with ".exe" appended. That is likely done to eliminate duplicate database entries, since with true malware the filename may vary for the exact same file and files can also have the same name, but be different programs, so it makes sense to store it in their database by MD5 sum.

Further information on how the Sunbelt Sandbox works is available at Sunbelt CWSandbox.

I looked for further information on the purported malware at several vendors' sites that provide malware encyclopedias, but found an entry only in Panda Security's encyclopedia.

Malware Encyclopedias

AntiVir
BitDefender
Panda AntiVirus

Several of the antivirus programs used by VirusTotal also reported the file as being malware (see VirusTotal Analysis of Restart.exe on 2007-11-06).

The Panda Security encyclopedia provided the following information at Restart.

Common Name:           Restart
Technical name:        Application/Restart
Threat level:          Low
Type:                  Potentially Unwanted Program (PUP)
Effects:               It is a Potentially Unwanted Program, which can affect the users' consent, awareness or control over the program. It does not spread automatically using its own means.
Affected platforms:    Windows 2003/XP/2000/NT/ME/98/95
First detected on:     Nov. 12, 2004
Detection updated on:  Nov. 12, 2004
In circulation?:       No
Proactive protection:  Yes, using TruPrevent Technologies

For "Tech Details" the Panda encyclopedia entry also states the following:

Restart has the following additional characteristics:

The Panda Security encyclopedia entry describes the program as a "Potentially Unwanted Program (PUP)". From what I found there, the program doesn't appear dangerous, and if its only function is to restart the computer, then I would classify its identification as malware as a false positive. After all, Windows XP ships with Microsoft's own shutdown command, which can shut down or reboot the computer, and I consider that a useful utility.

Panda Antivirus reported it as Application/Restart. At Panda Scan Result.. Restart.exe, I found someone else reporting a similar situation. He reported that he ran Panda's free online scan and found C:/Windows/system32/Tools/Restart.exe reported as "Potentionally Unwanted Tool". As in that person's (atryeu's) case, the file was found in C:/Windows/system32/Tools/ alongside other programs that had a "foreign looking icon"; to me the icon looked like Chinese text. When I right-clicked the files, chose Properties, clicked the Version tab, and checked the language listed, it was "Chinese (Taiwan)". The Product Name was "Win32 Setup-Execute", the copyright was "Copyright(C) Liter Liu 2002", and the description was "Restart Conuter".

Restart.exe properties

When I ran a Google search on "Liter Liu restart", I found, in the thread please cheack my hijack log at the CastleCops website, someone else reporting a reboot.exe carrying the same "Copyright(C) Liter Liu 2002" string. The name differs, reboot.exe versus restart.exe, but it appears to be the same or a very similar file: the file size he reported, 422 KB, matches that of restart.exe, and, judging by the name, it performs a similar function. HKeD, who analyzed the file for the person who posted the query, concluded it looked benign.

The other files in the C:\Windows\system32\Tools directory are shown below. The files have the "hidden" attribute set, so you need the /ah option with the dir command at a command prompt to list them, and in Windows Explorer you need the display of hidden files and folders turned on to see them there (see View Hidden and System Files for instructions on how to do that under Windows XP).

C:\WINDOWS\system32\Tools>dir /ah
 Volume in drive C has no label.
 Volume Serial Number is E4CF-5D36

 Directory of C:\WINDOWS\system32\Tools

07/21/2002  10:57 PM           418,816 All.exe
08/01/2003  02:53 AM             2,850 AutoClick.ini
07/19/2002  01:21 AM           390,144 Change.exe
07/19/2002  02:13 AM           574,464 CheckPath.exe
08/20/2002  01:22 AM           430,592 Counter.exe
07/23/2002  01:34 AM           390,656 DelFolders.exe
03/06/2001  02:25 PM             2,017 Devices.ini
11/22/2002  06:30 AM           399,872 DirectSetup.exe
04/24/2001  11:43 PM                38 Disable.ini
03/06/2002  03:56 AM             2,247 Readme.txt
07/19/2002  05:10 AM           388,096 RegClean.exe
07/19/2002  06:01 AM           388,608 Regexe.exe
11/06/2007  07:52 PM           431,616 Restart.exe
07/19/2002  06:09 AM           388,096 RunRegexe.exe
              14 File(s)      4,208,112 bytes
               0 Dir(s)  76,375,769,088 bytes free

Note: restart.exe is shown with a date of 11/06/2007 on it because that is when I last restored it using BitDefender after BitDefender had moved it during a scan of the system.

Looking at the devices.ini file in the folder, it appears the files might have come from the motherboard manufacturer, since the entries in it appear to be referencing device drivers.

Both Jotti's Online Malware Scan and VirusTotal referenced the Bit9 FileAdvisor information for the file. When I entered the file's MD5 checksum, eb1b125ee5d2022cbf5e2f7226f47638, at the FileAdvisor site, I found it listed as associated with malware (see Fileadvisor report). Yet one of the sources listed for it was MAXDATA_AG, with a package name of 20_MAXDATA_PCs/10_MAXDATA_Desktop/40_Driver/Mainboards/ECS_Mainboards/C51G-B/C51G-B_Support-CD.iso, which implies the file ships on the support CD for an ECS motherboard. And the company shown in the properties of the DirectSetup file in the same directory was "ELITEGROUP COMPUTER SYSTEMS CO., LTD."

DirectSetup.exe properties

When I submitted the DirectSetup.exe file to VirusTotal, none of the antivirus engines it uses reported a problem with it. The file information is shown below.

File size: 399872 bytes
MD5: 606891892e40043ede2e417f37b88a35
SHA1: fbd21a2614011aa914b55f7fbda658753049e2e5
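The checks made by hand above (dir /ah to see the hidden files, the Version tab of each file's Properties for the company and copyright strings, and the MD5/SHA1 values compared against FileAdvisor and VirusTotal) can be done in one pass. The following PowerShell is an added example, not code from the original post or from ECS; it assumes Windows with PowerShell 4.0 or later (for Get-FileHash), uses the Tools directory and the two hashes recorded in this post, and the $KnownMd5 and $report names are my own.

```powershell
# Added example, not code from the original post. Assumes Windows with
# PowerShell 4.0 or later (for Get-FileHash); the directory and the two
# reference hashes below are the ones recorded in the post.
$ToolsDir = 'C:\WINDOWS\system32\Tools'

# MD5 values the post already looked up, keyed so that a match names the file.
$KnownMd5 = @{
    'eb1b125ee5d2022cbf5e2f7226f47638' = 'Restart.exe (Bit9 FileAdvisor: ECS C51G-B support CD)'
    '606891892e40043ede2e417f37b88a35' = 'DirectSetup.exe (no detections on VirusTotal)'
}

# -Force is the Get-ChildItem counterpart of "dir /ah": without it the
# hidden files in this folder are skipped silently.
$report = Get-ChildItem -LiteralPath $ToolsDir -Force -File | ForEach-Object {
    $md5  = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash.ToLower()
    $sha1 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA1).Hash.ToLower()
    $vi   = $_.VersionInfo          # same fields as Properties > Version

    # A hash match means identical bytes: a renamed copy (reboot.exe versus
    # restart.exe) still matches, a same-named but different binary does not.
    $known = if ($KnownMd5.ContainsKey($md5)) { $KnownMd5[$md5] } else { 'not in list - look the hash up' }

    [pscustomobject]@{
        Name        = $_.Name
        Hidden      = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
        Size        = $_.Length
        Company     = $vi.CompanyName
        Copyright   = $vi.LegalCopyright
        Description = $vi.FileDescription
        Language    = $vi.Language
        Signature   = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        MD5         = $md5
        SHA1        = $sha1
        SandboxName = "$md5.exe"     # how the Sunbelt sandbox names a submission
        Known       = $known
    }
}

$report | Format-List
```

A hash match only says the bytes are identical to what was recorded here; it does not by itself say the file is benign, which is why the version strings and the Authenticode status are listed beside it. A 2002-era vendor utility like these may well be unsigned, so a NotSigned status on its own is not evidence of tampering; the combination of a known hash, the expected company and copyright strings, and a plausible origin (the ECS support CD) is what supports the false-positive conclusion.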

The motherboard in the system is a PCChips motherboard. The motherboard model is A31G (V1.0). PCChips and Elitegroup Computer Systems (ECS) Co. merged in 2005 according to the Wikipedia article on Elitegroup Computer Systems.

At Not-a-virus.win32.restartcounter there is a posting on September 2, 2007 by YLstang, who has the same /windows/system32/tools directory on his system with the same files in it, judging from the screenshot of the directory on his system. There is a reply from quietman on September 3, 2007 who states the following:

Do you have an Elitegroup motherboard?
Elitegroup Computer Systems is a Taiwan-based electronics company.

Those files are probably part of the setup and installation of the motherboard drivers for the ECS (Elitegroup) motherboard as discussed here and here

The files in that folder are all listed here as safe. scroll down toward bottom of the list

So at this point, I feel I can probably view the malware listings for the file as false positives. I've encountered cases where tools that I use for diagnostics have been identified as malware, e.g. "hacker tools", simply because most users won't have the tools on their systems and they might be installed by "hackers" who have gained access to the systems. I haven't found any specific information on restart.exe that leads me to believe its presence on the system represents a threat to the system.

 


Created: Friday November 16, 2007