Number Of Rootkit And Password Protected Items On Lenovo Thinkpad

PaulIDA
edited January 2009 in Logs analysis

Hi


I recently had a virus(es) which I successfully removed. All seems to be operating well.


After my most recent DeepScan using Bitdefender AV2008, I noticed that the number of Rootkit and Password Protected items has increased.


I have a Lenovo Thinkpad and the Rootkit items are from a BackUp utility in RRbackups directory. There seems to be another set of files that are similar in name to the originals where a directory will have an extension .bd.ren. For example


C:\RRbackups\Documents and Settings.bd.ren/ ...


Does anybody know what these might correspond to?


There appears to be an increased number of Password protected files in the C:\SWTOOLS\APPS\rnr as well. Does this make sense?


I have older log files as well as new if anybody is able to do a diff in some way.


Thanks,


Paul

Comments

  • BTW


    The virus my PC had was the Antivirus 2009 one.

  • rootkit

    Please run a full scan and paste the log here ! :)

  • Please run a full scan and paste the log here ! :)


    Hi Crysty


    Here is the log produced from a deep scan.


    Thanks!


    Paul

    Attachment: 1231358447_1_02.xml

  • Had something similar and cured as follows. Might check into some more since I may run into future issues with going into safe mode to delete the bd.ren versions of old Lenovo RnR Backups.


    From reading up on this here and elsewhere, it appears that Bitdefender may rename locked files with bd.ren at the end - would guess this stands for BitDefender (bd) and RENamed (ren).


    In any case, I already use another backup program to save my files and system, so I went into Lenovo Care Backup and Recovery program's Advanced tab to delete the rnrbackup files after opting to turn off their scheduled backup option.


    However, because Bitdefender in previous scans had renamed the backup files, Lenovo's backup and recovery program seems to have gotten confused because it could not find the backup files it created originally since they were renamed. Because it had never deleted the backups, it still listed them as being there and available, but of course trying to restore from them or even delete them was now impossible from the Lenovo backup recovery GUI console.


    So here is what I did:


    1. Rebooted into Safe Mode and set folder view to see hidden items.


    2. Renamed all the hidden files in RRbackups directory to eliminate the bd.ren.


    3. Rebooted into regular mode, launched Lenovo backup recovery.


    4. That was now able to see and allowed me to delete these backups.


    5. Of course had already turned off Lenovo's backup/recovery schedule so no more will be created.


    6. Bitdefender does not come across these locked files anymore so I'm good.


    Please note: before doing this, make sure you have used another backup program to safeguard your system. Doing the above obviously deletes any backups done by Lenovo's recovery program and disables it in the future.


    On your other question:


    "There appears to be an increased number of Password protected files in the C:\SWTOOLS\APPS\rnr as well. Does this make sense?"



    Sorry, not sure on that except looks like a Norton program.


    Again, maybe wait a bit to see what others have to say. The above worked for me but I do not care if it crashes Lenovo's recovery system or not. Thus far though, about a week into it and no instability or problems running my machine.


    Cheapdude2
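
Added example, not part of the thread and not code from Bitdefender or Lenovo: a Python sketch of step 2 above that lists every entry ending in `.bd.ren`, plans the rename back to the original name, and goes beyond the manual step by reporting, rather than overwriting, cases where the original name already exists beside the renamed copy, as the first post describes. The function names and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

SUFFIX = ".bd.ren"  # suffix named in the thread


def plan_renames(root):
    """Return (renames, conflicts) for entries under root ending in SUFFIX.

    The tree is walked bottom-up, so a renamed file is listed before the
    renamed directory that contains it and every source path stays valid
    while the plan is applied in order.
    """
    renames, conflicts = [], []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in dirnames + filenames:
            if len(name) <= len(SUFFIX) or not name.lower().endswith(SUFFIX):
                continue
            src = os.path.join(dirpath, name)
            dst = os.path.join(dirpath, name[:-len(SUFFIX)])
            # A copy with the original name may sit next to the renamed one;
            # report it instead of overwriting.
            (conflicts if os.path.lexists(dst) else renames).append((src, dst))
    return renames, conflicts


def apply_renames(renames, dry_run=True):
    """Rename in plan order; with dry_run=True only report the targets."""
    targets = []
    for src, dst in renames:
        if not dry_run:
            os.rename(src, dst)
        targets.append(dst)
    return targets


if __name__ == "__main__":
    # Constructed sample tree, not taken from the poster's machine.
    with tempfile.TemporaryDirectory() as root:
        folder = os.path.join(root, "Documents and Settings.bd.ren")
        os.makedirs(folder)
        open(os.path.join(folder, "data.bin.bd.ren"), "w").close()
        open(os.path.join(root, "keep.txt"), "w").close()
        open(os.path.join(root, "keep.txt.bd.ren"), "w").close()
        renames, conflicts = plan_renames(root)
        for src, dst in renames:
            print("rename  ", src, "->", dst)
        for src, dst in conflicts:
            print("conflict", src, "(target exists)")
        apply_renames(renames, dry_run=False)
```

Review the planned list and the conflicts before calling `apply_renames` with `dry_run=False` on a real directory.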

  • I have just installed Internet Security 2009 and am also getting these "Rootkit" items in my Deep Scan Log from the Lenovo Rescue and Recovery folder. Is this a false positive? I sent my logs to BitDefender support a week ago but have heard NOTHING from them.