Avast and Win32:Luder-F

I'm cleaning up my son's computer and Avast is detecting Win32:Luder-F in two types of files: winlogon.exe and autofmt.exe, located in the HP recovery partition's MiniNT\system32, I386\SYSTEM32 and cmdcoms folders. No other antivirus/spyware programs are detecting this.

Are there any known false positives related to Avast and this virus?

If these are actually infected, Avast can remove, but not repair these files. Is there a way to access the locked folders so that I can write a non-infected copy of these files to the recovery partition?

 

http://www.majorgeeks.com/images/grenade.gifWelcome to MajorGeeks.com!http://www.majorgeeks.com/images/grenade.gif

Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

Read & RUN ME FIRST Before Asking for Support

 

At this point, I was part way through the initial cleanup work and had these specific questions regarding this virus and Avast, and the issue of accessing the HP Recovery Partition. I wanted to address whether they might be false positives or if I should delete these particular files before I proceed further and then, whether I can replace them within the Recovery Partition if I do delete them.

Any info on these specific questions before I run the full "Read and Run Me First?"

I don't want to delete files from the Recovery Partition if not really infected. Neither Spybot, AVG, nor a-squared reported these files as infected, but Avast did.

Thanks.

 

It's very possible they are false positives however it's hard to say. Can you attach a screenshot of the alert from Avast?

Also, you may want to try to have the files in question scanned by the online scanner below.

http://virusscan.jotti.org/

 

I uploaded one of the files to jotti and it was detected by six of the scanners, so I'm sure the files are infected.

My problem is this:
Avast is able to delete the infected files from the HP Recovery Partition. I need to access those protected folders so that I can write clean files to replace those deleted. How can I gain access to the Recovery Partition on an HP Pavilion?

 

What is the exact location of the detections?

 

The files I'm concerned with replacing are all in the HP Recovery Partition which is the D logical drive.

The files are:
D:\I386\SYSTEM32\autofmt.exe
D:\I386|SYSTEM32\winlogon.exe
D:\MiniNT\system32\autofmt.exe
D:\MiniNT\system32\winlogon.exe
D:\cmdcons\autofmt.exe

It also appeared in the System Restore file:
D:\System Volume Informatio_restore{D7BD54B8-C977-4903-8CE7-9415B851EC71}\RP5\
A0000120.exe, A0000122.exe, A0000123.exe, A0000124.exe, A0000125.exe

There were some instances on the C drive, but those I have access to for replacement. It is the D dvive that has restricted access.

 

I do believe those are false positives from Avast. First, I would be sure I have the latest version of the applicaton which is Avast! Home Edition 4.7.1098. Next, be sure you have the latest definitions installed which are avast! Virus Definitions December 5, 2007.

Also, I wouldn't remove those files nor would I modify them in any way. If they are modified/deleted they will more than likely not work when you try to reinstall from that recovery partition.

 

To address the above, follow the below...

• If you are running Windows XP or Windows ME, do the below:
  • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
  • Then reboot and Enable System Restore to create a new clean Restore Point.