Viruses in "Restore to Factory Settings"...???

T4x series specific matters only
T7TrainingSystems
Freshman Member
Posts: 63
Joined: Sun Apr 15, 2007 9:02 am
Location: Sydney, Australia

Viruses in "Restore to Factory Settings"...???

#1 Post by T7TrainingSystems » Wed Jan 07, 2009 3:00 am

I'd have thought this would be impossible, but...

I bought a T40 for a relative off eBay. Avast virus checker said that XPclient.exe had a trojan horse virus. No matter, I figured, going to restore to factory settings anyway, and did so. Sure enough, after restoring to factory settings, it was gone.

Then we did a backup using R&R and lo and behold, the virus was back!! Seems it is regenerated with the other R&R files when it's run the first time. How could that be possible?? The laptop hadn't been on the net at all. A few days later, she did a scan with Comodo (I think) and it found these:

Anti.0064.xpoint.variantID C:\Program Files\xpoint\agent\epagent.exe
VBS.ak.S.A(ID=oxa5e) C:\Program Files\xpoint\pe\dig\lastboot.exe
VBS.ak.S.A.(ID=oxa58) C:\Program Files\xpoint\pe\dig\RECRTSP.exe
VBS.ak.S.A.(ID=oxa5e) C:\Program Files\xpoint\pe\dig\xpshell.exe

Can anyone shed some light on this? Is it possible that a virus is in the pre-installation environment? Are these false positive? Or am I missing something here? Anyone else experienced this?
Main: T60 -- 500gig 4gig Win7/Vista dual
1 x T42, 2 x T41, 4 x T40, 2 x T30, 1 x T23, 1 x T22
Ex-main: T23 1.13Ghz, 20gig, XP SP1
Ex-ex-main: 600X - 10gig 256mb Win98 - very fast on Win98!!
http://www.T7.net.au

Mike Blake
Sophomore Member
Posts: 248
Joined: Sun Mar 30, 2008 4:28 pm
Location: Warwick, Rhode Island

Re: Viruses in "Restore to Factory Settings"...???

#2 Post by Mike Blake » Wed Jan 07, 2009 4:17 am

This could be a case of mistaken identity. One site I found lists, for example, two xpagent.exes, one part of R&R, the other as malware:

XPAgent

Name: Xpagent
Command: xpagent.exe
Status: Unknown
Description: Part of the IBM/XPoint Rapid Restore utility.

Name: XPAgent
Command: XPAgent.exe
Status: Definitely not required. Usually Malware.
Description: Reported as the CLICKER.LE TROJAN by Panda Anti-Virus. Do not confuse this with the IBM/XPoint Rapid Restore file which is generally located in the PROGRAM FILES\XPOINT\AGENT folder

There were a number of other R&R files also listed.

I think you may want to do some research/Googling on those file names you found. (It's 4 in the morning here, so I'm not feeling inspired to do it for you right now. :wink: )
--Mike Blake
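The distinction Mike draws above, a legitimate R&R binary under PROGRAM FILES\XPOINT versus malware that borrows the same file name elsewhere, is something you can check mechanically rather than by eye. The script below is an added example for this thread, not code from IBM, Avast, Comodo or either poster. It classifies each flagged path from the first post by install location, then shows why two files sharing a name must be compared by hash before they are assumed to be the same binary. The install root, the file-name list and the extra `C:\WINDOWS\system32\XPAgent.exe` hit are assumptions taken from the two posts, and the file contents it hashes are constructed stand-ins, not real R&R files.

```python
"""Triage of antivirus hits on IBM/XPoint Rapid Restore (R&R) files.

Added example for this forum thread; not code from IBM or the posters.
A hit is classified by where the file sits relative to the R&R install
root named in the thread, and files that share a name are compared by
SHA-256. Sample paths and file contents are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# Install root of the legitimate R&R components (from the thread; assumed).
RR_INSTALL_ROOT = PureWindowsPath(r"C:\Program Files\xpoint")

# File names the thread attributes to R&R, lower-case for comparison.
RR_FILENAMES = {"xpagent.exe", "epagent.exe", "lastboot.exe",
                "recrtsp.exe", "xpshell.exe"}


def classify_hit(flagged_path: str) -> str:
    """Classify an AV hit by the file's location.

    "expected-location": R&R file name under the R&R install root; a false
                         positive is plausible, verify by hash with the vendor.
    "name-collision":    R&R file name outside the install root; treat as
                         malware reusing a trusted name until proven otherwise.
    "unrelated":         not an R&R file name at all.
    PureWindowsPath compares case-insensitively, as NTFS lookup does.
    """
    p = PureWindowsPath(flagged_path)
    if p.name.lower() not in RR_FILENAMES:
        return "unrelated"
    if RR_INSTALL_ROOT in p.parents:
        return "expected-location"
    return "name-collision"


def sha256_file(path) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def same_binary(path_a, path_b) -> bool:
    """True only when both files have identical content, whatever their names."""
    return sha256_file(path_a) == sha256_file(path_b)


def build_sample_tree() -> dict:
    """Construct three files (contents are made up, not real R&R binaries):
    a 'legitimate' xpagent.exe, a byte-identical copy of it, and an
    impostor that has the same name but different content."""
    root = Path(tempfile.mkdtemp(prefix="rr_triage_"))
    legit = root / "xpoint" / "agent" / "xpagent.exe"
    copy = root / "backup" / "xpagent.exe"
    impostor = root / "system32" / "xpagent.exe"
    for p in (legit, copy, impostor):
        p.parent.mkdir(parents=True, exist_ok=True)
    legit.write_bytes(b"MZ constructed stand-in for the R&R agent\n")
    copy.write_bytes(legit.read_bytes())
    impostor.write_bytes(b"MZ constructed stand-in for something else\n")
    return {"legit": str(legit), "copy": str(copy), "impostor": str(impostor)}


if __name__ == "__main__":
    # The four hits from the first post, plus one constructed hit with the
    # same name in a location where R&R installs nothing (assumption).
    hits = [
        r"C:\Program Files\xpoint\agent\epagent.exe",
        r"C:\Program Files\xpoint\pe\dig\lastboot.exe",
        r"C:\Program Files\xpoint\pe\dig\RECRTSP.exe",
        r"C:\Program Files\xpoint\pe\dig\xpshell.exe",
        r"C:\WINDOWS\system32\XPAgent.exe",  # constructed, not from the thread
    ]
    for h in hits:
        print(f"{classify_hit(h):18s} {h}")

    files = build_sample_tree()
    print("legit == copy    :", same_binary(files["legit"], files["copy"]))
    print("legit == impostor:", same_binary(files["legit"], files["impostor"]))
    print("legit sha256     :", sha256_file(files["legit"]))
```

The location check only tells you which of the two cases Mike's listing describes you are looking at; it does not prove the file in the expected folder is clean. The hash is what you compare against a known-good copy from another machine or submit to the AV vendor when disputing the detection.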

T7TrainingSystems
Freshman Member
Posts: 63
Joined: Sun Apr 15, 2007 9:02 am
Location: Sydney, Australia

Re: Viruses in "Restore to Factory Settings"...???

#3 Post by T7TrainingSystems » Thu Jan 08, 2009 3:50 pm

Thanks Mike, I'd come to a similar conclusion from Googling but wasn't feeling very at ease about it.

To see someone else come to the same conclusion is reassuring!

Only doubt in my mind is that I'd imagine there'd be lots of mentions of this false-positive on the board here, but I find practically none.

Still, I'm planning to circumvent the whole issue next time we do a factory restore by interrupting the factory restore process with a BartPE CD and deleting these files before they're inflated (unzipped...?) and install the latest restore program from the IBM site.

I've tried this on my own T40/T41 laptops and it works a treat!

Thanks for your reply!
