False Positive - EsetNOD32 registry files

[jacko]

Hi,

I've recently understood why Eset Nod 32 kept malfunctioning and not working properly after I saw the startup files in Malwarebyte's quarantine section. It highlights them as security hijacks but I don't think this is the case, as this is a legitimate purchase.

Can you please correct this. (or correct me if i'm wrong...)

Thanks

[jacko]

Sorry I forgot to upload

mbam_log_2010_07_12__00_20_04_.txt

[nosirrah]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe

The function of these keys is to allow another executable to run in the place of one with a static file name. Malware uses these keys to block security software from running.

I've recently understood why Eset Nod 32 kept malfunctioning and not working properly

It is likely that this is why NOD32 was not running correctly, these 2 files were being blocked.

[jacko]

It keeps blocking these keys even when I reinstall Nod32, is there a way to stop Malwarebytes from doing this? It is a false positive isn't it?

[nosirrah]

Your system is infected, you can read about the infection here:

http://webcache.googleusercontent.com/sear...=clnk&gl=us

Malwarebytes may be able to remove the rest of the infection in the next update, I am looking into this now.

[nosirrah]

It seems that your system likely has several replaced files that will need to be replaced, I am asking malware removal support to take a look at this.

[screen317]

Hi,

I highly recommend that you disconnect from the Internet for the duration of this fix.

Please transfer all required tools from a known clean computer to this one.

With that said, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.

[screen317]

I am also moving this topic to the Malware Removal forum.

[jacko]

Thanks for the reply, i guess it was positive after all!

Here's the log that wasn't minimised.

Cheers.

DDS.txt

[screen317]

Hi,

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.
  

-screen317

[jacko]

Hi,

I've done both scans and here are the logs.

Cheers and thanks for the help

DDS.txt

ComboFix.txt

[screen317]

Hi,

Open this file in Notepad and post its contents here:

c:\windows\system32\clr.BAT

Next, please update MBAM, run a Quick Scan, and post its log.

-screen317

[jacko]

Hi,

Here's the cl.bat contents:

@echo off

regedit /s "C:\WINDOWS\system32\clr.reg"

regedit /s "C:\WINDOWS\system32\IEHOME.reg"

move "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\clr.lnk" "C:\Documents and Settings\Default User\Start Menu\Programs\Startup"

del "%USERPROFILE%\Start Menu\Programs\Startup\clr.lnk" /f

and also the mbam log. It found an infection!

Thanks,

Jacko

mbam_log_2010_07_15__16_19_39_.txt

[screen317]

Hi,

Update MBAM, run another Quick Scan, and have it remove that item.

Also open these files in Notepad and post them here:

C:\WINDOWS\system32\clr.reg

C:\WINDOWS\system32\IEHOME.reg

[jacko]

Hi,

Heres the contents of clr.reg:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]

"FontSmoothing"="2"

"FontSmoothingType"=dword:00000002

And this is the content from IEHOME.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://shoptoshiba.ca/welcome/"

Can I just quarentine 'RESET.reg' and it will eventually be cleaned, or do i have to permanently delete it? I'm just thinking because the anti-virus program came with the computer and it originally had that file to reset NOD32's trial.

I appeciate your help,

Jacko

p.s Just to let you know, my system is a bit strained since I installed Trend Micro - It kept freezing (must have interacted with Malware programs - such a pain). But I managed to unistall it and it seems okay now.

[screen317]

Hi,

Do you still have NOD32 installed? If so, that would likely conflict with Trend Micro.

Yes you can permanently delete the RESET.reg file, but what do you mean by "I'm just thinking because the anti-virus program came with the computer and it originally had that file to reset NOD32's trial."??

[jacko]

Hi,

Its fine, I've unistalled Trend Micro instead.

As for the reset.reg, it was meant to reset Nod32's Trial period, otherwise it would just expire.

Sorry if I was unclear.

[jacko]

Would deleting this file clean the whole infection? If not, please let me know so I know you're working on it.

Thanks

[screen317]

What do you mean reset the trial period?? Are you not actually paying for ESET?

[screen317]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!