Hi people, after formatting, TDS3 comes up with this: RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit] Is this a real trojan or a false alarm? I can delete the registry entry only until the next reboot, then it's back. Best, Grant
Thanks Jooske, I can't find the file, however. The last time I saw this file was when I had XP Pro. After 2 weeks I threw it away (after wiping the drive + fdisk/formatting), went back to 98 and never had another trojan alarm until I got XP Home.
Not necessarily a trojan; I googled around and see it in several HJT logs on the internet with no deletion advice, and this: "oemreset.exe OEMCLEANUP Resets OEM installation settings at bootup. Not required unless you're new to PC's" So it seems harmless and sounds annoying in some cases. No reason to rebuild your system for that one, unless it would really contain a nasty. Thought Gavin mentioned in another thread that this kind of alarm is not to worry about too much, but don't pin me on that till that advice is located again!
Well, it doesn't look like a trojan. What that is alarming on seems to be the DEFAULT key in the registry. You can have keys with names, or there is a default entry, which shouldn't really be used. It also should not be alarming; get the latest database and then run TDS, do a trace scan. Does it come back? If so, please right-click the alarm and choose save as text, then paste it here.
Hi! Yes, it does return after the trace scan. Here is the text:
Scan Control Dumped @ 22:11:46 26-01-04
(Deleted) RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]
NTFS Alternate Data Stream: ADS Hidden Stream Detected: 0 bytes File: c:\documents and settings\all users\documents\my pictures\sample pictures\thumbs.db:encryptable
NTFS Alternate Data Stream: ADS Hidden Stream Detected: 0 bytes File: c:\documents and settings\oo\my documents\my pictures\thumbs.db:encryptable
RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]
The extra alarms that are now showing are from two digital photographs I just added. The first time I ever encountered the RegVal alarm was when I used XP Pro for two weeks a few years ago. Can't be a coincidence that I have it back with XP Home. I have the sensitivity turned to max; perhaps that's why it's alarming?
Hi, I just wiped the drive 7 times and then formatted. The first thing I did online using Opera was to download the KF for TDS3 and then run a scan. Same thing showed up. (Scan Control Dumped @ 12:51:38 28-01-04 (Deleted) RegVal Trace: Possible Trojan: HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\Run [*=C:\WINDOWS\Options\OEMReset.exe /Audit]) The old fdisk/mbr I could do with 98 might make the difference. Anyways, I hope it isn't a trojan, as I used my credit card online.
Grant, I posted above that it is part of XP and a file you don't really need, as it's one resetting your system to defaults after reboot. It does come with XP, so somewhere it must be found; make all your files visible in the Windows settings. There was not any need to reformat the system for a file which comes with the Windows install. Gavin told you it is innocent, and if you locate it, to submit it so he can check it extra for you. For the NTFS ADS streams, it has been posted various times in this forum that you can in your scan options ignore files smaller than 88 bytes or 256 bytes, so certainly the 0-byte files. They are rather usual in images, scanners might add them, etc.
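The triage the replies walk through (duplicate alarms, the default Run value, tiny ADS streams) can be applied mechanically to a pasted alarm dump. The following is an added example, not part of the thread and not TDS-3's own code; the record layout is inferred from the text Grant pasted, `*` is assumed to mean the unnamed (default) value as Gavin's reply suggests, and the 88-byte threshold is the one from Jooske's reply.

```python
import re
from collections import Counter

# Constructed sample: the alarm text pasted in the thread, flattened to one line.
SAMPLE = (
    r"Scan Control Dumped @ 22:11:46 26-01-04 (Deleted) RegVal Trace: Possible Trojan: "
    r"HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\Run "
    r"[*=C:\WINDOWS\Options\OEMReset.exe /Audit] NTFS Alternate Data Stream: ADS Hidden "
    r"Stream Detected: 0 bytes File: c:\documents and settings\all users\documents"
    r"\my pictures\sample pictures\thumbs.db:encryptable NTFS Alternate Data Stream: "
    r"ADS Hidden Stream Detected: 0 bytes File: c:\documents and settings\oo"
    r"\my documents\my pictures\thumbs.db:encryptable RegVal Trace: Possible Trojan: "
    r"HKEY_LOCAL_MACHINE File: Software\Microsoft\Windows\CurrentVersion\Run "
    r"[*=C:\WINDOWS\Options\OEMReset.exe /Audit]"
)

KINDS = r"RegVal Trace|NTFS Alternate Data Stream"
# One record = "<kind>: <description> File: <location>", ending at the next kind or EOF.
RECORD = re.compile(rf"({KINDS}): (.*?) File: (.*?)(?=\s+(?:{KINDS}):|\s*$)", re.S)

def parse_dump(text):
    """Split a flattened alarm dump into (kind, description, location) records."""
    return [tuple(p.strip() for p in m.groups()) for m in RECORD.finditer(text)]

def triage(records, ads_min_bytes=88):
    """Deduplicate alarms and attach a verdict following the advice in the thread."""
    out = []
    for (kind, desc, loc), count in Counter(records).items():
        if kind == "NTFS Alternate Data Stream":
            size = int(re.search(r"(\d+) bytes", desc).group(1))
            verdict = "ignore" if size < ads_min_bytes else "review"
            out.append((verdict, kind, loc, count))
            continue
        # Location is "key [name=command]"; '*' is assumed to be the default value.
        key, name, command = re.fullmatch(r"(.*?) \[(.*?)=(.*)\]", loc).groups()
        exe = re.match(r".*?\.exe", command, re.I)
        target = exe.group(0) if exe else command  # file to locate and submit
        label = "(default)" if name == "*" else name
        out.append(("review", kind, f"{key} {label} -> {target}", count))
    return out

if __name__ == "__main__":
    for row in triage(parse_dump(SAMPLE)):
        print(*row, sep=" | ")
```

A "review" verdict on the Run entry means the step the replies ask for: locate the target file and submit it for checking.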