AV Software Wars

Discussion in 'ESET NOD32 Antivirus' started by Henry Altaras, Mar 14, 2010.

Thread Status:
Not open for further replies.
  1. Henry Altaras

    Henry Altaras Registered Member

    1. The product a-squared Anti-Malware is detecting two registry keys belonging to NOD32 AV 4.2.35 as a threat: Trace.Registry.VirusShield2009!A2

    2. The detected registry locations are:
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\equi.exe
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\Image File Execution Options\ekrn.exe

    3. The a-squared Anti-Malware Web site (http://www.emsisoft.com/en/malware/?Trace.Registry.VirusShield2009!A2) provides the following information on the above threat:

    "Registry traces are known references of Spyware/Adware which are stored in the Windows registry database. Traces may be autorun keys which make Spyware/Adware run automatically on Windows startup. Traces may also be registrations of Spyware/Adware DLL files which are registered to hijack the Windows Explorer or the web browser. Traces cannot be harmful by definition. They are only some kind of helpers to enable Malware to be installed and run on your computer."

    4. The scan log is attached.
     


  2. Thankful

    Thankful Savings Monitor

  3. Triple Helix

    Triple Helix Specialist

    Other AVs will at times detect other AVs and programs as malware, which are false positives. You should upload those two files, which are in C:\Program Files\Eset, to Emsisoft so they can get them fixed! http://www.emsisoft.com/en/support/submit/

    HTH,

    TH

    Edit: Thankful beat me to it! ;)
     
  4. Thankful

    Thankful Savings Monitor

    As I posted above, I sent the traces to Emsisoft as well as posted in their forum. The ball is in their court. In the last two weeks I have sent several FPs to Emsisoft. I have removed A squared Free due to the hassle the FPs have been causing.
     
  5. Triple Helix

    Triple Helix Specialist

    See my Edit! ;)

    Cheers,

    TH
     
  6. Thankful

    Thankful Savings Monitor

    No problem.
    Thanks.
     
  7. 3x0gR13N

    3x0gR13N Registered Member

    I highly doubt they are FPs. The "Image File Execution Options" is an OS feature, and depending on the value specified (Debugger) it can disable programs from executing, hence it is frequently used to "hijack" or disable AVs from running. The keys don't belong to Eset AV.
     
  8. Thankful

    Thankful Savings Monitor

    There is no value set for those two registry values.
    It is also possible the new version of NOD32 (4.2.35.0) introduced those two registry values.
     
  9. 3x0gR13N

    3x0gR13N Registered Member

    Yes, that's why I said "depending on the value specified". That's why Eset is running.
    Doubt it. ;) But I'll check.
    Edit: just downloaded and installed the latest version and it does indeed place those keys to prevent hijacking by malware. :)
     
    Last edited: Mar 14, 2010
  10. Thankful

    Thankful Savings Monitor

    Thanks for checking.
     
  11. Marcos

    Marcos Eset Staff Account

    They should check for the presence of the Debugger value instead of just the reference to egui.exe/ekrn.exe in that key.
     
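Marcos's point above, as an added example that is not code from the thread, from ESET or from Emsisoft: a check that parses a constructed .reg export of the Image File Execution Options key and flags only subkeys that carry a Debugger value, treating bare subkeys like the egui.exe/ekrn.exe ones as benign. The example_av.exe entry and its Debugger path are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (not from the thread). egui.exe and ekrn.exe are
# bare IFEO subkeys like the ones discussed (no Debugger value); example_av.exe is a
# hypothetical entry whose Debugger value redirects execution to another program.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example_av.exe]
"Debugger"="C:\\Windows\\System32\\svchost.exe"
"""

# Registry paths are case-insensitive, so the prefix is compared in lower case.
IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
               r"\Image File Execution Options" + "\\").lower()

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the [key] and "name"="value" lines of a .reg export into a dict."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(.*)', line)
            if m:
                name, raw = m.groups()
                # String values are quoted; strip the quotes and unescape backslashes.
                if raw.startswith('"') and raw.endswith('"'):
                    raw = raw[1:-1].replace("\\\\", "\\")
                keys[current][name] = raw
    return keys

def ifeo_findings(text: str) -> List[Tuple[str, str]]:
    """Return (image_name, verdict) for every IFEO subkey in the export.
    Only a Debugger value redirects execution, so only that is flagged."""
    findings = []
    for key, values in parse_reg(text).items():
        if not key.lower().startswith(IFEO_PREFIX):
            continue
        image = key.rsplit("\\", 1)[1]
        debugger = values.get("Debugger")
        if debugger:
            findings.append((image, f"hijack: Debugger={debugger}"))
        else:
            findings.append((image, "benign: key present, no Debugger value"))
    return findings
```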
  12. Henry Altaras

    Henry Altaras Registered Member

    Thank you for the interest. I suppose we should wait for information that is more conclusive.
    I have reported the issue to a-squared as a possible false positive. So far no reply.
     
  13. Thankful

    Thankful Savings Monitor

    This is no longer detected by A-Squared Free.
     