Brief failure to Scan causing concerns

Discussion in 'NOD32 version 2 Forum' started by Huwge, Nov 4, 2005.

Thread Status:
Not open for further replies.
  1. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Tried to run a full scan. After around five seconds, poof, NOD scan window vanished. Tried again and same result. Did online virus scan, trojan scan and spyware scan... all clean. Tried again with same result. Turned NOD off then back on and scanned OK with the following errors... don't know how to cut and paste the scan results

    pagefilesys

    ntuser
    ntuserdat..these two appear a few times

    all adaware files password protected?

    mousepoint manager remotedatabase ...access denied

    and a load of system32 files locked

    Can anyone put my mind at rest or shine any light on this please o_O
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please try running a scan in "Safe Mode" and see what the results are.

    Cheers ; D
     
  3. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    To copy the contents of a scanner log, just open it up and right-click on the log contents. You will get the options, "Copy selected", "Copy all", and "Export to file". :)

    Most of the files you mention are locked because they are in active use by Windows...
    • pagefile.sys is the Windows swapfile.
    • hiberfil.sys is the Windows hibernation file.
    • The "NTUSER.DAT" and "ntuser.dat.log" files are associated with the user portions of the Windows Registry.
    • The files in the C:\Windows\system32\config folder are the rest of the Windows registry.
    • C:\Windows\SoftwareDistribution\EventCache\{.....} is associated with Windows Update.
    • I am not sure about the "UsrClass.dat" and "UsrClass.dat.log" files, but I am pretty sure those are also locked by Windows.
    • The Ad-Aware files are password protected to prevent them from being detected (and deleted!) by other antispyware detection programs. This also helps prevent hackers from doing things like stealing the Ad-Aware data to use in their own programs.
    The only one I am not sure about is the "mousepoint manager remote database". Do you have any more info about this file, now that you know how to cut and paste from the log? ;)
     
  4. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Scan in Safe Mode gave same result. No threats detected. The Mouseline I mentioned above is C:\System Volume Information\mousepointmanagerremotedatabase

    Thanks in advance
     
  5. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    It is not "mouse" it is "mount" and on my system it looks like this:

    D:\System Volume Information\MountPointManagerRemoteDatabase

    I don't know what exactly this is, but it seems to be normal that this thing is blocked during the scan, as probably it is blocked by the OS like other system files being in use, or being protected. During each of my scans I have this and other system areas and files inaccessible by NOD and listed in LOGs as "error opening - access denied" and it is around 20-30 entries. Also in my case some Ad-aware files are reported as being password protected, nothing extraordinary.

    The strange thing is that NOD scan window disappears while scanning and I have no idea why it happens.
     
    Last edited: Nov 4, 2005
  6. auriell

    auriell Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    105
    Location:
    Warsaw, Poland
    What I found about "System Volume Information" directory is this:

    The System Volume Information folders contain your restore points.
     
  7. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Thanks for the reply, my apologies for the misread, must be my age/eyesight. Scans are running fine after turning NOD off then on after the problems first time around. I'm just a bit paranoid (guess most are to some extent at Wilders :p ) and worry there's some nasty keylogger or something on the machine that caused the fault
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I'd be worried too if Nod32 spat the dummy and shut itself off during a scan.

    Always good to ask questions in such cases.

    Cheers :D
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    My copy does that too during scheduled scans sometimes; it just shows scanning in the log entry after about 300 files. I delete the scheduled entry and recreate it, and that fixes it for a month or so, and then it hiccups again. I think it is related to short power outages messing up files on the HDD though and not anything Eset could control.
     
  10. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Hope that's the case and it's nothing sinister. Nothing untoward has happened yet and nothing new trying to connect to the net according to Netveda.

    My worst scenario would be a keylogger. Anyone have any suggestions on any other scans I should run to check apart from Adaware, Nod, MSAS A2 and MSAS?
     
  11. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Some anti-keyloggers have trial versions but I don't know which you should try. For online scans try Panda; I really like it. It checks for and removes all kinds of things. http://www.pandasoftware.com/products/activescan.htm
     
  12. mhakman

    mhakman Registered Member

    Joined:
    Dec 13, 2004
    Posts:
    3
    Then how do you know that a virus doesn’t hide in one of these files? The same question applies to “access denied” files.

    Thanks/Mikael
     
  13. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Good question!

    For the files that I said are in active use by Windows, there is no way to be 100% sure. It helps that I happen to know what these files are for, and that Windows will not unlock these files as long as they are in use. However, this is not 100% foolproof. What happens if I log in as "User A", and contract a virus that injects code into the registry portion of "User B"? Since User B's portion of the registry is not in active use, this would be possible. Then when User B logs in, his portion of the registry would be active, locked by Windows, and have a virus.

    Now, it helps to know that it would be difficult to create a virus that would do something like this without breaking Windows in the process, but "difficult" is not the same as "impossible". The only way I can think of to be 100% certain is to scan the disk when Windows is not active, and therefore not locking these files. For example, remove the disk from one computer, stick it in another computer as a slave drive, and then check for viruses... or run a multiboot system... etc.

    At the very least, it helps to know which files are *supposed* to be locked by the operating system. Viruses will have the same problems accessing these files that NOD32 does.

    By the way, I have come across some other "Access denied" files that were *not* locked by the operating system, but they were not viruses, either. Sometimes these locked files come as a result of file system corruption. Running chkdsk to fix the NTFS file structure has gotten rid of these problems for me.
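
Added example, not part of the original posts and not ESET code: a small triage script that applies the list of normally locked Windows files from this thread to a scan log, so that only unexplained "access denied" entries are left for review. The log line shape (`<path> - <status>`) and every sample path are constructed assumptions; only the status strings "error opening - access denied" and "password protected" come from the thread.

```python
import re

# Paths the thread names as normally locked while Windows is running.
EXPECTED_LOCKED = [re.compile(p, re.IGNORECASE) for p in (
    r"\\pagefile\.sys$",
    r"\\hiberfil\.sys$",
    r"\\ntuser\.dat(\.log)?$",
    r"\\usrclass\.dat(\.log)?$",
    r"\\windows\\system32\\config\\[^\\]+$",
    r"\\windows\\softwaredistribution\\eventcache\\",
    r"\\system volume information\\",
)]

# Assumed line shape; the status is anchored at the end so " - " in a path is safe.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+) - "
    r"(?P<status>error opening - access denied|password protected)$",
    re.IGNORECASE,
)

def triage(log_text):
    """Sort scan-log lines into buckets; 'review' holds unexplained denials."""
    buckets = {"expected": [], "review": [], "password_protected": [], "unparsed": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)
        elif m["status"].lower() == "password protected":
            buckets["password_protected"].append(m["path"])
        elif any(rx.search(m["path"]) for rx in EXPECTED_LOCKED):
            buckets["expected"].append(m["path"])
        else:
            buckets["review"].append(m["path"])
    return buckets

# Constructed sample log (not real NOD32 output).
SAMPLE_LOG = r"""
C:\pagefile.sys - error opening - access denied
C:\Documents and Settings\UserA\NTUSER.DAT - error opening - access denied
C:\WINDOWS\system32\config\SAM - error opening - access denied
D:\System Volume Information\MountPointManagerRemoteDatabase - error opening - access denied
C:\Program Files\ExampleApp\data - old\cache.bin - error opening - access denied
C:\Program Files\Ad-Aware\defs.ref - password protected
Scan completed
"""
print({name: len(items) for name, items in triage(SAMPLE_LOG).items()})
```

An entry in the `expected` bucket only means the path matches a file Windows normally locks; the contents were still not scanned, which is why the thread points to scanning the disk while Windows is not running.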
     
  14. mhakman

    mhakman Registered Member

    Joined:
    Dec 13, 2004
    Posts:
    3

    This is exactly what I would like to do. However, the actual disk is in a notebook computer so it’s not easy to connect it to another computer. Certainly nothing you do routinely. It would be nice to have NOD32 scanner on a bootable CD – this would be helpful not only for this purpose but also in other cases such as computer being heavily infected so that installed NOD32 doesn’t work properly anymore. Is there any practically feasible way to make such a CD?

    Thanks/Mikael
     
  15. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I know the subject has come up in the past, and it is probably in the wish list. For now, you can do a search of this forum for "bootable cd" and find several threads. I have not followed them closely enough to know exactly what they say.
     
  16. mhakman

    mhakman Registered Member

    Joined:
    Dec 13, 2004
    Posts:
    3
    Many thanks for the advice. I found an interesting discussion here in NOD32 on bootable media - real world options thread. Standard build of UBCD4Win known as windows ultimate boot cd in that thread boots from CD and allows me to run NOD32.
     