Does NOD correct registry entries?

A few months ago I had a customer (2 XP machine on a peer to peer network) who couldnt log into one machine from the other. He kept getting the message that access was denied.

I did a scan with NOD and found a virus (can't remember which one) but it was removed and problem was dealt with (or so I thought).

However, the access denied message continued and it wasn't until I did a Goggle search that I found the answer - the virus had changed a registry setting to prevent access to shared folders from other machines - I found this through Symantec's website and corrected the problem.

Does NOD correct registry problems caused by viruses?

 

That is a great question. Not sure if NOD32 does what you are asking but I don't think so. You will have to wait for the experts to chime in.

 

I would say no, but I am no expert. I would check remote access service like this: Start/Administrative Tools/Services.

 

No.
An AV program should catch the virus before any damage can happen.
At least that's what users trust with an AV program.

 

AFAIK no but im not sure about that

 

Marcos answer:
https://www.wilderssecurity.com/showpost.php?p=407309&postcount=8

in this thread:
https://www.wilderssecurity.com/showthread.php?t=71658

 

If the virus is detected by signature scanning, then in most cases, NOD32 will correct the registry entries. If it is detected by heuristics, then the reg keys are not corrected......yet.

 

And if you're upgrading someones PC to NOD32, and running that first time scan to remove any "bad guys" their prior antivirus totally missed?

I'd include that in the "trust" of an AV product.

 

This is not true, a threat should be removed from the run key regardless of whether it was detected by a signature or ThreatSense.

 

but what if nod32 doesnt know all the keys changed by the malware, then what?

 

I don't know of any AV that would revert all registry changes made by malware. You should remember that this would significantly reduce the number of samples added as each sample would require a detailed analysis and the signature with all of such information would be much bigger. Frankly, this would actually expose your computer to threats if an AV vendor had to focuse on detailed analysis of each piece of malware.

 

The registry entry in question wasn't the usual run, runonce etc keys. It was somewhere hidden in the remote access part of the registry

 

so which registry entries does nod32 focus on fixing?

 

The entries where infected files are run from.

 

Which one is this?

There's the 2x common ones I usually eyeball when cleaning manually...
MC\HK_C_U\Software\Microsoft\Windows\CurrentVersion\Run
and
MC\HK_L_M\Software\Microsoft\Windows\CurrentVersion\Run

 

Ahum , but unfortunately this isn't always enough .

To clean such things , I another softwares and aslo Symantec's site instructions which are really detailed one and they do analyze all threats and reg keys . See :

http://securityresponse.symantec.com/avcenter/venc/data/adware.ndotnet.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.k.html

 

It depends on the av product and the cure (signature) which is developed for the malware. Some signature may have information on how to clean the threat and this may include removing of malicious registry entries. AFAIK, NOD signatures do not contain this information but I stand corrected.

 

I feel sure Eset also analyses these registry entries and it would be nice if they had as detailed removal instructions as Symantec (but they're not always complete and correct).

You still have to delete and/or change permissions to access these registry entries manually, NAV doesn't remove all of them automatically. And their products are extremely invasive and impact performance dramatically (from my experience).

Even restoring an older registry can completely screw NAV up and prevent the pc from booting normally and would present a huge problem to someone who didn't know exactly what to do about it.

 

You must admit these Symantec instructions are marvelous .
Sure Norton doesn't remove them automatically . See , I am not Norton's fan , I really hate Norton . I just said that the instructions are detailed one.The instructions are something different from the product

 

I admit that they're removal instructions are very helpful when removing malware, and it would be very nice if Eset had such a valuable resource, but I'm sure that a "giant" such as Symantec would have a much easier job in building such a database. I'm sure it takes many employees and a lot of time dedicated to do so.

I prefer that Eset make their product(s) as complete as possible so that malware is detected before it can create the registry entries in the first place. Much easier to prevent infection than to recover from it.

 

Agreed

 

Ahem...I did say "the common ones"...wouldn't have enough room on this server to list all the entry locations of all the malware...and I hadn't seen which specific malware the OP is talking about yet.

 

And I still cant remember it... suffice to say it was a virus and not spyware and wasn't one of the common ones. I looked at the name, scratched my balding head and wondered what it did!

 

We tend to get that in the IT industry don't we?

<===Got the Dave Letterman isthmus myself.

 

Yes , may be this is the most important and definitely one the best with NOD 32