Does NOD correct registry entries?

Discussion in 'NOD32 version 2 Forum' started by pc-support, May 10, 2006.

Thread Status:
Not open for further replies.
  1. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    A few months ago I had a customer (2 XP machines on a peer to peer network) who couldn't log into one machine from the other. He kept getting the message that access was denied.

    I did a scan with NOD and found a virus (can't remember which one) but it was removed and problem was dealt with (or so I thought).

    However, the access denied message continued and it wasn't until I did a Google search that I found the answer - the virus had changed a registry setting to prevent access to shared folders from other machines - I found this through Symantec's website and corrected the problem.

    Does NOD correct registry problems caused by viruses?
     
  2. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    That is a great question. Not sure if NOD32 does what you are asking but I don't think so. You will have to wait for the experts to chime in. :)
     
  3. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    I would say no, but I am no expert. I would check remote access service like this: Start/Administrative Tools/Services.
     
  4. kenw

    kenw Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    112
    Location:
    Brighton, Colorado
    No.
    An AV program should catch the virus before any damage can happen.
    At least that's what users trust with an AV program.
     
  5. cupez80

    cupez80 Registered Member

    Joined:
    Jun 28, 2005
    Posts:
    605
    Location:
    Surabaya Indonesia
    AFAIK no, but I'm not sure about that :D
     
  6. Aerul

    Aerul Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    5
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    If the virus is detected by signature scanning, then in most cases, NOD32 will correct the registry entries. If it is detected by heuristics, then the reg keys are not corrected......yet. ;)
     
  8. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    And if you're upgrading someone's PC to NOD32, and running that first time scan to remove any "bad guys" their prior antivirus totally missed?

    I'd include that in the "trust" of an AV product.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    This is not true, a threat should be removed from the run key regardless of whether it was detected by a signature or ThreatSense.
     
  10. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    But what if NOD32 doesn't know all the keys changed by the malware, then what?
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I don't know of any AV that would revert all registry changes made by malware. You should remember that this would significantly reduce the number of samples added as each sample would require a detailed analysis and the signature with all of such information would be much bigger. Frankly, this would actually expose your computer to threats if an AV vendor had to focus on detailed analysis of each piece of malware.
     
  12. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    The registry entry in question wasn't the usual run, runonce etc keys. It was somewhere hidden in the remote access part of the registry
     
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    So which registry entries does NOD32 focus on fixing?
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The entries where infected files are run from.
     
  15. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Which one is this?

    There's the 2x common ones I usually eyeball when cleaning manually...
    MC\HK_C_U\Software\Microsoft\Windows\CurrentVersion\Run
    and
    MC\HK_L_M\Software\Microsoft\Windows\CurrentVersion\Run
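
An added example (not from any poster in this thread): a PowerShell check over the two Run keys listed above, plus the RunOnce keys mentioned earlier in the thread, that reports each autostart value and whether the file it points to still exists. The helper names `Get-CommandTarget` and `Test-CommandTarget` are hypothetical.

```powershell
# Added example: review autostart values and flag targets that no longer exist on disk.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the program path out of a Run value's command line.
function Get-CommandTarget {
    param([string]$Command)
    $text = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($text -match '^"([^"]+)"') { return $Matches[1] }   # quoted path, may contain spaces
    if ($text -match '^(.+?\.(exe|com|bat|cmd|scr|pif|vbs|js))(\s|$)') { return $Matches[1] }
    return ($text -split '\s+')[0]                          # fall back to the first token
}

# Hypothetical helper: true if the target is a file on disk or resolvable through PATH.
function Test-CommandTarget {
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    if (Test-Path -LiteralPath $Target -PathType Leaf -ErrorAction SilentlyContinue) { return $true }
    if ($Target -notmatch '[\\/]') {
        # Bare names such as rundll32.exe are looked up the way the shell would find them.
        return [bool](Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue)
    }
    return $false
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }    # RunOnce keys are often absent
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $target  = Get-CommandTarget -Command $command
        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Command      = $command
            Target       = $target
            TargetExists = Test-CommandTarget -Target $target
        }
    }
}

# Missing targets sort first: these are the leftover entries to inspect by hand.
$report | Sort-Object TargetExists, Key, Name | Format-List
```

It only covers autostart values; any other setting a threat may have changed is outside what it inspects.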
     
  16. ASpace

    ASpace Guest


    Ahum, but unfortunately this isn't always enough.

    To clean such things, I use other software and also Symantec's site instructions, which are really detailed, and they do analyze all threats and reg keys. See:

    http://securityresponse.symantec.com/avcenter/venc/data/adware.ndotnet.html

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.zlob.k.html
     
  17. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    It depends on the AV product and the cure (signature) which is developed for the malware. Some signatures may have information on how to clean the threat and this may include removing malicious registry entries. AFAIK, NOD signatures do not contain this information but I stand corrected.
     
  18. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I feel sure Eset also analyses these registry entries and it would be nice if they had as detailed removal instructions as Symantec (but they're not always complete and correct).

    You still have to delete and/or change permissions to access these registry entries manually, NAV doesn't remove all of them automatically. And their products are extremely invasive and impact performance dramatically (from my experience).

    Even restoring an older registry can completely screw NAV up and prevent the pc from booting normally and would present a huge problem to someone who didn't know exactly what to do about it.
     
  19. ASpace

    ASpace Guest


    You must admit these Symantec instructions are marvelous.
    Sure, Norton doesn't remove them automatically. See, I am not Norton's fan, I really hate Norton. I just said that the instructions are detailed ones. The instructions are something different from the product.
     
  20. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    I admit that their removal instructions are very helpful when removing malware, and it would be very nice if Eset had such a valuable resource, but I'm sure that a "giant" such as Symantec would have a much easier job in building such a database. I'm sure it takes many employees and a lot of time dedicated to do so.

    I prefer that Eset make their product(s) as complete as possible so that malware is detected before it can create the registry entries in the first place. Much easier to prevent infection than to recover from it.
     
  21. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Agreed
     
  22. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    Ahem...I did say "the common ones"...wouldn't have enough room on this server to list all the entry locations of all the malware...and I hadn't seen which specific malware the OP is talking about yet.
     
  23. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    And I still can't remember it... suffice to say it was a virus and not spyware and wasn't one of the common ones. I looked at the name, scratched my balding head and wondered what it did!
     
  24. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    We tend to get that in the IT industry don't we? :D

    <===Got the Dave Letterman isthmus myself.
     
  25. ASpace

    ASpace Guest


    Yes, maybe this is the most important and definitely one of the best with NOD32 ;)
     