Ewido Online tool found reg.exe....please advise

Discussion in 'ewido anti-spyware forum' started by tamba1, Aug 3, 2006.

Thread Status:
Not open for further replies.
  1. tamba1

    tamba1 Registered Member

    Joined:
    Jan 13, 2006
    Posts:
    54
    Location:
    UK
    Hi

    I have just scanned my PC with Ewido online tool and it found 5 infections

    x4 esomniture tracking cookies and x1 Worm.Randon
    path c:\i386\Reg.exe

    I have "removed the infections" using Ewido; now what should I do?

    Look forward to your reply, many thanks

    tamba1
     
  2. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Re: EWIDo Online tool found following please advise

    I would restart your system and scan with Ewido, anti-virus, Ad-Aware SE and Spybot S&D. The cookies are nothing to worry about, but the worm could be. Once you have rescanned, restart your PC each time a completed scan finds something, until you get the all clean. Then post a HijackThis log in this, or another ASAP forum, and let the experts check your system out. Just let them know what you've scanned with already.

    In addition you may wish to scan with those products in safe mode too.
     
  3. tamba1

    tamba1 Registered Member

    Joined:
    Jan 13, 2006
    Posts:
    54
    Location:
    UK
    FAO GS2 Re: EWIDo Online tool found following please advise

    GS2 thanks for the advice

    My main concern is that when I restart my PC, System Restore will "bring back" the removed infections.

    Please advise before I start restarting the PC.
    thanks tamba1
     
  4. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Re: EWIDo Online tool found following please advise

    Okay, my understanding is that System Restore will only 'bring back' infections if you choose to restore to an earlier date. That is, click Start >> All Programs >> Accessories >> System Tools >> System Restore.

    If you restart your system, System Restore will not be utilized unless Windows encounters a problem 'booting up'. While the restore information would reinstall the infected file if you use it, this is no particular problem, as once you are clean you can 'flush' System Restore.

    Did you have Ewido Quarantine the file, or delete?

    Like I say if you are concerned post a Hijackthis log in the appropriate room of this forum, and the experts will help you there.

    Just to be safe I would back up all your important personal data - Word files etc. - before undertaking any 'fix'.
     
  5. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
  6. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Re: Ewido Online tool found following please advise

    Ah, didn't realise, cheers fairyliquidizer. Bit of a shame that, but never mind.

    tamba1 you could try one of these forums instead - just choose from the list - all will help you free, and they are all very professional :)

    http://www.malwarecomplaints.info/viewtopic.php?t=63
     
  7. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
    Re: Ewido Online tool found following please advise

    Also be aware, tamba1, of the locations in which the threats are located. As long as System Restore is enabled and a restore point has been created since the infection occurred, your scans will continue to show them.
     
  8. GS2

    GS2 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    42
    Re: Ewido Online tool found following please advise

    I just checked my hard drive, and there is a legitimate file called reg in the C:\i386\ folder, which is also an application. I right-clicked it and chose Properties; it is registered to M$. Perhaps Ewido flagged it as yours was a duplicate entry, and the wrong size (mine's approx. 49 KB).
     
  9. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    Re: Ewido Online tool found following please advise

    We also checked this reg.exe here without a detection, so please send us a copy of your detected reg.exe file:
    http://www.ewido.net/en/support/?AID=34
     
  10. tamba1

    tamba1 Registered Member

    Joined:
    Jan 13, 2006
    Posts:
    54
    Location:
    UK
    Re: Ewido Online tool found following please advise

    Hi Karl

    I have sent you the 3 files now.

    Please let me know your comments.
    thanks tamba1
     
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    Re: Ewido Online tool found following please advise

    Hi

    I had the same warning (same file in same location).

    My resident AV, NOD32, doesn't recognise it as a threat, nor does the Kaspersky online file scan. I think mine is a false positive. I will submit the file to Ewido also.

    thanks, Lee
     
  12. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Re: Ewido Online tool found following please advise

    I just scanned a client's computer using the main program, not the online scan, and came up with Worm.Randon; it is also sitting in c:\136\reg.exe and I quarantined it. I cannot send the file because it is sitting in Ewido's quarantine folder, but I sent the .dat file from the quarantine list.

    Someone tell me if it is real or not because if it is a false positive I will restore it.

    robin
     
  13. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Re: Ewido Online tool found following please advise

    I am pretty sure that this is a false positive (The Worm Randon). I checked this file on Jotti. It was only identified by Antivir as being Randon A.51 (and Jotti said that only applications that were noted for high false positives found it). I also ran scans with Spybot, Adaware, MS Defender, and Superantispyware. Nothing else identified it as being spyware.
    Unfortunately, I acted too hastily and removed it permanently from quarantine. Fortunately, I am running Ewido on my wife's computer also. It also identified this file as Worm Randon. I was able to get a copy of the file from her computer and mail it to my computer. So, if it is a false positive (as I believe it to be), I guess we will just keep getting the notice until the dat files are updated.
     
  14. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Re: Ewido Online tool found following please advise

    Ewido, please confirm ASAP if this is a false positive so I know what to do on my client's computer, and everyone else here that has it too. I would like to know if I can delete this file or put it back, because as of now it is in Ewido's quarantine!

    robin
     
  15. buttoni

    buttoni Registered Member

    Joined:
    Jul 8, 2005
    Posts:
    44
    Location:
    Central Texas
    Re: Ewido Online tool found following please advise

    FWIW, I also just got this Worm.Randon detection, same file name, same location. I quarantined, as Googling indicates there is also a legitimate Windows file with this name. Will also await confirmation from the developers that this is an FP.
     
  16. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    Re: Ewido Online tool found following please advise

    The C:\i386 folder and its contents are likely a Dell factory-installed copy of Win XP.
     
  17. Cel

    Cel Registered Member

    Joined:
    Dec 5, 2005
    Posts:
    13
    Re: Ewido Online tool found following please advise

    I had AVG Free flag the same file, only calling it Worm/Generic.TX. After hearing that this was a false positive I restored it.

    AVG scan now showed clean but....the Ewido scan now picked it up and it is calling it Worm.Randon. Interesting that both programs are owned by the same company.

    In searching forums there appear to be many folks experiencing the same thing. I wonder how many are Dell computers? I have checked 4 other non-Dell systems and none of them even have the C:\I386 folder.

    I too also hope Grisoft will somehow get the word out either way on whether this is a real critter or a false positive.

    Dell Dimension 2400
    XP Pro SP2
    ZoneAlarm Free,
    AVG 7.1.394 268.10.7/410 8/5/2006 5:15PM
    BoClean,
    Mailwasher Pro,
    B9,
    Winpatrol,
    Taskcatcher(Billpstudios)
    Ewido 4.0.0.172 trial,
    Spybot + Teatimer,
    Adaware,
    Spyblaster,
    A-Squared
     
  18. CesiaS

    CesiaS Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    22
    Location:
    Australia
    Re: Ewido Online tool found following please advise

    Hi,
    I came to this forum because in a recent scan of my PC Ewido reported C:\I386\REG.EXE infected with Worm.Randon.

    I too think this could be a false positive and I'm keeping the file quarantined until further clarification from Ewido.

    I have a Dell Dimension 4600,
    Win XP SP2 Home Ed with all the relevant updates, use Firefox, Zone Alarm and have all the recommended antispyware (AdAware SE, SpybotSD, Spywareblaster, Ewido, Microsoft WinDefender) and CCleaner installed.

    CesiaS
     
  19. CesiaS

    CesiaS Registered Member

    Joined:
    Aug 6, 2006
    Posts:
    22
    Location:
    Australia
    Re: Ewido Online tool found following please advise

    I just submitted my C:\I386\REG.EXE file.
    I forgot to add in my last post that I also have Norton 2006 as well as AdAware SE, SpybotSD, Spywareblaster, Ewido, Microsoft WinDefender. Ewido is the only one reporting this worm.
    CesiaS
     
  20. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Re: Ewido Online tool found following please advise

    I also scanned it on a computer that is a Dell Dimension 4000 with Ad-Aware SE, Spybot, Ewido and AVG. None picked this worm up except Ewido.

    I am going to scan my other 3 computers that are Dells with Ewido today to see if they pick up this worm. They have not before.

    Why hasn't Ewido responded to us yet?

    robin
     
  21. Carol30

    Carol30 Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    55
    Location:
    USA
    Re: Ewido Online tool found following please advise

    I'm totally confused at this point. I was trying to help someone. From what I gather, she first ran Ewido's online scan, then finally d/l Ewido. On August 4th, she sent me a copy of her log, where Ewido detected:

    C:\1386\REG.EXE>Worm Randoni
    Cleaned with backup (quarantined).

    Now she is telling me Ewido has detected:

    Infected with: Backdoor.Rbot.bbd
    C:\I386\REG.EXE


    One of her logs indicated Backdoor.Rbot.bdd in SR:

    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1088\A0074713.exe -> Backdoor.Rbot.bbd

    At the very least, I do believe she's going to have to disable SR and have Ewido clean it. Is the very first entry above an f/p?
    From what I've read at BC, the entry in I386 is a variant of Win32.Rbot.

    For whatever it's worth, she does have a Dell. I'm not looking to get into the middle of a thread, only to add to it and find out if there's an f/p involved.

    Any input would be greatly appreciated.
    Carol
     
  22. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Re: Ewido Online tool found following please advise

    OK, I scanned all 3 computers.
    Dell Dimension 5150 did not find it
    Dell Optiplex GX100 did not find it
    Dell Dimension 8200 found this worm
    I quarantined it and here is the entry from the log:
    C:\I386\REG.EXE -> Worm.Randon : Cleaned with backup (quarantined).
    I sent a copy of it to Ewido.

    All 3 Dimension computers have this file.

    All running AVG antivirus, Ad-Aware SE, Spybot, Windows Defender, and none found this worm.

    Ewido, please respond and tell us what to do!
    robin
     
  23. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Re: Ewido Online tool found following please advise

    As I said, I have that file on all 3 Dell computers, including the client's computer, and Ewido only found this worm on 2 of them.
    Since I do have this file, if it was a true worm then Ewido should have found it on the 2 computers that have reg.exe, and it did not, which shows something is wrong here.

    robin
     
    Last edited by a moderator: Aug 6, 2006
  24. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Re: Ewido Online tool found following please advise

    As this is still the weekend, I would ask that we take that into consideration as follow-up posts are being made. Also, if this was found on my machine(s), I would have no qualms in restoring the file and then checking the properties of said file. If indeed the file's properties showed all appearances of it being a legitimate file from a legitimate mfg, I would then have no problem keeping it as a restored file and awaiting the results from Ewido of the file sent in.
     
  25. Carol30

    Carol30 Registered Member

    Joined:
    Dec 20, 2005
    Posts:
    55
    Location:
    USA
    Re: Ewido Online tool found following please advise

    Robin..

    'That file' you referred to should be Microsoft's Registry Console Tool, which is 49 KB, as GS2 previously mentioned. It's a command line tool. If you check its properties, you'll see that it does have the above, aforementioned information. Its creation date should be about, if not before, when you purchased the computer.

    FWIW..
    Carol
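    The properties check Bubba and Carol30 describe, written out as an added PowerShell example (not code from the thread or from any vendor): it reads the version resource, size, creation date, signature status and a SHA-256 hash of the flagged file, so the result can be compared against what the thread reports and quoted when submitting the sample. The path C:\I386\REG.EXE and the 40-60 KB size window are assumptions taken from the posts.

```powershell
# Added example, not part of the thread: triage a file an AV flagged, the way
# Bubba and Carol30 suggest, by inspecting its properties before deciding
# whether to restore it or keep it quarantined.
param([string]$Path = 'C:\I386\REG.EXE')   # path reported in the thread (assumption)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Output "$Path not present (still quarantined, or not a Dell i386 install)"
    return
}

$item = Get-Item -LiteralPath $Path
$ver  = $item.VersionInfo

# Version-resource strings: a genuine Registry Console Tool names Microsoft here.
# Metadata can be forged, so this supports the vendor's verdict rather than replacing it.
$props = [ordered]@{
    Path             = $item.FullName
    SizeBytes        = $item.Length            # thread reports approx. 49 KB
    Created          = $item.CreationTime      # should predate purchase/setup
    CompanyName      = $ver.CompanyName
    FileDescription  = $ver.FileDescription
    OriginalFilename = $ver.OriginalFilename
    FileVersion      = $ver.FileVersion
    Sha256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    # XP-era system files are usually catalog-signed rather than carrying an embedded
    # Authenticode signature, so 'NotSigned' alone is not proof of tampering.
    Signature        = (Get-AuthenticodeSignature -LiteralPath $Path).Status
}
[pscustomobject]$props | Format-List

# The heuristic the thread applies: Microsoft metadata plus a plausible size.
$looksLegit = ($ver.CompanyName -like '*Microsoft*') -and
              ($ver.FileDescription -like '*Registry*') -and
              ($item.Length -gt 40KB -and $item.Length -lt 60KB)

if ($looksLegit) {
    Write-Output 'Metadata matches the Registry Console Tool: probable false positive; submit the hash/sample to the vendor for confirmation.'
} else {
    Write-Output 'Metadata does not match: keep the file quarantined and submit it for analysis.'
}
```

    The Sha256 value is what to quote alongside the sample when reporting a suspected false positive, since it identifies the exact file without attaching it.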
     