Infected file too big to send to ESET for analysis

Discussion in 'NOD32 version 2 Forum' started by jcwy, Oct 28, 2004.

Thread Status:
Not open for further replies.
  1. jcwy

    jcwy Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    9
    Hi,

    I am using nod32 ver 2.12.2 Trial and it alerted that my registry backup file is "probably infected with an unknown script virus". I have narrowed the infection to be contained in only two registry directories. I would like to send ESET the files, but my ISP does not accept such large files (25 MB each).

    Are there any free programs which would allow me to export an entire range of files within a registry directory so that I can perform virus scan to further pin-point the infected file. I use regedit, but it only allows me to export a single file within a directory at a time. With several thousand files in the two infected directories, it would take me weeks to complete the task.

    Any help will be very much appreciated.

    Thanks.
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    You should be able to export any branch or even single keys within a branch, 25mb each sounds like your entire registry, especially zipped. If all other options fail however, you can export as you have and then copy them to CD and then use snail mail to Eset. Yes it would take much much longer but I am sure they would still analyze the files for you.
     
  3. jcwy

    jcwy Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    9
    Thanks for your quick reply Flyrfan111.

    Using regedit, I can not select the entire range of folders in HKEY_LOCAL_MACHINE\Software\Classes for exporting, but can only select one folder at a time. With thousands of folders, this inconvenience will take many long and tedious hours to complete task. I need to do this so that I can do a virus scan to further pin-point which folder is infected and send only this small size folder to ESET.

    Sorry if my original post was unclear.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    you can use registry lite
    http://www.resplendence.com/download

    but if nod is saying it's in the registry BACKUP file then I don't know of any editor taht will do that only export sections of the registry

    I would just delete the entire backup and make a new one
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    You should be able to export even a single key from any branch. You just can't use the right click context menu to do it. Select whatever branch folder you need to get to in the left pane, then highlight whatever specific key or keys needed in the right pane and don't right click but go to the File tab on top of regedit for the drop down menu and select export. That should allow you to get as small as you need. Sorry I can't pull up screen shots on this slow dial up, perhaps someone with a faster connection can post some screen shots to guide you through.
     
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Seeing that it is in the back up that is infected yes deleting the back up and making a new one is the easiest method, how old is that back up though? I would presume if the back up is infected then the registry should also be infected. Try doing a scan in safe mode to see if any protected files are infected.
     
  7. jcwy

    jcwy Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    9
    Thanks dvkol and flyrfan111.

    Please allow me to clarify myself.

    The registry backup file was made using regedit with full registry export. Once this file was created, nod32 gave an alert saying the "file is probably infected with an unknown script virus". I then exported the five primary HKEY branches individually and scanned them for viruses. It turned out only two primary branches were infected: HKEY_CLASSES_ROOT and HKEY_LOCAL_MACHINE. Because these two large files were about 25MB each, my attempt to email them to ESET for analysis was disallowed by my ISP.

    To narrowed down which subfolder were infected, I first proceeded to export the subfolders in HKEY_CLASSES_ROOT. While I can select one subfolder to export and then perform a virus scan, I can not select a range of subfolders by holding CTRL key and clicking the ARROW DOWN key. With thousands of subfolders, this task will be very time consuming.

    I don't know how to post an image, but the regedit window is like below:
    My Computer
    HKEY_CLASSES_ROOT (folder)
    * (subfolder)
    .323 (subfolder)
    .386 (subfolder)
    .3g2 (subfolder)
    .3gp (subfolder)
    etc.
    I can not select a range of subfolders, only one at a time.

    Thank you very much for everyone's patience.
     
  8. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    Humm... well I"m new with nod32 also.. but can you scan with "quaranteen" enabled and when its done... if it has anything in quaranteen, then you can go to it in windows explorer and send them email that way?

    If that won't work.. you could always send it in pieces with outlook express of others?

    In outlook express you would go to Tools ---> Accounts----> your account---->properties--->advanced tab--->3/4 down towards the bottom is a box that says "break apart messages larger than ___KB. check that box and enter something that they can accept... "not sure how big that is?"

    What this will do is like "span" your message and when they get it on the other side, their email client will recieve it as several different messages and then will piece it all together as one message.
    Hopefully that won't freak out their mail server!
     
  9. jcwy

    jcwy Registered Member

    Joined:
    Oct 28, 2004
    Posts:
    9
    Thanks windstrings, I'll give that a try.
     
Thread Status:
Not open for further replies.