Lots of false positives

Discussion in 'ESET NOD32 Antivirus' started by krist2, Oct 24, 2009.

Thread Status:
Not open for further replies.
  1. krist2

    krist2 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    4
    Possible Lots of false positives?

    Hello,
    the "Real-time file system protection" has deleted lots of GB of data because it thought they were infected with "Win32/Tenga.gen virus".
    These files include games downloaded from direct2drive, the latest DirectX redist, all patches and mods for Battlefield 1942 and BF2, all updates for The Witcher, etc., so lots of GB.
    The dates for this is as follows:
    29.07.09
    06.08.09
    24.10.09

    That's lots of data I have to redownload, and not everything is possible to download again. Some of the games are problematic, maybe I have to get Eset to pay me for these games... :'(
    So, because lots of .exe files have also been "cleaned" (and are therefore now just about 500k in size), I can't install the games and programs that have been affected by this unforgivable fault by NOD32.
    Using version 3
     
    Last edited: Oct 25, 2009
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    1. It's not a fault of ESET that your files have been infected. Tenga is a pretty old file infector and ESET has been protecting against it reliably. For more information about Tenga, read this article.

    2. Whether files are recoverable or not depends on how particular viruses are written. Some may amend files to such an extent that it's impossible to restore the original content. Cleaning of viruses is not automatic for a reason. The cleaning routine may not always recover infected files to such a state that they can be executed. Please restore a couple of infected files from quarantine to a new folder on the disk, disable real-time protection, compress the infected files as well as the files after cleaning has been attempted, protect the archive with the password "infected" and submit it to samples[at]eset.com with this thread's URL in the subject. We'll examine the files to see if cleaning actually fails or if there's a problem with the originally infected files.
     
  3. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Maybe he used a game patcher that's infected with a virus, and now this is the end result. Plus he has backups in quarantine, from before cleaning was attempted, so not all is lost, unless he deleted them from quarantine.
     
  4. krist2

    krist2 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    4
    OK, if these are real positives, why is it that it just attacks files in this folder? Some of the files have been there for over a year without me using them..

    I haven't used any game patchers, and why would that infect the Witcher update and the BF2 Forgotten Hope mod?
    Is there some other program I can run to try to fix this?
    And the files aren't in quarantine, they got cleaned. And all the files that got cleaned are now about 500k in size...
    I would really like to get to the bottom of this problem, so any help would be greatly appreciated!


    edit:
    I don't have the registry entries from the link you posted:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "GAELICUM.EXE"="<Path>\GAELICUM.EXE"

    and

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "CBACK.EXE"="<Path>\CBACK.EXE"

    will you always have these entries with this virus?



    I don't have this process in Task Manager
     
    Last edited: Oct 25, 2009
  5. krist2

    krist2 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    4
    here are some lines from the Log file:

    Code:
    24.10.2009 16:51:40	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\setup.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    24.10.2009 16:51:39	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\redist\vc\vcredist_x86.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    24.10.2009 16:51:37	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\redist\tages\TagesSetup_x64.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    24.10.2009 16:51:37	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\redist\tages\TagesSetup.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: H:\Spill\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe.
    24.10.2009 16:51:21	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\redist\dx\DXSETUP.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: H:\Spill\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe.
    24.10.2009 16:51:20	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\executables\bin\TagesClient.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: H:\Spill\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe.
    24.10.2009 16:51:19	Real-time file system protection	file	J:\Kristian\Media\Images\Risen\Risen\AutoStarter.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: H:\Spill\Sid Meier's Civilization 4\Beyond the Sword\Civ4BeyondSword.exe.

    Why should Outlook and Civilization 4 cause the Risen install files to get infected?


    more examples:
    Code:
    06.08.2009 19:14:04	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Spanish\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:14:04	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Simplified Chinese\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:52	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Polski\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:52	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Korean\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:40	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Japanese\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:40	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Italian\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:29	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\German\TSLPatcher.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:17	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\Frensh\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:17	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\HK Factory Rc Update 1.2\English\Install Update 1.2.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:13:05	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\German Version\Deutsches Update 1.1.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:12:54	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed Upd. 1.1\English Version\Update to 1.1 English Version.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:12:53	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed\Optional stronger HK-47\German Version\Stronger HK-47 installieren.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:12:41	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed\Optional stronger HK-47\English Version\Install stronger HK-47.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:12:41	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed\German Version\Deutsche Version installieren.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.
    06.08.2009 19:12:30	Real-time file system protection	file	J:\Kristian\Media\Images\Star Wars KOTOR 2\HK-Factory Reconstructed\English Version\Install English Version.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE.

    What is Outlook modifying? Also Firefox is modifying something:
    Code:
    29.07.2009 21:43:51	Real-time file system protection	file	J:\Kristian\Media\Images\Battlefield 1942\mods\silentheroes.1.2.digitalsoftware.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Mozilla Firefox 3.1 Beta 2\firefox.exe.
    29.07.2009 21:43:37	Real-time file system protection	file	J:\Kristian\Media\Images\Battlefield 1942\mods\DesertCombat_0.7_Full_Install.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Mozilla Firefox 3.1 Beta 2\firefox.exe.
    29.07.2009 21:43:24	Real-time file system protection	file	J:\Kristian\Media\Images\Battlefield 1942\mods\dc_final_client.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Mozilla Firefox 3.1 Beta 2\firefox.exe.
    29.07.2009 21:43:01	Real-time file system protection	file	J:\Kristian\Media\Images\Battlefield 1942\mods\Battlefield High Definition 1.0 Installer.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Mozilla Firefox 3.1 Beta 2\firefox.exe.
    29.07.2009 21:42:31	Real-time file system protection	file	J:\Kristian\Media\Images\Battlefield 1942\battlefield_1942_patch_v1.6.19.exe	Win32/Tenga.gen virus	cleaned		Event occurred on a file modified by the application: C:\Program Files (x86)\Mozilla Firefox 3.1 Beta 2\firefox.exe.
     
    Last edited: Oct 25, 2009
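The log lines above carry one field that answers the poster's question better than the file names do: the "modified by the application" column names the process that had the executable open for writing when the scanner fired. A file infector such as Tenga runs inside whatever program it has already infected and writes itself into every other executable that program touches, so unrelated installers on J: being modified by OUTLOOK.EXE, Civ4BeyondSword.exe and firefox.exe points at those three binaries, not at the installers. The parser below is an added example, not part of the original thread or of any ESET tooling; it re-types a handful of the quoted lines (plus one constructed control line) as sample input and ranks the writer processes that wrote to executables outside their own install tree.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample in the layout of the ESET v3 real-time protection log
# quoted in the thread: tab-separated columns time, module, object type,
# object, threat, action, user (empty here), info. The first five lines are
# re-typed from the post; the last one is a constructed control where the
# writer lives in the same folder as the target.
SAMPLE_LOG = (
    "24.10.2009 16:51:40\tReal-time file system protection\tfile\t"
    "J:\\Kristian\\Media\\Images\\Risen\\Risen\\setup.exe\tWin32/Tenga.gen virus\tcleaned\t\t"
    "Event occurred on a file modified by the application: "
    "C:\\Program Files (x86)\\Microsoft Office\\Office12\\OUTLOOK.EXE.\n"
    "24.10.2009 16:51:37\tReal-time file system protection\tfile\t"
    "J:\\Kristian\\Media\\Images\\Risen\\Risen\\redist\\tages\\TagesSetup.exe\tWin32/Tenga.gen virus\tcleaned\t\t"
    "Event occurred on a file modified by the application: "
    "H:\\Spill\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe.\n"
    "24.10.2009 16:51:19\tReal-time file system protection\tfile\t"
    "J:\\Kristian\\Media\\Images\\Risen\\Risen\\AutoStarter.exe\tWin32/Tenga.gen virus\tcleaned\t\t"
    "Event occurred on a file modified by the application: "
    "H:\\Spill\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe.\n"
    "06.08.2009 19:12:30\tReal-time file system protection\tfile\t"
    "J:\\Kristian\\Media\\Images\\Star Wars KOTOR 2\\HK-Factory Reconstructed\\English Version\\Install English Version.exe\tWin32/Tenga.gen virus\tcleaned\t\t"
    "Event occurred on a file modified by the application: "
    "C:\\Program Files (x86)\\Microsoft Office\\Office12\\OUTLOOK.EXE.\n"
    "29.07.2009 21:42:31\tReal-time file system protection\tfile\t"
    "J:\\Kristian\\Media\\Images\\Battlefield 1942\\battlefield_1942_patch_v1.6.19.exe\tWin32/Tenga.gen virus\tcleaned\t\t"
    "Event occurred on a file modified by the application: "
    "C:\\Program Files (x86)\\Mozilla Firefox 3.1 Beta 2\\firefox.exe.\n"
    # Constructed control line (not from the thread): writer in the target's own folder.
    "24.10.2009 16:50:00\tReal-time file system protection\tfile\t"
    "J:\\Kristian\\Media\\Images\\Risen\\Risen\\setup.exe\tWin32/Tenga.gen virus\tcleaned\t\t"
    "Event occurred on a file modified by the application: "
    "J:\\Kristian\\Media\\Images\\Risen\\Risen\\AutoStarter.exe.\n"
)

# The info column ends with the writer path followed by a full stop.
WRITER_RE = re.compile(r"modified by the application: (?P<proc>.+?)\.?$")


def parse_line(line):
    """Parse one log line into a dict; return None for blank or non-record lines."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 6:
        return None
    try:
        when = datetime.strptime(fields[0], "%d.%m.%Y %H:%M:%S")
    except ValueError:
        return None
    m = WRITER_RE.search(fields[-1])
    return {
        "time": when,
        "path": PureWindowsPath(fields[3]),
        "threat": fields[4],
        "action": fields[5],
        # Process that had the file open for writing when the scanner fired.
        "writer": PureWindowsPath(m.group("proc")) if m else None,
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def writers_outside_own_tree(records):
    """Map each writer process to the infected executables it modified that do
    not live under the writer's own directory. An updater writes into its own
    install tree; an infected host process writes into every .exe it opens, so
    cross-drive or cross-tree writes are the first candidates to submit."""
    out = defaultdict(list)
    for r in records:
        if r["writer"] is None or r["path"].suffix.lower() != ".exe":
            continue
        home = r["writer"].parent
        if r["path"].drive.lower() != home.drive.lower() or home not in r["path"].parents:
            out[str(r["writer"])].append(str(r["path"]))
    return dict(out)


def bursts_by_day(records):
    """Events per calendar day: an infector produces bursts on the days the
    infected host was run, which is what the poster's three dates look like."""
    return Counter(r["time"].date().isoformat() for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for writer, targets in writers_outside_own_tree(recs).items():
        print(f"{writer}: wrote {len(targets)} infected executable(s) outside its tree")
    print(dict(bursts_by_day(recs)))
```

The ranking is a triage heuristic, not proof: it tells you which host binaries to pull into the password-protected archive Marcos asked for, and a writer inside its own tree is only demoted, not cleared.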
  6. krist2

    krist2 Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    4
    And shouldn't NOD32 be able to detect the threat before so many files get infected? I thought that was part of the meaning of an antivirus
     