Nerocheck.exe ?

Discussion in 'Trojan Defence Suite' started by Robyn, Feb 12, 2004.

Thread Status:
Not open for further replies.
  1. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    I have scanned my computer with the latest database and for the first time I have found something in the Alarm panel.

    Scan Control Dumped @ 13:05:45 12-02-04
    (Deleted) RegVal Trace: Worm.Doomjuice.b please submit: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [NeroCheck=C:\WINDOWS\system32\NeroCheck.exe]


    I have tried the delete key but when I run the scan again the same file is reported on. I have scanned with my AV and also ran online scanners and everything is reported as 'no infection'. I would be grateful if someone would advise if this is just showing me a possible trojan/worm key, as I know Nero needs to run a check on boot, but this has really worried me.

    I have also run HijackThis and see nothing I do not recognise in the log file. I scan with TDS daily and also have the resident watch installed, therefore I was very concerned to find this reported today. :'( I have an updated AV and other security software all updated as soon as updates are released.

    I would greatly appreciate any help and advice.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Robyn, It may be best if you zip a copy of the NeroCheck file and send it to submit@diamondcs.com.au. Could be a false positive which Gavin can analyse.

    Point to point file sharing such as Kazaa is one of the methods used to infect users with doomjuice.
     
  3. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thank you for your reply, one thing: where do I find a copy of the Nero check file to zip :oops: Will it be in Nero's folder? I do not file share so hopefully it is a false positive; would appreciate your advice on finding the check file.

    I think I have found it and will submit it now, thanks again.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Robyn, isn't it in the place as indicated
    NeroCheck=C:\WINDOWS\system32\NeroCheck.exe
    It's part of the DoomJuice so i have fingers crossed for you you find and can zip the nasty.
    Maybe in safe mode?
    At the moment the DoomJuice is trying to get in the backdoors created by MyDoom, TCP ports 3127-3198 and 10080 so make sure you have those closed extra tight in your firewall; it is possible the thing came indeed on your system without --i hope!-- doing any harm if other parts are not there.
    I noticed lots of extra portscans on TCP 3127 but it seems my ISP took warnings serious to do something extra about that on their level as it's only few now.

    I'm not 100% what is on your system, as the file if it did run would have been installed in that location as regedit.exe so it might still be innocent (fingers and toes crossed for you now)
    http://www.viruslist.com/eng/viruslist.html?id=942691

    Make sure your settings in Windows Explorer are to display all files and extensions on your system, no hidden files these days!
     
  5. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hi Jooske, I have my computer well secured as I have both a software firewall and a hardwired router firewall which is set to block all incoming traffic to my computer.

    I have run several online scanners and none of them are showing anything o_O I have looked at the link you have provided but am not sure what to look for in the registry to see if anything nasty is there :oops:

    I zipped the Nero file and have submitted it. I have also scanned this to see if I can find anything myself but all other reports do not show anything. I do not know why TDS does not delete although it indicates it has deleted this.

    I would be grateful if you could advise if there is anything else I can do while I am waiting as I am very worried. I am always so careful I do not know how this would have infected my computer :'( Thank you for your concern, I will have to check and see if there are tools for finding and cleaning this if it is actually in my computer.
    :'(
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Robyn, It may just be an incorrect registry key if there is no nerocheck.exe in your windows\system32 folder.
    If the file is in that folder and you copied that one & not one in your nero folder then you could rename it to nerocheck.Bak or something like that until you get the all clear.
    If you go to www.sophos.com I believe they have a doom clearance tool you could download and run just to be on the safe side. Though TDS does detect Mydoom.

    HTH Pilli
     
  7. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hello again

    I have just downloaded the Symantec clean up tools and ran them twice - report - computer not infected by mydoom - I also ran Symantec's online scan - no infection found. I also downloaded the Microsoft detection tool and it also reports no infection.

    I have just checked the system 32 folder and have found nerocheck.exe so I think I have sent the wrong file to be analysed as the one I found was in the Nero folder itself. :oops:

    Is this the one I should rename to .bak instead of exe? Apologies for asking so many questions but I have never had anything like this before. I didn't have the first version of mydoom, this is why I am puzzled as to why this alarm has happened :'(

    I have just checked Sophos but I think I need to be running Sophos to use their tool; however the exact key they show is this: The worm creates a copy of itself named regedit.exe in the Windows system folder and creates the following registry entry to ensure that the copy is run when Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
    NeroCheck= <system folder>\regedit.exe

    I have backed up the registry and deleted the key as advised by Sophos on this and ran TDS again, this time nothing is reported. I hope this will have solved the issue for me as I was very worried indeed.
     
  8. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, Robyn, Sounds like a possible false positive but are the two nerocheck.exe's the same i.e. date and file size etc.?
     
  9. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Sorry, just about to close down computer for tonight but have run search again and find I now only have one after deleting the registry key. The one I do have was created 9.7.01 in my Windows system folder. I still have the other one in the zip file if I find I need to replace it in Nero itself. I have opened Nero and it seems to be ready to go, I will test this tomorrow to make sure I do not need the file.

    I really was so worried that I had to follow the instruction at the Sophos site. I have scanned with TDS again (a few times) and nothing is reported. I am so worried about things like this I just could not shut down the computer wondering if it was nasty or not :oops:

    I am just happy to see that TDS has not found anything with all the scans I have done now.

    I will test out Nero tomorrow but I do know by running all the tools I do not have mydoom, which is a huge relief. Many thanks for helping me, I will post back if I find I do need to copy the file again but so far I would much rather not have to :'( I definitely do not run Kazaa or even share files with my own laptop, I am that worried about things like this :oops:
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If i'm not sure if i need a file i change the extension or put an extra .tmp or something behind it, nerocheck.exe.tmp for instance, so you can always find it back, or zip the thing, and if anything doesn't run anymore you can correct the situation.
    If you google for the file name on internet you see it used a lot in all kinds of nasties but impression is also legit files, so........ there is another posting from Gavin about regval alarms which not in all cases are to be alarming, so if you found your second file don't hesitate to submit that one too, (the one in the system32 folder was the alarm, so if that disappeared with the registry cleaning ........ )
    The pages Pilli and i gave you above were talking about other files too; if you didn't locate those you might not have been infected at all, or the nasty didn't run, maybe, if it was a real thing but didn't find what it needed to be activated.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    My apologies to Nero 5.x users. I can confirm that this TRACE is a false alarm.

    On my testing system this registry key is NeroFilterCheck, not NeroCheck. However, older versions of Nero use NeroCheck instead :(

    Please ignore this and there will be an updated database as soon as is possible. Edit :

    If you have no antivirus scanner please submit the file or run an online scanner to verify. If you DO have an antivirus, trust IT (as long as it is updated)
     
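    As an added example (not from this thread, DiamondCS or Nero): a check that tells the legitimate NeroCheck Run value apart from the Doomjuice autorun entry quoted from Sophos in post 7. It keys on the target file name rather than the value name, which is the distinction the trace Gavin describes was missing. The TDS-style trace line format and the sample lines are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Value names Nero uses for its start-up check; per the Sophos text quoted
# in the thread, Doomjuice reuses "NeroCheck" for its own autorun entry.
NERO_VALUE_NAMES = {"nerocheck", "nerofiltercheck"}

# Matches the "[Name=Data]" tail of a TDS-style "... Run [Name=Data]" line.
_RUN_RE = re.compile(r"\[(?P<name>[^=\]]+)=(?P<data>[^\]]*)\]")


def parse_run_value(trace_line: str) -> Optional[Tuple[str, str]]:
    """Return (value name, value data) from a trace line, or None."""
    m = _RUN_RE.search(trace_line)
    if not m:
        return None
    return m.group("name").strip(), m.group("data").strip()


def _target_basename(data: str) -> str:
    """Lower-cased file name of the program a Run value launches."""
    data = data.strip()
    if data.startswith('"') and '"' in data[1:]:
        path = data[1:data.index('"', 1)]          # quoted path, args after
    elif data.replace("/", "\\").split("\\")[-1].lower().endswith(".exe"):
        path = data                                 # unquoted path, no args
    else:
        path = data.split(" ")[0]                   # unquoted path with args
    return path.replace("/", "\\").split("\\")[-1].lower()


def classify_run_value(name: str, data: str) -> str:
    """'legit-nero', 'doomjuice-indicator' or 'unknown' for one Run value.

    Matching on the value name alone (what the alarm did) fires on Nero's
    own entry; the worm's entry differs in what it points at: regedit.exe
    in the system folder, which Nero never registers under this name.
    """
    if name.lower() not in NERO_VALUE_NAMES:
        return "unknown"
    target = _target_basename(data)
    if target == "regedit.exe":
        return "doomjuice-indicator"
    if target in {"nerocheck.exe", "nerofiltercheck.exe"}:
        return "legit-nero"
    return "unknown"


def classify_trace_line(line: str) -> str:
    parsed = parse_run_value(line)
    return "no-run-value" if parsed is None else classify_run_value(*parsed)


# Constructed samples: the first mirrors the alarm in post 1, the second is
# the entry the Sophos description says an infected machine carries.
SAMPLE_LINES = [
    r"File: Software\Microsoft\Windows\CurrentVersion\Run [NeroCheck=C:\WINDOWS\system32\NeroCheck.exe]",
    r"File: Software\Microsoft\Windows\CurrentVersion\Run [NeroCheck=C:\WINDOWS\system32\regedit.exe]",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(classify_trace_line(line), "<-", line)
```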
  12. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hi Gavin

    I am relieved to read this but in my panic I deleted the registry key. I am not sure what effect this will have, if any, as I was able to use Nero this morning and it did work for me o_O

    Should I have the NeroCheck.exe in my System32 folder? Sorry to ask yet more questions but I really was worried more than anything when TDS found this on me therefore my 'fix it' ASAP.

    I think I ran every AV test I could last night plus any tools I could find for detecting this worm :oops:

    I presume if Nero is working everything is OK? I did back up the H_Key_Local etc as described by Sophos; should I import this into the registry again? I am relieved that I don't have anything nasty but just unsure how I will correct the registry, or if this has been corrected when I ran Nero this morning :oops:
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Doesn't Nero correct it when you started it itself?
    If all is running right ....... if you look in that place in the registry?
     
  14. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hello again Jooske

    I have looked in the registry again (a long way to get to the little key) but this one hasn't been replaced even though I have used Nero. I do have the one for INCD which I know has to be started when Windows starts, but maybe I did not need the other one after all.

    I am still trying to find someone with Nero 5.5 to see if there should be a NeroCheck.exe in the Nero folder and also in Windows32 folder. To be truthful I was in and out so many files and folders when this happened I really cannot remember what should be in my folders :oops: I guess this is the outcome of my total panic as I did not want to leave the computer thinking I had something nasty running even though I used every scan I could think of :rolleyes:
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Robyn, I have Nero 5.5.1.5, windows\system32\ nerocheck.exe dated 9/7/2001 152KB's
    And do not have one in the Nero folder.
     
  16. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thank you :) I was worried that I didn't find one in Nero and had one in system32 (which I renamed until this was cleared). Thankfully I did not do what I was going to do today and delete this :oops: I can give it back its name now as it is the same as yours, and now I know not to drop anything into Nero. A big Thank you for this information, it is exactly what I was looking for :)
     
  17. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done Robyn! Have a weekend Karma cookie to help chill out :)
     
  18. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Somehow I don't have a chill out program ;) but at least I am virus free :)

    Thanks again to everyone who coped with my panic last night and today.
     