nod32 and spybot backup file...

Discussion in 'NOD32 version 2 Forum' started by LordAsriel, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. LordAsriel

    LordAsriel Guest

    nod32 keeps detecting the following spybot file when i perform an on-demand scan:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg - probably unknown SCRIPT virus [7]

    Its a false positive i know but how can i get nod32 to exclude this file?

    thanks,

    SCC
     
  2. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Amon --> Setup -->Exclusions

    Please send file at samples@nod32.com if U think that is false positive.

    Regards,

    izi
     
  3. LordAsriel

    LordAsriel Guest

    thanks. do you not think its a false positive? I am having doubts now.
     
  4. LordAsriel

    LordAsriel Guest

    hmm...just tried to send it to nod32 for analysis but i keep getting an error message saying that it failed to send it to the submission que. Is this because its a registry file or something?
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Try an online scan from another AV such as BitDefender,Panda,Trend,F-Secure etc.
     
  6. LordAsriel

    LordAsriel Guest

    I have bitdefender as a backup scanner and it has found nothing.

    false positive then right?
     
  7. LordAsriel

    LordAsriel Guest

    If any nod32 users could comment it would be appreciated. Im guessing that if they use spybot and do not have this issue then it is not a false positive.
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Try sending it from your mail program - samples@nod32.com
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I use NOD and Spybot and I do not have this issue. However I am not knowledgeable enough to advise you as to whether or not it is a FP. I still would try a online scan Panda is very good. Be patient and some of NOD's heavy hitters will eventually weigh in. You could try using Google to research the file in question you may be surprised how useful that can be. Also try having the file scanned here.http://virusscan.jotti.org/
     
    Last edited: Aug 14, 2005
  10. culla

    culla Guest

    try ccleaner it cleans old log files i think that might be all
    or you may have to clean it through spybot advanced
     
  11. LordAsriel

    LordAsriel Guest

    Ive tried CC cleaner and still i get the warning. What do you mean i might need to 'clean' it with spybot advanced? Surely some other nod32 users have this issue...please help.
     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Maybe I'm wrong here, but the file which NOD finds an unknown in, is it not a backup from your system?
     
  13. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I'm a NOD user and reseller and I have put dozens of licenses on machines with Spybot and have yet to run into any such situation.

    If you worried about the file don't. If NOD is catching it when you scan, then it won't let the file be activated. It'll stop it upon activation. Add it to the exclude list for the time being if you are sure it is a FP.

    Submit the file to the address above and let the Eset experts analyze the file.
    Let us know how you go :)
     
  14. LordAsriel

    LordAsriel Guest

    thats what i hope, bit im looking for reassurance. I think it might be a backup of the registry that spybot makes. But as noone else seems to have this issue im wondering if it is actually a script virus posing as a reg. backup.
     
  15. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    If NOd and your backup on demand scanner BitDefender and a third online scanner such as F-Secure or Panda does not find anything it's unlikely you have anyting to worry about. I suggest again you run an online scanner other than the two Av's already on your computer.
     
  16. LordAsriel

    LordAsriel Guest

    Just to update,

    I ran the Panda online virus scan and it said that i had some malware in the registry. But it doesnt actually give you the specific file name and so i do not know what the hell it is. Now im even more confused, whats the point of doing an online scan if it doesnt give you the exact location of the suspected infection? Anyway, i have placed the file into nod32's exclusion for now until i hear anything else that makes me think otherwise. I still find it odd that no other nod32 and spybot users have this issue, if spybot does make a backup file and this is what nod32 is finding it should be common. As for sending the file, its proving impossible (probably due to my incompetance) both through the actual nod32 program and manually.

    thanks for all of your suggestions.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Try the following:

    Open up the Nod32 Control Centre.

    1 Click on Quarantine.

    2 Click on “Add”.

    3 Click on the drop down arrow.

    4 Choose “All files”.

    5 Click on the drop down arrow.

    6 Navigate to “Program files”.

    7 Double click on “Spybot Search and Destroy” and then navigate to the file in question.

    8 When the file is found, click on “Open”.

    9 Click on “Submit for analysis”.

    Hope this helps…

    Cheers :D
     

    Attached Files:

  18. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    2,825
    It will be interesting to see how this goes. I have Spybot. Ran a full scan with NOD32 tonight, but no such beast has shown up on my machine.

    Hopefully an Eset mod will tell us what it is once it has been properly analzyed.
     
  19. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    What Blackspear has suggested is really the right response to an issue like this - Quarantine will keep the file safe either until it is restored or deleted and once you 'Submit for analysis' make it available for ESET to check out.:)
    Much better than an exclusion!!!
    :)
     
  20. LordAsriel

    LordAsriel Guest

    Thank you all for your help,

    I am currently away from my laptop but as soon as i get home i will follow blackspear's instructions. I had already tried this but received an error message but ill try again anyway as like i said before i reckon i did something wrong. As soon as i send it to eset i will await their response and then keep you all posted.

    to be continued...
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That particular file is one of the two .reg backups that Spybot makes on an initial install of the software if the user chooses to do so....Step 3 of 7. Those 2 files(reglocal.reg and regusers.reg) can also be created at any time via Mode\Advanced Mode\Settings\Settings....then the Wizard selection at the top.

    The reglocal.reg file only contains the Sub-keys of HKEY_LOCAL_MACHINE\Software key. Which one of those Software keys Nod is burping on would be the question for anyone willing to test that reg file.

    If you care to send it....I'll be glad to attempt to locate what Nod is burping on unless Cool Daddy and the Eset bunch have the time.

    e-mail is in profile.
     
  22. LordAsriel

    LordAsriel Guest

    Ok. So I tried Blackspears intructions and I cannot find the guilty file anywhere is the spybot folder; i have checked countless times now. I then went to nod32 and found the quarantined file and looked at the location of the file again which is:

    c:Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Backups\relocal.reg

    I cannot find this file anywhere! When I open the 'All Users' folder there is no 'Application Data' folder...weird.

    Im sure I am again doing something wrong and so I would appreciate as much advice as possible. Currently I have the above file in quarantine until I know whats going on. Being able to actually locate it so I can send it off to be checked is my next step.

    thanks again.
     
  23. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I believe the "Application Data" folder is hidden by default. To display it, go to Control Panel --> Folder Options --> View --> "Show hidden files and folders".
     
  24. LordAsriel

    LordAsriel Guest

    Ok thanks for that. I have located the file, but now I have two other problems:

    a)nod32 will not let me submit the file as it is 'too large for submission'.
    b) I cannot send the file manually as I get a message saying that the file is in use.

    This is getting ridiculous, any suggestions?

    thanks again.
     
  25. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    b) Quite probably it is NOD32 that has locked the file. If you can (or have already) successfully added it to the quarantine list then right click on the entry and use 'Restore To' to make a copy of it somewhere you can access it, otherwise shutdown all spybot modules AND/OR reboot into safe mode and make a copy you can work on.

    a) ZIP the file with the password 'infected' before submission via email as explained above and include the password and a link to this thread in the body text of your email as well as a breif explanation.

    See how you go with that, and please let us know :)
     
Thread Status:
Not open for further replies.