nod32 and spybot backup file...

Discussion in 'NOD32 version 2 Forum' started by LordAsriel, Aug 14, 2005.

Thread Status:
Not open for further replies.
  1. LordAsriel

    LordAsriel Guest

    NOD32 keeps detecting the following Spybot file when I perform an on-demand scan:

    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg - probably unknown SCRIPT virus [7]

    It's a false positive, I know, but how can I get NOD32 to exclude this file?

    thanks,

    SCC
     
  2. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Amon --> Setup -->Exclusions

    Please send the file to samples@nod32.com if you think it is a false positive.

    Regards,

    izi
     
  3. LordAsriel

    LordAsriel Guest

    Thanks. Do you not think it's a false positive? I am having doubts now.
     
  4. LordAsriel

    LordAsriel Guest

    Hmm... just tried to send it to NOD32 for analysis, but I keep getting an error message saying that it failed to send it to the submission queue. Is this because it's a registry file or something?
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Try an online scan from another AV such as BitDefender, Panda, Trend, F-Secure, etc.
     
  6. LordAsriel

    LordAsriel Guest

    I have BitDefender as a backup scanner and it has found nothing.

    False positive then, right?
     
  7. LordAsriel

    LordAsriel Guest

    If any NOD32 users could comment it would be appreciated. I'm guessing that if they use Spybot and do not have this issue then it is not a false positive.
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Try sending it from your mail program - samples@nod32.com
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    I use NOD and Spybot and I do not have this issue. However, I am not knowledgeable enough to advise you as to whether or not it is a FP. I still would try an online scan; Panda is very good. Be patient and some of NOD's heavy hitters will eventually weigh in. You could try using Google to research the file in question; you may be surprised how useful that can be. Also try having the file scanned here: http://virusscan.jotti.org/
     
    Last edited: Aug 14, 2005
  10. culla

    culla Guest

    Try CCleaner, it cleans old log files. I think that might be all,
    or you may have to clean it through Spybot Advanced.
     
  11. LordAsriel

    LordAsriel Guest

    I've tried CCleaner and still I get the warning. What do you mean I might need to 'clean' it with Spybot Advanced? Surely some other NOD32 users have this issue... please help.
     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Maybe I'm wrong here, but the file which NOD finds an unknown in, is it not a backup from your system?
     
  13. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    I'm a NOD user and reseller and I have put dozens of licenses on machines with Spybot and have yet to run into any such situation.

    If you're worried about the file, don't. If NOD is catching it when you scan, then it won't let the file be activated. It'll stop it upon activation. Add it to the exclude list for the time being if you are sure it is a FP.

    Submit the file to the address above and let the Eset experts analyze the file.
    Let us know how you go :)
     
  14. LordAsriel

    LordAsriel Guest

    That's what I hope, but I'm looking for reassurance. I think it might be a backup of the registry that Spybot makes. But as no one else seems to have this issue I'm wondering if it is actually a script virus posing as a reg. backup.
     
  15. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    If NOD and your backup on-demand scanner BitDefender and a third online scanner such as F-Secure or Panda do not find anything, it's unlikely you have anything to worry about. I suggest again you run an online scanner other than the two AVs already on your computer.
     
  16. LordAsriel

    LordAsriel Guest

    Just to update,

    I ran the Panda online virus scan and it said that I had some malware in the registry. But it doesn't actually give you the specific file name and so I do not know what the hell it is. Now I'm even more confused; what's the point of doing an online scan if it doesn't give you the exact location of the suspected infection? Anyway, I have placed the file into NOD32's exclusions for now until I hear anything else that makes me think otherwise. I still find it odd that no other NOD32 and Spybot users have this issue; if Spybot does make a backup file and this is what NOD32 is finding, it should be common. As for sending the file, it's proving impossible (probably due to my incompetence) both through the actual NOD32 program and manually.

    thanks for all of your suggestions.
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Try the following:

    Open up the Nod32 Control Centre.

    1 Click on Quarantine.

    2 Click on “Add”.

    3 Click on the drop down arrow.

    4 Choose “All files”.

    5 Click on the drop down arrow.

    6 Navigate to “Program files”.

    7 Double click on “Spybot Search and Destroy” and then navigate to the file in question.

    8 When the file is found, click on “Open”.

    9 Click on “Submit for analysis”.

    Hope this helps…

    Cheers :D
     

  18. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,508
    It will be interesting to see how this goes. I have Spybot. Ran a full scan with NOD32 tonight, but no such beast has shown up on my machine.

    Hopefully an Eset mod will tell us what it is once it has been properly analyzed.
     
  19. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    What Blackspear has suggested is really the right response to an issue like this - Quarantine will keep the file safe either until it is restored or deleted and once you 'Submit for analysis' make it available for ESET to check out.:)
    Much better than an exclusion!!!
    :)
     
  20. LordAsriel

    LordAsriel Guest

    Thank you all for your help,

    I am currently away from my laptop, but as soon as I get home I will follow Blackspear's instructions. I had already tried this but received an error message, but I'll try again anyway as, like I said before, I reckon I did something wrong. As soon as I send it to Eset I will await their response and then keep you all posted.

    to be continued...
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That particular file is one of the two .reg backups that Spybot makes on an initial install of the software if the user chooses to do so....Step 3 of 7. Those 2 files(reglocal.reg and regusers.reg) can also be created at any time via Mode\Advanced Mode\Settings\Settings....then the Wizard selection at the top.

    The reglocal.reg file only contains the Sub-keys of HKEY_LOCAL_MACHINE\Software key. Which one of those Software keys Nod is burping on would be the question for anyone willing to test that reg file.

    If you care to send it....I'll be glad to attempt to locate what Nod is burping on unless Cool Daddy and the Eset bunch have the time.

    e-mail is in profile.
     
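    Bubba's point that regLocal.reg is nothing more than an export of the sub-keys under HKEY_LOCAL_MACHINE\Software suggests the practical way to answer "which key is NOD burping on": split the export into one .reg file per key, scan the pieces, and bisect until the offending key is isolated. Smaller fragments are also easy to submit where the whole backup is not. The Python below is an added example for this thread, not code from Spybot, ESET or any poster; the `flagged` callable stands in for the on-demand scanner's verdict on a written fragment, the `SAMPLE_REG` text and `CONSTRUCTED_TRIGGER` marker are constructed test data, and the key paths in it are invented.

```python
"""Split a Windows .reg export into per-key fragments and bisect them against a
scanner verdict to find which key trips a heuristic detection.

Added example, not from the forum thread, Spybot or ESET. The scanner is a
caller-supplied callable (hypothetical) so the routine runs offline.
"""
import codecs
import re
from pathlib import Path
from typing import Callable, Dict, List

REG_HEADER = "Windows Registry Editor Version 5.00"
# A key line looks like [HKEY_LOCAL_MACHINE\SOFTWARE\Vendor]; a leading '-'
# inside the brackets marks a key deletion and is not part of the path.
KEY_RE = re.compile(r"^\[(-?)(.+)\]\s*$")


def decode_reg(data: bytes) -> str:
    """regedit 5.00 exports are UTF-16LE with a BOM; REGEDIT4-era files are ANSI."""
    if data.startswith(codecs.BOM_UTF16_LE):
        return data.decode("utf-16")
    return data.decode("latin-1")


def split_reg(text: str) -> Dict[str, str]:
    """Return {key_path: fragment}; each fragment is a complete .reg file holding
    only that key, so it can be scanned (or imported) on its own."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            blocks.setdefault(current, [line])
        elif current is not None and line.strip():
            # value lines, including hex continuation lines ending in '\'
            blocks[current].append(line)
    return {k: REG_HEADER + "\n\n" + "\n".join(v) + "\n" for k, v in blocks.items()}


def combine(fragments: Dict[str, str], keys: List[str]) -> str:
    """Merge selected fragments back into one .reg file (one header)."""
    bodies = [fragments[k].split("\n\n", 1)[1].rstrip("\n") for k in keys]
    return REG_HEADER + "\n\n" + "\n\n".join(bodies) + "\n"


def find_triggering_keys(fragments: Dict[str, str],
                         flagged: Callable[[str], bool]) -> List[List[str]]:
    """Bisect the key set: scan each half, recurse into flagged halves.
    Returns minimal key groups that still trigger the scanner. A group longer
    than one key means the detection needs a combination of keys."""
    keys = list(fragments)
    if not keys or not flagged(combine(fragments, keys)):
        return []
    hits: List[List[str]] = []
    stack = [keys]
    while stack:
        group = stack.pop()
        if len(group) == 1:
            hits.append(group)
            continue
        mid = len(group) // 2
        halves = [group[:mid], group[mid:]]
        flagged_halves = [h for h in halves if flagged(combine(fragments, h))]
        if flagged_halves:
            stack.extend(flagged_halves)
        else:
            hits.append(group)
    return hits


def write_fragments(fragments: Dict[str, str], outdir: Path) -> List[Path]:
    """Write each fragment as its own BOM-prefixed UTF-16 .reg for a real scan."""
    outdir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i, (key, body) in enumerate(fragments.items()):
        p = outdir / f"{i:04d}_{re.sub(r'[^A-Za-z0-9]+', '_', key)[:60]}.reg"
        p.write_text(body, encoding="utf-16")  # Python's utf-16 codec emits a BOM
        paths.append(p)
    return paths


# Constructed sample export (invented vendor keys), CRLF like a regedit export.
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendorA]\r\n"
    "\"InstallPath\"=\"C:\\\\Program Files\\\\ExampleVendorA\"\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendorB\\Run]\r\n"
    "\"Script\"=\"CONSTRUCTED_TRIGGER\"\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\ExampleVendorC]\r\n"
    "\"Version\"=dword:00000005\r\n"
    "\"Blob\"=hex:00,01,02,\\\r\n  03,04\r\n"
)


def fake_scanner(reg_text: str) -> bool:
    """Stand-in for the AV verdict (hypothetical): flags our constructed marker."""
    return "CONSTRUCTED_TRIGGER" in reg_text


def demo() -> List[List[str]]:
    return find_triggering_keys(split_reg(SAMPLE_REG), fake_scanner)


if __name__ == "__main__":
    print(demo())
```

    In real use, `flagged` would write the fragment with `write_fragments` (or directly), run the on-demand scanner against that file, and return whether it was detected; once a single key is isolated, that small fragment is what goes to samples@nod32.com, and it tells the analyst exactly which value the heuristic is keying on.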
  22. LordAsriel

    LordAsriel Guest

    Ok. So I tried Blackspear's instructions and I cannot find the guilty file anywhere in the Spybot folder; I have checked countless times now. I then went to NOD32 and found the quarantined file and looked at the location of the file again, which is:

    c:Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Backups\relocal.reg

    I cannot find this file anywhere! When I open the 'All Users' folder there is no 'Application Data' folder... weird.

    I'm sure I am again doing something wrong and so I would appreciate as much advice as possible. Currently I have the above file in quarantine until I know what's going on. Being able to actually locate it so I can send it off to be checked is my next step.

    thanks again.
     
  23. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    I believe the "Application Data" folder is hidden by default. To display it, go to Control Panel --> Folder Options --> View --> "Show hidden files and folders".
     
  24. LordAsriel

    LordAsriel Guest

    Ok thanks for that. I have located the file, but now I have two other problems:

    a) NOD32 will not let me submit the file as it is 'too large for submission'.
    b) I cannot send the file manually as I get a message saying that the file is in use.

    This is getting ridiculous, any suggestions?

    thanks again.
     
  25. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    b) Quite probably it is NOD32 that has locked the file. If you can (or have already) successfully added it to the quarantine list then right click on the entry and use 'Restore To' to make a copy of it somewhere you can access it, otherwise shutdown all spybot modules AND/OR reboot into safe mode and make a copy you can work on.

    a) ZIP the file with the password 'infected' before submission via email as explained above, and include the password and a link to this thread in the body text of your email as well as a brief explanation.

    See how you go with that, and please let us know :)
     