Thankful

Possible FP registry values


Hi Thankful, welcome to the forum

Those Traces could be FPs indeed.

At the same time, in any case, please submit flagged items from the detection list to EMSI developers for analysis.

Highlight the item(s), right-click and choose the "Submit as false alert" option.

Since the files were not flagged, you can submit them anyway, just in case, to EMSI [email protected]

Before submitting, create a password protected archive (ZIP or RAR) containing the file(s). Make sure the main body of the email contains the password for the compressed archive.

In case you use e-mail, you can attach the report as well.

Most likely those were flagged because of their specific location in the registry.

We cannot rely on the names.

The said files do indeed, by name, belong to ESET (Nod32); at the same time you can find descriptions like this about egui.exe

{added} there were updates of the native a-squared ("!A2") signatures since you posted.

So please update and rescan. In order to rescan Traces you can use the Quick Scan type.

My regards

P.S. 1) It's a bit strange, though, that the Deep Scan lasted just 43 seconds and only 1106 files were scanned;

2) when posting, provide info about your System Environment as in Forum Posting Rules #2;

3) Traces do not necessarily represent danger. Please read the article “Spyware Traces in Detail”


I'm running XP PRO/SP3, NOD32 4.22.35.0, Windows Firewall

I had sent these registry values as FPs using right click a couple of days ago as well as today. The scan was short because I terminated it once I saw the traces detected.

...Those Traces could be FPs indeed.

At the same time in any case please submit flagged items from the detection list to EMSI developers for analysis ...

P.S. 1) It's a bit strange though that the Deep Scan lasted just 43 seconds and only 1106 files were scanned;...

~ Whole Quotation Edited {Lynx}


Thanks for the reply, Thankful

I edited the whole quote and left only the points you referred to

Well, you should not stop the scan just because you saw a few suspects... and decided that those "may happened being FPs"

Sure, this time it could've been the case, but...

I would not recommend such a "technique" ever ;)

First, as you can see from my reply, it would be better to end the scan, as in some cases the files themselves would probably be flagged too.

There is actually no way to be sure that the legitimate files, including the security-related files, could not be compromised by a third-party infection that is itself currently undetected.

There could be different scenarios as well.

Therefore, please either perform a full Deep Scan or (if you are certain) just submit the files themselves by e-mail as suggested, since you are saying that you submitted the Traces quite a while ago.

My regards

P.S.

I'm running XP PRO/SP3, NOD32 4.22.35.0, Windows Firewall...

You can use that info in your signature, so you will not be asked again.

A side note: considering that you are using the native Windows Firewall on XP, which does not control outgoing traffic, you are not in the best position regarding security... so at least, if you are relying on scans, do those full scans sometimes from the beginning till the end.


Hello,

Image File Execution Options absolutely is not a good thing as far as I know. It may stop your antivirus from running.

Thankful, does your NOD32 work well? I suspect that your PC may have got Avkiller or something alike.

Here is my advice:

1) Run a deep scan when you are offline.

2) Put the scan logs in the malware removal section for review.


Thank you both for replying.

1. I had run a completed deep scan and the only thing it found were the two registry traces. I then sent the two traces to Emsisoft for analysis.

2. The following day, I wanted to see if Emsisoft had corrected the FPs. They had not. That is why I stopped the scan once the two traces came up again.

3. My NOD32 is working very well. In fact, the new version release of NOD32 is considerably faster than the prior version of NOD32.

4. I installed and ran a full scan of the Free version of Avast 5 to get a second opinion. The results came back clean, no infection.

5. A scan by Malwarebytes also came back clean.

For those that are willing to sacrifice FPs for extra detection and don't believe FPs are a big issue, think again.


Hi Guys,

Ray,

...Put the scan logs in malware removal section for review.

Since nothing was quarantined and the matter is under investigation, that is a bit premature ;)

I think that will be fixed soon if submitted as suggested.

Thankful, you are welcome

...For those that are willing to sacrifice FPs for extra detection and don't believe FPs are a big issue, think again...

If I got your statement correctly,

I definitely prefer having some issues with FPs (we cannot live without those) but having such a great detection rate as a-squared has.

Cheers!


Hi,

I've got the same problem.

I'm running a freshly installed Windows 7 with Nod32 4.2.35, Comodo Firewall and Asquared Free.

Both registry keys are detected as Trace.Registry.VirusShield2009!A2.

The whole system was installed yesterday, so I think that this is a false positive.


Hello guys,

This is not a coincidence now. I got the same issue.

In order to test this I installed ESET Smart Security 4.2.3.50 and A2 free. The image was captured when the quick scan finished.

I hope EMSI developers could fix it asap.

PS: This is a clean installed stand-alone VPC. Only ESS and A2 free are running on it.


Ray,

\ Image \ what? You could at least adjust the columns width ;)

Yes, there are several requests already from users of ESET, including in the Malware Removal section, with similar detections (see one of the recent cases there http://support.emsisoft.com/topic/1668-traceregistryvirusshield2009a2/)

...\Image File Execution Options\egui.exe

...\Image File Execution Options\ekrn.exe ...

... But the "image" (literally) that you supplied doesn't show a thing about the "Image File Execution" detection.

Have you, as an experienced user, submitted the entries and/or the files?

I hope you did.

Cheers!


Oh, sorry for the mindless capture. I forgot to save the log here and I've removed the undo disk changes...

But it was detected after ESS was installed.
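
The Image File Execution Options entries discussed in this thread can be inspected directly. The following is an added example, not part of any forum post and not Emsisoft or ESET code: a read-only PowerShell check that lists IFEO subkeys and marks those carrying a `Debugger` value, the setting that makes Windows start a different program in place of the named executable. The two registry roots are the standard Windows IFEO locations (an assumption here, since the thread shows the flagged paths only in shortened form), and `Get-IfeoReport` is a hypothetical helper name.

```powershell
# Added example: read-only review of Image File Execution Options (IFEO) keys.
# Assumption: these are the standard Windows IFEO locations; the thread
# shows the flagged paths only in shortened form.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Executable names taken from the detections quoted in the thread.
$Watch = @('egui.exe', 'ekrn.exe')

function Get-IfeoReport {   # hypothetical helper name
    param([string[]]$Roots, [string[]]$WatchList)
    foreach ($root in $Roots) {
        # The WOW6432Node root does not exist on 32-bit Windows.
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # GetValue returns $null when the key has no Debugger value.
            $debugger = $key.GetValue('Debugger')
            $verdict  = if ($debugger) { 'REVIEW: Debugger value set' } else { 'no Debugger value' }
            [pscustomobject]@{
                Image    = $key.PSChildName
                Watched  = $WatchList -contains $key.PSChildName   # case-insensitive match
                Debugger = $debugger
                Values   = ($key.GetValueNames() -join ', ')
                Verdict  = $verdict
                Root     = $root
            }
        }
    }
}

$report = @(Get-IfeoReport -Roots $IfeoRoots -WatchList $Watch)

# Show the watched security-product entries plus any key with a Debugger value.
$report | Where-Object { $_.Watched -or $_.Debugger } |
    Format-Table Image, Debugger, Values, Verdict -AutoSize

# Report watched names that have no IFEO key at all.
$Watch | Where-Object { $report.Image -notcontains $_ } |
    ForEach-Object { "No IFEO key present for $_" }
```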
