Ghostly files detected and quarantined!

[nod32user 0]

Hello all,

 

I just updated to NOD32 AV 7.0.302.0 yesterday from 5.2.15.2 on Windows 7 Ultimate 64-bit. Uninstalled the program using the normal uninstaller and then just to be sure rebooted into Safe Mode and ran the cleanup utility.

 

Overall happy with 7.x so far except for a couple of niggling issues that I hope someone can help me with:

 

1) Every time I clear the logs or do something similar (using an admin account BTW) a UAC prompt for ESET Elevated Client pops up. Can't even begin to tell you just how irritating this is! Simple log cleaning shouldn't require further elevation and indeed, neither NOD32 AV 4.x nor 5.x ever exhibited such behavior. How do I turn this off?

 

2) The initial scan and a second full scan of my system showed no threats, yet strangely under Tools it says Number of quarantined objects: 1. However when I open Quarantine it shows nothing! This has never happened before. According to a post on the Wilders Security Forum I should be looking for an encrypted .NDF or .NQF file under %AppData%\ESET\ESET NOD32 Antivirus\Quarantine or perhaps %LocalAppData%\ESET\ESET NOD32 Antivirus\Quarantine. I have searched C:\Users and indeed the entire C: partition but no such files exist anywhere. Has the extension for quarantined files been changed in 7.x? How can I get rid of this ghostly quarantined file?

 

Thanks

[PodrskaNORT 17]

@nod32user

 

1) Try with this:

hxxp://download.eset.com/manuals/eset_eav_7_userguide_enu.pdf

-> 4.5.4 Access setup

"Require full administrator rights..."

 

Tomo

[Marcos 5,070]

Yes, that's it. If EAV is configured to require full administrator rights to perform tasks requiring them, then UAC will prompt you when such an action is attempted (indicated by a shield in a button). Disabling this option will disable UAC prompts.

 

As for quarantine files, neither the format nor file extensions have changed. Do you see the gui reporting 1 file in quarantine even after a computer restart?

[nod32user 0]

Yes, that's it. If EAV is configured to require full administrator rights to perform tasks requiring them, then UAC will prompt you when such an action is attempted (indicated by a shield in a button). Disabling this option will disable UAC prompts.

 

Thanks (to PodrskaNORT too), I'll try turning off Advanced setup > User interface > Access setup > Require full administrator rights for limited administrator accounts and get back to you if it doesn't help.

 

 

As for quarantine files, neither the format nor file extensions have changed. Do you see the gui reporting 1 file in quarantine even after a computer restart?

 

Yes, multiple restarts and cold boot too but no change. UI keeps showing 1 ghost file in Quarantine. Where is this count stored? Registry? Perhaps I can reset it to zero and see if that helps.

Edited October 18, 2013 by nod32user

[nod32user 0]

So Marcos, I'll try my luck again...

 

Where is the Quarantine count stored? I would like to tinker with it and see if it solves this issue. Can you please help?

[stackz 112]

Have a look for: C:\Users\[user name]\AppData\Local\ESET\ESET Smart Security\Quarantine\INFO.NQI

[PodrskaNORT 17]

@nod32user

 

Can you try to deliberately quarantinte one file (eicar, for example) and then empty the quarantine? Maybe that will reset counter...

I can not reproduce the problem so I could not test this theory, but this little trick works with Recycle Bin in Windows, maybe it would work here, too :-)

 

Tomo

[Arakasi 549]

Lol the recycle bin bug.

Been a while since i seen that.

[nod32user 0]

Have a look for: C:\Users\[user name]\AppData\Local\ESET\ESET Smart Security\Quarantine\INFO.NQI

 

Here's the content of C:\Users\UserName\AppData\Local\ESET\ESET NOD32 Antivirus\Quarantine\INFO.NQI:

 

 

I don't see any values there, just an "EQIF" header. I tried deleting this file and rebooting but no change.

 

@nod32user

 

Can you try to deliberately quarantinte one file (eicar, for example) and then empty the quarantine? Maybe that will reset counter...

I can not reproduce the problem so I could not test this theory, but this little trick works with Recycle Bin in Windows, maybe it would work here, too :-)

 

Tomo

 

Count Before:

 

 

Adding File to Quarantine:

 

 

Count After:

 

 

Unfortunately, after deleting the quarantined file the count's now back at 1.

 

So... any more ideas?

[Marcos 5,070]

Try creating a batch file with the following content (e.g. getquar.bat) and run it then:

 

@echo off

for /r c:\users %%a in (*.n?f) do echo %%a && copy "%%a" c:\quarantine && goto eof

 

Finally check the content of the c:\quarantine folder to see if it contains some files.

[linsj 0]

I have the same ghost file problem in quarantine. The quarantined objects number shows 1, but none are listed. I checked the c:\user... line above and found this file in the quarantine folder: info.nqi. Should I delete it or leave it?

[Fanzine 0]

Problem solved. I found several hidden accounts with an ESET folder in them. I deleted all those folders. I removed ESET completly. Then went into safe mode used the clean up tool. Searched for any traces of ESET. Rebooted back to normal and re-installed. No more left over quarantined files left in the log window. Thanks again.

 

Make sure to show all hidden files and folders. Go into your user document folders and look look at all the user accounts and remove all ESET folders they will be hidden under application data and or local settings application files. look deep into all user accounts.

[Dracula 0]

#1.
C:\Users\Scipio_A\AppData\Local\ESET\ESET NOD32 Antivirus\Quarantine\                 [hidden files]

 

#2.

 delete all files .NQF  and .NDF

 

#3.

restart PC. Enjoy !

[linsj 0]

I don't have any .NQF or .NDF files in quarantine, only INFO.NQI. Quarantine still shows the ghostly 1 but no files.

[Marcos 5,070]

I don't have any .NQF or .NDF files in quarantine, only INFO.NQI. Quarantine still shows the ghostly 1 but no files.

 

Search the whole c: drive for *.nqi and *.ndf files.