signature 3918 appears to be putting windows files into quarantine
BeanCounter
March 9th, 2009, 01:23 AM
dllhost.exe and msdtc.exe were quarantined as soon as virus signatures updated to 3918. They are being seen as a variant of Win32/Kryptic.JX trojan.
I am not convinced that this is correct.
mickhardy
March 9th, 2009, 01:25 AM
We've got the same problem. Entire Network!
wingman ix
March 9th, 2009, 01:28 AM
I can confirm that I had the same problem as well. Same files with same supposed trojan and immediately after the 3918 update.
rdfye
March 9th, 2009, 01:28 AM
obviously a false positive and deleting and/or quarantining these files on all our systems as well.
viruscraft
March 9th, 2009, 01:32 AM
It's absolutely a FP.
Please fix it asap.
kevinz
March 9th, 2009, 01:36 AM
I was just putting together a zip to submit as a FP. Got the same results as OP on dllhost and a few others. Then ran a scan on system32 and whole bunch were marked.
Part of log:
3/9/2009 1:31:18 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\stimon.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:31:17 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\ping.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:43 AM Real-time file system protection file C:\windows\system32\com\SET533.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:36 AM Real-time file system protection file C:\windows\system32\SET4D5.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:26 AM Real-time file system protection file C:\windows\system32\SET4D4.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:21 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:20 AM Real-time file system protection file C:\windows\system32\SET49A.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:19 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:18 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:17 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:09 AM Real-time file system protection file C:\windows\system32\SET48B.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:00 AM Real-time file system protection file C:\windows\system32\SET488.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:14:44 AM Real-time file system protection file C:\windows\system32\SET2D8.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:04:46 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:04:43 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 12:55:33 AM Real-time file system protection file C:\windows\system32\SET5816.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 12:55:27 AM Real-time file system protection file C:\windows\system32\SET5815.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 12:55:26 AM Startup scanner file C:\WINDOWS\system32\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined
3/9/2009 12:55:19 AM Startup scanner file C:\WINDOWS\system32\dllhost.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting
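The log above has the shape of a bad signature rather than an infection: one threat name, many distinct files under system32 in a short burst, and the "application" writing the re-detected copies is winlogon.exe, which on Windows XP hosts Windows File Protection restoring the deleted files (hence the SET*.tmp, *.new and dllcache entries). As an added example, not from this thread or from ESET, the Python below parses NOD32 log lines in the format quoted above and reports such bursts; the thresholds and the Win32/Example.A line are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Added example (not ESET's code): parse NOD32 threat-log lines like those quoted
# above and flag the pattern of a bad signature: one threat name hitting many
# distinct files under the Windows directory within a short window.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>.+?) file (?P<path>\S+) a variant of (?P<threat>\S+) trojan "
    r"(?P<action>cleaned by deleting(?: - quarantined)?)"
    r"(?: (?P<user>.+?) Event occurred on .+? by the application: (?P<app>\S+?)\.?)?$"
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    return rec

def suspected_fp_storms(lines, window=timedelta(hours=1), min_files=4):
    """Per threat name, report the distinct Windows-directory files it hit within
    `window` and which applications wrote them; `min_files` is the threshold."""
    by_threat = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].lower().startswith("c:\\windows\\"):
            by_threat[rec["threat"]].append(rec)
    storms = {}
    for threat, recs in by_threat.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            files = {r["path"].lower() for r in burst}
            if len(files) >= min_files:
                writers = {r["app"].rsplit("\\", 1)[-1].lower() for r in burst if r["app"]}
                storms[threat] = {"files": sorted(files), "writers": sorted(writers)}
                break
    return storms

# Sample input: five lines taken from the log quoted above plus one constructed,
# unrelated detection (Win32/Example.A) that must not be reported.
SAMPLE_LOG = [
    r"3/9/2009 12:55:19 AM Startup scanner file C:\WINDOWS\system32\dllhost.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting",
    r"3/9/2009 12:55:26 AM Startup scanner file C:\WINDOWS\system32\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined",
    r"3/9/2009 1:04:46 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.",
    r"3/9/2009 1:15:21 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.",
    r"3/9/2009 1:31:17 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\ping.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.",
    r"3/9/2009 1:20:00 AM Real-time file system protection file C:\Temp\setup.exe a variant of Win32/Example.A trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\Temp\dl.exe.",
]

if __name__ == "__main__":
    for threat, info in suspected_fp_storms(SAMPLE_LOG).items():
        print(f"{threat}: {len(info['files'])} Windows files, written by {info['writers']}")
```

A burst whose writer is a trusted system component such as winlogon.exe is the cue to suspend quarantine actions and raise a false-positive report rather than to keep deleting.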
wingman ix
March 9th, 2009, 01:42 AM
This is probably a silly question, but assuming these files were deleted/quarantined, will this require that I reinstall Windows? :-[ At the moment, my computer seems fine, but I imagine those files were necessary files for Windows. Is there some way to retrieve those files without having to reinstall Windows?
tsmith35
March 9th, 2009, 01:45 AM
I'm getting ready to abandon the NOD32 ship and move on to Avira, Kaspersky, or any other competent AV. This is the 2nd time that NOD32 has sunk my machine in a year. Last time was the total reinstall of Adobe Acrobat after NOD32 decided it was a huge virus. This is stupid. Apparently the folks at Eset don't test any of these updates.
artsky
March 9th, 2009, 01:48 AM
my goodness!!! what's up NOD32? got the same results as well. please fix this asap!
Jimbo14
March 9th, 2009, 01:49 AM
Same for me. I watched the signature file getting updated to 3918 a short while ago, followed immediately by four quarantine warnings - msdtc.exe and dllhost.exe from the windows\system32 folder, plus two tmp files from the same folder with file sizes matching the two executables.
The msdtc.exe file is associated with the Microsoft Distributed Transaction Coordinator service, while HiJackThis indicated that the dllhost.exe file was associated with MS Software Shadow Copy Provider.
The files can be restored from quarantine if necessary to keep your system running, but I guess that until the signature file is corrected as well you'd have to disable NOD32.
Jim.
JAB
March 9th, 2009, 01:49 AM
Anyone know how to do a pattern rollback using Remote Administrator? We've got the same problem.
kevinz
March 9th, 2009, 01:50 AM
How are files from windows not tested in updates? I tend to be fairly forgiving when random mistakes happen but come on. This isn't some odd program FP.
License is up next month. This may have been too much to pay more.
mickhardy
March 9th, 2009, 01:52 AM
Crippled our Network, by the time I rolled out a System32 exclusion, all machines had updated to 3918 and I'd receive 4882 virus emails. Great fun for a Monday!
artsky
March 9th, 2009, 01:53 AM
not good at all :(
haerdalis
March 9th, 2009, 01:54 AM
It happened to me too.. Annoying.
ShadowProtect was the knight in shining armor on this occasion..
Morandor
March 9th, 2009, 01:55 AM
I've also had actmovie.exe, nddeapir.exe, mqsvc.exe, dmremote.exe, stimon.exe, and progman.exe quarantined after this update, in addition to the two already mentioned, msdtc.exe and dllhost.exe. All with the Kryptik.JX Trojan as the reason.
wingman ix
March 9th, 2009, 01:59 AM
Like Jimbo, I also had 2 tmp files show up and get quarantined/deleted, not sure if those were critical files too.
Zyrtec
March 9th, 2009, 02:02 AM
Hello,
I've got the same problem on my laptop running Windows Vista Business 32-bit, Core 2 Duo 2.20GHz, 2GB RAM, 120 GB hard disk and NOD32 v.4 and ZAP 8.0.298
NOD32 v.4 just flagged some Windows files as viruses/trojans and deleted them, and now my laptop has problems logging into Windows in normal mode. Had to boot in safe mode and take the files out of quarantine to be able to heal Windows.
This is a real mess. I hope ESET comes up with a solution very quickly or I will have to look for something else to protect my laptop.
Regards,
Carlos
BeanCounter
March 9th, 2009, 02:03 AM
I just tried a manual update and got a "program modules have been updated event". I then restored the files from quarantine and it would appear that the program modules update has fixed the FP detection.
stratoc
March 9th, 2009, 02:04 AM
my pc has been on an hour, no problems as yet. I am not going to risk a scan. update 3918 was a weekend 1 entry update http://www.eset.com/support/updates.php
tsmith35
March 9th, 2009, 02:05 AM
I'm running SFC /scannow on my computer now. THANK GOD THAT NOD32 ISN'T ON MY CONTROL SYSTEM PCs!!!!! If it was, I'd be at work right now fixing the problem on 30+ computers.
NOD32 absolutely s***s with respect to testing updates. The quarantining of fully valid Windows XP files is an indication of Eset's gross incompetence.
rdfye
March 9th, 2009, 02:07 AM
I put in a case to ESET on this earlier and they are aware and have stopped the update however this is little help for all of us that already got the update. Just wanted to let everyone know that ESET is aware.
CEllsworth
March 9th, 2009, 02:10 AM
What's the best way to solve this across a domain? I've got 250 machines in this situation, on a domain, managed NOD32.
I don't see any easy way to tell the bulk of them to restore the file from quarantine. Is the problem isolated to %WINDIR%?
Exclude that dir + SFC /scannow across the whole domain?
xMarkx
March 9th, 2009, 02:14 AM
{QUOTE-> Same for me. I watched the signature file getting updated to 3918 a short while ago, followed immediately by four quarantine warnings - msdtc.exe and dllhost.exe from the windows\system32 folder, plus two tmp files from the same folder with file sizes matching the two executables.
The msdtc.exe file is associated with the Microsoft Distributed Transaction Coordinator service, while HiJackThis indicated that the dllhost.exe file was associated with MS Software Shadow Copy Provider.
The files can be restored from quarantine if necessary to keep your system running, but I guess that until the signature file is corrected as well you'd have to disable NOD32.
Jim. <-QUOTE}
Hello,
After my ESET NOD32 Antivirus updated to 3818, it picked up the exact same thing that your NOD32 did. msdtc.exe, dllhost.exe from the SYSTEM32 folder and two tmp files as well.
The two .exe files (msdtc.exe and dllhost.exe) are important files for Windows. What will happen if I try to reboot my computer? Should I restore them or what?
I'm afraid to turn off my computer now as maybe these 2 important windows files that were deleted could prevent boot up?
tsmith35
March 9th, 2009, 02:18 AM
I restored the Windows files from quarantine and ran System File Checker on my PC. Was able to reboot fine.
My NOD32 license expires in a few days. I won't be renewing.
wingman ix
March 9th, 2009, 02:19 AM
{QUOTE-> Hello,
After my ESET NOD32 Antivirus updated to 3818, it picked up the exact same thing that your NOD32 did. msdtc.exe, dllhost.exe from the SYSTEM32 folder and two tmp files as well.
The two .exe files (msdtc.exe and dllhost.exe) are important files for Windows. What will happen if I try to reboot my computer? Should I restore them or what?
I'm afraid to turn off my computer now as maybe these 2 important windows files that were deleted could prevent boot up? <-QUOTE}
I am in the same boat, but I don't see the files in my quarantine menu which I can only assume means they were deleted. I also did a search and they aren't in the system32 folder either. Any ideas how to get the files back? Reinstall windows?
xMarkx
March 9th, 2009, 02:21 AM
OK so I'm pretty sure I should restore the two Windows .exe files because everyone's NOD32 has detected them so they're definitely FP.
However, my NOD32 also picked up two .tmp files in the SYSTEM32 folder. Should I restore the .tmp files as well?
CEllsworth
March 9th, 2009, 02:21 AM
I was able to just restore them on a number of machines. The Microsoft Distributed Transaction Coordinator Service started once the file was restored.
CellThree
March 9th, 2009, 02:23 AM
{QUOTE-> OK so I'm pretty sure I should restore the two Windows .exe files because everyone's NOD32 has detected them so they're definitely FP.
However, my NOD32 also picked up two .tmp files in the SYSTEM32 folder. Should I restore the .tmp files as well? <-QUOTE}
If you're not sure, then restore everything, run the manual update to get the fix for the FP and rescan the affected folders. If it comes back clean, then you're sorted.
xMarkx
March 9th, 2009, 02:43 AM
{QUOTE-> If you're not sure, then restore everything, run the manual update to get the fix for the FP and rescan the affected folders. If it comes back clean, then you're sorted. <-QUOTE}
That's exactly what I did. Thank you for your advice. Rebooted computer and everything is normal.
Just wondering -- what would happen if the FPs (the important Windows files) weren't restored from quarantine and one was to reboot the computer? Would everything be normal.. or what would happen?
Thanks,
Mark.
Marcos
March 9th, 2009, 02:46 AM
http://www.wilderssecurity.com/showpost.php?p=1419988&postcount=6
tanstaafl
March 9th, 2009, 02:56 PM
So, all you guys saying you're no longer using NOD32 because of this...
Do you ever get tired of switching programs?
I'll admit this is pretty bad, and I can afford to be more forgiving since apparently I was not bit by this, but still, NO s/w is perfect... and the fact is, NOD32 is, overall, the best protection for your PC that money can buy...
Rmuffler
March 9th, 2009, 06:51 PM
We have added more information about this to our news page here: http://kb.eset.com/esetkb/index?page=content&id=NEWS9
A Knowledgebase article describing the issue is here: http://kb.eset.com/esetkb/index?page=content&id=SOLN2181
We apologize for problems caused by this issue. If further help from our Customer Care Engineers is needed, please call Toll Free. +1 (866) 343-ESET [3738] or Tel. +1 (619) 876-5400, or through the support request page here: http://www.eset.com/support/contact.php
Thank you,
Richard
Rian
March 10th, 2009, 05:04 AM
I thought this was fixed with Advanced heuristics module version: 1091 ?
Still seeing this on servers I manage...... :(
--------------------
NOD32 antivirus system information
Virus signature database version: 3922 (20090309)
Dated: Monday, March 09, 2009
Virus signature database build: 15308
Information on other scanner support parts
Advanced heuristics module version: 1091 (20090309)
Advanced heuristics module build: 1200
Internet filter version: 1.002 (20040708)
Internet filter build: 1013
Archive support module version: 1082 (20090213)
Archive support module build version: 1224
Information about installed components
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Administrative tools
Version: 2.70.39
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
Version: 2.70.39
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
Version: 2.70.39
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
Version: 2.70.39
Operating system information
Platform: Microsoft Windows Server 2003
Version: 5.2.3790 Service Pack 2
Version of common control components: 5.82.3790
RAM: 2048 MB
Processor: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1866 MHz)
3/9/2009 0:03:30 AM - NOD32 Kernel Threat Alert triggered on : c:\windows\system32\msdtc.exe is infected with a variant of Win32/Kryptik.JX trojan.
3/9/2009 0:03:48 AM - NOD32 Kernel Threat Alert triggered on : C:\WINDOWS\system32\msdtc.exe is infected with a variant of Win32/Kryptik.JX trojan.
-------------------------------
SRW
Marcos
March 10th, 2009, 05:23 AM
{QUOTE-> I thought this was fixed with Advanced heuristics module version: 1091 ?
Still seeing this on servers I manage...... :(
<-QUOTE}
The "Kryptik.JX" signature was removed in the update 3920. Please restore the files in question from quarantine and rescan them with the most current version.
Kaburrub
March 10th, 2009, 05:34 AM
what's up NOD32? got the same results as well. please fix this
My Organization used ESET after My recommendation. Plz Keep Me trust you ??? >:(
Marcos
March 10th, 2009, 05:38 AM
{QUOTE-> what's up NOD32? got the same results as well. please fix this
My Organization used ESET after My recommendation. Plz Keep Me trust you ??? >:( <-QUOTE}
Please post here a screenshot of the on-demand scanner detecting this file so that we can see all relevant information.
Copyright ©2002 - 2009, Wilders Security Forums