Win32/Kryptik.X
ExpertNovice
January 24th, 2012, 10:06 PM
How can I tell if the Win32/Kryptik.X$$ trojans are real or false positives? The files have been submitted for analysis but, having never received feedback on submitted files, I expect no reply this time.
System Configuration
XP SP3
IE 8.0.6
Sandboxie 3.60
ESET NOD32 Antivirus 4.2.67.10
Virus Signature 6824, (2012-01-24)
Online Armor version Premium Edition 5.1.1.1395 (last update 1-23-2012 20:56)
Webroot Spy Sweeper Version 6.1.0.157
Just recently changed to Wireless (WPA2) but I still use wired for banking.
Object Name:
c:\system volume information\_restore{insert machine guid here}\#######.exe
###### is A0227232, A0227235, A0227234, A0227233, A0227051, A0138243, etc.
Reason for quarantine:
a variant of Win32/Kryptik.$$$ trojan
$$ is XOZ, XKX, XMU, XNU, XHA, etc.
Since December Eset has a date of 12/13/2011, 12/14, 12/19, 12/19, 12/19, and 1/19.
For the record, since 1981 I have had one known virus on my system and that prompted me to install Eset, OA, Webroot anti-spyware, and SandBoxie. Prior to that I rarely used any protection. Trust me when I say I don't go to websites that don't appear "right."
I notice there were false positives for Win32/Kryptik.JX in January 2011. I also notice there is an "E-Set Antivirus 2011" rogue. My ESET NOD32 Antivirus 4 reads "ESET NOD32 Antivirus".
Any suggestions?
PS: Long wanted clarification.
The question; "How do I delete a quarantined file in my ESET security product?" is often asked. The answer is usually "Right-click the desired file and click Delete from Quarantine."
However, I want to delete Quarantined files from my computer, not just from Quarantine. Suggestions?
Marcos
January 25th, 2012, 12:45 AM
I, for one, haven't heard about a Kryptik false positive for a very long time and I'm in touch with the virus lab every day. Also the fact that several Kryptiks were found indicates that it should not be FP.
As for deleting files from quarantine, this is not necessary as quarantined files are stored in an encrypted form. If you want to delete them permanently anyway, select them in the quarantine pane and select "Delete from quarantine" from the right-click context menu.
ExpertNovice
January 25th, 2012, 01:19 AM
Thanks for the response and the confirmation that removing from quarantine removes it from the HDD. I thought it might but really, really hate assuming.
Any suggestions on how to track down the trojan creator? No one uses this computer but me. So, I must be doing something really wrong.
The false positives that I read about were documented at:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2181&actp=search&viewlocale=en_US&searchid=1327472028267
and, while not the same issue,
http://kb.eset.com/esetkb/index?page=content&id=SOLN2697&actp=search&viewlocale=en_US&searchid=1327472028267
agoretsky
January 25th, 2012, 08:48 PM
Hello,
It looks like the detections were in the directory used by Microsoft Windows' System Restore functionality, is there anything in ESET NOD32 Antivirus' log files which shows the infections being detected in other locations on the computer?
Regards,
Aryeh Goretsky
ExpertNovice
January 26th, 2012, 09:34 PM
No.
A system restore point was just created. Several scans were run of c:\System Volume Information. Nothing was found. Every file was logged on the last scan and there were many files with names similar to the reported Win32/Kryptik trojans in folders of similar names. (Folder RP1###, and file names A#######.exe)
Of the 9 quarantined files in the C drive restore folder 2 are adware. All 7 "variant of the Win32/Kryptik.??? trojan" files are in the C drive restore folder. They are dated 2011-12-08, 12-13, 12-14, 12-19 (3, all about one hour apart), and 1/19/2012.
Since 2009-06-28 27 files have been quarantined. I have found proof that 5 from a VBA handbook were false positives. Most of the others are adware, potentially unwanted apps, and trojans... I really don't like the latter.
Daily scans run since 1-24 have turned up nothing.
(Edited to add the first full paragraph.)
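The question asked above (do the detections appear anywhere other than the System Restore directory?) can be answered mechanically from an exported scan or quarantine log rather than by eye. The following is an added example and is not ESET's code or anything the posters ran. It assumes a simple tab-separated export (date, object, threat), which is not ESET's real log format; the GUID, RP folder numbers and log lines are constructed, and the detection names follow the "a variant of Win32/Kryptik.XXX trojan" wording quoted in the thread. Each object path is classified against the restore-point layout the poster describes (RP#### folder, A####### file), and the Kryptik variant suffixes are tallied.

```python
"""Triage helper: which detections sit inside XP System Restore's
restore-point directory, and which (if any) sit elsewhere on disk?

Added example, not part of the original thread or of any ESET tool.
The log layout (date<TAB>object<TAB>threat) is an assumption made for
this example; the sample lines and GUID below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# XP System Restore layout as quoted in the thread:
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<7 digits>.<ext>
RESTORE_POINT_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]{36}\}"
    r"\\rp\d+\\a\d{7}\.[a-z0-9]+$",
    re.IGNORECASE,
)

# Detection name as quoted in the thread: "a variant of Win32/Kryptik.XXX trojan"
KRYPTIK_RE = re.compile(r"Win32/Kryptik\.([A-Z]{1,4})\b")


@dataclass(frozen=True)
class Detection:
    when: str
    path: str
    threat: str

    @property
    def in_restore_point(self) -> bool:
        """True when the object path matches the restore-point layout."""
        return bool(RESTORE_POINT_RE.match(self.path))

    @property
    def kryptik_variant(self):
        """The suffix after 'Win32/Kryptik.', or None for other detections."""
        m = KRYPTIK_RE.search(self.threat)
        return m.group(1) if m else None


def parse_log(text: str):
    """Parse 'date<TAB>object<TAB>threat' lines; blank and '#' lines are skipped."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 3:
            raise ValueError(f"malformed log line: {line!r}")
        detections.append(Detection(*parts))
    return detections


def summarize(detections):
    """Count restore-point hits, list every path outside it, tally Kryptik suffixes."""
    outside = [d.path for d in detections if not d.in_restore_point]
    inside = len(detections) - len(outside)
    variants = Counter(d.kryptik_variant for d in detections if d.kryptik_variant)
    return {
        "restore_point": inside,
        "elsewhere": outside,
        "kryptik_variants": dict(variants),
    }


# Constructed sample log (not real ESET output). Dummy GUID and RP numbers.
DUMMY_GUID = "12345678-1234-1234-1234-123456789abc"
RESTORE_DIR = "C:\\System Volume Information\\_restore{" + DUMMY_GUID + "}"
SAMPLE_LOG = "\n".join([
    "# date\tobject\tthreat",
    "2011-12-13 09:12:01\t" + RESTORE_DIR + "\\RP1027\\A0227232.exe\ta variant of Win32/Kryptik.XOZ trojan",
    "2011-12-14 18:44:10\t" + RESTORE_DIR + "\\RP1031\\A0227235.exe\ta variant of Win32/Kryptik.XKX trojan",
    "2011-12-19 07:01:55\t" + RESTORE_DIR + "\\RP1040\\A0227234.exe\ta variant of Win32/Kryptik.XMU trojan",
    # One constructed hit outside the restore directory, to show what the
    # reply above is asking for; the threat name here is invented.
    "2012-01-19 22:15:30\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\setup.exe\tWin32/Adware.Example application",
])

if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

An empty "elsewhere" list is the clean-system outcome the thread arrives at. Note that the A#######.exe copies in an RP folder are snapshots XP System Restore takes of monitored files before they are changed or deleted on the live filesystem (the original path is recorded in that restore point's change.log), so a hit there means the executable existed outside the restore directory at some earlier time; checking the scan log for that earlier location is exactly the question being asked.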
agoretsky
January 26th, 2012, 11:21 PM
Hello,
It sounds like the system is clean. You could try creating an ESET SysRescue disc and booting the system off of that for a scan just to get a second opinion from a copy of ESET NOD32 Antivirus running under a different version of Windows than the one the hard disk drive boots off of, but other than that, I don't think any further action is required on your part.
Regards,
Aryeh Goretsky
siljaline
January 27th, 2012, 05:00 AM
-{ Quote: "I also notice there is an "E-Set Antivirus 2011" rogue." }-
Perhaps this is your issue. (http://kb.eset.com/esetkb/index?page=content&id=SOLN2697&ref=wsf) For the record, an infected system restore archive (http://en.wikipedia.org/wiki/System_Restore) is an infected archive and should not be used to retrieve any previous settings.
During a disinfection process, you would be asked to purge your system restore archive.
The ESET Rogue was Blogged here (http://blog.eset.com/2010/10/07/imitation-is-not-always-the-sincerest-form-of-flattery) and here (http://blog.eset.com/2011/03/17/more-unflattering-imitation)
ExpertNovice
January 27th, 2012, 09:26 PM
agoretsky, I will try creating the rescue disk and running another scan. (I get such a warm feeling of comfort from Microsoft. With Win XP SP3 installed I'm taken to the Vista SP1 and Windows Server 2008 download page for AIK. :P)
Trojans scare me. So when one seems to be replicating itself that, to me, suggests it exists on my system in one of the password protected files or files in use that Eset can't test. Hopefully, the rescue disk will circumvent that issue. I will probably delete the password protected files since they seem to be programs downloaded for installation from Adobe, etc.
siljaline, I made note of one of those threads. My Eset has the proper name of "ESET NOD32 Antivirus." (Thanks for responding)
siljaline
January 27th, 2012, 11:06 PM
You're quite welcome - stand by for further assistance from ESET.
-{ Quote: "siljaline, I made note of one of those threads. My Eset has the proper name of "ESET NOD32 Antivirus." (Thanks for responding) " }-
agoretsky
January 30th, 2012, 08:54 PM
Hello,
ESET SysRescue will prompt for the best version of WAIK to use. As I understand it, the version deployed in the Windows Vista/Server 2008 timeframe is the most compatible one in terms of Microsoft operating systems (Windows 2000 through Windows 7) so it is the best one to use.
Regards,
Aryeh Goretsky
Copyright ©2002 - 2013, Wilders Security Forums