ESS locks, won't update, followed by Kryptik.AMQ infection

Discussion in 'ESET NOD32 Antivirus/Smart Security Beta' started by drose25, Jul 2, 2012.

Thread Status:
Not open for further replies.
  1. drose25

    drose25 Registered Member

    Joined:
    Jul 2, 2012
    Posts:
    4
    Location:
    USA
    So I had something very unusual happen with Smart Security over the weekend. When I got to my PC yesterday afternoon, the ESS icon was still spinning like it was scanning the PC. I found this odd since the scan starts at 3am and it only has two SSDs to scan. :D

    ESS opened normally, and showed the scanning screen normally, where it appeared to be stuck on a file (in a Windows Python distro for Blender, had been on PC long time already). Clicking the pause button, etc. failed to stop or restart the scan. I rebooted the PC and scanned the PC manually, nothing unusual was found.

    This morning when I got to the PC, I got an alert saying ESS was not able to update its virus signatures. I tried clearing the cache, etc., but it continued to die when updating. I checked the box for the beta or pre-release signatures, and started the update again. It downloaded a lot of new stuff, but also failed to update successfully. The update would die around 7 or 8 of 10 steps, in what appeared to be a data unpacking and applying stage rather than a downloading stage.

    At this point I uninstalled the ESS beta and installed ESS 5. It installed properly, updated without any trouble, and I ran a quick memory and boot sector scan with nothing found. I then set it for a full scan and went about working.

    After a few minutes ESS started popping up warnings about files in memory and the disk being infected with Kryptik.AMQ. One of the infected files was in the ESET program directory, and so was one of the files in memory. ESS was unable to delete the files or quarantine them. At this point I pulled the power and intended to boot from a rescue CD to check the system with an uncompromised source.

    Unfortunately it did not boot from the CD as intended, and Windows booted to the login screen while I was out of the room. So, it's possible ESS deleted any infected files at boot. I rebooted with rescue CDs.

    Running complete scans with both Avira and Kaspersky rescue CDs yielded no infections. Rebooting into Windows and scanning again with ESS 5 yields no infections.

    I am concerned, however, because the ESS threat log does not show that all of the infected files were deleted. They no longer appear in the locations given, but I'm skeptical.

    I've been unable to identify the vector by which the virus would have entered the system. All downloads are saved on a networked share and a scan of it yields nothing infected. The only thing I've downloaded or installed recently was a game patch for Tropico 4, and that was downloaded directly by the game. There is only one other Windows PC on the network, and it scans as clean. From Googling, it appears this Kryptik trojan is fairly old, so I'm surprised it would have been able to slip by ESS 6.

    I know this information is very vague and probably not helpful, but I thought I would throw it out there in case anyone else experiences a similar problem. If so, maybe ESET can determine if there's an actual bug running loose.
     
  2. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Check the On demand scans log, maybe the cleaning was performed after reboot.
     
  3. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    How did you notice signs of active infiltrations?

    Maybe you could paste the info from the "Detected threats" log here.
     
  4. drose25

    drose25 Registered Member

    Joined:
    Jul 2, 2012
    Posts:
    4
    Location:
    USA
    This is from the Detected Threat Log:

    7/2/2012 12:05:39 PM Startup scanner file Operating memory » C:\Windows\SysWOW64\msv1_0.DLL a variant of Win32/Kryptik.AMQ trojan error while deleting
    7/2/2012 12:04:08 PM Startup scanner file Operating memory » C:\Program Files\ESET\ESET Smart Security\x86\ekrnSmon.dll a variant of Win32/Kryptik.AMQ trojan cleaned by deleting (after the next restart) - quarantined
    7/2/2012 12:04:06 PM Startup scanner file C:\Windows\system32\msv1_0.dll a variant of Win32/Kryptik.AMQ trojan error while deleting

    I don't see anything called an On Demand Scan log.
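As an added example (not code from this thread or from ESET), a small Python parser for the three Detected-threats lines quoted in the post above, with a triage step that flags what a reader of such a log still has to verify by hand: entries the scanner could not delete, a module reported both loaded in memory and on disk, and hits inside the product's own directory. The field layout is assumed from those three lines only.

```python
import re
from collections import defaultdict

# One line of the ESET "Detected threats" log as pasted above: <timestamp> <scanner> file
# <object> <threat name> <action>. Layout assumed from those lines, not an official spec.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>.+? scanner) file (?P<object>.+?) "
    r"(?P<threat>(?:a variant of )?\S+ (?:trojan|virus|worm|application)) "
    r"(?P<action>.+)$"
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "Operating memory » <path>" means the hit was on a loaded module, not the file on disk
    rec["in_memory"] = rec["object"].startswith("Operating memory")
    rec["path"] = rec["object"].split("»", 1)[1].strip() if "»" in rec["object"] else rec["object"]
    # "error while deleting" means the object is still there: the detection is unresolved
    rec["resolved"] = not rec["action"].lower().startswith("error")
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def triage(records):
    """Flag what still has to be verified by hand (offline scan, hash check against known-good)."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    return {
        "unresolved": sorted({r["path"] for r in records if not r["resolved"]}),
        # same module name seen both loaded in memory and on disk (two distinct copies here)
        "memory_and_disk": sorted(n for n, rs in by_name.items()
                                  if any(r["in_memory"] for r in rs)
                                  and any(not r["in_memory"] for r in rs)),
        # hits inside the AV product's own directory deserve a second look
        "in_av_dir": sorted({r["path"] for r in records if "\\eset\\" in r["path"].lower()}),
    }

# Constructed sample: the three lines quoted in the post above, verbatim.
SAMPLE = r"""
7/2/2012 12:05:39 PM Startup scanner file Operating memory » C:\Windows\SysWOW64\msv1_0.DLL a variant of Win32/Kryptik.AMQ trojan error while deleting
7/2/2012 12:04:08 PM Startup scanner file Operating memory » C:\Program Files\ESET\ESET Smart Security\x86\ekrnSmon.dll a variant of Win32/Kryptik.AMQ trojan cleaned by deleting (after the next restart) - quarantined
7/2/2012 12:04:06 PM Startup scanner file C:\Windows\system32\msv1_0.dll a variant of Win32/Kryptik.AMQ trojan error while deleting
"""
```

Running `triage(parse_log(SAMPLE))` lists both msv1_0.dll copies as unresolved and the ESET-directory hit separately, which is exactly the set the later posts ask to have submitted and re-checked.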
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please submit the 2 dlls to ESET as per the instructions here. Also enclose a link to this thread.
     
  6. drose25

    drose25 Registered Member

    Joined:
    Jul 2, 2012
    Posts:
    4
    Location:
    USA
    Thanks for reading this thread! I submitted the files from quarantine as requested.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Are you able to reproduce the detection at any time by running an on-demand memory scan? As for the update issue, if it persists enable debug logging, run a manual update and copy & paste here the appropriate records from the ESET Event log. Also try deleting the content of the system and user temporary folders.
     
  8. drose25

    drose25 Registered Member

    Joined:
    Jul 2, 2012
    Posts:
    4
    Location:
    USA
    Unfortunately I cannot check -- I uninstalled the beta and re-installed v5 when the virus cropped up, so I can't try it out again now.
     