false positives but only via firefox - Kryptik.EI ?

Discussion in 'ESET Smart Security' started by denno, Jan 9, 2009.

Thread Status:
Not open for further replies.
  1. denno

    denno Registered Member

    Joined:
    Mar 22, 2006
    Posts:
    49
    false positives but only via firefox - Kryptik.EI ? [ RESOLVED ]

    Grr!

    Today I was trying to get an old version of uTorrent and the GPU-z utility.

    GPU-z: http://www.techpowerup.com/downloads/1304/mirrors.php
    uTorrent via filehippo (i was actually after 1.6.1 build 490, but even other versions give the same alert) : http://www.filehippo.com/download_utorrent/2467/

    I get this: http://i41.tinypic.com/o9pwdu.jpg

    Now, if I download these in Internet Explorer 7, they download fine! (bit of a delay in saving to disk though). At first I thought it was Firefox 3 because I just updated to that today. However, on an identical computer (except running Firefox 2) the same issue occurs o_O

    Is this a definition issue?

    ESS 3.0.672.0 - stock configuration, apart from disabling antispam and perhaps modifying the email alerts etc.
    Definition: 3754 (20090109)
    XP Pro 32bit SP3

    Update: ahhh... I just searched for Kryptik.EI via ThreatSense, and it seems definition 3751 included this signature. There's also another Kryptik variant in the 3752 update.
     
    Last edited: Jan 12, 2009
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,856
    Why exactly are you using old versions of those programs?
     
  3. denno

    denno Registered Member

    Joined:
    Mar 22, 2006
    Posts:
    49
    Oh, I'm not for both.. it's just a coincidence.

    I'm after the latest GPU-z version, as denoted by that link.

    The uTorrent was an old version that I was trying to match up with one I had on a disk, using the MD5s FileHippo provides. It was more so out of curiosity that I tried to download one, and the alert popped up; this surprised me considering FileHippo is a reputable archive.

    But isn't it interesting that via FF it detects it, but not via IE? I even tried turning off the 'Enable Web Access protection' via the tickbox, but it still occurred.
     
  4. denno

    denno Registered Member

    Joined:
    Mar 22, 2006
    Posts:
    49
    UPDATE - I was monitoring the definition updates recently to see if a new update would resolve it (using the links above to check), and either v3759 or v3760 appears to have done so. Checking the links no longer results in FF detecting them as a threat.

    Can a moderator please tag my thread title with [ RESOLVED ] so that others can see a problem no longer exists when searching the forum? Cheers!
     
  5. waveform

    waveform Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    4
    I'm getting this same warning, and I don't have uTorrent on this computer. I am using Firefox 3.0.6, however. I'm behind a Netgear hardware firewall with an IP routing table, and haven't opened any strange files other than AVIs and movie images. I also keep many services disabled, like remote reg, messenger, automatic updates. Guest account disabled, Help account deleted. Is this warning false? Why is NOD32 pointing at ping.exe? That executable is part of Windows.
    ----
    C:\WINDOWS\ServicePackFiles\i386\actmovie.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\comrereg.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\dllhost.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\dmremote.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\mqsvc.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\msdtc.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\nddeapir.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\ping.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\progman.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\ServicePackFiles\i386\stimon.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\actmovie.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\dllhost.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\dmremote.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\mqsvc.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\msdtc.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\nddeapir.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\stimon.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\Com\comrereg.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\dllcache\dllhost.exe - a variant of Win32/Kryptik.JX trojan
    C:\WINDOWS\system32\dllcache\msdtc.exe - a variant of Win32/Kryptik.JX trojan

    In regard to the Active Movie exe listed above, it appears to be an MS application.
     
    Last edited: Mar 9, 2009
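The list above is worth triaging rather than trusting either way. Windows File Protection keeps pristine copies of system binaries in system32\dllcache and ServicePackFiles\i386, so the quickest check is whether the live system32 copy is byte-for-byte identical to those cached copies: if all three hash the same and the scanner flags all three, the signature matched Microsoft's own file, which is what a false positive looks like; if the live copy differs from the cache, the detection deserves to be taken seriously. The script below is an added example for this thread, not ESET's code or a Microsoft tool. It assumes Windows PowerShell 2.0 or later run from an elevated prompt on the affected host (hashing is done through .NET so it does not need Get-FileHash), and a scan log pasted into $logText; the log text shown is constructed from the lines posted above.

```powershell
# Added triage script; not from the thread, from ESET, or from Microsoft.
# Assumes Windows PowerShell 2.0+ on the affected host, run elevated.
# $logText is constructed from the detection lines posted in the thread.

$logText = @"
C:\WINDOWS\ServicePackFiles\i386\dllhost.exe - a variant of Win32/Kryptik.JX trojan
C:\WINDOWS\ServicePackFiles\i386\msdtc.exe - a variant of Win32/Kryptik.JX trojan
C:\WINDOWS\ServicePackFiles\i386\ping.exe - a variant of Win32/Kryptik.JX trojan
C:\WINDOWS\system32\dllhost.exe - a variant of Win32/Kryptik.JX trojan
C:\WINDOWS\system32\msdtc.exe - a variant of Win32/Kryptik.JX trojan
C:\WINDOWS\system32\dllcache\dllhost.exe - a variant of Win32/Kryptik.JX trojan
C:\WINDOWS\system32\dllcache\msdtc.exe - a variant of Win32/Kryptik.JX trojan
"@

function Get-Sha256Hex {
    # Hash via .NET so this also works where Get-FileHash (PowerShell 4+) is absent.
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Clear() }
}

function Get-CopyInfo {
    # Hash and signature-check one flagged file; missing files are reported, not skipped.
    param([string]$Path)
    $present = Test-Path -LiteralPath $Path
    $hash = $null
    $sig  = 'Missing'
    if ($present) {
        $hash = Get-Sha256Hex -Path $Path
        # Many OS binaries are catalog-signed and carry no embedded signature, so
        # NotSigned here is not evidence of tampering; Sysinternals sigcheck also
        # consults the catalogs and is the better oracle for that question.
        $sig = (Get-AuthenticodeSignature -FilePath $Path).Status
    }
    New-Object PSObject -Property @{ Path = $Path; Present = $present; SHA256 = $hash; Signature = $sig }
}

# Parse "<path> - <verdict>" lines into objects keyed by file name.
$detections = $logText -split "`r?`n" | ForEach-Object {
    if ($_ -match '^(?<path>[A-Za-z]:\\\S+?\.exe)\s+-\s+(?<verdict>.+)$') {
        New-Object PSObject -Property @{
            Path    = $Matches['path']
            Name    = (Split-Path -Path $Matches['path'] -Leaf).ToLower()
            Verdict = $Matches['verdict']
        }
    }
}

# Group by file name and compare the live system32 copy against the Windows
# File Protection copies in dllcache and ServicePackFiles (written at install time).
$report = $detections | Group-Object -Property Name | ForEach-Object {
    $copies = @($_.Group | ForEach-Object { Get-CopyInfo -Path $_.Path })
    $hashes = @($copies | Where-Object { $_.Present } | ForEach-Object { $_.SHA256 } | Sort-Object -Unique)
    $verdict = 'copies DIFFER: treat the live copy as suspect'
    if ($hashes.Count -eq 1) { $verdict = 'all copies identical: consistent with a signature false positive' }
    if ($copies.Count -lt 2) { $verdict = 'single copy: compare its hash with a clean host at the same service pack' }
    if ($hashes.Count -eq 0) { $verdict = 'no copy present on disk' }
    New-Object PSObject -Property @{
        Name = $_.Name; Copies = $copies.Count; Distinct = $hashes.Count; Verdict = $verdict; Detail = $copies
    }
}

$report | Format-Table Name, Copies, Distinct, Verdict -AutoSize
# Show per-file hashes and signature status only where the copies disagree.
$report | Where-Object { $_.Distinct -gt 1 } | ForEach-Object { $_.Detail } | Format-List Path, SHA256, Signature
```

Two caveats on reading the output. An identical hash across the live copy and both cache copies shows the scanner flagged the same bytes the installer wrote, which is strong corroboration of a false positive but not proof: an attacker with administrator rights could replace the cached copies as well, so a hash from a known-clean machine at the same service pack level (or from an extracted install CD) is the real reference. And a single flagged copy, like ping.exe in ServicePackFiles above, cannot be compared locally at all and needs that external reference. In either case the file should go to the vendor as a suspected false positive rather than be deleted, since removing dllhost.exe or msdtc.exe from a live system breaks COM+ and MSDTC.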
  6. diffy

    diffy Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    31
    Location:
    LI, NY, USA