Kryptik.BCQE trojan & subsequent System Care Antivirus infection

Discussion in 'ESET Smart Security' started by wongawallen, Jun 4, 2013.

Thread Status:
Not open for further replies.
  1. wongawallen

    wongawallen Registered Member

    May 25, 2008
    I just cleaned System Care Antivirus out of a computer that was running Eset Security and am curious how it managed to bypass Eset. The owner rang me immediately the program appeared and the only detected threats in the log were:
    4/06/2013 10:59:07 AM Real-time file system protection file C:\Users\Penny\AppData\Local\Temp\758F.tmp a variant of Win32/Kryptik.BCQE trojan cleaned by deleting
    Event occurred on a file modified by the application: C:\Windows\SysWOW64\svchost.exe.
    4/06/2013 10:58:54 AM HTTP filter file hxxp:// a variant of Win32/Kryptik.BCQE trojan connection terminated - quarantined
    Threat was detected upon access to web by the application: C:\Windows\SysWOW64\svchost.exe

    She told me it just "suddenly appeared" & told her the computer was infected, but a check of her web browsing history shows that she hadn't visited any suspicious sites, only a couple of government websites and the ANZ banking website (definitely no Facebook or other social networking sites). I also went to the same sites on my own computer and got no warnings of infections from Eset.

    Can anybody explain how something like this gets past Eset Security?

    Edit: link obfuscated.
    Last edited by a moderator: Jun 4, 2013
  2. Marcos

    Marcos Eset Staff Account

    Nov 22, 2002
    It's normal that no antivirus software detects 100% of all threats, especially if they are being adjusted every so often to evade detection. However, even new variants of these rogue AVs should get removed after an update or at computer system startup when a startup scan is run automatically. Also, they should be detected and cleaned if you run an on-demand scan with memory selected as target.

    Edit: it seems that the aforementioned rogue AV detected as Win32/Kryptik.BCQE is downloaded by Win32/Injector.AHNY besides other means, such as drive-by malware on compromised websites. That said, it's important to keep Java runtime up to date and ideally not allow it on newly visited websites.
    Last edited: Jun 4, 2013