Signature 3918 appears to be putting Windows files into quarantine

Discussion in 'ESET NOD32 Antivirus' started by BeanCounter, Mar 9, 2009.

Thread Status:
Not open for further replies.
  1. BeanCounter

    BeanCounter Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    66
    Location:
    Melbourne, Australia
    dllhost.exe and msdtc.exe were quarantined as soon as virus signatures updated to 3918. They are being seen as a variant of the Win32/Kryptik.JX trojan.

    I am not convinced that this is correct
     
  2. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    We've got the same problem. Entire Network!
     
  3. wingman ix

    wingman ix Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    4
    I can confirm that I had the same problem as well. Same files with same supposed trojan and immediately after the 3918 update.
     
  4. rdfye

    rdfye Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    8
    Location:
    Valencia, CA
    Obviously a false positive, and it is deleting and/or quarantining these files on all our systems as well.
     
  5. viruscraft

    viruscraft Registered Member

    Joined:
    Sep 22, 2007
    Posts:
    114
    It's absolutely a FP.
    Please fix it asap.
     
  6. kevinz

    kevinz Registered Member

    Joined:
    Jan 5, 2009
    Posts:
    16
    I was just putting together a zip to submit as a FP. Got the same results as OP on dllhost and a few others. Then ran a scan on system32 and whole bunch were marked.

    Part of log:
    3/9/2009 1:31:18 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\stimon.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:31:17 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\ping.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:43 AM Real-time file system protection file C:\windows\system32\com\SET533.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:36 AM Real-time file system protection file C:\windows\system32\SET4D5.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:26 AM Real-time file system protection file C:\windows\system32\SET4D4.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:21 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:20 AM Real-time file system protection file C:\windows\system32\SET49A.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:19 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:18 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:17 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:09 AM Real-time file system protection file C:\windows\system32\SET48B.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:15:00 AM Real-time file system protection file C:\windows\system32\SET488.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:14:44 AM Real-time file system protection file C:\windows\system32\SET2D8.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:04:46 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 1:04:43 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 12:55:33 AM Real-time file system protection file C:\windows\system32\SET5816.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 12:55:27 AM Real-time file system protection file C:\windows\system32\SET5815.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
    3/9/2009 12:55:26 AM Startup scanner file C:\WINDOWS\system32\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined
    3/9/2009 12:55:19 AM Startup scanner file C:\WINDOWS\system32\dllhost.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting
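    When a burst like the log above lands on an estate, the first triage questions are whether the detections cluster on Windows system files inside one update window, which of the hit files are still in quarantine (restorable) and which were only deleted (need SFC or install media), and which process wrote the files that kept re-triggering. The Python below is an added example, not code from this thread or from ESET: it parses lines in the shape kevinz posted (the first six sample lines are copied from his excerpt, the last one is constructed to show a hit that should not be treated as part of the wave), and the system-path test assumes a default C:\WINDOWS or C:\WINNT install. The threshold values, field names and verdict strings are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the ESET log excerpt posted above.
# Lines 1-6 are copied from the post; line 7 is made up (EXAMPLE\alice,
# Win32/Example.AB) to show a detection outside the Windows directory.
SAMPLE_LOG = r"""
3/9/2009 1:31:18 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\stimon.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:31:17 AM Real-time file system protection file C:\WINDOWS\system32\dllcache\ping.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:43 AM Real-time file system protection file C:\windows\system32\com\SET533.tmp a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 1:15:21 AM Real-time file system protection file C:\WINDOWS\system32\msdtc.exe.new a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe.
3/9/2009 12:55:26 AM Startup scanner file C:\WINDOWS\system32\msdtc.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting - quarantined
3/9/2009 12:55:19 AM Startup scanner file C:\WINDOWS\system32\dllhost.exe a variant of Win32/Kryptik.JX trojan cleaned by deleting
3/9/2009 2:10:05 AM Real-time file system protection file C:\Temp\downloads\setup_tool.exe a variant of Win32/Example.AB trojan cleaned by deleting - quarantined EXAMPLE\alice Event occurred on a new file created by the application: \??\C:\WINDOWS\explorer.exe.
"""

# One pattern for both scanner types; the "<user> Event occurred ... by the
# application: <writer>." tail is only present on real-time protection lines.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<scanner>Real-time file system protection|Startup scanner) file "
    r"(?P<path>\S+) a variant of (?P<threat>\S+(?: \S+)?) "
    r"(?P<action>cleaned by deleting(?: - quarantined)?)"
    r"(?: (?P<user>.+?) Event occurred on (?P<event>.+?) by the application: (?P<app>.+?)\.?)?$"
)


def parse_log(text):
    """Turn ESET-style detection lines into dicts; fail loudly on unknown shapes."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised log line: {line}")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
            "scanner": m.group("scanner"),
            "path": m.group("path"),
            "threat": m.group("threat"),
            # "cleaned by deleting" without "- quarantined" means no copy was kept
            "quarantined": m.group("action").endswith("quarantined"),
            "writer": m.group("app"),  # process that wrote the file, if logged
        })
    return events


def is_windows_system_path(path):
    # Assumption: default XP/Vista-era install locations; adjust for other %WINDIR%.
    return path.lower().startswith(("c:\\windows\\", "c:\\winnt\\"))


def triage(events, window_seconds=3600, min_files=3):
    """Group hits per threat name and flag bursts that only touch Windows files."""
    by_threat = defaultdict(list)
    for e in events:
        by_threat[e["threat"]].append(e)
    report = {}
    for threat, hits in by_threat.items():
        paths = {h["path"] for h in hits}
        system_paths = {p for p in paths if is_windows_system_path(p)}
        quarantined = {h["path"] for h in hits if h["quarantined"]}
        first = min(h["ts"] for h in hits)
        last = max(h["ts"] for h in hits)
        span = int((last - first).total_seconds())
        # Many distinct Windows binaries, nothing else, inside one update window:
        # a candidate signature false positive to confirm with the vendor.
        wave = len(paths) >= min_files and system_paths == paths and span <= window_seconds
        report[threat] = {
            "distinct_files": len(paths),
            "windows_system_files": len(system_paths),
            "span_seconds": span,
            "writers": sorted({h["writer"] for h in hits if h["writer"]}),
            "restorable_from_quarantine": sorted(quarantined),
            "deleted_not_quarantined": sorted(paths - quarantined),
            "verdict": "PROBABLE_FP_WAVE" if wave else "REVIEW_INDIVIDUALLY",
        }
    return report


if __name__ == "__main__":
    for threat, summary in triage(parse_log(SAMPLE_LOG)).items():
        print(threat)
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

    The "writers" field is the most useful output for this incident: every real-time hit in the posted excerpt was written by winlogon.exe, which on Windows XP hosts Windows File Protection, and the SETxxx.tmp and .exe.new files under system32 are consistent with WFP re-creating the quarantined binaries from dllcache and the scanner removing them again. The "deleted_not_quarantined" list (here dllhost.exe from the startup scanner) is the set that restoring from quarantine cannot bring back, which is the case for SFC /scannow or install media as the later posts describe.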
     
  7. wingman ix

    wingman ix Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    4
    This is probably a silly question, but assuming these files were deleted/quarantined, will this require that I reinstall Windows? :oops: At the moment, my computer seems fine, but I imagine those files were necessary files for Windows. Is there some way to retrieve those files without having to reinstall Windows?
     
  8. tsmith35

    tsmith35 Registered Member

    Joined:
    Jan 26, 2008
    Posts:
    7
    I'm getting ready to abandon the NOD32 ship and move on to Avira, Kaspersky, or any other competent AV. This is the 2nd time that NOD32 has sunk my machine in a year. Last time was the total reinstall of Adobe Acrobat after NOD32 decided it was a huge virus. This is stupid. Apparently the folks at Eset don't test any of these updates.
     
  9. artsky

    artsky Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    35
    My goodness!!! What's up, NOD32? Got the same results as well. Please fix this asap!
     
  10. Jimbo14

    Jimbo14 Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    1
    Same for me. I watched the signature file getting updated to 3918 a short while ago, followed immediately by four quarantine warnings - msdtc.exe and dllhost.exe from the windows\system32 folder, plus two tmp files from the same folder with file sizes matching the two executables.

    The msdtc.exe file is associated with the Microsoft Distributed Transaction Coordinator service, while HiJackThis indicated that the dllhost.exe file was associated with MS Software Shadow Copy Provider.

    The files can be restored from quarantine if necessary to keep your system running, but I guess that until the signature file is corrected as well you'd have to disable NOD32.

    Jim.
     
  11. JAB

    JAB Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    36
    Anyone know how to do a pattern rollback using Remote Administrator? We've got the same problem.
     
  12. kevinz

    kevinz Registered Member

    Joined:
    Jan 5, 2009
    Posts:
    16
    How are files from windows not tested in updates? I tend to be fairly forgiving when random mistakes happen but come on. This isn't some odd program FP.

    License is up next month. This may have been too much to pay more.
     
  13. mickhardy

    mickhardy Registered Member

    Joined:
    May 16, 2005
    Posts:
    140
    Location:
    Australia
    Crippled our network. By the time I rolled out a System32 exclusion, all machines had updated to 3918 and I'd received 4882 virus emails. Great fun for a Monday!
     
  14. artsky

    artsky Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    35
    not good at all :(
     
  15. haerdalis

    haerdalis Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    74
    It happened to me too.. Annoying.
    ShadowProtect was the knight in shining armor on this occasion..
     
  16. Morandor

    Morandor Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    1
    I've also had actmovie.exe, nddeapir.exe, mqsvc.exe, dmremote.exe, stimon.exe, and progman.exe quarantined after this update, including the 2 mentioned, msdtc.exe and dllhost.exe. All with the Kryptik.JX trojan as the reason.
     
  17. wingman ix

    wingman ix Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    4
    Like Jimbo, I also had 2 tmp files show up and get quarantined/deleted; not sure if those were critical files too.
     
  18. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hello,

    I've got the same problem on my laptop running Windows Vista Business 32-bit, Core 2 Duo 2.20GHz, 2GB RAM, 120 GB hard disk and NOD32 v.4 and ZAP 8.0.298

    NOD32 v.4 just flagged some Windows files as viruses/trojans and deleted them, and now my laptop has problems logging into Windows in normal mode. Had to boot into safe mode and take the files out of quarantine to be able to heal Windows.

    This is a real mess. I hope ESET comes up with a solution very quickly or I will have to look for something else to protect my laptop.

    Regards,

    Carlos
     
  19. BeanCounter

    BeanCounter Registered Member

    Joined:
    Apr 8, 2006
    Posts:
    66
    Location:
    Melbourne, Australia
    I just tried a manual update and got a "program modules have been updated event". I then restored the files from quarantine and it would appear that the program modules update has fixed the FP detection.
     
  20. stratoc

    stratoc Guest

  21. tsmith35

    tsmith35 Registered Member

    Joined:
    Jan 26, 2008
    Posts:
    7
    I'm running SFC /scannow on my computer now. THANK GOD THAT NOD32 ISN'T ON MY CONTROL SYSTEM PCs!!!!! If it was, I'd be at work right now fixing the problem on 30+ computers.

    NOD32 absolutely s***s with respect to testing updates. The quarantining of fully valid Windows XP files is an indication of Eset's gross incompetence.
     
  22. rdfye

    rdfye Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    8
    Location:
    Valencia, CA
    I put in a case to ESET on this earlier and they are aware and have stopped the update however this is little help for all of us that already got the update. Just wanted to let everyone know that ESET is aware.
     
  23. CEllsworth

    CEllsworth Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    7
    What's the best way to solve this across a domain? I've got 250 machines in this situation, on a domain, managed NOD32.

    I don't see any easy way to tell the bulk of them to restore the file from quarantine. Is the problem isolated to %WINDIR%?

    Exclude that dir + SFC /scannow across the whole domain?
     
  24. xMarkx

    xMarkx Registered Member

    Joined:
    Dec 1, 2008
    Posts:
    447
    Hello,

    After my ESET NOD32 Antivirus updated to 3818, it picked up the exact same thing that your NOD32 did. msdtc.exe, dllhost.exe from the SYSTEM32 folder and two tmp files as well.

    The two .exe files (msdtc.exe and dllhost.exe) are important files for Windows. What will happen if I try to reboot my computer? Should I restore them or what?

    I'm afraid to turn off my computer now as maybe these 2 important windows files that were deleted could prevent boot up?
     
  25. tsmith35

    tsmith35 Registered Member

    Joined:
    Jan 26, 2008
    Posts:
    7
    I restored the Windows files from quarantine and ran System File Checker on my PC. Was able to reboot fine.

    My NOD32 license expires in a few days. I won't be renewing.
     