Update 3918 False Positive Win32/Kriptik.JX trojan

We're getting msdtc.exe and winlogon.exe being deleted and quarantined on ALL of our systems after the 3918 update. This is a HUGE problem and obviously a false positive. WTF!! ESET.... come on.. We're going to walk into a debacle on Monday morning with all these files being deleted and/or quarantined.

 

Roger. Also in dllhost.exe.

I take the sudden increase people viewing this forum as a sign that we're not alone.

 

Hello,

Yes! We are seeing the same issue... We are seeing this as a major outbreak(false alert?).. Likely due to updates as you have outlined..



S.

 

any updates on this issue? What will be the cause if this issue is not resolved?

 

I noticed the same items being detected on my machine, so I ran a scan and it came up with a bunch of other items which I don't feel are actually malicious... See pic below.

http://img258.imageshack.us/my.php?image=esetresults.jpg

 

Hello,
a problem was found in the recent update of the advanced heuristics module which, in combination with the generic signature for Win32/Kryptik.JX caused certain system files to be flagged as infected. The problematic update was withdrawn from the update servers in 10 minutes after the release. Those who have come across this false positive can restore the original files from quarantine. A fix has already been issued - you can verify this by right-clicking the program tray icon and selecting About. The version of the Advanced heuristics module containing the fix is 1092 for v3/v4 users and 1091 for v2 users.

Update: a newer update is being released which will restore false positives from quarantine to their original locations without user intervention. V2 users will either need to restore the affected files from quarantine manually or wait for a tool that can be used in a network environment.

 

hi,

what do we need to do now, is there a new update that will be release? when will this be release?
In a corporate environment 100+pcs will be affected by this so we need to go to each pc to click the quarantine and restore it or is there any simple way?

 

Marcos. Is it possible to push this kind of fix out across the network? We are on a domain, and also use the NOD32 Administrator Console.

 

The updated advanced heuristics module is distributed the way virus signature databases are so all clients should receive it automatically.

 

Marcos,

Going to every PC in the Enterprise and restoring the affected files is less than an optimal solution. Is there any way to affect the changes via the Remote Admin Console?? or is there another solution?

Any help on this would be greatly appreciated. It's going to be a very tense Monday morning.

Roger

 

Is it possible to RESTORE THE ORIGINAL FILES FROM QUARANTINE in a batch method?

We have 250 workstation across more than a dozen sites who have picked up the False Positive. Walking around to 'fix' this is not an option.

The ESET NOD32 AV (ecls) command line parameters to not appear to have a function to restore from quarantine. Is there another option?

Again. We're in a domain environment, and utilize the NOD 32 Administration Console. Is there any possible way to restore these files from Quarantine across the environment?

 

shall the updated modules also automatically restore those deleted files as well? what happens if those computers reboot afterwards while those system files are still quarantined?

 

I got caught by this, dllhost.exe and mstdc.exe were quarantined, then Dllhost.exe and mstdc.exe.new so it behaved like a virus but it could have been windows file protection kicking in.?

 

Eset you must do something about it! Please release a update to restore the files. I have many clients in different locations and this is a real problem for me! I have restored the files manually in one location but this a real mess.

 

our support staff is reporting that those quarantined system files can no longer be found in both the system32 and the quarantine folder.

where could they be? how do we restore those files?

 

unfortunately, it does not work yet?

I saw the alert on a customer's server this morning, I did not trust the alert and checked it out here.
Happy to see this being communicated so quickly.
You wrote that adv. heuristics need to update to 1092 (20090309) by regular update.
I did a manual update, but after updating (9.15 UTC+1) The server modules are still at:

NOD32 antivirus system information
Virus signature database version: 3918 (20090309)
Dated: maandag 9 maart 2009
Virus signature database build: 15296

Information on other scanner support parts
Advanced heuristics module version: 1091 (20090309)
Advanced heuristics module build: 1200
Internet filter version: 1.002 (2004070
Internet filter build: 1013
Archive support module version: 1082 (20090213)
Archive support module build version: 1224

Information about installed components
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Administrative tools
Version: 2.71.9
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
Version: 2.71.9
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
Version: 2.71.9
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - XMON
Version: 2.71.9

Operating system information
Platform: Microsoft Windows Server 2003
Version: 5.2.3790 Service Pack 2
Version of common control components: 5.82.3790
RAM: 2047 MB
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz (2593 MHz)​

What can i do else to handle this issue best?

Greetings from Holland

UPDATE 9.35 UTC+1:

Did a new update:
defs now on 3919, but adv. heurisics still on 1091:

NOD32 antivirus system information
Virus signature database version: 3919 (20090309)
Dated: maandag 9 maart 2009
Virus signature database build: 15299

Information on other scanner support parts
Advanced heuristics module version: 1091 (20090309)
Advanced heuristics module build: 1200
Internet filter version: 1.002 (2004070
Internet filter build: 1013
Archive support module version: 1082 (20090213)
Archive support module build version: 1224

Information about installed components
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Administrative tools
Version: 2.71.9
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
Version: 2.71.9
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
Version: 2.71.9
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - XMON
Version: 2.71.9

Operating system information
Platform: Microsoft Windows Server 2003
Version: 5.2.3790 Service Pack 2
Version of common control components: 5.82.3790
RAM: 2047 MB
Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz (2593 MHz)

 

Is there any better way besides going computer to computer to reverse this catastrophe?

 

My modules updated to 1092 and just now sig has been updated to 3919. All fixed and files restored. There are also dllhost.exe and msdtc.exe in dllcache on XP so Windows should automatically restore these files.

 

Ok i've seen this asked alot but all the ESET team seem to be avoiding the question..... How do you fix this across 100+ clients without restoring the quarantined files manually on each machine

Your 'fix' may be all well and good for the home user but how about providing details on what the corporate customers should do to our larger computer estates as no disrespect towards home users but ESET are actually costing our companies money sorting this mess out!

It's one thing to make an almighty screw up like this but it's how you deal with the aftermath & your users that shows how good a company you are.

 

This affected about 7 servers on clients networks.
There is an option, pressing F5 in EAV Business v3, advanced configuration > tools > quarantene to recheck quarantined files after update but this seems dont work.
At this time the only possible solution seems to manually restore single files from quarantine.
Really BAD.

 

When a solution is ready (within a couple of hours from now), V3 and V4 clients will restore these files from quarantine automatically.

We're also working on a stand-alone tool that will accomplish that in a network environment or which can be used by v2 users as well.

 

I hope that Eset will give us something for it, like additional month of subscription. Because i don't like to run and repair computers on monday morning and we actually pay for many licenses.

 

Marcos,

on earlier occasions (small local FP's) I saw that after applying the right updates, quarantined files were restored automatically.
Will this also happen with this FP? If so, this will definately be good news to admins with a FP-headache...

Greetings from Holland

FTR: at this time, I only saw kernel detections without auto-delete/quarantain, so I cannot reproduce it at this time

update:
Ok marcos, I did not see your latest comment until now...

 

While I think many will be flying off the handles and screaming about this being a huge screw up, I also think they should just switch to decaf.

That said, I must ask, after helping a friend "fix" his system after NOD32 just quarantined his systemfiles... How do we "update" to the newest Advanced Heuristics module.

Both our systems are saying Virus Signature 3918 and Advanced Heuristics module 1091, module build 1200. Manually updating says no updates are available.

His machine was "infected" but, mine, WinXp SP2, was not. Not even when I started copying the missing files to a rar to send him in case the quarantine restore didn't work, did it complain about my files. His machine is SP3. Both of us run the advanced heuristics. His is still saying it is infected after disabling the Advanced Heuristics option for now.

Edit: As I was about to hit post... I was just auto updated to 3919. But my module version is still 1091. I'm still not getting alerts, even with Adv. Heur turned back on. It has been fixed on my friend's machine as well.

NOD32 antivirus system information
Virus signature database version: 3918 (20090309)
Dated: Monday, March 09, 2009
Virus signature database build: 15296

Information on other scanner support parts
Advanced heuristics module version: 1091 (20090309)
Advanced heuristics module build: 1200
[noparse]Internet filter version: 1.002 (2004070[/noparse]
Internet filter build: 1013
Archive support module version: 1082 (20090213)
Archive support module build version: 1224

Information about installed components
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
Version: 2.70.39
NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
Version: 2.70.39
NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
Version: 2.70.39

Operating system information
Platform: Microsoft Windows XP
Version: 5.1.2600 Service Pack 2
Version of common control components: 5.82.2900
RAM: 2047 MB
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ (2611 MHz)

 

So I can goto sleep? There will be a fix within the next 4 hours (8am CST) that restores the system files?