Win32/Kryptik.X

Discussion in 'ESET NOD32 Antivirus' started by ExpertNovice, Jan 24, 2012.

Thread Status:
Not open for further replies.
  1. ExpertNovice

    ExpertNovice Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    4
    Location:
    U.S. of A.
    How can I tell if the Win32/Kryptik.X$$ trojans are real or false positives? The files have been submitted for analysis but, having never received feedback on submitted files, I expect no reply this time.

    System Configuration
    XP SP3
    IE 8.0.6
    Sandboxie 3.60
    ESET NOD32 Antivirus 4.2.67.10
    Virus Signature 6824, (2012-01-24)
    Online Armor version Premium Edition 5.1.1.1395 (last update 1-23-2012 20:56)
    Webroot Spy Sweeper Version 6.1.0.157
    Just recently changed to Wireless (WPA2) but I still use wired for banking.



    Object Name:
    c:\system volume information\_restore{insert machine guid here}\#######.exe
    ###### is A0227232, A0227235, A0227234, A0227233, A0227051, A0138243, etc.

    Reason for quarantine:
    a variant of Win32/Kryptik.$$$ trojan
    $$ is XOZ, XKX, XMU, XNU, XHA, etc.


    Since December Eset has a date of 12/13/2011, 12/14, 12/19, 12/19, 12/19, and 1/19.

    For the record, since 1981 I have had one known virus on my system and that prompted me to install Eset, OA, Webroot anti-spyware, and SandBoxie. Prior to that I rarely used any protection. Trust me when I say I don't go to websites that don't appear "right."

    I notice there were false positives for Win32/Kryptik.JX in January 2011. I also notice there is an "E-Set Antivirus 2011" rogue. My ESET NOD32 Antivirus 4 reads "ESET NOD32 Antivirus".

    Any suggestions?


    PS: Long wanted clarification.
    The question; "How do I delete a quarantined file in my ESET security product?" is often asked. The answer is usually "Right-click the desired file and click Delete from Quarantine."

    However, I want to delete Quarantined files from my computer, not just from Quarantine. Suggestions?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I, for one, haven't heard about a Kryptik false positive for a very long time and I'm in touch with the virus lab every day. Also the fact that several Kryptiks were found indicates that it should not be FP.
    As for deleting files from quarantine, this is not necessary as quarantined files are stored in an encrypted form. If you want to delete them permanently anyway, select them in the quarantine pane and select "Delete from quarantine" from the right-click context menu.
     
  3. ExpertNovice

    ExpertNovice Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    4
    Location:
    U.S. of A.
    Thanks for the response and the confirmation that removing from quarantine removes it from the HDD. I thought it might but really, really hate assuming.

    Any suggestions on how to track down the trojan creator? No one uses this computer but me. So, I must be doing something really wrong.


    The false positives that I read about were documented at:
    http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1327472028267

    and, while not the same issue,
    http://kb.eset.com/esetkb/index?pag...earch&viewlocale=en_US&searchid=1327472028267
     
  4. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    It looks like the detections were in the directory used by Microsoft Windows' System Restore functionality, is there anything in ESET NOD32 Antivirus' log files which shows the infections being detected in other locations on the computer?

    Regards,

    Aryeh Goretsky
     
  5. ExpertNovice

    ExpertNovice Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    4
    Location:
    U.S. of A.
    No.

    A system restore point was just created. Several scans were run of c:\System Volume Information. Nothing was found. Every file was logged on the last scan and there were many files with names similar to the reported Win32/Kryptik trojans in folders of similar names. (Folder RP1###, and file names A#######.exe)

    Of the 9 quarantined files in the C drive restore folder 2 are adware. All 7 "variant of the Win32/Kryptik.o_O trojan" files are in the C drive restore folder. They are dated 2011-12-08, 12-13, 12-14, 12-19 (3, all about one hour apart), and 1/19/2012.

    Since 2009-06-28 27 files have been quarantined. I have found proof that 5 from a VBA handbook were false positives. Most of the others are adware, potentially unwanted apps, and trojans... I really don't like the latter.

    Daily scans run since 1-24 have turned up nothing.

    (Edited to add the first full paragraph.)
     
    Last edited: Jan 26, 2012
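The exchange in posts 4 and 5 comes down to one triage check: of all the detections logged, do any sit outside the System Restore folders (which only hold copies of files that once existed elsewhere), or are they all restore-point copies? The following Python is an illustration added here; it is not part of the thread and not ESET's tooling. It parses a handful of constructed entries in a semicolon-separated shape loosely modelled on a detected-threats log (the real export layout is not shown on this page, so the field order, the paths, the dates and the GUID placeholder are all assumptions) and separates restore-point copies, grouped by RP folder, from detections on the live file system.

```python
import re
from collections import defaultdict

# Constructed sample entries (time;object;threat;action). Paths, dates and
# the GUID placeholder are made up for this example; only the naming pattern
# of restore-point copies (RP### folders, A#######.exe files) follows the
# thread. The last two lines are constructed to show the "elsewhere" case.
SAMPLE_LOG = r"""
2011-12-13 10:02:11;c:\system volume information\_restore{GUID-PLACEHOLDER}\RP1101\A0138243.exe;a variant of Win32/Kryptik.XOZ trojan;quarantined
2011-12-19 09:15:40;c:\system volume information\_restore{GUID-PLACEHOLDER}\RP1107\A0227232.exe;a variant of Win32/Kryptik.XKX trojan;quarantined
2011-12-19 10:20:03;c:\system volume information\_restore{GUID-PLACEHOLDER}\RP1107\A0227233.exe;a variant of Win32/Kryptik.XMU trojan;quarantined
2012-01-19 18:44:27;c:\system volume information\_restore{GUID-PLACEHOLDER}\RP1120\A0227235.exe;a variant of Win32/Kryptik.XNU trojan;quarantined
2012-01-19 18:50:12;c:\documents and settings\user\local settings\temp\setup_tmp.exe;a variant of Win32/Kryptik.XHA trojan;quarantined
2012-01-20 08:01:55;c:\program files\someapp\toolbar.dll;Win32/Adware.Example application;quarantined
"""

# A System Restore copy lives under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<digits>.<ext>
RESTORE_COPY = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[^}]*\}\\(rp\d+)\\a\d+\.[a-z0-9]+$",
    re.IGNORECASE,
)


def parse_log(text):
    """Split semicolon-separated log lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split(";")
        if len(parts) != 4:
            continue
        when, obj, threat, action = (p.strip() for p in parts)
        records.append({"when": when, "object": obj, "threat": threat, "action": action})
    return records


def is_restore_point_copy(path):
    """True when the detected object is a System Restore copy, not a live file."""
    return RESTORE_COPY.match(path) is not None


def triage(records):
    """Separate detections inside restore points from those elsewhere.

    Returns (by_rp, live): by_rp maps an RP folder name to its records; live
    lists detections outside System Restore, which are the ones that show
    something was present on the running system rather than only archived.
    """
    by_rp = defaultdict(list)
    live = []
    for rec in records:
        m = RESTORE_COPY.match(rec["object"])
        if m:
            by_rp[m.group(1).upper()].append(rec)
        else:
            live.append(rec)
    return dict(by_rp), live


def is_kryptik(record):
    """Kryptik is ESET's generic name for packed/obfuscated samples."""
    return "Win32/Kryptik." in record["threat"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    by_rp, live = triage(recs)
    print(f"{len(recs)} detections parsed")
    for rp, hits in sorted(by_rp.items()):
        kryptik = sum(is_kryptik(h) for h in hits)
        print(f"  {rp}: {len(hits)} restore-point copies ({kryptik} Kryptik)")
    print(f"  outside System Restore: {len(live)}")
    for rec in live:
        print(f"    {rec['when']}  {rec['object']}  {rec['threat']}")
```

If every hit groups under an RP folder, as in the poster's case, the restore points are the only place the files survive and purging them is the remaining cleanup; any entry in the live list is the one worth investigating by path and timestamp. Running the block on the constructed sample prints three RP groups and two live detections.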
  6. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    It sounds like the system is clean. You could try creating an ESET SysRescue disc and booting the system off of that for a scan just to get a second opinion from a copy of ESET NOD32 Antivirus running under a different version of Windows than the one the hard disk drive boots off of, but other than that, I don't think any further action is required on your part.

    Regards,

    Aryeh Goretsky
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Perhaps this is your issue. For the record, an infected system restore archive is an infected archive and should not be used to retrieve any previous settings.

    During a disinfection process, you would be asked to purge your system restore archive.

    The ESET Rogue was Blogged here and here
     
    Last edited: Jan 27, 2012
  8. ExpertNovice

    ExpertNovice Registered Member

    Joined:
    Jan 24, 2012
    Posts:
    4
    Location:
    U.S. of A.
    agoretsky, I will try creating the rescue disk and running another scan. (I get such a warm feeling of comfort from Microsoft. With Win XP SP3 installed I'm taken to the Vista SP1 and Windows Server 2008 download page for AIK. :p)

    Trojans scare me. So when one seems to be replicating itself that, to me, suggests it exists on my system in one of the password protected files or files in use that Eset can't test. Hopefully, the rescue disk will circumvent that issue. I will probably delete the password protected files since they seem to be programs downloaded for installation from Adobe, etc.



    siljaline, I made note of one of those threads. My Eset has the proper name of "ESET NOD32 Antivirus." (Thanks for responding)
     
    Last edited: Jan 27, 2012
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You're quite welcome - stand by for further assistance from ESET.

     
  10. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello,

    ESET SysRescue will prompt for the best version of WAIK to use. As I understand it, the version deployed in the Windows Vista/Server 2008 timeframe is the most compatible one in terms of Microsoft operating systems (Windows 2000 through Windows 7) so it is the best one to use.

    Regards,

    Aryeh Goretsky
     