NOD32 false alarm! Win32/Kryptik.JX

Posted by The Patri0t 9 March, 2009 - 2,289 views

NOD32 went kahoots some time ago with me as soon as it updated to 3918. It detected some critical system files as Win32/Kryptik.JX, started deleting them and putting them in quarantine. I was under the impression that my system had been infected with the trojan, but after looking at the topics I am linking to below, it turned out to be a big blunder on NOD32’s part.

NOD32 was deleting very critical and required Windows files, and the Windows Files Security prompt popped up as well, telling me that some files had been overwritten or were missing and that they needed to be restored. Eset (the maker of NOD32) gave its take on all this, here for everyone to see:

a problem was found in the recent update of the advanced heuristics module which, in combination with the generic signature for Win32/Kryptik.JX caused certain system files to be flagged as infected. The problematic update was withdrawn from the update servers in 10 minutes after the release. Those who have come across this false positive can restore the original files from quarantine. A fix has already been issued - you can verify this by right-clicking the program tray icon and selecting About. The version of the Advanced heuristics module containing the fix is 1092.

I guess I was among the several other people whose NOD32 was updated within 10 minutes after the release of the update by NOD32. I think "several other people" will include pretty much everyone who was online at that time, since NOD32 updates automatically as soon as an update is available, provided you are online. So the lucky ones will be those who were offline during this blunder.

Well, if you fell victim to this, then just run the NOD32 update again and check that your Advanced heuristics module is version 1092: right-click the NOD32 icon in the tray and click About. It is the 4th entry in the list and should read “Advanced heuristics module: 1092 (20090309)”. Make sure it is 1092, then restore the Windows files either from Quarantine or by running the file recovery software, which I guess will pop up for you when NOD32 goes mad.

The topics I was talking about:
http://www.wilderssecurity.com/showthread.php?t=235509
http://www.wilderssecurity.com/showthread.php?t=235510
http://www.wilderssecurity.com/showthread.php?t=235513
http://www.wilderssecurity.com/showthread.php?t=235515

Eset’s clarification:
http://www.wilderssecurity.com/showpost.php?p=1419988&postcount=6

A serious blunder on Eset’s part. Home users I can imagine fixing this problem, but there are people managing company networks with hundreds of computers whose Windows files have most probably been deleted; fixing a problem like this on such a large scale is a pain…
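The post's recovery advice (restore quarantined files, then make sure nothing is still missing) and the closing point about doing that across hundreds of machines both come down to one question: which protected files on a given box are now absent or differ from a known-good copy? The script below is an added example, not code from the post or from Eset; it records SHA-256 hashes of a set of files from a reference machine into a manifest and then reports each file as ok, missing or modified. The demo builds a constructed fake system32 directory in a temp folder (file names borrowed from the comments; their contents are made up) and simulates the incident by deleting one file and replacing another with a stale copy. The manifest format and the function names are my own assumptions, not anything NOD32 or Windows provides.

```python
"""Baseline manifest check for protected system files after an AV false-positive cleanup.

Added example (not from the original post). Run build_manifest() against a clean
reference machine before an incident, ship the JSON to affected hosts, and run
check_manifest() there to list what still needs restoring.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, relpaths):
    """Map each relative path under root to its known-good SHA-256 (reference machine)."""
    root = Path(root)
    return {rel: sha256_file(root / rel) for rel in relpaths}


def check_manifest(root, manifest):
    """Compare the live tree against the manifest.

    Returns {relative_path: "ok" | "missing" | "modified"} so a fleet tool can
    aggregate per-host results instead of relying on Windows File Protection prompts.
    """
    root = Path(root)
    report = {}
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            report[rel] = "missing"       # e.g. deleted / moved to quarantine
        elif sha256_file(target) != expected:
            report[rel] = "modified"      # e.g. restored from a stale cache copy
        else:
            report[rel] = "ok"
    return report


def needs_restore(report):
    """Sorted list of files that are not in their known-good state."""
    return sorted(rel for rel, state in report.items() if state != "ok")


def demo():
    """Constructed scenario: fake system32 tree, baseline, then a simulated false-positive cleanup."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        # Constructed contents; only the file names echo the post's comments.
        files = {
            "system32/dllhost.exe": b"dllhost-original",
            "system32/msdtc.exe": b"msdtc-original",
            "system32/kernel32.dll": b"kernel32-original",
        }
        for rel, data in files.items():
            (root / rel).write_bytes(data)

        manifest = build_manifest(root, list(files))
        manifest_json = json.dumps(manifest, indent=2)   # what you would ship to other hosts

        # Simulate the incident: one file quarantined (gone), one replaced by a stale copy.
        (root / "system32/dllhost.exe").unlink()
        (root / "system32/msdtc.exe").write_bytes(b"msdtc-stale-copy")

        report = check_manifest(root, json.loads(manifest_json))
        return report


if __name__ == "__main__":
    result = demo()
    for rel, state in sorted(result.items()):
        print(f"{state:<9} {rel}")
    print("restore:", needs_restore(result))
```

On a real fleet you would generate the manifest once from a machine that was offline during the bad update (or from installation media), then run the check on each affected host after restoring from quarantine; anything still listed as missing or modified is a candidate for the Windows file-recovery prompt or sfc. Hash comparison is deliberately used instead of file size or timestamp, because a file put back from quarantine should be byte-identical to the original.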


Categories: Computers & Tech

Comments
March 9, 2009

I’m working as a sysadmin… and this morning I thought I’d get a heart attack: my mailbox was full of mails from the Eset Remote Administrator telling me that my domain server was full of this crap. Thanks for the links, my day will be better :)

Posted by AstroMan
March 9, 2009

Darn it, it looks like it’s too late for me. I already rebooted my machine and all of the false positives have been removed from my Quarantine folder.

I hope that I don’t have to reinstall Windows because of this…

Posted by coolgeorge423
March 9, 2009

You are welcome AstroMan

@coolgeorge423: Thanks for your comment. Hopefully you will not have to reinstall Windows.

Posted by The Patri0t
March 9, 2009

Thanks for this article; after a couple of hours of hunting on Google and only seeing minor rumblings, this popped up and confirmed what I feared. Thankfully only about 5% of my enterprise got whacked… we shut them all down. Now to see how we can bring them up nicely and recover the files…

Posted by Keith
March 9, 2009

I had the same problem this morning. I had NOD32 put these files in quarantine, but Windows started complaining. I used a system restore point to restore everything. NOD32 updated after the restore and stopped complaining.

Posted by Patrick
March 9, 2009

Never mind about that. I rebooted my machine directly into the limited account I always use. For some reason I didn’t see these files in the Quarantine until I logged in as an admin. So I just restored the files back to their original locations. Lucky for me, only dllhost, msdtc and the other two tmp files were quarantined. It’s a bummer for the other people who have to restore the other numerous system files labeled as false positives. :/

I didn’t notice anything wrong when I rebooted, so I’m assuming that the files quarantined are not critical files necessary to start Windows. This happened to me on Windows XP MCE 2002 SP3.

Posted by coolgeorge423
March 9, 2009

@coolgeorge423:

Put in the CD of the installed OS and run the following command:

sfc /scannow

Posted by Einy