NOD32 false alarm! Win32/Kryptik.JX
Latest update: Scroll below
NOD32 went haywire on me a while ago as soon as it updated to 3918. It detected some critical system files as Win32/Kryptik.JX and started deleting them and putting them in quarantine. I was under the impression that my system had been infected with the trojan, but after reading the topics I link to below, it turned out to be a big blunder on NOD32’s part.
NOD32 was deleting very critical, required Windows files, and a Windows File Protection prompt popped up as well, telling me that some files had been overwritten or were missing and needed to be restored. Eset, the maker of NOD32, gave its take on all this here for everyone to see:
a problem was found in the recent update of the advanced heuristics module which, in combination with the generic signature for Win32/Kryptik.JX, caused certain system files to be flagged as infected. The problematic update was withdrawn from the update servers within 10 minutes of the release. Those who have come across this false positive can restore the original files from quarantine. A fix has already been issued – you can verify this by right-clicking the program tray icon and selecting About. The version of the Advanced heuristics module containing the fix is 1092.
I guess I was one of the many people whose NOD32 updated within those 10 minutes. “Many” probably means pretty much everyone who was online at that time, since NOD32 updates automatically as soon as an update is available, provided you are online. The lucky ones are those who were offline during this blunder.
If you fell victim to this, run the NOD32 update again and check that the Advanced heuristics module is at 1092: right-click the NOD32 icon in the tray and click About. It is 4th in the list and should read “Advanced heuristics module: 1092 (20090309)”. Once it reads 1092, restore the Windows files from Quarantine, or use the file recovery prompt, which I guess Windows File Protection pops up when NOD32 goes mad.
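Before restoring or deleting a system file that NOD32 has flagged, it is worth confirming whether the file is a genuine Microsoft binary rather than trusting the scanner alone. The following PowerShell snippet is an added example and is not part of the original post or anything Eset shipped; it checks the Authenticode signature of the files a commenter below reported quarantined (dllhost.exe and msdtc.exe are taken from that comment, the rest of the list is an assumption you should replace with whatever NOD32 flagged on your machine) and reports files that are missing from system32 altogether.

```powershell
# Added example (not from the original post or from Eset): sanity-check files that
# NOD32 flagged as Win32/Kryptik.JX by looking at their Authenticode signature.
# dllhost.exe and msdtc.exe come from a reader's report below; the list is an
# assumption, so edit it to match the detections in your own Threat Log.
$names = @("dllhost.exe", "msdtc.exe")
$candidates = $names | ForEach-Object { Join-Path $env:SystemRoot ("system32\" + $_) }

foreach ($path in $candidates) {
    if (-not (Test-Path -Path $path)) {
        # Not on disk any more: NOD32 most likely quarantined or deleted it.
        # Restore it from Quarantine, or let Windows File Protection / sfc /scannow replace it.
        Write-Output ("{0} : MISSING (restore from quarantine or run sfc /scannow)" -f $path)
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(no embedded signature)" }

    # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, ... .
    # Valid + a Microsoft subject means the scanner's verdict is very likely a false positive.
    # HashMismatch on a file that should be signed is the one result that deserves real attention.
    Write-Output ("{0} : {1} : {2}" -f $path, $sig.Status, $signer)
}
```

One caveat: on XP-era systems many Windows binaries are signed through catalog files rather than carrying an embedded signature, so `NotSigned` here means "verify another way" (for example with `sfc /scannow`, or by comparing against a known-good machine), not "malicious". A `Valid` status with a Microsoft signer is strong evidence the detection was a false positive; `HashMismatch` is the only result that should worry you. For a fleet, the same loop can be wrapped in `Invoke-Command` against the affected hosts.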
The topics I was talking about:
http://www.wilderssecurity.com/showthread.php?t=235509
http://www.wilderssecurity.com/showthread.php?t=235510
http://www.wilderssecurity.com/showthread.php?t=235513
http://www.wilderssecurity.com/showthread.php?t=235515
Eset’s clarification:
http://www.wilderssecurity.com/showpost.php?p=1419988&postcount=6
A serious blunder on Eset’s part. Home users I can imagine fixing this problem, but there are people managing company networks with hundreds of computers whose Windows files have most probably been deleted; fixing a problem like this on such a large scale is a pain…
—
Latest update from Eset:
A fix has already been issued – you can verify this by right-clicking the program tray icon and selecting About. The version of the Advanced heuristics module containing the fix is 1092 for v3/v4 users and 1091 for v2 users.
Update: a newer update is being released which will restore false positives from quarantine to their original locations without user intervention. V2 users will either need to restore the affected files from quarantine manually or wait for a command tool that can be used in a network environment.
Good thing: restoration will be automatic for v3/v4 users; v2 users still have to restore from quarantine manually or wait for the command tool.
I’m working as a sysadmin… and this morning I thought I’d get a heart attack: my mailbox was full of mails from the Eset Remote Administrator telling me that my domain server was full of this crap. Thanks for the links, my day will be better :)
Darn it, it looks like it’s too late for me. I already rebooted my machine and all of the false positives have been removed from my Quarantine folder.
I hope that I don’t have to reinstall Windows because of this…
You are welcome AstroMan
@coolgeorge423: Thanks for your comment. Hopefully you will not have to reinstall Windows.
Thanks for this article, after a couple hours of hunting on Google and only seeing minor rumblings, this popped up and confirmed what I feared. Thankfully only about 5% of my enterprise got whacked…we shut them all down. Now to see how we can bring them up nicely and recover the files…
I had the same problem this morning. I had NOD32 put these files in quarantine. But windows started complaining. I used a system restore point to restore everything. NOD32 updated after the restore and stopped complaining.
Never mind about that. I rebooted my machine directly into the limited account I always use. For some reason I didn’t see these files in the Quarantine until I logged in as an admin. So I just restored the files back into their original locations. Lucky for me only dllhost, msdtc and the other two tmp files were quarantined. It’s a bummer for the other people who have to restore the other numerous system files labeled as false positives. :/
I didn’t notice anything wrong when I rebooted, so I’m assuming that the files quarantined are not critical files necessary to start Windows. This happened to me on Windows XP MCE 2002 SP3.
@coolgeorge423:
Insert the installation CD of your OS and run the following command:
sfc /scannow
SysAdmin here also. I am very happy this wasn’t the real deal. It was a good drill though. Damn near gave me a heart attack too.
I for one am extremely cranky with ESET for this blunder; it cost me and my team three and a half hours as well as two hours of lost productivity by our entire office. Firstly, because after telling us we had a trojan, we couldn’t find enough information online (and nothing on the local ESET NOD32 site) to verify or deny, so, trusting NOD32, we decided it was for real, and as more and more computers were being “infected” we took quick action to try to delete the infected files, as NOD32 for some reason, after telling us about the infection, failed to do it itself. Some hours later, with niggling doubt coming to the forefront again, as many PCs did not find a problem, more googling revealed that China had identified this problem. We all trust China, right? Virus central… Well, to be sure we looked up the files we were deleting and OMG, they are pretty darn important. We had been duped by ESET. Another hour or so later and everything was put back right after recovering some files from machines we hadn’t gotten to and/or restoring old files that had been renamed. And now, another hour later, finally some info not from China confirming the blunder. What are ESET going to do about formally apologising to businesses for loss of productivity due to necessary computer isolations for infection control? The first thing they should have done, whilst their techs were issuing the revised update, should have been to post a bulletin on all their website homepages.
Ahh I can sleep now after chasing this f****ing virus for hours =)
Seriously, I think IT staff have a higher risk of getting a stroke than other staff in the company.
thanks The Patri0t!!!!
This article was my first finding after coming into this problem this morning.
It sounds like I was hardly affected, because even my computers that did get this update have already restored the files that were moved to quarantine automatically..?
Follow up:
I believe my files were restored after the next update because I have the option “re-scan all quarantined files after update” enabled on all my machines across the network.
For those of us still running Version 2 of NOD32, the updated heuristics version is 1091, so says the link you posted above for “Eset’s clarification.”
I should have googled for nod32 kryptik.jx earlier. Oh well, at least I only got hit for a couple of DLLs.
Thanks for this page, knowing that it was a false alarm takes a load off my mind.
Thanks for replies everyone!
Hai-Peng, thanks! Updated now.
@Mark: Yeah, the newer update is restoring the false positives back by itself. Good thing by Eset.
–
The number of hits and comments shows that a lot of users were affected.
Thanks very much from a Home User here. I was online around 1 AM surfing the net when I received the virus definitions followed rather quickly by the “trojan warnings”. Thanks again!
I have been fighting this trojan dropper problem for a week; I fixed it Sunday evening. RA said no problems, so I went home. Started blowing up about midnight with emails from the RA about two of my servers. It only identified a file used for cluster service, so I was ok. I made EVERY user change their passwords this morning for no reason. That’s kinda payback for those “I don’t have an ‘any’ key” deals.
I lost three hours of my life/sleep to this last night, thinking that I got owned by a website I was on at the time. Time was wasted with repeated scanning in regular and safe modes, using three different software packages, then a windows repair install just to be safe, and reapplying all my windows patches, THEN fixing a driver problem caused by the repair.
This kept me up to 4am because I needed my computer functional for work in the morning.
I am very unhappy with eset on this one.
Thanks for this quick and accurate information. This morning I was working to finish a pressing Word document when Windows File Protection prompted me to insert my Windows disk. Needless to say, that was very strange and unexpected (at this point nothing yet visible from Nod32). Windows seemed satisfied and I continued work, but then Nod32 popped up with all the red warnings about Kryptik.JX… so I ran a quick scan of the system32 folder, finding about 20 “infections”. I am pretty vigilant about computer security, so I half expected this to be a false positive, but I was nervous for a while. I’m sure this event affected a lot of users.
After scanning last night, NOD32 said that I have 30 trojans, most or all with Kryptik.JX in the names. I did a system restore to last week. I don’t understand how I could have gotten all of those within a day; I don’t go on seriously dangerous websites. When I scanned after the system restore, it said there were no threats found, but all of those other ones still showed in the Threat Log. I’m so confused, I have no idea what to do. My friend is telling me to update my heuristic module to 1092 as well, but there’s no way to do it. Mine is at 1091 right now and I’ve looked everywhere. I have no idea how to update it to 1092. By the way, I have this trial version of it that lasts like 1000 years or something like that, but it still has the scanning and cleaning and everything. Can someone please help me? Please respond on here. Thanks.
Natalie,
It sounds to me like you might have an older version of Nod 32. (Current version is 3.0.669.0) What I first did regarding this false positive thing was to cross-check with another scanner to make sure. A good one is A-squared free: http://www.emsisoft.com/en/software/free/ which you can install and run without conflicts with Nod 32. If the scan comes up clean, the “Kryptik.JX” entries can all be restored from Nod 32’s quarantine. (This was a general mistake on their part).
Thank you for gathering this info – my heart stopped when I came into work this morning and saw that.