Marcos

Administrators
  • Posts: 37,874
  • Days Won: 1,502

Everything posted by Marcos

  1. We'll be adding detections for new Koreplug variants in update 8692. When available, update the signature database and run a full disk scan. Should it still be detected only in memory, I'll check your SysInspector log for suspicious files.
  2. Please create a SysInspector log as per the instructions here and send it to me as an attachment to a private message.
  3. It seems a reply was sent to you that the domain was removed from blacklist.
  4. The best course of action would be to log file operations during a backup using Process Monitor and to supply Customer care with the log created as well as with a SysInspector log for perusal. It will be enough to leave Process Monitor logging operations only for about a minute. When you have the logs ready, you can upload them to a safe location and PM me the download link or contact Customer care.
  5. Please post a complete record related to the detection from your threat log. The record should look as follows: 18. 7. 2013 13:59:44 Real-time file system protection file D:\test\kogabontusiq.exe a variant of Win32/Kryptik.BFXC trojan cleaned by deleting - quarantined domain\admin Event occurred during an attempt to access the file by the application:
  6. The log reads "Error 5001. The computer has not been restarted after a program uninstallation. Please restart the computer and run the installer again." So please restart the computer and create a new set of logs.
  7. Check your PM, I've sent you instructions on how to fix the issue.
  8. Please check if the issue with CPU spiking goes away after disabling real-time protection. If so, capture all file operations using Process Monitor while reproducing the issue. When done, compress the log along with a current SysInspector log into an archive, upload it to a safe location and PM me the download link.
  9. Does unticking "Epfw NDIS Lightweight Filter" in your local area connection properties make a difference then?
  10. Does this happen regardless of what browser you use? It sounds more like a browser issue than an actual threat symptom.
  11. Try disabling each of the protection modules in the following order, one at a time, to see if it makes a difference:
      - disable web protection
      - disable protocol filtering in the advanced setup
      - change firewall integration to "Personal firewall is completely disabled" and restart the computer
      - disable Parental control
      - disable HIPS and restart the computer
  12. We've found out that the recent Internet protection module 1073 might have caused ekrn crashes on systems powered by CPUs from 2001 and older (2004 and older for AMD CPUs). Updating to the latest version of Internet protection module 1076 should solve the issue.
  13. I confirm that the detection is correct; it's not a false positive. If the above-mentioned detection is triggered, the website was compromised and a malicious JavaScript is injected into the web page.
  14. A list of updates with signatures added is available at hxxp://www.virusradar.com.
  15. Yes, because EMS v2 has been released just recently and this is actually just a newly discovered issue stemming from the design of Android 4.3. We plan to address it in future builds of EMS v2.
  16. If possible, please answer the following questions:
      - What type of Internet connection do you use? (3G, Wi-Fi, ...)
      - Are you able to open websites in a browser when experiencing the issue?
      - Does changing the type of connection make a difference?
      - Does uninstalling EMS v1 and installing EMS v2 make a difference?
  17. Is there a message displayed on your screen when you tap "Update Threat Database" or simply nothing happens at all?
  18. Has the client actually connected to ERAS to download the list of tasks? Try temporarily setting the interval for connecting to ERAS to 0 on a client and see if the task is downloaded and started.
  19. Tested with Kaspersky, Antivir, Avast, it was possible to kill all 3 via the Task manager. As I wrote, it's a system problem of Android on Samsung mobile phones.
  20. I wonder if you browse websites that you need to keep http checking enabled on the server. It's always been disabled by default on servers as it may cause issues, for instance, due to bugs in Windows Filtering Platform. Do you have SSL scanning disabled?
  21. If the new server has the name preserved, I presume that copying the folder C:\Documents and Settings\All users\ESET\ESET Remote Administrator\Server from the old disk to C:\ProgramData\ESET\ESET Remote Administrator\Server on Win2008R2 would suffice.
  22. You can report phishing sites via the built-in form after selecting "Suspicious site" from the drop-down menu.
  23. Are you able to modify all other settings? If so, try to reproduce the issue while logging all operations and events using Process Monitor. When done, save the log, compress it, upload it to a safe location and PM me the download link.
  24. Not necessarily. Please create a SysInspector log as per the instructions here and submit it to ESET along with a link to this thread as described here.