
maintenancetool.exe deleted by Kaspersky Internet Security

Silistras
Sebiestor Tribe
Minmatar Republic
#1 - 2016-04-29 19:36:16 UTC
Today I got this message from Kaspersky Internet Security 2016 (KIS):

maintenancetool.exe;UDS:DangerousObject.Multi.Generic;unknown threat.

The file was deleted by KIS.

Someone else has similar problems?

CCP Snorlax
C C P
C C P Alliance
#2 - 2016-04-29 20:12:39 UTC
Silistras wrote:
Today I got this message from Kaspersky Internet Security 2016 (KIS):

maintenancetool.exe;UDS:DangerousObject.Multi.Generic;unknown threat.

The file was deleted by KIS.

Someone else has similar problems?


We're investigating this and hope to have a process in place to catch false positives ourselves soon.

CCP Snorlax - Software Architect - Team RnB - @CCP_Snorlax - http://ccpsnorlax.blogspot.is/

Syrren
Zilla Inc.
#3 - 2016-05-01 18:35:27 UTC
Almost the same problem here. Also using KIS 2016.

01.05.2016 20.18.10
Gefundenes Objekt (Datei) wurde nicht verarbeitet.
...\EVE\Launcher\maintenancetool.exe;Trojan.MSIL.CoinStealer.hg
Trojanisches Programm

I'd like to know what you programmed to get a false positive on this one oO
Nike Andedare
Diamond Command
#4 - 2016-05-02 21:32:49 UTC
Logged in to see if anyone else had similar

Posting to say I'm in the same boat; Kaspersky removed said Trojan from maintenance tool exe, etc.

Have a great day CCP Snorlax!
Darius Shakor
Second Shakor Clan
#5 - 2016-05-03 09:34:04 UTC
Had this same issue today and I am not convinced it is a 'false positive' here. Specifically Kaspersky identified the malware type to be trojan.MSIL.CoinStealer.hb. That is a very specific identification for a false positive.

Also I was not running EVE or the launcher itself at this time. My laptop was only powered on for less than 15 mins when Kaspersky detected this.

I want to make it clear, too, that I do not have scheduled security scans running. I do however have active protection running which checks files as they are opened and run. Meaning this was found when a check on the file was triggered. And I did not run anything EVE related meaning this file ran itself. Which it should not be doing from what I can see. So yes, you might want to look deeper into this because that does not indicate a false positive to me, it indicates a program running on my PC without my permission and it is embedded in your maintenancetool.exe program.

Please take this seriously, CCP.

Darius Shakor - Kacha

Vandeamon Writing Project - EVE Works

Solar Chase
Perkone
Caldari State
#6 - 2016-05-03 14:00:02 UTC
Same here. Hope to get an informative comment from CCP on what has caused this and how to proceed with the file.
Starain
SoT
DarkSide.
#7 - 2016-05-03 14:55:15 UTC
Same thing. At first I thought that it was something in my system, but then I found this topic
http://i.imgur.com/Ot2JlVs.png
https://www.virustotal.com/ru/file/e8816746f35fa53e8a34db6bcefcda8c1e9053bc15adb309aa69d59713355f0e/analysis/1462286843/

Kaspersky says it's Trojan.MSIL.CoinStealer.hb

virustotal info:
Nuhvok
University of Caille
Gallente Federation
#8 - 2016-05-03 20:19:40 UTC
My KIS just flagged this too, active protection caught this as windows loaded.

03.05.2016 21.14.00
Detected object (file) was deleted.
C:\EVE\Launcher\maintenancetool.exe
File: C:\EVE\Launcher\maintenancetool.exe
Object name: Trojan.MSIL.CoinStealer.hg
Object type: Trojan program
Time: 03/05/2016 21:14


Kate Katsumi
Deep Core Mining Inc.
Caldari State
#9 - 2016-05-04 09:52:04 UTC
04.05.2016 12.45.27;
Обнаруженный объект (файл) будет обработан после перезагрузки компьютера.;
disk:\EVE\maintenancetool.exe;
disk:\EVE\maintenancetool.exe;
Trojan.MSIL.CoinStealer.hb;
Троянская программа;
05/04/2016 12:45:27
HellGate fr
#10 - 2016-05-04 17:46:09 UTC
It will delete your boot.ini
Sarmatiko
#11 - 2016-05-07 15:56:16 UTC  |  Edited by: Sarmatiko
Darius Shakor wrote:
Had this same issue today and I am not convinced it is a 'false positive' here. Specifically Kaspersky identified the malware type to be trojan.MSIL.CoinStealer.hb. That is a very specific identification for a false positive.


If you upload an executable to VirusTotal and it shows something like 3/56 (and those "threats" are usually detected only by one product and rebranded derivatives on the same engine) - that IS a false positive, no need to overthink it.
As usual, the most dangerous thing in your PC is a paranoid antivirus that has to show you any results, even false ones. "Look user, I made up found some threats, please buy a license for another year".
Starain
SoT
DarkSide.
#12 - 2016-05-08 11:39:16 UTC  |  Edited by: Starain
I once uploaded a file to VirusTotal and it was like 3/47, and one of them was Dr.Web along with antiviruses that bark at everything, but after quite some time almost all antiviruses had marked it as a virus, as it really was. So, it's good to look at which dog is barking: if it's Norton/Kaspersky/Dr.Web, I'd listen to it and not to people suggesting "nah, just disable it for a while, it's okaaaay", and then I find some cool GPU bitcoin miners on their computers, with them saying things like "maan, I have to change my video card, can't play games, it's always 100% GPU loaded".