MajorGeeks Support Forums > Malware Removal

#1 hvdb (Private E-2), 03-15-12, 14:03
Infected with win32\Kryptic Trojan

Hello,

For the past week I seem to have had a problem with a trojan. My AVG scanner detected

infection: trojan horse SHeur4.TOJ
malware: win32\Kryptic.ACFL

today also

infection: trojan horse Generic27.ARSE
malware: win32\Kryptic.ABVZ

I followed the XP malware removal guide and here are the log files. The problem was not solved by running all these tools.

Could you help me?

Hvdb
Attached Files
File Type: txt combofixlog.txt (26.6 KB, 3 views)
File Type: txt mbam-log-2012-03-15 (19-01-29).txt (2.5 KB, 2 views)
File Type: txt RRlog1.txt (2.1 KB, 1 views)
File Type: log SUPERAntiSpyware Scan Log - 03-15-2012 - 18-24-08.log (715 Bytes, 0 views)

#2 hvdb (Private E-2), 03-15-12, 14:04
Re: Infected with win32\Kryptic Trojan

and final log
Attached Files
File Type: zip MGlogs.zip (187.2 KB, 4 views)

#3 chaslang (MajorGeeks Admin - Master Malware Expert), 03-15-12, 21:06
Re: Infected with win32\Kryptic Trojan

Welcome to Major Geeks!


Uninstall the below old versions of software:
Java(TM) 6 Update 29
Java(TM) SE Development Kit 6 Update 23

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::
File::
C:\Documents and Settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\securityhelper.exe
C:\Documents and Settings\Hans Vanderbeke\Bureaublad\Antivirus Protection 2012.lnk
C:\WINDOWS\system32\18295610941.dll
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\1iowieoo.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\ae0965a7157cd.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\cowceb.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\destroyer.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\fe.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\gpupz2a.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\hiphop.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\hodeme.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\hvipws9.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\jk****fu.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\jofcdks.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\kjh102k3.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\kn.a.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\lols.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\poertd.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\ppddfcfux.exxe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\protector2.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\qwedvor.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\safe.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\tryh-blv.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\wefgetn_00.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\wwautrsd.exe
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\_9C.tmp

Folder::
C:\Documents and Settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012

DirLook::
C:\Documents and Settings\Hans Vanderbeke\Application Data\Security

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Protection 2012 SH"=-
[HKEY_USERS\S-1-5-21-117609710-1220945662-682003330-1004\Software\Microsoft\Windows\CurrentVersion\run]
"Antivirus Protection 2012 SH"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."



#4 hvdb (Private E-2), 03-16-12, 13:54
Re: Infected with win32\Kryptic Trojan

Ok,

I followed all the steps and here are the log files. During combofix, I temporarily disabled AVG.

After running combofix, a reboot had to be done, and AVG starts with reboot. Immediately after reboot, AVG gave again the same error that win32/Kryptic was detected...

Seems not to be solved yet...
Attached Files
File Type: txt ComboFix.txt (28.6 KB, 2 views)
File Type: zip MGlogs.zip (191.5 KB, 1 views)

#5 hvdb (Private E-2), 03-16-12, 13:56
Re: Infected with win32\Kryptic Trojan

Also in the C:\WINDOWS\SYSTEM32\ directory there is again a new dll file:

C:\WINDOWS\system32\18444350041.dll

#6 hvdb (Private E-2), 03-16-12, 15:05
Re: Infected with win32\Kryptic Trojan

and got also attached error now from AVG...
Attached Images
File Type: jpg AVGerror.jpg (34.1 KB, 4 views)

#7 chaslang (MajorGeeks Admin - Master Malware Expert), 03-16-12, 22:42
Re: Infected with win32\Kryptic Trojan

As stated in the READ & RUN ME, you will have to uninstall AVG now to avoid having it get in our way. Once we have totally cleaned your PC, you will be able to reinstall it. So uninstall it now, while I look thru your new logs.

#8 chaslang (MajorGeeks Admin - Master Malware Expert), 03-16-12, 23:04
Re: Infected with win32\Kryptic Trojan

Now we need to use ComboFix
  • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
  • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
  • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
  • Open Notepad and copy/paste the text in the below quote box into it:
Quote:
ClearJavaCache::
KILLALL::

File::
c:\documents and settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\securityhelper.exe
c:\documents and settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\AntivirusProtection2012.exe
c:\documents and settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\IcoActivate.ico
c:\documents and settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\IcoHelp.ico
c:\documents and settings\Hans Vanderbeke\Application Data\antivirus protection 2012\IcoUninstall.ico
c:\documents and settings\Hans Vanderbeke\Application Data\antivirus protection 2012\securitymanager.exe
c:\documents and settings\Hans Vanderbeke\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Protection 2012.lnk
c:\documents and settings\Hans Vanderbeke\Application Data\Security\security.bin
C:\WINDOWS\system32\18444350041.dll

Folder::
c:\documents and settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012
c:\documents and settings\Hans Vanderbeke\Application Data\Security
c:\documents and settings\Vicky Decock\Application Data\Security

FileLook::
C:\Program Files\Common Files\OnlineFilesManager.dll
C:\Program Files\Common Files\OnlineFilesManager.dll.old

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Protection 2012 SH"=-
  • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
  • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
  • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
  • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
  • Follow the prompts.
  • When it finishes, a log will be produced named c:\combofix.txt
  • I will ask for this log below
Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

If after running Combofix you discover none of your programs will open up because you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then you will need to reboot your computer, which will normally fix this problem.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:
  • C:\ComboFix.txt
  • C:\MGlogs.zip
Make sure you tell me how things are working now!

#9 hvdb (Private E-2), 03-17-12, 04:06
Re: Infected with win32\Kryptic Trojan

Ok,

Have retried with all AVG services stopped; this worked perfectly, as I am a bit afraid of uninstalling. This time, after reboot combofix ran without any interference from AVG.

Find attached the 2 log files requested, and also the warning Windows Firewall showed after the reboot generated by combofix. Basically it says Windows Firewall has blocked certain functions of Windows Explorer. It has blocked the program from accepting incoming connections from the network or internet. I chose the option to keep blocking.
Attached Images
File Type: jpg FirewallWarning.jpg (24.4 KB, 2 views)
Attached Files
File Type: txt ComboFix.txt (25.1 KB, 4 views)
File Type: zip MGlogs.zip (188.8 KB, 2 views)

#10 hvdb (Private E-2), 03-17-12, 04:11
Re: Infected with win32\Kryptic Trojan

Also, a new "suspicious" dll file appears in

C:\WINDOWS\system32\857189341.dll

Created after combofix has run. Combofix.txt was created at 9:56, the dll file was created at 9:57...

#11 hvdb (Private E-2), 03-17-12, 05:37
Re: Infected with win32\Kryptic Trojan

Also got AVG warning (after I re-enabled the avg services) not immediately but an hour later.
Attached Images
File Type: jpg AVGWarning.jpg (48.9 KB, 5 views)

#12 chaslang (MajorGeeks Admin - Master Malware Expert), 03-17-12, 08:46
Re: Infected with win32\Kryptic Trojan

Quote:
Originally Posted by hvdb
Also got AVG warning (after I re-enabled the avg services) not immediately but an hour later.

Items in system restore are not currently problems. We will fix/remove them when we get to final instructions.

You may still have to remove AVG. We will see. It is not protecting you from this infection anyway and it is obviously incapable of removing it.



Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    netsvcs
    /md5start
    afd.sys
    atapi.sys
    csrss.exe
    dhcpcsvc.dll
    explorer.exe
    lsass.exe
    nsiproxy.sys
    regedit.exe
    services.exe
    svchost.exe
    tcpip.sys
    tdx.sys
    userinit.exe
    winlogon.exe
    /md5stop
    %systemdrive%\*.*
    %systemdrive%\MGtools\*.*
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.sys /90
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %windir%\assembly\GAC\*.ini
    %windir%\assembly\GAC_MSIL\*.ini
    %windir%\assembly\gac_32\*.ini
    %windir%\assembly\gac_64\*.ini
    %windir%\assembly\temp\*.ini
    %windir%\assembly\tmp\u /s
    %allusersprofile%\application data\*.exe
    hklm\system\currentcontrolset\services\dhcp
    hklm\system\currentcontrolset\services\afd
    hklm\system\currentcontrolset\services\tdx
    hklm\system\currentcontrolset\services\tcpip
    hklm\system\currentcontrolset\services\nsiproxy
    hklm\software\microsoft\windows\currentversion\run
    hklm\software\microsoft\windows\currentversion\runonce
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

Also run GMER per the below and attach the log:

GMER - running with a random name

#13 chaslang (MajorGeeks Admin - Master Malware Expert), 03-17-12, 09:32
Re: Infected with win32\Kryptic Trojan

One more request! Please put a copy of the C:\WINDOWS\system32\857189341.dll file into a ZIP file and attach it to your next message.

#14 hvdb (Private E-2), 03-17-12, 10:00
Re: Infected with win32\Kryptic Trojan

Just to be sure I don't lose it during cleanup, here is already the dll file in rar format.
Attached Files
File Type: zip 857189341.zip (6.3 KB, 3 views)

#15 chaslang (MajorGeeks Admin - Master Malware Expert), 03-17-12, 11:46
Re: Infected with win32\Kryptic Trojan

Quote:
Originally Posted by hvdb
Just to be sure I don't lose it during cleanup,

Those last two scans I requested with OTL and GMER do not fix anything. They are just scans to look for information. Once I have the logs from them, we will continue.

The DLL file did not contain any identifying information. And virus scans on it do not show it to be a problem:

https://www.virustotal.com/file/839835e006b625cc3319312e2126ebd0b6831557c6ddeb5b4c7ebd18f094fe08/analysis/1332002868/

#16 hvdb (Private E-2), 03-17-12, 12:32
Re: Infected with win32\Kryptic Trojan

OK,

as requested the different log files
Attached Files
File Type: log gmer.log (50.0 KB, 3 views)
File Type: txt OTL.Txt (241.2 KB, 5 views)
File Type: txt Extras.Txt (47.8 KB, 1 views)

#17 chaslang (MajorGeeks Admin - Master Malware Expert), 03-17-12, 15:32
Re: Infected with win32\Kryptic Trojan

Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
  • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
  • Copy the text in the code box below and paste it into the text-field.
Code:
:OTL
O4 - HKU\S-1-5-21-117609710-1220945662-682003330-1004..\Run: [Antivirus Protection 2012 SM] C:\Documents and Settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\securitymanager.exe File not found
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
[2012/03/17 09:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hans Vanderbeke\Application Data\Security
[2012/03/13 21:17:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Menu Start\Programma's\STOPzilla
[2011/11/16 21:40:00 | 000,197,632 | ---- | C] (Microsoft) -- C:\Program Files\Common Files\OnlineFilesManager.dll.old
[2011/11/16 21:40:00 | 000,197,632 | ---- | C] (Microsoft) -- C:\Program Files\Common Files\OnlineFilesManager.dll
[2012/03/17 16:00:00 | 000,001,176 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1220945662-682003330-1004UA.job
[2012/03/17 15:54:00 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/17 09:57:18 | 000,025,272 | ---- | M] () -- C:\WINDOWS\System32\857189341.dll
[2012/03/17 09:40:24 | 000,002,042 | ---- | C] () -- C:\Documents and Settings\Hans Vanderbeke\Menu Start\Programma's\Antivirus Protection 2012.lnk
 
:Files
c:\documents and settings\Hans Vanderbeke\Application Data\Security\security.bin
C:\Program Files\Common Files\Data\hd2D_module.dat.vir
C:\Program Files\Common Files\OnlineFilesManager.dll
C:\Program Files\Common Files\OnlineFi
C:\WINDOWS\system32\857189341.dll    
C:\Documents and Settings\Hans Vanderbeke\Local Settings\temp\tmpA.tmp
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Antivirus Protection 2012 SH"=-
"Antivirus Protection 2012 SM"=- 
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]
  • Now click the button.
  • If the fix needed a reboot please do it.
  • Click the OK button (upon reboot).
  • When OTL is finished, Notepad will open. Close Notepad.
  • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Attach this log to your next message. (See: How to attach)
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • the log from OTL
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
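
Added example (not part of the original thread, and not a MajorGeeks or OTL tool): a Python parser for OTL file-listing lines of the form pasted in post #17, used to flag the pattern hvdb reported, a digit-only DLL name in system32 that is touched right after a cleanup run. The function names, the 5-minute window and the use of the 09:56 ComboFix log time from post #10 as the cleanup time are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Lines copied from the OTL script in post #17 of this thread. The O4 line is
# included to show that non-file entries are skipped.
SAMPLE_LOG = r"""
O4 - HKU\S-1-5-21-117609710-1220945662-682003330-1004..\Run: [Antivirus Protection 2012 SM] C:\Documents and Settings\Hans Vanderbeke\Application Data\Antivirus Protection 2012\securitymanager.exe File not found
[2012/03/17 09:52:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Hans Vanderbeke\Application Data\Security
[2011/11/16 21:40:00 | 000,197,632 | ---- | C] (Microsoft) -- C:\Program Files\Common Files\OnlineFilesManager.dll
[2012/03/17 15:54:00 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/03/17 09:57:18 | 000,025,272 | ---- | M] () -- C:\WINDOWS\System32\857189341.dll
[2012/03/17 09:40:24 | 000,002,042 | ---- | C] () -- C:\Documents and Settings\Hans Vanderbeke\Menu Start\Programma's\Antivirus Protection 2012.lnk
"""

# Assumption: ComboFix.txt creation time reported by hvdb in post #10 (9:56).
CLEANUP_TIME = datetime(2012, 3, 17, 9, 56)

# [timestamp | size | attributes | C(reated)/M(odified)] (company) -- path
# Directory entries carry no "(company)" field, so that group is optional.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?-- (?P<path>.+?)\s*$"
)


def parse_otl_line(line):
    """Return a dict for one file-listing line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
        "size": int(m["size"].replace(",", "")),
        "is_dir": "D" in m["attrs"],
        "kind": m["kind"],                  # "C" = created, "M" = modified
        "company": m["company"] or "",      # empty when no version info
        "path": PureWindowsPath(m["path"]),
    }


def load_entries(text):
    """Parse every file-listing line in a pasted log, skipping the rest."""
    parsed = (parse_otl_line(line) for line in text.splitlines())
    return [entry for entry in parsed if entry is not None]


def numeric_system32_dlls(entries):
    """Files directly in system32 whose name is only digits plus .dll."""
    return [
        e for e in entries
        if not e["is_dir"]
        and e["path"].parent.name.lower() == "system32"
        and e["path"].suffix.lower() == ".dll"
        and e["path"].stem.isdigit()
    ]


def touched_after(entries, cleanup_time, window=timedelta(minutes=5)):
    """Entries created or modified within `window` after a cleanup run."""
    return [e for e in entries
            if cleanup_time <= e["time"] <= cleanup_time + window]


if __name__ == "__main__":
    entries = load_entries(SAMPLE_LOG)
    for e in numeric_system32_dlls(entries):
        print("numeric system32 DLL:", e["path"], e["time"], e["size"], "bytes")
    for e in touched_after(entries, CLEANUP_TIME):
        print("touched right after cleanup:", e["path"])
```

A hit from both checks on the same file means something still running is rewriting it, so the persistence mechanism has not been removed yet.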

#18 hvdb (Private E-2), 03-17-12, 18:42
Re: Infected with win32\Kryptic Trojan

Here the requested logs...
Attached Files
File Type: log 03182012_003333.log (9.5 KB, 6 views)
File Type: zip MGlogs.zip (190.8 KB, 3 views)

#19 hvdb (Private E-2), 03-18-12, 05:10
Re: Infected with win32\Kryptic Trojan

For the moment, symptoms seem to have disappeared.

Do the logs confirm all is OK?

Hvdb

#20 hvdb (Private E-2), 03-18-12, 07:12
Re: Infected with win32\Kryptic Trojan

The only thing that came back was the attached error.
Attached Images
File Type: jpg AVGWarning.jpg (49.4 KB, 4 views)