Infected with win32/kryptik.quu

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hendrickx, Jul 27, 2011.

  1. hendrickx

    hendrickx Private E-2

    Found this using ESET. ESET removes it, I reboot and after a few hours ESET finds it again. This is a brand new PC and I haven't done much other than install office, ESET and Firefox.

    I ran through the entire RUN & READ ME FIRST thread. I didn't follow instructions at the end. I thought I was cleaned out so I went to use my PC again today. Nope, still infected.

    I ran ESET this morning again, cleaned everything it found, emptied out the quarantined items and then went through RUN AND READ ME FIRST again.

    Can you look at the attached? Everything seems to have run OK.

    I'm on Windows 7 64 bit. Let me know if I've forgotten anything.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks!

    I will be reviewing your logs. Please be patient as there is a lot of information to review.
     
  3. thisisu

    thisisu Malware Consultant

    It looks as though whatever you did through ESET NOD32 and during the first and second READ AND RUN ME FIRST procedures took care of most of your problems. Let's do the following steps for now. Let me know how the computer runs afterwards and what malware issues (if any) you still have. Feel free to attach any ESET logs so I can analyze those too to make sure your system is clean.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
    Run C:\MGtools\analyse.exe by double-clicking it (Vista and Win7 right-click and select Run as Administrator)
    Choose Do a system scan only and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.


    Could you please get this file: 975982594 into a zipped file and attach it for me in your next post? To do this, see the below:

    On your keyboard, press the Windows key + the letter R (at the same time).
    This brings up the Run dialog box for Windows 7.
    Now paste in the following:
    Press ENTER
    log retrievable @ C:\collect.zip
    Attach collect.zip to your next message. (How to attach items to your post)

    Please go to virustotal and upload the following files for analysis, and let me know the results.

    • C:\Windows\SysWOW64\975982594
    • C:\Windows\„õ£

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    This will automatically update all the logs in MGlogs.zip!
    Make sure you click "Accept" on the License Agreement by HiJackThis!/analyse.exe twice (yes twice).

    Then attach the below logs:
    • C:\MGlogs.zip
    • C:\collect.zip
     
    Last edited by a moderator: Jul 27, 2011
  4. hendrickx

    hendrickx Private E-2

    I think I have what you're after, not sure I understand the edit Kestrel made, it looks the same to me as it did before it was edited...

    I never got a license agreement to click on when I ran GetLogs.bat.

    ------------------------------------------

    File name:
    975982594
    Submission date:
    2011-07-27 23:49:31 (UTC)
    Current status:
    finished
    Result:
    0/ 43 (0.0%)

    VT Community

    not reviewed
    Safety score: -
    Antivirus Version Last Update Result
    AhnLab-V3 2011.07.28.00 2011.07.27 -
    AntiVir 7.11.12.140 2011.07.27 -
    Antiy-AVL 2.0.3.7 2011.07.27 -
    Avast 4.8.1351.0 2011.07.27 -
    Avast5 5.0.677.0 2011.07.27 -
    AVG 10.0.0.1190 2011.07.27 -
    BitDefender 7.2 2011.07.28 -
    CAT-QuickHeal 11.00 2011.07.27 -
    ClamAV 0.97.0.0 2011.07.27 -
    Commtouch 5.3.2.6 2011.07.28 -
    Comodo 9536 2011.07.28 -
    DrWeb 5.0.2.03300 2011.07.28 -
    Emsisoft 5.1.0.8 2011.07.27 -
    eSafe 7.0.17.0 2011.07.27 -
    eTrust-Vet 36.1.8468 2011.07.27 -
    F-Prot 4.6.2.117 2011.07.28 -
    F-Secure 9.0.16440.0 2011.07.27 -
    Fortinet 4.2.257.0 2011.07.27 -
    GData 22 2011.07.27 -
    Ikarus T3.1.1.104.0 2011.07.27 -
    Jiangmin 13.0.900 2011.07.27 -
    K7AntiVirus 9.108.4953 2011.07.27 -
    Kaspersky 9.0.0.837 2011.07.28 -
    McAfee 5.400.0.1158 2011.07.28 -
    McAfee-GW-Edition 2010.1D 2011.07.28 -
    Microsoft 1.7104 2011.07.27 -
    NOD32 6330 2011.07.27 -
    Norman 6.07.10 2011.07.27 -
    nProtect 2011-07-27.01 2011.07.27 -
    Panda 10.0.3.5 2011.07.27 -
    PCTools 8.0.0.5 2011.07.28 -
    Prevx 3.0 2011.07.28 -
    Rising 23.68.02.03 2011.07.27 -
    Sophos 4.67.0 2011.07.28 -
    SUPERAntiSpyware 4.40.0.1006 2011.07.28 -
    Symantec 20111.1.0.186 2011.07.28 -
    TheHacker 6.7.0.1.263 2011.07.26 -
    TrendMicro 9.200.0.1012 2011.07.27 -
    TrendMicro-HouseCall 9.200.0.1012 2011.07.28 -
    VBA32 3.12.16.4 2011.07.27 -
    VIPRE 9985 2011.07.28 -
    ViRobot 2011.7.27.4591 2011.07.27 -
    VirusBuster 14.0.142.0 2011.07.27 -
    Additional information
    MD5 : 54ed9a792318aa67a23004fa1f901b4c
    SHA1 : 712fcb384f0dec47c3a4521d60cd903123251cf7
    SHA256: e476a7ec99a89055080ed3e962e991a36ebf2cee1ce5e5b8d3185435d7ab93c5

    ------------------------------------------

    File name:
    „õ£
    Submission date:
    2011-07-27 23:54:13 (UTC)
    Current status:
    finished
    Result:
    0/ 43 (0.0%)

    VT Community

    malware
    Safety score: 0.0%
    Antivirus Version Last Update Result
    AhnLab-V3 2011.07.28.00 2011.07.27 -
    AntiVir 7.11.12.140 2011.07.27 -
    Antiy-AVL 2.0.3.7 2011.07.27 -
    Avast 4.8.1351.0 2011.07.27 -
    Avast5 5.0.677.0 2011.07.27 -
    AVG 10.0.0.1190 2011.07.27 -
    BitDefender 7.2 2011.07.28 -
    CAT-QuickHeal 11.00 2011.07.27 -
    ClamAV 0.97.0.0 2011.07.27 -
    Commtouch 5.3.2.6 2011.07.28 -
    Comodo 9536 2011.07.28 -
    DrWeb 5.0.2.03300 2011.07.28 -
    Emsisoft 5.1.0.8 2011.07.27 -
    eSafe 7.0.17.0 2011.07.27 -
    eTrust-Vet 36.1.8468 2011.07.27 -
    F-Prot 4.6.2.117 2011.07.28 -
    F-Secure 9.0.16440.0 2011.07.27 -
    Fortinet 4.2.257.0 2011.07.27 -
    GData 22 2011.07.27 -
    Ikarus T3.1.1.104.0 2011.07.27 -
    Jiangmin 13.0.900 2011.07.27 -
    K7AntiVirus 9.108.4953 2011.07.27 -
    Kaspersky 9.0.0.837 2011.07.28 -
    McAfee 5.400.0.1158 2011.07.28 -
    McAfee-GW-Edition 2010.1D 2011.07.28 -
    Microsoft 1.7104 2011.07.27 -
    NOD32 6330 2011.07.27 -
    Norman 6.07.10 2011.07.27 -
    nProtect 2011-07-27.01 2011.07.27 -
    Panda 10.0.3.5 2011.07.27 -
    PCTools 8.0.0.5 2011.07.28 -
    Prevx 3.0 2011.07.28 -
    Rising 23.68.02.03 2011.07.27 -
    Sophos 4.67.0 2011.07.28 -
    SUPERAntiSpyware 4.40.0.1006 2011.07.28 -
    Symantec 20111.1.0.186 2011.07.28 -
    TheHacker 6.7.0.1.263 2011.07.26 -
    TrendMicro 9.200.0.1012 2011.07.27 -
    TrendMicro-HouseCall 9.200.0.1012 2011.07.28 -
    VBA32 3.12.16.4 2011.07.27 -
    VIPRE 9985 2011.07.28 -
    ViRobot 2011.7.27.4591 2011.07.27 -
    VirusBuster 14.0.142.0 2011.07.27 -
    Additional information
    MD5 : f9f4905664c5b42b49e78efa12d1a6b6
    SHA1 : 9b706deb688bc85688246af31af821b014e72d13
    SHA256: 4dd8aaa8bd9f90459d4dc82aeddf5dcd439a7cd27b70a067e2c6ca904c717c83
     

    Attached Files:
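Added example, not code from the MajorGeeks thread or its READ ME procedure: a PowerShell sweep of the directories the two suspicious files lived in (post 3), looking for files with the same kind of odd name (all digits, non-ASCII or control characters, no extension), hashing them with SHA-256 and flagging any hash that matches the two VirusTotal SHA-256 values hendrickx posted (post 4). It targets Windows 7's PowerShell 2.0, so hashing goes through .NET rather than Get-FileHash, and it must run from an elevated prompt. The name-based rules, the inclusion of System32 alongside SysWOW64, and the label for the second file (whose name is garbled on the page) are assumptions. The caveat the thread illustrates: a 0/43 VirusTotal result is not a clean bill of health, which is why the hash match, the missing Authenticode signature and the odd location are what to look at, not the detection count.

```powershell
# Added example (not from the thread). Hunt for oddly named, unsigned files in the
# Windows directories named in the thread and compare SHA-256 hashes with the two
# VirusTotal hashes posted by hendrickx. PowerShell 2.0 compatible; run elevated.

# SHA-256 values copied from the VirusTotal reports in the thread.
$KnownBad = @{
    'e476a7ec99a89055080ed3e962e991a36ebf2cee1ce5e5b8d3185435d7ab93c5' = 'C:\Windows\SysWOW64\975982594'
    '4dd8aaa8bd9f90459d4dc82aeddf5dcd439a7cd27b70a067e2c6ca904c717c83' = 'second file in C:\Windows (name garbled on the page)'
}

# Top level only: both files sat directly in these directories. System32 is
# included on the assumption that a 64-bit host may carry a native twin.
$Dirs = 'C:\Windows', 'C:\Windows\System32', 'C:\Windows\SysWOW64'

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        $bytes = $sha.ComputeHash($fs)
        ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } catch {
        'unreadable'    # locked by a running process, or access denied
    } finally {
        if ($fs) { $fs.Close() }
        $sha.Clear()
    }
}

# Heuristic (assumption): names that look nothing like a Windows component.
function Test-OddName {
    param([System.IO.FileInfo]$File)
    $n = $File.Name
    if ($n -match '^\d+$')        { return $true }   # purely numeric, like 975982594
    if ($n -match '[^\x20-\x7E]') { return $true }   # non-ASCII or control characters
    if ($File.Extension -eq '')   { return $true }   # no extension at all
    return $false
}

$Suspicious = foreach ($d in $Dirs) {
    Get-ChildItem -LiteralPath $d -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and (Test-OddName $_) } |
        ForEach-Object {
            $hash = Get-Sha256Hex $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SHA256    = $hash
                KnownBad  = $KnownBad.ContainsKey($hash)
            }
        }
}

# Known-bad matches first, then newest files; compare LastWriteTime with when
# ESET last reported the detection to see what was dropped in the same window.
$Suspicious | Sort-Object KnownBad, Modified -Descending |
    Format-Table Path, Size, Modified, Signature, KnownBad, SHA256 -AutoSize
```

Anything listed with KnownBad = True is one of the two files from this thread reappearing; anything else with Signature = NotSigned and a recent Modified time is a candidate for the same zip-and-upload treatment the consultant asked for, with its hash recorded before removal so that a reappearance after reboot can be tied to the same sample.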

  5. thisisu

    thisisu Malware Consultant

    Yes, you did it correctly. ;)

    Thanks for the info. HJT ran correctly so all is well

    Can you tell me what malware problems (if any) you are still experiencing?
     
  6. hendrickx

    hendrickx Private E-2

    None, but I've kept it off the internet since i realized it was being re-infected. I can reconnect and use it for a bit and see if I see anything.
     
  7. hendrickx

    hendrickx Private E-2

    Apparently I'm OK. No notices of anything odd in the last 30 min of web surfing.
     
  8. hendrickx

    hendrickx Private E-2

    Re-enabled UAC, Toggled System Restore, installed Comodo Firewall and bought Malwarebytes.

    thanks for the help, and the fantastic walk throughs. You guys and gals rock!
     
  9. thisisu

    thisisu Malware Consultant

    You're welcome :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
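Added example, not part of thisisu's post or the MajorGeeks procedure: a PowerShell check of the end state that steps 2, 6, 7, 8 and 9 above aim for on Windows 7 (UAC back on, Explorer hidden-file settings at Windows defaults, the helper tools and logs gone, HijackThis uninstalled, and a restore point newer than the cleanup). It uses only cmdlets available in PowerShell 2.0 and must run elevated. The registry locations are the standard Windows ones; the 24-hour window that counts as "since the cleanup" and the list of leftover paths are assumptions.

```powershell
# Added example (not from the thread). Verify the post-cleanup state the final
# steps describe. PowerShell 2.0 compatible; run from an elevated prompt.

$Findings = @()

# Step 6: UAC on. EnableLUA = 1 is the switch; ConsentPromptBehaviorAdmin = 0
# would mean administrators are elevated without any prompt.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.EnableLUA -ne 1) {
    $Findings += 'UAC is disabled (EnableLUA is not 1)'
}
if ($pol.ConsentPromptBehaviorAdmin -eq 0) {
    $Findings += 'UAC elevates administrators silently (ConsentPromptBehaviorAdmin = 0)'
}

# Step 2: ComboFix /uninstall resets hidden-file settings to Windows defaults,
# which are Hidden = 2 (do not show hidden files) and ShowSuperHidden = 0.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($adv.Hidden -ne 2)          { $Findings += 'Explorer still shows hidden files (Hidden is not 2)' }
if ($adv.ShowSuperHidden -ne 0) { $Findings += 'Explorer still shows protected OS files (ShowSuperHidden is not 0)' }

# Steps 2, 4, 8: tools and logs that MGclean.bat and the ComboFix uninstall
# should have removed (paths taken from the thread; the list is an assumption).
$Leftovers = 'C:\MGtools', 'C:\MGlogs.zip', 'C:\collect.zip',
             "$env:USERPROFILE\Desktop\ComboFix.exe"
foreach ($p in $Leftovers) {
    if (Test-Path -LiteralPath $p) { $Findings += "Leftover file or folder: $p" }
}

# Step 7: HijackThis uninstalled. Look for its Add/Remove Programs entry in both
# the native and the 32-bit (Wow6432Node) uninstall keys.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$hjt = Get-ChildItem $UninstallKeys -ErrorAction SilentlyContinue |
       ForEach-Object { Get-ItemProperty $_.PSPath } |
       Where-Object { $_.DisplayName -like '*HijackThis*' }
if ($hjt) { $Findings += 'HijackThis is still installed' }

# Step 9: System Restore re-enabled with a fresh restore point. WMI reports
# CreationTime as a DMTF string, hence the converter. Window is an assumption.
$CleanupStart = (Get-Date).AddHours(-24)
$rps = Get-ComputerRestorePoint -ErrorAction SilentlyContinue |
       ForEach-Object { [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }
if (-not $rps) {
    $Findings += 'No restore points found: System Restore may still be disabled'
} elseif (($rps | Sort-Object -Descending | Select-Object -First 1) -lt $CleanupStart) {
    $Findings += 'Newest restore point predates the cleanup; old points were not flushed'
}

if ($Findings) {
    $Findings | ForEach-Object { Write-Output "CHECK: $_" }
} else {
    Write-Output 'All post-cleanup checks passed.'
}
```

Each CHECK line maps back to one of the numbered steps, so a non-empty result says which step to redo rather than just that something is off.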
     
