Win32/Kryptik.GH Trojan


Solved Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 7:04 pm

--------------------


Last edited by 11PM on 13th February 2009, 1:11 am; edited 1 time in total (Reason for editing : Idk)

Stephon
Intermediate
Intermediate

Posts Posts : 93
Joined Joined : 2008-09-06
Gender Gender : Male
OS OS : Windows XP
Points Points : 30180
# Likes # Likes : 0


Solved Re: Win32/Kryptik.GH Trojan

Post by Belahzur on 10th February 2009, 7:07 pm

Back again? LMBO or ROFL

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt, I don't need to see Extras.txt
  • You may need to use more than one post to get it all on the forum


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245079
# Likes # Likes : 1


Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 7:56 pm

[You must be registered and logged in to see this link.] wrote: Back again? LMBO or ROFL

Download [You must be registered and logged in to see this link.] to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt, I don't need to see Extras.txt
  • You may need to use more than one post to get it all on the forum

For some reason, it's not wanting to do the full scan. Sometimes it stops or an error comes up.

Error:

Access violation at address 774410B0 in module 'ntdll.dll'. Read of address 00000012.

Then I click "ok" but 5-10 minutes pass showing "application event log"..


Solved Re: Win32/Kryptik.GH Trojan

Post by Belahzur on 10th February 2009, 8:08 pm

Hello. OTViewIt and MBAM are probably among the few tools that run on the 64-bit version of Vista.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Iminent.SearchTheWeb.HelperObject - {0E896FCA-D07E-45FE-901F-6A26FCF59C02} - mscoree.dll (file missing)
    O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files (x86)\SmartShopper\Bin\2.5.0\SmrtShpr.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 YFF3 Firefox/3.0.6" -"http://bcs.worthpublishers.com/discoveringpsych4e/content/cat_020/05020-01.asp"


  • Press "Fix Checked"
  • Close Hijack This.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    C:\Program Files (x86)\SmartShopper
    C:\Program Files (x86)\RelevantKnowledge


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Please run a GMER Rootkit scan:

Download GMER's application from here:
[You must be registered and logged in to see this link.]

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.





Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 8:34 pm

Log of OTMoveit3:

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_122044


------------------------------------------------------------------------------------------------

The last program said it didn't find anything..


Solved Re: Win32/Kryptik.GH Trojan

Post by Belahzur on 10th February 2009, 8:37 pm

Download [You must be registered and logged in to see this link.]

Right-click Lop S&D.exe > Select "Run as administrator"
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)





Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 8:46 pm

I did what you said but it shows "Starting scan" then it closes and nothing comes up..


Solved Re: Win32/Kryptik.GH Trojan

Post by Belahzur on 10th February 2009, 8:50 pm

Darn.
Can you try the run as administrator on OTViewIt?





Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 8:52 pm

[You must be registered and logged in to see this link.] wrote: Darn.
Can you try the run as administrator on OTViewIt?

OTViewIt worked when I ran it as admin..


Solved Re: Win32/Kryptik.GH Trojan

Post by Belahzur on 10th February 2009, 8:55 pm

Hooray! Thank god for that.
Post the log please.





Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 8:58 pm

-------------------


Last edited by 11PM on 13th February 2009, 1:12 am; edited 1 time in total


Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 8:59 pm

---------------------


Last edited by 11PM on 13th February 2009, 1:12 am; edited 1 time in total


Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 8:59 pm

--------------------------


Last edited by 11PM on 13th February 2009, 1:12 am; edited 1 time in total


Solved Re: Win32/Kryptik.GH Trojan

Post by Belahzur on 10th February 2009, 9:06 pm

Do you know what this file is?
C:\Users\Tessonja\Documents\Your Credit Diagnosis membership has been cancelled per your membership terms.doc

Fix this registry item.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Now open another new notepad file.
Input this into the notepad file:

    @echo off
    rem Stop the RelevantKnowledge service from starting, stop it if running, then unregister it
    sc config "RelevantKnowledge" start= disabled
    sc stop "RelevantKnowledge"
    sc delete "RelevantKnowledge"
    rem Remove this batch file itself once done
    del fix.bat
    exit

Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close; this is normal.

Delete these two folders in bold if they exist:
C:\Program Files (x86)\RelevantKnowledge
C:\Program Files (x86)\SmartShopper

No sign of malware in the log.





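As an added example (not code from this thread, from HijackThis or from OldTimer's tools), the O2 lines quoted in the HijackThis post above can be parsed the way a helper reads them: entries whose target is "(no file)" or "(file missing)" are flagged as orphaned registrations, and the same [-KEY] .reg deletion that the fix post hand-writes for the SmartShopper CLSID is generated for any CLSID list. The sample log is constructed (its last CLSID is a zero placeholder), and the wow6432 switch assumes that 32-bit Internet Explorer on 64-bit Windows registers its BHOs under the Wow6432Node branch.

```python
import re

# Constructed sample in the shape of the O2 lines quoted in the thread; the
# last entry is a made-up benign BHO with a placeholder CLSID.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Iminent.SearchTheWeb.HelperObject - {0E896FCA-D07E-45FE-901F-6A26FCF59C02} - mscoree.dll (file missing)
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\\Program Files (x86)\\SmartShopper\\Bin\\2.5.0\\SmrtShpr.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files (x86)\\Example\\helper.dll
"""

# HijackThis O2 layout: "O2 - BHO: <name> - {CLSID} - <dll path or status>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
BHO_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_o2(log_text):
    """Return one dict per O2 line: name, CLSID, target and whether the DLL is absent."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue  # not an O2 line (O4, O23 ... are ignored here)
        target = m.group("target")
        # HijackThis marks a registration whose DLL no longer exists in one of two ways
        orphan = target == "(no file)" or target.endswith("(file missing)")
        entries.append({"name": m.group("name"), "clsid": m.group("clsid").upper(),
                        "target": target, "orphan": orphan})
    return entries


def orphan_clsids(entries):
    """CLSIDs of BHO registrations whose DLL is gone: dead entries a helper would have fixed."""
    return [e["clsid"] for e in entries if e["orphan"]]


def make_reg_removal(clsids, wow6432=False):
    """Build .reg text deleting the BHO registration keys, in the [-KEY] form used in the thread.

    wow6432=True targets the Wow6432Node branch (assumed location for 32-bit IE on x64 Windows).
    """
    key = BHO_KEY
    if wow6432:
        key = key.replace(r"Software\Microsoft", r"Software\Wow6432Node\Microsoft", 1)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        lines.append("[-%s\\%s]" % (key, clsid))
        lines.append("")
    return "\r\n".join(lines)  # .reg files are CRLF text
```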
Solved Re: Win32/Kryptik.GH Trojan

Post by Stephon on 10th February 2009, 9:25 pm

It's good, just some info...

Okay, I did everything that you said.

Hopefully it doesn't happen again to any of my family's computers.. lol

Thanks for the help [again]. ;)


Solved Re: Win32/Kryptik.GH Trojan

Post by Doctor Inferno on 6th July 2009, 3:22 am

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 12015
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104610
# Likes # Likes : 0

