Win32/Kryptik.BHG trojan in Windows 7 [Solved]


  • This topic is locked

#1 pspuser007 (Member, 48 posts)
Hello all,

System Info:
OS: Windows 7 Ultimate
CPU: E8400 (@ 3,00GHz)
GPU: GTX280
PSU: 650W
RAM: 3GB
Antivirus: Nod32 V.4
Also installed malwarebyte's antimalware and superantispyware.

Problem:
Today, almost every 15 minutes nod notifies me with 2 notices:
This is the first that shows up:
5/12/2009 2:47:23 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

And this is the second:
5/12/2009 2:47:25 PM Real-time file system protection file C:\Windows\TEMP\rnpx.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.


I have scanned with nod32, with malwarebyte's antimalware and deleted what these found.
I also scanned with superantispyware and it found this one:
Trojan.Dropper/SVCHost-Fake


What can I do?


This is the Nod32 Log file until now:

5/12/2009 3:02:31 PM Real-time file system protection file C:\Windows\TEMP\xqoe.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 3:02:31 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:57:29 PM Real-time file system protection file C:\Windows\TEMP\rlfc.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:57:28 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:52:26 PM Real-time file system protection file C:\Windows\TEMP\ntet.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:52:26 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:47:25 PM Real-time file system protection file C:\Windows\TEMP\rnpx.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:47:23 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.





NEW EDIT:
The problem has stopped for a few days but today again I got the same message from nod32.
This is the log:

10/12/2009 9:06:51 PM Real-time file system protection file C:\$RECYCLE.BIN\S-1-5-21-554481470-3224669014-3345837826-1001\$R7RIEKP.tmp a variant of Win32/Kryptik.BJM trojan cleaned by deleting - quarantined Χρήστος-PC\Χρήστος Event occurred on a file modified by the application: C:\Windows\explorer.exe.
10/12/2009 9:04:09 PM Startup scanner file C:\Windows\TEMP\pxno.tmp\svchost.exe a variant of Win32/Kryptik.BJM trojan cleaned by deleting - quarantined





Thank you for your time.

Edited by pspuser007, 10 December 2009 - 01:22 PM.

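The log above is more informative than the two alerts suggest: the same URL is blocked roughly every five minutes, and every dropped file is a fake svchost.exe written into a randomly named C:\Windows\TEMP\xxxx.tmp folder by the real System32 svchost.exe running as SYSTEM. The following is an added example (not part of the thread, not an ESET tool) that parses lines in this format, measures the re-download interval and extracts IOCs. The sample lines are reconstructed from the post with the Greek "μμ" rendered as PM and dates read as day/month/year; the regex, the beaconing threshold and the interpretation in `assess()` are this example's own assumptions.

```python
"""Triage of ESET NOD32 detection log lines (added example, not from the thread)."""
import re
from datetime import datetime

# Constructed sample: the lines quoted in the post, with "μμ" rendered as PM.
SAMPLE_LOG = r"""
5/12/2009 3:02:31 PM Real-time file system protection file C:\Windows\TEMP\xqoe.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 3:02:31 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:57:29 PM Real-time file system protection file C:\Windows\TEMP\rlfc.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:57:28 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:52:26 PM Real-time file system protection file C:\Windows\TEMP\ntet.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:52:26 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:47:25 PM Real-time file system protection file C:\Windows\TEMP\rnpx.tmp\svchost.exe Win32/Kryptik.BHG trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Windows\System32\svchost.exe.
5/12/2009 2:47:23 PM HTTP filter file http://91.212.226.178/anime3CL.exe Win32/Kryptik.BHG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
10/12/2009 9:06:51 PM Real-time file system protection file C:\$RECYCLE.BIN\S-1-5-21-554481470-3224669014-3345837826-1001\$R7RIEKP.tmp a variant of Win32/Kryptik.BJM trojan cleaned by deleting - quarantined Χρήστος-PC\Χρήστος Event occurred on a file modified by the application: C:\Windows\explorer.exe.
10/12/2009 9:04:09 PM Startup scanner file C:\Windows\TEMP\pxno.tmp\svchost.exe a variant of Win32/Kryptik.BJM trojan cleaned by deleting - quarantined
"""

# Field layout assumed from the quoted lines; user and parent process are optional
# (the "Startup scanner" line carries neither).
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<module>.+?) file (?P<obj>\S+) "
    r"(?:a variant of )?(?P<threat>\S+) trojan (?P<action>.+?) - quarantined"
    r"(?: (?P<user>.+?))?"
    r"(?: (?:Event occurred on .+?|Threat was detected upon access to web) "
    r"by the application: (?P<parent>.+?)\.)?$"
)

# Drop pattern seen in the log: fake svchost.exe in a random four-letter .tmp folder.
DROP_RE = re.compile(r"^C:\\Windows\\TEMP\\[a-z]{4}\.tmp\\svchost\.exe$", re.IGNORECASE)


def parse_log(text):
    """Parse NOD32 lines into dicts sorted by time; an unknown line raises."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised line: " + line)
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %I:%M:%S %p")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def download_intervals(events):
    """Seconds between successive blocked fetches of the same URL."""
    by_url = {}
    for e in events:
        if e["module"] == "HTTP filter":
            by_url.setdefault(e["obj"], []).append(e["ts"])
    return {url: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for url, ts in by_url.items()}


def is_beaconing(intervals, min_fetches=3, jitter=30):
    """A timer-driven loader re-fetches at a near-constant interval (assumed jitter)."""
    return (len(intervals) >= min_fetches - 1
            and max(intervals) - min(intervals) <= jitter)


def iocs(events):
    out = {"urls": set(), "hosts": set(), "drop_paths": set(), "parents": set()}
    for e in events:
        if e["obj"].lower().startswith("http"):
            out["urls"].add(e["obj"])
            out["hosts"].add(e["obj"].split("/")[2])
        else:
            out["drop_paths"].add(e["obj"])
        if e["parent"]:
            out["parents"].add(e["parent"])
    return out


def assess(events):
    """Turn the pattern into findings an analyst can act on (this example's reading)."""
    findings = []
    for url, gaps in download_intervals(events).items():
        if is_beaconing(gaps):
            parents = sorted({e["parent"] for e in events
                              if e["module"] == "HTTP filter" and e["obj"] == url and e["parent"]})
            findings.append(
                f"{url} re-fetched every ~{round(sum(gaps) / len(gaps) / 60)} min by "
                f"{', '.join(parents)}: the loader is still resident, so deleting each "
                f"payload copy does not clean the machine")
    drops = [e for e in events if DROP_RE.match(e["obj"])]
    if drops:
        writers = sorted({e["parent"] for e in drops if e["parent"]})
        findings.append(
            f"{len(drops)} payload drops as a fake svchost.exe under random "
            f"C:\\Windows\\TEMP\\*.tmp folders, written by {', '.join(writers)}: the "
            f"code runs inside the service host, so review the services it hosts "
            f"(and their DLLs), not only Run keys")
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in assess(evs):
        print("-", f)
    print(iocs(evs))
```

Run it against a saved NOD32 log exported in the same format; a near-constant interval on one URL, together with a legitimate system process named as the parent, is the signal that the antivirus is only treating symptoms.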

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Hi there, sorry for the delay. I will need a fresh look at your system. What are your current symptoms?

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the attachment icon to insert the attachment into your post


#3 pspuser007 (Topic Starter, Member, 48 posts)
Hello,

It's ok!

Well I have no symptoms for now, but I would like to make sure that my system and all my files are clean.

I 've attached the log file.


PS: I had a problem writing in the text form when I pressed "Add Reply"; what I did was to type in the fast reply text box and then edit the reply to add the log file.

Attached Files

  • Attached File: OTS.Txt (249.74 KB)

Edited by pspuser007, 12 December 2009 - 04:02 PM.


#4 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
There are some remnants - so let's kill them :)

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "Calc32" -> C:\Windows\System32\regedit.exe [C:\Windows\system32\regedit.exe]
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

THEN

Please download Malwarebytes' Anti-Malware from here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
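The only thing the OTS fix above removes is a Run value named "Calc32" that launches C:\Windows\System32\regedit.exe: a value name that has nothing to do with the target, and a target that is a legitimate system tool nobody auto-starts. Both are the kind of signal a manual autorun review looks for. The following is an added example (not from the thread and not how OTS works) that scores Run entries with a few such heuristics and, on Windows, can read the live HKLM and HKCU Run keys through winreg. The sample entries are constructed: the first is the one quoted in the fix; "egui", the TEMP-resident fake svchost and the Adobe launcher are made up for contrast, and the hard-coded C:\Windows\System32 location for the real svchost.exe is an assumption.

```python
"""Heuristic review of Windows Run autostart values (added example, not an OTS feature)."""
import ntpath
import re
import sys

# System32 binaries that are legitimate but have no business being an autorun
# target on their own; malware uses them as decoys or as proxies for something else.
DECOY_SYSTEM_TOOLS = {"regedit.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
WRITABLE_HINTS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\users\\",
                  "\\documents and settings\\", "\\programdata\\", "\\$recycle.bin\\")
WEIGHTS = {"decoy": 3, "writable": 3, "fake_svchost": 5, "name": 1}
THRESHOLD = 2  # a name mismatch alone (weight 1) is too weak to flag by itself
REAL_SVCHOST_DIR = "c:\\windows\\system32\\"  # assumption: default %SystemRoot%

# Constructed sample: the entry OTS removed in the post, plus three made-up ones.
SAMPLE_ENTRIES = [
    ("HKLM", "Calc32", r"C:\Windows\System32\regedit.exe"),
    ("HKLM", "egui", r'"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /splash'),
    ("HKCU", "Windows Update", r"C:\Windows\TEMP\rnpx.tmp\svchost.exe"),
    ("HKLM", "Adobe Reader Speed Launcher",
     r'"C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"'),
]


def executable_of(command):
    """First token of a Run command: a quoted path, otherwise up to the first space."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def _norm(s):
    return re.sub(r"[^a-z]", "", s.lower())


def audit_run_entry(name, command):
    """Return (score, reasons) for one Run value; score 0 means unremarkable."""
    low = executable_of(command).lower()
    base = ntpath.basename(low)            # ntpath: split on backslashes on any host
    stem = _norm(ntpath.splitext(base)[0])
    reasons = []
    if base in DECOY_SYSTEM_TOOLS:
        reasons.append(("decoy", f"{base} is a system tool that is not normally auto-started"))
    if any(h in low for h in WRITABLE_HINTS):
        reasons.append(("writable", "executable sits in a temporary or user-writable location"))
    if base == "svchost.exe" and not low.startswith(REAL_SVCHOST_DIR):
        reasons.append(("fake_svchost", "svchost.exe outside System32 is an impostor"))
    n = _norm(name)
    if stem and n not in stem and stem not in n:
        reasons.append(("name", f"value name {name!r} does not resemble {base!r}"))
    return sum(WEIGHTS[tag] for tag, _ in reasons), [msg for _, msg in reasons]


def audit_all(entries):
    """Map (hive, name) -> (score, reasons) for entries at or above THRESHOLD."""
    flagged = {}
    for hive, name, command in entries:
        score, reasons = audit_run_entry(name, command)
        if score >= THRESHOLD:
            flagged[(hive, name)] = (score, reasons)
    return flagged


def live_run_entries():
    """Read the HKLM and HKCU Run keys via winreg; returns [] when not on Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:      # no more values
                    break
                found.append((label, name, str(value)))
                i += 1
    return found


if __name__ == "__main__":
    for (hive, name), (score, reasons) in audit_all(live_run_entries() or SAMPLE_ENTRIES).items():
        print(f"{hive}\\...\\Run\\{name}: score {score}")
        for r in reasons:
            print("   -", r)
```

The weights are deliberately crude: a name that does not match the binary is common for legitimate software, so it only tips the balance when another signal (a decoy system tool, a temp-folder path, a svchost.exe outside System32) is already present. Entries that score should be checked against the file on disk before anything is deleted.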

#5 pspuser007 (Topic Starter, Member, 48 posts)
I did what you said.

When OTS finished it said that it needed to reboot and no log came up.

I scanned with MBAM and no harmful objects were found.
This is the log (it was in Greek; I used Google Translate to translate it into English):
Malwarebytes' Anti-Malware 1.42
Database Version: 3350
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

13/12/2009 2:53:19 AM
mbam-log-2009-12-13 (02-53-19).txt

Scan type: Quick Scan
Items scanned: 150638
Time spent: 2 minute(s), 36 second(s)

Infected processes in memory: 0
Contaminated items in memory: 0
Contaminated keys in the registry: 0
Contaminated values in the registry: 0
Contaminated data objects in the registry: 0
Infected files: 0
Infected files: 0

Infected processes in memory:
(No malicious items detected)

Contaminated items in memory:
(No malicious items detected)

Contaminated keys in the registry:
(No malicious items detected)

Contaminated values in the registry:
(No malicious items detected)

Contaminated data objects in the registry:
(No malicious items detected)

Infected files:
(No malicious items detected)

Infected files:
(No malicious items detected)



After the OTS fix I believe that some of my settings in the folder view were lost.
For example, I can see hidden system files and the extension of each known file type (.txt, .mp3).

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
No problem, we will revert your hidden files :) So, subject to no further problems...

Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove, along with ERUNT. But they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 17.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u17-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u17-windows-i586-p.exe and select "Run as an Administrator.")


VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#7 pspuser007 (Topic Starter, Member, 48 posts)
The system files were showing up too.
I hid the system files and the extensions for the known types of files.
(I need the hidden files and folders to appear. :) )

I upgraded Java.


What is the OTL programme? Where can I find it?


There are 2 problems now:
When we did this with OTS, a problem might have occurred with my connection.
Every time I turn on my PC, there is a problem with the connection.
I open the connection panel and see that there are 2 connections.
This is what I see (sorry, my Windows is Greek; tell me anything you need and I will translate it):
[screenshot]

The second active connection is an addition that I don't know how it was created, since I didn't create it.
I believe it's making a conflict with the correct connection I am using.

This is how it looks after I use the repair function of Windows.
[screenshot]




Additionally, I cannot get my PC into inactivation/suspension mode {I am not sure what this is called in English} (it is when the system saves its current state and can be opened again with a click on the keyboard).
When I click that button the screen turns black with the Aero effect and loads my desktop again after 1 or 2 seconds.

What can I do?

Edited by pspuser007, 15 December 2009 - 01:05 PM.


#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Sorry that should have read OTS for the cleanup

Is it a wireless connection that you are using? OTS had no effect on your connection, as it just removed a malware run key and emptied your temporary files.

On the left top of the network window is Manage Wireless networks
Select that
Then remove the one you do not use (looking at the screenshot it appears to be the public one)




Is it the sleep function you are referring to?
I am on windows 7 so I will check that out

#9 pspuser007 (Topic Starter, Member, 48 posts)
Yes! The sleep function, that is what I am talking about. :)
OK, I will be waiting!

Well I am connected via Ethernet.
And I don't have a wireless adaptor.
So, what I see there is:
*Change adaptor settings
*Change settings for shared used (Advanced users)

I ran OTL clean up and got this:
File/Folder !Killbox not found.
File/Folder *.run not found.
File/Folder _backupD not found.
File/Folder _OTL not found.
File/Folder _OTListIt not found.
File/Folder _OTM not found.
File/Folder _OTMoveIt not found.
Service not present: catchme.
Service not present: gmer.


I have noticed another problem.
If I stop using the computer for 10 minutes and the screen gets into "sleep" state, when I move the mouse and my desktop shows up, my icons have changed place.
What is wrong with that?

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
For the sleep problem read this

OK will check out the moving icons next

Do you have the option to delete the errant network connection ?

#11 pspuser007 (Topic Starter, Member, 48 posts)
It didn't seem to work. :)
If I click the sleep mode button after 1-2 secs of black screen I am taken at the select user screen, where there is:
My user picture and below that
My username and below that
it says "Locked".

As for that errant network, I can only deactivate it at startup and then use the repair function. That's when I can get connected.
This is what I see in the properties of this connection:
[screenshot]

It seems that it is my connection. Like a clone.
Notice that it says "Domain Invalid" at something that has to do with DNS.

Also, next to the bench it says:
Unidentified network
Public network

Edited by pspuser007, 15 December 2009 - 03:50 PM.


#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
Bear with me I will ask the Techs to look at this

#13 pspuser007 (Topic Starter, Member, 48 posts)
Ok then, thank you for your help and concern!

So I should wait for a reply from a tech here?

Edited by pspuser007, 15 December 2009 - 04:13 PM.


#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)
The techs can't reply in this thread, but they will talk to me and then I will relay it to you. If it gets too technical for me I will set you up in the network forum where they can get their hands dirty and reply immediately :)

#15 pspuser007 (Topic Starter, Member, 48 posts)
Ok then!
I will be waiting.

Thank you.