Win32/Kryptik.GH Trojan [Solved]

--------------------

Last edited by 11PM on 13th February 2009, 1:11 am; edited 1 time in total (Reason for editing : Idk)

Re: Win32/Kryptik.GH Trojan

Back again? LMBO or ROFL

Download OTViewIt to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt, I don't need to see Extras.txt
  • You may need to use more than one post to get it all on the forum

Re: Win32/Kryptik.GH Trojan

Belahzur wrote:
Back again? LMBO or ROFL

Download OTViewIt to your desktop.

  • Close all windows and open it
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up called OTViewIt.txt, the other will be saved on your desktop and called Extras.txt. Just post OTViewIt.txt, I don't need to see Extras.txt
  • You may need to use more than one post to get it all on the forum


For some reason, it's not wanting to do the full scan. Sometimes it stops or an error comes up.

Error:

Access violation at address 774410B0 in module 'ntdll.dll'. Read of address 00000012.

Then I click "ok" but 5-10 minutes pass showing "application event log"..

Re: Win32/Kryptik.GH Trojan

Hello. OTViewIt and MBAM are probably among the few tools that run on the 64-bit version of Vista.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Iminent.SearchTheWeb.HelperObject - {0E896FCA-D07E-45FE-901F-6A26FCF59C02} - mscoree.dll (file missing)
    O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\Program Files (x86)\SmartShopper\Bin\2.5.0\SmrtShpr.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\SysWOW64\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 YFF3 Firefox/3.0.6" -"http://bcs.worthpublishers.com/discoveringpsych4e/content/cat_020/05020-01.asp"


  • Press "Fix Checked"
  • Close Hijack This.

Please download the OTMoveIt3 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :files
    C:\Program Files (x86)\SmartShopper
    C:\Program Files (x86)\RelevantKnowledge


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

Re: Win32/Kryptik.GH Trojan

Log of OTMoveit3:

Error: Unable to interpret in the current context!
Error: Unable to interpret in the current context!

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02102009_122044


------------------------------------------------------------------------------------------------

The last program said it didn't find anything..

Re: Win32/Kryptik.GH Trojan

Download Lop S&D < here

Right-click Lop S&D.exe > Select "Run as administrator"
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Re: Win32/Kryptik.GH Trojan

I did what you said but it shows "Starting scan" then it closes and nothing comes up..

Re: Win32/Kryptik.GH Trojan

Darn.
Can you try the run as administrator on OTViewIt?

Re: Win32/Kryptik.GH Trojan

Belahzur wrote:
Darn.
Can you try the run as administrator on OTViewIt?


It worked when I ran OTViewIt as admin.

Re: Win32/Kryptik.GH Trojan

Hooray! Thank god for that.
Post the log please.

Re: Win32/Kryptik.GH Trojan

-------------------

Last edited by 11PM on 13th February 2009, 1:12 am; edited 1 time in total

Re: Win32/Kryptik.GH Trojan

---------------------

Last edited by 11PM on 13th February 2009, 1:12 am; edited 1 time in total

Re: Win32/Kryptik.GH Trojan

--------------------------

Last edited by 11PM on 13th February 2009, 1:12 am; edited 1 time in total

Re: Win32/Kryptik.GH Trojan

Do you know what this file is?
C:\Users\Tessonja\Documents\Your Credit Diagnosis membership has been cancelled per your membership terms.doc

Fix this registry item.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}]


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Now open another new notepad file.
Input this into the notepad file:

@echo off
sc config "RelevantKnowledge" start= disabled
sc stop "RelevantKnowledge"
sc delete "RelevantKnowledge"
del fix.bat
exit


Save this as fix.bat, save it to your desktop.
Double click fix.bat and the black cmd window will open and close, this is normal.

Delete these two folders in bold if they exist:
C:\Program Files (x86)\RelevantKnowledge
C:\Program Files (x86)\SmartShopper

No sign of malware in the log.
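Added example, not code from this thread, from HijackThis or from OldTimer: a small Python triage script that parses the "O2 - BHO" lines the helper asked to fix earlier in the thread, flags the registrations HijackThis reports as orphaned ("(no file)" / "(file missing)"), and drafts the same `[-HKEY_LOCAL_MACHINE\...\Browser Helper Objects\{CLSID}]` removal text that the fix.reg above uses. The function names (`parse_o2_lines`, `build_reg_fix`), the `Bho` dataclass, and the second Wow6432Node key path are my assumptions; the sample log lines are the ones quoted in the thread, embedded here as constructed input.

```python
"""Triage HijackThis 'O2 - BHO' lines and draft a Registry Editor 5.00 file
that deletes the orphaned Browser Helper Object registrations."""
import re
from dataclasses import dataclass

# Constructed sample input: the O2 lines quoted earlier in this thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Iminent.SearchTheWeb.HelperObject - {0E896FCA-D07E-45FE-901F-6A26FCF59C02} - mscoree.dll (file missing)
O2 - BHO: SmartShopper - {2BA1C226-EC1B-4471-A65F-D0688AC6EE3A} - C:\\Program Files (x86)\\SmartShopper\\Bin\\2.5.0\\SmrtShpr.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
"""

# HijackThis O2 format: "O2 - BHO: <name> - {CLSID} - <dll path or status>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<target>.*)$"
)

# Key used by the thread's fix.reg, plus the redirected key a 32-bit BHO lands
# under on 64-bit Windows (assumption on my part that both should be cleared).
BHO_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
           r"\Explorer\Browser Helper Objects")
BHO_KEY_WOW64 = (r"HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows"
                 r"\CurrentVersion\Explorer\Browser Helper Objects")


@dataclass
class Bho:
    name: str
    clsid: str
    target: str

    @property
    def orphaned(self) -> bool:
        # HijackThis marks a registration whose DLL is gone as '(no file)' or
        # '<dll> (file missing)'; the key is dead weight and safe to delete.
        t = self.target.strip()
        return t == "(no file)" or t.endswith("(file missing)")


def parse_o2_lines(log_text: str) -> list[Bho]:
    """Return every O2 - BHO entry in a HijackThis log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            # CLSIDs are case-insensitive in the registry; normalise for comparisons.
            entries.append(Bho(m["name"], m["clsid"].upper(), m["target"]))
    return entries


def build_reg_fix(entries: list[Bho], extra_clsids=()) -> str:
    """Draft .reg text deleting the BHO key of every orphaned entry plus any
    CLSIDs passed explicitly (the thread removes the SmartShopper CLSID by hand
    after its program folder has been moved)."""
    clsids = [e.clsid for e in entries if e.orphaned]
    for c in extra_clsids:
        if c.upper() not in clsids:
            clsids.append(c.upper())
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        # regedit ignores a [-key] line whose key does not exist, so listing
        # both the native and the Wow6432Node path is harmless.
        lines.append(f"[-{BHO_KEY}\\{clsid}]")
        lines.append(f"[-{BHO_KEY_WOW64}\\{clsid}]")
        lines.append("")
    return "\r\n".join(lines)  # .reg files conventionally use CRLF line endings


if __name__ == "__main__":
    found = parse_o2_lines(SAMPLE_LOG)
    for e in found:
        print(f"{'ORPHANED' if e.orphaned else 'present '}  {e.clsid}  {e.name}")
    print(build_reg_fix(found, extra_clsids=["{2BA1C226-EC1B-4471-A65F-D0688AC6EE3A}"]))
```

Run it against a saved HijackThis log instead of `SAMPLE_LOG` to get the draft fix.reg; review each CLSID before merging, since a BHO whose DLL is merely on a path HijackThis could not resolve would also be reported as orphaned.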

Re: Win32/Kryptik.GH Trojan

It's good, just some info...

Okay, I did everything that you said.

Hopefully it doesn't happen again to any of my family's computers.. lol

Thanks for the help [again].
