Do I have a Trojan/malware? Trojware.Win32.Kryptik ~NT 105835263

I use Comodo Internet Security, and a few days ago it detected 3 files infected with Trojware.Win32.Kryptik ~NT 105835263. It said that it quarantined them; however, when I ran a scan again they were detected again.

I downloaded TCPView and it showed “[system process] (0)” connecting a ton of times to random remote addresses. They all connect over the port I use for bittorrent. When I open bittorrent more connections are made. In both cases some of them light up red then switch to yellow.

Also a lot of “svchost.exe” and “system 4” connecting to remote address “**” with listening states. I don’t know what that means.

When I run Hijackthis! it gives me an error saying “For some reason your system has denied write access to the HOSTS file.” etc.

I’ve run scans with Comodo, Malwarebytes, SUPERAntiSpyware, Windows Defender and a-squared Free, which detected nothing. I also tried GMER. It detected a number of files, but they were all in the Comodo quarantine. Anyone have any ideas if this sounds like malware or what I should do? Thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:25:28 PM, on 6/13/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files (x86)\CyberLink\Shared Files\brs.exe
C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\VideoLAN\VLC\vlc.exe
C:\Program Files (x86)\Pidgin\pidgin.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\John\AppData\Local\Temp\Rar$EX01.299\Tcpview.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN | Outlook, Office, Skype, Bing, Breaking News, and Latest Videos
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
O4 - HKLM..\Run: [BDRegion] C:\Program Files (x86)\Cyberlink\Shared files\brs.exe
O4 - HKLM..\Run: [RemoteControl10] "C:\Program Files (x86)\CyberLink\PowerDVD10\PDVD10Serv.exe"
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files (x86)\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU..\Run: [Steam] C:\Program Files (x86)\Valve\Steam\Steam.exe -silent
O4 - HKCU..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - Startup: CurseClientStartup.ccip
O4 - Global Startup: McAfee Security Scan Plus.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip..{7403B186-482B-4007-A3D1-80952F7D57A9}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip..{87130B5A-F7B6-4CAF-8F03-FC938EEDA800}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip..{7403B186-482B-4007-A3D1-80952F7D57A9}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip..{7403B186-482B-4007-A3D1-80952F7D57A9}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs: ,C:\Windows\SysWOW64\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files (x86)\a-squared Free\a2service.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: COMODO livePCsupport Service (CLPSLS) - COMODO - C:\Program Files (x86)\COMODO\COMODO livePCsupport\CLPSLS.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files (x86)\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: StarWind AE Service (StarWindServiceAE) - StarWind Software - C:\Program Files (x86)\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)


End of file - 7789 bytes
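A small triage script for a HijackThis-style log like the one above, added here as an example; it is not code from the thread, from Comodo or from Trend Micro. It groups entries by section code and reports what a reviewer of such a log checks first: BHOs with no backing file, duplicated Winsock LSP entries, configured DNS servers, AppInit_DLLs, and services reported as "(file missing)". The "(file missing)" services are split into paths under C:\Windows\System32 and everything else, because a 32-bit scanner such as HijackThis 2.0.4 reads that directory through WoW64 file-system redirection on 64-bit Windows and therefore reports legitimate 64-bit-only service binaries as missing. The sample input is copied from the log above except for the final "ExampleSvc" line, which is constructed to show a service path outside System32.

```python
"""Triage helper for a HijackThis-style log (added example, not from the thread)."""
import re
from collections import Counter

# Sample input: entries copied from the log above, plus one constructed
# ExampleSvc line (not in the real log) to show a service path outside System32.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip..{7403B186-482B-4007-A3D1-80952F7D57A9}: NameServer = 156.154.70.22,156.154.71.22
O20 - AppInit_DLLs: ,C:\Windows\SysWOW64\guard32.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Users\John\AppData\Roaming\example.exe (file missing)
"""

# Every HijackThis entry starts with a section code such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# Paths a 32-bit process sees through WoW64 redirection on 64-bit Windows.
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\", re.IGNORECASE)


def parse_entries(text):
    """Return (code, body) tuples; header, process-list and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def orphaned_bhos(entries):
    """O2 entries whose DLL no longer exists (leftovers from uninstalled software)."""
    return [b for c, b in entries if c == "O2" and b.endswith("(no file)")]


def duplicate_lsp_entries(entries):
    """O10 entries listed more than once, mapped to their count."""
    counts = Counter(b for c, b in entries if c == "O10")
    return {b: n for b, n in counts.items() if n > 1}


def name_servers(entries):
    """Distinct DNS servers from every O17 NameServer entry."""
    servers = set()
    for c, b in entries:
        if c == "O17":
            _, _, value = b.partition("NameServer = ")
            servers.update(s.strip() for s in value.split(",") if s.strip())
    return sorted(servers)


def appinit_dlls(entries):
    """DLLs injected into every user-mode process via AppInit_DLLs (O20)."""
    dlls = []
    for c, b in entries:
        if c == "O20" and b.startswith("AppInit_DLLs:"):
            dlls.extend(d.strip() for d in b.split(":", 1)[1].split(",") if d.strip())
    return dlls


def missing_services(entries):
    """Split '(file missing)' services into System32 paths (likely WoW64
    redirection noise from a 32-bit scanner on x64) and everything else."""
    redirected, other = [], []
    for c, b in entries:
        if c != "O23" or not b.endswith("(file missing)"):
            continue
        path = b[: -len("(file missing)")].rsplit(" - ", 1)[-1].strip()
        (redirected if SYSTEM32_RE.match(path) else other).append(path)
    return redirected, other


def triage(text):
    """Run every check over the log text and return the findings by category."""
    entries = parse_entries(text)
    redirected, other = missing_services(entries)
    return {
        "orphaned_bhos": orphaned_bhos(entries),
        "duplicate_lsp": duplicate_lsp_entries(entries),
        "name_servers": name_servers(entries),
        "appinit_dlls": appinit_dlls(entries),
        "missing_system32": redirected,
        "missing_other": other,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the findings for the sample, or replace SAMPLE_LOG with the contents of a saved HijackThis log. Only the "missing_other" bucket points at a binary that is actually absent from disk; the "missing_system32" bucket should be re-checked with a 64-bit tool before anything is removed.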

Can you please upload the files that were detected by Comodo to virustotal and post a link to the results?

This should help to clarify whether this was an infection or not.

Also, can you please perform a scan with the two products listed here and tell us if they detect anything suspicious:
How to check if your computer is infected

I’m not sure how to upload it to Virustotal. I never saw the original location of where the file was. Now it says it is located in the comodo quarantine and I can’t open the folder or upload it on Virustotal because it says I don’t have permission.

Cloud Scanner found 0 malware, 431 privacy issues, 162 registry errors, and 570 junk files.

Hitman found nothing.

I guess it’s nothing? Also, I forgot to mention Comodo continually reports intrusion attempts from “System”, source IP 192.168.1.142, source port 4971-5, destination port 137 or 139.
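A connection-table triage script for the TCPView observations in the first post and the firewall alerts in this one, added here as an example; it is not from the thread, from TCPView or from Comodo. It parses constructed `netstat -ano` output (the same socket table TCPView displays) and summarises three things: TIME_WAIT sockets reported with PID 0, which netstat attributes to no process and TCPView shows as "[System Process]" because the owning process has already closed them (a BitTorrent client cycling through peers leaves many of these on its listening port); listening sockets owned by svchost or System (PID 4); and inbound alerts to ports 137/139 from a private-range source, which is NetBIOS name-service and session traffic from another host on the LAN. The listening port number, the sample rows and the peer addresses are all constructed for the example.

```python
"""Connection-table triage (added example, not from the thread or any tool named in it)."""
import ipaddress

TORRENT_PORT = 51413  # assumed client listening port; not taken from the thread

# Constructed sample rows in 'netstat -ano' layout: Proto Local Foreign State PID
# (UDP rows have no State column). Peer addresses come from documentation ranges.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:51413     203.0.113.7:6881       TIME_WAIT       0
  TCP    192.168.1.10:51413     198.51.100.22:51234    TIME_WAIT       0
  TCP    192.168.1.10:51413     203.0.113.9:6889       ESTABLISHED     2456
  TCP    192.168.1.10:51413     192.168.1.20:6881      ESTABLISHED     2456
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       748
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Address blocks that belong to the local network rather than the Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def parse_netstat(text):
    """Return one dict per socket row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif len(parts) == 4:  # UDP rows carry no state column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        if not pid.isdigit():
            continue
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'203.0.113.7:6881' -> ('203.0.113.7', '6881'); also copes with '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_lan(host):
    """True for LAN/loopback addresses, False for Internet addresses, None if not an IP."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return any(addr in net for net in LAN_NETS)


def summarize(rows, torrent_port=TORRENT_PORT):
    """Bucket the socket table into the categories a first look at TCPView needs."""
    summary = {"orphaned_time_wait": 0, "torrent_peers_internet": set(),
               "torrent_peers_lan": set(), "listeners": []}
    for r in rows:
        _, lport = split_endpoint(r["local"])
        rhost, _ = split_endpoint(r["remote"])
        # PID 0 + TIME_WAIT: the owning process has closed the socket already.
        if r["pid"] == 0 and r["state"] == "TIME_WAIT":
            summary["orphaned_time_wait"] += 1
        if lport == str(torrent_port) and r["state"] in ("ESTABLISHED", "TIME_WAIT"):
            key = "torrent_peers_lan" if is_lan(rhost) else "torrent_peers_internet"
            summary[key].add(rhost)
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["remote"] == "*:*"):
            summary["listeners"].append((r["proto"], lport, r["pid"]))
    return summary


def classify_inbound(source_ip, dest_port):
    """Classify a firewall alert given its source IP and destination port."""
    if is_lan(source_ip) and dest_port in (137, 138, 139, 445):
        return "LAN NetBIOS/SMB traffic from another host on the local network"
    if is_lan(source_ip):
        return "other LAN traffic"
    return "Internet-sourced inbound attempt"


if __name__ == "__main__":
    print(summarize(parse_netstat(SAMPLE_NETSTAT)))
    print(classify_inbound("192.168.1.142", 137))
```

To use it on a real machine, paste the output of `netstat -ano` into SAMPLE_NETSTAT and set TORRENT_PORT to the client's listening port; the "listeners" bucket is the one to compare against what you expect the system to be serving.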

I would delete this, but just in case let HijackThis create a backup copy:
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll

Also, you have quite a few missing files.

Do this

To start System File Checker (SFC.exe), follow the steps below.

  1. Open an elevated command prompt, i.e. a command prompt run as an administrator. To do this, click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Now type the command sfc /scannow and press Enter. The System File Checker will start checking the system.

     This process might take some time as it has to scan all the system files for errors.

  3. Once the scan is complete it will display the result to inform whether there are any issues with the system files.

The sfc /scannow command scans all protected system files and replaces incorrect versions with correct Microsoft versions. In case the tool is not able to fix the error, it is better to restore the system to a previous state using System Restore.

Today my CIS5 found Trojware.Win32.Kryptik.cu. I was surfing the net on various sites and after that I had this malware on my PC.

I cleaned this infection, but a few minutes later the realtime scanner found other infections with Trojware.Win32.Kryptik.cu; the malware had created various folders and files in many places…

CIS5 deleted them after confirmation & sent a sample to Comodo.

After that I scanned my drive with CIS5 and other scanners, but found nothing… I hope the infection is gone.

Sys:

Win7 x64 + CIS5

The big problem is, CIS5 did not give any popup for these malware downloads… only the AV scanner showed a reaction. I did not have any admin rights at this time, but the malware could create folders & files oO

No FW or D+ popups…

UAC - failed
CIS5 - failed?

If it was running in the sandbox it can create folders and drop files (to certain places) but not do any damage.

I’m no expert at HijackThis scans, but do you have two antivirus programs installed at the same time, Comodo and McAfee? I noticed this file in your log:

C:\Program Files (x86)\McAfee Security Scan\2.0.181\SSScheduler.exe

Having two antivirus programs installed at the same time is no good; they will fight each other.

Download the uninstall tool for McAfee and run it, and see if it finds any leftover files of McAfee.

It could be the reason why Comodo has detected malware.

Hope it helps you solve your problem. If not, let us know.

mikaelrask,
that HijackThis log was from yahar.

This person “w4ke”

Anyway,

After that I scanned my drive with CIS5 and other scanners, but found nothing... I hope the infection is gone.

Go download Hitman Pro and run it, just to double check :slight_smile: I hope you’re good to go.

If you want to post a HijackThis log, feel free to if you feel it’s necessary :-TU

Oops, noticed that now; my post was for yahar. Sorry I missed adding that in my post.