oops, is Trojan Win32/Kryptik.EEI gone?


5 replies to this topic

#1 chromebuster

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 17 May 2010 - 11:46 PM

Hey Folks,
I sort of goofed up last week. I downloaded something that I thought was an executable for a program. I was using Firefox, so NOD32's IMON didn't flag it right then. Next, after clicking the .exe file, WinPatrol came up and told me that it had detected a new startup entry. I allowed it, went to dinner, and moved on with my life. When I returned, after talking to my friend on the phone for a bit, I saw that Internet Explorer had started automatically and that there were ads for hotels as well as other things up there. The funny thing was that I was able to kill IE8 easily, including a download window (which I know I didn't click on). I looked at WinPatrol's list of programs and promptly removed the randomly named one that was running from my C drive under a file named fhg.exe. Beside it was a file with the name FHF.exe. These were running under my temp folder under local AppData. The even stranger thing is the fact that both files allowed me to delete them without a hoot or a holler. Meanwhile, the next day, May 9 (for this first started on the 8th), in late afternoon, I was finally able to view NOD's log. My trusty antivirus told me that it had deleted a file in my Windows folder called fzytua.exe, flagging it as Trojan Win32/Kryptik.EEI. Now on May 17, nine days later, I ran Malwarebytes and it found two lone registry keys, both with the same random process name as what was once detected by WinPatrol. Both went into cyberspace without a single word or error message. The thing that perplexed me the most was that both had the name Trojan.FakeAlert beside their name in the MBAM log. Was this just one of those surface things that should now no longer be of any concern? If you have any input, please let me know.

Thanks
Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge


#2 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,936 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 May 2010 - 09:11 AM

From what you describe, it appears MBAM found remnants of the malware infection which had created keys in the Windows registry. Although you were able to remove the physical malware files, those registry keys remained until MBAM detected and removed them.

Are you still showing any signs of infection?

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
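One way to look for the kind of remnant quietman7 describes (a startup entry whose launch file is already gone) is to walk the standard Run/RunOnce keys and flag any value whose target no longer exists. The script below is added here as an illustration; it is not code from this thread or from any of the products mentioned in it. It assumes Windows PowerShell and covers only the four common Run/RunOnce keys; it reports and changes nothing.

```powershell
# Added example (not from the thread or any product it mentions): report
# autostart entries under the standard Run/RunOnce keys whose launch target no
# longer exists on disk. Such an entry is the remnant described above: the
# executable was deleted, but the registry value that started it stayed behind.
# The script only reports; it deletes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds to its output that are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunTarget {
    param([string]$CommandLine)
    # Extract the executable path from a Run value, dropping any arguments.
    # Handles quoted ("C:\path with spaces\x.exe" /arg) and unquoted
    # (C:\path\x.exe /arg) forms; environment variables are expanded.
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $path = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.Trim('"') }
    } else {
        $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Test-AutorunTargetExists {
    param([string]$Target)
    # A bare name such as rundll32.exe is resolved through PATH, as the shell
    # would; anything with a directory component must exist exactly as given.
    if ($Target -notmatch '[\\/]') {
        return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
    }
    return Test-Path -LiteralPath $Target -PathType Leaf
}

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $target = Get-AutorunTarget -CommandLine ([string]$prop.Value)
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
                Target  = $target
                Exists  = Test-AutorunTargetExists -Target $target
            }
        }
    }
}

# Entries whose target is gone are the ones to review (a missing file can also
# mean an uninstaller was sloppy, so inspect before removing anything).
Get-AutorunEntries | Where-Object { -not $_.Exists } | Format-Table -AutoSize
```

Run/RunOnce are only the most common autostart locations; services, scheduled tasks, Winlogon values and browser add-ons are not covered here, which is why dedicated autostart scanners check far more places than this script does.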

#3 chromebuster (Topic Starter)

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 18 May 2010 - 11:07 AM

Not at all. I'll say that everything looks as good as new now. It's almost like it never happened at all. But just on the side, lucky for me, but bad for the author who wrote the darn thing. He must not have had too much bad stuff planned out, since he basically left the darn thing open for manual removal with human hands. I'm just curious, how many times have you seen that in your time here on this board? But I'm also wondering, when I scanned the files after downloading with both SAS and MBAM, why didn't they see the trojan lurking inside them then? And not to mention, why on earth did NOD32 leave those lone registry entries behind? Is that normal for primary sources of protection to do that? And I also think that they should allow IMON to protect those users of Firefox, since Firefox users can get infected by being stupid like I was. LOL. Thanks for the reply.

Regards,
Chromebuster


#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,936 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 May 2010 - 11:14 AM

No single product is 100% foolproof or can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware, and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus, combined with common sense and safe surfing habits, provides the most complete protection.

NOTE: It is not uncommon for subsequent scanning, after updates to a particular security product have been released, to result in detection of items which had previously gone undetected by prior scans.

#5 chromebuster (Topic Starter)

  • Members
  • 899 posts
  • Gender:Female
  • Location:the crazy city of Boston, In the North East reaches of New England

Posted 18 May 2010 - 12:48 PM

Oh. That makes sense. But curiously, I was wondering why, when I look up this particular Kryptik variant, I can find nothing. Not to mention, ESET didn't put any of the Kryptik variants in their encyclopedia. Do you know of any sources that might include them?

Thanks
Chromebuster


#6 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 50,936 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 18 May 2010 - 01:01 PM

Each security vendor uses their own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more information about the actual file(s) involved. See Understanding virus names.

Looks like ESET added Win32/Kryptik.EEI in 5098 (20100509).