
TR/Kryptik.aona found day of wannacry outbreak


11 replies to this topic

#1 roundrabbit

  • Members
  • 30 posts
  • Gender: Female

Posted 16 May 2017 - 09:03 PM

Hi, my issue happened on a Windows 10 laptop on the 12th of this month, the same day the wannacry ransomware was running rampant.

I was on the usual sites (netflix, reddit, tumblr) when Avira blocked and quarantined a file with the pattern TR/Kryptik.aona. The exact message was "Access to file 'C:\Users\...\79B24211F213E00AE7AC59E555820F5CE4635BBC' containing the pattern of 'TR/Kryptik.aona' was blocked. We moved the file to quarantine."

Checking quarantine revealed two files like this, plus a file marked as suspicious. The suspicious file is "C:\Users\Karli\AppData\Roaming\sp_data.sys". The "TR/Kryptik.aona" files were located in "C:\Users\Karli\AppData\Local\Mozilla\Firefox\Profiles\1vndxchs.default-1440887755479\cache2\entries\...". I hadn't made any changes to my computer or installed anything before this happened.

 

I scanned with Avira and MBAM right after, then again in safe mode, but found nothing. I ran CCleaner after all of this. Was this a failed wannacry infection attempt, or a separate virus altogether? I'm worried that it's the latter, and the virus is still on my computer.

I made a backup on an external HD a week prior to this, and a backup on OneDrive right after all this happened. If my computer is infected, are the backups infected, too?

 

I don't know if this is related, but I'll mention it anyway just in case: At the end of every scan since late February, Avira notifies me of a file "C:\Users\Karli\AppData\Local\Temp\tmpF91D.tmp" giving me the message "[WARNING] The file could not be read!". I assumed it was related to a tech editing my computer's registry when I took it in for repairs, but now I'm worried this may be part of TR/Kryptik. Is this file related, and would a virus really stay dormant for months before finally doing something (or trying to)?

 

I've tried to include everything I could think of, but if you need any more information, please just let me know.

Thanks for any help or advice anyone can offer. :)
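The flagged files in this post live under Firefox's cache2\entries folder, where Firefox names each file after the SHA-1 of its cache key (hence the 40-hex-character name quoted above) and stores that key, a tag prefix plus the URL the content was fetched from, in a metadata trailer at the end of the file, so the entry itself records which site served it. As an added example that is not from this thread or from Mozilla, the Python below parses such an entry following Firefox's CacheFileMetadata layout, recovers the URL, and checks that the file name matches the key; the sample entry is constructed inline because no real entry is on the page.

```python
import hashlib
import struct

CHUNK = 256 * 1024  # cache2 stores one 16-bit hash per 256 KiB of content

def build_cache2_entry(key: bytes, content: bytes, elements: dict) -> bytes:
    """Assemble a cache2 entry image; used here only to construct sample data."""
    n_chunks = (len(content) + CHUNK - 1) // CHUNK
    meta = struct.pack(">I", 0) + b"\x00\x00" * n_chunks       # hashes, not verified here
    meta += struct.pack(">8I", 3, 1, 0, 0, 0, 0, len(key), 0)  # version-3 header
    meta += key + b"\x00"
    for name, value in elements.items():
        meta += name + b"\x00" + value + b"\x00"
    return content + meta + struct.pack(">I", len(content))

def parse_cache2_entry(blob: bytes) -> dict:
    """Parse a cache2 entry. Layout, all big-endian: content | uint32 meta-hash |
    uint16 per content chunk | header (version, fetchCount, lastFetched, lastModified,
    frecency, expirationTime, keySize[, flags]) | key NUL | name NUL value NUL ... |
    uint32 offset of the metadata, stored in the last four bytes of the file."""
    if len(blob) < 4:
        raise ValueError("too short to be a cache2 entry")
    meta_off = struct.unpack(">I", blob[-4:])[0]
    pos = meta_off + 4 + 2 * ((meta_off + CHUNK - 1) // CHUNK)
    if meta_off > len(blob) - 4 or pos + 28 > len(blob) - 4:
        raise ValueError("metadata offset or header runs past end of file")
    hdr = struct.unpack(">7I", blob[pos:pos + 28])
    pos += 28 + (4 if hdr[0] >= 2 else 0)      # mFlags field exists since version 2
    key = blob[pos:pos + hdr[6]]
    if blob[pos + hdr[6]:pos + hdr[6] + 1] != b"\x00":
        raise ValueError("key not NUL-terminated; entry is corrupt")
    parts = blob[pos + hdr[6] + 1:-4].split(b"\x00")
    # The key is "<tags>:<url>"; tags such as "a," (anonymous) precede the first ':'
    url = key.split(b":", 1)[1].decode("utf-8", "replace") if b":" in key else ""
    return {"url": url, "key": key, "version": hdr[0], "fetch_count": hdr[1],
            "content_size": meta_off, "elements": dict(zip(parts[0::2], parts[1::2])),
            "expected_filename": hashlib.sha1(key).hexdigest().upper()}  # name = SHA-1(key)

def entry_matches_filename(filename: str, blob: bytes) -> bool:
    """True when the on-disk name equals SHA-1(key), the name Firefox gives its entries."""
    try:
        return parse_cache2_entry(blob)["expected_filename"] == filename.upper()
    except ValueError:
        return False

# Constructed sample standing in for a real file under ...\cache2\entries\
SAMPLE_ENTRY = build_cache2_entry(
    b":https://example.invalid/static/app.js", b"console.log(1);",
    {b"request-method": b"GET", b"response-head": b"HTTP/1.1 200 OK\r\n"})
```

Against a real file, pass its bytes to parse_cache2_entry; a file in that folder whose name does not equal the SHA-1 of its key was not written there by the cache.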





#2 buddy215

  • BC Advisor
  • 12,873 posts
  • Gender: Male
  • Location: West Tennessee

Posted 17 May 2017 - 09:18 AM

Could be adware. Use the programs below to remove adware and kryptik.

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window.

  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 roundrabbit

  • Topic Starter
  • Members
  • 30 posts
  • Gender: Female

Posted 17 May 2017 - 03:27 PM

Hi, Buddy215! Thanks for helping me with this. :)

 

The results of AdwCleaner were "AdwCleaner found no threat on your computer!" I clicked on "clean" anyway, though.

I'll do the next step now and either edit this reply or make a new one with the results, whichever you prefer.

 

# AdwCleaner v6.046 - Logfile created 17/05/2017 at 15:12:33
# Updated on 24/04/2017 by Malwarebytes
# Database : 2017-05-17.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Karli - PILGORE
# Running from : C:\Users\Karli\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [963 Bytes] - [17/12/2016 13:17:51]
C:\AdwCleaner\AdwCleaner[C2].txt - [815 Bytes] - [17/05/2017 15:12:33]
C:\AdwCleaner\AdwCleaner[S0].txt - [1131 Bytes] - [17/12/2016 13:16:59]
C:\AdwCleaner\AdwCleaner[S1].txt - [1280 Bytes] - [17/05/2017 15:10:52]

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1033 Bytes] ##########

Results of Junkware Removal Tool:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64
Ran by Karli (Administrator) on Wed 05/17/2017 at 15:31:59.68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 05/17/2017 at 15:33:12.80
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

I have a question: After running JRT, I noticed that the icons for OneDrive and Asus Web Storage have disappeared from the icon list on the right side of my taskbar. Asus Smart Gesture no longer shows up on Task Manager, and I can't scroll using the touchpad. Those will come back after I restart, right?

 

I held down the control button while clicking the ESET OnlineScan link, but it won't open in a new window. When it opens in a new tab, or I right click and select "open in new window", I get the same message on the page "Page not found (homepage.php)"

I don't have Internet Explorer, but I have Microsoft Edge. Should I try that instead? And I assume I'll need to follow the instructions for alternate browsers?


Edited by roundrabbit, 17 May 2017 - 03:59 PM.


#4 buddy215

  • BC Advisor
  • 12,873 posts
  • Gender: Male
  • Location: West Tennessee

Posted 17 May 2017 - 04:19 PM

Haven't seen that happen on other computers. Since JRT didn't remove anything....I suggest rebooting the computer before running Eset.

 

Eset may have changed. Download and run the FREE online scanner from Free Virus Scan | Online Virus Scan from ESET | ESET

It says it works in all browsers.




#5 roundrabbit

  • Topic Starter
  • Members
  • 30 posts
  • Gender: Female

Posted 17 May 2017 - 04:23 PM

I restarted my computer. Is that alright, or should I shut down, then start back up before running ESET?

The programs I mentioned came back when I restarted, by the way.



#6 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 50,937 posts
  • Gender: Male
  • Location: Virginia, USA

Posted 17 May 2017 - 04:46 PM

Hi, my issue happened on a Windows 10 laptop...

 
FYI

... we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.

Microsoft Customer Guidance for WannaCrypt attacks
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 roundrabbit

  • Topic Starter
  • Members
  • 30 posts
  • Gender: Female

Posted 17 May 2017 - 04:51 PM

Thanks for the information, quietman7! This has been a worry in the back of my mind since I heard about it, so it's reassuring to have detailed info about the wannacrypt attack. :)



#8 buddy215

  • BC Advisor
  • 12,873 posts
  • Gender: Male
  • Location: West Tennessee

Posted 17 May 2017 - 04:58 PM

Go ahead and run the Eset scan...




#9 roundrabbit

  • Topic Starter
  • Members
  • 30 posts
  • Gender: Female

Posted 17 May 2017 - 06:50 PM

Before I ran the scan, it made me select either "Enable detection of potentially unwanted applications" or "Disable detection of potentially unwanted applications", so I selected "Enable". Two things were already checked, "Enable detection of suspicious applications" and "Enable anti-stealth technology", so I left them checked. Would doing that have affected the results of the scan?

It said "No threats found" after it finished scanning, with no option to "List threats", so I couldn't export and save the file.

I selected "Delete application's data on close", although the icon is still on my desktop.



#10 buddy215

  • BC Advisor
  • 12,873 posts
  • Gender: Male
  • Location: West Tennessee

Posted 17 May 2017 - 07:45 PM

Good...you made the best scanning selections. Your Avira removed whatever the threat was...

 

You are good to go....happy surfin'

 

If you don't have an ad blocker I suggest using Adblock Plus. Once it is installed in each browser click on the ABP icon at the top of the browsers.

Choose Filter Preferences. Then UNcheck the box next to Allow some non-intrusive advertisements.

Adblock Plus - Chrome Web Store    Adblock Plus for Edge browser   Adblock Plus :: Add-ons for Firefox




#11 roundrabbit

  • Topic Starter
  • Members
  • 30 posts
  • Gender: Female

Posted 17 May 2017 - 07:53 PM

Okay, that's a huge relief to know. :) Thank you so much for all your help, Buddy215!

I do have Adblock Plus, and I have "Allow some non-intrusive advertisements" unchecked, but I've noticed that very rarely a stray ad will get through somehow.

If we're done with everything, do I need to follow any special removal instructions for the things I downloaded today, or can I just drag them to the recycle bin and that will take care of them?



#12 buddy215

  • BC Advisor
  • 12,873 posts
  • Gender: Male
  • Location: West Tennessee

Posted 18 May 2017 - 05:17 AM

You can keep JRT and AdwCleaner or uninstall them. To uninstall JRT....right click on it and choose delete.

 

To uninstall AdwCleaner...open it and choose Uninstall.

 

You can uninstall Eset from the list of installed programs like any other installed program.

 

Those "stray ads" may be the results of a website being hacked and the ads are malicious, a new ad server on the block or the website's own ads.

You can block those by right clicking on the ad and allowing Adblock Plus to block them if an ad appears day after day on one of your frequently visited websites.

 

You're welcome...






