# Infected With Malware Win32/Kryptik



## bauer24 (Sep 30, 2004)

Hi,

I currently have a PC installed with Windows XP (Pro, SP2), and there are 4 admin accounts and one limited user account. My brother notified me that ESET NOD32 (V3) had detected a threat, and that he had performed a scan. The results are below:

08/03/2009 23:59:34	HTTP filter	file	http://82.98.235.205/dwn/d.html?sid...3rkh2C6pPcwqqTEA5rkp1DJl4dAyYfilarUpNOK5Kcwuo a variant of Win32/Kryptik.JY trojan	connection terminated - quarantined	NT AUTHORITY\SYSTEM	Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
08/03/2009 23:59:32	HTTP filter	file	http://82.98.235.205/dwn/d.html?sid...3rkh2C6pPcwqqTEA5rUp1C5l4dAyYfilarUpNOK5Kcwuo a variant of Win32/Adware.Virtumonde.NCY application	connection terminated - quarantined	NT AUTHORITY\SYSTEM	Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
08/03/2009 23:59:28	HTTP filter	file	http://82.98.235.205/dwn/d.html?sid...3rkh2C6pPcwqqTEA5rkp1DJl4dAyYfilarUpNOK5Kcwuo a variant of Win32/Kryptik.JY trojan	connection terminated - quarantined	NT AUTHORITY\SYSTEM	Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
08/03/2009 23:59:28	HTTP filter	file	http://82.98.235.205/dwn/d.html?sid...3rkh2C6pPcwqqTEA5rUp1C5l4dAyYfilarUpNOK5Kcwuo a variant of Win32/Adware.Virtumonde.NCY application	connection terminated - quarantined	NT AUTHORITY\SYSTEM	Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
08/03/2009 23:59:24	HTTP filter	file	http://82.98.235.205/dwn/d.html?sid...3rkh2C6pPcwqqTEA5rkp1DJl4dAyYfilarUpNOK5Kcwuo a variant of Win32/Kryptik.JY trojan	connection terminated - quarantined	NT AUTHORITY\SYSTEM	Threat was detected upon access to web by the application: C:\WINDOWS\system32\winlogon.exe.
08/03/2009 23:59:23	HTTP filter	file	http://82.98.235.205/dwn/d.html?sid...3rkh2C6pPcwqqTEA5rUp1C5l4dAyYfilarUpNOK5Kcwuo a variant of Win32/Adware.Virtumonde.NCY application	connection terminated - quarantined	NT AUTHORITY\SYSTEM	Threat was detected upon access to web by the application: C:\WINDOWS\system32\winlogon.exe.
08/03/2009 23:53:53	Real-time file system protection	file	C:\DOCUME~1\Ahmed\LOCALS~1\Temp\nmdbxxnklw.tmp	a variant of Win32/Kryptik.HY trojan	cleaned by deleting - quarantined	NT AUTHORITY\SYSTEM	Event occurred on a new file created by the application: C:\DOCUME~1\Ahmed\LOCALS~1\Temp\incosnet.tmp.
08/03/2009 23:53:26	Real-time file system protection	file	C:\DOCUME~1\Ahmed\LOCALS~1\Temp\prun.tmp	Win32/TrojanClicker.VB.NFI trojan	cleaned by deleting - quarantined	NT AUTHORITY\SYSTEM	Event occurred on a new file created by the application: C:\WINDOWS\system32\rn.tmp.

A few weeks ago my computer was infected with the Vundo Trojan & Rootkit Seneka (See: http://forums.techguy.org/malware-r...396-infected-vundo-trojan-rootkit-seneka.html); however, this was successfully solved, and I told the users of my PC to be more cautious on the net. Today, when browsing the net with Firefox, Internet Explorer opened up, loading a number of tabs which did not connect to an actual site. This action continually occurs, and now my computer runs really slow. I checked the System Configuration utility and noticed the following suspicious files:

lavusita.dll
YUGUTOYI.DLL
kinajuto.dll

Below are the results of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:11:21, on 09/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: {4eafce73-d4e1-3fd8-8214-542592a83eb0} - {0be38a29-5245-4128-8df3-1e4d37ecfae4} - C:\WINDOWS\system32\mvnrpi.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {dee4b564-5dca-47a6-b0c9-2e6a6e1f0540} - C:\WINDOWS\system32\teyufeve.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nuwibizive] Rundll32.exe "C:\WINDOWS\system32\lavusita.dll",s
O4 - HKLM\..\Run: [CPMb3906176] Rundll32.exe "c:\windows\system32\yugutoyi.dll",a
O4 - HKLM\..\Run: [b0a352ea] rundll32.exe "C:\WINDOWS\system32\kinajuto.dll",b
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\CounterSpy\SBAMTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Suleman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKUS\S-1-5-19\..\Run: [nuwibizive] Rundll32.exe "C:\WINDOWS\system32\lavusita.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [nuwibizive] Rundll32.exe "C:\WINDOWS\system32\lavusita.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://utilities.pcpitstop.com/da/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6DC59CFC-4FA6-4435-9155-0C28F9EEA015}: NameServer = 194.168.4.100,194.168.8.100
O20 - AppInit_DLLs: C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\yugutoyi.dll mvnrpi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yugutoyi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yugutoyi.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: CounterSpy Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe
O23 - Service: SIMUL8 Parallel Processor (SIMUL8Parallel) - SIMUL8 Corporation - C:\PROGRA~1\SIMUL8\SIMUL8_ParallelSVC.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

--
End of file - 9248 bytes
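Added example (not code from the poster or from TSG): a small Python triage pass over HijackThis O-lines like the ones above. It flags the load points a helper would look at first in this log: O4 Run entries that use rundll32 to call a one-letter export, unnamed O2 BHOs in system32, anything in O20 AppInit_DLLs, O21/O22 shell load points in system32, and any DLL that is reached through more than one of these mechanisms. The sample lines are copied from the log in this post; the heuristics are this example's own and are not an ESET or HijackThis feature.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the O-lines from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [nuwibizive] Rundll32.exe "C:\WINDOWS\system32\lavusita.dll",s
O4 - HKLM\..\Run: [CPMb3906176] Rundll32.exe "c:\windows\system32\yugutoyi.dll",a
O4 - HKLM\..\Run: [b0a352ea] rundll32.exe "C:\WINDOWS\system32\kinajuto.dll",b
O2 - BHO: (no name) - {dee4b564-5dca-47a6-b0c9-2e6a6e1f0540} - C:\WINDOWS\system32\teyufeve.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\kakekuze.dll c:\windows\system32\yugutoyi.dll mvnrpi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yugutoyi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yugutoyi.dll
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - <body>"
DLL_RE = re.compile(r"\b(\w+\.dll)\b", re.IGNORECASE)
# rundll32 "<path>.dll",<single-letter export> is the pattern the three O4 lines share
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"[^"]+\.dll",\s*[A-Za-z]\b', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)

def triage(log_text):
    """Return ({dll: [entry types it appears under]}, [(entry, dll, reason)]); heuristic first pass, not a signature."""
    dll_sites = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        dlls = [d.lower() for d in DLL_RE.findall(body)]
        for d in dlls:
            dll_sites[d].add(kind)
        if kind == "O4" and RUNDLL_RE.search(body):
            findings.append((kind, dlls[0], "rundll32 with one-letter export"))
        elif kind == "O2" and "(no name)" in body and SYSTEM32_RE.search(body):
            findings.append((kind, dlls[0], "unnamed BHO in system32"))
        elif kind == "O20" and body.startswith("AppInit_DLLs:"):
            for d in dlls:  # AppInit_DLLs is normally empty on a clean XP box
                findings.append((kind, d, "AppInit_DLLs is non-empty"))
        elif kind in ("O21", "O22") and SYSTEM32_RE.search(body):
            findings.append((kind, dlls[0], "shell load point in system32"))
    # The same DLL reached through several load points is the strongest signal.
    for d, sites in dll_sites.items():
        if len(sites) > 1:
            findings.append(("multi", d, "same DLL under " + ",".join(sorted(sites))))
    return {d: sorted(s) for d, s in dll_sites.items()}, findings
```

On the sample, yugutoyi.dll is reported under O4, O20, O21 and O22 at once, while the Java BHO ssv.dll is not flagged at all.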


----------



## bauer24 (Sep 30, 2004)

UPDATE: I have finished running a scan using CounterSpy, scan results below:

http://i43.tinypic.com/20ids7b.jpg
http://i41.tinypic.com/97pma8.jpg
http://i44.tinypic.com/308jmsl.jpg
http://i39.tinypic.com/9fqyqg.jpg

The scan also found some tracking cookies. I have chosen to delay taking action and get further assistance from here.


----------



## bauer24 (Sep 30, 2004)

Another update: I booted up the PC and, just before the login stage, a BSOD appeared saying:

stop C000021a fatal system error 
the windows logon process System Process terminated unexpectedly with a status of 0×00000000 (0×00000000 0×00000000 )
The system has been shut down

This keeps on happening. I hope I don't have to format, as I have coursework documents on the PC. Is there any way to recover them?


----------



## bauer24 (Sep 30, 2004)

bump,


----------



## sjpritch25 (Sep 8, 2005)

Welcome to TSG 

Sorry for the delay

Please download *Malwarebytes Anti-Malware* from *Here* or *Here*
Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes Anti-Malware*, then click Finish. 
If an update is found, it will download and install the latest version. 
Once the program has loaded, select *Perform Quick Scan*, then click *Scan*. 
The scan may take some time to finish, so please be patient. 
When the scan is complete, click OK, then Show Results to view the results. 
Make sure that *everything is checked*, and click *Remove Selected*. 
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) 
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. 
Copy & paste the entire report in your next reply with a fresh HijackThis log too.

Extra Note:

*If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.*


Download *random's system information tool (RSIT)* by *random/random* from *here* and save it to your desktop.
Double click on *RSIT.exe* to run *RSIT*.
Click *Continue* at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both *log.txt* (<<will be maximized) and *info.txt* (<<will be minimized)


----------

