Kryptik.SQ Trojan

By uruha1 · 12 replies
Jun 23, 2009
  1. Hello, my computer has been infected by a virus, named "Kryptik.SQ Trojan".
    I have scanned my computer with ESET Nod32, it does delete the virus, but does not delete it completely. Even after deleting the virus, it still shows signs of it.

    I cannot run HijackThis, SuperAntiSpyware, Spybot Search and Destroy, or Combofix.

    Unfortunately, I cannot download MalwareBytes' AntiMalware because the website always shows up as "Internet Explorer cannot display the webpage", so the only logs I have are GMER:
  2. touch

    touch TS Rookie Posts: 978

    Hello uruha1

    Run combofix, slightly different ->

    Please download combofix here ->
    Before Saving it to Desktop, please rename it to to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

    Combofix will create a logfile and display it after your computer has rebooted.
    Usually located in c:\combofix.txt, please attach it to your next post
  3. uruha1

    uruha1 TS Rookie Topic Starter

    Okay, I have followed your instructions and here is the Combofix log:

    Attached Files:

  4. uruha1

    uruha1 TS Rookie Topic Starter

    Hmm... haven't replied in a day, bump.
  5. touch

    touch TS Rookie Posts: 978

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It seems like those who are the most severely infected are also among the most impatient!

    Lack of information such as why this doesn't work- what happens when attempted:
    would have been helpful, and why Combofix was even attempted when it clearly stated that it should not be run until or unless the helper recommends it.

    And how Combofix was suddenly working? And since it was, was there any attempt made to scan with the original three programs suggested?
  7. uruha1

    uruha1 TS Rookie Topic Starter

    I am very sorry for being impatient, but I think my computer is running fine now.

    Here are the logs:
  8. ChrisDown

    ChrisDown TS Rookie Posts: 125

    Is there a reason for you to be using as your TCP/IP nameserver?
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    There are too many helpers here and it might confuse you.

    This entry:
    usually indicates a DNS Changer infection. This will require resetting your router.

    Unfortunately, you did not follow the steps we recommend to be done first and now Combofix is in the middle!
    Virus and Malware Removal

    Please uninstall Combofix:
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • When shown the disclaimer, Select "2"
    Then do this: Reset the router - and flush DNS

    Start>Run> type cmd> Enter>
    At the C prompt type ipconfig /flushdns
    (notice space between g and /)
    When finished, exit the command prompt and shutdown the system.

    Follow these steps:

    • [1]. Shut down your computer, and any other computer connected to your router.
      [2]. On the back of the router, there should be a small hole or button labelled RESET:
      [o]Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
      [o]Unplug the router. Wait sixty seconds.
      [o]Now holding again the reset button, plug it back in.
      [o]Continue holding the reset button for twenty seconds.
      [o]Unplug the router again.
      [3]. With the router unplugged, start your computer. Run MBAM again.
      [4]. Connect again to the router. Then turn the router back on.
      [o]When it stabilizes, reboot your workstation and try to access the internet.
      [o]If you have any issues, access the Router configuration page and re-enter your authentication information.
      [5]. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.
    Rescan with Hijack This and attach new log.

    Run a full system scan with your antivirus program. Save the log and attach to your next reply

    Logs to include:
    Malware bytes
    Antivirus scan
    HijackThis scan
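A check for the DNS Changer symptom Bobbye describes, as an added example that is not part of the thread: it parses the resolver lines from Windows `ipconfig /all` output and flags any DNS server that is neither on an allowlist nor on the adapter's own subnet. The ipconfig text and the allowlist below are constructed for the example, not taken from the poster's logs.

```python
"""Check the DNS servers reported by Windows 'ipconfig /all' against what the
network should be using. Added example, not from the TechSpot thread; the
ipconfig output below is constructed, not taken from the poster's logs."""
import ipaddress
import re

# Constructed sample of 'ipconfig /all' output: one resolver is the router,
# the other (203.0.113.45, a documentation address) stands in for an unknown one.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HOME-PC

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       192.168.1.1
"""

# Hypothetical allowlist: resolvers the owner knowingly configured (e.g. the ISP's).
EXPECTED_DNS = {"198.51.100.1"}


def _field(text: str, label: str):
    """First IPv4 value on a line that starts with `label` (dots/spaces, then ':')."""
    m = re.search(rf"^\s*{re.escape(label)}[ .]*:\s*([\d.]+)", text, re.M)
    return m.group(1) if m else None


def parse_dns_servers(text: str) -> list:
    """Collect the 'DNS Servers' value plus its indented continuation lines."""
    servers, collecting = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*([\d.]+)", line)
        if m:
            servers.append(m.group(1)); collecting = True
        elif collecting and re.fullmatch(r"\s+([\d.]+)\s*", line):
            servers.append(line.strip())
        else:
            collecting = False
    return servers


def suspicious_dns(text: str, expected=EXPECTED_DNS) -> list:
    """DNS servers that are neither allowlisted nor on the adapter's own subnet."""
    lan = ipaddress.ip_network(
        f"{_field(text, 'IPv4 Address')}/{_field(text, 'Subnet Mask')}", strict=False)
    return [s for s in parse_dns_servers(text)
            if s not in expected and ipaddress.ip_address(s) not in lan]
```

A resolver on the LAN is normally the router, but a router whose own upstream DNS has been changed will still pass the check, which is why the thread resets the router rather than only flushing the client cache.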
  10. uruha1

    uruha1 TS Rookie Topic Starter

    I have followed all your instructions, here are the logs.
    Apparently, my AntiVirus scan log exceeded the limit for uploading, so I zipped it up. <-- If you won't accept this, tell me what to do to show you the log. The log is very long.

    Thank you all very much for helping me.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you apply the 'flush DNS' before you ran the scans? the DNS Changer is still showing.

    You'll need to run an online AV scan- Nod32 'thinks' you have locked archives and wasn't able to scan: Before running it, please delete any files Nod32 has in quarantine.

    Open Kaspersky Online Scanner in Internet Explorer HERE.
    • Click Accept and the web scanner will begin to load
    • If a yellow warning bar appears at the top of the browser, click it and choose Install ActiveX Control
    • You will be prompted to install an ActiveX component from Kaspersky, click Install
    • If you are prompted about another ActiveX control called Kaspersky Online Scanner GUI part then allow it to be installed also.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT and then Scan Settings
    • In the scan settings make sure that the following are selected:
      [o] Scan using the following Anti-Virus database> Extended (if available otherwise Standard)
      [o] Scan Options: Scan Archives> Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      [o] Select My Computer
    • The program will start to scan your system.
    • Once the scan is complete, click on the Save as Text button and save the file to your desktop
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Please follow this with a new download of Combofix:

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    • Run Combo-Fix.exe and follow the prompts.
      [o]Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
      [•] Wait for the scan to be completed.
      [•] If it requires a reboot, please do it.
      [•] After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)
    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Follow with a new scan with HijackThis:
    Include logs from Kaspersky, Combofix report, HijackThis in your next reply.
  12. uruha1

    uruha1 TS Rookie Topic Starter

    Here are the logs:
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Down to business:
    Control Panel> Java> General tab> Temporary internet files> Settings> Delete
    My Computer> right click on Local Drive- usually C> Properties> General tab> do a disc clean up.

    The file TOOLBR.EXE is a legitimate component of America Online Security Edition. Kaspersky found the "not-a-virus:AdWare.Win32.SearchIt.t". I don't see any other entries for AOL. If you are not using AOL or their 'security', I recommend you uninstall this program.

    When finished the uninstall: right click on Start> Explore> Programs> right click on this AOL entry> Delete.
    Empty the Recycle Bin.

    I'm going to pass on to you that you have many programs starting on boot that do not need to start then. They can be started manually if or when you need them. Examples are:
    Adobe Reader Speed Launch>> reader_sl.exe
    Digital Camera
    Lexmark Printer
    QuickTime>> qtask
    iTunes>> updater
    Sonic updater
    Real player updater
    Intervideo WinScheduler> (Filename: SchSvr.exe) If you want to schedule recordings from your TV tuner card, you will need it.
    WinDVD Remote Control
    (WZCSLDR2.exe >> D-Link-Wireless DWL-122 Adapter Software??)

    If all of these start on boot, they will run in the background. The 'updaters' will connect to the internet frequently 'looking' for updates. They will use system resources, slow you down and create additional vulnerabilities.

    I recommend using the msconfig utility to stop all from starting up, leaving only the antivirus, third party firewall if running one and touchpad if on laptop- nothing else needs to start on boot.

    If you are interested in stopping these processes, let me know and I'll take you through.

    You also have BitDefender Online Scanner (ActiveQscan), Panda AV (Housecall) in the background.

    So the system will have this conversation with itself, something like this: "OK guys, which one of us should field this malware?" "You take it." "No, I'll take it." and in the meantime, your main AV program is trying to shut them all up and do what it's supposed to do. You get the idea?

    Are you currently having any redirects? Any other problems? I would like you to run your Nod32 once more and attach new log. If clean and no problems, I'll have you remove the cleanup tools.