techinstructor 0 Posted November 13, 2013 Posted November 13, 2013 My computer was infected last night with a variant of Win32/Kryptik.BOJT Trojan. It locked the computer and demanded a $300 ransom for the key to unlock the machine. Upon the third restart, the computer was unlocked thanks to eSet Smart Security 5. eSet located and quarantined the trojan - file name: h4qfte.dss. Since then I've had only a few minor issues which may or may not be related. Soon after the desktop was unlocked I got a Windows error message stating that the Control deck had stopped working. This has not happened again, but then I haven't restarted the computer. I've also experienced a frozen browser (mouse would not move) for about a minute a few times this morning - once when trying to "print" to pdf. Each time the browser came back into operation on its own after a pause. Our internet connection (mobile broadband) is "iffy" at best so that may have been the culprit there. Since discovering the quarantined trojan I have run a computer scan with eSet, in addition to a scan with SuperAntiSpyware and Malwarebytes Anti Malware, all of which had up-to-date definitions. Nothing was found on any of these scans. I've also run CCleaner which did not find anything. Interestingly, wrhile checking the startup items in CCleaner, I found a suspicious file (etfq4h.ink) which was disabled and deleted. I also disabled "Remote Desktop Administration" after reading a tip at eSet (I don't recall ever enabling it, so I wonder if the trojan did that). I also put tape over my laptop's camera, since the trojan photographed the user when the infection occurred. This was disconcerting to say the least. I'm concerned that there could be other infected items that have not been discovered. I can't find any definitive information on the variant of this trojan that infected my computer, specifically if it could have had rootkit capabilities. I'm also concerned that the eSet Firewall allowed this trojan to get into my computer. I would appreciate comments concerning any further action that I might take to ensure that I don't have more problems from this trojan in the future. I'm afraid to back up my files for fear of infecting my external drive which was not plugged in at the time. Any assurances or advice would be welcomed.
Arakasi 549 Posted November 13, 2013 Posted November 13, 2013 Next best thing. Create a Sysinspector log and post a link here. Its in your tools section.
techinstructor 0 Posted November 17, 2013 Author Posted November 17, 2013 Sorry it took me so long to respond. I've attached the Sysinspector Log. Hopefully, this is what you were requesting. SysInspector-TIMOBILE-131117-1359.zip So far the computer has not had any other issues, though the issue with "the ControlDeck not responding" continues to occur each time it starts up. Interestingly though, there are no obvious issues other than the dialog window pops ups, I click "close" and then everything appears normal and there are no obvious issues with operation. I'm planning to download the latest version of the ControlDeck from ASUS and see if it fixes the problem. I'm still concerned that there may be other hidden issues from this trojan lurking on my machine so I greatly appreciate any suggestions you may have.
ESET Insiders stackz 115 Posted November 18, 2013 ESET Insiders Posted November 18, 2013 (edited) There's a service entry in the registry most likely related to the infection - Services: "Windows Management Instrumentation" = "c:\progra~3\etfq4h.pss" Automatic ; Stopped ; ( 5: Unknown ) ; Edited November 18, 2013 by stackz
techinstructor 0 Posted November 18, 2013 Author Posted November 18, 2013 There's a service entry in the registry most likely related to the infection - Services: "Windows Management Instrumentation" = "c:\progra~3\etfq4h.pss" Automatic ; Stopped ; ( 5: Unknown ) ; Thanks. Upon investigation I found this file in eSet's quarantine. Further seaching revealed three other files etfq4h.reg, etfq4h.bxx, and etfq4h.fvv. I was able to quarantine the first two and the third I was able to delete after reboot with the help of Hijack This. I also deleted the registry entry. Is it ok to delete these and the other trojan files from the eSet quarantine? I really don't like leaving them there and would much prefer for them to just be GONE! Thanks again.
SweX 871 Posted November 18, 2013 Posted November 18, 2013 Yes it's OK to permanently delete them from the quarantine if you want to do that, or leave them inside they can do no harm from there.
Recommended Posts