Jump to content

Win32/Kryptik.BOJT Trojan variant found

techinstructor
 Share

Recommended Posts

techinstructor

techinstructor 0

Posted
Posted

My computer was infected last night with a variant of Win32/Kryptik.BOJT Trojan.  It locked the computer and demanded a $300 ransom for the key to unlock the machine.  Upon the third restart, the computer was unlocked thanks to eSet Smart Security 5.  eSet located and quarantined the trojan - file name: h4qfte.dss.  Since then I've had only a few minor issues which may or may not be related.

 

Soon after the desktop was unlocked I got a Windows error message stating that the Control deck had stopped working.  This has not happened again, but then I haven't restarted the computer.  I've also experienced a frozen browser (mouse would not move) for about a minute a few times this morning - once when trying to "print" to pdf.   Each time the browser came back into operation on its own after a pause.  Our internet connection (mobile broadband) is "iffy" at best so that may have been the culprit there.

 

Since discovering the quarantined trojan I have run a computer scan with eSet, in addition to a scan with SuperAntiSpyware and Malwarebytes Anti Malware, all of which had up-to-date definitions.  Nothing was found on any of these scans.  I've also run CCleaner which did not find anything.  Interestingly, wrhile checking the startup items in CCleaner, I found a suspicious file (etfq4h.ink) which was disabled and deleted. I also disabled "Remote Desktop Administration" after reading a tip at eSet (I don't recall ever enabling it, so I wonder if the trojan did that).  I also put tape over my laptop's camera, since the trojan photographed the user when the infection occurred.  This was disconcerting to say the least.

 

I'm concerned that there could be other infected items that have not been discovered.  I can't find any definitive information on the variant of this trojan that infected my computer, specifically if it could have had rootkit capabilities.  I'm also concerned that the eSet Firewall allowed this trojan to get into my computer.

 

I would appreciate comments concerning any further action that I might take to ensure that I don't have more problems from this trojan in the future.  I'm afraid to back up my files for fear of infecting my external drive which was not plugged in at the time.  Any assurances or advice would be welcomed.

Link to comment
Share on other sites
techinstructor

techinstructor 0

Posted
  • Author
Posted

Sorry it took me so long to respond.  I've attached the Sysinspector Log.  Hopefully, this is what you were requesting.

 

SysInspector-TIMOBILE-131117-1359.zip

 

So far the computer has not had any other issues, though the issue with "the ControlDeck not responding" continues to occur each time it starts up.  Interestingly though, there are no obvious issues other than the dialog window pops ups, I click "close" and then everything appears  normal and there are no obvious issues with operation.  I'm planning to download the latest version of the ControlDeck from ASUS and see if it fixes the problem. 

 

I'm still concerned that there may be other hidden issues from this trojan lurking on my machine so I greatly appreciate any suggestions you may have.

Link to comment
Share on other sites
  • ESET Insiders
stackz

stackz 112

Posted
  • ESET Insiders
Posted (edited)

There's a service entry in the registry most likely related to the infection -

Services:

"Windows Management Instrumentation" = "c:\progra~3\etfq4h.pss" Automatic ; Stopped ; ( 5: Unknown ) ;
Edited by stackz
Link to comment
Share on other sites
techinstructor

techinstructor 0

Posted
  • Author
Posted

There's a service entry in the registry most likely related to the infection -


Services:

"Windows Management Instrumentation" = "c:\progra~3\etfq4h.pss" Automatic ; Stopped ; ( 5: Unknown ) ;
Thanks.  Upon investigation I found this file in eSet's quarantine.  Further seaching revealed three other files etfq4h.reg,  etfq4h.bxx, and etfq4h.fvv.  I was able to quarantine the first two and the third I was able to delete after reboot with the help of Hijack This.  I also deleted the registry entry.

 

Is it ok to delete these and the other trojan files from the eSet quarantine?  I really don't like leaving them there and would much prefer for them to just be GONE! 

 

Thanks again.

Link to comment
Share on other sites
SweX

SweX 871

Posted
Posted

Yes it's OK to permanently delete them from the quarantine if you want to do that, or leave them inside they can do no harm from there. :)

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...