Shoaib Maqsood 0 Posted October 10, 2018 Share Posted October 10, 2018 Hello All, we receive a Trojan display with the name of "Win32/Kryptik.GLLG Trojan". we used ESETNod32 Antivirus Version 11.2.63.0 and we see the problem is that the antivirus show us that he detect it and clean it automatically but the virus/Trojan is still in the system. please resolve this if any one have any knowledge about this. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted October 10, 2018 Most Valued Members Share Posted October 10, 2018 1 hour ago, Shoaib Maqsood said: Hello All, we receive a Trojan display with the name of "Win32/Kryptik.GLLG Trojan". we used ESETNod32 Antivirus Version 11.2.63.0 and we see the problem is that the antivirus show us that he detect it and clean it automatically but the virus/Trojan is still in the system. please resolve this if any one have any knowledge about this. Can you post the log of the detected threats from the Log ? , Did you scan your PC after the Trojan was detected in realtime by ESET? Link to comment Share on other sites More sharing options...
itman 1,538 Posted October 10, 2018 Share Posted October 10, 2018 5 hours ago, Shoaib Maqsood said: we see the problem is that the antivirus show us that he detect it and clean it automatically but the virus/Trojan is still in the system How did you determine this was the case? Link to comment Share on other sites More sharing options...
Shoaib Maqsood 0 Posted October 17, 2018 Author Share Posted October 17, 2018 Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here 9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM this the log. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted October 17, 2018 Most Valued Members Share Posted October 17, 2018 17 minutes ago, Shoaib Maqsood said: Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here 9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM this the log. It has been cleaned by deleting,you could scan your PC , full system scan to make sure there are no left-over by the trojan Link to comment Share on other sites More sharing options...
Shoaib Maqsood 0 Posted October 17, 2018 Author Share Posted October 17, 2018 Time;URL;Status;Application;User;IP address;SHA1 10/17/2018 3:23:53 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B 10/17/2018 4:23:36 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B 10/17/2018 5:23:18 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B these are the latest log and also full scan my pc after scan it detect nothing but after some time it come again. Link to comment Share on other sites More sharing options...
Shoaib Maqsood 0 Posted October 17, 2018 Author Share Posted October 17, 2018 we search this trojan in ESET trojan foram we see only Win32/Kryptik.GKOG,Win32/Kryptik.GKOH,Win32/Kryptik.GKOI and Win32/Kryptik.GKOJ but Win32/Kryptik.GLLG is not in list please update it in ESET antivirus. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,704 Posted October 17, 2018 Administrators Share Posted October 17, 2018 Listed on virusradar: Please provide logs gathered by ELC. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 187 Posted October 17, 2018 Most Valued Members Share Posted October 17, 2018 46 minutes ago, Shoaib Maqsood said: Time;URL;Status;Application;User;IP address;SHA1 10/17/2018 3:23:53 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B 10/17/2018 4:23:36 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B 10/17/2018 5:23:18 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B these are the latest log and also full scan my pc after scan it detect nothing but after some time it come again. How does it come back again? , do you enter a website or access somewhere that sends you the trojan again? Link to comment Share on other sites More sharing options...
itman 1,538 Posted October 17, 2018 Share Posted October 17, 2018 The malware Eset is detecting is originating from explorer.exe. In the first Eset log screen shot posted, Eset detected and deleted malicious app.exe creation in C:\Users\ADMINI~1\AppData\Local\Temp\792158756\ directory. The later log screen shots appear to show some type of remote execution attempt of app.exe from explorer.exe most likely executing a shell originating from your printer directory. This is why Eset keeps detecting the malware. It appears the attacker has gained remote access to your device. Link to comment Share on other sites More sharing options...
Shoaib Maqsood 0 Posted October 17, 2018 Author Share Posted October 17, 2018 is there any solution for remove this trojan. Link to comment Share on other sites More sharing options...
itman 1,538 Posted October 17, 2018 Share Posted October 17, 2018 38 minutes ago, Shoaib Maqsood said: is there any solution for remove this trojan. If you had Eset Internet/Smart Security, I would recommend temporarily creating a firewall rule to block or monitor any outbound TCP/UDP communication from both x(86) and x(64) instances of explorer.exe until it can be established what malware is the source. Also if you are using Win 10 non-Home version, you need to lock down RDP access. Link to comment Share on other sites More sharing options...
Administrators Marcos 4,704 Posted October 17, 2018 Administrators Share Posted October 17, 2018 Please provide ELC logs as I requested before. Link to comment Share on other sites More sharing options...
itman 1,538 Posted October 17, 2018 Share Posted October 17, 2018 (edited) This appears to be malicious adware related: https://malwaretips.com/blogs/remove-newscommer-com/ Additional ref. here: https://urlquery.net/report/e62bc006-8e06-4829-9a89-c43311cd01e5 Edited October 17, 2018 by itman Link to comment Share on other sites More sharing options...
Shoaib Maqsood 0 Posted October 18, 2018 Author Share Posted October 18, 2018 13 hours ago, Marcos said: Please provide ESET Log Collector logs as I requested before. ESET Log Collector logs. collector_log.txt Link to comment Share on other sites More sharing options...
ESET Support notimportant 5 Posted October 18, 2018 ESET Support Share Posted October 18, 2018 45 minutes ago, Shoaib Maqsood said: ESET Log Collector logs. collector_log.txt This is not output from ESET Log Collector. File should be called eis_logs.zip, or similar (eav_logs.zip, ...), it will be generated in few minutes. Link to comment Share on other sites More sharing options...
Shoaib Maqsood 0 Posted October 18, 2018 Author Share Posted October 18, 2018 50 minutes ago, notimportant said: This is not output from ESET Log Collector. File should be called eis_logs.zip, or similar (eav_logs.zip, ...), it will be generated in few minutes. ESET Log Collector logs efsw_logs.zip Link to comment Share on other sites More sharing options...
Administrators Marcos 4,704 Posted October 18, 2018 Administrators Share Posted October 18, 2018 You have posted ELC logs from EFSW. However, your EFSW doesn't have Web and email protection installed and obviously the Filtered websites log could not be collected because it didn't exist. Were those records with detected threats actually from EFSW? Link to comment Share on other sites More sharing options...
itman 1,538 Posted October 18, 2018 Share Posted October 18, 2018 As originally posted below, the OP specifically stated the Eset detections where from NOD32; On 10/10/2018 at 4:17 AM, Shoaib Maqsood said: we used ESETNod32 Antivirus Version 11.2.63.0 and we see the problem is that the antivirus show us that he detect it and clean it automatically but the virus/Trojan is still in the system. Further justification given below: On 10/17/2018 at 7:43 AM, Shoaib Maqsood said: Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here 9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM Therefore @Shoaib Maqsood, you need to post ELC logs from the device with NOD32 installed where the above log detections originated. Link to comment Share on other sites More sharing options...
Recommended Posts