Win32/Kryptik.GLLG Trojan


Recommended Posts

Hello All,

We see a Trojan displayed with the name "Win32/Kryptik.GLLG Trojan". We use ESET NOD32 Antivirus Version 11.2.63.0, and the problem is that the antivirus shows us that it detects it and cleans it automatically, but the virus/Trojan is still in the system. Please resolve this if anyone has any knowledge about this.


  • Most Valued Members
1 hour ago, Shoaib Maqsood said:

Hello All,

We see a Trojan displayed with the name "Win32/Kryptik.GLLG Trojan". We use ESET NOD32 Antivirus Version 11.2.63.0, and the problem is that the antivirus shows us that it detects it and cleans it automatically, but the virus/Trojan is still in the system. Please resolve this if anyone has any knowledge about this.

Can you post the log of the detected threats from the Log? Did you scan your PC after the Trojan was detected in real time by ESET?


5 hours ago, Shoaib Maqsood said:

the problem is that the antivirus shows us that it detects it and cleans it automatically, but the virus/Trojan is still in the system

How did you determine this was the case?


Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM

This is the log.


  • Most Valued Members
17 minutes ago, Shoaib Maqsood said:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM

This is the log.

It has been cleaned by deleting. You could scan your PC (a full system scan) to make sure there is nothing left over by the trojan.


Time;URL;Status;Application;User;IP address;SHA1
10/17/2018 3:23:53 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
10/17/2018 4:23:36 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
10/17/2018 5:23:18 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B


These are the latest logs. I also did a full scan of my PC; after the scan it detected nothing, but after some time it comes again.


We searched for this trojan in the ESET trojan forum and saw only Win32/Kryptik.GKOG, Win32/Kryptik.GKOH, Win32/Kryptik.GKOI and Win32/Kryptik.GKOJ, but Win32/Kryptik.GLLG is not in the list. Please update it in ESET antivirus.


  • Most Valued Members
46 minutes ago, Shoaib Maqsood said:

Time;URL;Status;Application;User;IP address;SHA1
10/17/2018 3:23:53 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
10/17/2018 4:23:36 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
10/17/2018 5:23:18 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B


These are the latest logs. I also did a full scan of my PC; after the scan it detected nothing, but after some time it comes again.

How does it come back again? Do you enter a website or access somewhere that sends you the trojan again?


The malware Eset is detecting is originating from explorer.exe.

In the first Eset log screen shot posted, Eset detected and deleted malicious app.exe creation in C:\Users\ADMINI~1\AppData\Local\Temp\792158756\ directory.

The later log screen shots appear to show some type of remote execution attempt of app.exe from explorer.exe most likely executing a shell originating from your printer directory. This is why Eset keeps detecting the malware.

It appears the attacker has gained remote access to your device.

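The two ESET log exports posted above, worked through as an added example that is not part of this thread: a small parser for ESET's semicolon-separated log format that pulls out the process ESET recorded as creating the detected file (the Information field) and measures how regularly the same blocked download recurs from the same process, the pattern the reply above reads as repeated execution rather than a one-off infection. The names TIME_FMT, CREATOR_RE, file_creators and recurring_blocks are mine; the sample input is the log lines quoted in the thread.

```python
import csv
import re
from datetime import datetime
from io import StringIO
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"  # timestamp format used by these exports
CREATOR_RE = re.compile(r"created by the application: (.+?) \(")
# Sample input: the two ESET log exports posted in the thread, verbatim.
THREAT_LOG = r"""Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM
"""
WEB_LOG = r"""Time;URL;Status;Application;User;IP address;SHA1
10/17/2018 3:23:53 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
10/17/2018 4:23:36 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
10/17/2018 5:23:18 PM;hxxp://newscommer.com/41qilngy38303743/app.exe;Blocked by internal blacklist;C:\Windows\explorer.exe;PRINTER2F\Printer2f;51.158.71.75;89A175A12BC20104770D0EF83E553F8B0E06274B
"""

def parse_eset_log(text):
    """Parse a semicolon-separated ESET log export into a list of dicts."""
    rows = list(csv.DictReader(StringIO(text), delimiter=";"))
    for row in rows:
        row["Time"] = datetime.strptime(row["Time"], TIME_FMT)
    return rows

def file_creators(threat_rows):
    """Map each detected object to the process ESET recorded as creating it
    (parsed from the Information field), e.g. app.exe written by explorer.exe."""
    out = {}
    for row in threat_rows:
        m = CREATOR_RE.search(row["Information"])
        out[row["Object"]] = m.group(1) if m else None
    return out

def recurring_blocks(web_rows, min_count=3, jitter_s=60):
    """Group blocked downloads by (SHA1, requesting process) and measure the
    gap between consecutive blocks; near-identical gaps point to a scheduled
    retry (a persistence mechanism) rather than a user revisiting a page."""
    groups = {}
    for row in sorted(web_rows, key=lambda r: r["Time"]):
        groups.setdefault((row["SHA1"], row["Application"]), []).append(row["Time"])
    result = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[key] = {"count": len(times), "gaps_s": gaps,
                       "regular": max(gaps) - min(gaps) <= jitter_s}
    return result

if __name__ == "__main__":
    print(file_creators(parse_eset_log(THREAT_LOG)))
    print(recurring_blocks(parse_eset_log(WEB_LOG)))
```

On the thread's data the three blocks are 3583 s and 3582 s apart, a one-second jitter on an hourly cadence, which is what you would look for next in Task Scheduler, Run keys or services on the affected machine.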

38 minutes ago, Shoaib Maqsood said:

Is there any solution for removing this trojan?

If you had Eset Internet/Smart Security, I would recommend temporarily creating a firewall rule to block or monitor any outbound TCP/UDP communication from both x(86) and x(64) instances of explorer.exe until it can be established what malware is the source.

Also if you are using Win 10 non-Home version, you need to lock down RDP access.


  • Administrators

You have posted ELC logs from EFSW. However, your EFSW doesn't have Web and email protection installed and obviously the Filtered websites log could not be collected because it didn't exist.

Were those records with detected threats actually from EFSW?


As originally posted below, the OP specifically stated the Eset detections were from NOD32:

On 10/10/2018 at 4:17 AM, Shoaib Maqsood said:

We use ESET NOD32 Antivirus Version 11.2.63.0, and the problem is that the antivirus shows us that it detects it and cleans it automatically, but the virus/Trojan is still in the system.

Further justification given below:

On 10/17/2018 at 7:43 AM, Shoaib Maqsood said:

Time;Scanner;Object type;Object;Threat;Action;User;Information;Hash;First seen here
9/7/2018 2:20:49 PM;Real-time file system protection;file;C:\Users\ADMINI~1\AppData\Local\Temp\792158756\app.exe;a variant of Win32/Kryptik.GKLX trojan;cleaned by deleting;ACCESSRETAILPK\administrator;Event occurred on a new file created by the application: C:\Windows\explorer.exe (5A49D7390EE87519B9D69D3E4AA66CA066CC8255).;A0F45B1D7365633968D792A40919A2809A9220D4;9/7/2018 2:20:48 PM

Therefore @Shoaib Maqsood, you need to post ELC logs from the device with NOD32 installed where the above log detections originated.
