Blackshore 0 Posted October 21, 2016

Hi guys, I recently booted Windows and I saw Windows Update running. Since I have it controlled (no automatic updates) I thought this was strange. I thought that it might be some forced update from MS or something, so I went to the Control Panel in order to check what was installed. It says Silverlight. But I know that I do not have Silverlight on my computer, so why would it update something it does not have? So I ran ESET (Swedish version) and I found this:

Logg
C:\Documents and Settings\All Users\Piriform Ltd\CCleaner\2.0.0.0\اسم مجلد اختار اي اسم لا يهم\windowsupdate.vbs - VBS/Kryptik.ET trojan - rensad genom borttagning [1]
C:\Documents and Settings\All Users\Piriform Ltd\CCleaner\2.0.0.0\اسم مجلد اختار اي اسم لا يهم\ccsetup500.exe = NSIS = PF-Toolbar-W78.exe - är OK

I manually removed Piriform Ltd and its subdirectories after that. I used Google Translate in order to translate "اسم مجلد اختار اي اسم لا يهم" and it turns out that it is "Chose any folder name does not matter \ name". So my suspicion is that a script kid used a tool for the infection. Somebody in a rush, since they did not name the folder either. How can this have been transmitted? I have never seen anything like it. Have you?
itman 1,755 Posted October 21, 2016

Here's one write-up on it: hxxp://www.cookingsystems.net/completely-remove-update_windows-vbs-vbskryptik-bk/ . It can also be spread via an infected USB drive. To be safe, I would run an ESET "in-depth" scan on your boot drive. Run the scan as administrator. Also recommended is a similar scan on any USB drive you have recently used on the PC.
Blackshore 0 Posted October 22, 2016 (Author)

I have run a deep scan now and it seems to be cleaned. I also searched in the places in regedit. Should I assume that it is cleaned and can continue using the computer?
itman 1,755 Posted October 22, 2016

"Should I assume that it is cleaned and can continue using the computer?"

Appears so. From what you posted, ESET caught the .vbs malware upon file creation by signature detection, so the malware was not allowed to run and create further infection. The question is how access to the C:\Documents and Settings\All Users\ directory was allowed. In Win 10, access to C:\Documents and Settings is locked down. Check your UAC settings and make sure they are set to the default recommended levels. Or, as I recommend, set UAC to its highest level. Yes, you will receive more prompts, but the added security is worth the minor inconvenience.
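The two checks the thread converges on, verifying the UAC level and hunting for leftover script files or autorun entries, can be done from an elevated PowerShell prompt. The script below is an added example written for this thread, not code from the forum or from ESET. It assumes the standard UAC policy values under HKLM\...\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), and it sweeps C:\ProgramData because on Windows Vista and later the "C:\Documents and Settings\All Users" path seen in the ESET log is a compatibility junction that resolves to ProgramData. The set of roots and script extensions is an assumption you should widen to fit your environment.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# Assumed: standard UAC policy values, default ProgramData/Public locations.

function Get-UacPosture {
    # Read the three values that the UAC slider actually sets.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    $verdict = if ($p.EnableLUA -ne 1) {
        'UAC disabled'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 2 -and $p.PromptOnSecureDesktop -eq 1) {
        'Highest level ("Always notify")'
    } elseif ($p.ConsentPromptBehaviorAdmin -eq 5 -and $p.PromptOnSecureDesktop -eq 1) {
        'Default level'
    } else {
        'Weakened: review'
    }
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Verdict                    = $verdict
    }
}

function Find-ScriptsInDataDirs {
    # Script files have no business living under all-users data directories;
    # list them with a hash so they can be checked and, if needed, submitted.
    param(
        [string[]]$Roots = @($env:ProgramData, "$env:SystemDrive\Users\Public"),   # assumed roots
        [string[]]$Extensions = @('*.vbs','*.vbe','*.js','*.jse','*.wsf','*.hta','*.ps1','*.bat','*.cmd')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -Include $Extensions -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path         = $_.FullName
                    SizeBytes    = $_.Length
                    LastWrite    = $_.LastWriteTime
                    # The thread's sample sat in a folder with a non-ASCII name; flag those.
                    NonAsciiPath = [bool]($_.FullName -match '[^\x00-\x7F]')
                    SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

function Get-ScriptAutoruns {
    # Run/RunOnce entries that launch a script host or a script file are the
    # usual persistence point for this kind of dropper; surface them for review.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
            $cmd = [string]$prop.Value
            if ($cmd -match '(?i)\.(vbs|vbe|js|jse|wsf|hta)\b|wscript|cscript|mshta') {
                [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

Get-UacPosture | Format-List
Find-ScriptsInDataDirs | Format-Table -AutoSize
Get-ScriptAutoruns | Format-Table -AutoSize
```

A "Weakened" verdict or an empty EnableLUA usually means a policy or a tool changed the slider; setting it back through the Control Panel writes the values above. Hits from the sweep are leads, not verdicts: compare the hash against your AV vendor's detection before deleting, and keep a copy for submission if the scanner did not flag it.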