Got an annoying little trojan (Kryptik.IXJ)

Closed
Jim - May 25, 2011 at 06:31 AM
 Mehdi - May 26, 2011 at 05:43 AM
Hello all,


After googling around and discovering things I come to this place in search of a solution. Please bear with me, this may be a lengthy post.


BUT before I begin, here are some other common symptoms: 1) one of the files created is pcotATwPWkOrt.exe, 2) the error message that appears is "one or more installed IDE / Sata hard disks it is recommended that you restart the system".


Unfortunately my system picked up a trojan which NOD32 identifies as Kryptik.IXJ - basically every time I log into windows (under normal mode at least), NOD32 shows a warning saying 'a variant of Win32/Kryptik.IXJ trojan' with the file location under C:\ProgramData\2516384.exe (the number part changes every time I boot up my system though).


As for the symptoms, it's weird. (Under normal mode) I cannot access the Task Manager whatsoever, and while my D drive is fine I cannot see or access any files on my C:\ drive. But the data is still all there; actually I am currently running Windows in SAFE mode and I can only access my files again by ticking the 'show hidden files & folders' option under Folder Options. But if I don't do that then it's all hidden away.


Of course I still have little idea on how to remove this trojan... I'm assuming there are some dll files, exe files and registry entries I have to remove or else the trojan will keep on reproducing itself, but I'm not sure where to begin. I've also googled the Kryptik trojan and there have been other users who have come across this, but under the names Kriptik.E, Kryptik.H etc. Not Kryptik.IXJ though...

Anyway I would greatly appreciate any help. cheers!
PS. I forgot to add that at the bottom right of the task bar it says 'Links' (usually where my language options are).

2 replies

jack4rall (Moderator) - May 25, 2011 at 07:56 AM
Hello,

Try this:

1) Go to "Safe Mode with Networking".

2) Download the applications from the below links.

https://download.bleepingcomputer.com/grinler/rkill.com

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Run rkill, which will terminate the malicious processes. Wait for the process to get completed. Then, install "Malwarebytes' Anti-Malware", update it and perform a "Full Scan".

3) After completion of step 2, follow the below instructions.

Click on the below link and download the application:

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

Install the downloaded application --> Now you can find two shortcut icons, ZHPDiag and ZHPFix.

4) Double-click on "ZHPDiag". When the "ZHPDiag" window appears, select the below additional options by going to "Options (Screwdriver Icon)":

[] Redirection of the file HOSTS

[] Last file created in windows prefetcher.

[] Last modified or created user files.

Now click on the Magnifying glass and run the analysis. Wait for the process to get completed. When the analysis process gets completed, click on the "Save button (Floppy Icon)" and save the report on your desktop.

Now upload the file to speedyshare. Click on the below link:

https://authentification.site

Click on the "Browse" button and select the saved report --> Click on the "Click here to start uploading" button --> Now copy the given URL and post it here.

Good Luck
0
Hi

I had the same Trojan on one of my laptops, so this is what I did (you should turn off System Restore before you start cleaning malware, but sometimes restoring Windows to the nearest point before the infection will save your system, and turning it off may cause you to lose some of the files deleted by the malware; in this case some of my desktop files are gone):

1- Boot to "Safe Mode"

2- Use "rkill" from the above link (I used it 4 times, until it didn't find any processes to kill).

3- Install "Malwarebytes' Anti-Malware Pro" & update it using the offline update package (I don't like to connect to the internet when there is malware on my system) & perform a full scan with it. 3 malware found. I chose to delete them & it asked to restart.

4- Restart to Windows normal mode (Windows works now) & update "Malwarebytes' Anti-Malware" & perform another full scan. 2 registry keys found (one disables Task Manager & another disables changing the wallpaper) & deleted them with another restart. (I updated ESET too & performed a full scan with it too, but nothing found; you should do this too, maybe they have updated their definitions by now.)

5- Then I found 2 other files in the "Documents and Settings\All Users" folder: an exe file & another file with the same name as the file ESET found as the Kryptik.IXJ Trojan, obviously leftovers, so I deleted them manually. No problem in deleting them because they don't boot with Windows anymore.

6- Now there is no desktop & no right click on it yet.
Use "Run" from the Start menu & type "regedit" to go to the registry & go to this path (this path may be correct for WinXP only):
HKey_Current_User>Software>Microsoft>Windows>CurrentVersion>Policies>
There are 3 folders you should check for changed values: "ActiveDesktop, Explorer and System".
It's easy to understand what most of those registry entries do.
In my case the problem was a registry value in the Explorer folder with the name "NoDesktop"; I double clicked on it & changed the value from "1" to "0".
Restarted & the desktop is back, but I lost some of my files on the desktop.

7- I was too tired to resume checking for other changes & fixing them, or searching whether it copied my desktop files somewhere else, so I stopped here. I will write here if I find anything else after I resume working on it again. ;)
0
No file was deleted by the Trojan; the person who ran the infected file on my system was moving them from the desktop to some place else before the infection. :D
So it doesn't delete any user files, it only turned them hidden.
But it deleted many of my shortcuts under the Start menu, all Quick Launch & all shortcuts in "Administrative Tools" under Control Panel. (Not a big problem)
You can get back some of your Start menu shortcuts by unhiding the "Start Menu" folders under the users' profiles.
At last, the Trojan creates shortcuts to itself on the desktop & Start menu with the name "Windows XP Recovery". Delete them manually & make sure the target file of them is deleted too.
0
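The registry check in step 6 of the reply above, the hidden Start Menu folders, and the "Windows XP Recovery" shortcuts from the follow-up can all be audited from one script. This is an added example, not posted by anyone in this thread; it assumes the standard Windows policy value names (the thread only names "NoDesktop" explicitly, so DisableTaskMgr and NoChangingWallPaper are assumed to be the two keys Malwarebytes removed) and should be run as the affected user, with -Fix to actually reset values and unhide items.

```powershell
# Added example (not from this thread): report, and with -Fix undo, the
# policy restrictions, hidden user files and rogue shortcuts described above.
param([switch]$Fix)

# 1. HKCU policy subkeys from step 6; a non-zero value imposes the restriction.
$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$watch = @{
    'Explorer'      = @('NoDesktop', 'NoRun', 'NoFolderOptions')
    'System'        = @('DisableTaskMgr', 'DisableRegistryTools')
    'ActiveDesktop' = @('NoChangingWallPaper')
}
foreach ($sub in $watch.Keys) {
    $key = Join-Path $policyRoot $sub
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $watch[$sub]) {
        if ($null -ne $props.$name -and $props.$name -ne 0) {
            "RESTRICTION {0}\{1} = {2}" -f $sub, $name, $props.$name
            if ($Fix) { Set-ItemProperty -Path $key -Name $name -Value 0 }
        }
    }
}

# 2. Hidden user data: the trojan hides files rather than deleting them.
# Both the XP and the Vista+ Start Menu locations are checked (assumed paths).
# Items that also carry the System attribute (NTUSER.DAT, desktop.ini) are skipped.
$dirs = @($env:USERPROFILE, (Join-Path $env:USERPROFILE 'Start Menu'),
          (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'))
foreach ($d in ($dirs | Where-Object { Test-Path $_ })) {
    foreach ($item in Get-ChildItem -Path $d -Force) {
        $hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $system = ($item.Attributes -band [IO.FileAttributes]::System) -ne 0
        if ($hidden -and -not $system) {
            "HIDDEN      $($item.FullName)"
            if ($Fix) { & attrib -h $item.FullName }
        }
    }
}

# 3. Rogue shortcuts: list each "Windows XP Recovery*.lnk" with its target so the
# target binary can be checked and removed together with the shortcut.
$shell = New-Object -ComObject WScript.Shell
$lnkRoots = @([Environment]::GetFolderPath('Desktop')) + $dirs
Get-ChildItem -Path $lnkRoots -Recurse -Force -Filter 'Windows XP Recovery*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        "SHORTCUT    $($_.FullName) -> $target"
        if ($Fix) { Remove-Item -LiteralPath $_.FullName -Force }
    }
```

Run it once without -Fix and review the three report sections before applying changes; the shortcut targets it prints are what you still need to delete by hand, as the reply above notes.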