Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

External WD HD infected with Win32:Kryptik.LQL


Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 3:47 pm

No luck, I'm afraid. It's still showing as a hidden folder, nothing changed.

========== FILES ==========
< attrib -h -s day5 /c >
File not found - day5
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< ren day5.lnk old-day5.lnk /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 05282013_004509
ssmad
Regular Member
Posts: 41
Joined: May 25th, 2013, 12:10 pm

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 3:51 pm

Hi ssmad,

OK, try this.

Run OTL Script

Code:

:files
attrib -h -s H:\day5 /c
ren H:\day5.lnk H:\old-day5.lnk /c




Now see if you can access the Day5 folder.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 3:53 pm

Still the same, I'm afraid...

========== FILES ==========
< attrib -h -a H:\day5 /c >
Not resetting system file - H:\Day5
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< ren H:\day5.lnk H:\old-day5.lnk /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 05282013_005213

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 3:54 pm

Try the last script again, I made a slight change after posting it.

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 3:56 pm

Success deltalima!

========== FILES ==========
< attrib -h -s H:\day5 /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< ren H:\day5.lnk H:\old-day5.lnk /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 05282013_005434

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 3:57 pm

Hi ssmad,

Run OTL Script

  • Double-click OTL.exe (Right click and choose "Run as administrator" in Vista/Win7).
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    
    :files
    attrib -h -s H:\*.* /c
    del h:\*.lnk /c
    attrib +h +s H:\$RECYCLE.BIN /c
    attrib +h +s "H:\System Volume Information" /c
    
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Let me know how it looks now.

Upload a File to Virustotal

Please go to Virustotal

Copy/paste this file and path into the white box at the top:
H:\.Trashes\b3fdadef.com

Press Scan it - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 4:02 pm

Hey deltalima,

I'm not sure I follow you, the folder named Day5 is no longer being shown as a hidden folder after the last scan. The shortcut and all are still present but this particular folder is now working as normal.

So do I still run the fix and all the rest that you sent in your last post?

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 4:05 pm

Yes, run the script as above and let me know how it looks.

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 4:13 pm

Ok now all the shortcuts have been removed but the folders are still being shown as hidden folders.

As for Virustotal, I'm afraid it's only giving me a place to upload files, and trying to put the link there isn't working, nor can I find the file to upload it.

========== FILES ==========
< attrib -h -s H:\*.* /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< del h:\*.lnk /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< attrib +h +s H:\$RECYCLE.BIN /c >
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< attrib +h +s "H:\System Volume Information" /c >
Access denied - H:\System Volume Information
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 05282013_010717

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 4:28 pm

Hi ssmad,

"Ok now all the shortcuts have been removed but the folders are still being shown as hidden folders."


OK, we are making good progress, we need to find how those folders are being hidden.

Does Day5 still show as unhidden?


Run OTL Script

  • Double-click OTL.exe (Right click and choose "Run as administrator" in Vista/Win7).
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    
    :files
    attrib H:\*.* /c
    dir H:\*.* /a /c
    dir H:\.Trashes\*.* /a /c
    
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 4:32 pm

Hey yes day5 is still being shown as unhidden.

I'm not sure if the last scan was supposed to make any changes or not, but if it was it didn't.

========== FILES ==========
< attrib H:\*.* /c >
File not found - H:\*.*
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< dir H:\*.* /a /c >
Volume in drive H is My Passport
Volume Serial Number is 9666-B114
Directory of H:\
05/25/2013 01:44 PM <DIR> $RECYCLE.BIN
05/28/2013 12:45 AM <DIR> .Trashes
05/15/2013 02:21 PM <DIR> 100EOS5D
05/15/2013 05:18 PM <DIR> 101GOPRO
05/04/2013 06:24 PM <DIR> Day1 Nusai
05/05/2013 06:00 PM <DIR> Day2
05/07/2013 11:00 AM <DIR> Day3
05/08/2013 05:09 PM <DIR> Day4 Ishkashim
05/09/2013 08:23 PM <DIR> Day5
05/10/2013 08:23 PM <DIR> Day6
05/12/2013 11:14 AM <DIR> Day7
05/15/2013 03:49 PM <DIR> Day8
05/15/2013 02:39 PM <DIR> Day9
05/04/2013 02:05 PM <DIR> New Folder
05/15/2013 09:32 AM <DIR> PPH Vedio for Shabbir
05/25/2013 11:54 AM <DIR> System Volume Information
0 File(s) 0 bytes
16 Dir(s) 397,076,238,336 bytes free
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.
< dir H:\.Trashes\*.* /a /c >
Volume in drive H is My Passport
Volume Serial Number is 9666-B114
Directory of H:\.Trashes
05/28/2013 12:45 AM <DIR> .
05/28/2013 12:45 AM <DIR> ..
05/11/2013 09:54 AM 63 Desktop.ini
1 File(s) 63 bytes
2 Dir(s) 397,076,238,336 bytes free
C:\Users\SS\Desktop\cmd.bat deleted successfully.
C:\Users\SS\Desktop\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 05282013_013015

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 4:40 pm

Hi ssmad,

"I'm not sure if the last scan was supposed to make any changes or not, but if it was it didn't."


No, the scan was information gathering only.


Run OTL Script

  • Double-click OTL.exe (Right click and choose "Run as administrator" in Vista/Win7).
  • Copy and Paste the following code into the Image textbox. Do not include the word Code
    Code:
    
    :files
    attrib -h -s "H:\Day1 Nusai" /c
    attrib -h -s H:\Day2 /c
    attrib -h -s H:\Day3 /c
    attrib -h -s "H:\Day4 Ishkashim" /c
    attrib -h -s H:\Day6 /c
    attrib -h -s "H:\New Folder" /c
    
    
    
  • Then click the Run Fix button at the top.
  • Click Image.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.


Let me know how it looks now.

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 27th, 2013, 4:47 pm

hey deltalima,

All the folders that were created by me look fine now and seem to open and all just as they should.

I still have three hidden folders left though

.Trashes
$RECYCLE.BIN
System Volume Information

Re: External WD HD infected with Win32:Kryptik.LQL

by deltalima » May 27th, 2013, 4:55 pm

Hi ssmad,

"I still have three hidden folders left though"


$RECYCLE.BIN
System Volume Information


They are legitimate and should be hidden, they are the folders that Windows uses to store deleted items so that they can be restored from the Recycle Bin and the folder used to store snapshots of the system to allow System Restore to work.

The .Trashes folder can be removed.


ESET online scanner

Note: You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista or Windows 7, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • First please Disable any Antivirus you have active, as shown in This topic.
  • Note: Don't forget to re-enable it after the scan.
  • Next hold down Control then click on the following link to open a new window to ESET online scanner
  • Press the Blue Run ESET Online Scanner button on the left side of the page.
  • A popup box will open.
  • Select the option YES, I accept the Terms of Use then click on Start.
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on Start.
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on Finish.
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
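
Added example (not part of the original posts, and not OTL script syntax): the per-folder unhide and shortcut removal carried out in this thread, written as a PowerShell script that walks the drive root itself and leaves $RECYCLE.BIN and System Volume Information hidden. It assumes PowerShell 3.0 or later and the thread's drive letter H:\; the -Drive and -Apply parameter names are this example's own, and unlike the thread's del h:\*.lnk it removes only shortcuts whose name matches a folder.

```powershell
# Added example. Assumption: the affected volume is H:\ as in this thread.
param(
    [string]$Drive = 'H:\',
    [switch]$Apply              # without -Apply the script only reports
)

# Folders Windows itself keeps hidden+system on a volume; never unhide these.
$keepHidden = @('$RECYCLE.BIN', 'System Volume Information')

# Hidden (2) + System (4) as one integer bit mask.
$mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System

# -Force is required, otherwise hidden/system items are not enumerated at all.
$dirs = @(Get-ChildItem -LiteralPath $Drive -Directory -Force |
          Where-Object { $keepHidden -notcontains $_.Name })

foreach ($d in $dirs) {
    $attrs = [int]$d.Attributes
    if (($attrs -band $mask) -ne 0) {
        Write-Output ("hidden/system folder: {0} [{1}]" -f $d.FullName, $d.Attributes)
        if ($Apply) {
            # Clear only the Hidden and System bits in one write, keeping the
            # rest (Directory, Archive, ...). Equivalent to attrib -h -s.
            $d.Attributes = [IO.FileAttributes]($attrs -band (-bnot $mask))
        }
    }
}

# A root-level .lnk with the same base name as a folder (day5.lnk next to Day5)
# is the decoy pattern seen in the thread. -contains is case-insensitive.
$names = @($dirs | ForEach-Object { $_.Name })
Get-ChildItem -LiteralPath $Drive -Filter '*.lnk' -File -Force |
    Where-Object { $names -contains $_.BaseName } |
    ForEach-Object {
        Write-Output ("decoy shortcut: {0}" -f $_.FullName)
        if ($Apply) { Remove-Item -LiteralPath $_.FullName -Force }
    }
```

Run it once without -Apply to review what would change, then again with -Apply.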

Re: External WD HD infected with Win32:Kryptik.LQL

by ssmad » May 28th, 2013, 3:49 am

hey deltalima,

It seems the scan didn't pick it up at all. After the scan finished I tried to just delete the folder .trashes and was able to. Everything seems fine, looks good in the drive as far as I can tell.
Shall we consider this problem resolved?

ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=e57e078e27a2854bb4489cefe1cacb8d
# engine=13931
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2013-05-28 04:47:25
# local_time=2013-05-28 09:47:25 (+0500, Pakistan Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=774 16777213 85 91 309004 146426317 0 0
# compatibility_mode=5893 16776573 100 94 58256 121346295 0 0
# scanned=252119
# found=5
# cleaned=0
# scan_time=27348
sh=CE0CFF1523E2DF7E436072554DEBBD86BCCDE1B8 ft=1 fh=64a8ad1547f2fc9f vn="a variant of Win32/Bundled.Toolbar.Ask application" ac=I fn="D:\Software\duplicate-file-finder-setup.exe"
sh=8F34BB9503DC54A9452821391D923FA19CE6E6FA ft=1 fh=ba0bf2bb89260abf vn="a variant of Win32/HackTool.Patcher.T application" ac=I fn="D:\Software\Adobe Acrobat XI Pro 11.0.1 Multilanguage [ChingLiu]\patch-MPT\adobe.acrobat.xi.pro.patch-MPT.exe"
sh=9B66BE44FCED8289978C552F513D94053E4D5D2A ft=1 fh=bd79624b2933f04f vn="Win32/PrcView application" ac=I fn="D:\Software\Drivers\Gigabyte\Other\Marvell\MSU\MSUSetup.exe"
sh=D2408C8A09A2BD9704AF39F818EC7AC9E9CCA46E ft=1 fh=08d2b982dc66508e vn="a variant of Win32/Bunndle application" ac=I fn="D:\Software\Windows Oct 5 2012\utorrent.exe"
sh=63E5A055D0F0D516D740E881AE9CE93440D148AA ft=1 fh=d03ef94bc0718461 vn="NSIS/TrojanDownloader.FakeAlert.DK.Gen trojan" ac=I fn="D:\Software\Windows Oct 5 2012\EASEUS.Partition.Master.v6.0.1.Professional.Edition.Retail-rG\EASEUS.Partition.Master.v6.0.1.Professional.Edition.Retail-rG\rgepm6pi\rg-setup\setup.exe"