Win32/Kryptik.SGE

Golassic

http://img155.imageshack.us/img155/5948/catscqe.jpg

It pops up every 5-10 mins (it started about an hour ago or so). It doesn't seem that ESET is removing it. I stopped that conhost.exe in the Device Manager, and it's still showing. I thought of deleting it, but I read some stuff that it should never be deleted. I searched for help on Google but I only got topics that want me to download programs.. but I'm not downloading stuff that I don't know. So can anyone help me? ><

EDIT: I forgot to mention that sometimes (after it started) I receive a pop-up that tells me that I need to reboot because some bad files can't be deleted because they are in use by programs.

So any help?
Thanks, Golassic.
 
I'm sorry, but will this delete the virus?

Sorry, I had to read before posting...

Umm.. I used ComboFix. At the end of the cleaning process my computer restarted and it didn't make a log report.. And it wanted me to install the Recovery Console and I clicked yes because there wasn't another option... Now when I enter the My Computer folder and go to the C:/ disk there is another folder that looks like the "My Computer" folder and it's named ComboFix. When I click it I get to "My Computer" but in the address bar it says C:/ComboFix... Is that how it has to be?
 
I don't understand what you are talking about with that whole folder thing. ComboFix doesn't install, it just runs. It creates a log file automatically. It is located right in the C:\ drive, in no folders at all. So I don't know where you downloaded it from, but it doesn't sound like any version of ComboFix I have ever used. Mine has never created any folders and never installed any Recovery Consoles. ComboFix just cleans your system, nothing more, nothing less.

Please follow the guide step by step using the links provided. They are known and trusted sources and all of the work should be completed in Safe Mode.
 
I downloaded it from here: Bleeping Computer Downloads: ComboFix Download .-.

This icon: http://img841.imageshack.us/img841/6727/cats2yk.jpg
Where it takes me: http://img853.imageshack.us/img853/6282/57679294.jpg

Anyway, I used HijackThis:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:21:29 PM, on 8/30/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Gamesbar\SearchEngineProtection.exe
C:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\LOLReplay\LOLRecorder.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Update\1.3.21.65\GoogleCrashHandler.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Yuriy\My Documents\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN Games - Web Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O3 - Toolbar: (no name) - {91397D20-1446-11D4-8AF4-0040CA1127B6} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Yuriy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "D:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SearchEngineProtection] C:\Program Files\Gamesbar\SearchEngineProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Praetorian] C:\Documents and Settings\Yuriy\Local Settings\Application Data\Yandex\Updater\praetorian.exe
O4 - HKUS\S-1-5-21-1390067357-1275210071-682003330-1005\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: LOLRecorder.lnk = D:\Program Files\LOLReplay\LOLRecorder.exe
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{50332574-2EBC-42DC-B401-C515D9076001}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{50332574-2EBC-42DC-B401-C515D9076001}: NameServer = 8.8.8.8,8.8.4.4
O17 - HKLM\System\CS2\Services\Tcpip\..\{50332574-2EBC-42DC-B401-C515D9076001}: NameServer = 8.8.8.8,8.8.4.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FABS - Helping agent for MAGIX media database (Fabs) - MAGIX AG - C:\Program Files\Common Files\MAGIX Services\Database\bin\FABS.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\Common Files\MAGIX Services\Database\bin\fbserver.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 8232 bytes

 
Okay, that really doesn't help. I don't see that with my ComboFix, and the only thing I can think of is that it is created by the program because of the different language sets in use. Since I use English and you do not, maybe the program created that so that it can operate properly. I can't say for sure as I did not create the program. Only sUBs could answer that.

As for your HijackThis log, these are infections:

C:\Program Files\Gamesbar\SearchEngineProtection.exe
O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O4 - HKCU\..\Run: [SearchEngineProtection] C:\Program Files\Gamesbar\SearchEngineProtection.exe
O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll


It is the GamesBar that is causing your issues. Remove that.
 
Did it.. though I have no idea where this came from.. .-.

Thanks a lot for all the help!
 
It still pops up. >< No problem until this morning. So any other suggestion?
 
I need the logs from ComboFix and MBAM. HijackThis is not a complete scanner, it just scans startup items.
 
Malwarebytes' Anti-Malware 1.51.1.1800
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: 7631

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

9/1/2011 10:48:34 PM
mbam-log-2011-09-01 (22-48-28).txt

Scan type: Quick scan
Objects scanned: 164133
Time elapsed: 4 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\conhost.exe (Trojan.Agent.BTMGen) -> No action taken.


MBAM scan... .-. Do I need to do a ComboFix scan too?
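Added example (editor's code, not part of this thread and not a feature of HijackThis, MBAM or ComboFix): the helper's triage of the HijackThis log above, and the MBAM hit on c:\WINDOWS\Temp\conhost.exe, both come down to a few defender heuristics that can be applied to any HijackThis-style startup log: a known unwanted name (GamesBar, as the helper identified), an entry whose target file no longer exists, an LSP or service with no recognised publisher, a binary started from the user profile, and a binary started from a Temp directory. The conhost.exe case is worth singling out: it only belongs in System32, and Windows XP does not ship that binary at all (it first appeared in Windows 7), so a file with that name under Temp on this machine can only be an impostor. The script below reuses log lines from this thread as sample input; the final `O4` entry for conhost.exe is constructed to show the Temp-directory case (MBAM found the file, but no such Run entry appears in the posted log), the `KNOWN_UNWANTED` list and severity levels are the editor's assumptions, and the System32 check assumes the default C:\WINDOWS install.

```python
"""Triage heuristics for HijackThis-style startup logs (added example, not from the thread)."""
import re
from pathlib import PureWindowsPath

# Windows binaries that only belong in the system directory; the same names
# dropped elsewhere (a Temp folder, a user profile) are a classic masquerade.
CORE_BINARIES = {"conhost.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                 "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")  # assumes default C:\WINDOWS
KNOWN_UNWANTED = ("gamesbar",)  # assumption: the toolbar the thread's helper named as the culprit
SEVERITY_RANK = {"none": 0, "cleanup": 1, "review": 2, "high": 3}

PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll))", re.IGNORECASE)

# Sample input: lines copied from the HijackThis log posted in this thread,
# plus one constructed O4 entry for the conhost.exe file MBAM flagged.
SAMPLE_LOG = r"""
O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\2.0.1.82\oberontb.dll
O3 - Toolbar: (no name) - {91397D20-1446-11D4-8AF4-0040CA1127B6} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SearchEngineProtection] C:\Program Files\Gamesbar\SearchEngineProtection.exe
O4 - HKCU\..\Run: [Praetorian] C:\Documents and Settings\Yuriy\Local Settings\Application Data\Yandex\Updater\praetorian.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O4 - HKCU\..\Run: [conhost] C:\WINDOWS\Temp\conhost.exe
"""


def extract_path(line: str):
    """Return the first drive-letter path ending in .exe/.dll, or None if the line has none."""
    m = PATH_RE.search(line)
    return m.group(1) if m else None


def assess_line(line: str) -> dict:
    """Apply the heuristics to one log line and return a triage record."""
    low = line.lower()
    reasons = []  # (severity, explanation)
    if "(no file)" in low:
        reasons.append(("cleanup", "target file missing: orphaned entry"))
    if low.startswith("o10 -") and "unknown file" in low:
        reasons.append(("review", "Winsock LSP the scanner does not recognise: verify its publisher"))
    if "unknown owner" in low:
        reasons.append(("review", "service without a publisher: verify the binary"))
    if any(name in low for name in KNOWN_UNWANTED):
        reasons.append(("high", "matches a known unwanted software name"))
    path = extract_path(line)
    if path:
        p = PureWindowsPath(path)
        parts = [part.lower() for part in p.parts]
        name = p.name.lower()
        if "temp" in parts:
            reasons.append(("high", "executable runs from a Temp directory"))
        if name in CORE_BINARIES and not str(p.parent).lower().startswith(SYSTEM_DIRS):
            reasons.append(("high", f"core Windows binary name {name} outside System32: likely masquerading"))
        if "application data" in parts:
            reasons.append(("review", "runs from the user profile, writable by anything the user launches"))
    severity = max((s for s, _ in reasons), key=SEVERITY_RANK.get, default="none")
    return {"line": line, "path": path, "severity": severity,
            "reasons": [msg for _, msg in reasons]}


def triage(log_text: str) -> list:
    """Assess every non-empty line and return the records, highest severity first."""
    records = [assess_line(l) for l in log_text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: SEVERITY_RANK[r["severity"]], reverse=True)


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        if rec["severity"] != "none":
            print(f"[{rec['severity']:>7}] {rec['line']}")
            for why in rec["reasons"]:
                print(f"           - {why}")
```

Run as-is it lists the three GamesBar/conhost lines as high, the LSP, service and Yandex updater lines as review, the `(no file)` toolbar as cleanup, and leaves the ESET entry alone. The "review" findings are prompts to verify a publisher, not verdicts: legitimate updaters (Google Update in the posted log, for instance) also run from the user profile, which is exactly why the helper asked for full ComboFix and MBAM logs rather than relying on startup entries alone.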
 