Beware the ‘Kryptik’ Trojan.

Bandung_Dero
udonmap.com
Posts: 3618
Joined: July 10, 2005, 8:53 am
Location: Ban Dung or Perth W.A.

Beware the ‘Kryptik’ Trojan.

Post by Bandung_Dero » February 19, 2010, 2:23 pm

This morning my PC was attacked by a variant of the ‘Kryptik’ Trojan, which somehow got through NOD32 initially but was picked up later. Too late, damage done: the only way I could get into my machine was via a boot CD. It corrupted the boot.ini file (XP Prof SP3), although on initial inspection it looked OK; it wasn’t until I built a new file that I was able to get past the ‘Disk Error’ message I received on boot-up and get in to finish cleaning the mess. A heart-stopping couple of hours.

Note:
Look at your C:\Windows\system32 folder
Look for 3 files NLx.EXE

x = B, C, D,

Delete them or if unsure move them to another ‘Junk’ folder.

Then

Look at your C:\Windows\Prefetch folder
Look for 3 files starting with NLx.EXE they will look something like NLB.EXE-1E7655f5.pf

x = B, C, D,

Delete them or if unsure move them to another ‘Junk’ folder.

After they have done their damage they get moved to your ……\Local Settings\Temp\ folder as NLD.EXE. It was on the move that NOD32 detected their presence.


KEEP A COPY OF YOUR ‘boot.ini’ file on a memory stick as there are many viruses out there that attack it.
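
The three locations named in the post above can be checked in one pass. The following PowerShell is an added example, not part of the original post: the `-Quarantine` parameter, the manifest file and the renaming scheme are assumptions, and it needs PowerShell 4 or later for `Get-FileHash`. A name match alone does not prove infection, so it reports and optionally moves files rather than deleting them.

```powershell
# Added example: look for the file names given in the post, report them with
# hashes and timestamps, and optionally move them to a "Junk" folder.
param(
    [string]$WinDir     = $env:SystemRoot,  # e.g. C:\Windows
    [string]$TempDir    = $env:TEMP,        # per-user Temp folder
    [string]$Quarantine = ''                # assumed parameter; empty = report only
)

# Locations and name patterns as described in the post (x = B, C, D).
$checks = @(
    @{ Dir = (Join-Path $WinDir 'system32'); Pattern = '^NL[BCD]\.EXE$' },
    @{ Dir = (Join-Path $WinDir 'Prefetch'); Pattern = '^NL[BCD]\.EXE-[0-9A-F]{8}\.pf$' },
    @{ Dir = $TempDir;                       Pattern = '^NLD\.EXE$' }
)

$hits = foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Dir)) { continue }
    # -Force includes hidden and system files; -match is case-insensitive.
    Get-ChildItem -LiteralPath $c.Dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $c.Pattern } |
        ForEach-Object {
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path     = $_.FullName
                Size     = $_.Length
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                SHA256   = $hash.Hash   # empty if the file was locked
            }
        }
}

if (-not $hits) { Write-Output 'No files matching the names from the post were found.'; return }
$hits | Format-List

if ($Quarantine) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    # Keep a record of original paths and hashes next to the moved files.
    $hits | Export-Csv -Path (Join-Path $Quarantine 'manifest.csv') -NoTypeInformation
    $i = 0
    foreach ($h in $hits) {
        $i++
        # Numbered prefix avoids collisions; extra suffix stops accidental execution.
        $name = '{0:D2}_{1}.quarantine' -f $i, (Split-Path $h.Path -Leaf)
        Move-Item -LiteralPath $h.Path -Destination (Join-Path $Quarantine $name) -Force
    }
}
```

Run it from an elevated prompt, first with no arguments to see the report; the SHA-256 values can be given to an antivirus vendor or a second scanner before anything is moved.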



BobHelm
udonmap.com
Posts: 18411
Joined: September 7, 2005, 11:58 pm
Location: Udon Thani

Re: Beware the ‘Kryptik’ Trojan.

Post by BobHelm » February 19, 2010, 2:50 pm

‘Kryptik’ Trojan is quite an old one, Dero. I've seen mention of it going back to October 2008, so am surprised your virus checker didn't find it. Mind you, these clever little people are always making new, uncheckable versions. Thanks for the warning; any idea where you picked it up?

Bandung_Dero
udonmap.com
Posts: 3618
Joined: July 10, 2005, 8:53 am
Location: Ban Dung or Perth W.A.

Re: Beware the ‘Kryptik’ Trojan.

Post by Bandung_Dero » February 19, 2010, 4:43 pm

Bob, no idea where it came from. I have been downloading a number of utilities lately (which all work perfectly) to help me build a new package in QLD Aust. next month emulating (mirror) this machine. I normally scan ALL new executables before running them, maybe I missed something! From the searches I have made it is a "variant" with many different fields of attack, really depends on the extension. The one that got me was Kryptik.CKB and hence the NLD.EXE attack.

TTF my machine has fully recovered and I have downloaded a 2nd MalWare product to do a double check.

BobHelm
udonmap.com
Posts: 18411
Joined: September 7, 2005, 11:58 pm
Location: Udon Thani

Re: Beware the ‘Kryptik’ Trojan.

Post by BobHelm » February 19, 2010, 4:55 pm

I'm glad your machine is A OK again!!
Yes, downloading is always a bit of a worry, not the product so much as the site you get it from. Some sites are a little naughty at slipping in things that you have not asked for (not malicious, just unasked for) & some sites will slip in spyware, malware, viruses as well!!
I have ADV threat & WOT FF add-on running on my PC. Neither is foolproof, but they both try & identify 'safe' sites when you are googling things, which gives me a bit more reassurance.
Thanks for the heads up & how to restore an infected machine as well...

alshidaa
New Member
Posts: 1
Joined: June 11, 2010, 6:28 pm

Re: Beware the ‘Kryptik’ Trojan.

Post by alshidaa » June 16, 2010, 2:49 pm

How to recover data after a virus? My laptop was infected by a trojan virus and I was not able to restore from an earlier setting. I did get rid of the virus and reinstalled Windows Vista, but now I want to recover my Word documents and pictures and other programs but I do not know how. How can I recover all my data?

BangkokButcher
udonmap.com
Posts: 2690
Joined: July 4, 2005, 9:06 pm

Re: Beware the ‘Kryptik’ Trojan.

Post by BangkokButcher » June 16, 2010, 3:03 pm

If you have already re-installed your operating system, you 'may' not be able to recover anything of value as your hard drive 'may' have been formatted as part of the re-installation process.

However, if you're lucky you should be able to get some lost data back using a data recovery software application, a good free one is:
http://www.pcinspector.de/Default.htm?language=1

Charlieb
udonmap.com
Posts: 904
Joined: January 18, 2007, 4:49 pm
Location: Udon Thani

Re: Beware the ‘Kryptik’ Trojan.

Post by Charlieb » June 16, 2010, 8:58 pm

A little "trick" I have learned if you plan to reinstall the OS anyway.

Go to the complex and buy another laptop drive. I don't know what they run there, but you can get a rather large (capacity) one at newegg.com for around $50 US. All laptop drives have the same form and fit.

Buy a laptop disk carrier for around 100 Baht. The carrier is a small enclosure with a USB connection.

After installing the OS onto the new laptop drive you should be able to mount the old drive as an external USB drive giving you access to the data files there. This is assuming only the boot files or sectors are bad. You can then use the old drive for external storage, backup, etc.

FWIW, I keep an up-to-date OS on an external laptop drive. That way if my drive does crash, I simply exchange them. I will periodically swap them out to keep them in sync. I also back up from one to the other.

Hope it helps
