caint get rid of trojan


Hi. I accidentally downloaded a trojan about 1 month ago. Malwarebytes finds this trojan and I delete it, but it keeps coming back, usually in the 'C' folder. It automatically turns off my firewall, and I don't know if this is related to the trojan, but when I try to download .exe files, they never finish. They get to 99% and stall. I reformatted Windows XP thinking it would get rid of the trojan, but it keeps coming back under a different name. This time "ktedn.exe".

How do I get rid of this trojan for good?? I uploaded a picture of the trojan in Malwarebytes. Thanks.

Hello and welcome.

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

 

Kevin...

Thanks for replying and trying to help. I don't have any Peer 2 Peer software such as uTorrent or BitTorrent installed on my computer. And I don't think I have any illegal/cracked software, cracks, keygens etc. installed either, because I just did a reformat 3 days ago and everything is legit.

 

Here is the FRST.txt log: FRST.txt

 

Here is the Addition.txt log: Addition.txt

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it in your reply.

 

Next,

 

ComboFix usage, Questions, Help? - Look here

 

Next,

 

Delete any versions of Combofix that you may have on your Desktop, download a fresh copy from either of the following links :-

 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

 

http://www.infospyware.net/antimalware/combofix/

 

  • Ensure that Combofix is saved directly to the Desktop <--- Very important
     
  • Disable all security programs as they will have a negative effect on Combofix, instructions available here  http://www.bleepingcomputer.com/forums/topic114351.html if required. Be aware the list may not have all programs listed, if you need more help please ask.
     
  • Close any open browsers and any other programs you might have running
     
  • Double click the ComboFix icon to run the tool (Vista or Windows 7 users right click and select "Run as Administrator")
     
  • Instructions for running Combofix available here http://www.bleepingcomputer.com/combofix/how-to-use-combofix if required.
     
  • If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
     
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review

 

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

 

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read here  http://thespykiller.co.uk/index.php?page=20 why  disabling autoruns is recommended.

 

*EXTRA NOTES*


    If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
    If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
    If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

 

Post those logs in next reply please...

 

Kevin

 

fixlist.txt

Do not delete Combofix, we can remove it later....

 

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

    ClearJavaCache::
    File::
    C:\ktedn.exe
    C:\scqs.exe

 

Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

(Images: CF3.jpg, CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

 

Next,

 

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running; it can take several hours, so please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is UNticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Let me see those logs...

 

Kevin

I know that this virus called "Sality.NBA" prevents me from completing some .exe downloads.

Here's what happened.

I copied that CFScript into Notepad, but I thought you meant make a new folder with the icon ComboFix.exe in it. After I did that ComboFix.exe wouldn't run. I got an error when trying to put the CFScript in it. So I knew I had to delete ComboFix.exe and the folder and redownload it.

I redownloaded ComboFix.exe and put the script in it and it worked. Then when I tried to open ESET it wouldn't run. I thought I had deleted some important files when I deleted ComboFix. So I did a system restore. I didn't like that system restore so I undid it back to original. When my PC was rebooting Malwarebytes blocked the virus "Sality". That's the 1st time it ever did that when restarting. Then I was able to install ESET after a few tries.
 

Here is the ComboFix log after running the script: ComboFix log.txt

Here is the ESET log: ESET SCAN.txt

That information really is bad news. Sality is a polymorphic virus that modifies its own code at each new infection, trying to avoid antivirus recognition; it will spread through networks. It replaces the original code at the entry point with viral code and stores an encrypted copy of the original code in the appended space of the file. Just like Virut and any other file infector, the only way to be truly free from infection is a reformat of the hard drive and re-install of the OS.

 

Is that an option you will undertake?
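As an added illustration of the file-infector behaviour described in the reply above (this is not code from the thread, and it is a generic triage heuristic, not a Sality signature): a small PE header parser that reports whether a file's entry point sits inside its last section, whether that section is both writable and executable, and how many bytes trail the last section's raw data, which is where appended code would live. `build_pe` is a constructed test fixture that emits a minimal 32-bit PE image so the check can be run offline.

```python
import struct

# Section Characteristics flag bits from the PE specification
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
WX = SCN_MEM_EXECUTE | SCN_MEM_WRITE

def build_pe(sections, entry_rva, overlay=b""):
    """Constructed test fixture: a minimal 32-bit PE image, not a real program.
    sections: list of (name, virtual_address, raw_size, characteristics)."""
    opt_size = 224
    hdr_len = (0x40 + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva) + b"\0" * (opt_size - 20)
    table, bodies, ptr = b"", b"", hdr_len
    for name, vaddr, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, raw, vaddr, raw, ptr, 0, 0, 0, 0, chars)
        bodies += b"\xCC" * raw  # filler bytes standing in for section contents
        ptr += raw
    hdr = dos + coff + opt + table
    return hdr + b"\0" * (hdr_len - len(hdr)) + bodies + overlay

def inspect_pe(data):
    """Triage indicators for one PE image held in memory (header parsing only)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, e_lfanew + 40)[0]     # AddressOfEntryPoint
    secs, end_of_data = [], 0
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + 40 * i
        name, vsize, vaddr, rawsz, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        secs.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, max(vsize, rawsz), chars))
        end_of_data = max(end_of_data, rawptr + rawsz)
    entry_sec = next((s for s in secs if s[1] <= entry < s[1] + s[2]), None)
    last = secs[-1]
    return {
        "entry_section": entry_sec[0] if entry_sec else None,   # None: entry points outside every section
        "entry_in_last_section": entry_sec is last,
        "last_section_writable_exec": (last[3] & WX) == WX,
        "overlay_bytes": max(0, len(data) - end_of_data),      # bytes appended after the last section
    }
```

Any one indicator alone is common in packed or otherwise legitimate binaries; the combination across many executables on the same machine is what makes it worth a closer look with a real scanner.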

Thanks for replying. I know this is not your problem but mine.

I already reformatted my hard drive 2 times trying to get rid of it. It's still there. At 1st it was on my USB Windows XP flash drive that I use to reformat, but I made another bootable Windows XP flash drive from a clean machine, installed XP from that and it's still there. Apparently it changed the registry. If you look into my registry maybe you can find what it changed, what I need to delete, restore or anything. I can reformat again if necessary. I will probably have to delete/change some keys manually to get rid of it. But I know it can be done. Look at these links.

http://killtrojanvirus.blogspot.com/2014/01/how-to-remove-win32salitynba-delete.htm
http://ebenjie.blogspot.com/2011/09/how-to-remove-win32salitynba-manually.html
http://www.bestsafeguardtools.com/Unknown/how+to+remove+Win32.Sality.NBA.html
 

Thanks for helping, but is this beyond your knowledge to get rid of it? Should I seek help elsewhere?

Removing Sality is not really beyond anyone's scope; believing it is 100% gone and trusting the system is not something you can guarantee. I've removed Sality before several times with Kaspersky SalityKiller from the following link: http://support.kaspersky.com/viruses/utility#salitykiller The problem is I do not believe it supports XP. Also, as Microsoft no longer supports XP you will always be prone to many types of infection...

 

If you want to try, it is possible to try with the KIS rescue CD, then run ESET with the option to "Remove found threats" ticked this time.

 

Download Kaspersky Rescue Disk (iso)

  • Burn it to a CD or DVD; if you need a program to burn an ISO, use Active@ ISO Burner
  • Configure your computer to boot from CD/DVD
     
    Note : If you do not know how to set your computer to boot from CD/DVD follow the steps here
     
  • Once you have the CD/DVD created, boot the computer up using it
  • Press any key to enter the menu
  • Select your language
  • Press 1 to accept the End User License Agreement
  • Select Kaspersky Rescue Disk. Graphic Mode
  • Click on the Start button located in the left bottom corner of the screen
  • Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by Malware/Virus
     
     
    If you can't find Kaspersky WindowsUnlocker, go to Terminal instead > type > windowsunlocker > choose 1 - Unlock Windows > Enter
     
     
  • When it's done, click on the Start button and start Kaspersky Rescue Disk utility
  • Click on My Update Center tab and press Start to download the latest update
  • Next, select the Object Scan tab
  • Put a check next to C:\ and any other local drives
  • Then click Start Objects Scan
  • Quarantine any malware found
  • Restart your computer and see if it boots up normally....

 

When booted back into Windows navigate > Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run named "ScanObject". Copy/paste that file to your reply.

 

It is possible your system will no longer Boot after running that tool, no guarantees so your choice....

 

Next,

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and Windows 7/8 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 


Turn off the real time scanner of any existing antivirus program while performing the online scan
click on the Run ESET Online Scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the add-on to be installed
Click Start
Make sure that the option "Remove found threats"  is ticked
Click on Advanced Settings, ensure the options
Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
Select "Change" next to Current scan targets A new window will open, select any extra drives, Flash drives etc as required.
Click Scan
wait for the virus definitions to be downloaded
Wait for the scan to finish

 

When the scan is complete

 


If no threats were found
put a checkmark in "Uninstall application on close"
close program
report to me that nothing was found

 

If threats were found

 


click on "list of threats found"
click on "export to text file" and save it as ESET SCAN and save to the desktop
Click on back
put a checkmark in "Uninstall application on close"
click on finish

 

close program

 

Copy and paste the report in next reply.

 

Post those logs..

 

Kevin

Guess what??

That SalityKiller cleaned my computer. At first the page http://support.kaspersky.com/viruses/utility#salitykiller wouldn't load. Then I restored my computer to an earlier date. Then I undid that restore, and Malwarebytes blocked Sality from my computer. Then the page would load. The SalityKiller ran for 4 hours. All of the .exe files on my PC were infected and SalityKiller cured all of them and restored some settings. Then I ran Malwarebytes and it found 2 infections. I rebooted, ran MB again and ZERO infections were found.

Thanks man for your help. It's worth lots of $$$

If the virus comes back I'll let you know, but I don't think it will.

 

Thanks very much.

Run the following to clean up;

 

Download "Delfix by Xplode" and save it to your desktop.

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 


    Remove disinfection tools
    Create registry backup
    Purge System Restore
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Part of the routine will be to create a registry backup with ERUNT; the backup will be created here:

 

C:\Windows\ERUNT

 

When all is known to be well with your system you can delete that backup folder if you consider it not needed...

 

When delfix completes let me know if any remaining issues or concerns, if none are we ok to close out...

 

Kevin

Good to hear all is well for you, self help is often needed to give the final nudge.....  Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Take care and surf safe...

 

Kevin.... ;)

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.