MaxGaming3 Posted May 20, 2016 ID:1041041 Share Posted May 20, 2016 I was recently infected with Trojan.Kovter. Malwarebytes Anti-Malware detected it and notified me. I clicked remove. Am I safe now or do I need to do something else to make sure the trojan is completely gone? I am mainly worried about my passwords. Link to post Share on other sites More sharing options...
MaxGaming3 Posted May 20, 2016 Author ID:1041052 Share Posted May 20, 2016 Hey could someone also explain to me how this virus works so i know more about it? Link to post Share on other sites More sharing options...
kevinf80 Posted May 20, 2016 ID:1041057 Share Posted May 20, 2016 The Kovter Trojan infection can be installed via kits found on exploited web sites or via TrojanDownloaders. When Kovter is installed the infection is stored in the registry as opposed to a file on your hard drive. This method of storing the malware files in the Registry rather than the hard drive can make it more difficult for antivirus programs to ever detect it. After the infection is stored in memory it can create various autorun entries that start the infection as you login to the computer. The registry entries make it difficult to view the values or even remove them using normal tools such as the Windows Registry Editor. Symantic have a removal tool specifically designed to remove this nemisis, go here: https://www.symantec.com/security_response/writeup.jsp?docid=2015-092321-2230-99 and follow the instructions, let me know the outcome..... Next, Download Farbar Recovery Scan Tool and save it to your desktop.Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version. If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way... Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.) Make sure Addition.txt is checkmarked under "Optional scans" Press Scan button to run the tool.... It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply. The tool will also make a log named (Addition.txt) Please attach those logs to your reply. Thank you, Kevin Link to post Share on other sites More sharing options...
MaxGaming3 Posted May 20, 2016 Author ID:1041061 Share Posted May 20, 2016 I'm running the tool right now but I was wondering when the virus stores itself in the registry. It it immediately when it is installed or does it do it later? Is it possible to get rid of the virus before it gets on the registry? Link to post Share on other sites More sharing options...
kevinf80 Posted May 20, 2016 ID:1041062 Share Posted May 20, 2016 Symantec tool will remove the infection. Lets wait for the report at the end, it should save same place as tool is run from.... Link to post Share on other sites More sharing options...
MaxGaming3 Posted May 20, 2016 Author ID:1041063 Share Posted May 20, 2016 Okay its done. Here are the files. FRST.txt Addition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted May 20, 2016 ID:1041064 Share Posted May 20, 2016 Did Symantec tool create a report? Link to post Share on other sites More sharing options...
MaxGaming3 Posted May 20, 2016 Author ID:1041067 Share Posted May 20, 2016 It says "Trojan.Kovter has not been found on your computer" Link to post Share on other sites More sharing options...
kevinf80 Posted May 20, 2016 ID:1041068 Share Posted May 20, 2016 That is good news, am looking over FRST logs, back shortly..... Link to post Share on other sites More sharing options...
kevinf80 Posted May 20, 2016 ID:1041071 Share Posted May 20, 2016 Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work. Run FRST and press the Fix button just once and wait. The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply. Next, Download AdwCleaner by Xplode onto your Desktop. Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Please open Malwarebytes Anti-Malware. On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits". Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button. A Threat Scan will begin. When the scan is complete Apply Actions to any found entries. Wait for the prompt to restart the computer to appear (if applicable), then click on Yes. After the restart once you are back at your desktop, open MBAM once more. To get the log from Malwarebytes do the following: Click on the History tab > Application Logs. Double click on the scan log which shows the Date and time of the scan just performed. Click Export > From export you have three options:Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your replyText file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to replyXML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply… Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... 32 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en 64 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Let me see those logs, also give an update on any remaining issues or concerns... Thank you, Kevin... Fixlist.txt Link to post Share on other sites More sharing options...
MaxGaming3 Posted May 20, 2016 Author ID:1041077 Share Posted May 20, 2016 AdwCleaner log: ***** [ Services ] ***** ***** [ Folders ] ***** [-] Folder Deleted : C:\Users\Max\AppData\Local\torch [-] Folder Deleted : C:\Users\Max\AppData\Local\YSearchUtil [-] Folder Deleted : C:\Users\Max\AppData\Roaming\tencent ***** [ Files ] ***** ***** [ DLLs ] ***** ***** [ WMI ] ***** ***** [ Shortcuts ] ***** ***** [ Scheduled tasks ] ***** ***** [ Registry ] ***** [-] Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION [AndroidServer.exe] [-] Key Deleted : HKLM\SOFTWARE\Classes\pc-mechanic [-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22E9CC7A-04B2-4558-A993-763395274E42} [-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{506DDB16-455A-4746-AD77-D23228955FD3} [-] Key Deleted : HKCU\Software\torch [-] Key Deleted : HKLM\SOFTWARE\torch [-] Key Deleted : HKLM\SOFTWARE\Uniblue ***** [ Web browsers ] ***** ************************* :: "Tracing" keys deleted :: Winsock settings cleared ************************* C:\AdwCleaner\AdwCleaner[C1].txt - [1354 bytes] - [20/05/2016 17:58:47] C:\AdwCleaner\AdwCleaner[S1].txt - [1435 bytes] - [20/05/2016 17:51:51] ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1500 bytes] ########## The other 2 scans are still running. I will send you the logs for those when they finish. Link to post Share on other sites More sharing options...
kevinf80 Posted May 20, 2016 ID:1041078 Share Posted May 20, 2016 Thanks for the update.... Link to post Share on other sites More sharing options...
MaxGaming3 Posted May 21, 2016 Author ID:1041092 Share Posted May 21, 2016 Neither MSRT or MBAM detected anything. Does this mean that I for sure don't have any viruses? Link to post Share on other sites More sharing options...
kevinf80 Posted May 21, 2016 ID:1041124 Share Posted May 21, 2016 One final scan with ESET online AV scanner, this one is very thorough so make a take a few hours.. Scan with ESET Online Scanner This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox. Temporary disable your AntiVirus and AntiSpyware protection - instructions here. after ESET is ready to run. Please visit ESET Online Scanner website. Click there Run ESET Online Scanner. If using Internet Explorer: Accept the Terms of Use and click Start. Allow the running of add-on. If using Mozilla Firefox or Google Chrome: Download esetsmartinstaller_enu.exe that you'll be given link to. Double click esetsmartinstaller_enu.exe. Allow the Terms of Use and click Start. To perform the scan: Select "Enable detection of potentially unwanted applications" Make sure that Remove found threats is unchecked. Scan archives is checked. In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked. Under “Enable Stealth Technology select “Change” select any extra drives in that window. Click Start The program will begin to download it's virus database. The speed may vary depending on your Internet connection. When completed, the program will begin to scan. This may take several hours. Please, be patient. Do not do anything on your machine as it may interrupt the scan. When the scan is done, click Finish. A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad. Please include this logfile in your next reply. Don't forget to re-enable security system! Thank you, Kevin.. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 31, 2016 Root Admin ID:1042866 Share Posted May 31, 2016 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts