
Fell for Firefox critical update - now have win32/kovter.c trojan


8 replies to this topic

#1 sacsr

  • Members
  • 45 posts

Posted 02 May 2017 - 08:16 PM

Before my first cup of coffee this morning, I got the firefox "critical update" message and without thinking downloaded and opened the file. As soon as I realized what was going on I tried to stop the download but too late.

I read the tutorial on here for win32/kovter.c trojan and went through it step by step. What I think I have figured out is my eset is catching and cleaning the file upon starting up, so when I went through the stages, it did not detect any viruses etc. I rebooted and eset immediately caught it trying to load again. (I remind my kids, wife and father in law never to download anything and I did)




#2 sacsr (Topic Starter)

Posted 03 May 2017 - 05:36 AM

Just an update. This morning so far, no message that kovter.c trojan has been detected or cleaned by eset. Maybe a good sign. I will watch today to see if I get any more messages.


#3 iMacg3

    Bleepin' 68000

  • Malware Study Hall Senior
  • 1,064 posts
  • Gender:Male
  • Location:Indiana, USA

Posted 03 May 2017 - 06:29 AM

Download Malwarebytes Anti-Malware from the provided link.

  1. Launch MBAM by clicking the .EXE file you downloaded.

  2. Run the installation wizard.

  3. Once complete, open MBAM and click Scan.

  4. Let the scan complete, then make sure all threats are selected and click Quarantine.

  5. Once done, go to History > Logs. Select the most recent Scan Log and paste its contents into a post.


Regards, iMacg3

"Do, or do not. There is no try." - Yoda

#4 sacsr (Topic Starter)

Posted 03 May 2017 - 07:07 AM

Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 5/3/17
Scan Time: 7:58 AM
Logfile:
Administrator: Yes

-Software Information-
Version: 3.0.6.1469
Components Version: 1.0.75
Update Package Version: 1.0.1860
License: Trial

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: LAPTOP-MTCO1SP8\Scott Culbreth

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 412588
Time Elapsed: 4 min, 45 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
Rootkit.Fileless.MTGen, HKU\S-1-5-21-2530408665-4014164610-2641893368-1001_Classes\46596ce\SHELL\OPEN\COMMAND, Quarantined, [1298], [386625],1.0.1860

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 3
Rootkit.Fileless.MTGen, C:\USERS\SCOTT CULBRETH\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\98A8E6A.LNK, Quarantined, [1298], [-1],0.0.0
Rootkit.Fileless.MTGen, C:\Users\SCOTT CULBRETH\AppData\Local\e658a34\95A39B2.E800D2B9, Quarantined, [1298], [-1],0.0.0
Rootkit.Fileless.MTGen, C:\USERS\SCOTT CULBRETH\START MENU\PROGRAMS\STARTUP\98A8E6A.LNK, Quarantined, [1298], [-1],0.0.0

Physical Sector: 0
(No malicious items detected)


(end)
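The scan log above shows the three links of a Kovter-style persistence chain: a .lnk in the user's Startup folder, a payload file in AppData\Local with a random extension (.E800D2B9), and a shell\open\command handler under HKU\<SID>_Classes\<random> (HKU\<SID>_Classes is the same data Windows exposes as HKCU\Software\Classes for that user). The PowerShell below is an added example, not from the thread and not part of Malwarebytes or ESET: it walks that chain for every Startup shortcut on the machine and flags any handler that launches a script host instead of a real program. The variable names and the "normal extension" list are my own assumptions, not taken from the page.

```powershell
# Added example (not from the thread): hunt for the Startup .lnk -> odd extension
# -> HKCU\Software\Classes\<ext> -> <ProgID>\shell\open\command chain that the MBAM
# log above quarantined. Run from an elevated PowerShell 5.1 prompt on the host.

$shell = New-Object -ComObject WScript.Shell

# Extensions that a legitimate Startup shortcut normally points at (assumption).
$normalExt = '.exe', '.bat', '.cmd', '.com', '.msc', '.lnk', '.url',
             '.vbs', '.js', '.ps1', '.scr'

# Per-user and all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -ErrorAction SilentlyContinue) {
        # Resolve the shortcut target; Kovter's .lnk points at a file whose
        # extension is a random hex string so that Windows consults the registry
        # for a handler instead of running the file directly.
        $target = $shell.CreateShortcut($lnk.FullName).TargetPath
        if (-not $target) { continue }
        $ext = [IO.Path]::GetExtension($target)

        if ($ext -and ($normalExt -notcontains $ext.ToLower())) {
            # Extension -> ProgID (default value of HKCU:\Software\Classes\.ext)
            $progId = (Get-ItemProperty -Path "HKCU:\Software\Classes\$ext" `
                        -ErrorAction SilentlyContinue).'(default)'

            # ProgID -> the command Explorer runs for that file type
            $openCmd = $null
            if ($progId) {
                $openCmd = (Get-ItemProperty -Path "HKCU:\Software\Classes\$progId\shell\open\command" `
                             -ErrorAction SilentlyContinue).'(default)'
            }

            [pscustomobject]@{
                Shortcut     = $lnk.FullName
                Target       = $target
                TargetExists = Test-Path -LiteralPath $target
                Extension    = $ext
                ProgId       = $progId
                OpenCommand  = $openCmd
                # A handler that invokes a script host (mshta, powershell, wscript)
                # rather than a program binary is the fileless-loader tell.
                Suspicious   = [bool]($openCmd -match 'mshta|powershell|wscript|cscript|javascript:|vbscript:')
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No Startup shortcuts with non-standard targets found.'
}
```

If the script reports a hit, export the handler key with reg export before removing it so the script body stored in the registry is preserved for analysis, then delete the .lnk, the payload file and the Classes entries together; removing only the file (as ESET did on each boot) leaves the .lnk and handler in place to re-trigger.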



#5 iMacg3

Posted 03 May 2017 - 10:32 AM

What file extension is the file? Please delete it immediately and empty the recycle bin.

Did MBAM help? If not, please follow the below steps.


Download Malwarebytes Anti-Rootkit and save it to your desktop.

  1. Double-click on the .EXE file that you downloaded and follow the extracting prompt.

  2. Find the MBAR folder and launch the executable in the folder.

  3. Select the option to Update the virus definitions.

  4. Once done updating, MBAR will scan your computer.

  5. When complete, please click Cleanup to remove the threats. Do NOT click inside the window when MBAR is doing the cleanup process.

  6. When finished, restart the PC.

  7. Post these logs, which are inside the MBAR folder, in a forum post: mbar-log(date) and system-log.txt.


Edited by iMacg3, 03 May 2017 - 10:39 AM.

Regards, iMacg3


#6 sacsr (Topic Starter)

Posted 04 May 2017 - 06:55 AM

Sorry I have not been in my office since yesterday. I think we are good. I have not seen eset picking up anything, and my cookie blocker is no longer picking up a strange IP every few minutes.

I will run the malwarebytes antirootkit tonight and post it, so you can look to see if there are any issues hidden. thanks



#7 iMacg3

Posted 04 May 2017 - 11:14 AM

Go to your downloads folder and delete everything so there is no chance of a downloaded file running itself.


Regards, iMacg3


#8 sacsr (Topic Starter)

Posted 07 May 2017 - 10:05 PM

Sorry I have been on the road for the past 7 days. I ran the mbar and it did not find anything. I closed it before I realized I needed to copy and paste the log. I will run it again tomorrow and post it then.

Maybe we have gotten it all? thanks



#9 iMacg3

Posted 08 May 2017 - 09:04 AM

Once you run MBAR, your computer is probably clean.

Just paste the log file into a post when you have a chance.


Edited by iMacg3, 08 May 2017 - 09:05 AM.

Regards, iMacg3
