|
Post by rbeechnut11 on Oct 15, 2016 3:58:27 GMT -8
Please help with removal of this virus. I have created the necessary logs
|
|
|
Post by rbeechnut11 on Oct 15, 2016 4:04:17 GMT -8
|
|
|
Post by rbeechnut11 on Oct 15, 2016 4:07:17 GMT -8
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Oct 15, 2016 9:48:56 GMT -8
FIRST >>>>
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):
Amazon 1Button App
To do so, left click on the name once and then click Uninstall/Change at the bar above the list window. Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try to deceive you into keeping the software.

SECOND >>>>
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

LAST >>>>
How is your system running now? Can you tell me where Norton was telling you Kotver files were? They no longer show in the logs you posted but we will keep looking.
|
|
|
Post by rbeechnut11 on Oct 15, 2016 12:48:50 GMT -8
Thank you for your response.....
Here is the location of the Kotver file per Norton...
Filename: 6bcda3.bat
Threat name: Trojan.Kotver!bat
Full Path: c:\users\richard\appdata\local\c2cf40\6bcda3.bat
____________________________
____________________________
On computers as of 10/14/2016 at 8:01:06 PM
Last Used 10/14/2016 at 8:03:07 PM
Startup Item Yes
Launched No
Threat type: Heuristic Virus. Detection of a threat based on malware heuristics.
____________________________
6bcda3.bat Threat name: Trojan.Kotver!bat Locate
Unknown It is unknown how many users in the Norton Community have used this file.
Unknown This file release is currently not known.
High This file risk is high.
____________________________
Source: External Media
Source File: 6bcda3.bat
____________________________
File Actions
File: c:\users\richard\appdata\local\c2cf40\ 2d4519.lnk No fix attempted
Infected file: c:\users\richard\appdata\local\c2cf40\ 6bcda3.bat Remove Failed
____________________________
Registry Actions
Registry change: HKEY_USERS\S-1-5-21-1622471919-130339503-2552963955-1001\Software\Microsoft\Windows\CurrentVersion\Run->\ x00dzsn No fix attempted
____________________________
|
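The Norton report in the post above shows three traits of this startup entry: a Run value name printed as `\ x00dzsn`, a six-hex-digit folder under AppData\Local, and hex-named .bat/.lnk files inside it. As an added example (not part of the thread, and not FRST or Norton code), this Python check scores autostart entries against those traits; it assumes the `\ x00` stands for a NUL character in the value name, and the sample entries, including the pairing of the Run value with the .bat file, are constructed.

```python
import re
from ntpath import basename, dirname, splitext

HEX_NAME = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)  # e.g. c2cf40, 6bcda3
SCRIPT_EXTS = {".bat", ".cmd", ".lnk", ".vbs", ".js"}
R_NAME = "control character in value name"
R_DIR = "hex-named folder under AppData Local"
R_FILE = "hex-named script or shortcut"

def target_path(command):
    """Pull the file path out of a Run command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted: stop at the first extension followed by a space or the end.
    m = re.match(r"(.+?\.[A-Za-z0-9]{2,4})(?:\s|$)", command)
    return m.group(1) if m else command

def score_run_entry(value_name, command):
    """Return the reasons a Run value resembles the entry in the report."""
    reasons = []
    if any(ord(ch) < 0x20 for ch in value_name):
        reasons.append(R_NAME)
    path = target_path(command)
    folder = basename(dirname(path))
    stem, ext = splitext(basename(path))
    if "\\appdata\\local\\" in path.lower() and HEX_NAME.match(folder):
        reasons.append(R_DIR)
    if ext.lower() in SCRIPT_EXTS and HEX_NAME.match(stem):
        reasons.append(R_FILE)
    return reasons

# Constructed sample data: the value name and paths mirror the Norton report;
# pairing the Run value with the .bat file is an assumption.
SAMPLE_RUN_VALUES = [
    ("\x00dzsn", r'"c:\users\richard\appdata\local\c2cf40\6bcda3.bat"'),
    ("OneDrive", r'"C:\Users\richard\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\Program Files\Vendor\app.exe /minimized"),
]

def flag_entries(entries):
    """Map each suspicious value name (repr'd, so NULs are visible) to reasons."""
    flagged = {}
    for name, command in entries:
        reasons = score_run_entry(name, command)
        if reasons:
            flagged[repr(name)] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in flag_entries(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
```

These are heuristics: a hit is a reason to inspect the entry, not proof of infection, and a clean result does not rule out an entry that uses different naming.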
|
|
Post by rbeechnut11 on Oct 15, 2016 12:50:45 GMT -8
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Oct 15, 2016 14:51:51 GMT -8
Thanks for the information and the Fixlog file. I find it hard to believe that Norton finds the Trojan and does not delete that; however, we will deal with the malware ourselves.
There is some information hidden on the system by the malware. To see if we can find this, please disable Norton from starting, reboot the system and let the Trojan run / populate itself. Then run the FRST scanner and make new logs. Once the logs are made and saved on the desktop, you can start Norton and reboot the system. Then post the new logs and I hopefully can find all the locations needed to clean this malware.
Norton just 'bothers' the malware while it is active and that triggers a 'self-protection / hiding routine' that makes the malware not show in logs or active scanners any more.
Please follow the steps below when making the logs. Read Slowly and all of it.
If you still have an Addition.txt log file on your desktop, please delete it now.
Start FRST64 that is on your Desktop by right clicking it and selecting "Run as Administrator".
Please allow the software to run when the User Access Control asks (if it does).
The tool will start to run.
When the tool opens click Yes to disclaimer (if it does).
Select Additional.txt in the Optional Scans section of FRST64. Also select the 90 Days Files.
Press Scan button.
It will make two logs (FRST.txt and addition.txt) on your Desktop.
Please attach the logs in your reply back. Or open the logs in notepad and copy the logs and paste back in a message as a reply. (Ask if you don't know how to do either of these.)
Notes:
If your Security software blocks the running or download of FRST / FRST64, please disable the security software or make an exception for this file. FRST is updated very frequently and is safe to run but because of the frequent changes (to keep up with newest malware techniques) most Security Software does not approve of the unknown file.
Right now the forum will not allow one to attach the Addition.txt file so please use wikisend.com or pastebin.com to upload the file and then post the download link here in your reply post.
|
|