Trojan Alert

Discussion in 'Windows Security' started by holdum333, May 22, 2016.

  1. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Yuppers! It is very late! Just finishing up a few things and then it's sack time in Oklahoma. I believe it's 9:00 AM in Aussie land.
    I'll catch you later on the flip flop my friend.
     
  2. LoboVerde

    LoboVerde Active Member

    Joined:
    Apr 24, 2016
    Messages:
    211
    Likes Received:
    26
    Morning holdum333! I found a great post about the Kovter Trojan at Bleeping Computer. It says it installs itself in the Windows Registry which is more difficult for most AVs to find. That's what the post says, so I don't know. But with that bit of information why don't you do a direct scan of your Registry anyways for good measure? Bleeping Computer has a good rep for helpful information.

    How to remove the Kovter Trojan (Removal Guide)

    ***I totally messed up my post, sorry; the link is fixed now***
     
    #42 LoboVerde, May 23, 2016
    Last edited: May 23, 2016
  3. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,391
    Likes Received:
    360
    Things to remember when scanning and also when something is detected.
    • Malware scanners can use definitions and/or behavior to try and determine if something is malicious
    • Just because you scan with one or two anti-malware applications and don't or do find something doesn't mean you are clean/infected
    • Malware can lie dormant, or the initial infection could be something as simple as a scheduled task or BITS job that kicks off downloading the payload (in this instance the trojan)
    • Malware can be delivered in any way imaginable (and in ways you can't imagine); the delivery is limited only by the malware author's imagination and programming skills
    A partial list of infection vectors
    1. Social engineering: tricking you into clicking on a link or attachment; can also be a fake "you're out of date" message on a web page
    2. Drive-by: the payload is embedded in a compromised legitimate site, in an ad, or on a bad site you inadvertently clicked on
    3. Embedded in many types of files (Word, Excel, PDF, image file, an exe embedded in another exe)
    4. JavaScript
    5. There is even a known instance of malware embedded in an exe's icon such that when Windows renders the icon it infects your system
    6. Polymorphic malware (Q-bot is an example): each sample that is unpacked results in a unique executable with a different signature
    7. Malware that can modify Windows DLLs to prevent security software from working
    8. Malware that disables security software
    9. Buffer overflows
    10. Heap overflows
    11. NO-OP sleds
    12. Exploiting a known or unknown (zero-day) vulnerability
    13. Packed malware
     
  4. RichM

    RichM Active Member

    Joined:
    May 9, 2016
    Messages:
    321
    Likes Received:
    49
    There are many different ways Malware can be detected, Gary, and nothing is 100% unfortunately. If Malware enters your system it can be a while before it is noticed. It may be dormant, as in a worm that is coiled waiting to open, that is only ever caught asleep by the very best paid antivirus programs. Malware systems often come in and navigate around getting their bearings before actually "setting up shop", and when combating suites like Antivirus 2013 (and other Vundo infections), they could sit in a system for a week before actually making their moves or sometimes go into action at once. The fact it takes them time to "set up shop" is why in some cases, if someone is shown ransomware screens or in the past got one of those fake scans from Antivirus 2013 or the like, a quick "pull the plug" completely enables you to miss the infection even though you saw it. The one Crypto Locker Virus called in to me was avoided because I told the user to shut off the power strip immediately, and the user never actually got the infection completed, going back in an hour later.

    I think you are fine now. It would not hurt to run the Eset Online scan for further protection though. One thing I cannot help but wonder about is that when you Google your Trojan, the only references are from WD. In most cases on real issues you would see entries for many antivirus companies reporting the thing, so the best thing to do is wait a while and then Google it again, because it might show later as a false positive attracted to WD, as I have seen that before a lot.
     
  5. RichM

    RichM Active Member

    Joined:
    May 9, 2016
    Messages:
    321
    Likes Received:
    49
    A Trojan is a doorway, much like the Trojan Horse, that allows things through.... They are generally spread through some form of social engineering, so forums or social networking sites are where they would go to "work their magic" because that is where sufficient traffic is, but don't assume that the site knows they are there lurking, as they can't tell that until they do something. Trojans work in tandem with other scumware usually, so even though you may have caught the Trojan and removed it, that doesn't mean you stopped whatever it brought in with it.

    Sounds like you are fine and the crisis is over, but there is a bit of a lingering, uncomfortable feeling that remains, as if you have been violated, and that is a common feeling, Gary, that most people have afterwards, especially if this has never happened before.
     
  6. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Hi! All! Special thanks to all for your help. I never was infected with a Trojan. WD found the threat and quarantined it.
    It was not lying dormant, and then something triggered it. Why this Trojan tried to install on my PC while I was on the forum, I probably will never know.
    If it was on my PC like the Trojan Horse in the Bible days and something triggered it and started its ugly scumware; I have been a PC user long enough to recognize what was going on.
    I do not believe any of the above quote. The Trojan was never installed on my PC and it didn't bring anything in with it. I'm not the least bit worried about anything and I don't feel violated. I feel very confident with the layered protection I have installed on my PC. I will admit I got a little worried when certain members led me to believe this Trojan was already on my PC and ready to start showing its nasty head.
    I ain't buying any of it. My PC is clean and WD did its job and MBAM has always done its job. I'm not one bit worried. If I was I would restore a backup image from Macrium. Surely not all my images have a Trojan waiting to be triggered when I perform a certain action.
    I'm done now! I see no use for me to revisit this thread as I think there is a lot of BS going on and I'm not sure it should be a sticky, but that's staff's decision to make.;):(
     
    #46 holdum333, May 23, 2016
    Last edited by a moderator: May 24, 2016
  7. XAOS

    XAOS Member

    Joined:
    Apr 27, 2016
    Messages:
    49
    Likes Received:
    18
    You were never infected, Gary.
    As I said, the Trojan was caught at the front gate, and Quarantined.
    All this advice is if you were infected, and that's not the case.
     
    allheart55 and holdum333 like this.
  8. matterny

    matterny New Member

    Joined:
    May 13, 2016
    Messages:
    20
    Likes Received:
    0
    How much stuff is on your hard drive? If you have a lot, and WD updates its definitions, or several other possibilities, real-time may just detect the virus at a random time, this forum being slightly more likely than others.

    Modern real-time scanning scans everything incoming and also uses a small amount of processing power to scan everything you have on your hard drive(s).
     
  9. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    @kemical You are the very best. Top of the line. Thank you my friend!:worship::worship::worship::worship::worship:
    :star::star::star::star::star: 5 Stars is the best rating you can get friend. That was a lot of work. I appreciate you.
    Gary!
     
  10. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Hi @matterny I value all help replies. I have a 500GB hard drive. I'm using 40GB the last time I looked. WD was not updating definitions.
    What are the other possibilities? I do not understand this:
    "real-time may just detect the virus at a random time, this forum being slightly more likely than others."
    PS Welcome to the forum!:wave:
     
  11. matterny

    matterny New Member

    Joined:
    May 13, 2016
    Messages:
    20
    Likes Received:
    0
    Real time with modern security software means that it will scan your hard drive all the time, as system resources permit, repetitively. The small amount of your hard drive used would indicate that, unless you are using a minimal PC, everything gets scanned very rapidly, probably every day, so something you were doing earlier may be the cause, or if an update applied after the Trojan was installed, the detection may appear at a "random" time.

    The forum is more likely due to using a relatively low amount of system resources.
     
    #51 matterny, May 23, 2016
    Last edited: May 25, 2016
  12. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Hi I don't think my hard drive is small. I have over 400GB+ of free space. I have 6GB of RAM. A four core AMD processor.
    I would like to think that WD is on alert and scanning all the time. I sure don't want an AV that takes a nap on me!:rofl:
    Thanks for your reply!:up:I understand real time and on demand.;) I'm not an expert on malware, but I would think that WD doesn't delay a warning or a quarantine, and wait until I'm using minimum resources to alert me!;)
     
  13. XAOS

    XAOS Member

    Joined:
    Apr 27, 2016
    Messages:
    49
    Likes Received:
    18
    On any of my computers that are running real time scanners, no matter what I am doing (Photoshop, for example) and how many Tabs I have open, I get an instant Popup right hand side above the Task Bar, alerting me Malware has been detected. It doesn't wait till my system is idle to alert me.

    Maybe all my computers are weird like me.:D

    Your HDD is not small, Gary.
     
  14. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    :rofl:
    You're not weird my friend, but you are different.:ahaha:
    Thanks for your reply.:brew:
     
    XAOS likes this.
  15. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Hi! Here's a little off topic, Dougie. I used to get pop-ups a lot that MBAM blocked an incoming or outgoing malicious IP address.
    I haven't seen one of those in a long time. I guess the Chinese finally decided they couldn't hack me and gave up trying.:rofl:
    Myself and my neighbor sent 4 certified letters to politicians in Oklahoma with the proof of these hacking attempts.
    Not surprising, but not one politician replied. They don't care. You're on your own my friends!
    This is the world we have to live in if we want access to the world.;)
    Tornado on the ground at Woodward, Oklahoma at the moment!
     
  16. XAOS

    XAOS Member

    Joined:
    Apr 27, 2016
    Messages:
    49
    Likes Received:
    18
    Off Topic reply. Watch it's path carefully, Gary.
     
  17. Neemobeer

    Neemobeer Windows Forum Team
    Staff Member

    Joined:
    Jul 4, 2015
    Messages:
    2,391
    Likes Received:
    360
    Most AV suites are real-time. What that means is they install one or more kernel-mode drivers to intercept interactions with other parts of the kernel. They will have a filesystem filter driver that sits over the filesystem driver and a network filter driver. All user mode applications will call either into the .NET framework or can call into Windows APIs such as User32.dll, Kernel32.dll, GDI.dll etc. These all interface to the kernel through ntdll.dll and then into kernel mode. Some malware will hook directly into ntdll.dll or use their own kernel mode drivers to bypass AV.
     
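    Neemobeer's point above, that malware can hook ntdll.dll to get around the user-mode side of real-time AV, is the basis for the following added example (not code from the thread or from any AV product): a read-only Python check that compares ntdll's syscall stubs as they appear on disk against the copy in process memory and reports stubs that have been rewritten. The stub bytes and syscall numbers are constructed sample data, not real ntdll contents.

```python
"""
Added example, not code from the thread: a read-only integrity check modelled
on how a defender can spot user-mode hooks in ntdll.dll. Calls that AV sees
in user mode pass through ntdll.dll's syscall stubs, so malware that patches
those stubs in memory can sidestep that part of the monitoring.
All byte strings below are constructed sample data, not real ntdll contents.
"""
from typing import Optional

# Canonical x64 ntdll syscall stub prologue: mov r10, rcx ; mov eax, <syscall no>
STUB_PREFIX = b"\x4c\x8b\xd1\xb8"


def syscall_number(stub: bytes) -> Optional[int]:
    """Return the syscall number encoded in an intact stub, else None."""
    if len(stub) < 8 or not stub.startswith(STUB_PREFIX):
        return None
    return int.from_bytes(stub[4:8], "little")


def classify_patch(stub: bytes) -> str:
    """Describe how the first bytes of a modified stub were rewritten."""
    if stub[:1] == b"\xe9":
        return "inline jmp rel32 hook"
    if stub[:2] == b"\xff\x25":
        return "inline jmp [rip+disp32] hook"
    return "unrecognised modification"


def check_stubs(disk: dict, memory: dict) -> list:
    """Compare each export's on-disk stub with its in-memory copy; report changes."""
    findings = []
    for name, disk_bytes in sorted(disk.items()):
        mem_bytes = memory.get(name)
        if mem_bytes is None:
            findings.append((name, "missing in memory"))
        elif mem_bytes != disk_bytes:
            findings.append((name, classify_patch(mem_bytes)))
    return findings


# Constructed on-disk stubs; the syscall numbers are made up for illustration.
DISK = {
    "NtCreateFile": STUB_PREFIX + (0x55).to_bytes(4, "little") + b"\x0f\x05\xc3",
    "NtWriteVirtualMemory": STUB_PREFIX + (0x3a).to_bytes(4, "little") + b"\x0f\x05\xc3",
}
# Constructed in-memory view: one stub intact, one overwritten with a jmp rel32.
MEMORY = dict(DISK)
MEMORY["NtWriteVirtualMemory"] = b"\xe9\x00\x10\x00\x00" + DISK["NtWriteVirtualMemory"][5:]

if __name__ == "__main__":
    for export, verdict in check_stubs(DISK, MEMORY):
        print(f"{export}: {verdict}")
```

    On a live system the two dictionaries would be filled from the on-disk ntdll.dll image and from the loaded module's export table; a kernel-mode hook or driver, as the post also mentions, would not show up in this user-mode comparison.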
  18. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Will do my friend! Thanks! I'm thinking about taking some time off from this forum and doing some serious thinking.
    I really appreciate you Dougie. There are things we know, that others here don't know yet my friend.
    Be careful friend. You're a good man Dougie;):). I'm a little down in the dumps tonight. I'll tell you about it in a PM later.
    Right now I'm playing Texas-Hold-um and watching the weather.
     
    XAOS likes this.
  19. holdum333

    holdum333 Banned

    Joined:
    Mar 27, 2016
    Messages:
    1,244
    Likes Received:
    147
    Thanks @Neemobeer A wee bit over this old country boy's head, but I did understand a little bit of your reply:D. Do you have to click on anything or just be in the same room with them? Please reply in terms this old country boy understands!:rofl:
     
  20. William B

    William B Active Member

    Joined:
    May 14, 2016
    Messages:
    146
    Likes Received:
    32
    Real time means resident & running, Gary. It means it loads on startup and also runs as a monitoring process. In the Country terms you ask for, it means that the bacon was cooking as soon as it hit the pan because the pan was already hot. From a Texan to an Okie.
     
    holdum333 likes this.