Trojan Alert

Yuppers! It is very late! Just finishing up a few things and then it's sack time in Oklahoma. I believe it's 9:00 AM in Aussie land.
I'll catch you later on the flip flop my friend.
 
Morning holdum333! I found a great post about the Kovter Trojan at Bleeping Computer. It says it installs itself in the Windows Registry which is more difficult for most AVs to find. That's what the post says, so I don't know. But with that bit of information why don't you do a direct scan of your Registry anyways for good measure? Bleeping Computer has a good rep for helpful information.

How to remove the Kovter Trojan (Removal Guide)

***I totally messed up my post sorry, the link is fixed now***
 
Things to remember when scanning and also when something is detected.
  • Malware scanners can use definitions and/or behavior to try and determine if something is malicious
  • Just because you scan with one or two anti-malware applications and don't or do find something doesn't mean you are clean/infected
  • Malware can lie dormant, or the initial infection could be something as simple as a scheduled task or BITS job that kicks off downloading the payload (in this instance the trojan)
  • Malware can be delivered in any way imaginable, and in ways you can't imagine; the delivery is only limited by the malware author's imagination and programming skills
A partial list of infection vectors
  1. Social engineering, tricking you into clicking on a link or attachment; can also be a fake "you're out of date" message on a web page
  2. Drive-by, payload is embedded in a compromised legitimate site, in an ad, or a bad site you inadvertently clicked on
  3. Embedded in many types of files (Word, Excel, PDF, image file, exe embedded in another exe)
  4. JavaScript
  5. There is even a known instance of malware embedded in an exe's icon such that when Windows renders the icon it infects your system
  6. Polymorphic malware (Q-bot is an example): each sample that is unpacked results in a unique executable with a different signature
  7. Malware that can modify Windows DLLs to prevent security software from working
  8. Malware that disables security software
  9. Buffer overflows
  10. Heap overflows
  11. NO-OP sleds
  12. Exploiting a known or unknown (zero-day) vulnerability
  13. Packed malware
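As an added example (not from the thread or any poster), a PowerShell triage script that lists the three autostart spots the post above mentions: the Run/RunOnce registry keys, scheduled tasks, and BITS jobs. It assumes an elevated PowerShell 5.1+ session on Windows 8 or later; the script-host list and the "Suspicious" column are this example's own heuristic for what to review by hand, not a detection rule.

```powershell
# Added example, not part of the thread. Assumes elevated PowerShell 5.1+ on Windows 8 or later.
# Heuristic (this example's assumption): an autostart entry that launches a script host,
# or a Run-key value whose name is not printable ASCII, deserves a manual look.
$ScriptHosts = 'mshta','wscript','cscript','powershell','pwsh','regsvr32','rundll32','cmd'
$HostPattern = '\b(' + ($ScriptHosts -join '|') + ')(\.exe)?\b'

function Get-RunKeyEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            $cmd = [string]$p.Value
            [pscustomobject]@{ Source = $k; Name = $p.Name; Command = $cmd
                               Suspicious = ($cmd -match $HostPattern) -or ($p.Name -notmatch '^[\x20-\x7E]+$') }
        }
    }
}

function Get-TaskEntries {
    # Non-disabled tasks outside the Microsoft tree keep the review list short
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
      ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute
            $cmd = "$($a.Execute) $($a.Arguments)"
            [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName
                               Command = $cmd; Suspicious = ($cmd -match $HostPattern) }
        }
      }
}

function Get-BitsEntries {
    Import-Module BitsTransfer -ErrorAction SilentlyContinue
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
        $job = $_
        $files = ($job.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; '
        # A job that runs a command on completion is the "download, then launch" pattern
        [pscustomobject]@{ Source = 'BITS job'; Name = $job.DisplayName
                           Command = $files; Suspicious = [bool]$job.NotifyCmdLine }
    }
}

@(Get-RunKeyEntries) + @(Get-TaskEntries) + @(Get-BitsEntries) |
    Sort-Object Suspicious -Descending | Format-Table Suspicious, Source, Name, Command -AutoSize
```

Entries flagged Suspicious are only candidates for review; compare them against what you actually installed before removing anything.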
 
I'm doing a rootkit scan at the moment. What you're saying is this Trojan was just sitting there on my PC; and WD just now, while I'm sitting on this forum, decided to find it, warn me, and then stop this Trojan. You say no reason to assume it came from here and then you say it can lie anywhere at any site. I'm totally confused. I haven't been to any other site. Are you saying my PC could get infected and WD may wait a week to inform me that I'm infected. I have some real cheap bridges for sale! How many do you want??
Thanks for your help, but this is the first time I have ever heard these things and I have been on more help forums than the law allows.
I will post the rootkit scan and MBAM. Are there any more scans I should run??
Why did you blame a rootkit and was your first choice to run??

There are many different ways Malware can be detected Gary and nothing is 100% unfortunately. If Malware enters your system it can be a while before it is noticed. It may be dormant as in a worm that is coiled waiting to open that is only ever caught asleep by the very best paid antivirus programs. Malware systems often come in and navigate around getting their bearings before actually "setting up shop" and when combating suites like Antivirus 2013 (and other Vundo infections), they could sit in a system for a week before actually making their moves or sometimes go into action at once. The fact it takes them time to "set up shop" is why in some cases if someone is shown ransomware screens or in the past got one of those fake scans from Antivirus 2013 or the like, a quick "pull the plug" completely enables you to miss the infection even though you saw it. The one Crypto Locker Virus called in to me was avoided because I told the user to shut off the power strip immediately and the user never actually got the infection complete going back in an hour later.

I think you are fine now. It would not hurt to run Eset Online scan for further protection though. One thing I cannot help but wonder about and that is when you Google your Trojan, the only references are from WD. In most cases on real issues you would see entries for many antivirus companies reporting the thing so the best thing to do is wait a while and then Google it again because it might show later as a false positive attracted to WD as I have seen that before a lot.
 
A Trojan is a doorway much like the Trojan Horse that allows things through....they are generally spread through some form of social engineering so forums, or social networking sites are where they would go to "work their magic" because that is where sufficient traffic is but don't assume that the site knows they are there lurking as they can't tell that until they do something. Trojans work in tandem with other scumware usually so even though you may have caught the Trojan and removed it doesn't mean you stopped whatever it brought in with it.

Sounds like you are fine and the crisis is over, but there is a bit of a lingering, uncomfortable feeling that remains, as if you have been violated, and that is a common feeling Gary that most people have afterwards, especially if this has never happened before.
 
Hi ! All! Special thanks to all for your help. I never was infected with a Trojan. WD found the threat and quarantined it.
It was not lying dormant, and then something triggered it. Why this Trojan tried to install on my PC while I was on the forum, I probably will never know.
If it was on my PC like the Trojan Horse in the Bible days and something triggered it and started its ugly scumware; I have been a PC user long enough to recognize that was going on.
Trojans work in tandem with other scumware usually so even though you may have caught the Trojan and removed it doesn't mean you stopped whatever it brought in with it.
I do not believe any of the above quote. The Trojan was never installed on my PC and it didn't bring anything in with it. I'm not the least bit worried about anything and I don't feel violated. I feel very confident with the layered protection I have installed on my PC. I will admit I got a little worried when certain members led me to believe this Trojan was already on my PC and ready to start showing its nasty head.
I ain't buying any of it. My PC is clean and WD did its job and MBAM has always done its job. I'm not one bit worried. If I was I would restore a backup image from Macrium. Surely not all my images have a Trojan waiting to be triggered when I perform a certain action.
I'm done now! I see no use for me to revisit this thread as I think there is a lot of BS going on and I'm not sure it should be a sticky, but that's staff's decision to make.;):(
 
How much stuff is on your hard drive? If you have a lot, and WD updates its definitions, or several other possibilities, real-time may just detect the virus at a random time, this forum being slightly more likely than others.

Modern real time scanning scans everything incoming and also uses a small amount of processing power to scan everything you have on your hard drive(s).
 
@kemical You are the very best. Top of the line. Thank you my friend!:worship::worship::worship::worship::worship:
:star::star::star::star::star: 5 Stars is the best rating you can get friend. That was a lot of work. I appreciate you.
Gary!
 
How much stuff is on your hard drive? If you have a lot, and WD updates its definitions, or several other possibilities, real-time may just detect the virus at a random time, this forum being slightly more likely than others.

Modern real time scanning scans everything incoming and also uses a small amount of processing power to scan everything you have on your hard drive(s).
Hi @matterny I value all help replies. I have a 500GB hard drive. I'm using 40GB the last time I looked. WD was not updating definitions.
What are the other possibilities? I do not understand this
"real-time may just detect the virus at a random time, this forum being slightly more likely than others."
PS Welcome to the forum!:wave:
 
Real time with modern security software means that it will scan your hard drive all the time, as system resources permit, repetitively. The small amount of your hard drive used would indicate that unless you are using a minimal PC, everything gets scanned very rapidly, probably every day, so something you were doing earlier may be the cause or if an update applied after the Trojan was installed the detection may appear at a "random" time.

The forum is more likely due to using a relatively low amount of system resources.
 
Hi I don't think my hard drive is small. I have over 400GB+ of free space. I have 6GB of RAM. A four core AMD processor.
I would like to think that WD is on alert and scanning all the time. I sure don't want an AV that takes a nap on me!:rofl:
Thanks for your reply!:up:I understand real time and on demand.;) I'm not an expert on malware, but I would think that WD doesn't delay a warning or a quarantine, and wait until I'm using minimum resources to alert me!;)
 
On any of my computers that are running real time scanners, no matter what I am doing (Photoshop for example) and how many Tabs I have open, I get an instant Popup right hand side above Task Bar, alerting me Malware has been detected. It doesn't wait till my system is idle to alert me.

Maybe all my computers are weird like me.:D

Your HDD is not small, Gary.
 
Hi! Here's a little off topic Dougie. I used to get pop-ups a lot that MBAM blocked an incoming or outgoing malicious IP address.
I haven't seen one of those in a long time. I guess the Chinese finally decided they couldn't hack me and gave up trying.:rofl:
My neighbor and I sent 4 certified letters to politicians in Oklahoma with the proof of these hacking attempts.
Not surprising, but not one politician replied. They don't care. You're on your own my friends!
This is the world we have to live in if we want access to the world.;)
Tornado on the ground at Woodward Oklahoma at the moment!
 
Most AV suites are real-time. What that means is they install one or more kernel-mode drivers to intercept interactions to other parts of the kernel. They will have a filesystem filter driver that sits over the filesystem driver and a network filter driver. All user mode applications will call either into the .NET framework or can call into Windows APIs such as User32.dll, Kernel32.dll, GDI.dll etc. These all interface to the kernel through ntdll.dll and then into kernel mode. Some malware will hook directly into ntdll.dll or use their own kernel mode drivers to bypass AV.
 
Off Topic reply. Watch it's path carefully, Gary.
Will do my friend! Thanks! I'm thinking about taking some time off from this forum and do some serious thinking.
I really appreciate you Dougie. There are things we know, that others here don't know yet my friend.
Be careful friend. You're a good man Dougie;):). I'm a little down in the dumps tonight. I'll tell you about it in a PM later.
Right now I'm playing Texas-Hold-um and watching the weather.
 
Most AV suites are real-time. What that means is they install one or more kernel-mode drivers to intercept interactions to other parts of the kernel. They will have a filesystem filter driver that sits over the filesystem driver and a network filter driver. All user mode applications will call either into the .NET framework or can call into Windows APIs such as User32.dll, Kernel32.dll, GDI.dll etc. These all interface to the kernel through ntdll.dll and then into kernel mode. Some malware will hook directly into ntdll.dll or use their own kernel mode drivers to bypass AV.
Thanks @Neemobeer A wee bit over this old country boy's head, but I did understand a little bit of your reply:D. Do you have to click on anything or just be in the same room with them? Please reply in terms this old country boy understands!:rofl:
 
Real time means resident & running Gary. It means it loads on startup and also runs as a monitoring process. In the country terms you ask for, it means that the bacon was cooking as soon as it hit the pan because the pan was already hot. From a Texan to an Okie.
 