Mal/KovterLnk-A and Mal/KovterBat-A cannot be removed

Sophos Endpoint Security and Control 10.6 running on Windows 7 Professional x64 detected Mal/KovterLnk-A and Mal/KovterBat-A this morning and moved them to Quarantine.

The available action says Clean Up, then it goes to Cleaning Up, and instantly the viruses appear in the Quarantine again.

When I open the Details that take me to the file location, the shortcuts are in the Windows Startup folder and appear and re-appear while Sophos tries to Clean Up the threat.

It appears as if the virus/malware is re-installing itself as soon as Sophos cleans it up.

I've tried to select and Clean Up the files, but it says a Clean Up is already in process.

  • Hi,

    If you know the location and/or file name of the location the files re-appear in, what about running Process Monitor:
    https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    ...to understand what process is writing the files to that location.

    It sounds like the "dropper" is not detected if it keeps coming back.  If you can understand the process creating the files, you can then find the file responsible and send them to Sophos Labs.

    Regards,

    Jak
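An added example (not from the thread, not Sophos or Sysinternals tooling) of the approach Jak describes: instead of reading a raw Process Monitor capture, switch on NTFS object-access auditing for the user's Startup folder and let the Security event log record which process creates or deletes files there. It assumes an elevated PowerShell 3 or later prompt on Windows 7 or newer; the folder path comes from the standard Startup special folder rather than the path in the log above.

```powershell
# Added example: identify the process that keeps writing shortcuts into the
# current user's Startup folder, via NTFS auditing + Security event 4663.
# Assumes an elevated PowerShell 3+ prompt (Get-Acl -Audit, Set-Acl, auditpol
# and Get-WinEvent are all built in). Not part of the original thread.

$startup = [Environment]::GetFolderPath('Startup')   # ...\Start Menu\Programs\Startup

# 1. Enable success auditing for the "File System" subcategory (machine-wide).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Put a SACL entry on the folder so that creating, appending to or deleting
#    any file inside it is logged as event 4663 ("An attempt was made to
#    access an object"), which carries the writer's ProcessName and ProcessId.
$acl  = Get-Acl -Path $startup -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AuditFlags]'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $startup -AclObject $acl

# 3. Let the quarantine / re-drop cycle run for a while, then collect the
#    4663 events whose object lives under the Startup folder.
Start-Sleep -Seconds 60
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-2)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['ObjectName'] -like "$startup\*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Process = $d['ProcessName']
            Pid     = [int]$d['ProcessId']   # logged as hex, e.g. 0x1a4
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']
        }
    }
}

# 4. The process at the top of this table is the one to look at (and to
#    submit to Sophos Labs), not the .lnk files it keeps dropping.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 5. Clean up the audit entry when done.
$acl.RemoveAuditRule($rule) | Out-Null
Set-Acl -Path $startup -AclObject $acl
```

If the writer turns out to be a legitimate host such as powershell.exe, mshta.exe or regsvr32.exe rather than a standalone executable, the useful next step is the command line or registry value that launched it, which this log alone does not give; at that point a Process Monitor capture filtered to just that PID is far smaller and easier to read than the unfiltered trace.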

  • Jak,

Thank you very much. I downloaded the tool you recommended and it ran fine. In minutes it detected tens of thousands of processes, so I am unable to identify what is generating the virus/malware.

The first time Endpoint Control ran there was a file that said manual clean up required, but it is gone now. I've no idea what the name was or where it was located.

    I've updated Sophos Virus Removal Tool and it is running a scan again.

    Endpoint Control still shows the two threats cleaning up and instantly re-appearing.

  • This is from the Anti-Virus Log of Endpoint Control

    ****************** Sophos Anti-Virus Log - 10/9/2016 3:54:52 PM **************

        ...
    20161009 155049 File "C:\Users\BABerarducci\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
    20161009 155049 On-access scanner has denied access to location "C:\Users\BABerarducci\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" for user BCM-PC\BABerarducci
    20161009 155050 File "C:\Users\BABerarducci\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\022c92f0.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
    20161009 155050 File "C:\Users\BABerarducci\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
    20161009 155050 On-access scanner has denied access to location "C:\Users\BABerarducci\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" for user BCM-PC\BABerarducci
          (5 items)
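An added example, not part of the original thread, that tallies a Sophos Anti-Virus log of the format shown above to make the re-infection cycle visible: it groups "belongs to virus/spyware" lines by path, counts how often each path was re-detected, and reports the time span between the first and last detection. The sample lines are constructed to match the post's format (with a placeholder user name); the function name and the PowerShell 3+ requirement are assumptions.

```powershell
# Added example: summarise re-detections from a Sophos Anti-Virus log.
# Sample lines below are constructed in the format seen in the thread.

$sample = @'
20161009 155049 File "C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
20161009 155049 On-access scanner has denied access to location "C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" for user BCM-PC\Someone
20161009 155050 File "C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\022c92f0.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
20161009 155050 File "C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
20161009 155115 File "C:\Users\Someone\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15731b43.lnk" belongs to virus/spyware 'Mal/KovterLnk-A'.
'@

function Get-SophosRedetections {
    param([string[]]$Lines)

    # Only the "File ... belongs to virus/spyware '...'" lines carry a detection;
    # the "denied access" lines are the on-access scanner blocking the same file.
    $rx = '^(?<d>\d{8}) (?<t>\d{6}) File "(?<path>[^"]+)" belongs to virus/spyware ''(?<name>[^'']+)''\.$'

    $parsed = foreach ($l in $Lines) {
        if ($l -match $rx) {
            [pscustomobject]@{
                Time = [datetime]::ParseExact($Matches.d + $Matches.t, 'yyyyMMddHHmmss', $null)
                Path = $Matches.path
                Name = $Matches.name
            }
        }
    }

    $parsed | Group-Object Path | ForEach-Object {
        $times = @(foreach ($g in $_.Group) { $g.Time }) | Sort-Object
        $times = @($times)
        $names = @(foreach ($g in $_.Group) { $g.Name }) | Select-Object -Unique
        [pscustomobject]@{
            Path      = $_.Name
            Detection = ($names -join ',')
            Count     = $_.Count
            SpanSec   = ($times[-1] - $times[0]).TotalSeconds
        }
    } | Sort-Object Count -Descending
}

# Usage on the constructed sample; point it at the real log with Get-Content instead.
Get-SophosRedetections -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
```

A path that shows several detections within a few seconds, as 15731b43.lnk does in the sample, is being recreated between clean-ups rather than surviving them, which is the signature of an undetected dropper still running on the machine.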

  • Jak,

    I believe I located the file you described. I am the only user/administrator on the machine, but it says I have insufficient permission to delete the file and get the same message when trying to submit the file to Sophos Labs.

  • Jak,

After Sophos Anti-Virus completed it said it cleaned up both threats and submitted a log to Sophos.

    When I checked Endpoint Control the threats are still re-installing and being cleaned up.

    I started the scans again and they both detect the threats.

    This seems a very pervasive threat.

    Thank you again for your help.

  • Jak,

    After another re-start the shield in the system tray now says Sophos is disabled, but ALMON.exe is running in the task manager.

    There are now additional items in the Quarantine that require manual cleanup including an interchk.chk file in Sophos itself.

  • Hello Brent Berarducci.

Please see the Sophos Malware Remediation Toolkit (SMaRT). IMO it's a good walk-through and helps with a systematic approach. If you've contracted this thing as a user with administrative rights you might have to use SBAV.

    Christian   

  • Christian,

    Thank you for this valuable suggestion.

I am to the point where I need to isolate the computer from the network, and the steps tell me to run Sophos Anti-Virus. However, when I download and try to install Sophos Anti-Virus I receive an error message that says it will not install unless I uninstall all other instances of Sophos software first. This doesn't seem intuitive; is this correct?

    Thank you again.

  • Hello Brent Berarducci,

    "I download and try to install Sophos Anti-Virus"

    Which package? The SESC stand-alone? Normally setup logs its actions in your user's %TEMP% directory (the Enterprise installer e.g. Sophos ES setup.log) naming the "unacceptable" product(s); I wonder if it's the SVRT. Could you post/show the exact error message? If I understand correctly you have SESC installed but it no longer seems to work?

    Christian

  • Christian,

    This is the message I am receiving

    These are the Sophos installations I have currently.

    When I place my cursor over the Sophos Icon in the System tray this morning it says Sophos Protection Disabled and Sophos Protection Update has Failed. However Sophos opens up and looks normal.

    The Anti-Virus Log just keeps repeating that Mal/KovterLnk-A has been removed, then follows that it has been detected; same with Mal/KovterBat-A.

    The Quarantine continues to show Clean Up, Cleaning Up, then the threats re-appear.

    Thank you very much for your interest and support.