Mal/KovterLnk-A and Mal/KovterBat-A cannot be removed

Sophos Endpoint Security and Control 10.6 running on Windows 7 Professional x64 detected Mal/KovterLnk-A and Mal/KovterBat-A this morning and moved them to Quarantine.

The available action says Clean Up, then goes to Cleaning Up, and instantly the viruses appear in the Quarantine again.

When I open the Details that take me to the file location, the shortcuts are in the Windows Startup folder and appear and re-appear while Sophos tries to Clean Up the threat.

It appears as if the virus/malware is re-installing itself as soon as Sophos cleans it up.

 

I've tried to select and Cleanup the files, but it says a Cleanup is already in process.



This thread was automatically locked due to age.
  • Hi,

    If you know the location and/or file name of the location the files re-appear in, what about running Process Monitor:
    https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
    ...to understand what process is writing the files to that location.

    It sounds like the "dropper" is not detected if it keeps coming back.  If you can understand the process creating the files, you can then find the file responsible and send them to Sophos Labs.

    Regards,

    Jak

  • Jak,

    Thank you very much. I downloaded the tool you recommended and it ran fine. In minutes it detected tens of thousands of processes, so I am unable to identify what is generating the virus/malware.

    The first time End Point Control ran there was a file that said manual clean up required, but it is gone now. I've no idea what the name was or where it was located.

    I've updated Sophos Virus Removal Tool and it is running a scan again.

    Endpoint Control still shows the two threats cleaning up and instantly re-appearing.
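
Added example, not part of the original thread: one way to cut a large Process Monitor capture down to the processes that write into the Startup folder, assuming the capture was saved as CSV with Procmon's default columns. The sample rows and the process names `example_dropper.exe` and `av_scanner.exe` are constructed, and treating a `CreateFile` as a write only when its Detail mentions write access is a heuristic.

```python
import csv
import io
from collections import Counter

# Procmon operations that create, modify or rename a file.
WRITE_OPS = {"CreateFile", "WriteFile", "SetRenameInformationFile"}
# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"\start menu\programs\startup"

# Constructed sample in Procmon's default CSV column layout.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"09:14:01.1","explorer.exe","1500","CreateFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open"
"09:14:02.3","example_dropper.exe","2880","CreateFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2.lnk","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"09:14:02.3","example_dropper.exe","2880","WriteFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2.lnk","SUCCESS","Offset: 0, Length: 1,024"
"09:14:02.9","av_scanner.exe","940","SetRenameInformationFile","C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a1b2.lnk","SUCCESS","ReplaceIfExists: False"
"09:14:03.0","notepad.exe","3012","WriteFile","C:\Users\alice\Documents\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''

def startup_writers(csv_text, ignore=()):
    """Return [((process, pid), event_count), ...] for writes under a Startup folder."""
    ignore = {name.lower() for name in ignore}  # e.g. the AV's own clean-up process
    hits = Counter()
    # Procmon CSV exports start with a byte-order mark; drop it before parsing.
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Operation"] not in WRITE_OPS or row["Result"] != "SUCCESS":
            continue
        if STARTUP_MARKER not in row["Path"].lower():
            continue
        # Heuristic: a CreateFile without write access is only a read or listing.
        if row["Operation"] == "CreateFile" and "write" not in row["Detail"].lower():
            continue
        if row["Process Name"].lower() in ignore:
            continue
        hits[(row["Process Name"], row["PID"])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (name, pid), count in startup_writers(SAMPLE, ignore=("av_scanner.exe",)):
        print(f"{name} (PID {pid}): {count} write events in Startup")
```

The process this reports may itself be a legitimate Windows binary started by something else, so check its parent in Procmon's process tree before deciding which file to submit.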

     
