
Mal/KovterLnk-A and Mal/KovterBat-A cannot be removed

Sophos Endpoint Security and Control 10.6 running on Windows 7 Professional x64 detected Mal/KovterLnk-A and Mal/KovterBat-A this morning and moved them to Quarantine.

The available action says Clean Up, then it goes to Cleaning Up and instantly the viruses appear in the Quarantine again.


When I open the Details, which take me to the file location, the shortcuts are in the Windows Startup folder and appear and re-appear while Sophos tries to Clean Up the threat.

It appears as if the virus/malware is re-installing itself as soon as Sophos cleans it up.


I've tried to select and Cleanup the files, but it says a Cleanup is already in process.
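As an added example that is not part of this thread or of any Sophos tool, the PowerShell snippet below lists every shortcut in the per-user and All Users Startup folders and resolves what each one launches, so a defender can see what a reappearing .lnk actually points at. It assumes Windows PowerShell on a Windows client (the WScript.Shell COM object ships with Windows); the "review first" flags are a triage heuristic of this example, not a detection verdict.

```powershell
# Added example: resolve Startup-folder shortcuts to their targets for triage.
# Assumption: Windows PowerShell with the built-in WScript.Shell COM object.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

# Targets a legitimate Startup shortcut rarely launches directly.
# This is a review heuristic for the reader, not a malware signature.
$scriptLikeExtensions = @('.bat', '.cmd', '.vbs', '.js', '.jse', '.wsf', '.ps1')
$scriptHosts = @('cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')

$shell = New-Object -ComObject WScript.Shell

$report = foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    # -Force also returns hidden shortcuts, which Explorer would not show.
    foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
        $sc         = $shell.CreateShortcut($lnk.FullName)
        $target     = [string]$sc.TargetPath
        $targetName = [IO.Path]::GetFileName($target).ToLower()
        $targetExt  = [IO.Path]::GetExtension($target).ToLower()

        # Flag script-type targets, script hosts, and targets that no longer exist
        # (or that are empty, which some shortcuts use to hide what they run).
        $review = ($scriptLikeExtensions -contains $targetExt) -or
                  ($scriptHosts -contains $targetName) -or
                  ([string]::IsNullOrEmpty($target)) -or
                  (-not (Test-Path -LiteralPath $target))

        [PSCustomObject]@{
            Shortcut    = $lnk.FullName
            Created     = $lnk.CreationTime
            Target      = $target
            Arguments   = $sc.Arguments
            WorkingDir  = $sc.WorkingDirectory
            ReviewFirst = $review
        }
    }
}

$report | Sort-Object ReviewFirst -Descending | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so the All Users folder is readable; a shortcut that is re-created seconds after being removed, as described in the post, points to a still-running process rather than to the shortcut itself, which is what the Source Of Infection tool mentioned later in the thread is meant to identify.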

  • Hello Brent Berarducci,

    Sophos Home and Enterprise are different "families" - you can't install one over the other. I don't see the Sophos Remote Management System so this seems to be the stand-alone Enterprise version. 


    Both the Interactive SMaRT and the PDF have many paths, I'm not sure what you have already tried and what not. Apparently you want to update the existing installation - that might or might not work depending on what the malware did and does.
    Did you run the Source Of Infection tool? This should identify the rogue process (or a hijacked process). If the former and you can find the file it runs from then you still have to capture it. Probably not possible from the symptoms you've described. Might be possible in Safe Mode, if not you'd have to try SBAV or some LiveCD.

    Christian

  • Christian,


    I am at step 10. The SDU is running now. It is asking for a Sophos Reference Number and then says it cannot locate the referenced files.

    I don't understand how to run the SOI via the command line.

    Thank you.

  • Christian,

    I am getting messages to contact support, but when I click the support link all it does is take me to this forum.

    I can email the logs, but don't know the email to send them to.

    Thank you.

  • Hello Brent Berarducci,

    you can raise a ticket or send samples on the Support page. Samples can be sent to samples@sophos.com and support requests to support@sophos.com. If you have not yet opened a ticket for this incident you don't have a reference number, naturally.

    Scenario B in the SOI article gives an example for use in your situation (of course you have to use "your" path).

    Christian

  • Christian,

    Thank you for the link. I read the article when I downloaded the tool. It is beyond my technical ability.

    I can't even get it to open in CMD prompt.

    I've started a ticket with Sophos and uploaded the files from the SDU.

    Hopefully they have a remedy for a layperson such as me.

  • Praveen contacted me this morning and we were able to remove the threat.

    1. Download and install Sophos Clean.

    2. Re-start the machine in Safe Mode

    3. Run Sophos Clean and DELETE all detected threats. If you leave it in Quarantine it will be there when you re-start in Normal Mode and the threat will re-install itself. Must DELETE in SAFE MODE

    4. Restart machine in normal mode. Scan with Endpoint Control and Sophos Virus Removal and ensure machine is clean.

    Thank you to forum members for their suggestions and support.

    R,

    Brent