RE: Recurring Malware

PeterM — Wed, 13 Dec 2017 16:55:58 GMT

Thanks,

We can see the detection is on the legit regsvr32.exe file:

C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D

That file isn't the problem it is just being used by Kovter. Kovter is what we call a fileless malware meaning once it has infected your machine it wont be us any malicious files physically stored on your machine, instead it will be running in the memory and using the Windows Registry to load itself after a reboot. We need to find where it is hiding itself in the registry and doing that is complicated.

I will send you a private message with some instructions.

RE: Recurring Malware

BeejTee — Wed, 13 Dec 2017 16:29:33 GMT

I'm replying online as I'm not sure my first email reply was sent to you.

I am using the personal version (I am on a Windows 64 bit PC).

I will insert a copy of the log below:

20171210 150514 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340704 items.
20171210 150514 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20171210 150541 The automatic sending of file data and samples for Sophos Live Protection is enabled.
20171210 150650 Scan 'Scan my computer' started.
20171210 153105 Scan 'Scan my computer' aborted.
20171210 153105 Summary of results for scan 'Scan my computer':
  Items scanned: 53
  Errors: 0
  Items quarantined: 0
  Items dealt with: 0
20171210 153350 Scan 'Scan my computer' started.
20171210 155846 Scan 'Scan my computer' aborted.
20171210 155846 Summary of results for scan 'Scan my computer':
  Items scanned: 73
  Errors: 0
  Items quarantined: 0
  Items dealt with: 0
20171210 155851 Scan 'Scan my computer' started.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 163037 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 174841 File "I:\Downloads Bkup\Downloads\DriverUpdate-setup.exe" belongs to adware or PUA 'DriverUpdate - Slimware Util' (of type Adware).
20171210 185602 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 185602 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 185602 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 185602 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 185602 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171210 192945 Adware or PUA 'DriverUpdate - Slimware Util' has been detected.
20171210 192945 Scan 'Scan my computer' completed.
20171210 192946 Summary of results for scan 'Scan my computer':
  Items scanned: 372461
  Errors: 24
  Items quarantined: 1
  Items dealt with: 0
20171210 194007 File "I:\Downloads Bkup\Downloads\DriverUpdate-setup.exe" belongs to adware or PUA 'DriverUpdate - Slimware Util' (of type Adware).
20171210 194013 File "I:\Downloads Bkup\Downloads\DriverUpdate-setup.exe" has been cleaned up.
20171210 194013 Adware or PUA 'DriverUpdate - Slimware Util' has been removed.
20171210 201455 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340707 items.
20171210 231337 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340710 items.
20171211 025819 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D': Process killed.
20171211 025826 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D'.
20171211 025828 Virus/spyware 'HPmal/Kovter-D' has been removed.
20171211 133727 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D': Process killed.
20171211 133734 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D'.
20171211 133740 Virus/spyware 'HPmal/Kovter-D' has been removed.
20171211 150014 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340716 items.
20171211 182831 Scan 'Scan my computer' started.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 190039 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 210308 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340746 items.
20171211 211051 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 211051 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 211051 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 211051 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 211051 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171211 213757 Scan 'Scan my computer' completed.
20171211 213757 Summary of results for scan 'Scan my computer':
  Items scanned: 370355
  Errors: 24
  Items quarantined: 0
  Items dealt with: 0
20171212 132424 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D': Process killed.
20171212 132431 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D'.
20171212 132433 Virus/spyware 'HPmal/Kovter-D' has been removed.
20171212 132646 Scan 'Scan my computer' started.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 140404 Scanning "C:\OEM\Preload\Autorun\APP\Best Buy Software Installer R2\Setup.exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 141835 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340798 items.
20171212 162119 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 162119 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 162119 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 162119 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 162119 Scanning "I:\FileHistory\BJT\LENOVO\Data\C\Users\BJT\Downloads\flash_setup (2015_08_18 15_36_57 UTC).exe" returned SAV Interface error 0xa0040212: The file is encrypted.
20171212 164802 Scan 'Scan my computer' completed.
20171212 164802 Summary of results for scan 'Scan my computer':
  Items scanned: 370804
  Errors: 24
  Items quarantined: 0
  Items dealt with: 0
20171213 021810 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340822 items.
20171213 132753 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D': Process killed.
20171213 132800 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D'.
20171213 132802 Virus/spyware 'HPmal/Kovter-D' has been removed.
20171213 140928 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340847 items.
20171213 162045 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340847 items.
20171213 162046 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20171213 162526 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D': Process killed.
20171213 162532 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D'.
20171213 162536 Virus/spyware 'HPmal/Kovter-D' has been removed.
20171213 162931 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340847 items.
20171213 162932 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20171213 163120 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D': Process killed.
20171213 163127 File "C:\Windows\SysWOW64\regsvr32.exe" belongs to virus/spyware 'HPmal/Kovter-D'.
20171213 163130 Virus/spyware 'HPmal/Kovter-D' has been removed.
20171213 193318 Using detection data version 5.46 (detection engine 3.70.2). This version can detect 15340869 items.
20171213 204345 Scanning "Boot record, drive F:" returned SAV Interface error 0xa0040210: The file could not be accessed.
20171213 204439 Scanning "Boot record, drive F:" returned SAV Interface error 0xa0040210: The file could not be accessed.
20171213 204556 Scanning "Boot record, drive J:" returned SAV Interface error 0xa0040210: The file could not be accessed.

RE: Recurring Malware

PeterM — Wed, 13 Dec 2017 14:57:10 GMT

Hi BeejTee,

Kovter is a nasty piece of malware, among other things it will attempt to steal user details (passwords etc), and a HPmal detection means we detected it running in memory. The fact that we have blocked and removed it is mainly referring to us killing it running in memory, you are quite right to want to know why it is coming back. There is likely something else hiding on the machine that is doing it.

What Sophos product are you using?

Can you confirm the exact detection you are getting and what file/process is being detected, assuming you are on a Windows 64bit machine you should be able to look at the log file here: C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt

that txt file will have the detections of the Kovter detection.