This Trojan was not found and removed by my AvastPro Antivirus software!
I am so disappointed!
My computer has been overtaxing my network components, which is what led to my further investigation using Resource Monitor. I found several instances of regsrv32.exe running. Google research of that name led me to the possibility that this was a virus.
No more regsrv32.exe in my resource monitor list and my computer boots up faster than it has in a long time :-\
I don’t know how long this has been going on but my household internet usage has been 300GB over normal for the past two months (which we blamed on our kids :o). Why it was missed by AvastPro troubles me greatly.
Posting here so others can avoid this trojan taking over their computers and causing much anguish and pain.
This Trojan was not found and removed by my AvastPro Antivirus software!
I am so disappointed!
Then you are going to be more disappointed when I tell you that [b]NO[/b] security program has 100% detection or zero false positives.
Anyway, Trojan:Win32/Kovter.C!Reg is just the malicious registry key that will start up the actual Trojan:Win32/Kovter.C.
And this was not found; has it already been removed by Avast, or is it still in there?
Did the tool from MS produce a log? Does it tell you what it “fixed” or removed? That would be helpful also as some of the tools used to fight this infection just remove the Start / Run links and leave the payload files / data registry intact.
Strangely, when I opened the history in Malwarebytes there were some files from May of this year, even though I don’t remember using this tool before. I will be posting those files as well to see if you find any differences.
We found a .lnk that had embedded JavaScript which loaded the value from the jpg registry key in the file attached here. We exported the related keys from the registry. My husband says it looks like a serialized object and he suspects this is the Trojan payload.
That, my friend, is the payload of the Trojan, and it tells the system (once called and loaded via PowerShell / WScript → JavaScript) how to set up the Start / Run links, change an association in the OS (this one could be the .jpg file association, so that this is run every time one views a JPEG file) and infect a running OS process. The actual dropper for this file is long gone and is usually manually triggered malware (attachment to an email, phishing link, etc.), which is why this is classified as malware and not a virus.
This is the first I’ve seen that has a .jpg association. The usual ones are for mshta.exe or just a straight WScript file call.
Finding the class registry key manually is quite a feat. Thanks for posting it, and hopefully you deleted the key from your registry.
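The exported keys discussed above can be triaged offline without touching the live registry. The following is an added example (not code from the thread or from any of the tools mentioned in it): a parser for the regedit 5.00 export format that flags the three things described in the reply, an autostart (Run) value that launches a script host with inline script, a file-association handler (shell\open\command) that is a script host, and an oversized value that looks like a stored payload. The sample export, the key and value names (xetg, jpg, xetgfile), the 4 KB threshold and the payload bytes are all constructed for illustration and are not taken from the poster's attachment.

```python
"""Triage an exported .reg file for Kovter-style registry persistence.

Added example, not from the forum thread. Sample data below is constructed.
"""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = re.compile(r'\b(mshta|wscript|cscript|powershell|regsvr32|rundll32)(\.exe)?\b', re.I)
INLINE_SCRIPT = re.compile(r'javascript:|vbscript:|RegRead\(|GetObject\(|-enc(odedcommand)?\b', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\(Run|RunOnce)$', re.I)
OPEN_CMD = re.compile(r'\\shell\\open\\command$', re.I)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
PAYLOAD_MIN_BYTES = 4096  # assumed threshold for "too big to be a setting"


@dataclass
class Finding:
    key: str
    name: str
    reason: str


def _join_continuations(text):
    """regedit wraps long hex values with a trailing backslash; glue them back."""
    joined, buf = [], ''
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith('\\'):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ''
    if buf:
        joined.append(buf)
    return joined


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} for a regedit 5.00 export."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = None if line.startswith('[-') else line[1:-1]  # [-key] deletes a key
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ('REG_SZ', _unescape(data[1:-1]))
        elif data.lower().startswith('dword:'):
            keys[current][name] = ('REG_DWORD', int(data[6:], 16))
        else:
            hm = re.match(r'hex(?:\((\d+)\))?:(.*)$', data, re.I)
            if not hm:
                continue
            blob = bytes(int(b, 16) for b in hm.group(2).split(',') if b)
            kind = {None: 'REG_BINARY', '2': 'REG_EXPAND_SZ', '7': 'REG_MULTI_SZ'}.get(hm.group(1), 'hex(%s)' % hm.group(1))
            if kind in ('REG_EXPAND_SZ', 'REG_MULTI_SZ'):  # UTF-16LE text stored as hex
                keys[current][name] = (kind, blob.decode('utf-16-le', 'replace').rstrip('\x00'))
            else:
                keys[current][name] = (kind, blob)
    return keys


def scan(keys, payload_min_bytes=PAYLOAD_MIN_BYTES):
    """Apply the three Kovter-style checks to parsed keys and return Findings."""
    findings = []
    for key, values in keys.items():
        for name, (kind, data) in values.items():
            text = data if isinstance(data, str) else ''
            size = len(data) if isinstance(data, bytes) else len(text.encode('utf-16-le')) if text else 4
            if RUN_KEY.search(key) and SCRIPT_HOSTS.search(text) and INLINE_SCRIPT.search(text):
                findings.append(Finding(key, name, 'autostart runs a script host with inline script'))
            elif OPEN_CMD.search(key) and SCRIPT_HOSTS.search(text):
                findings.append(Finding(key, name, 'file association handler is a script host'))
            if size >= payload_min_bytes:
                findings.append(Finding(key, name, 'oversized value (%d bytes), possible stored payload' % size))
    return findings


def _hex_lines(data, per_line=25):
    """Render bytes the way regedit does: 25 per line, backslash continuation."""
    hexes = ['%02x' % b for b in data]
    return ',\\\n  '.join(','.join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line))


_PAYLOAD = bytes(i % 256 for i in range(6000))  # constructed stand-in for the stored blob

# Constructed sample export: one benign Run entry, one Kovter-style mshta entry,
# the blob it reads, a hijacked .jpg association and a benign txtfile handler.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"xetg"="mshta \"javascript:s=new ActiveXObject('WScript.Shell');eval(s.RegRead('HKCU\\\\Software\\\\xetg\\\\jpg'));\""

[HKEY_CURRENT_USER\Software\xetg]
"jpg"=hex:''' + _hex_lines(_PAYLOAD) + r'''

[HKEY_CURRENT_USER\Software\Classes\.jpg]
@="xetgfile"

[HKEY_CURRENT_USER\Software\Classes\xetgfile\shell\open\command]
@="\"C:\\Windows\\System32\\mshta.exe\" \"javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\\\Software\\\\xetg\\\\jpg'));\""

[HKEY_CURRENT_USER\Software\Classes\txtfile\shell\open\command]
@="\"C:\\Windows\\System32\\notepad.exe\" \"%1\""
'''

if __name__ == '__main__':
    for f in scan(parse_reg(SAMPLE_REG)):
        print('%s\n    %s: %s' % (f.key, f.name, f.reason))
```

Run it against a real export (`parse_reg(open('xetg.reg.txt', encoding='utf-16').read())`; regedit writes UTF-16) and look at all three finding types together: a cleanup that only removed the Run entry still leaves the oversized blob and the association handler, which is exactly the partial fix the reply warns about.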
Your FRST logs show Avast is disabled (may just be the integration with the Windows Security Center). I believe that it would be best to do a clean install of Avast to fix this. https://forum.avast.com/?topic=143284.0
The file ‘xetg.reg.txt’ has been determined to be ‘MALWARE’.
Our analysts named the threat JS/Agent.54687.
The term “JS/” denotes a JavaScript virus.
Detection will be added to our virus definition file (VDF) with one of the next updates.
My Avast was showing as disabled only because those programs suggest disabling it while they are running. I always have it running and turned it back on as soon as I was finished with those scans.