Tweet
The Kovter infection is a Trojan that performs click-fraud while running on your computer. This infection is typically installed via exploit kits found on hacked web sites or TrojanDownloaders like Nemucod. When Kovter is installed, the actual infection is stored in the Windows registry rather than as a file on your hard drive. This method of storing the malware files in the Registry rather than the hard drive makes it more difficult for antivirus programs to properly detect it.
How to remove the Kovter Trojan (Removal Guide)
The Kovter infection is a Trojan that performs click-fraud while running on your computer. This infection is typically installed via exploit kits found on hacked web sites or TrojanDownloaders like Nemucod. When Kovter is installed, the actual infection is stored in the Windows registry rather than as a file on your hard drive. This method of storing the malware files in the Registry rather than the hard drive makes it more difficult for antivirus programs to properly detect it.
Furthermore, when the infection is stored in memory it will create various autorun entries that start the infection when you login to the computer. The way these registry entries are made, makes it not possible to view the values or remove them with normal tools like the Windows Registry Editor. In fact, if you try to view the registry associated with Kovter it will display an error that states "Cannot display: Error reading the value's contents." as show below.
While infected, there are symptoms that indicate Kovter is installed on your computer. These symptoms include:
Kovter is detected under various names depending on the particular anti-virus vendor. A list of vendors and their detection names for Kovter can be found below.
As you can see, the Kovter Trojan is an intrusive infection that causes issues on your machine and can be difficult to remove. Thankfully, Symantec's Kovter Removal Tool can be used to easily remove this infection from your computer. Instructions on how to use this program are described in the removal guide below.
Array
View Associated Kovter Trojan Files %LocalAppData%\evum\%LocalAppData%\evum\1QGNQ.2MGvFO%AppData%\BlastoffCounterpoiseDissimilitude%AppD ata%\ForesideDopattaEmpyrean%AppData%\gangbang.dll%AppData%\htmlhelp.title.xml%AppData%\libertine.dl l%AppData%\minimize_hover.png%AppData%\System.dll
View Associated Kovter Trojan Registry Information HKCU\Software\Classes\.2MGvFOHKCU\Software\Classes\.2MGvFO\ ayC5HKCU\Software\Classes\ayC5HKCU\Software\Classes\ayC5\shellHKCU\Software\Classes\ayC5\shell\openH KCU\Software\Classes\ayC5\shell\open\commandHKCU\Software\3c1cee05f3HKCU\Software\Classes\ayC5\shell \open\command\ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]
Click here to view the article.
How to remove the Kovter Trojan (Removal Guide)
- Wed, 23 Mar 2016 16:29:02 EDT
- Read 195 times
The Kovter infection is a Trojan that performs click-fraud while running on your computer. This infection is typically installed via exploit kits found on hacked web sites or TrojanDownloaders like Nemucod. When Kovter is installed, the actual infection is stored in the Windows registry rather than as a file on your hard drive. This method of storing the malware files in the Registry rather than the hard drive makes it more difficult for antivirus programs to properly detect it.
Furthermore, when the infection is stored in memory it will create various autorun entries that start the infection when you login to the computer. The way these registry entries are made, makes it not possible to view the values or remove them with normal tools like the Windows Registry Editor. In fact, if you try to view the registry associated with Kovter it will display an error that states "Cannot display: Error reading the value's contents." as show below.
While infected, there are symptoms that indicate Kovter is installed on your computer. These symptoms include:
- Task Manager will show numerous occurrences of mshta.exe or powershell.exe processes running as shown in the image below.
- Pages may be blocked or unreachable while you are browsing the web.
- Your computer will act sluggish and programs will take a long time to start up.
- Unusual disk activity.
- Alerts stating that PowerShell has stopped working:
Kovter is detected under various names depending on the particular anti-virus vendor. A list of vendors and their detection names for Kovter can be found below.
Definition Name |
Anti-virus Vendor |
| Win32:Kovter-C | Avast |
| Win32/Kovter.C | ESET-NOD32 |
| Trojan:Win32/Kovter!rfn | Microsoft |
| Trojan.GenericKD.3112101 (B) | Emsisoft |
| Trojan.Kotver Trojan.Kotver!gen1 Trojan.Ransomlock.AK Trojan.Ransomlk.AK!gm |
Symantec |
| Trojan.Win32.Kovter.evv | Kaspersky |
| Trojan.GenericKD.3112101 | F-Secure |
| Ransom_.956D2004 | Trend Micro |
| Trojan.GenericKD.3112101 | BitDefender |
| Trojan.Kovter!Tocgra7MIok | Agnitum |
| TR/Kovter.352313 | Avira |
| Trojan.Kovter.88 | DrWeb |
| Trojan/Kovter.c | TheHacker |
| Trojan.Win32.Z.Kovter | ViRobot |
| Trojan.Kovter | Malwarebytes |
Array
View Associated Kovter Trojan Files %LocalAppData%\evum\%LocalAppData%\evum\1QGNQ.2MGvFO%AppData%\BlastoffCounterpoiseDissimilitude%AppD ata%\ForesideDopattaEmpyrean%AppData%\gangbang.dll%AppData%\htmlhelp.title.xml%AppData%\libertine.dl l%AppData%\minimize_hover.png%AppData%\System.dll
View Associated Kovter Trojan Registry Information HKCU\Software\Classes\.2MGvFOHKCU\Software\Classes\.2MGvFO\ ayC5HKCU\Software\Classes\ayC5HKCU\Software\Classes\ayC5\shellHKCU\Software\Classes\ayC5\shell\openH KCU\Software\Classes\ayC5\shell\open\commandHKCU\Software\3c1cee05f3HKCU\Software\Classes\ayC5\shell \open\command\ HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ [unreadable_char]
Click here to view the article.