Threat Explorer
Trojan.Kotver Removal Tool

Discovered: September 23, 2015

This tool is designed to remove Trojan.Kotver infections.

How to download and run the tool

Important:
  • Selecting "Run as administrator" will result in an incomplete repair. You must be logged in to the Administrator account and all other users must be logged out in order for the tool to work correctly.
  • There are two versions of this tool, one designed to run on 32-bit computers and one designed to run on 64-bit computers. To find out if your computer is running a 32-bit or 64-bit version of Windows, please read the following Microsoft Knowledge Base article: How to determine whether a computer is running a 32-bit version or 64-bit version of the Windows operating system
  • Before running the tool it is important to rename the file to [RANDOM NAME].exe (as described in step 6 below). If this step is not followed Trojan.Kotver may end the process and the tool will not work.

Note for network administrators: If you are running MS Exchange 2000 Server, we recommend that you exclude the M drive from the scan by running the tool from a command line, with the Exclude switch. For more information, read the Microsoft Knowledge Base article: Issues caused by a back up or a scan of the Exchange 2000 M drive

Follow these steps to download and run the tool:
  1. Download FixToolKotver64.exe for 64-bit computers and FixToolKotver32.exe for 32-bit computers.
  2. Save the file to a convenient location, such as your Windows desktop.
  3. If you are sure that you are downloading this tool from the Security Response website, you can skip this step. If you are not sure, or are a network administrator and need to authenticate the files before deployment, follow the steps in the Digital Signature section before proceeding with step 4.
  4. Close all the running programs.
  5. If you are running Windows XP, turn off System Restore. For instructions on how to turn off System Restore, read your Windows documentation.
  6. Important: Rename the tool to [RANDOM NAME].exe to ensure that Trojan.Kotver does not end the process.
  7. Double-click the renamed [RANDOM NAME].exe file to start the removal tool.
  8. Click I Accept to accept the EULA, then click Start to begin the process and allow the tool to run.
  9. When the tool has finished running, you will see a message prompting you to check the log file for results.

The removal tool writes a summary of its operation to a log file named FixToolKotver64.log or FixToolKotver32.log with results similar to the following:
  • List of terminated processes
  • List of removed registry values

If the system is clean, no restart is required and the log file will be blank.

Note: If the removal tool does not display the following message after being run, please run the removal tool again to provide confirmation that the compromised computer has been repaired:
  • Trojan.Kotver has not been found on the system.

Note: If all running programs were not closed prior to successful removal of Trojan.Kotver, it may be necessary to relaunch relevant applications or reboot the computer to restore functionality. This is the result of injected processes being terminated.

What the removal tool does
The removal tool carries out the following actions:
  • Terminates the associated processes
  • Removes registry keys/values added by the threat

Switches
The following switches are designed for use by network administrators:
  • /HELP, /H, /?
    Displays the help message
  • /SILENT, /S
    Enables silent mode
  • /NOSILENTREBOOT
    If silent mode is enabled, no reboot will occur
  • /LOG=[PATH NAME]
    Creates a logfile where [PATH NAME] is the location in which to store the removal tool's output. By default, this switch creates the logfile in the same folder from which the removal tool was executed.
  • /MAPPED
    Scans the mapped network drives. (We do not recommend using this switch.*)

*Important: Using the /MAPPED switch does not ensure the complete removal of the virus on the remote computer, because:
  • The scanning of mapped drives scans only the mapped folders. This may not include all of the folders on the remote computer, which can lead to missed detections.
  • If a viral file is detected on the mapped drive, the repair may fail if a program on the remote computer uses that file.
  • On Windows Vista and Windows 7, scanning mapped drives may fail if the user account running the removal tool is not the administrator account, even if it is a member of the Administrator group. In these cases the mapped drive will appear as disconnected after scanning with the removal tool. Please see the following Microsoft Knowledge Base article for more information: Programs may be unable to access some network locations after you turn on User Account Control in Windows Vista or newer operating systems

Therefore, you should run the removal tool on every computer.
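The following PowerShell script is an added example (not Symantec's code) of how an administrator might run the tool unattended on a single machine using the switches documented above. It performs the random rename from step 6, runs the tool with /SILENT, /NOSILENTREBOOT and /LOG=, then reads the log back. The paths in $ToolPath and $LogDir are assumptions; the script still has to be run from the Administrator account with other users logged out, as the Important section requires.

```powershell
# Added example, not part of the Symantec page: unattended run of the Kotver removal tool.
# Assumptions: the tool was already downloaded to $ToolPath (and its signature checked),
# and $LogDir is where the administrator wants the per-host log collected.
param(
    [string]$ToolPath = 'C:\FixToolKotver64.exe',   # assumed download location
    [string]$LogDir   = 'C:\KotverLogs'             # assumed log collection folder
)

# Step 6 on the page: rename to [RANDOM NAME].exe so the threat cannot pick the
# tool's process out by its well-known filename and terminate it.
$randomName = -join ((48..57) + (97..122) | Get-Random -Count 12 | ForEach-Object { [char]$_ })
$renamed = Join-Path (Split-Path $ToolPath -Parent) "$randomName.exe"
Copy-Item -Path $ToolPath -Destination $renamed -Force

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$logPath = Join-Path $LogDir "$env:COMPUTERNAME-Kotver.log"

# Switches from the page: /SILENT suppresses the EULA and Start prompts,
# /NOSILENTREBOOT stops the host restarting on its own, /LOG= places the summary.
$proc = Start-Process -FilePath $renamed `
    -ArgumentList '/SILENT', '/NOSILENTREBOOT', "/LOG=$logPath" `
    -Wait -PassThru

# Remove the randomly named copy so only the original download remains on disk.
Remove-Item -Path $renamed -Force

# Per the page, a clean system leaves the log blank; otherwise the log lists the
# terminated processes and removed registry values, which should be reviewed.
$logText = if (Test-Path $logPath) { Get-Content -Path $logPath -Raw } else { '' }
if ([string]::IsNullOrWhiteSpace($logText)) {
    Write-Output "$env:COMPUTERNAME: no detections logged (exit code $($proc.ExitCode)); re-run to confirm"
} else {
    Write-Output "$env:COMPUTERNAME: repair actions logged, review $logPath (exit code $($proc.ExitCode))"
    Write-Output $logText
}
```

Because the page recommends against /MAPPED, the script deliberately scans only the local machine; run it on each host rather than scanning others over mapped drives.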

Digital signature
For security purposes, the removal tool is digitally signed. Symantec recommends that you use only copies of the removal tool that have been directly downloaded from the Symantec Security Response website. If you are not sure, or are a network administrator and need to authenticate files before deployment, you should check the authenticity of the digital signature. Follow these steps:
  1. Go to http://www.wmsoftware.com/free.htm.
  2. Download and save the Chktrust.exe file to the same folder in which you saved the removal tool.

    Note: Most of the following steps are done at a command prompt. If you downloaded the removal tool to the Windows desktop, it will be easier if you first move the tool to the root of the C drive. Then save the Chktrust.exe file to the root of the C drive as well. (Step 3 assumes that both the removal tool and Chktrust.exe are in the root of the C drive.)
  3. Click Start > Run.
  4. Type the following: cmd
  5. Click OK.
  6. For 64-bit computers, in the command window type the following, pressing Enter after each line:
    cd\
    chktrust -i FixToolKotver64.exe

    For 32-bit computers, in the command window type the following, pressing Enter after each line:
    cd\
    chktrust -i FixToolKotver32.exe
  7. You should see one of the following messages, depending on your operating system:

    Windows XP SP2: The Trust Validation Utility window will appear. Under Publisher, click the Symantec Corporation link. The Digital Signature Details appear.

    Verify the contents of the following fields to ensure that the tool is authentic:
    Name: Symantec Corporation
    Signing Time: 23 June 2017 01:46:22 (for 64-bit) or 23 June 2017 01:46:19 (for 32-bit)

    All other operating systems: You should see either of the following messages:
    For 64-bit computers: Do you want to install and run "FixToolKotver64.exe" signed on 23 June 2017 01:46:22 and distributed by Symantec Corporation?
    For 32-bit computers: Do you want to install and run "FixToolKotver32.exe" signed on 23 June 2017 01:46:19 and distributed by Symantec Corporation?

    Note: The date and time in the digital signature above are based on Pacific Time. They will be adjusted for your computer's time zone and regional options settings. If you are using Daylight Saving time, the displayed time will be exactly one hour earlier.

    If this dialog box does not appear, it may be because the removal tool is not from Symantec. Unless you are sure that the removal tool is legitimate and that you downloaded it from the legitimate Symantec website, you should not run it.
  8. Click Yes or Run to close the dialog box.
  9. Type exit, and then press Enter. (This will close the MS-DOS session.)
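As an added example (not Symantec's procedure), the same authenticity check can be done with Windows' built-in Authenticode verification instead of Chktrust, which is convenient when authenticating the file on many hosts before deployment. The file path in $ToolPath is an assumption; the expected publisher name "Symantec Corporation" is the one shown in the dialog above.

```powershell
# Added example, not part of the Symantec page: verify the removal tool's Authenticode
# signature with Get-AuthenticodeSignature before it is deployed.
# Assumption: the downloaded tool is at $ToolPath.
param(
    [string]$ToolPath       = 'C:\FixToolKotver64.exe',   # assumed download location
    [string]$ExpectedSigner = 'Symantec Corporation'      # publisher named on this page
)

$sig = Get-AuthenticodeSignature -FilePath $ToolPath

# Status must be Valid: the hash matches and the certificate chain builds to a trusted root.
# NotSigned, HashMismatch (file altered after signing) or UnknownError all mean "do not run".
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${ToolPath}: $($sig.Status) - $($sig.StatusMessage)"
}

# A valid signature from the wrong publisher is as bad as none, so compare the
# signer's common name with the publisher the page says to expect.
$signerCn = $sig.SignerCertificate.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($signerCn -ne $ExpectedSigner) {
    throw "Unexpected signer for ${ToolPath}: '$signerCn' (expected '$ExpectedSigner')"
}

# Emit what was verified so it can be logged alongside the deployment record.
[pscustomobject]@{
    File        = $ToolPath
    Status      = $sig.Status
    Signer      = $signerCn
    Thumbprint  = $sig.SignerCertificate.Thumbprint
    NotAfter    = $sig.SignerCertificate.NotAfter
    Timestamped = [bool]$sig.TimeStamperCertificate
}
```

The Timestamped field reports whether the signature carries a countersignature timestamp; with one present, the signature stays verifiable after the signing certificate expires, which matters for a tool signed in 2017 and still being deployed later.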