Trojan:W32/Kavala.S!DeepGuard

[kenny g]

This trojan came in through a downloadlink from a site. i got ask if i wanted to open the file i did this because it comes from a site which i have a paid membership for as you can see in the images the wscript.exe has been closed it says in dutch because i possibly dont have the right acces for this but it is publicily downloadable than a message that it cant be packed out im talking about the script.js file this file was immediatly detected by my antivirus and malware as the trojan and was blocked and placed i believed in quarantaine i can find this under virus ,deepguard and ransomware in my antivirus from fsecure / kpn i have deleted the file in the antivirus and on the laptop i have deleted the file either in the wastebin i dont think this is enough thats why i am here what to do next because my laptop is pretty slow and i think a backdoor has been opened because of this i have also read that it can pretty damaging to your operating system help please haha

 

[struppigel]

Hello Kenny

I am Karsten and will help you with malware-related problems.

Please familiarize yourself with the following ground rules before you start.

• Read my instructions thoroughly, carry out each step in the given order.
• Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
• If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
• Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
• Back up important files before we start.
• Note: On weekends I might be slow to reply

-------------------------------------------------------------------

Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool and save the file to your Desktop. (Note: choose the right version, 64 or 32 bit, for your operating system, only one will run)
• Double-click FRST64.exe to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Attach both logs in your next reply.

 

[kenny g]

first of all thank you for your help and here are the files you asked for

 

[struppigel]

Thank you. It will take some time to look through your logs.
I noticed you have three different browser protection software installed:

• Norton Safe Web
• McAfee WebAdvisor
• Browsing Protection by F-Secure

It is not advisable to keep all of them, because they have the same purpose, may slow down your browsers and may get in the way of each other.
Please tell me which ones you want to keep.
If you are unsure: The main antivirus product registered on your system is F-Secure, so I would probably stick with them.

 

[kenny g]

yes thats correct f secure i want to keep i thought i had deleted the other 2 how can i do that

 

[struppigel]

Step 1: Uninstall Software

• Press the Windows Key
  
  + r on your keyboard at the same time. Type appwiz.cpl and click OK.
• Search for the following programs, right-click and click Uninstall.
  • Webadvisor McAfee
• Follow the prompts.
• Note: If you are offered the choice to install additional software, ensure you decline.
• Reboot if necessary.

Step 2: Remove Edge Extension

• Please open Edge
• Enter the following line into the address bar
  edge://extensions/
• For the following extensions, select the extension and click Remove
  • Norton Safe Web

Step 3:Remove Chrome Extension

• Please open Chrome.
• Enter the following line into the address bar
  chrome://extensions/
• For the following extensions click the button Remove and follow the prompts
  • Norton Safe Web

Please tell me if any of those steps did not work.

-----------------------------------------------------------------------------

Regarding the script.js you downloaded: I have the suspicion that this is a false positive detection by your antivirus.
From your screenshots it looks like it comes from a Javascript course, and you say you had to pay for membership. So it is something like SkillShare, Udemy, Coursera or of that sorts?
It is unlikely that someone makes you pay for their courses and then places malware.

Furthermore, the signature name shows that DeepGuard detected the file. DeepGuard is heuristc as F-Secure describe on their website, it "blocks new and undiscovered Trojans, worms, exploits"
Those techniques to block yet unknown threats have a higher potential to produce false positive detections.

I suggest you do the following:

• Temporarily disable your antivirus software.
• Download the archive with your course material again, do not extract it.
• Navigate to their sample submission page
• Select the File Sample tab. Click Browse, and attach the archive with the script.js file in it.
• Tick the I want to give more details about this sample and to be notified of the analysis results box to add in that you suspect a false positive because it is a course you paid for. Maybe tell them also where you downloaded the course material from.
• To be on the safe side: Delete the archive and empty the recycle bin
• re-enable your anvirus software

After some time you should hear back from F-Secure about their analysis result. If it is a false positive, they will adjust their signatures in DeepGuard to not block this file anymore.

 

[kenny g]

as for the extensions in the webbrowser i cant find them i have done right as you said it but nothing to be found of those antivirusses and as the sample submission page i will do that too and keep you updated about the results i get from there i want to thank you for your help and wish you all the best wishes greetings kenny ps if i need to do anything else with the antivirusses let me know

 

[struppigel]

1. Farbar Recovery Scan Tool (FRST) Script

• Download the attached fixlist.txt
• Important: The file must be saved in the same location as FRST64.exe.

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

• Double-click FRST64.exe to run the programme.
• Click Fix.
• A log (Fixlog.txt) will open on your desktop. Attach the log to your next reply.

 

[kenny g]

because i thought we were finished i cleaned a little bit up overhere on the laptop i know you said dont do anything so apologies for that but the fix went well and here the log you requested

 

[struppigel]

Your system looks clean.
Are there any outstanding issues?

 

[kenny g]

no nothing anymore thank you very much for your work i appreciate it

 

[struppigel]

You are welcome.

I am closing this thread now as the issue seems to be resolved.