Jump to content

Macro virus/trojan

Recommended Posts




They call me TwinHeadedEagle around here, and I'll try to help your with your issue.




Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
:excl: I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

:excl: There are no silly questions. Never be afraid to ask if in doubt!




  warning.gif Rules and policies


We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!


Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.



Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Link to post
Share on other sites

Results of scan:


Malwarebytes Anti-Malware
Scan Date: 12/2/2015
Scan Time: 11:29 AM
Administrator: Yes
Malware Database: v2015.12.02.04
Rootkit Database: v2015.11.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 10
CPU: x64
File System: NTFS
User: Nicole
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 451477
Time Elapsed: 1 hr, 14 min, 59 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 3
PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}, , [b19b6c34e8a339fd8132e1ceec171be5], 
PUP.Optional.Yontoo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Update DigiHelp, , [212b534d7e0db6802cf95f9311f27090], 
PUP.Optional.Yontoo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Util DigiHelp, , [3418722e870458de988df9f916edec14], 
Registry Values: 5
PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}|FaviconPath, C:\Program Files (x86)\WSE_Vosteran\\FavIcon.ico, , [39137b25d0bbbd79595aab04b94acb35]
PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}, Vosteran, , [d27af9a7becd4cea6d46a10eb74cc23e]
PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}|DisplayName, Vosteran, , [54f8f8a82a6104329e151d925ba85ba5]
Registry Data: 0
(No malicious items detected)
Folders: 0
(No malicious items detected)
Files: 0
(No malicious items detected)
Physical Sectors: 0
(No malicious items detected)
The good news (?)  is that I don't use Internet Explorer! 
Link to post
Share on other sites



The malware you improperly posted is not a macro virus related MS Office document.


The file you posted is a DOC macro Dropper trojan.


If you have MS Office Word Macro Security set too low it drops and executes a Fareit data stealing trojan that also downloads additional malware.


This sub-forum is not for submitting malware nor is it for posting malware for information on its activity.


It is a malicious file and as malware it must be handled properly. 


You uploaded the file to the WRONG place and did it in an insecure fashion. 


Why chance other people getting infected ?


All malware must be submitted in;  Newest Malware Threats


Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats.

Malware hunters please read
Purpose of this forum
Malware Hunters group


The file could have been submitted properly and then your post made in the Malware Removal sub-forum and in your request for assistance, you would provide the link and reference the submitted file.

Link to post
Share on other sites

Thanks so much, Dave!!!


The good news is that after finishing the MBAM scan and reboot, I was able to run the Farbar tool. Attached are the text files from that.  I am running the Windows Malicious Software Removal Tool in the event that will be even remotely helpful as well. I am dead in the water right now and really would love to trust that I haven't just bricked my laptop. :-/



Link to post
Share on other sites

There are only some signs of Adware, there is no some serious infection.
adwcleaner_new.png Fix with AdwCleaner
Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

Link to post
Share on other sites

Adwcleaner logfile:


# AdwCleaner v5.023 - Logfile created 02/12/2015 at 14:20:53
# Updated 30/11/2015 by Xplode
# Database : 2015-11-30.1 [server]
# Operating system : Windows 10 Home  (x64)
# Username : Nicole - ATN_ADMIN
# Running from : C:\Users\Nicole\Downloads\AdwCleaner.exe
# Option : Cleaning
***** [ Services ] *****
***** [ Folders ] *****
[-] Folder Deleted : C:\Users\Nicole\AppData\Local\pokki
[-] Folder Deleted : C:\Users\Nicole\AppData\Roaming\download Manager
[-] Folder Deleted : C:\Users\Nicole\Favorites\StumbleUpon
[!] Folder Not Deleted : C:\Users\Nicole\Favorites\StumbleUpon
[-] Folder Deleted : C:\Users\QBDataServiceUser23\AppData\Local\pokki
[-] Folder Deleted : C:\Users\QBDataServiceUser25\AppData\Local\pokki
***** [ Files ] *****
[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.azlyrics.com_0.localstorage
[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.azlyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.yourtango.com_0.localstorage
[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.yourtango.com_0.localstorage-journal
***** [ DLLs ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_b52b7a05ea010d22183cece45cbb6e86cf917a76
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key Deleted : HKCU\Software\Pokki
[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nortonsafe.search.ask.com
***** [ Web browsers ] *****
[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [startup_URLs] Deleted : hxxp://Vosteran.com/?f=7&a=vst_ir_14_50_ch&cd=2XzuyEtN2Y1L1QzutByE0F0DyDtB0CtDzztDzz0DyByCyCyCtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFyBtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2StByBzy0E0EyEtD0CtGyBzztAtCtG0EyCzyyCtG0EtCtAyEtGtA0CtAtDzztDtD0AtD0E0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CzytA0D0EtAzzzztG0FyD0E0EtGyE0B0C0CtGzzyCyCzytG0DtCyEzztD0ByEyD0C0ByEyE2Q&cr=272077845&ir=
[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : oilkkkefbalmbfppgjmgjoefbclebkce
:: "Tracing" keys removed
:: Winsock settings cleared
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3594 bytes] ##########
Link to post
Share on other sites

As I mentioned earlier, this is not a case of a Macro Virus.  This is a case of a dropper trojan.


What does that mean ?


More than a decade ago we saw the case of Macro Viruses.  In that situation you have a legitimate document that gets infected with a Macro Virus.  If that Macro Virus is viewed on a clean MS Office then the MS Office environment is infected and when that MS Office environment is used to view/edit legitimate documents, they get infected.  Thus it is a Virus because it spreads from file to system, system to file and ultimately from system to system.


In this case the DOC file was never a legitimate document.  It was specifically crafted to be malicious.  An executable binary is embedded in the document and a VB Macro is added to cause the file to be executed.  Because the file is embedded, the initial malware is "dropped".


In an alternate case the MS Office Document file was never a legitimate document and a VB Macro is added to cause the file to be downloaded from a web site and then executed.  Because the malware file is downloaded from the Internet, the document is a "downloader."


In the case of the dropper and downloaders, there is no VB macro that infects the MS Office environment and there is no spreading therefore it is not a virus.  Thus your MS Office Environment is safe to use.


In the case of MS Office; Macro Viruses, Macro Downloaders and Macro Droppers, all can be mitigated by making sure that the MS Office Macro Security is set to to "high".  In later versions of MS Office that condition is the default.  It was set as a default because of the situation of macro viruses almost 20 years ago ( wow, has time passed :P  ).

Link to post
Share on other sites

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.