Macro virus/trojan

[Nicolrenee1968]

I need to know what to do to get rid of the suspected macro virus/trojan in the attached. It came from a trusted email, so I opened it up without thinking. *sigh*.

Edited December 2, 2015 by MysteryFCM
Malicious file (Dridex) removed

[TwinHeadedEagle]

Hello,

    

 

They call me TwinHeadedEagle around here, and I'll try to help your with your issue.

 

     

    

Before we start please read and note the following:

• We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
• Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
• Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time. Keep in mind that private life gets in the way too. Note that we may live in totally different time zones, what may cause some delays between answers.
• Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
• Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
• Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!

 

 

 

  Rules and policies

 

We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 

---

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.

Only one of them will run on your system, that will be the right version.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

[Nicolrenee1968]

Unable to open the script file.

 

Running Windows 10, if that makes a difference. Since realizing my idiocy (immediately after attempting to open the document and view), I shut down all open Office documents and have not opened any new ones, nor have I gone to any sites requiring a password.

[Nicolrenee1968]

 I am on a 64 bit system, downloaded the correct version. I also immediately began a scan and Malwarebytes is currently running in the background. So far, Vosteran/Yontoo detected. On the final Heuristic analysis.

[Nicolrenee1968]

Results of scan:

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 12/2/2015

Scan Time: 11:29 AM

Logfile: 

Administrator: Yes

 

Version: 2.2.0.1024

Malware Database: v2015.12.02.04

Rootkit Database: v2015.11.26.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 10

CPU: x64

File System: NTFS

User: Nicole

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 451477

Time Elapsed: 1 hr, 14 min, 59 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 3

PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}, , [b19b6c34e8a339fd8132e1ceec171be5], 

PUP.Optional.Yontoo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Update DigiHelp, , [212b534d7e0db6802cf95f9311f27090], 

PUP.Optional.Yontoo, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\EVENTLOG\APPLICATION\Util DigiHelp, , [3418722e870458de988df9f916edec14], 

 

Registry Values: 5

PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}|URL, http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_14_50_ch&cd=2XzuyEtN2Y1L1QzutByE0F0DyDtB0CtDzztDzz0DyByCyCyCtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFyBtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2StByBzy0E0EyEtD0CtGyBzztAtCtG0EyCzyyCtG0EtCtAyEtGtA0CtAtDzztDtD0AtD0E0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CzytA0D0EtAzzzztG0FyD0E0EtGyE0B0C0CtGzzyCyCzytG0DtCyEzztD0ByEyD0C0ByEyE2Q&cr=272077845&ir=,, [b19b6c34e8a339fd8132e1ceec171be5]

PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}|TopResultURLFallback, http://Vosteran.com/results.php?f=4&q={searchTerms}&a=vst_ir_14_50_ch&cd=2XzuyEtN2Y1L1QzutByE0F0DyDtB0CtDzztDzz0DyByCyCyCtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFyBtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2StByBzy0E0EyEtD0CtGyBzztAtCtG0EyCzyyCtG0EtCtAyEtGtA0CtAtDzztDtD0AtD0E0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CzytA0D0EtAzzzztG0FyD0E0EtGyE0B0C0CtGzzyCyCzytG0DtCyEzztD0ByEyD0C0ByEyE2Q&cr=272077845&ir=,, [b6963b65464522144370c4eb61a2fa06]

PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}|FaviconPath, C:\Program Files (x86)\WSE_Vosteran\\FavIcon.ico, , [39137b25d0bbbd79595aab04b94acb35]

PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}, Vosteran, , [d27af9a7becd4cea6d46a10eb74cc23e]

PUP.Optional.Vosteran, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{52C009CA-C475-409B-A8FF-3755E0E9CEFA}|DisplayName, Vosteran, , [54f8f8a82a6104329e151d925ba85ba5]

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

 

The good news (?)  is that I don't use Internet Explorer! 

[David H. Lipman]

Nicolrenee1968:

 

The malware you improperly posted is not a macro virus related MS Office document.

 

The file you posted is a DOC macro Dropper trojan.

 

If you have MS Office Word Macro Security set too low it drops and executes a Fareit data stealing trojan that also downloads additional malware.

 

This sub-forum is not for submitting malware nor is it for posting malware for information on its activity.

 

It is a malicious file and as malware it must be handled properly. 

 

You uploaded the file to the WRONG place and did it in an insecure fashion. 

 

Why chance other people getting infected ?

 

All malware must be submitted in;  Newest Malware Threats

 

Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats.

Malware hunters please read
Purpose of this forum
Malware Hunters group

 

The file could have been submitted properly and then your post made in the Malware Removal sub-forum and in your request for assistance, you would provide the link and reference the submitted file.

[Nicolrenee1968]

Sorry, noob to forum posting, noob to this sort of issue.

[David H. Lipman]

Caution is the word !

 

I posted the file and its payload in;  DOC Macro Dropper Payload

 

I will request Moderators remove the DOC file from this thread

[Nicolrenee1968]

Thanks so much, Dave!!!

 

The good news is that after finishing the MBAM scan and reboot, I was able to run the Farbar tool. Attached are the text files from that.  I am running the Windows Malicious Software Removal Tool in the event that will be even remotely helpful as well. I am dead in the water right now and really would love to trust that I haven't just bricked my laptop. :-/

FRST.txt

Addition.txt

[TwinHeadedEagle]

There are only some signs of Adware, there is no some serious infection.
 
 
Fix with AdwCleaner
 
Please download AdwCleaner by Xplode and save the file to your Desktop.

• Right-click on icon and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Cleaning.
• Your PC should reboot now.
• After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

[Nicolrenee1968]

So my other protection was able to successfully keep the trojan at bay?

[TwinHeadedEagle]

Please run Adwcleaner first.

[Nicolrenee1968]

Adwcleaner logfile:

 

# AdwCleaner v5.023 - Logfile created 02/12/2015 at 14:20:53

# Updated 30/11/2015 by Xplode

# Database : 2015-11-30.1 [server]

# Operating system : Windows 10 Home  (x64)

# Username : Nicole - ATN_ADMIN

# Running from : C:\Users\Nicole\Downloads\AdwCleaner.exe

# Option : Cleaning

# Support : http://toolslib.net/forum

 

***** [ Services ] *****

 

 

***** [ Folders ] *****

 

[-] Folder Deleted : C:\Users\Nicole\AppData\Local\pokki

[-] Folder Deleted : C:\Users\Nicole\AppData\Roaming\download Manager

[-] Folder Deleted : C:\Users\Nicole\Favorites\StumbleUpon

[!] Folder Not Deleted : C:\Users\Nicole\Favorites\StumbleUpon

[-] Folder Deleted : C:\Users\QBDataServiceUser23\AppData\Local\pokki

[-] Folder Deleted : C:\Users\QBDataServiceUser25\AppData\Local\pokki

 

***** [ Files ] *****

 

[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.azlyrics.com_0.localstorage

[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.azlyrics.com_0.localstorage-journal

[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage

[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal

[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.yourtango.com_0.localstorage

[-] File Deleted : C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.yourtango.com_0.localstorage-journal

 

***** [ DLLs ] *****

 

 

***** [ Shortcuts ] *****

 

 

***** [ Scheduled tasks ] *****

 

 

***** [ Registry ] *****

 

[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki_b52b7a05ea010d22183cece45cbb6e86cf917a76

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E993643-8FBC-44FE-BC85-D318495C4D96}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}

[-] Key Deleted : HKCU\Software\Pokki

[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp

[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com

[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\nortonsafe.search.ask.com

 

***** [ Web browsers ] *****

 

[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com

[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com

[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [startup_URLs] Deleted : hxxp://Vosteran.com/?f=7&a=vst_ir_14_50_ch&cd=2XzuyEtN2Y1L1QzutByE0F0DyDtB0CtDzztDzz0DyByCyCyCtN0D0Tzu0StCtDyByCtN1L2XzutAtFyCtFtCtDtFyBtN1L1CzutCyEtBzytDyD1V1BtN1L1G1B1V1N2Y1L1Qzu2StByBzy0E0EyEtD0CtGyBzztAtCtG0EyCzyyCtG0EtCtAyEtGtA0CtAtDzztDtD0AtD0E0AtD2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CzytA0D0EtAzzzztG0FyD0E0EtGyE0B0C0CtGzzyCyCzytG0DtCyEzztD0ByEyD0C0ByEyE2Q&cr=272077845&ir=

[-] [C:\Users\Nicole\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : oilkkkefbalmbfppgjmgjoefbclebkce

 

*************************

 

:: "Tracing" keys removed

:: Winsock settings cleared

 

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3594 bytes] ##########

[TwinHeadedEagle]

Good. Your PC should be clean now? How is it behaving now?

[Nicolrenee1968]

Seems to be behaving fine. I have not opened any word documents since attempting to open the document with the trojan. Should that be safe to attempt at this point?

[TwinHeadedEagle]

Definitely.

[David H. Lipman]

Nicolrenee1968:
 
As I mentioned earlier, this is not a case of a Macro Virus.  This is a case of a dropper trojan.

 

What does that mean ?

 

More than a decade ago we saw the case of Macro Viruses.  In that situation you have a legitimate document that gets infected with a Macro Virus.  If that Macro Virus is viewed on a clean MS Office then the MS Office environment is infected and when that MS Office environment is used to view/edit legitimate documents, they get infected.  Thus it is a Virus because it spreads from file to system, system to file and ultimately from system to system.

 

In this case the DOC file was never a legitimate document.  It was specifically crafted to be malicious.  An executable binary is embedded in the document and a VB Macro is added to cause the file to be executed.  Because the file is embedded, the initial malware is "dropped".

 

In an alternate case the MS Office Document file was never a legitimate document and a VB Macro is added to cause the file to be downloaded from a web site and then executed.  Because the malware file is downloaded from the Internet, the document is a "downloader."

 

In the case of the dropper and downloaders, there is no VB macro that infects the MS Office environment and there is no spreading therefore it is not a virus.  Thus your MS Office Environment is safe to use.

 

In the case of MS Office; Macro Viruses, Macro Downloaders and Macro Droppers, all can be mitigated by making sure that the MS Office Macro Security is set to to "high".  In later versions of MS Office that condition is the default.  It was set as a default because of the situation of macro viruses almost 20 years ago ( wow, has time passed   ).

[Nicolrenee1968]

Awesome, guys! Thanks oodles! This was a new one for me and I have been so good and so careful about downloading and opening attachments, clicking email links, etc.! What a pain in the hindquarters this was! Should it ever happen again, God forbid, I am well prepared. 

[David H. Lipman]

Is there anything else that TwinHeadedEagle or I can help you with ?

[Nicolrenee1968]

I think I am good! I use this computer for so very much and was worried about vulnerabilities, particularly during this season. I wanted to make sure to fix whatever potential harm I inadvertently wrought by downloading/opening the file. Thanks for all of your assistance! You rock!

[David H. Lipman]

OK.  I will request the Forum Admin lock this thread.

 

Happy Holidays !

 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!