Dridex Word Doc infection

Hey everyone, would appreciate any help you can give.


I got an email today saying a scan had been sent. I had actually been sending scans today, so I opened it up and only noticed afterwards that the sender was this random one. I opened the Word doc on my iPhone, saw that it was blank and thought I had sent a blank scan, so I opened it on Office Online, via the Outlook email. I didn't download it, but it did save to my OneDrive (I have deleted it from the recycling bin on there). Whilst opening it in my Firefox browser, I didn't download it; I pressed view online and I think I may have pressed "allow edit".


Can someone tell me how I can find out if macros are enabled on my computer / online Office / Word account?


I have downloaded Farbar Recovery Scan Tool & Hitman Pro. I am also currently running a Malware Anti Bytes scan; do I need to run a scan off the exploit app too? What do I do next? Have I been infected? Are my passwords & banking info at risk?


Thank you for the help, not only on this issue, but for providing great help in general.

Link to post
Share on other sites

Hello and :welcome:
If you've not already done so please start here and post back the 2 log files FRST.txt and Addition.txt

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on

Before we proceed further, please read all of the following instructions carefully.
If there is anything that you do not understand kindly ask before proceeding.
If needed please print out these instructions.
  • Please do not post logs using CODE, QUOTE, or FONT tags. Just paste them as direct text.
  • If the log is too large then you can use attachments by clicking on the More Reply Options button.
  • Please enable your system to show hidden files: How to see hidden files in Windows
  • Make sure you're subscribed to this topic:
    • Click on the Follow This Topic Button (at the top right of this page), make sure that the Receive notification box is checked and that it is set to Instantly

    [*]Removing malware can be unpredictable...It is unlikely but things can go very wrong! Please make sure you Backup all files that cannot be replaced if something were to happen. You can copy them to a CD/DVD, external drive or a pen drive [*]Please don't run any other scans, download, install or uninstall any programs unless requested by me while I'm working with you. [*]The removal of malware is not instantaneous, please be patient. Often we are also on a different Time Zone. [*]Perform everything in the correct order. Sometimes one step requires the previous one. [*]If you have any problems while following my instructions, Stop there and tell me the exact nature of the issue. [*]When we are done, I'll give you instructions on how to cleanup all the tools and logs [*]Please stick with me until I give you the "all clear" and Please don't waste my time by leaving before that. [*]Your topic will be closed if you haven't replied within 3 days [*](If I have not responded within 24 hours, please send me a Private Message as a reminder)


You've done well so far.  Just post the FRST logs ( both the FRST.txt and Addition.txt files) and the Malwarebytes Anti-Malware scan log.  I would hold off on the HitmanPro until later (if needed; we will tell you).  Thanks.

Link to post
Share on other sites

Hi DBreeze,


Thanks for replying, 


- I don't have any P2P or Torrent things, I'm fairly certain I have no cracked or illegal programs running, I have genuinely purchased everything on my computer. I do have Tor Browser though, so that I can stream soccer games that are geo-blocked, is that an issue?

- The Malwareantibytes scan showed no issues, but I'll do a new one and I'll do that other scan too, I'll hold off on the other scan until you say so


- I'm not going to be able to scan this weekend as I am away from home, so me not doing what you asked for is not out of rudeness, I do appreciate the help

- And I can only back-up all of my data on Monday/Tuesday, so I shall post scans and everything once that is done, is that okay?


Regarding the FRST app, after it has produced logs, is it supposed to continue scanning and searching?


Thank you for replying so quickly! and any help/advice you can provide

Link to post
Share on other sites

Thank you for the update on when you can continue this thread; real world issues always come first so handle those first, computer second.


As to FRST scanning; the log files will be started (created) as the scan runs that section but once you get the notice that the logs have been produced, FRST should stop scanning.


As to the TOR browser, please disable usage of this until we finish cleaning.  Thanks.

Link to post
Share on other sites

Thank you for the notice on the media files.


Good news is that the log is clean of malware; on the other hand there are some things that can be cleaned up on the system.  The Tasks that you noticed are leftovers from Microsoft's 'upgrade' to Win 10.  The following FRST Fixlist script will fix those.


Download the attached fixlist.txt file and save it to the Desktop.  Fixlist.txt

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show that it is ready to use (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post the log in your next reply.


As to the question about Office 365 / Macros - the web applications (Excel, Word, etc.) running in a browser do not run macros; the installed parts of Office365 (Excel, Word, etc.) on your local hard drive can run macros.  The settings to enable macros should be in the File > Options > Trust Center > Trust Center Settings > Macro Settings.

Link to post
Share on other sites
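The Macro Settings choice mentioned in the reply above is stored per application in the registry as a `VBAWarnings` value, so it can also be read without opening each Office program. The following PowerShell is an added example, not part of the original thread; the function name `Get-MacroSetting` and the list of versions and applications checked are assumptions made for illustration.

```powershell
# Added example: report the VBA macro setting for desktop Office apps
# under the current user profile. Read-only; nothing is changed.
# VBAWarnings: 1 = enable all, 2 = disable with notification,
# 3 = disable except digitally signed, 4 = disable without notification.
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}
$versions = '14.0', '15.0', '16.0'   # Office 2010, 2013, 2016/2019/365
$apps     = 'Word', 'Excel', 'PowerPoint'

function Get-MacroSetting {          # hypothetical helper name
    param([string]$Version, [string]$App)
    # A Group Policy value takes precedence over the Trust Center choice.
    $candidates = [ordered]@{
        Policy = "HKCU:\Software\Policies\Microsoft\Office\$Version\$App\Security"
        User   = "HKCU:\Software\Microsoft\Office\$Version\$App\Security"
    }
    foreach ($source in $candidates.Keys) {
        $item = Get-ItemProperty -Path $candidates[$source] -Name VBAWarnings `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Source = $source; Value = [int]$item.VBAWarnings }
        }
    }
    # No value stored: the Trust Center default (disable with notification) applies.
    return [pscustomobject]@{ Source = 'Default'; Value = 2 }
}

$report = foreach ($v in $versions) {
    foreach ($a in $apps) {
        # Skip version/app combinations never used under this profile.
        if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\$a")) { continue }
        $s = Get-MacroSetting -Version $v -App $a
        [pscustomobject]@{
            Version     = $v
            App         = $a
            Source      = $s.Source
            VBAWarnings = $s.Value
            Meaning     = $meaning[$s.Value]
            RunsWithoutPrompt = ($s.Value -eq 1)
        }
    }
}
$report | Format-Table -AutoSize
```

A row with `RunsWithoutPrompt` set to True means that application executes macros in any document it opens without asking, which is the setting to change back in the Trust Center.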

Brilliant, the MalwareAntiBytes scan showed no items were infected, do you need me to up that scan result?

So, judging from what you've seen, no infections or malware or trojans or viruses shown?

I can't get around to doing that clean-up until early next week, is that okay?

I don't use PayPal, would you be okay with a small PaySafeCard code?

Link to post
Share on other sites

Also, just noticed that when opening the documents section of file explorer, there is a folder called "localmetadata" c, I have never seen that before.

It has 2 MTA files, crash_1033 & jan shut down events_1033

Is this something to be concerned about? I've literally only just noticed it

Link to post
Share on other sites

1)  Did you run the FRST Fixlist.txt script in my last post?  If so, can you post the Fixlog.txt log file that it made, please?


2)  Glad that Malwarebytes scans are now clean but I did not ask you to run that yet.


3)  The PaySafeCard code is fine ( you can send that in a Personal Message here) but my services are free and you do not have to do or pay anything for them.

Link to post
Share on other sites

I know that your services are free, but I wanted to do something to show that I am grateful, as I was worried about this possible infection.

The MALB scan was one from earlier (the one I mentioned in the original post), I simply forgot to mention it because I closed the application without looking at scan results, and saw that you mentioned it at the bottom of post 2, so thought I'd mention it.

I've not had a chance to do that new FRST Fix scan, I was going to try yesterday, but Windows decided to update, so I can only get around to it at the start of next week now, is that okay?

Link to post
Share on other sites

Yes, it is OK to do the scans / fix / steps in my last fix post (post #10 of this thread) this weekend; the real world / real life always comes first before anything else.  Have a great day and we will look for the logs sometime this weekend.  :)

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites

This topic is now closed to further replies.