Need Urgent Help With Malware.

[DALEDANTONY]

I recently opened a Microsoft Word document i was sent my someone who i didn’t know very well. When i opened it my mind began racing as to why he would want me to open this... that’s when i got to googling and found out about “Malicious Macro’s”. That’s when i decided to have a look at my Task Manager, there i found a file called “Launch” in my Start-Up. I disabled it right away and then began finding more and more suspicious things running that i knew were not previously there. One was called “Coordinator.exe”. As i started digging more clicking on “Open-File-Location” i found a folder full of at least 100 python scripts... in my panic i deleted almost everything i suspected to be malicious... i found dozens of DAT files and text documents which are mostly appearing in Temp folders in Users>Local>Temp and Windows>Temp. The DAT files are all just named a random assortment of characters and the text documents are all called the name of my PC and then random numbers, these text documents are being dumped into Temp hour after hour and contain a sort of Log looking thing? However i don’t know what it is logging... I also found a file called “ZoomInfoContactContributor” blah blah blah.. I believe this to be a part of the malware as i have never used Zoom before. I did a google search and found that it could be malware, you can see it for yourself here:  https://www.hybrid-analysis.com/sample/0ac026cc1f7a108f5fd908f7703d8af1d14735cff2556f230f902990321563b7?environmentId=120 although i could not really make sense of it. I have also done a MalwareBytes scan (with Rootkits box checked) and it found 0 Threats in an 8 hour scan... So what i want to know is... did i disrupt this malware in my tangent of deletion? or could it still be present somewhere undetected?

Thanks in advance.

[AdvancedSetup]

Hello @DALEDANTONY

 

Please run the following steps and post back the logs as an attachment when ready.

I'm almost off work but will try to check back on you later tonight if I can.

STEP 01

• If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
• If you don't have Malwarebytes installed yet please download it from here and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Right-click on the program and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan Now.
• When finished, please click Clean & Repair.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Attach or Copy its content into your next reply.

 

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a checkmark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

[DALEDANTONY]

@AdvancedSetup Hello, here are the reports as requested.

 

 

 

mbamscan1.txt AdwCleaner[C00].txt FRST.txt Addition.txt

[AdvancedSetup]

Please temporarily uninstall the following software

AVG
AVG PC TuneUp
Bonjour
Java 8 Update 121

You have the following site allowed to interact with and send alerts to the desktop.
CHR Notifications: Default -> hxxps://check-out-this.site

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

What exactly is mDNSResponder.exe?

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

 

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• BITS transfer queue (qmgr*.dat files)
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

[DALEDANTONY]

@AdvancedSetup Hello again, here is the fixlog. 

 

Fixlog.txt

[AdvancedSetup]

From the logs.

Windows Resource Protection found corrupt files and successfully repaired them.

 

Were you able to address the other issues I mentioned above?

Please run FRST again and click on Scan. Then attach back both new logs

 

[DALEDANTONY]

@AdvancedSetup 

Addition2.txt

[DALEDANTONY]

@AdvancedSetup  Could you explain to me what these weird files appearing in my Temp folder is? They appear around the clock hour after hour and i don't really know what they are.

[AdvancedSetup]

It appears to possibly be from Visual Studio for the dd_BackgroundDownload files

https://developercommunity.visualstudio.com/content/problem/815856/automatic-updates-is-disabled-but-the-background-d.html

For the mat-debug it appears it may be due to Microsoft Office

https://answers.microsoft.com/en-us/windows/forum/all/windowstemp-empty-folders/f73caf3e-3d15-4685-a17d-0d30e9a9a910

 

[AdvancedSetup]

Can you restart the computer and then run FRST again. I'd like to get both new logs please not just the one

Thanks

 

[DALEDANTONY]

@AdvancedSetup Ok i’ll get the logs for you soon. But i don’t really use Microsoft Office, i have it installed but i never really go on it.. and this malware was put on my PC by opening a word document with malicious macro’s? do you think this could be bad?

[AdvancedSetup]

My guess is that Office is setup to automatically update. You should be able to open one of the Office applications and check.

https://www.windowscentral.com/how-disable-updates-office-apps-windows-10

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks