Jump to content

Accidentally Allowed Macro on Excel File.


atlim
 Share

Go to solution Solved by kevinf80,

Recommended Posts

Hi all,

I am a university student who was talking to some classmates in a large discord server when someone put an excel spreadsheet into the chat. The assignment we were working on would directly involve  a spreadsheet so it wasn't super strange, and since we were helping each other with homework I opened it up, and then without thinking I enabled editing and, importantly, macros. I immediately realized my mistake and closed Excel through task manager and ran a Malwarebytes scan, but it seems to have been too late. A recurring executable by the name of "ok.exe" keeps appearing in my Roaming folder of AppData and is repeatedly caught by Malwarebytes, but where ever the file is coming from is not. I attached the FRST.txt and Additional.txt, as well as my most recent Malwarebytes scan which did not identify the file despite the fact that it is indeed in my AppData folder, as well as a screenshot showing it was previously found through RTP detection. Additionally, here is the link to the file's report on VirusTotal.

I feel like a complete moron for allowing this to happen, and I am very worried about it given the fact that my entire life is currently run through this computer and I do not really have any other options. I have not restarted my computer since this has happened. Any help is greatly appreciated!

rtp.png

FRST.txt Addition.txt mwb.txt

Link to post
Share on other sites

  • Replies 54
  • Created
  • Last Reply

Top Posters In This Topic

Hiya atlim and welcome to Malwarebytes,

The main log from FRST is not complete, "FRST.txt"  Can you re-run FRST again..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image
 
Thanks,
 
Kevin

 

Link to post
Share on other sites

  • Solution

Hello atlim,

Thanks for those logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

The system will be rebooted after the fix has run.

Next,

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Clsoe out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select http://i.imgur.com/Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply...

Thank you,

Kevin

fixlist.txt

Link to post
Share on other sites

Hi Kevin,

I ran all four tests throughout the day and attached the results. I cleared my User Temp folder just before receiving your message and within it there was a suspicious .exe, but I deleted it without putting it through VirusTotal or anything equivalent which was a silly mistake. Anyway, since I deleted that, no instances of the malware have appeared. Thank you so much for your help! It means a lot!

Sincerely,

Devin

msert.log AdwCleaner[C00].txt Fixlog.txt MWB Report.txt

Link to post
Share on other sites

Hiya Devin,

Yes your system was heavily infected, I`d like another set of logs from FRST to make sure we`ve not missed anything, and nothing has returned..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image

Let me see those logs in your reply...

Thank you,

Kevin..
Link to post
Share on other sites

Hiya Devin,

Those logs look good now, unless you have any remaining issues or concerns we can clean up...

Right click on FRST here: C:\Users\Devin\Downloads\FRST.exe and rename uninstall.exe when complete right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST to uninstall

That action will remove FRST and all created files and folders...

Next,

Remove all System Restore Points: https://www.tenforums.com/tutorials/33593-delete-system-restore-points-windows-10-a.html#option2

Create clean fresh Restore Point: http://www.thewindowsclub.com/create-system-restore-point

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

Condsider the following:

Malwarebytes Browser Guard (Free) for Firefox: https://addons.mozilla.org/en-GB/firefox/addon/malwarebytes/

Malwarebytes Browser Guard (Free) for Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee

PatchMyPC, keep all your software upto date - https://patchmypc.com/home-updater#download

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

  • Root Admin

User reports the ok.exe is back and seeking further assistance @kevinf80

@atlim

Please post back new logs and Kevin will assist you as soon as possible.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

Hi again,

I was hoping this was behind me, but unfortunately late last night, the executable appeared, and opened itself once again. I attached the FRST results from today, MWB had already removed the latest version of it prior to running the scan. Additionally, MWB flagged a new file from the same directory (AppData/Roaming) with the same tag that was being applied to ok.exe, I attached the log for that as well. Thank you once again.

Sincerely,

Devin

Addition.txt FRST.txt newexe.txt

Link to post
Share on other sites

Hiya atlim,

Thanks for the new logs, continue:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:
 
  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

user posted image

Next,

Please download Malwarebytes Anti-Rootkit from here
 
  • Right click on the tool (select "Run as Administrator) to start the extraction to a convenient location. (Desktop is preferable)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced they will be in the MBAR folder... mbar-log.txt and system-log.txt


Let me see those logs in your reply...

Thank you,

Kevin..

fixlist.txt

Link to post
Share on other sites

Hi Kevin,

I ran the scans, and interestingly the Anti-Rootkit did not find anything on the first scan and on the second scan it solely found an executable in AppData/Roaming that my normal Malwarebytes process also caught with RTP. Additionally, the names for the executables are changing, ok.exe still appears frequently, but MWB is also detecting exe's with random strings of letters and numbers (similar to the new name previously mentioned). Finally, MWB's RTP only seems to detect ok.exe about 70% of the time, so I have been monitoring my AppData/Roaming manually, and removing it if it bypasses MWB, but I have yet to see any files that have random strings like what is being detected by MWB. I attached everything, as well as my most recent MWB scan.

Sincerely,

Devin

newmwb.png

Fixlog.txt mbar-log-2021-01-29 (11-07-40).txt mbar-log-2021-01-30 (00-47-01).txt mwbv3.txt

Link to post
Share on other sites

Hiya devin,

I want you to run an offline scan to see if we can find whatever is responsible for reinfecting your system. 

Open the search function, type or copy/paste Windows Defender Security Center then select ok to open that option.

In the new window select Virus and Threat Protection then select Scan Options

The scan options window will open, from there select Windows Defender Offline Scan

You will be given the option to save any opened work etc, then select Scan from there when the scan completes Windows will reboot..

To check for found entries:

Select Start , and then select Settings > Update & Security > Windows Security > Virus & threat protection . On the Virus & threat protection screen select Protection history.

If entries are shown as "Found" the time and date will be same as the offline scan just completed.....
 
Thanks,
 
Kevin
Link to post
Share on other sites

Hi Kevin,

Upon opening the Windows Security Center, I get this blank screen (image attached). I managed to get into Virus and Threat Protection by going through the Control Panel, but I am unable to run scans, when I click to run a scan, it will load for about a second and simply nothing will happen. A similar thing happens if I try to check for updates, or try to change any settings within the Virus and Threat Protection Settings which have all been disabled (which is not how it used to be). I am assuming this is a side effect of the malware? Any ideas? Thank you.

Sincerely,

Devin

security.png

security2.png

security3.png

security4.png

Link to post
Share on other sites

Ok, try the following:

Download Kaspersky Virus Removal Tool (KVRT) from here: https://www.kaspersky.com/downloads/thank-you/free-virus-removal-tool and save to your Desktop.

Select the Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

user posted image

add -dontcryptsupportinfo Note the space between KVRT.exe and -dontcryptsupportinfo

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontcryptsupportinfo should now show in the Run box.

user posted image

That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT_data\Reports and look similar to this report_20200727_103821.klr Right click direct onto that report, select > open with > Notepad. Save that file and attach to your reply.

To start the scan select OK in the "Run" box.

user posted image

The Windows Protected your PC window will open, select "More Info"

user posted image

A new Window will open, select "Run anyway"

user posted image

A EULA window will open, tick both confirmation boxes then select "Accept"

user posted image

In the new window select "Change Parameters"

user posted image

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

user posted image

Attach the report information as previously instructed....
Link to post
Share on other sites

Hi Kevin,

I accidentally stopped the scan 4 hours in, and thus had to redo the scan, nothing external caused it to stop four hours in. Additionally, a Malwarebytes scan ran during the Kaspersky scan and detected some new items that haven't appeared before.

Sincerely,

Devin

mwb3.txt report_20210130_173928.txt

Link to post
Share on other sites

Hiya atlim,

Thanks for those logs, lets try one more scan with FRST see if anything has returned..

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

user posted image
 
Thanks,
 
Kevin..
Link to post
Share on other sites

Hiya Devin,

Upload a File to Virustotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Users\Devin\AppData\Local\WMI.ini
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the URL address back here please.
  • Repeat the above steps for the following files

C:\Users\Devin\AppData\Local\_settings.ini

Thanks,

Kevin

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.