Macro Module Virus Kangatang


  • Root Admin

Hello @Lacazar

Please run the following for me and we'll see what we can find.

 

To begin, please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

  • Download the Malwarebytes Support Tool
  • In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
  • In the User Account Control pop-up window, click Yes to continue the installation
  • Run the MBST Support Tool
  • In the left navigation pane of the Malwarebytes Support Tool, click Advanced
  • In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
  • A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thank you

 


  • Root Admin

Thank you for the log @Lacazar

This is a Macro virus from a while ago. We don't scan Excel files for macros but our Anti-Exploit should stop the further spread of the virus. I'll help you get the computer cleaned up though.

 


It looks like this was potentially the source of the initial threat.

C:\Users\Linh-KTNV\Downloads\nhượng 18.8.xls

C:\Users\Linh-KTNV\Downloads\nhượng 18.8.xls_tmp

Once that was run and the Macro initiated, it was then able to attach itself to other files on your system, such as these for example:

C:\Users\Linh-KTNV\Desktop\Mẫu biểu gửi khách.xlsb
C:\Users\Linh-KTNV\AppData\Roaming\Microsoft\Excel\XLSTART\mypersonnel.xls (this file should be deleted if it still exists)

etc..

 

STEP 1

Please download and run the following Microsoft Safety Scanner and choose the FULL scan.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system.

The download links & the how-to-run-the tool are at this link at Microsoft

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Please let me know the results of this scan.

The log is named MSERT.log

The log will be at %SYSTEMROOT%\debug\msert.log, which in most cases is

C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

STEP 2

What is this program? A search on Google does not find it.

Startup: C:\Users\Linh-KTNV\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WUPOSStartup.exe

Please upload that file to https://virustotal.com and have them scan the file and let me know what they find

 

STEP 3

Let me have you run another antivirus scanner to double-check on the system.

 

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, click on Full scan
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

STEP 4

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
 

STEP 5

Please clean up the browser Cốc Cốc (Cup Cup) to make sure it does not contain any bad links, cache, cookies, etc.
Do the same with Google Chrome
 

STEP 6

Please download the following program and have it scan for and update any of your other software to make sure it's up to date.

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

STEP 7

Click on Start / Search and type in "Check for updates" and let Windows check for and install any updates it finds.

 

Thanks

 

 

Edited by AdvancedSetup
updated information
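
Added example, not part of the original post or any Malwarebytes tool: a Python triage script for the spread described above, which lists Excel-named files (including leftovers like `.xls_tmp`) that sit in an XLSTART folder or appear to contain a VBA project. The `_VBA_PROJECT` byte search is a heuristic that does not cover Excel 4.0 macro sheets, and the sample files it builds are constructed stand-ins, not real workbooks.

```python
import sys, tempfile, zipfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")       # legacy .xls compound file
VBA_DIR_NAME = "_VBA_PROJECT".encode("utf-16-le")   # OLE directory names are UTF-16LE

def has_vba_project(path):
    """Heuristic: True if the workbook appears to carry a VBA project."""
    data = Path(path).read_bytes()
    if data.startswith(OLE_MAGIC):
        return VBA_DIR_NAME in data
    if zipfile.is_zipfile(path):                    # .xlsb/.xlsm are ZIP containers
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    return False

def triage(root):
    """Return sorted (path, reasons) for Excel-named files worth reviewing."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or ".xl" not in p.name.lower():  # also matches .xls_tmp
            continue
        reasons = []
        if any(part.lower() == "xlstart" for part in p.parts):
            reasons.append("in XLSTART")            # opened at every Excel start
        try:
            if has_vba_project(p):
                reasons.append("VBA project")
        except (OSError, zipfile.BadZipFile) as exc:  # locked or corrupt file
            reasons.append(f"unreadable: {exc}")
        if reasons:
            findings.append((str(p), reasons))
    return sorted(findings)

def make_constructed_samples(root):
    """Write constructed stand-in files (not real workbooks) for a demo run."""
    start = Path(root) / "XLSTART"
    start.mkdir(parents=True, exist_ok=True)
    (start / "book.xls").write_bytes(OLE_MAGIC + b"\0" * 64 + VBA_DIR_NAME)
    (Path(root) / "plain.xls").write_bytes(OLE_MAGIC + b"\0" * 64)
    with zipfile.ZipFile(Path(root) / "report.xlsb", "w") as zf:
        zf.writestr("xl/vbaProject.bin", b"constructed")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        if len(sys.argv) < 2:
            make_constructed_samples(demo)          # no path given: demo tree
        for path, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else demo):
            print(path, "->", "; ".join(reasons))
```

Run it with a folder path as the only argument to scan that tree; with no argument it scans the constructed demo files.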

  • 1 month later...
  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
