
TrojanDownloader:O97M/Donoff.ET removal


ElleMc


Good morning. I'm not sure if anyone here can help. Recently, Windows Defender found TrojanDownloader:O97M/Donoff.ET on my computer but can't remove it. The path for the virus is as follows: 

containerfile: C:\Users\linne\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp

file: C:\Users\linne\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRC0000.tmp->word/vbaProject.bin

Malwarebytes does not detect this, so initially I chalked it up to a one-off in Windows; however, when a second instance appeared that Windows also could not remove, I started to panic. I deleted all my shadow files, then ran Malwarebytes in Safe Mode (no detection), and I ran Defender in offline mode (still there). I also ran CCleaner and deleted and wiped everything and ran the scans again with the same result.

Any recommendations? I also ran MSERT, which, again, did not remove the trojan. System and MWB info below.

Any advice or help you can offer is appreciated.

 

MWB.png

Screenshot 2022-11-04 075104.png


TrojanDownloader:O97M/Donoff.ET is a detection on an MS Office 97 and above document that contains a malicious macro. That VB macro has the propensity to download a malicious payload and execute it.

MBAM does not detect it because MBAM does not target scripted malware and document files via signatures.

The anti-malware can't remove the maldoc (malicious document) as it is most likely found in a malicious email message that contained the document as an attachment.

By default, macros are disabled in the latest version of MS Office, so unless you opened the document and allowed the macro to run, there is no chance to get infected.

If you have the full, paid-for version of MBAM, the anti-exploit module would have kicked in, preventing the maldoc macro from downloading said payload.

 

Edited by David H. Lipman
Edited for content, clarity, spelling and/or grammar
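The detection path in the first post (`~WRC0000.tmp->word/vbaProject.bin`) names a ZIP-based Office container and the VBA project part stored inside it. The following is an added example, not part of any post in this thread: it lists every file under a folder that is such a container with an embedded VBA project, which helps locate macro-bearing documents left in the Word cache. A VBA project alone does not mean a file is malicious; the default folder and the function names are assumptions chosen for illustration.

```python
import sys
import zipfile
from pathlib import Path

# File name of the part Defender reported inside the container.
VBA_PART_NAME = "vbaproject.bin"


def vba_parts(path):
    """Return the ZIP member names that are VBA project parts, or [].

    Files that are not ZIP containers (legacy .doc, ordinary temp files),
    that are missing, locked or corrupt return [] instead of raising.
    """
    try:
        if not zipfile.is_zipfile(path):
            return []
        with zipfile.ZipFile(path) as zf:
            # Match on the last path component so word/, xl/ and ppt/ all count.
            return [name for name in zf.namelist()
                    if name.rsplit("/", 1)[-1].lower() == VBA_PART_NAME]
    except (OSError, zipfile.BadZipFile):
        return []


def scan_folder(folder):
    """Map each file under `folder` that embeds a VBA project to its parts."""
    hits = {}
    for p in sorted(Path(folder).rglob("*")):
        if p.is_file():
            parts = vba_parts(p)
            if parts:
                hits[str(p)] = parts
    return hits


if __name__ == "__main__":
    # Assumed default: the per-user Word cache folder from the detection path.
    default = Path.home() / "AppData/Local/Microsoft/Windows/INetCache/Content.Word"
    target = sys.argv[1] if len(sys.argv) > 1 else default
    # Print in the same container->part form the scanner used.
    for container, parts in scan_folder(target).items():
        for part in parts:
            print(f"{container}->{part}")
```

Run it with a folder path as the only argument to check a different location, such as a mail client's attachment cache.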

  • Root Admin

Please close all open applications and see if the following scanner can detect and clean up.

 

Let me have you run a different scanner to double-check.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.
  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes.
  • When prompted for scan type, click on Full scan.
  • Look at & tick (select) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on the Start scan button.
  • Have patience. The entire process may take an hour or more. There is an initial update download.
  • There is a progress window display.
  • You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click the blue “Save scan log” to save the log.
  • If something was removed and you know it is a false finding, you may click on the blue “Restore cleaned files” (in blue, at the bottom).
  • Press Continue when all done. You should click to turn off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 


  • 1 month later...

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 
