O97M/Adnel Malware

3 replies to this topic

#1 bcemail

bcemail

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 11 December 2015 - 09:59 AM

I stupidly opened a Word document attached to an email. It was disguised as an invoice. Windows Defender is now alerting to O97M/Adnel and says it is removing it, but then it keeps alerting.

 

I had macros disabled in Word, so I'm not sure how this got through. I guess it's conceivable I clicked an allow button that I don't remember doing.  In any event, I am concerned about the seriousness of this infection, bank account info, etc. I've searched the forums here and have not found much, surprisingly. Any help would be greatly appreciated.

 

 

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=O97M/Adnel

 

 

 


#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:22 PM

Posted 11 December 2015 - 10:54 AM

Hi there,

I go by Alexstrasza, but you can call me Alex. I will assist you with your problem.

According to the Microsoft Malware Protection Center, this detection is for a downloader that downloads the Dridex banking trojan into the infected machine. I suggest that you change all of your passwords from a clean machine!

Let us see if third party scanners can remove this malware.

:step1: Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update is complete, click Malware Scan. When asked if you want the scanner to scan for Potentially Unwanted Programs, click Yes. Emsisoft Emergency Kit will start scanning.
  • When the scan is completed click Quarantine selected objects. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop and post the contents in your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

:step2: Kaspersky Virus Removal Tool

Please download Kaspersky Virus Removal Tool from here.
  • Right click on the downloaded Kaspersky Virus Removal Tool file and select Run as Administrator.
  • Read the EULA, then select Accept.
  • Wait for Kaspersky Virus Removal Tool to initialize.
  • In the main screen, select Change parameters, place a checkmark in System drive, then click OK.
  • Click Start scan.
  • Wait for Kaspersky Virus Removal Tool to complete scanning.
  • When the scan is finished, select Neutralize all for all detected objects.
  • Close Kaspersky Virus Removal Tool when done.
Let me know if it found anything.

Regards,
Alex

#3 bcemail

bcemail
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 11 December 2015 - 12:36 PM

Thank you.

 

Kaspersky did not find anything. Emsisoft log below. Maybe Windows Defender successfully removed it before my post here. I have not rebooted the computer since infection. Not sure if that test needs to be done.  

 

Emsisoft Emergency Kit - Version 10.0
Last update: 12/11/2015 11:01:58 AM
User account: BACHOMEDELL\BAC
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 12/11/2015 11:02:07 AM
C:\ProgramData\Yahoo! Companion detected: Application.AdInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} detected: Application.AdInstall (A)
Key: HKEY_USERS\S-1-5-21-586131885-4165503719-1151441432-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{02478D38-C3F9-4EFB-9B51-7695ECA05670} detected: Application.AdInstall (A)
Key: HKEY_USERS\S-1-5-21-586131885-4165503719-1151441432-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{EF99BD32-C1FB-11D2-892F-0090271D4F88} detected: Application.AdInstall (A)
Key: HKEY_USERS\S-1-5-21-586131885-4165503719-1151441432-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{02478D38-C3F9-4EFB-9B51-7695ECA05670} detected: Application.AdInstall (A)
Key: HKEY_USERS\S-1-5-21-586131885-4165503719-1151441432-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{EF99BD32-C1FB-11D2-892F-0090271D4F88} detected: Application.AdInstall (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\TOOLBAR -> {EF99BD32-C1FB-11D2-892F-0090271D4F88} detected: Application.AdInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{02478D38-C3F9-4EFB-9B51-7695ECA05670} detected: Application.AdInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{EF99BD32-C1FB-11D2-892F-0090271D4F88} detected: Application.AdInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YAHOO! COMPANION detected: Application.AdInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\YAHOO! TOOLBAR detected: Application.AdInstall (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670} detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{058F0E48-61CA-4964-9FBA-1978A1BB060D} detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{18F33C35-8EF2-40D7-8BA4-932B0121B472} detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN.1 detected: Application.AdReg (A)
Value: HKEY_USERS\S-1-5-21-586131885-4165503719-1151441432-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN -> DW7 detected: Application.AdStart (A)
 
Scanned 81379
Found 22
 
Scan end: 12/11/2015 11:11:22 AM
Scan time: 0:09:15
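
The Emsisoft log above mixes three kinds of hits: leftover files, registry keys/values from an old Yahoo toolbar (Application.*), and four Setting.* hits under the Policies keys. Those last four are Windows policy values that disable Task Manager, the registry editor, the Run box and Folder Options, which is a lockdown pattern rather than toolbar residue, so they are worth reading separately from the adware noise. The script below is an added example, not part of the thread or of Emsisoft's tooling: it parses the log format EEK produces (file, Key: and Value: lines), groups detections by family, pulls out the policy lockdowns with a plain-language meaning for each, and cross-checks the parsed count against the "Found N" line. The embedded sample log is a constructed, shortened version of the one posted above; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the Emsisoft Emergency Kit log format seen above
# (a subset of the thread's entries; the SID is shortened for readability).
SAMPLE_LOG = r"""
Scan start: 12/11/2015 11:02:07 AM
C:\ProgramData\Yahoo! Companion detected: Application.AdInstall (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88} detected: Application.AdReg (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_USERS\S-1-5-21-0-0-0-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN -> DW7 detected: Application.AdStart (A)

Scanned 81379
Found 5
"""

# One detection line: optional "Key: " / "Value: " prefix, a location,
# then "detected: <Family.Name> (<flag>)". Lines without a prefix are files.
DETECTION_RE = re.compile(
    r"^(?:(?P<kind>Key|Value): )?(?P<where>.+?) detected: (?P<name>\S+) \((?P<flag>\w)\)$"
)
FOUND_RE = re.compile(r"^Found (\d+)$", re.MULTILINE)

# What each Setting.* hit means. These are the standard Windows policy
# values; the explanations are from Windows documentation, not from the log.
POLICY_MEANING = {
    "Setting.DisableTaskMgr": "Task Manager disabled (Policies\\System\\DisableTaskMgr)",
    "Setting.DisableRegistryTools": "Registry Editor disabled (Policies\\System\\DisableRegistryTools)",
    "Setting.NoRun": "Run command removed from Start menu (Policies\\Explorer\\NoRun)",
    "Setting.NoFolderOptions": "Folder Options hidden (Policies\\Explorer\\NoFolderOptions)",
}


def parse_detections(log_text):
    """Return one dict per detection line: kind, location, value, name, flag."""
    found = []
    for raw in log_text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue  # header, settings and summary lines are skipped
        kind = m.group("kind") or "File"
        where, value = m.group("where"), None
        if kind == "Value" and " -> " in where:
            # "Value:" lines carry "<key> -> <value name>"
            where, value = where.rsplit(" -> ", 1)
        found.append({
            "kind": kind,
            "location": where,
            "value": value,
            "name": m.group("name"),
            "flag": m.group("flag"),
        })
    return found


def summarize_by_family(found):
    """Count detections by the part before the first dot (Application, Setting, ...)."""
    return dict(Counter(d["name"].split(".")[0] for d in found))


def policy_lockdowns(found):
    """Setting.* hits, each paired with what that policy value does."""
    return [
        (d["name"], d["location"], d["value"], POLICY_MEANING.get(d["name"], "unknown policy"))
        for d in found
        if d["name"].startswith("Setting.")
    ]


def found_count_check(log_text, found):
    """(count reported by the 'Found N' line, count actually parsed)."""
    m = FOUND_RE.search(log_text)
    reported = int(m.group(1)) if m else None
    return reported, len(found)


if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    print("By family:", summarize_by_family(hits))
    for name, key, value, meaning in policy_lockdowns(hits):
        print(f"LOCKDOWN {name}: {key} -> {value}: {meaning}")
    print("Reported/parsed:", found_count_check(SAMPLE_LOG, hits))
```

Running it against the full log from the post gives two families (Application and Setting), four lockdown entries, and a reported/parsed pair of (22, 22), which matches the "Found 22" summary line. A mismatch there usually means a line was truncated when pasting.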


#4 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:05:22 PM

Posted 12 December 2015 - 06:58 AM

Hi there,

Is Windows Defender still throwing alerts?

You did not quarantine EEK's detections - please re-run EEK and choose Quarantine for all detections.

:step1: Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

:step2: ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Remove found threats
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Regards,
Alex
