Author Topic: M097 : Downloader-HS [Drp]  (Read 9437 times)


REDACTED

  • Guest
M097 : Downloader-HS [Drp]
« on: March 05, 2015, 10:23:29 AM »
Hello, I was doing a boot-time scan with avast and woke up to find that this scan found several of these. I tossed them to the chest for now but I can't seem to find anything online about it; can someone shed light on what this is? I'm a bit afraid, since it was found in some Microsoft Windows communications folder, and because of the number of them.

It's still at 37% so I can't get the needed logs just yet and will do when this is done. Also it's 4:22am here so I won't be able to do this right this moment.

Edit: oh, and sorry if it is somewhere easily accessible; my Google searches on my phone were hampered by lack of sleep and a bit of panic.
« Last Edit: March 05, 2015, 10:25:12 AM by IceSculpture »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
« Last Edit: March 05, 2015, 10:29:13 AM by Pondus »

REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #2 on: March 05, 2015, 10:37:30 AM »
Thank you for the prompt reply :D. Although it says the risk is low on the second link, I'm still very much paranoid about what it could have done and will post all logs as soon as I can.


Offline Pondus

Re: M097 : Downloader-HS [Drp]
« Reply #3 on: March 05, 2015, 11:56:49 AM »
Quote
I'm still very much paranoid to what it could have done
If run, it may try to do this: W97M.Downloader is a Word macro Trojan that downloads additional malware.

Quote
W97M.Downloader is a malicious macro that may arrive as a Word document attachment in spam emails.

The emails may have different subjects and body messages. For example:

Subject: Outstanding invoices - [RANDOM LETTERS]

Attachment: In[RANDOM LETTERS].doc

Message:

Kindly find attached our reminder and copy of the relevant invoices.

Looking forward to receive your prompt payment and thank you in advance.

Kind regards,

[NAME]


When the Word document is opened, the macro attempts to download and execute malware from a remote location.
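The description above boils down to one delivery mechanism: a macro inside an Office attachment. The following is an added example, not code from this thread, from avast or from Symantec, showing a defender-side triage check that flags Office documents carrying VBA macros before anyone opens them. It handles both the OOXML ZIP container (macros live in a `vbaProject.bin` part and the `application/vnd.ms-office.vbaProject` content type) and the legacy OLE2 `.doc` format (macros live in a `Macros` storage with a `_VBA_PROJECT` stream). The sample files, their names and the OLE stub bytes are all constructed here for the demonstration; the OLE check is a string-search heuristic rather than a real compound-file parser, and is labelled as such.

```python
"""Defender-side triage: flag Office documents that carry VBA macros.

Added example for the W97M.Downloader description above; it is not code from
the forum thread or from avast/Symantec. It handles two document families:

* OOXML (.docx, .docm, .xlsm, ...): a ZIP container. Macros live in a part
  named vbaProject.bin, and macro-enabled files also declare the content type
  application/vnd.ms-office.vbaProject in [Content_Types].xml.
* Legacy binary (.doc, .xls): an OLE2 compound file (magic D0CF11E0A1B11AE1).
  Macros live in a "Macros" storage holding a "_VBA_PROJECT" stream. The OLE
  check below is a cheap heuristic: it searches for those UTF-16LE directory
  entry names instead of walking the file's FAT, so a real pipeline would
  follow it with a proper parser such as oletools' olevba.
"""
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# Compound-file directory entries store their names as UTF-16LE.
OLE_MACRO_NAMES = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]


def ooxml_has_macros(data: bytes) -> bool:
    """True if an OOXML container has a VBA part or declares the VBA content type."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        pass
    return False


def ole_has_macros(data: bytes) -> bool:
    """Heuristic: an OLE2 file whose bytes contain a macro storage/stream name."""
    return data.startswith(OLE_MAGIC) and any(n in data for n in OLE_MACRO_NAMES)


def classify(data: bytes) -> str:
    """Return one of: ooxml-macro, ooxml, ole-macro, ole, other."""
    if data.startswith(ZIP_MAGIC):
        return "ooxml-macro" if ooxml_has_macros(data) else "ooxml"
    if data.startswith(OLE_MAGIC):
        return "ole-macro" if ole_has_macros(data) else "ole"
    return "other"


# ---- constructed sample documents (not real malware) -------------------------

def build_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory, optionally with a VBA part."""
    overrides = ('<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     f'{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def build_ole_stub(with_macro: bool) -> bytes:
    """Constructed stub: OLE2 magic plus a fake directory region.

    Only enough to exercise the heuristic; it is not a valid document.
    """
    dir_entry_name = "Macros" if with_macro else "WordDocument"
    return OLE_MAGIC + b"\x00" * 504 + dir_entry_name.encode("utf-16-le") + b"\x00" * 64


# Constructed file names; "In_sample.doc" echoes the In[RANDOM LETTERS].doc lure pattern.
SAMPLES = {
    "quarterly_report.docx": build_ooxml(False),
    "Invoice_reminder.docm": build_ooxml(True),
    "old_letter.doc": build_ole_stub(False),
    "In_sample.doc": build_ole_stub(True),
    "notes.txt": b"plain text, not an Office file",
}


def triage(samples: dict) -> dict:
    """Map each file name to its classification."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:24s} {verdict}")
```

Run as a script it prints a verdict per sample; in a mail gateway or on a quarantine share the same `classify()` would be applied to each attachment, with anything scored `*-macro` routed to a sandbox or held for review rather than delivered.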


REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #4 on: March 05, 2015, 05:31:40 PM »
Question: does aswMBR take a lot of time? I know it's relative, but more so than the others? It's been on the same file for about 40 mins. The Farbar tool and Malwarebytes both ran without problems.

Edit: seems I was impatient; it continued. Although a bit of the file path on the rightmost side is still there.
« Last Edit: March 05, 2015, 05:35:09 PM by IceSculpture »

Offline Pondus

Re: M097 : Downloader-HS [Drp]
« Reply #5 on: March 05, 2015, 05:38:23 PM »
Quote
Question does aswMBR take a lot of time?
that log is usually not needed unless it is rootkit related .... if needed Essexboy has other tools


Logs to assist in cleaning malware  https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes and Farbar Recovery Scan Tool  logs




« Last Edit: March 05, 2015, 06:33:05 PM by Pondus »

REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #6 on: March 05, 2015, 07:49:48 PM »
Quote
Question does aswMBR take a lot of time?
that log is usually not needed unless it is rootkit related .... if needed Essexboy has other tools


Logs to assist in cleaning malware  https://forum.avast.com/index.php?topic=53253.0
attach Malwarebytes and Farbar Recovery Scan Tool  logs

It found something, so I let that finish just in case. Attached the logs.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: M097 : Downloader-HS [Drp]
« Reply #7 on: March 05, 2015, 08:32:51 PM »
What was the location that these files were found in ?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF user.js: detected! => C:\Users\Ik\AppData\Roaming\Mozilla\Firefox\Profiles\z1t37jse.default\user.js
S3 X6va017; \??\C:\WINDOWS\SysWOW64\Drivers\X6va017 [X]
S3 X6va021; \??\C:\WINDOWS\SysWOW64\Drivers\X6va021 [X]
S3 X6va022; \??\C:\WINDOWS\SysWOW64\Drivers\X6va022 [X]
S3 X6va025; \??\C:\WINDOWS\SysWOW64\Drivers\X6va025 [X]
S3 X6va027; \??\C:\WINDOWS\SysWOW64\Drivers\X6va027 [X]
S3 X6va028; \??\C:\WINDOWS\SysWOW64\Drivers\X6va028 [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]
2013-04-28 03:26 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2013-04-28 03:26 - 2009-07-22 05:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2013-04-28 03:26 - 2012-09-07 06:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\Users\Ik\Desktop\VIstaBackUp\Documents\games\0Doujin Games\Visionary Wings\Visionary Wings\graphics\irma_right.gpk
C:\Users\Ik\Desktop\VIstaBackUp\Documents\Testa\show efe
C:\Users\Ik\Desktop\DesktopGameMusik\comiket\Touhou Yuuen Sekai\TouYuu\Touhou Yuuen Sekai\thworld.exe
C:\Users\Ik\Desktop\ambiguous ro client 0.1
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated; please post that

REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #8 on: March 05, 2015, 09:08:54 PM »
I did so, and as a side question, I noticed that my Chrome lost its saved session. I assume I can't get that back somehow, right?

Offline Pondus

Re: M097 : Downloader-HS [Drp]
« Reply #9 on: March 05, 2015, 09:18:24 PM »
See essexboy's question at the top of his post

REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #10 on: March 05, 2015, 09:24:56 PM »
Which files from which scan? You mean this part? With the question marks?
Quote
S3 X6va017; \??\C:\WINDOWS\SysWOW64\Drivers\X6va017 [X]
S3 X6va021; \??\C:\WINDOWS\SysWOW64\Drivers\X6va021 [X]
S3 X6va022; \??\C:\WINDOWS\SysWOW64\Drivers\X6va022 [X]
S3 X6va025; \??\C:\WINDOWS\SysWOW64\Drivers\X6va025 [X]
S3 X6va027; \??\C:\WINDOWS\SysWOW64\Drivers\X6va027 [X]
S3 X6va028; \??\C:\WINDOWS\SysWOW64\Drivers\X6va028 [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]

Offline Pondus

Re: M097 : Downloader-HS [Drp]
« Reply #11 on: March 05, 2015, 09:33:39 PM »
I guess he wants to know where this ( M097 : Downloader-HS [Drp] ) was found


REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #12 on: March 05, 2015, 09:38:04 PM »
It was a bit of a long file path and I wasn't entirely sure how to copy/paste it from the virus chest either, so I took a screenshot. It and another file were copied 8 times for some reason.

Offline essexboy

Re: M097 : Downloader-HS [Drp]
« Reply #13 on: March 05, 2015, 09:57:06 PM »
They are documents in the Live Mail or Outlook saved files folder
I do not have access to that area, so I would recommend that you empty the deleted e-mails folders

FRST did not remove anything from chrome unless it was in the temporary folder

How is the computer behaving ?

REDACTED

  • Guest
Re: M097 : Downloader-HS [Drp]
« Reply #14 on: March 05, 2015, 10:03:47 PM »
Will delete those emails right now. And to begin with, my computer was not behaving any differently from the start; this was just a routine scan that picked up several objects, which made me panic since I didn't easily find anything on M097 : Downloader-HS [Drp] early this morning. That, and the fact it was 16 items (although 2 items with 7 extra copies each).

If it means anything, it's still fine, excluding the Chrome wipe.