M097 : Downloader-HS [Drp]

Hello, I was doing a boot-time scan with Avast and woke up to find that this scan found several of these. I tossed them to the chest for now, but I can't seem to find anything online about it; can someone shed light on what this is? I'm a bit afraid, since it was found in some Microsoft Windows communications folder, and because of the number of them.

It's still at 37%, so I can't get the needed logs just yet and will do so when this is done. Also, it's 4:22am here, so I won't be able to do this right this moment.

Edit: oh, and sorry if it is somewhere easily accessible; my Google searches on my phone would be hampered by lack of sleep and a bit of panic.

It is a Windows Office macro malware.

https://www.virustotal.com/en/file/10eca59c3d4df784bbb5fb581adf65dbb0c7ec4d95476816cb0f9ce4100b27e3/analysis/

Symantec info: http://www.symantec.com/security_response/writeup.jsp?docid=2014-110100-2117-99

Thank you for the prompt reply :D. Although it says the risk is low on the second link, I'm still very much paranoid about what it could have done and will post all logs as soon as I can.

I'm still very much paranoid to what it could have done
If run, it may try to do this: W97M.Downloader is a Word macro Trojan that downloads additional malware.
W97M.Downloader is a malicious macro that may arrive as a Word document attachment in spam emails.

The emails may have different subjects and body messages. For example:

Subject: Outstanding invoices - [RANDOM LETTERS]

Attachment: In[RANDOM LETTERS].doc

Message:

Kindly find attached our reminder and copy of the relevant invoices.

Looking forward to receive your prompt payment and thank you in advance.

Kind regards,

[NAME]

When the Word document is opened, the macro attempts to download and execute malware from a remote location.
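The reply above describes the delivery mechanism: a .doc attachment whose VBA macro downloads a second stage when the document is opened. As an added example (not part of the thread, and not Avast's or Symantec's tooling), the Python script below is a defender-side triage check: given the raw bytes of an Office file it reports which container it is (legacy OLE2 .doc or OOXML zip) and whether it carries a VBA project. For OOXML it lists the zip for a vbaProject.bin part; for OLE2 it does a byte scan for the UTF-16LE encoded stream name _VBA_PROJECT that lives inside a VBA storage. The OLE check is a heuristic, not a full compound-file parser, and the sample documents are constructed in the block itself, so the code runs offline. The helper names (classify, build_sample_docm, build_sample_ole) are assumptions of this example.

```python
import io
import zipfile

# Magic bytes for the two Office container formats (well-known constants).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# Stream name that only appears inside a VBA project storage of an OLE2 file.
# Directory-entry names are stored UTF-16LE, so the byte scan looks for that form.
# Heuristic marker: a deliberately narrow name to keep false positives low.
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify(data: bytes) -> dict:
    """Triage an Office file's raw bytes: container type and whether a VBA project is present."""
    result = {"container": "unknown", "has_vba": False, "evidence": []}

    if data.startswith(ZIP_MAGIC):
        # OOXML (.docx/.docm/.xlsm ...) is a zip; macros live in a vbaProject.bin part.
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith("vbaproject.bin"):
                        result["has_vba"] = True
                        result["evidence"].append(name)
        except zipfile.BadZipFile:
            result["container"] = "ooxml(corrupt)"
    elif data.startswith(OLE_MAGIC):
        # Legacy binary .doc/.xls: OLE2 compound file. Scan for the VBA stream name.
        result["container"] = "ole2"
        if OLE_VBA_MARKER in data:
            result["has_vba"] = True
            result["evidence"].append("_VBA_PROJECT stream name found")
    return result


def build_sample_docm(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip (not a real Word file) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_ole(with_vba: bool) -> bytes:
    """Constructed OLE2-shaped byte string (magic + padded directory names), not a real .doc."""
    body = bytearray(OLE_MAGIC + b"\x00" * 504)  # header sector padding
    body += "WordDocument".encode("utf-16-le") + b"\x00" * 40
    if with_vba:
        body += OLE_VBA_MARKER + b"\x00" * 40
    return bytes(body)


if __name__ == "__main__":
    for label, sample in (
        ("docm with macro", build_sample_docm(True)),
        ("docx without macro", build_sample_docm(False)),
        ("doc with macro", build_sample_ole(True)),
        ("doc without macro", build_sample_ole(False)),
    ):
        print(f"{label:20s} -> {classify(sample)}")
```

A positive result is a reason to keep the document in Protected View with macros disabled and to submit the hash to a multi-engine scanner, as was done with the VirusTotal link earlier in the thread; a negative result from the OLE byte scan is not proof of safety, since the heuristic only covers the common stream layout.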

Question: does aswMBR take a lot of time? I know it's relative, but more so than the others? It's been on the same file for about 40 mins. The Farbar tool and Malwarebytes both ran without problems.

Edit: seems I was impatient; it continued. Although a bit of the file path on the rightmost side is still there.

Question does aswMBR take a lot of time?
That log is usually not needed unless it is rootkit related.... If needed, Essexboy has other tools.

Logs to assist in cleaning malware: https://forum.avast.com/index.php?topic=53253.0
Attach Malwarebytes and Farbar Recovery Scan Tool logs.

It found something, so I let that finish just in case. Attached the logs.

What was the location that these files were found in ?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF user.js: detected! => C:\Users\Ik\AppData\Roaming\Mozilla\Firefox\Profiles\z1t37jse.default\user.js
S3 X6va017; \??\C:\WINDOWS\SysWOW64\Drivers\X6va017 [X]
S3 X6va021; \??\C:\WINDOWS\SysWOW64\Drivers\X6va021 [X]
S3 X6va022; \??\C:\WINDOWS\SysWOW64\Drivers\X6va022 [X]
S3 X6va025; \??\C:\WINDOWS\SysWOW64\Drivers\X6va025 [X]
S3 X6va027; \??\C:\WINDOWS\SysWOW64\Drivers\X6va027 [X]
S3 X6va028; \??\C:\WINDOWS\SysWOW64\Drivers\X6va028 [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]
2013-04-28 03:26 - 2012-09-07 06:40 - 0000256 _____ () C:\ProgramData\SetStretch.cmd
2013-04-28 03:26 - 2009-07-22 05:04 - 0024576 _____ () C:\ProgramData\SetStretch.exe
2013-04-28 03:26 - 2012-09-07 06:37 - 0000103 _____ () C:\ProgramData\SetStretch.VBS
C:\Users\Ik\Desktop\VIstaBackUp\Documents\games\0Doujin Games\Visionary Wings\Visionary Wings\graphics\irma_right.gpk
C:\Users\Ik\Desktop\VIstaBackUp\Documents\Testa\show efe
C:\Users\Ik\Desktop\DesktopGameMusik\comiket\Touhou Yuuen Sekai\TouYuu\Touhou Yuuen Sekai\thworld.exe
C:\Users\Ik\Desktop\ambiguous ro client 0.1
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.
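A fixlist like the one above is a list of actions FRST will carry out, and a reader should be able to tell, line by line, what each entry will do before pressing Fix: restore-point creation, a registry policy entry, orphaned toolbar registrations, services whose driver file is missing ([X]), dated file entries, bare paths that will be deleted, and a CMD: line. The Python script below is an added example (not from the thread, and not FRST's own code) that parses text in this line format into categories and pulls out the bare paths under C:\Users so they can be double-checked before deletion. The sample fixlist is constructed to mirror the shape of the thread's entries with placeholder GUIDs and user names; the function names parse_fixlist, summarize and user_data_targets, and the category names, are assumptions of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the same line format as the fixlist posted above.
# GUIDs, profile names and user paths are placeholders, not values from the thread.
SAMPLE_FIXLIST = """\
CreateRestorePoint:
HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKLM - No Name - {00000000-0000-0000-0000-000000000001} - No File
FF user.js: detected! => C:\\Users\\example\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\user.js
S3 X6va017; \\??\\C:\\WINDOWS\\SysWOW64\\Drivers\\X6va017 [X]
S3 X6va021; \\??\\C:\\WINDOWS\\SysWOW64\\Drivers\\X6va021 [X]
2013-04-28 03:26 - 2012-09-07 06:40 - 0000256 _____ () C:\\ProgramData\\SetStretch.cmd
C:\\Users\\example\\Desktop\\old_backup\\leftover.exe
EmptyTemp:
CMD: bitsadmin /reset /allusers
"""


@dataclass
class FixEntry:
    category: str   # one of the labels in _PATTERNS, or "unknown"
    target: str     # the path, key, GUID or command the line acts on
    raw: str        # the original line


# Patterns are checked in order; the first match decides the category.
_PATTERNS = [
    ("directive", re.compile(r"^(\w+):$")),                       # CreateRestorePoint:, EmptyTemp:
    ("command", re.compile(r"^CMD: (.+)$")),                      # shell command FRST will run
    ("service_missing_file", re.compile(r"^[SR]\d \S+; (.+) \[X\]$")),  # service whose binary is absent
    ("toolbar_orphan", re.compile(r"^Toolbar: .*?(\{[0-9A-Fa-f-]+\}) - No File$")),
    ("firefox_userjs", re.compile(r"^FF user\.js: detected! => (.+)$")),
    ("policy_restriction", re.compile(r"^(HK\w+\\.+?): Policy restriction <=+ ATTENTION$")),
    ("dated_file", re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} - .*\(\) (.+)$")),
    ("path", re.compile(r"^([A-Za-z]:\\.+)$")),                   # bare path: will be deleted
]


def parse_fixlist(text: str) -> list:
    """Turn fixlist text into FixEntry objects, one per non-empty line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for category, pattern in _PATTERNS:
            match = pattern.match(line)
            if match:
                entries.append(FixEntry(category, match.group(1), line))
                break
        else:
            # Unrecognised lines are kept and flagged rather than silently dropped.
            entries.append(FixEntry("unknown", line, line))
    return entries


def summarize(entries: list) -> dict:
    """Count entries per category so the shape of the fix is visible at a glance."""
    return dict(Counter(entry.category for entry in entries))


def user_data_targets(entries: list) -> list:
    """Bare paths under C:\\Users that the fix would delete; worth a second look before running."""
    return [
        entry.target for entry in entries
        if entry.category == "path" and "\\Users\\" in entry.target
    ]


if __name__ == "__main__":
    parsed = parse_fixlist(SAMPLE_FIXLIST)
    for entry in parsed:
        print(f"{entry.category:22s} {entry.target}")
    print("summary:", summarize(parsed))
    print("user-profile paths to review:", user_data_targets(parsed))
```

The point of the user_data_targets check is the one the thread's CAUTION line makes: a fixlist is written for one machine, and bare paths in it are deleted outright, so anything under a user profile deserves confirmation that it is really unwanted before the fix is run.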

I did so, and as a side question, I noticed that my Chrome lost its saved session. I assume I can't get that back somehow, right?

See Essexboy's question at the top of his post.

Which files from which scan? You mean this part? With the question marks?

S3 X6va017; \??\C:\WINDOWS\SysWOW64\Drivers\X6va017 [X]
S3 X6va021; \??\C:\WINDOWS\SysWOW64\Drivers\X6va021 [X]
S3 X6va022; \??\C:\WINDOWS\SysWOW64\Drivers\X6va022 [X]
S3 X6va025; \??\C:\WINDOWS\SysWOW64\Drivers\X6va025 [X]
S3 X6va027; \??\C:\WINDOWS\SysWOW64\Drivers\X6va027 [X]
S3 X6va028; \??\C:\WINDOWS\SysWOW64\Drivers\X6va028 [X]
S3 X6va029; \??\C:\WINDOWS\SysWOW64\Drivers\X6va029 [X]

I guess he wants to know where this (M097 : Downloader-HS [Drp]) was found.

It was a bit of a long file path, and I wasn't entirely sure how to copy/paste it from the virus chest either, so I took a screenshot. It and another file were copied 8 times for some reason.

They are documents in the Live Mail or Outlook saved files folder.
I do not have access to that area, so I would recommend that you empty the deleted e-mails folders.

FRST did not remove anything from Chrome unless it was in the temporary folder.

How is the computer behaving?

Will delete those emails right now. And to begin with, my computer was not behaving any differently from the start; this was just a routine scan that picked up several objects, which made me panic since I didn't easily find anything on M097 : Downloader-HS [Drp] early this morning. That, and the fact it was 16 items (although 2 items with 7 extra copies each).

If it means anything, it's still fine excluding the Chrome wipe.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix.

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

Keep Java Updated

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article.

I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software, and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser.)

If you do need to keep Java, then download JavaRa.
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present.
Once done, run it again and select Update Java runtime > Download and install Latest version.

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware.

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean.

Unchecky

Click on the link above to be taken to Unchecky.com.
Click the very large Download button.
Click Save.
Click Open folder.
Right-click on Unchecky_setup and choose Run as Administrator.
Once open, click the Install button.
Then click on Finish.
Unchecky is now installed and will help you keep unwanted check boxes unchecked; this is a fire-and-forget programme :wink:

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated.

To learn more about how to protect yourself while on the internet, read this little guide: Best security practices. Keep safe :wave:

Actually, sorry to bring this up this late, but should I worry about my backups, or would MCShield take care of that? Some of the folders involved are on them. The backups are approx. three weeks old, if that makes any difference.

MCShield will scan the backups when they are plugged in, and Avast will scan them as they are transferred :slight_smile: