TrojanDownloader:O97M/Xdoc.YA

    #1886888

    My client’s Win 10 Pro computer picked this thing up somewhere and I can’t get rid of it with Windows Defender or Malwarebytes (the paid professional version) or Spybot Search & Destroy (all updated to the latest definitions, of course).  Malwarebytes and Spybot S&D won’t even detect it, crazily enough.  The Microsoft help page is, well, no help at all, since it assumes that Defender was able to delete the thing.  I’ve done several searches and they all take me back to the aforementioned Microsoft page.  Any suggestions would be appreciated.  I haven’t seen one like this in a long time.

    TrojanDownloader:O97M/Xdoc.YA Microsoft Help Page

    • #1886893

      Have you tried a 3rd party AV scan? Panda have a free one, as do others.

      cheers, Paul

    • #1887129

      Hey thanks Paul, but aren’t the paid versions of Malwarebytes and Spybot Search & Destroy considered 3rd-party scanners?  Malwarebytes is supposed to be the “Lexus” of ’em all, from what I understand.  At this point I’m open for trying just about anything but if those other 2 “benchmark” A/V programs didn’t even detect the Trojan I’m wondering if Panda has as much horsepower as they do?  All suggestions are certainly appreciated though!  You never know which one might be the “silver bullet”!

    • #1887220

      Well.

      It’s a Word macro.

      From the “Trojan Information” attachment, seems that the “infected” location is inside a Volume Shadow Copy, which is a read-only state from a previous point in time, so the file in there cannot be directly removed or changed (changed as in the offending macro excised from the document… relevant if it has any content that needs to be kept).

      So. Hopefully you’re using the shadow copies to take periodic backups and now you’ll know that this backup run has one file that contains malware, so you’ll be able to take care if you ever restore anything from that backup… You can of course drop the shadow copy once the backup run is complete, or this may happen automatically.

      Could also be that other scanners aren’t scanning inside shadow copies?

    • #1887231

      Travis, please refer to the AskWoody Lounge Rules regarding cross-posting – you failed to link your answered post on answers.microsoft.com.

      If you’ve already posted a similar question on a different site, please link to it so we can avoid reinventing the wheel.

      1 user thanked author for this post.
      • #1887278

        Sorry, I wasn’t aware of that; as much as I’ve used various forums over the years I don’t think I even knew what “cross-posting” was in that respect, unless you were duplicating your posts / questions on the same general site, such as in different forums on AskWoody.com.  I figured that different sites give different and unique answers. I posted on the Microsoft site as kind of an afterthought after I posted here and the guy over there only just replied to my post a short while ago, so I really hadn’t had time to link back to it, even if I’d known the rules (which I didn’t); I’m just lucky I saw it before I called it quits for the night.  Also I’m not sure that his suggestion will work, so should I have done so without knowing whether it actually helped or not (aka was the “answer”)?  But just to clarify, if I have a question, can I only post it on 1 site, be it AskWoody.com, Microsoft.com or whatever?  That would seem to be a little limiting if that’s the case.  Not trying to be argumentative, but I’ve truly never run into this situation before…

        • #1887709

          I posted on the Microsoft site as kind of an afterthought after I posted here

          … hm, neither site includes timezones in the respective post timestamps, but here shows “July 25, 2019 at 1:36 am” and answers.microsoft.com shows “7/25/2019 10:38:54 AM” … both would seem to be respective server-side times … do we need a clarification of the rules on crossposting elsewhere after posting here?

          Also I’m not sure that his suggestion will work, so should I have done so without knowing whether it actually helped or not (aka was the “answer”)?

          I do feel kind of sceptical about ESET SysRescue being all that much better at changing contents of volume shadow copies, anyway… though it might just drop the shadow copy entirely, the same way as mounting the disk on Windows XP or Server 2003 would do, because those don’t support persistent shadow copies.

          • #1888399

            No need to take a stopwatch to it. Just as a courtesy, if you post the same question somewhere else, let us know about it. That makes it easier for everybody.

        • #1888849

          But just to clarify, if I have a question, can I only post it on 1 site, be it AskWoody.com, Microsoft.com or whatever?

          If you’ve already posted a similar question on a different site, please link to it so we can avoid reinventing the wheel.

          The rules don’t prevent you from posting on more than one site, but as quoted, we ask you record them – linking it is a courtesy to those investing their spare time to assist you in sorting your problem 🙂

    • #1888028

      Why not just use the Microsoft vssadmin command and delete the infected shadow copy?

      2 users thanked author for this post.
      • #1888105

        … preferably after checking that it isn’t needed for anything else, like an incomplete backup run.

        Sort of reminds me of that one official document archive CD-ROM with a macro virus… couldn’t just get rid of it, or even keep a decontaminated copy of that file, because that would have been changing the file. (Another reason to keep archived documents as PDFs or in some other more sensible format…)

      • #1890701

        That could well be the ultimate solution but I’m inclined to try some other suggestions as well, just to educate myself on what works the best.  As I said, I haven’t had to do any malware remediation in a long time.  The A/V programs which are out today, especially when used in concert with one another, are incredibly better than they used to be, ‘way back when.

        Update:  I ran some of these commands on my computer as sort of a “tutorial” to familiarize myself with it and discovered that I had shadow copies dating back to 2017.  How is that possible, since I’ve reformatted my boot drive multiple times since then?  I may need to more fully educate myself on all aspects of these things; I’ve always thought they were used for the immediate backup and then just kind of disappeared.  If you can further enlighten me (or point me toward an article on the subject) I would greatly appreciate it.  There’s (apparently) more here than meets the eye.

        • This reply was modified 5 years, 8 months ago by Travasaurus. Reason: To add further information
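
A targeted alternative to the blanket vssadmin delete shadows /all suggested above, added here as an example and not code posted in this thread: inventory every shadow copy with its source drive and creation time first (so you can confirm, as the follow-up reply asks, that none of them belongs to an incomplete backup run), then delete only the snapshot whose ID you have identified as holding the flagged document. The GUID in the usage line is a placeholder, and the run as written uses -WhatIf so nothing is deleted until you remove that switch.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session on
# the affected Windows 10 machine. Step 1 lists shadow copies so you can decide
# which one holds the flagged file; step 2 deletes only that one, by ID.

function Get-ShadowCopyInventory {
    # Map each shadow copy to the drive letter of its source volume and show
    # when it was taken; old dates here are why "shadow copies from 2017" show up.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $sc  = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $sc.VolumeName }
        [PSCustomObject]@{
            ID         = $sc.ID
            Drive      = $vol.DriveLetter
            Created    = $sc.InstallDate
            DevicePath = $sc.DeviceObject   # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
        }
    } | Sort-Object Created
}

function Remove-SingleShadowCopy {
    # Deletes exactly one snapshot. ConfirmImpact=High means a plain call prompts
    # before acting; -WhatIf only reports what would happen.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^\{[0-9A-Fa-f-]{36}\}$')]
        [string] $ShadowId
    )
    $target = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $ShadowId }
    if (-not $target) {
        throw "No shadow copy with ID $ShadowId exists."
    }
    if ($PSCmdlet.ShouldProcess("shadow copy $ShadowId (created $($target.InstallDate))", 'Delete')) {
        # vssadmin's per-ID form touches nothing but the named snapshot.
        & vssadmin.exe Delete Shadows "/Shadow=$ShadowId" /Quiet
        if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }
        # Verify the snapshot is really gone before trusting the cleanup.
        $still = Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $ShadowId }
        if ($still) { throw "Shadow copy $ShadowId is still present after deletion." }
        Write-Output "Shadow copy $ShadowId deleted."
    }
}

# 1. Review the inventory and note the ID of the snapshot that contains the file.
Get-ShadowCopyInventory | Format-Table -AutoSize

# 2. Delete that snapshot only (placeholder ID; drop -WhatIf to actually run it).
Remove-SingleShadowCopy -ShadowId '{00000000-0000-0000-0000-000000000000}' -WhatIf
```

After the deletion, re-run the scanner that originally flagged the file to confirm the detection no longer appears, then take a fresh backup as the later replies recommend.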
    • #1888047

      Also try Bleeping Computer, as they have a good forum section specific to malware/trojans etc. It usually entails registering, then downloading and running a small program that generates a log/txt file to upload in your post. The assistant will guide you through the process, usually through to eradication.

      Here is a similar issue posted today, to give you an idea what to expect (no reply in the post as yet). See what you think and whether YOU are comfortable with this.

      Bearing in mind it will need to be disclosed here as a cross-post if you post over there 😉

      Windows - commercial by definition and now function...
    • #1888356

      Hello,
      I suggest you execute a Defender Offline Scan (it scans your computer before Windows is loaded, so it can clean infected files that cannot be cleaned while running Windows). It has helped me a few times (off topic: with Win Pro we use Sophos, with Win Enterprise we simply use Defender too).

      It should be located somewhere near:

      In Windows 10, the offline scan could be run from under Windows Settings > Update & security > Windows Defender or from the Windows Defender client.

      If more information is needed, please refer to

      https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline

      Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

      HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

      PRUSA i3 MK3S+

      • This reply was modified 5 years, 8 months ago by doriel. Reason: oh grammar
      • This reply was modified 5 years, 8 months ago by doriel.
      2 users thanked author for this post.
      • #1888850

        Hey thanks for the thought.  I failed to mention that I’ve already run a couple of Windows Defender offline scans but to no effect.  I’m going to try and kick it up a notch or 2 with some of the other suggestions here.  I’ve got to get back out to the customer’s office first though.

        • This reply was modified 5 years, 8 months ago by Travasaurus. Reason: Correct a typo
    • #1888376

      Did you try Windows Defender Offline scan?

      Windows Defender Offline is a scanning tool that works outside of Windows, allowing it to catch and clean infections that hide themselves when Windows is running.
      https://support.microsoft.com/en-us/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware

      Start, Settings, Update & Security, Windows Security, Virus & threat protection, Scan options, Windows Defender Offline scan, Scan now

      Some malicious software can be particularly difficult to remove from your device. Windows Defender Offline can help find and remove them using up-to-date threat definitions. This will restart your device and will take about 15 minutes.

      (EDIT: Hadn’t seen doriel’s suggestion at time of posting. Leaving for extra quote/link/steps.)

      • This reply was modified 5 years, 8 months ago by b.
    • #1888809

      Questions for doriel or b, in light of mn- at 3:19 am and 8:07 am (server times). Would the Defender offline scan be more effective at removing a Word macro within a shadow copy, or would it fail for the same reasons the “online” run failed?

      Do you believe this exploit is not as suspected by mn-, that it is different or more than simply a macro?

      • #1888819

        Questions for doriel or b, in light of mn- at 3:19 am and 8:07 am (server times). Would the Defender offline scan be more effective at removing a Word macro within a shadow copy, or would it fail for the same reasons the “online” run failed?

        Not sure, but I think an offline scan may succeed in removing a shadow copy file.

        Do you believe this exploit is not as suspected by mn-, that it is different or more than simply a macro?

        No.

      • #1888860

        I forgot to mention in my original post that I ran a couple of Windows Defender offline scans and it did not zap the Trojan, so that approach did not work.

    • #1889087

      I’m this guy => “at 1:41 pm”. My thought is: the offending macro got into the shadow copy because it was present on the system at the time the shadow copy was made.

      Then Defender successfully removed the exploit from the mounted system. But the shadow copy is protected from corruption. Job more than half done. Let us now finish the task.

      In keeping with suggestions by jabeattyauditor and mn– earlier today, make new backup now of cleaned system, excluding the offending shadow copy. Verify the backup satisfies all your needs. Delete (from highest elevated permissions) the bad shadow copy in total. Enter a comment into whatever log or journal you keep to track unusual events, describing this unusual event. Get on with your day.

      Doing this sooner rather than later minimizes any data changes potentially lost between backup versions, through regular use not attributable to this exploit.

    • #1889127

      This might or might not apply to the problem, the relevant details of which I do not know well enough, but just in case I would like to suggest an alternative to using an antivirus that might (or might not) eliminate the intrusive malware:

      Wouldn’t restoring the system to an earlier state, with a return to a restore point created before the malware infection, take care of this? I have observed, when I had to do that a few times and for different reasons over the years, that the operation also removed some updates to the installed software (browsers, etc.) that had occurred since that old restore point was created.

      A full backup with an ISO disk created at an appropriately earlier date using, for example, Macrium Reflect, might do an even more thorough job of eliminating the problem.

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

      1 user thanked author for this post.
      • #1890509

        Full backup should work.

        If you have no full backup, you can try to run

        Microsoft Safety Scanner

        which should find and clear that trojan, according to this article. Which I don’t believe, but it’s worth a try.

        MS Security intelligence – TrojanDownloader:O97M/Xdoc.YB

        I suggest disconnecting from the internet before you run this.

        Dell Latitude 3420, Intel Core i7 @ 2.8 GHz, 16GB RAM, W10 22H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

    • #1891834

      https://community.sophos.com/kb/en-us/114422

      1. From the search toolbar, type This PC.
      2. Right click on Local Disk C (C:) and select Properties.
      3. Accept any alerts from Windows UAC.
      4. Click the Disk Cleanup button.
      5. Wait for Disk cleanup to finish calculating.
      6. Select the More Options tab in the new window.
      7. Select the Clean up button for System Restore and Shadow Copies.
      8. Click Delete to confirm.
      3 users thanked author for this post.
      • #1891913

        Thanks. I’ve used the Disk Cleanup Tool 100s of times but I never even really paid any attention to the 2nd (More Options) tab. That’s kind of the “Doomsday Scenario” as far as your backups go but apparently it will zap the Shadow Copy that contains the Trojan, in this case.  Sometimes the answer is right under your nose and you can’t see the Forest for the Trees…

        1 user thanked author for this post.
    • #1896441

      Try Adwcleaner, freebie.  It was superior to regular Malwarebytes so Malwarebytes bought them out.  Although they might have made changes.

      • This reply was modified 5 years, 8 months ago by Geo.
    • #1898292

      Wrap-up:  I tried the suggested anti-malware programs, including the Microsoft Safety Scanner and the Malwarebytes AdwCleaner (which I really didn’t have high hopes for because, as I mentioned earlier, my client is using the paid version, Malwarebytes Premium) and it didn’t even detect it (nor did Spybot Search & Destroy, for that matter).  Windows Defender was the only thing that did but as noted, could not get rid of it.  Oddly, using the Windows Disk Cleanup Tool / More Options didn’t touch the Shadow Copies either, even though (supposedly) it should’ve deleted them.  The garden-variety Vssadmin commands didn’t even work (i.e. “delete shadows /all”).  Vssadmin Commands  What finally did work was an obscure page that I stumbled onto that instructed me to “terminally” resize the Shadow Copies, thereby effectively deleting them.  It seemed kind of counter-intuitive but it worked like a charm and the Trojan disappeared right along with the Shadow Copies, after which I verified that it had been deleted (at least as reported by Windows Defender) and then I made a fresh backup, which took about 5 hours to complete.  The link to this “magic bullet” is below, in hopes that this might help somebody else in a similar situation.  Many thanks to all who offered up a number of good suggestions; your assistance was appreciated!

      How To Effectively Delete A Shadow Copy

      As kind of an afterthought, it might not be a bad idea to do this occasionally, just to clean up your disk a little bit, unless there is some downside to it that I’m not aware of.  If so then I’d welcome somebody to comment accordingly.  Apparently Shadow Copies are darn near impossible to get rid of, based on my recent experience.

      4 users thanked author for this post.
      • #1898488

        Oddly, using the Windows Disk Cleanup Tool / More Options didn’t touch the Shadow Copies either, even though (supposedly) it should’ve deleted them.

        Disk Cleanup run as Admin deletes Shadow Copies leaving only the last one. I am deleting daily Shadow copies (15 days = 20GB) twice a month (before creating full image copies).

        SC

        • This reply was modified 5 years, 8 months ago by Alex5723.
        2 users thanked author for this post.
    • #1899467

      Wrap-up:  I tried the suggested anti-malware programs, including the Microsoft Safety Scanner and the Malwarebytes AdwCleaner (which I really didn’t have high hopes for because, as I mentioned earlier, my client is using the paid version, Malwarebytes Premium) and it didn’t even detect it (nor did Spybot Search & Destroy, for that matter).  Windows Defender was the only thing that did but as noted, could not get rid of it.  Oddly, using the Windows Disk Cleanup Tool / More Options didn’t touch the Shadow Copies either, even though (supposedly) it should’ve deleted them.  The garden-variety Vssadmin commands didn’t even work (i.e. “delete shadows /all”).  Vssadmin Commands  What finally did work was an obscure page that I stumbled onto that instructed me to “terminally” resize the Shadow Copies, thereby effectively deleting them.  It seemed kind of counter-intuitive but it worked like a charm and the Trojan disappeared right along with the Shadow Copies, after which I verified that it had been deleted (at least as reported by Windows Defender) and then I made a fresh backup, which took about 5 hours to complete.  The link to this “magic bullet” is below, in hopes that this might help somebody else in a similar situation.  Many thanks to all who offered up a number of good suggestions; your assistance was appreciated!

      How To Effectively Delete A Shadow Copy

      As kind of an afterthought, it might not be a bad idea to do this occasionally, just to clean up your disk a little bit, unless there is some downside to it that I’m not aware of.  If so then I’d welcome somebody to comment accordingly.  Apparently Shadow Copies are darn near impossible to get rid of, based on my recent experience.

      Thank you for letting us know the solution that worked for you: it is much appreciated.

      On “As kind of an afterthought, it might not be a bad idea to do this occasionally, just to clean-up your disk a little bit, unless there is some downside to it that I’m not aware of. If so then I’d welcome somebody to comment accordingly. Apparently Shadow Copies are darn near impossible to get rid of, based on my recent experience.”
      — Since the computer was infected via a Volume Shadow Copy that wasn’t deletable or addressed by any Security program, that is a potential plan to keep in mind.

      I’d like to add that since Disk Cleanup doesn’t delete all Restore Points, I would consider the following in order to do so if that recommendation doesn’t work in a different situation.
      — I just carried out the following process on the computer I’m working on.

      Control Panel > System > System Protection > System properties > Configure > Delete all restore points for this drive.
      The following message reads: “You will not be able to undo unwanted system changes on this drive.
      — Are you sure you want to continue?
      — This will delete all restore points on this drive. This might include older system image backups.”
      — I selected Continue.
      — The result was “The restore points were deleted successfully.” Click on Close.

      The following screen showed Turn on system protection bulleted.
      — I decided to select Disable system protection instead, not only to ensure that all of the restore points were successfully deleted but to make sure that system protection was actually disabled at this point.
      — Click Apply, then OK.
      — The following message reads “Are you sure you want to turn off system protection on this drive?” Answer Yes.
      — Following that protection settings for your drive is Off.
      — Only the Configure tab is available to be selected.
      — The following screen shows Disable system protection is bulleted: select Turn on system protection > Apply > OK.
      — Following that protection settings for your drive is On.
      — If you click on the System Restore tab, it will report “No restore points have been created on your computer’s system drive.”
      — Go back and select Create. I would enter something like this “Deleted & disabled all SRP, turned SRP back on”.

      Unless you need to create manual restore points
      “By default, System Restore automatically creates a restore point once per week and also before major events like an app or driver installation. If you want even more protection, you can force Windows to create a restore point automatically every time you start your PC.”
      https://www.howtogeek.com/278388/how-to-make-windows-automatically-create-a-system-restore-point-at-startup/

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1899500

      Not bad advice, but I have generally never used System Restore Points, having never had a good experience with trying to roll-back to one after some kind of crash or malfunction.  I’ve read on many “Geek sites” (perhaps even this one) that System Restore can do as much harm as good, particularly if a virus (or even some previously-undetected OS corruption) gets embedded in the restore point.  My methodology of choice is an occasional System Image file, conventional backups and actual file-by-file copying to another disk (offline if at all possible, such as a USB Western Digital My Passport drive or the like, which is a hedge against ransomware) of my documents, photos, music and anything else important so that if all else fails I can simply reload Windows and restore my files.  Different people have different opinions and techniques and I respect that.  There’s seldom “1 correct way only” when it comes to preserving your data.

      2 users thanked author for this post.
    • #1899524

      ? says:

      thank you for sharing your success in defeating the trojan. the backupchain resizing is elegant yet simple. i’m wondering if a person could boot to a live linux disk and delete the offending snapshot(s) without wrecking something? last time i looked i could view the contents of $Recycle.Bin and System Volume Information when booted to a live linux disk. anyway, congrats on your victory!

      1 user thanked author for this post.
      • #1899561

        Most likely wouldn’t work, at least not reliably and easily. NTFS shadow copies aren’t well supported in Linux… it might not work at all; they should be preserved, but any writes may corrupt the shadow copies as far as I know, so I would prefer to mount any NTFS volume containing shadow copies as read-only.

        You can just about, barely, read the shadow copies if you work at it, and the tools to do even that are alpha-grade, as in nowhere near release quality according to their developers. (Though, being open source, are available anyway so you can try…)

        See https://www.dfir.vn/2018/02/20/mounting-different-virtual-shadow-copies-at-the-same-time-on-linux/ on how to read shadow copies in Linux.

        (Yes, there’s a package in Ubuntu for libvshadow-utils even if it’s alpha-grade. Not updated in 18.04 LTS, but there’s a fresher one in the “Glorious Incident Feedback Tools” untrusted PPA… or you could just follow the linked instructions and build fresh from source)

        1 user thanked author for this post.
        • #1899588

          ? says:

          thank you for the follow up mn. nice forensics site. i saw that i had access to the sys vol and $recycle.bin windows files while booted to linux and assumed i could delete them if needed. i don’t use hibernation or backup among other options just what is needed to boot and run. win7 on 27 processes (courtesy of charles black viper sparks). only know enough to be dangerous (to windows os).

          e.g.: to get rid of a TI 84 or 89 update program with a file (tiehdusb.sys sharing an oeminf file number) in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LockdownFiles, rather than changing folder permissions i used Registrar Manager 8 to do it on the fly. also used the program to delete an enum\display file that was causing problems. anyway thank you for the interesting link and taking the time to reply…

    • #1899712

      Not bad advice, but I have generally never used System Restore Points, having never had a good experience with trying to roll-back to one after some kind of crash or malfunction.  I’ve read on many “Geek sites” (perhaps even this one) that System Restore can do as much harm as good, particularly if a virus (or even some previously-undetected OS corruption) gets embedded in the restore point.  My methodology of choice is an occasional System Image file, conventional backups and actual file-by-file copying to another disk (offline if at all possible, such as a USB Western Digital My Passport drive or the like, which is a hedge against ransomware) of my documents, photos, music and anything else important so that if all else fails I can simply reload Windows and restore my files.  Different people have different opinions and techniques and I respect that.  There’s seldom “1 correct way only” when it comes to preserving your data.

      We are essentially on the same page. I have read many comments about the pros & cons of using system restore but my experience has been pretty positive. That said, my main recovery method is to rely on a system image backup which I conduct on a monthly basis during the week before Patch Tuesday; which fortunately I haven’t had to recall on my main computer. I have a test computer in which I’ve had to recall a system image backup due to the experiments I do on that computer. But in the end all turns out well and thanks to your situation I have learned a few things. Most importantly I am impressed on how you stayed on track on how to solve your issue and follow-up on letting us know on how you solved your situation.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      1 user thanked author for this post.
    • #2371331

      @Travasaurus you are my HEROOOOOOO. Thank you for sharing the link
