News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • TrojanDownloader:O97M/Xdoc.YA

    Posted on Travasaurus Comment on the AskWoody Lounge

    Home Forums AskWoody support Windows Windows 10 Questions: Win10 TrojanDownloader:O97M/Xdoc.YA

    This topic contains 32 replies, has 15 voices, and was last updated by  cmptrgy 3 weeks, 1 day ago.

    • Author
      Posts
    • #1886888 Reply

      Travasaurus
      AskWoody Plus

      My client’s Win 10 Pro computer picked this thing up somewhere and I can’t get rid of it with Windows Defender or Malwarebytes (the paid professional version) or Spybot Search & Destroy (all updated to the latest definitions, of course).  Malwarebytes and Spybot S&D won’t even detect it, crazily enough.  The Microsoft help page is well, no help at all, since it assumes that Defender was able to delete the thing.  I’ve done several searches and they all take me back to the afore-mentioned Microsoft page.  Any suggestions would be appreciated.  I haven’t seen one like this in a long time.

      TrojanDownloader:O97M/Xdoc.YA Microsoft Help Page

      Attachments:
    • #1886893 Reply

      Paul T
      AskWoody MVP

      Have you tried a 3rd party AV scan? Panda have a free one, as do others.

      cheers, Paul

    • #1887129 Reply

      Travasaurus
      AskWoody Plus

      Hey thanks Paul, but aren’t the paid versions of Malwarebytes and Spybot Search & Destroy considered 3rd-party scanners?  Malwarebytes is supposed to be the “Lexus” of ’em all, from what I understand.  At this point I’m open for trying just about anything but if those other 2 “benchmark” A/V programs didn’t even detect the Trojan I’m wondering if Panda has as much horsepower as they do?  All suggestions are certainly appreciated though!  You never know which one might be the “silver bullet”!

    • #1887220 Reply

      mn–
      AskWoody Lounger

      Well.

      It’s a Word macro.

      From the “Trojan Information” attachment, seems that the “infected” location is inside a Volume Shadow Copy, which is a read-only state from a previous point in time, so the file in there cannot be directly removed or changed (changed as in the offending macro excised from the document… relevant if it has any content that needs to be kept).

      So. Hopefully you’re using the shadow copies to take periodic backups and now you’ll know that this backup run has one file that contains malware, so you’ll be able to take care if you ever restore anything from that backup… You can of course drop the shadow copy once the backup run is complete, or this may happen automatically.

      Could also be that other scanners aren’t scanning inside shadow copies?

    • #1887231 Reply

      Kirsty
      Da Boss

      Travis, please refer to the AskWoody Lounge Rules regarding cross-posting – you failed to link your answered post on answers.microsoft.com.

      If you’ve already posted a similar question on a different site, please link to it so we can avoid reinventing the wheel.

      1 user thanked author for this post.
      • #1887278 Reply

        Travasaurus
        AskWoody Plus

        Sorry, I wasn’t aware of that; as much as I’ve used various forums over the years I don’t think I even knew what “cross-posting” was in that respect, unless you were duplicating your posts / questions on the same general site, such as in different forums on AskWoody.com.  I figured that different sites give different and unique answers. I posted on the Microsoft site as kind of an afterthought after I posted here and the guy over there only just replied to my post a short while ago, so I really hadn’t had time to link back to it, even if I’d known the rules (which I didn’t); I’m just lucky I saw it before I called it quits for the night.  Also I’m not sure that his suggestion will work, so should I have done so without knowing whether it actually helped or not (aka was the “answer”)?  But just to clarify, if I have a question, can I only post it on 1 site, be it AskWoody.com, Microsoft.com or whatever?  That would seem to be a little limiting if that’s the case.  Not trying to be argumentative, but I’ve truly never run into this situation before…

        • #1887709 Reply

          mn–
          AskWoody Lounger

          I posted on the Microsoft site as kind of an afterthought after I posted here

          … hm, neither site includes timezones in the respective post timestamps, but here shows “July 25, 2019 at 1:36 am” and answers.microsoft.com shows “7/25/2019 10:38:54 AM” … both would seem to be respective server-side times … do we need a clarification of the rules on crossposting elsewhere after posting here?

          Also I’m not sure that his suggestion will work, so should I have done so without knowing whether it actually helped or not (aka was the “answer”)?

          I do feel kind of sceptic about ESET SysRescue being all that much better at changing contents of volume shadow copies, anyway… though it might just drop the shadow copy entirely, same way as mounting the disk on Windows XP or Server 2003 would do because those don’t support persistent shadow copies.

          • #1888399 Reply

            woody
            Da Boss

            No need to take a stopwatch to it. Just as a courtesy, if you post the same question somewhere else, let us know about it. That makes it easier for everybody.

        • #1888849 Reply

          Kirsty
          Da Boss

          But just to clarify, if I have a question, can I only post it on 1 site, be it AskWoody.com, Microsoft.com or whatever?

          If you’ve already posted a similar question on a different site, please link to it so we can avoid reinventing the wheel.

          The rules don’t prevent you from posting on more than one site, but as quoted, we ask you record them – linking it is a courtesy to those investing their spare time to assist you in sorting your problem 🙂

    • #1888028 Reply

      jabeattyauditor
      AskWoody Lounger

      Why not just use the Microsoft vssadmin command and delete the infected shadow copy?

      2 users thanked author for this post.
      • #1888105 Reply

        mn–
        AskWoody Lounger

        … preferably after checking that it isn’t needed for anything else, like an incomplete backup run.

        Sort of reminds me of that one official document archive cdrom with a macro virus… couldn’t just get rid of it, or even keep a decontaminated copy of that file because that’d have been changing the file. (Another reason to keep archived documents as PDFs or in some other more sensible format…)

      • #1890701 Reply

        Travasaurus
        AskWoody Plus

        That could well be the ultimate solution but I’m inclined to try some other suggestions as well, just to educate myself on what works the best.  As I said, I haven’t had to do any malware remediation in a long time.  The A/V programs which are out today, especially when used in concert with one-another, are incredibly better than they used to be, ‘way back when.

        Update:  I ran some of these commands on my computer as sort of a “tutorial” to familiarize myself with it and discovered that I had shadow copies dating back to 2017.  How is that possible, since I’ve reformatted my boot drive multiple times since then?  I may need to more fully educate myself on all aspects of these things; I’ve always thought they were used for the immediate backup and then just kind of disappeared.  If you can further enlighten me (or point me toward an article on the subject) I would greatly appreciate it.  There’s (apparently) more here than meets the eye.

        • This reply was modified 4 weeks ago by  Travasaurus. Reason: To add further information
    • #1888047 Reply

      Microfix
      Da Boss

      Also try Bleeping Computer as they have a good forum section specific to malware/trojans etc.. usually entails registering, then downloading and running a small program that generates a log/txt file to upload in your post. The assistant will guide you through the process usually through to eradication.

      Here is a similar issue posted today, to give you an idea what to expect (no reply in the post as yet) See what you think and whether YOU are comfortable with this.

      bearing in mind it will need to be disclosed here as a cross-post if you post over there 😉

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

    • #1888356 Reply

      doriel
      AskWoody Lounger

      Hello,
      I suggest you to execute Defender Offline Scan (it scans your computer before Windows are loaded, so it can clean infected files, that cannot be cleaned while runnig Windows). It helped me few times (off topic: with Win Pro we use Sophos, with Win Enterprise, we use simply Defender too)

      It should be located somewhere near:

      In Windows 10, the offline scan could be run from under Windows Settings > Update & security > Windows Defender or from the Windows Defender client.

      If more information needed, please refer to

      https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline

      I have not failed. I've just found 10,000 ways that won't work.
      --- Thomas A. Edison

      • This reply was modified 4 weeks ago by  doriel. Reason: oh grammar
      • This reply was modified 4 weeks ago by  doriel.
      2 users thanked author for this post.
      • #1888850 Reply

        Travasaurus
        AskWoody Plus

        Hey thanks for the thought.  I failed to mention that I’ve already run a couple of Windows Defender offline scans but to no effect.  I’m going to try and kick it up a notch or 2 with some of the other suggestions here.  I’ve got to get back out to the customer’s office first though.

        • This reply was modified 4 weeks ago by  Travasaurus. Reason: Correct a typo
    • #1888376 Reply

      b
      AskWoody Plus

      Did you try Windows Defender Offline scan?

      Windows Defender Offline is a scanning tool that works outside of Windows, allowing it to catch and clean infections that hide themselves when Windows is running.
      https://support.microsoft.com/en-us/help/4466982/windows-10-troubleshoot-problems-with-detecting-and-removing-malware

      Start, Settings, Update & Security, Windows Security, Virus & threat protection, Scan options, Windows Defender Offline scan, Scan now

      Some malicious software can be particularly difficult to remove from your device. Windows Defender Offline can help find and remove them using up-to-date threat definitions. This will restart your device and will take about 15 minutes.

      (EDIT: Hadn’t seen doriel’s suggestion at time of posting. Leaving for extra quote/link/steps.)

      Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

      • This reply was modified 4 weeks ago by  b.
    • #1888809 Reply

      anonymous

      Questions for doriel or b, in light of mn- at 3:19 am and 8:07 am (server times). Would the Defender offline scan be more effective at removing a Word macro within a shadow copy, or would it fail for the same reasons the “online” run failed?

      Do you believe this exploit is not as suspected by mn-, that it is different or more than simply a macro?

      • #1888819 Reply

        b
        AskWoody Plus

        Questions for doriel or b, in light of mn- at 3:19 am and 8:07 am (server times). Would the Defender offline scan be more effective at removing a Word macro within a shadow copy, or would it fail for the same reasons the “online” run failed?

        Not sure, but I think an offline scan may succeed in removing a shadow copy file.

        Do you believe this exploit is not as suspected by mn-, that it is different or more than simply a macro?

        No.

        Knuckle dragger Cannon fodder Chump Daft glutton Idiot Crazy/Ignorant Toxic drinker Blockhead Unwashed mass Seeker/Sucker "Ancient/Obsolete" (Group ASAP) Win10 v.1903

      • #1888860 Reply

        Travasaurus
        AskWoody Plus

        I forgot to mention in my original post that I ran a couple of Windows Defender offline scans and it did not zap the Trojan, so that approach did not work.

    • #1889087 Reply

      anonymous

      I’m this guy => “at 1:41 pm”. My thought is: the offending macro got into the shadow copy because it was present on the system at the time the shadow copy was made.

      Then Defender successfully removed the exploit from the mounted system. But the shadow copy is protected from corruption. Job more than half done. Let us now finish the task.

      In keeping with suggestions by jabeattyauditor and mn– earlier today, make new backup now of cleaned system, excluding the offending shadow copy. Verify the backup satisfies all your needs. Delete (from highest elevated permissions) the bad shadow copy in total. Enter a comment into whatever log or journal you keep to track unusual events, describing this unusual event. Get on with your day.

      Doing this sooner than later minimizes any data changes potentially lost between backup versions, through regular use not attributable to this exploit.

    • #1889127 Reply

      OscarCP
      AskWoody Plus

      This might or not apply to the problem, the relevant details of which I do not know well enough, but just in case I would like to suggest an alternative to using an anti virus that might (or might not) eliminate the intrusive malware:

      Wouldn’t restoring the system to an earlier state with a return to a restore point created before the malware infection, take care of this? I have observed that when I had to do that a few times and for different reasons, over the years, the operation also removed some updates to the installed software (browsers, etc.) that had occurred since that old restore point was created.

      A full backup with an ISO disk created at an appropriately earlier date using, for example, Macrium Reflect, might do an even more thorough job of eliminating the problem.

      1 user thanked author for this post.
    • #1891834 Reply

      Vincenzo
      AskWoody Lounger

      https://community.sophos.com/kb/en-us/114422

      1. From the search toolbar, type This PC.
      2. Right click on Local Disk C (C:) and select Properties.
      3. Accept any alerts from Windows UAC.
      4. Click the Disk Cleanup button.
      5. Wait for Disk cleanup to finish calculating.
      6. Select the More Options tab in the new window.
      7. Select the Clean up button for System Restore and Shadow Copies.
      8. Click Delete to confirm.
      3 users thanked author for this post.
      • #1891913 Reply

        Travasaurus
        AskWoody Plus

        Thanks. I’ve used the Disk Cleanup Tool 100s of times but I never even really paid any attention to the 2nd (More Options) tab. That’s kind of the “Doomsday Scenario” as far as your backups go but apparently it will zap the Shadow Copy that contains the Trojan, in this case.  Sometimes the answer is right under your nose and you can’t see the Forest for the Trees…

        1 user thanked author for this post.
    • #1896441 Reply

      Geo
      AskWoody Plus

      Try Adwcleaner, freebie.  It was superior to regular Malwarebytes so Malwarebytes bought them out.  Although they might have made changes.

      • This reply was modified 3 weeks, 3 days ago by  Geo.
    • #1898292 Reply

      Travasaurus
      AskWoody Plus

      Wrap-up:  I tried the suggested anti-malware programs, including the Microsoft Safety Scanner and the Malwarebytes AdwCleaner (which I really didn’t have high hopes for because, as I mentioned earlier, my client is using the paid version, Malwarebytes Premium) and it didn’t even detect it (nor did Spybot Search & Destroy, for that matter).  Windows Defender was the only thing that did but as noted, could not get rid of it.  Oddly, using the Windows Disk Cleanup Tool / More Options didn’t touch the Shadow Copies either, even though (supposedly) it should’ve deleted them.  The garden-variety Vssadmin commands didn’t even work (i.e. “delete shadows /all”).  Vssadmin Commands  What finally did was an obscure page that I stumbled onto that instructed me to “terminally” resize the Shadow Copies, thereby effectively deleting them.  It seemed kind of counter-intuitive but it worked like a charm and the Trojan disappeared right along with the Shadow Copies, after which I verified that it had been deleted (at least as reported by Windows Defender) and then I made a fresh backup, which took about 5 hours to complete.  The link to this “magic bullet” is below, in hopes that this might help somebody else in a similar situation.  Many thanks to all who offered-up a number of good suggestions; your assistance was appreciated!

      How To Effectively Delete A Shadow Copy

      As kind of an afterthought, it might not be a bad idea to do this occasionally, just to clean-up your disk a little bit, unless there is some downside to it that I’m not aware of.  If so then I’d welcome somebody to comment accordingly.  Apparently Shadow Copies are darn near impossible to get rid of, based on my recent experience.

      4 users thanked author for this post.
      • #1898488 Reply

        Alex5723
        AskWoody Plus

        Oddly, using the Windows Disk Cleanup Tool / More Options didn’t touch the Shadow Copies either, even though (supposedly) it should’ve deleted them.

        Disk Cleanup run as Admin deletes Shadow Copies leaving only the last one. I am deleting daily Shadow copies (15 days = 20GB) twice a month (before creating full image copies).

        SC

        • This reply was modified 3 weeks, 2 days ago by  Alex5723.
        Attachments:
        2 users thanked author for this post.
    • #1899467 Reply

      cmptrgy
      AskWoody Plus

      Wrap-up:  I tried the suggested anti-malware programs, including the Microsoft Safety Scanner and the Malwarebytes AdwCleaner (which I really didn’t have high hopes for because, as I mentioned earlier, my client is using the paid version, Malwarebytes Premium) and it didn’t even detect it (nor did Spybot Search & Destroy, for that matter).  Windows Defender was the only thing that did but as noted, could not get rid of it.  Oddly, using the Windows Disk Cleanup Tool / More Options didn’t touch the Shadow Copies either, even though (supposedly) it should’ve deleted them.  The garden-variety Vssadmin commands didn’t even work (i.e. “delete shadows /all”).  Vssadmin Commands  What finally did was an obscure page that I stumbled onto that instructed me to “terminally” resize the Shadow Copies, thereby effectively deleting them.  It seemed kind of counter-intuitive but it worked like a charm and the Trojan disappeared right along with the Shadow Copies, after which I verified that it had been deleted (at least as reported by Windows Defender) and then I made a fresh backup, which took about 5 hours to complete.  The link to this “magic bullet” is below, in hopes that this might help somebody else in a similar situation.  Many thanks to all who offered-up a number of good suggestions; your assistance was appreciated!

      How To Effectively Delete A Shadow Copy

      As kind of an afterthought, it might not be a bad idea to do this occasionally, just to clean-up your disk a little bit, unless there is some downside to it that I’m not aware of.  If so then I’d welcome somebody to comment accordingly.  Apparently Shadow Copies are darn near impossible to get rid of, based on my recent experience.

      Thank you for letting us know the solution that worked for you: it is much appreciated.

      On “As kind of an afterthought, it might not be a bad idea to do this occasionally, just to clean-up your disk a little bit, unless there is some downside to it that I’m not aware of. If so then I’d welcome somebody to comment accordingly. Apparently Shadow Copies are darn near impossible to get rid of, based on my recent experience.”
      — Since the computer was infected via a Volume Shadow Copy that wasn’t deletable or addressed by any Security program, that is a potential plan to keep in mind.

      I’d like to add that since Disk Cleanup doesn’t delete all Restore Points, I would consider the following in order to do so if that recommendation doesn’t work in a different situation.
      — I just carried out the following process on the computer I’m working on.

      Control Panel > System > System Protection > System properties > Configure > Delete all restore points for this drive.
      A following message follows reads “You will not be able to undo unwanted system changes on this drive.
      — Are you sure you want to continue?
      — This will delete all restore points on this drive. This might include older system image backups.”
      — I selected Continue.
      — The result was “The restore points were deleted successfully.” Click on Close.

      The following screen showed Turn on system protection bulleted.
      — I decided to bullet Disable system protection instead to ensure that not only to ensure that all of the restore pointswere successfully deleted but to definitely ensure that system protection was actually disabled at this point.
      — Click Apply, then OK.
      — Following message reads “Are you sure you want to turn off system protection on this drive? Answer Yes.
      — Following that protection settings for your drive is Off.
      — Only the Configure tab is available to be selected.
      — The following screen shows Disable system protection is bulleted: select Turn on system protection > Apply > OK.
      — Following that protection settings for your drive is On.
      — If you click on the System Restore tab, it will report “No restore points have been created on your computer’s system drive.”
      — Go back and select Create. I would enter something like this “Deleted & disabled all SRP, turned SRP back on”.

      Unless you need to create manual restore points
      “By default, System Restore automatically creates a restore point once per week and also before major events like an app or driver installation. If you want even more protection, you can force Windows to create a restore point automatically every time you start your PC.”
      https://www.howtogeek.com/278388/how-to-make-windows-automatically-create-a-system-restore-point-at-startup/

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

    • #1899500 Reply

      Travasaurus
      AskWoody Plus

      Not bad advice, but I have generally never used System Restore Points, having never had a good experience with trying to roll-back to one after some kind of crash or malfunction.  I’ve read on many “Geek sites” (perhaps even this one) that System Restore can do as much harm as good, particularly if a virus (or even some previously-undetected OS corruption) gets embedded in the restore point.  My methodology of choice is an occasional System Image file, conventional backups and actual file-by-file copying to another disk (offline if at all possible, such as a USB Western Digital My Passport drive or the like, which is a hedge against ransomware) of my documents, photos, music and anything else important so that if all else fails I can simply reload Windows and restore my files.  Different people have different opinions and techniques and I respect that.  There’s seldom “1 correct way only” when it comes to preserving your data.

      2 users thanked author for this post.
    • #1899524 Reply

      anonymous

      ? says:

      thank you for sharing your sucess in defeating the trojan. the backupchain resizing is elegant yet simple. i’m wondering if a person could boot to a live linux disk and delete the offending snapshot(s) without wrecking something? last time i looked i could view the contents of $Recycle.Bin and System Volume Information when booted to a live linux disk. anyway, congrats on your victory!

      1 user thanked author for this post.
      • #1899561 Reply

        mn–
        AskWoody Lounger

        Most likely wouldn’t work, at least not reliably and easily. NTFS shadow copies aren’t very much supported in Linux… might not work at all, should be preserved but any writes may corrupt the shadow copies as far as I know, would prefer to mount any NTFS containing shadow copies as read-only.

        You can just about, barely, read the shadow copies if you work at it, and the tools to do even that are alpha-grade, as in nowhere near release quality according to their developers. (Though, being open source, are available anyway so you can try…)

        See https://www.dfir.vn/2018/02/20/mounting-different-virtual-shadow-copies-at-the-same-time-on-linux/ on how to read shadow copies in Linux.

        (Yes, there’s a package in Ubuntu for libvshadow-utils even if it’s alpha-grade. Not updated in 18.04 LTS, but there’s a fresher one in the “Glorious Incident Feedback Tools” untrusted PPA… or you could just follow the linked instructions and build fresh from source)

        1 user thanked author for this post.
        • #1899588 Reply

          anonymous

          ? says:

          thank you for the follow up mn. nice forensics site. i saw that i had access to the sys vol and $recycle.bin windows files while booted to linux and assumed i could delete them if needed. i don’t use hibernation or backup among other options just what is needed to boot and run. win7 on 27 processes (courtesy of charles black viper sparks). only know enough to be dangerous (to windows os).

          eg: to get rid of a TI 84 or 89 update program with a file (tiehdusb.sys sharing an oeminf file number) in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LockdownFiles, rather than changing folder permissions i used Registrar Manager 8 to do it on the fly. also used the program to delete an enum\display file that was causing problems. anyway thank you for the interesting link and taking the time to reply…

    • #1899712 Reply

      cmptrgy
      AskWoody Plus

      Not bad advice, but I have generally never used System Restore Points, having never had a good experience with trying to roll-back to one after some kind of crash or malfunction.  I’ve read on many “Geek sites” (perhaps even this one) that System Restore can do as much harm as good, particularly if a virus (or even some previously-undetected OS corruption) gets embedded in the restore point.  My methodology of choice is an occasional System Image file, conventional backups and actual file-by-file copying to another disk (offline if at all possible, such as a USB Western Digital My Passport drive or the like, which is a hedge against ransomware) of my documents, photos, music and anything else important so that if all else fails I can simply reload Windows and restore my files.  Different people have different opinions and techniques and I respect that.  There’s seldom “1 correct way only” when it comes to preserving your data.

      We are essentially on the same page. I have read many comments about the pros & cons of using system restore but my experience has been pretty positive. That said, my main recovery method is to rely on a system image backup which I conduct on a monthly basis during the week before Patch Tuesday; which fortunately I haven’t had to recall on my main computer. I have a test computer in which I’ve had to recall a system image backup due to the experiments I do on that computer. But in the end all turns out well and thanks to your situation I have learned a few things. Most importantly I am impressed on how you stayed on track on how to solve your issue and follow-up on letting us know on how you solved your situation.

      HP EliteBook 8540w laptop Windows 10 Pro (x64)

      1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: TrojanDownloader:O97M/Xdoc.YA

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.