
Comments (9)

slmsls avatar slmsls commented on May 31, 2024

CollectionLog-2018.11.07-14.02.zip

I know the end user enabled the Macro. Analysing the word document led to a generic VBA/Trojan Downloader. I'm not sure what was actually downloaded and run.

I'm running the traditional removal tools and scans, but as yet they have not found anything. I'm hoping someone can look at the collection log and provide feedback on what payload the Macro delivered.

from hijackthis.

dragokas avatar dragokas commented on May 31, 2024

Hi,
thank you for the log.
We'll return to you as soon as possible.


Please note that only members of VIRUSNET-Association are allowed to respond in PC cure topics.
Ignore any recommendations given by other users, including PM!!!

Assistance is provided free of charge in our free time. If you found our help useful, you can thank us with any amount using this form or you can leave feedback in the Guestbook.

Sandor-Helper avatar Sandor-Helper commented on May 31, 2024

Hello,

What kind of problems are you experiencing now?
Were these tweaks applied by yourself?

Blocked: Registry Editor
Internet Explorer - settings blocked

slmsls avatar slmsls commented on May 31, 2024

Those are Group Policy Restrictions to restrict End User access to prevent students (and teachers) from bypassing the internet filter.

Sandor-Helper avatar Sandor-Helper commented on May 31, 2024

Ok, but you didn't answer my first question. :)

slmsls avatar slmsls commented on May 31, 2024

I chose to reimage the machine before putting it back on the network Friday as I couldn't wait any longer to get the employee her computer back. So I'm not having issues as of now. But I'm still concerned, as all the virus scanners and malware scanners found nothing before I imaged the machine. So what did the macro do? I didn't see anything in the hijackthis logs, but maybe I missed something. I'm concerned it may have moved laterally on my network. But without any idea what footprint to look for... I'm hoping the logs uploaded to GitHub last Wednesday would give me a clue as to what I'm looking for.

Sandor-Helper avatar Sandor-Helper commented on May 31, 2024

The logs didn't show anything malicious in the system.

You can check the system for vulnerabilities:
Run this script in AVZ while the Internet is connected:

var
  LogPath : string;
  ScriptPath : string;

begin
  // Remove any log left over from a previous run so only fresh results are shown
  LogPath := GetAVZDirectory + 'log\avz_log.txt';
  if FileExists(LogPath) then DeleteFile(LogPath);
  ScriptPath := GetAVZDirectory + 'ScanVuln.txt';

  // Download the vulnerability-scan script; retry once with the alternate download mode
  if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 1) then
    ExecuteScript(ScriptPath)
  else begin
    if DownloadFile('http://dataforce.ru/~kad/ScanVuln.txt', ScriptPath, 0) then
      ExecuteScript(ScriptPath)
    else begin
      ShowMessage('It is impossible to download AVZ script for finding vulnerability!');
      exit;
    end;
  end;

  // The scan script writes avz_log.txt only when it finds something; open it in Notepad
  if FileExists(LogPath) then ExecuteFile('notepad.exe', LogPath, 1, 0, false);
end.

After the script ends, if it finds vulnerabilities, the file avz_log.txt will be opened in Notepad and there will be download links in it.
First of all this concerns browsers, Java, Adobe Acrobat/Reader and Adobe Flash Player.
You should download and install the needed programs if they are listed in avz_log.txt.

Reboot your PC.
Run the script again to ensure that all vulnerabilities are gone.

slmsls avatar slmsls commented on May 31, 2024

Thank you for double checking the logs for me. I appreciate the second opinion.

dragokas avatar dragokas commented on May 31, 2024

If you want, we can try to analyze that sample; you can send us your macro file.
Pack it in a zip or rar with the password "virus" and send it via email to quarantine <at> safezone.cc (replace <at> with @).
