Defender keeps finding the same "Trojan downloader"


  1. Posts : 158
    10 Home x64 v22H2
       #1

    Defender keeps finding the same "Trojan downloader"


    For the past week Defender has been going off for a TrojanDownloader:O97M/Donoff or TrojanDownloader:O97M/Dornoe.C!ams. I'm not sure how to stop this happening, I don't download random email attachments or anything like that but the description of it seems to suggest that's how it's executed. Malwarebytes isn't finding anything else besides PUPs.

    The location always seems to be in a similar area in AppData:
    C:\Users\Craig\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\75\Facture_Num_J691534[673].doc
    Not sure what to do with this one. I feel like it might be a false positive, but then I don't know where the docs are coming from.


  2. Posts : 8,057
    windows 10
       #2

    Do you use Office a lot? It sounds like the macro is running in Office, which keeps infecting you; the problem being that it's not found on a scan, as it's not active until you run Office, and then you get the hit because the virus is active.

    First you want to open Office applications one at a time and see which one triggers the virus; wait a while in each application for it to be detected. You may then know which one is infected. This can scan for macros: Macro Virus - How to remove - 2-viruses.com


  3. Posts : 158
    10 Home x64 v22H2
    Thread Starter
       #3

    That's the thing, I don't even have Office installed.


  4. Posts : 8,057
    windows 10
       #4

    What are you doing when it finds it?


  5. Posts : 158
    10 Home x64 v22H2
    Thread Starter
       #5

    Samuria said:
    What are you doing when it finds it?
    I mostly come back AFK to find Defender scanned and found it.


  6. Posts : 8,057
    windows 10
       #6

    So it's showing a doc file, J691534[673].doc; what do you use to open them, and where did it come from?


  7. Posts : 158
    10 Home x64 v22H2
    Thread Starter
       #7

    I don't open it.


  8. Posts : 16,325
    W10Prox64
       #8

    Supra said:
    For the past week Defender has been going off for a TrojanDownloader:O97M/Donoff or TrojanDownloader:O97M/Dornoe.C!ams. I'm not sure how to stop this happening, I don't download random email attachments or anything like that but the description of it seems to suggest that's how it's executed. Malwarebytes isn't finding anything else besides PUPs.

    The location always seems to be in a similar area in AppData:
    C:\Users\Craig\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\Files\S0\75\Facture_Num_J691534[673].doc
    Not sure what to do with this one. I feel like it might be a false positive, but then I don't know where the docs are coming from.
    You can upload the file to virustotal.com and verify it is indeed an infected Word document (I'll bet it is).

    It could be easily dropped onto your system by a compromised web site using an exploit kit taking advantage of a vulnerability in your system. Are you up-to-date with all Windows Updates? Java? Flash? etc.

    Have you run a Malwarebytes Antimalware full scan, checking the box for the entire drive and the box for rootkits?
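    As an added example (not code from this thread), the PowerShell below reads Defender's own detection history and lists every flagged file with its folder, detection time, threat name and the process that was active, which answers the "where do the docs come from" question without touching the quarantined file. It assumes the built-in Defender module and an elevated prompt; the folder filter matches the Packages\...\LocalState\Files location from the first post, which is the per-app storage of the package named in that path (microsoft.windowscommunicationsapps is the Mail and Calendar app), so a steady run of hits there points to cached email attachments rather than downloads.

```powershell
# Added example, not from the thread: correlate Defender detection history
# with threat names and group the flagged files by folder.
# Requires the built-in Defender module (Get-MpThreat / Get-MpThreatDetection)
# and an elevated PowerShell prompt.

# Build a ThreatID -> ThreatName map; Get-MpThreatDetection only carries the ID.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }

$hits = Get-MpThreatDetection |
    Sort-Object InitialDetectionTime |
    ForEach-Object {
        $detection = $_
        foreach ($res in $detection.Resources) {
            # Resource strings look like "file:_C:\path\to\file"; drop the type prefix.
            $path = $res -replace '^[a-z]+:_', ''
            [pscustomobject]@{
                Detected = $detection.InitialDetectionTime
                Threat   = $names[$detection.ThreatID]
                Process  = $detection.ProcessName
                Folder   = Split-Path $path -Parent
                File     = Split-Path $path -Leaf
            }
        }
    }

# Only the per-app LocalState\Files store seen in post #1 (constructed filter,
# matches any package); widen or drop the filter to see every detection.
$hits |
    Where-Object { $_.Folder -like '*\AppData\Local\Packages\*\LocalState\Files\*' } |
    Format-Table Detected, Threat, Process, File, Folder -AutoSize

# Count hits per package so the responsible app stands out.
$hits |
    Where-Object { $_.Folder -match '\\Packages\\([^\\]+)\\' } |
    Group-Object { $Matches[1] } |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

If every hit sits under one package folder, the fix is to deal with the messages in that app (delete or report them) rather than to hunt for an infected Office install.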


  9. Posts : 158
    10 Home x64 v22H2
    Thread Starter
       #9

    simrick said:
    Are you up-to-date with all Windows Updates? Java? Flash? etc.
    Java and Flash I don't use, and Windows is always up to date.

    If Defender quarantines malware, doesn't that mean I won't be able to upload it to virustotal?


  10. Posts : 3,272
    Win10
       #10

    Have you tried running Windows Defender in Offline mode, in case it helps remove the threat permanently?

    See this tutorial:
    Windows Defender Offline Scan in Windows 10 | Windows 10 Tutorials

    (quote from tutorial: "Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).")