I have a friend who tried to download cracked Photoshop. Since Malwr, Wikisend and VT won't scan the file, I can't tell if it's malicious or not.
Malwarebytes Anti-Malware will not run. Chameleon is having difficulties updating and running. OTL has stopped responding and Avast! deemed him clean. (Avast! is password protected.) I suspect 0Access or something.
Any ideas? He’s using Windows 8.1, so no safe mode.
Edit: OTL has given us a log and Cham finally updated. We will see about logs.
Edit 2: Malwarebytes Cham just failed at trying to launch.
Already gave him the lecture. However, he usually won't listen. I'll tell him to get into Safe Mode when he gets on Skype and walk him through the process. Btw, he's using Windows 8.2, not 8.1.
:Commands
[CREATERESTOREPOINT]
:OTL
O3 - HKU\S-1-5-21-740717726-3063088930-3629085741-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found
F3:64bit: - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
F3 - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
O27:64bit: - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
[2014/01/20 12:48:51 | 000,000,000 | -H-D | C] -- C:\ProgramData\{$5642-5471-5422-8310$}
[2014/01/19 15:00:57 | 084,716,544 | RHS- | C] () -- C:\ProgramData\197145800.exe
:Commands
[resethosts]
[emptytemp]
[Reboot]
1. Then click the Run Fix button at the top.
2. Let the program run unhindered, and reboot the PC when it is done.
3. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
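The O27 lines above are the reason the cleanup tools would not start: each one is an Image File Execution Options entry whose Debugger value points at nsjw.exe, and Windows launches the Debugger value in place of the named program, so when that file does not exist (OTL reports "File not found") every listed tool silently fails to run. The O4 and F3 lines are the matching persistence, a comhost.exe launched from a {...}-named folder under ProgramData. The following script is an added example, not OTL code and not from anyone in the thread; it parses OTL-style O27/O4/F3 lines and flags the two patterns. SAMPLE_LOG is constructed to mirror the posted log, with a benign IFEO entry and a benign Run entry added for contrast; the SECURITY_TOOLS list is the set of hijacked targets from the thread.

```python
"""Triage OTL-style log lines for IFEO 'Debugger' hijacks that block security
tools and for autoruns launched from suspicious ProgramData folders.
Added example for this thread; not part of OTL."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample lines modelled on the OTL output posted in the thread,
# plus one benign IFEO entry (Visual Studio's JIT debugger) and one benign
# Run entry so the filter has something to ignore.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found
F3:64bit: - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
O27:64bit: - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\notepad.exe: Debugger - C:\Windows\System32\vsjitdebugger.exe
O4 - HKLM..\Run: [Example Updater] "C:\Program Files\Example\updater.exe" /background
"""

# Hijacked targets from the thread's log (AV, anti-malware, forensics tools).
SECURITY_TOOLS = {
    "avcenter.exe", "avguard.exe", "avp.exe", "bdagent.exe", "ccuac.exe",
    "combofix.exe", "egui.exe", "hijackthis.exe", "keyscrambler.exe",
    "mbam.exe", "mpcmdrun.exe", "msascui.exe", "msmpeng.exe", "msseces.exe",
    "spybotsd.exe", "wireshark.exe", "zlclient.exe",
}

IFEO_RE = re.compile(
    r"^O27(?::64bit:)? - HKLM IFEO\\(?P<target>[^:]+): Debugger - "
    r"(?P<debugger>.+?)(?P<missing> File not found)?$")
RUN_RE = re.compile(
    r"^O4(?::64bit:)? - (?P<hive>\S+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
LOAD_RE = re.compile(
    r"^F3(?::64bit:)? - (?P<hive>\S+) WinNT: Load - \((?P<cmd>[^)]*)\)")
BRACE_DIR_RE = re.compile(r"\\\{[^\\]+\}\\")          # a {...}-named folder
USER_WRITABLE_RE = re.compile(r"\\(ProgramData|AppData|Temp|Users\\Public)\\", re.I)
MISSING = " File not found"


@dataclass
class Finding:
    kind: str                 # "ifeo" or "autorun"
    subject: str              # hijacked target, or autorun name / Load key
    path: str                 # debugger binary or launched binary
    reasons: list[str] = field(default_factory=list)


def first_path(cmd: str) -> str:
    """Return the executable part of a command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def assess_ifeo(target: str, debugger: str, missing: bool) -> list[str]:
    reasons = []
    if missing:
        reasons.append("debugger binary does not exist, so the target can never launch")
    if "\\" not in debugger:
        reasons.append("bare filename rather than a full path to a real debugger")
    if target.lower() in SECURITY_TOOLS:
        reasons.append("target is a security or forensics tool")
    return reasons


def assess_autorun(path: str, missing: bool) -> list[str]:
    reasons = []
    if BRACE_DIR_RE.search(path):
        reasons.append("runs from a {...}-named folder")
    if USER_WRITABLE_RE.search(path):
        reasons.append("runs from a user-writable data directory")
    if reasons and missing:
        reasons.append("binary not on disk at that path (stale entry or moved dropper)")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Scan OTL-style lines and return only the entries worth a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := IFEO_RE.match(line):
            reasons = assess_ifeo(m["target"], m["debugger"], bool(m["missing"]))
            if reasons:
                findings.append(Finding("ifeo", m["target"], m["debugger"], reasons))
            continue
        m = RUN_RE.match(line) or LOAD_RE.match(line)
        if m:
            cmd = m["cmd"]
            missing = cmd.endswith(MISSING)
            if missing:
                cmd = cmd[: -len(MISSING)]
            path = first_path(cmd)
            reasons = assess_autorun(path, missing)
            if reasons:
                subject = m.groupdict().get("name") or f"{m['hive']} WinNT\\Load"
                findings.append(Finding("autorun", subject, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject} -> {f.path}: " + "; ".join(f.reasons))
```

Run against the constructed sample it reports the two comhost.exe autoruns and the two IFEO hijacks and stays quiet about the JIT-debugger entry and the quoted Program Files autorun. On a live machine the same checks correspond to walking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (and its Wow6432Node copy, which is why OTL prints each entry twice) and testing whether each Debugger value exists on disk.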
What was it? Uploaded to Steven for research. Going to Avast! and Malwarebytes since it didn’t detect it either.
Also note: As I do not have direct access to his computer it will have to wait until he gets home. I have exams so I’m off since I didn’t write all of them
It will probably be a clickjacker and maybe a downloader, although the IFEO blocks could open the gates for a bootkit. Avast will definitely need a copy of this, including the dropper if you have it.
:Commands
[CREATERESTOREPOINT]
:OTL
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found
:Commands
[resethosts]
[emptytemp]
[Reboot]
1. Then click the Run Fix button at the top.
2. Let the program run unhindered, and reboot the PC when it is done.
3. Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT!!! Save ComboFix.exe to your Desktop and rename it to Gotcha.
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.
1. Double click on ComboFix.exe and follow the prompts.
2. Accept the disclaimer and allow it to update if it asks.