Interesting Case

Hey,

I have a friend who tried to download cracked Photoshop. Since Malwr, Wikisend and VT won’t scan the file, I can’t tell if it’s malicious or not.

Malwarebytes Anti-Malware will not run. Chameleon is having difficulties updating and running. OTL has stopped responding and Avast! deemed him clean. (Avast! is password protected.) I suspect 0Access or something.

Any ideas? He’s using Windows 8.1, so no safe mode.

Edit: OTL has given us a log and Cham finally updated. We will see about logs.
Edit 2: Malwarebytes Cham just failed at trying to launch.

OTL is what you have to work with at this point.

OTL Attached

Edit: I’ve asked Essexboy to come take a look…

Yes there is a safe mode: http://www.7tutorials.com/5-ways-boot-safe-mode-windows-8-windows-81

Tell your friend that there is no need to use illegal software.
If he wants to draw, LibreOffice and TheGimp are great and freeware.

Already gave him the lecture. However, he usually won’t listen. I’ll tell him to get into Safe Mode when he gets on Skype and walk him through the process. Btw, he’s using Windows 8.2, not 8.1.

Nice one Alan, something new.

All the bad files will be stored in C:\_OTL\moved files
The main files are:

nsjw.exe
comhost.exe

There will probably be some associated DLLs.
Could you upload them all to Avast as new malware?
They also add some IFEOs to block AVs and ComboFix:

O27:64bit: - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O3 - HKU\S-1-5-21-740717726-3063088930-3629085741-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found
F3:64bit: - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
F3 - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
O27:64bit: - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
[2014/01/20 12:48:51 | 000,000,000 | -H-D | C] -- C:\ProgramData\{$5642-5471-5422-8310$}
[2014/01/19 15:00:57 | 084,716,544 | RHS- | C] () -- C:\ProgramData\197145800.exe


:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
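An added example, not from this thread or from the OTL author: a small Python triage script that reads OTL-style log lines and flags the two things the fix above removes, namely the O27 IFEO Debugger entries that redirect security tools to the missing nsjw.exe, and the O4 Run / F3 WinNT Load autostarts for comhost.exe. The sample log lines are constructed from the entries quoted above; the myapp.exe / windbg.exe entry and the S-1-5-21-1001 SID are placeholders.

```python
import re

# Security tools named in the O27 entries above (lower-cased). A "Debugger" value under
# Image File Execution Options\<exe> makes Windows start that debugger in place of <exe>;
# pointing it at a file that does not exist quietly kills the tool.
SECURITY_TOOLS = {
    "avcenter.exe", "avguard.exe", "avp.exe", "bdagent.exe", "ccuac.exe",
    "combofix.exe", "egui.exe", "hijackthis.exe", "keyscrambler.exe", "mbam.exe",
    "mpcmdrun.exe", "msascui.exe", "msmpeng.exe", "msseces.exe", "spybotsd.exe",
    "wireshark.exe", "zlclient.exe",
}

O27_RE = re.compile(r"^O27(?::64bit:)? - HKLM IFEO\\(?P<target>[^:]+): Debugger - "
                    r"(?P<debugger>.+?)(?P<missing> File not found)?$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
F3_RE = re.compile(r"^F3(?::64bit:)? - (?P<hive>\S+) WinNT: Load - \((?P<path>[^)]+)\)")
# Autostart binaries under ProgramData or inside a {...} directory are unusual.
ODD_PATH_RE = re.compile(r"\\ProgramData\\|\\\{[^\\]*\}\\", re.IGNORECASE)

# Constructed sample in OTL's log format, modelled on the entries quoted above.
SAMPLE_LOG = r"""O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" File not found
O4 - HKLM..\Run: [SecurityHealth] C:\Windows\System32\SecurityHealthSystray.exe (Microsoft Corporation)
F3 - HKU\S-1-5-21-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
O27:64bit: - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\myapp.exe: Debugger - C:\Tools\windbg.exe ()
"""


def triage(log_text):
    """Return (severity, kind, detail) tuples for AV-blocking and autostart entries."""
    findings = []
    for line in log_text.splitlines():
        if m := O27_RE.match(line):
            target = m["target"].lower()
            debugger = m["debugger"].removesuffix(" ()").strip()
            # Redirecting a security tool, or redirecting to a missing file, is a hijack.
            if target in SECURITY_TOOLS or m["missing"]:
                findings.append(("HIGH", "ifeo-hijack", f"{target} -> {debugger}"))
            else:
                findings.append(("REVIEW", "ifeo-debugger", f"{target} -> {debugger}"))
        elif m := O4_RE.match(line):
            cmd = m["cmd"]
            if ODD_PATH_RE.search(cmd) or cmd.endswith("File not found"):
                findings.append(("HIGH", "run-key", f"[{m['name']}] {cmd}"))
        elif m := F3_RE.match(line):
            # A populated WinNT "Load" value is an autostart almost no real software uses.
            findings.append(("HIGH", "winnt-load", m["path"]))
    return findings
```

Running `triage(SAMPLE_LOG)` reports four HIGH findings (the Run key, the Load value and both IFEO hijacks) and one REVIEW entry for the placeholder debugger whose target file exists.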

What was it? Uploaded to Steven for research. Going to Avast! and Malwarebytes since it didn’t detect it either.

Also note: As I do not have direct access to his computer it will have to wait until he gets home. I have exams so I’m off since I didn’t write all of them

I have a friend who tried to download cracked Photoshop.......
Lesson learned..... when the bad guys give away something for free, they usually bundle it with some nice extra software. ;D

Uhh. The last time I saw his computer it was a mess. Der Gosh. Time to clean it up. Thank you Essex for helping him.

Good News. FatDcuk from MBAM is on the case to set up and block this program actively.

It will probably be a clickjacker and maybe a downloader. Although the IFEO blocks could open the gates for a bootkit. Avast will definitely need a copy of this, including the dropper if you have it.

I do indeed have the dropper. I sent the actual dropper and everything straight to Avast! via email and the Virus Chest (which doesn’t seem to work)?

edit: Essex, do you want the dropper?

Why not :slight_smile:

Fix Log attached. He’s running a Quick Scan

The Run key was not able to be deleted, but it appears that the rest has gone.

Has he run an MBAM scan? What symptoms are still apparent?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Need to set up a new VM for this.

I wonder if it works without Photoshop installed.

I would be interested to see if it tries to alter the MBR :slight_smile:

Maybe, that’s a huge file for a virus or trojan.

Or it just brings garbage, like some Windows 95 virus which just filled your hard drive up with text files until the last kilobyte.

And you needed to find the original one to stop it :slight_smile:

Lol, he isn’t a test subject.

Also, MBAM still won’t work. Fresh copies will not install either. Skype will not load as well; he’s using an iPod right now.

That system is pretty messed up. :slight_smile:

OK methinks it may be additional stuff

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop and rename to Gotcha

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

THEN

Download aswMBR.exe (4.5 MB) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan.

https://dl.dropboxusercontent.com/u/73555776/AswMBR%20scan.JPG

On completion of the scan click Save log, save it to your desktop and post it in your next reply.