Hello! I hope someone can help me. Avast has found and removed the same malware 3 times. It is being moved to the chest but keeps returning. A screenshot of the virus is attached. I was not able to find anything online about “camoca mosim”. Most topics regarding VBS downloader are old or require me to download premium software. Any help or guidance would be appreciated! Thank you.
Hello,
this looks like some random name. Can you post the SHA256 of the file in the virus chest, or send the file to VirusTotal and post the link to the scan result, please?
Milos
In addition, can you please run these scans? https://forum.avast.com/index.php?topic=194892.0
Thanks for the responses! Forgive my ignorance, how do I create a “SHA256” of the file? In the virus chest, I see an extract option. (Image attached of my virus chest with the options I see). Is this what you mean? I hesitated to do that just in case that is not what you meant. And then if that is the case, I then go to VirusTotal and scan the file, posting results here? Thanks for the help!
As an FYI, I did “send the file” to Avast for analysis already. There wasn’t an option to send it anywhere else when you click “send for analysis”.
Here are the MalwareBytes results. There were 40 finds, 3 of them malicious. I did go ahead and quarantine. The first scan I did not include a rootkit scan so I’m scanning again. I did see the “camoca mosim” verbiage in these initial results.
-Software Information-
Version: 4.1.2.73
Components Version: 1.0.990
Update Package Version: 1.0.27887
License: Trial
-System Information-
OS: Windows 10 (Build 18362.959)
CPU: x64
File System: NTFS
-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 343194
Threats Detected: 40
Threats Quarantined: 40
Time Elapsed: 16 min, 25 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 5
PUP.Optional.InstallCore, HKU\S-1-5-21-1723383654-43535822-1689055409-1001\SOFTWARE\CSASTATS\ic, Quarantined, 504, 586068, 1.0.27887, , ame,
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS{83033A57-B072-4BE1-819F-7FA1C2374C30}, Quarantined, 6519, 512672, , , ,
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\PLAIN{83033A57-B072-4BE1-819F-7FA1C2374C30}, Quarantined, 6519, 512672, , , ,
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Camoco Mosim, Quarantined, 6519, 512672, 1.0.27887, , ame,
PUP.Optional.WinYahoo.TskLnk, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL{5ED6B616-0E56-6796-BFD6-17166F56C496}, Quarantined, 897, 542290, , , ,
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 4
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\USERS\LCOUL\APPDATA\LOCAL{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}, Quarantined, 897, 542290, 1.0.27887, , ame,
PUP.Optional.MySearchDial, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 115, 663899, , , ,
PUP.Optional.Conduit, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Sync Data\LevelDB, Quarantined, 193, 454832, , , ,
File: 31
PUP.Optional.WinYahoo, C:\WINDOWS\TASKS\Yahoo! Powered conol.job, Quarantined, 240, 308966, 1.0.27887, , ame,
PUP.Optional.WinYahoo.TskLnk, C:\PROGRAMDATA\Microsoft\Windows\Start Menu\Programs\HowToRemove.lnk, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\USERS\LCOUL\APPDATA\LOCAL{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HOWTOREMOVE\HOWTOREMOVE.HTML, Quarantined, 897, 542290, 1.0.27887, , ame,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\chromium-min.jpg, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\control panel-min-min.JPG, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\down.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\ff menu.JPG, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\ff search engine-min.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\hp-min ff.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\hp-min ie.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\search engine.gif, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\setup pages.gif, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\sp-min.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\start-min.jpg, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\HowToRemove\up.png, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\lanatino, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\lelinice, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\uninst.exe, Quarantined, 897, 542290, , , ,
PUP.Optional.WinYahoo.TskLnk, C:\Users\lcoul\AppData\Local{AB3C9D60-8F94-F1D8-E20C-D430C66428A8}\uninstp.dat, Quarantined, 897, 542290, , , ,
PUP.Optional.AuslogicsDiskDefrag, C:\USERS\LCOUL\DESKTOP\BOOK OF LIFE\DISK-DEFRAG-SETUP.EXE, Quarantined, 3516, 353217, 1.0.27887, , ame,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000005.ldb, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\010036.ldb, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\010038.log, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\010039.ldb, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENT, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOCK, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\Users\lcoul\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-002896, Quarantined, 115, 663899, , , ,
PUP.Optional.MySearchDial, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 115, 663899, 1.0.27887, , ame,
PUP.Optional.Conduit, C:\USERS\LCOUL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Secure Preferences, Replaced, 193, 454832, 1.0.27887, , ame,
Physical Sector: 0
(No malicious items detected)
WMI: 0
(No malicious items detected)
(end)
Nothing in the MBAM logs indicates a VBS infection, just some PUA/PUPs. From the same instructions, can you run Farbar Recovery Scan Tool (FRST)?
As for hashing a file - In a powershell prompt (Hit the Windows Button, and type “Windows Powershell”, right click and run as Administrator).
Type the following command, exactly as written: Get-FileHash 'C:\Windows\System32\Tasks\Camoca Masim' -Algorithm SHA256
Edit: Rather than have you play around in PowerShell (not recommended), post the VirusTotal results; they will give us the hash.
Thank you for your time! That’s weird. The results before I quarantined and exported results showed 3 malicious files were found and the rest were PUPs. Are you referring to https://www.virustotal.com/? What file would I be submitting to them?
I am comfortable using powershell unless you feel this would reactivate any virus issues.
I did complete another Malwarebytes scan with rootkit selected and zero issues were found.
What file would I be submitting to them?
C:\Windows\System32\Tasks\Camoca Masim
Post the link to the scan result here.
Here are the Farbar scan results - attached.
I used the link you gave me, that also matches what my avast showed but that file cannot be found, maybe because it was quarantined?
I used the link you gave me, that also matches what my avast showed but that file cannot be found, maybe because it was quarantined?
That may be it, but you said in your first post "It is being moved to the chest but keeps returning", maybe Malwarebytes got it?
Anyway, @Sass Drake will check your attached logs when he is online
Ah - I’m blind. Malwarebytes removed the threat that Avast! is complaining about. Detected as Adware, not a VBS Downloader.
Adware.WinYahoo.Generic, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Camoco Mosim, Quarantined, 6519, 512672, 1.0.27887, , ame,
Updates/Uninstall Apps (Acrobat is in Version 17.011.X):
(Adobe Systems Inc.) [File not signed] C:\Program Files (x86)\Adobe\Acrobat 6.0\Distillr\acrotray.exe
(Safer-Networking Ltd. -> Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe (Remove - Outdated Application)
Sass Drake will need to double check your logs, but mrt.exe shouldn’t be blocked on a typical system.
Task: {170FC629-E5C7-4297-B4B7-091F09138452} - System32\Tasks\nelicil\{7518481C-EF1F-6C31-85F6-06EACB1AC84E} => C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
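The two FRST lines above point at a scheduled task that launches a binary from the user's AppData folder, and the earlier post asked for a SHA256 of the task file. The following PowerShell is an added example, not something posted in this thread or shipped with Avast, Malwarebytes or FRST: it lists every scheduled task whose action runs a program from a user-writable location, hashes the binary with Get-FileHash (SHA256, the value VirusTotal keys on) and reports when the file has already been removed, as happened with nelicil.exe later in the thread. It assumes the built-in ScheduledTasks module (Windows 8 and later) and an elevated prompt; the list of "suspicious" roots is my own choice.

```powershell
# Added example: find scheduled tasks that start a program from a user-writable
# location, then SHA256-hash the target for a VirusTotal lookup.
# Run from an elevated PowerShell prompt on Windows 8/10/11.

# Roots a properly installed program rarely runs from (assumed list).
$suspiciousRoots = @(
    [regex]::Escape($env:LOCALAPPDATA),
    [regex]::Escape($env:APPDATA),
    [regex]::Escape($env:TEMP),
    [regex]::Escape($env:ProgramData)
)
$pattern = '^(' + ($suspiciousRoots -join '|') + ')'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # Only "Start a program" actions carry an Execute path.
        if (-not $action.Execute) { continue }

        # Expand %AppData%-style variables and strip surrounding quotes;
        # 8.3 short names such as 751848~1 resolve fine through Test-Path.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        if ($exe -notmatch $pattern) { continue }   # -match is case-insensitive

        $hash   = $null
        $signer = 'file missing (already removed or quarantined?)'
        if (Test-Path -LiteralPath $exe) {
            $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $signer = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        }

        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName   # TaskPath ends in '\'
            State     = $task.State
            Execute   = $exe
            Arguments = $action.Arguments
            Signature = $signer      # Valid / NotSigned / HashMismatch / missing
            SHA256    = $hash        # paste into the VirusTotal search box
        }
    }
}

$findings | Format-List
```

A task whose binary is unsigned, lives under AppData and has an unknown hash is exactly the pattern FRST flagged with "<==== ATTENTION"; an entry reported as missing means the file is gone but the task definition still needs removing, which is what the fixlist step later in the thread does.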
Thanks so much guys for the help! It does appear that MalwareBytes got it, assuming it doesn’t come back again like it did in Avast. So I guess it’s not as harmful as an actual VBS downloader, that’s good news!
Let me know what I should do about this part in quotes below. I’m not sure what this is for. I use Spybot Search & Destroy, possibly blocking the mrt.exe file? I do recognize the HKLM from some Spybot scan results in the past.
“Task: {170FC629-E5C7-4297-B4B7-091F09138452} - System32\Tasks\nelicil\{7518481C-EF1F-6C31-85F6-06EACB1AC84E} => C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION”
I’ve sent this thread to Sass drake for review, not sure if he never saw it or what… Whilst you wait,
VirusTotal: C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe
Save that to a file called “fixlist” with the TXT extension. Place the file in the same directory as the FRST executable. Open the FRST executable and press “fix”. It will run and save a new file with the results. Please upload that file here.
- Open Notepad (click Start button → type notepad.exe → press Enter)
- Copy text from code block below and paste it into Notepad
FF HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction <==== ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {170FC629-E5C7-4297-B4B7-091F09138452} - System32\Tasks\nelicil\{7518481C-EF1F-6C31-85F6-06EACB1AC84E} => C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe <==== ATTENTION
VirusTotal: C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe
C:\Users\lcoul\AppData\Roaming\751848~1
- Go to File → Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open FRST again and click on the button Fix
- Wait until FRST finishes
- fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.
This file: VirusTotal: C:\Users\lcoul\AppData\Roaming\751848~1\nelicil.exe is no longer there. I made sure files were not hidden and triple checked. The 751848 nor the nelicil.exe are in this directory. Perhaps Malwarebytes got it too? Maybe I’m good to go now? Maybe there isn’t a need to have anyone else spend more time on this, unless you feel Sass drake should still take a look at it?
I truly appreciate all your help and time. THANK YOU!