Topic: Interesting Case


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Interesting Case
« on: January 22, 2014, 02:40:59 AM »
Hey,

I have a friend who tried to download cracked Photoshop. Since Malwr, Wikisend and VT won't scan the file, I can't tell if it's malicious or not.

Malwarebytes Anti-Malware will not run. Chameleon is having difficulties updating and running. OTL has stopped responding and Avast! deemed him clean (Avast! is password protected). I suspect 0Access or something.

Any ideas? He's using Windows 8.1, so no safe mode.

Edit: OTL has given us a log and Cham finally updated. We will see about logs.
Edit 2: Malwarebytes Cham just failed at trying to launch.

OTL is what you have to work with at this point.
« Last Edit: January 22, 2014, 02:49:36 AM by alan1998 »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #1 on: January 22, 2014, 02:45:05 AM »
OTL Attached

Edit: I've asked Essexboy to come take a look...
« Last Edit: January 22, 2014, 02:52:45 AM by alan1998 »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31078
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Interesting Case
« Reply #2 on: January 22, 2014, 03:13:37 AM »
Yes there is a safe mode: http://www.7tutorials.com/5-ways-boot-safe-mode-windows-8-windows-81

Tell your friend that there is no need to use illegal software.
If he wants to draw, LibreOffice and TheGimp are great and freeware.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #3 on: January 22, 2014, 11:23:57 AM »
Quote
Yes there is a safe mode: http://www.7tutorials.com/5-ways-boot-safe-mode-windows-8-windows-81

Tell your friend that there is no need to use illegal software.
If he wants to draw, LibreOffice and TheGimp are great and freeware.

Already gave him the lecture. However, he usually won't listen. I'll tell him to get into Safe Mode when he gets on Skype and walk him through the process. Btw, he's using Windows 8.2, not 8.1.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Interesting Case
« Reply #4 on: January 22, 2014, 03:42:15 PM »
Nice one Alan, something new.

All the bad files will be stored in c:\_OTL\moved files
The main files are:

nsjw.exe
comhost.exe


There will probably be some associated DLLs.
Could you upload them all to Avast as new malware?
They also add some IFEOs to block AVs and ComboFix:

O27:64bit: - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
O3 - HKU\S-1-5-21-740717726-3063088930-3629085741-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found
F3:64bit: - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
F3 - HKU\S-1-5-21-740717726-3063088930-3629085741-1001 WinNT: Load - (C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe) - C:\ProgramData\{$5642-5471-5422-8310$}\comhost.exe ()
O27:64bit: - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27:64bit: - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avcenter.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avguard.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\avp.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\bdagent.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ccuac.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\ComboFix.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\egui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\hijackthis.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\keyscrambler.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\mbam.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MpCmdRun.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MSASCui.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\MsMpEng.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\msseces.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\spybotsd.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\wireshark.exe: Debugger - nsjw.exe File not found
O27 - HKLM IFEO\zlclient.exe: Debugger - nsjw.exe File not found
[2014/01/20 12:48:51 | 000,000,000 | -H-D | C] -- C:\ProgramData\{$5642-5471-5422-8310$}
[2014/01/19 15:00:57 | 084,716,544 | RHS- | C] () -- C:\ProgramData\197145800.exe


:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
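
Added example (not code from the thread, from OTL or from Avast): a read-only PowerShell audit of the two persistence spots the fix above removes, the IFEO "Debugger" entries behind the O27 lines and the per-user WinNT "Load" value behind the F3 lines. It assumes an elevated PowerShell session on the machine being examined; the test of whether the debugger image resolves is an approximation of the Windows search rules, not the exact ones.

```powershell
# Added example, not from the thread, OTL or Avast: a read-only audit of the two
# persistence spots in the fix above. O27 lines are IFEO "Debugger" values (the
# 64-bit view and the Wow6432Node view); F3 lines are the per-user WinNT "Load"
# value. Run in an elevated PowerShell on the machine being examined.

# Security tool image names the fix shows redirected; a Debugger on any of these is suspect.
$securityTools = @('avcenter.exe', 'avguard.exe', 'avp.exe', 'bdagent.exe', 'ccuac.exe',
    'ComboFix.exe', 'egui.exe', 'hijackthis.exe', 'keyscrambler.exe', 'mbam.exe', 'MpCmdRun.exe',
    'MSASCui.exe', 'MsMpEng.exe', 'msseces.exe', 'spybotsd.exe', 'wireshark.exe', 'zlclient.exe')
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options')

function Get-IfeoDebuggerFindings {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($dbg)) { continue }
            # The first token of the value is the debugger image; it may be quoted.
            if ($dbg -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($dbg -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            # A bare name is looked up on the search path (approximation of CreateProcess).
            $resolved = if ($exe -match '[\\/]') { Test-Path -LiteralPath $exe }
                        else { [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue) }
            $verdict = if ($securityTools -contains $key.PSChildName) { 'Suspicious: security tool redirected' }
                       elseif (-not $resolved) { 'Suspicious: debugger missing, target cannot start' }
                       else { 'Review' }
            [pscustomobject]@{ Target = $key.PSChildName; Debugger = $dbg; Resolved = $resolved; Verdict = $verdict }
        }
    }
}

function Get-WinNTLoadFindings {
    # "Load" is a legacy logon autostart and is normally absent; only loaded user hives are visible.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $path = "$($hive.PSPath)\Software\Microsoft\Windows NT\CurrentVersion\Windows"
        $load = (Get-ItemProperty -Path $path -Name Load -ErrorAction SilentlyContinue).Load
        if ($load) { [pscustomobject]@{ User = $hive.PSChildName; Load = $load } }
    }
}

Get-IfeoDebuggerFindings | Sort-Object Verdict -Descending | Format-Table -AutoSize
Get-WinNTLoadFindings | Format-Table -AutoSize
```

On the system in this thread the first table would list every O27 target with nsjw.exe as an unresolved debugger, and the second would show the comhost.exe path from the F3 lines under the user's SID.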

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #5 on: January 22, 2014, 04:16:19 PM »
What was it? Uploaded to Steven for research. Going to Avast! and Malwarebytes since it didn't detect it either.

Also note: As I do not have direct access to his computer it will have to wait until he gets home. I have exams so I'm off since I didn't write all of them.
« Last Edit: January 22, 2014, 04:18:29 PM by alan1998 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37597
  • Not a avast user
Re: Interesting Case
« Reply #6 on: January 22, 2014, 04:32:53 PM »
Quote
I have a friend, tried to download cracked Photoshop.......
lesson learned ..... when the bad guys give away something for free, they usually bundle it with some nice extra software.   ;D


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #7 on: January 22, 2014, 04:35:54 PM »
Quote
I have a friend, tried to download cracked Photoshop.......
lesson learned ..... when the bad guys give away something for free, they usually bundle it with some nice extra software.   ;D


Uhh. The last time I saw his computer it was a mess. Der Gosh. Time to clean it up. Thank-you Essex for helping him.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #8 on: January 22, 2014, 04:40:57 PM »
Good News. FatDcuk from MBAM is on the case to set up and block this program actively.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Interesting Case
« Reply #9 on: January 22, 2014, 04:59:30 PM »
It will probably be a clickjacker and maybe a downloader, although the IFEO blocks could open the gates for a bootkit. Avast will definitely need a copy of this, including the dropper if you have it.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #10 on: January 22, 2014, 05:01:34 PM »
I do indeed have the dropper. I sent the actual dropper and everything straight to Avast! via email and the Virus Chest (which doesn't seem to work).


edit: Essex, do you want the dropper?
« Last Edit: January 22, 2014, 05:03:13 PM by alan1998 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Interesting Case
« Reply #11 on: January 22, 2014, 05:25:11 PM »
Why not :)

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Interesting Case
« Reply #12 on: January 22, 2014, 10:02:23 PM »
Fix Log attached. He's running a Quick Scan.
« Last Edit: January 22, 2014, 10:16:06 PM by alan1998 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Interesting Case
« Reply #13 on: January 22, 2014, 11:11:35 PM »
The run key could not be deleted, but it appears that the rest has gone.

Has he run an MBAM scan? What symptoms are still apparent?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
O4 - HKLM..\Run: [Windows COM Host] C:\{$5642-5471-5422-8310$}\comhost.exe -rundll32 /SYSTEM32 "C:\Windows\System32\taskmgr.exe" "C:\Program Files\Microsoft\Windows" File not found

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Interesting Case
« Reply #14 on: January 22, 2014, 11:22:49 PM »
Need to set up a new VM for this.

I wonder if it works without Photoshop installed.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10