Author Topic: Firefox update Malware?  (Read 21167 times)


Dave W

  • Guest
Firefox update Malware?
« on: February 04, 2012, 08:47:40 PM »
Hello,

I have Avast Free, running XP Pro-32 bit.

I am getting the same kinds of Avast Warning and Blocking messages that NickJHenderson reported in a previous thread on this Forum, on his newer Windows 7 - 64 bit system: 

http://forum.avast.com/index.php?topic=92407.0

My last specific Avast pop-up reported the following information:

Infection Details

URL:   hxxp://www.zoosexshow.com/?x     (My added note: I changed the http to hxxp, for safety)
Process:   file://C:\Program Files\Common Files\Com...
Infection:   html:Iframe-inf

Note: In other previous pop-up warnings (nearly all of which seem to try to connect to animal sex porn sites), Avast has provided the complete Process pathway, being:

 C:\Program Files\Common Files\ComObjects\update.exe

(Note: On my computer, the "update" file in this path has a Firefox logo beside it).

__________________________________________________

I have been working on this for a week.  With an ISP Tech (who could not find or fix the problem), and with a Bleepingcomputer.com Virus/Malware Consultant (who could not find or fix the problem), we tried many approaches that included the following programs, to no avail:

Hijackthis
GMER
Tdsskiller
dds
aswMBR
Combofix
OTL
Kaspersky VTR
Revo Uninstaller
resetDMA

Some of these programs were run more than once in an effort to identify and/or fix the problem.

In addition, my regular scanners (Avast, Malwarebytes, and Spybot) all find no infections or problems. 

However, these pop-ups keep occurring (sometimes by the dozen in a few minutes, and other times a day or two apart) - whether or not I have Firefox or any browser open.

The following additional measures did not fix the problem:
-  Disabling all Firefox add-ons
-  Updating older versions of programs (such as Adobe Reader) that had security vulnerabilities.
-  Uninstalling and re-downloading and re-installing Avast.
-  Running Avast, Malwarebytes and Spybot in Safe Mode.

If you would like to see more specifically what has been tried (including many scan results), the following link will take you directly to my ongoing (3 pg) thread at bleepingcomputer.com  (On this forum, my username is Daveinsk):

http://www.bleepingcomputer.com/forums/topic440353.html

On that forum, we ran out of things to try, so I am hoping that the Avast Folks may have some experience or familiarity with this problem.

Do you have any knowledge of this infection, or suggestions?

As I typed this post, I rec'd my monthly Avast security report, which reported that 54 web and network objects were infected and blocked, but that 0 files were infected and cleaned by scans.

Note:  While I was typing this message, Avast gave warnings and blocked approx 20 more attempts to connect to an array of animal sex porn sites (which I have never visited).  Please help if you can.

Thank-you for your considerations, and any responses provided.

Dave W


Gargamel360

  • Guest
Re: Firefox update Malware?
« Reply #1 on: February 04, 2012, 08:54:06 PM »
Read carefully and follow this guide >> http://forum.avast.com/index.php?topic=53253.msg451454#msg451454. While the programs may look familiar and lead you to think "here we go again", they need to be run first to try and diagnose. ;)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Firefox update Malware?
« Reply #2 on: February 04, 2012, 08:54:59 PM »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Firefox update Malware?
« Reply #3 on: February 04, 2012, 08:59:01 PM »
This is coming from "C:\Program Files\Common Files\ComObjects\update.exe"?

You can try uploading the suspect file to VirusTotal to have it scanned by 40+ antiviruses to see if any others detect it.

Alternatives to VirusTotal:
Jotti
VirSCAN
Metascan


I use Firefox and don't have a "ComObjects" folder. ???


Also
Quote
The pop-up happened to occur right after I enabled an add-on called QuickJS ( h[X]tps://addons.mozilla.org/en-US/firefox/addon/quickjs/?src=search ). Since I had first installed this add-on only a couple of weeks ago (unlike most of my other add-ons - that I have had for months to years), I was very suspicious that it may have been the source of the pop-up problem. So I went into the Firefox add-ons and removed it completely. But the warning pop-up occurred again after it was removed.
Looks like a relatively new add-on. What prompted you to install it? Just out of curiosity? Or was it something in the past that provoked you?
« Last Edit: February 04, 2012, 09:08:49 PM by Donovansrb10 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #4 on: February 04, 2012, 09:49:30 PM »
I see Gringo is assisting - he is good

But sometimes a fresh set of eyes helps

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #5 on: February 05, 2012, 01:43:39 AM »
Hello, and thank-you for all of the responses.


This is my attempt to fulfill the requests in the first response after my post:

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.04.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: DELL1 [administrator]

2/4/2012 4:26:17 PM
mbam-log-2012-02-04 (16-26-17).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 165900
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
____________________________________________

Re OTL Scan

The Following OTL scan did not open two different scan results in Notepad as the instructions said that it would, but rather, only one.   I ran the program twice in case it was just a glitch, but both times, only one Notepad window opened with one OTL report.  That report is attached, as instructed.

____________________________________________

Re aswMBR Scan

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-04 17:27:26
-----------------------------
17:27:26.578    OS Version: Windows 5.1.2600 Service Pack 3
17:27:26.578    Number of processors: 2 586 0x304
17:27:26.578    ComputerName: DELL1  UserName:
17:27:27.406    Initialize success
17:27:28.203    AVAST engine defs: 12020401
17:27:35.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
17:27:35.500    Disk 0 Vendor: HDS728040PLA320 PF1OA63A Size: 38146MB BusType: 3
17:27:35.515    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-22
17:27:35.515    Disk 1 Vendor: ST3120026AS 3.18 Size: 114473MB BusType: 3
17:27:35.531    Disk 0 MBR read successfully
17:27:35.531    Disk 0 MBR scan
17:27:35.593    Disk 0 Windows XP default MBR code
17:27:35.593    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        31580 MB offset 63
17:27:35.609    Disk 0 scanning sectors +64677690
17:27:35.687    Disk 0 scanning C:\WINDOWS\system32\drivers
17:27:48.078    Service scanning
17:27:49.093    Modules scanning
17:28:00.781    Disk 0 trace - called modules:
17:28:00.796    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
17:28:00.812    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89bb4ab8]
17:28:00.812    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x89b7cd98]
17:28:01.281    AVAST engine scan C:\WINDOWS
17:28:06.484    AVAST engine scan C:\WINDOWS\system32
17:30:08.484    AVAST engine scan C:\WINDOWS\system32\drivers
17:30:22.875    AVAST engine scan C:\Documents and Settings\Administrator
17:33:10.703    AVAST engine scan C:\Documents and Settings\All Users
17:33:44.203    Scan finished successfully
18:13:35.125    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:13:35.125    The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\12 02 04 aswMBR.txt"

___________________________________________________

Re Rogue Killer

I wasn't sure if I was supposed to run RogueKiller or not.  The instruction page seemed to suggest that I run it if I fulfilled a condition  - that did not seem to apply to me.  However, I tried to run it anyway - just in case, but the link to download it did not work.  If you still want me to run it, please let me know where I can get it.

___________________________________________________

Re Farbar Service Scanner


I did not run this scanner, as the instruction page said: "If you are having internet connection problems or firewall problems then do the following".  Since I am not having these specific problems, I did not download or run the program.  If you wish me to, please just let me know.

___________________________________________________


The above scans and reports were on the instruction page of the link provided in the first response after my initial post.

I will now look at the second response after my initial post, and will try to fulfill all of the requests there, in my next post.  In turn, I will try to fulfill every scan and report request that has been made - confidently hopeful that I am not just repeating 3 days of scanning and reporting - to no avail.

Thank-you for your considerations.

- Dave

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #6 on: February 05, 2012, 02:04:52 AM »
Hello again,

The second response to my initial post (by Asyn) sent me to the same page of instructions as the first response (by Gargamel) - to which I have already responded.

The third response (by Donovansrb) suggested that the suspicious file (update.exe) that Avast identified as the possible source of the infection could be inspected online by several programs.  The results of those scans are as follows:

VirusTotal: on 2012-02-04 23:42:01. Detection ratio: 0/43   

Metascan: Online Scan detected 0 possible threats.

VirScan:  Scanners did not find Malware.

Jotti:  0 out of 20 scanners found Malware.

________________________________________________________

Thx again.

I await any further suggestions you may have.

- Dave

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #7 on: February 05, 2012, 02:40:35 AM »
Donovansrb,

Sorry, I missed answering your question in my previous post.

I downloaded QuickJS a couple weeks back, because I was sometimes running into pop-up windows that asked me if I was sure I wanted to leave a website when I closed a tab.  In some cases, even if I said "yes", it would not let me leave.  Every time I would click the pop-up window to leave - I noticed that (with the help of another add-on called Ghostery), another tracker would try to add me to the list of those trying to track me.  I presume that someone was somehow making money from this ploy.  To stop this looping, I had to shut off Java (presumably stopping the script that kept repeating the loop).  But the pop-up windows would often also prevent or delay my access to the normal Java check box (under Tools/options/Enable Java), making it difficult to shut off Java, so I could close and escape the site.

The plug-in you asked about (QuickJS) placed a small on/off icon on my lower task bar - allowing me to turn Java on and off much faster.  That is why I downloaded it.

________________________________________

However, in the same time period, I downloaded several other Java plug-ins, and several other add-ons, just to try them out.  I only kept two.  One blackened any web page - making the writing green (as my eyes are sensitive to light and cannot watch a bright white screen for long).  This was called: "Blank your Monitor + Easy reading 1.9.7"

The other add-on that I kept placed a small blue arrow on a lower task bar, that could be pushed to download (and convert if desired) any YouTube video, or videos from other sites.  This was called: "Flash Video Downloader YouTube Downloader 3.4.3"

Currently, all of my add-ons are disabled.  However, the pop-ups are still occurring anyway.

A couple weeks ago, I also downloaded two different media players, just to try them out.  They include the VLC Video Player, and the Media Player Classic (downloaded with the K-Lite codec pack).   I scanned these downloads before and after installing them - with Avast, Malwarebytes and Spybot, and nothing was found by these scans.

Hope this helps!

- Dave 


machinshin

  • Guest
Re: Firefox update Malware?
« Reply #8 on: February 05, 2012, 08:49:54 AM »
I'm very interested in this story. Since yesterday I'm experiencing exactly the same problems.
I do not use firefox, but had v.4.0 installed.
Suspicious activities I did yesterday include plugging in a suspect usb key, updating VLC to the latest version (1.1.11), and installing DirectVobSub (VSFilter).
I'm suspecting DirectVobSub since it didn't seem to do anything when installed, but I'd rather wait and see how Dave fixes his problem (one thing we both did was update VLC!).

Avast also identified "firefox"'s update.exe trying to access pr0n sites. I killed the update.exe via process admin, but sysinternals process explorer showed it was still active, after I killed it there, I have not experienced additional rogue internet access (I'll keep checking). But obviously there is something wrong with our computers.

Avast and MaM complete scans yielded nothing, but I'll try to follow the complete recommended operations pointed out to Dave. Please do not think I'm trying to hijack this thread, I'm only trying to help Dave as the OP, since probably once he fixes his comp. I'll be able to do the same.

UPDATE: I uploaded the installers for VLC and DirectVobSub (VSFilter) to virustotal and both were identified as infected but only by one engine (1/40) in each case:
VSFilter: AntiVir   -> HTML/ADODB.Exploit.Gen
VLC: Antiy-AVL      -> Virus/Win32.Xpaj.gen

UPDATE2: I will open a separate thread for my problem, sorry if I created unwanted noise here.
« Last Edit: February 05, 2012, 12:07:59 PM by machinshin »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #9 on: February 05, 2012, 01:23:33 PM »
RogueKiller link is fixed, a formatting error on my part

OK, let's look in the com folder and see what we have there

Run OTL and select all users
In the custom scans and fixes box copy/paste the following :

C:\Program Files\Common Files\ComObjects\*.* /s

Press run scan
Again there will only be one log
Attach said log

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #10 on: February 05, 2012, 06:09:19 PM »
Hello Essexboy,

I have run and attached the OTL file, as per your instructions.

I did not run RogueKiller, as your last post did not seem to instruct me to, even though you did explain that the link was now operational.  Just let me know if you would like me to run it.
_____________________________________

I found it interesting that Machinshin is experiencing the same problem.  I could easily do without the (common suspect) VLC player - that I downloaded and he updated recently (as I virtually never use it),  but I will wait to see if we can locate the source (which does not seem to be in a VLC file - at least, no scanner has found any such association to date on my system).

It may be worth mentioning, that I have two physical hard drives, and most of my (non-XP) programs are not on my primary Drive C, but rather on my Drive P (Programs) - which is on my second physical hard drive.  Drive P is where my VLC player folder is located.  I don't know if this has any significance.
_____________________________________

One other point, if I may?

On the attached OTL report, I noticed that some of the plug-ins were reported as enabled, even though my Firefox add-ons page shows them all as disabled (except Shockwave, which was installed and enabled when I downloaded a new version of Adobe Flash last night, as my Flash was not working - in retrospect - likely because I disabled all add-ons a couple days ago, to see if an active add-on may have been causing the problem).

One plug-in that particularly interests me, is Google Update.  I don't recall ever downloading this update, and, right now, my Firefox add-ons page shows it to be disabled, while the attached OTL scan reports it to be enabled, with the following (copied) line:
 
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.39\npGoogleOneClick8.dll

Again, I don't know if this has any significance.

Thank-you again for your considerations.  I await any further insights, instructions or suggestions.

- Dave

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #11 on: February 05, 2012, 06:17:56 PM »
You have the same java dll - also Vlan has two folders in the C drive

You have a google update job in windows tasks.  That goes there as soon as you get any google product and it is set to check for updates daily 

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    [2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files\Common Files\ComObjects\js3260.dll

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #12 on: February 05, 2012, 09:10:40 PM »
Hello Essexboy,

When I ran OTL, it prompted me to re-boot as it ended.  Then, it automatically produced a report after the reboot.

Your instructions were to run a quick scan after the reboot - which I did.

I have attached both scan reports for your consideration.

Thanks,
- Dave   

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Firefox update Malware?
« Reply #13 on: February 05, 2012, 09:38:41 PM »
Hi Dave W,

The results of those scans are as follows:

VirusTotal: on 2012-02-04 23:42:01. Detection ratio: 0/43   

Metascan: Online Scan detected 0 possible threats.

VirScan:  Scanners did not find Malware.

Jotti:  0 out of 20 scanners found Malware.

The update.exe seems legit then. The dll file that Essexboy mentions has something to do with telling the update.exe to execute these sites.

This dll file appears new, see:
http://systemexplorer.net/db/js3260.dll.html


I'm not so sure about this new malware, so let essex take care of the rest.

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #14 on: February 06, 2012, 08:18:48 PM »
Hello,

I have a strange new phenomenon occurring here, which I suspect is related to my primary problem, and/or Essexboy's last OTL customized script.

First off, I notice a split second image of a black page with white writing as Windows boots up, that was not there before today (or perhaps yesterday).  It is on screen too briefly to read.  This is not a problem, but it is a recent change, so I mentioned it.     

More importantly, when I boot up my computer now, there is a minimized application button on my task bar at the bottom of my screen.   On it, there is a Firefox logo, and the words: "about:memory - Mozilla Firefox"

The words on this button intermittently change to different strange websites.

When I clicked on it - it would not open into a page or application.

When I checked the Windows Task Manager - it listed "about:memory - Mozilla Firefox" as a running application.  When I right clicked on this application, a drop down menu appeared.  One of the options was "Go to Process".  When I clicked this option it took me to the Processes window in the Task Manager, and highlighted "update.exe"

I then went back to the Applications tab in the Windows Task Manager and right clicked on the "about:memory - Mozilla Firefox" running application again.  This time, I selected "Maximize".  (I hope this was not a mistake). A web page opened.   It had the following headings, but no information:

Memory Usage
   
  Overview
  Memory mapped:
  Memory in use:
  Other Information
  Description

I tried re-booting the computer to see if the task bar button appeared again. It did.  When I maximized the button, I briefly saw a window that was titled: "Welcome Humans".  When this window was open, the name on the task bar button was: “Gort! Klaatu barada nikto!”

Here is the website that I found when I did a web search for this name.  This webpage shows the same window that I saw, titled: “Welcome Humans”

http://mozillalinks.org/2008/12/gort-klaatu-barada-nikto/

I don't know if this specific site has significance, but I wonder if a "Mozilla Links" application may be implicated?

___________________________________________

Then, I noticed a Firefox minimized application button on my task bar called “Download”. However,
-  There were no downloads showing on my Firefox Download list.
-  Clicking on it did nothing.
-  When the button was visible, it was shown in Windows Task Manager – Applications, with the Process path (also) leading to update.exe

- Then, a few mins later, the “about:memory” button/application kept changing to the names of different porn sites (unknown to me), but now Firefox web pages also opened – with a new tab opening each time the tab name/application changed.  Two of the websites that opened were “iphone porn and Android porn” and “Hole Movies”. 

Avast has made no attempt to block any of these sites, but they are not the animal sex porn sites that Avast had been blocking before.

Could I have opened the door to these connections being able to open Firefox web pages when I maximized the “about:memory” button, or the “Download” button, using the Windows Task Manager? 
 
As I typed this post, I noticed that additional (usually porn) websites were opening with other names.  Eventually, Avast gave the same old familiar warning and blocked a connection to an animal sex porn site (as per the usual problem).

Here are a few other things I noticed:

- After I would “End Task” in the applications window of the Windows Task manager (to get rid of the button, and close the website), the first spontaneous re-appearance of the application (with a corresponding opening web page) was usually the about:memory button.

-  If the button/application changes and other actual web pages begin to open, it is usually either the Gortu page, or, a porn page that is not animal sex porn (and that Avast does not block), but if I do not “end task” for the application, I presume it may only be a matter of time until the application tries to connect to a malicious animal sex site - which Avast blocks from opening.

- One of the names of the porn sites in the Applications window of Windows Task manager is “Yes Porn - Mozilla Firefox”, even when an Avast pop-up calls the site a different name (such as one of the typical animal sex porn sites).

- Sometimes the task bar button name & web pages change quite quickly.  Other times, the about:memory button stays the same for significant periods.  Sometimes, a porn site name appears, and then the button name changes back to “about:memory - Mozilla Firefox”, all by itself.  I have no idea what dictates the frequency or order of the changes.

- Seemingly related, my entire screen now “blinks” quite periodically.  This is also quite new within the last day or two. It was not doing this before, even when I was getting Avast pop-up warnings and site blocks.
 
I presume these new appearances may have something to do with Essexboy's script – which apparently has acted to make behind the scenes activity more visible, but I am just speculating here.

I am also speculating, that the same connections (as described above) may have been occurring since my problem started – but without the buttons on the task bar, and without the connections actually opening web pages.  Thus, the only time I was aware that any such background connections were occurring, was when a connection was attempted to a malicious site - which Avast blocked and notified me of – with a pop-up.

This mechanism could seemingly explain the background connection mechanism to the Internet, but  what is directing my computer to make these connections?  And how or why are these particular websites (non-malicious, and malicious and blocked by Avast) being selected for connection?

And, what next?

Thank-you again.

- Dave
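As an added triage example (not code from this thread, nor from Avast, OTL or any other tool named in it), the script below automates what Dave did by hand with Task Manager's "Go to Process": it matches windows that carry a Firefox title to the process that actually owns them, and lists DLLs loaded from outside the Windows and Firefox directories, which is where a stray js3260.dll beside a clean-scanning update.exe would show up. The Firefox install path, the trusted directories and the process records are assumptions and constructed sample data, not a capture from Dave's machine.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed install location of a genuine Firefox on a 32-bit XP system (assumption).
FIREFOX_DIRS = (r"C:\Program Files\Mozilla Firefox",)
# Directories whose DLLs are treated as expected modules (assumption).
TRUSTED_MODULE_DIRS = (r"C:\WINDOWS",) + FIREFOX_DIRS


@dataclass
class Proc:
    pid: int
    image: str                                        # full path of the executable
    windows: List[str] = field(default_factory=list)  # visible window titles
    modules: List[str] = field(default_factory=list)  # paths of loaded DLLs


def _under(path: str, roots) -> bool:
    """True when path lies below one of the given directory roots (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)


def suspicious_windows(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Windows whose title claims to be Firefox but whose owning process does not
    run from a Firefox install directory. The "about:memory - Mozilla Firefox"
    button that Task Manager traced back to update.exe is exactly this case."""
    hits = []
    for proc in procs:
        if _under(proc.image, FIREFOX_DIRS):
            continue
        for title in proc.windows:
            if title.endswith("- Mozilla Firefox"):
                hits.append((proc.pid, title, proc.image))
    return hits


def foreign_modules(procs: List[Proc]) -> List[Tuple[int, str]]:
    """DLLs loaded from outside the trusted directories. A loader that scans
    clean (update.exe was 0/43 on VirusTotal) with an unknown DLL next to it
    is what this check is meant to surface."""
    return [(proc.pid, mod) for proc in procs
            for mod in proc.modules if not _under(mod, TRUSTED_MODULE_DIRS)]


# Constructed sample inventory modelled on the symptoms in the thread (not real data).
SAMPLE = [
    Proc(1000, r"C:\Program Files\Mozilla Firefox\firefox.exe",
         windows=["Avast Forum - Mozilla Firefox"],
         modules=[r"C:\Program Files\Mozilla Firefox\xul.dll",
                  r"C:\WINDOWS\system32\ntdll.dll"]),
    Proc(2048, r"C:\Program Files\Common Files\ComObjects\update.exe",
         windows=["about:memory - Mozilla Firefox", "Download"],
         modules=[r"C:\Program Files\Common Files\ComObjects\js3260.dll",
                  r"C:\WINDOWS\system32\kernel32.dll"]),
]

if __name__ == "__main__":
    for pid, title, image in suspicious_windows(SAMPLE):
        print(f"PID {pid}: window '{title}' is owned by {image}, not by Firefox")
    for pid, mod in foreign_modules(SAMPLE):
        print(f"PID {pid}: module loaded from an unexpected location: {mod}")
```

A title without the Firefox suffix (the bare "Download" button) is not caught by the window check alone, which is why the module check is run alongside it.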