Author Topic: Firefox "update.exe" malware?  (Read 8314 times)

Offline NickJHenderson

Firefox "update.exe" malware?
« on: January 30, 2012, 11:32:21 AM »
Hi everyone,

I've just got a new build PC running Windows 7 64-bit. I've only had it for a few days but Avast keeps coming up with a Malware blocked message:

Infection Details
URL:   hxtp://allzoomovies.com/?x
Process:   file://C:\Program Files (x86)\Common Files\ComObjects\update.exe
Infection:   html:Iframe-inf


I have never been on the website quoted or anything similar but it comes up with this message almost every time I launch Firefox.

Going to the destination folder, the file has a Firefox logo and cannot be deleted (comes up with a message reading something like "Firefox is still using this file so it cannot be deleted" even when Firefox is not installed).

So far Avast is blocking it but I don't want this to escalate and ruin my nice new PC!

ANY help is greatly appreciated!

Nick

UPDATE: It's also calling the same file a Suspicious File now!
« Last Edit: January 30, 2012, 12:00:10 PM by Milos »

Offline Pondus

Re: Firefox "update.exe" malware?
« Reply #1 on: January 30, 2012, 11:34:57 AM »
Quote
-http://allzoomovies.com/
Sucuri - http://sitecheck.sucuri.net/results/http://allzoomovies.com/

VirusTotal
https://www.virustotal.com/file/0409d3fae1729689c4813f2516d3559b6fecbb3f64b6a2180fe826a1fa93db4c/analysis/1327927242/


Quote
Process:   file://C:\Program Files (x86)\Common Files\ComObjects\update.exe

Upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.


Alternatives:
Jotti     http://virusscan.jotti.org/en
VirSCAN   http://virscan.org/
Metascan   http://www.metascan-online.com/


« Last Edit: January 30, 2012, 11:42:25 AM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline DavidR

Re: Firefox "update.exe" malware?
« Reply #2 on: January 30, 2012, 11:37:43 AM »
Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

You might not have been on the web site in the alert, but something on your system is trying to connect to it: "C:\Program Files (x86)\Common Files\ComObjects\update.exe".

Do you know what this ComObjects folder/application is about?
It may be that it is legit but the site has been hacked.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Pondus

Re: Firefox "update.exe" malware?
« Reply #3 on: January 30, 2012, 11:48:05 AM »
Check for malware with this

Malwarebytes Anti-Malware http://filehippo.com/download_malwarebytes_anti_malware/
Always click the update button before you start a scan.
Click on the remove selected button to quarantine anything found.

Post the scan log here.

Offline Pondus

Re: Firefox "update.exe" malware?
« Reply #4 on: January 30, 2012, 12:33:40 PM »
Norman lab
Quote
allzoomovies.com.htm : Processed - HTML/Redir.JN


Offline DavidR

Re: Firefox "update.exe" malware?
« Reply #6 on: January 30, 2012, 06:21:36 PM »
Well, it isn't update.exe that avast is alerting on, as that is the process responsible for making the connection to the site, which avast considers malicious. So I wouldn't really have expected VT to find anything, or avast may have been likely to have alerted on that file, not the URL location. This isn't uncommon, as this element would appear benign; it is just where it is trying to send you that would do the dirty deed were it not for avast blocking that.

I have done a search and find only one other instance of this C:\Program Files (x86)\Common Files\ComObjects\update.exe and it supports this ComObjects folder being highly suspect.

So download MalwareBytes AntiMalware (MBAM), install, update, run and post the contents of the log file as asked by Pondus.

- This however may require further investigation:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and start your own new topic and attach the logs there, not in the LOGS topic.

You will already have made a head start by running MBAM as asked.

Offline NickJHenderson

Re: Firefox "update.exe" malware?
« Reply #7 on: February 01, 2012, 10:53:34 AM »
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.01.03

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick & Liz :: TEST-PC [administrator]

01/02/2012 11:17:47
mbam-log-2012-02-01 (11-17-47).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 381310
Time elapsed: 34 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Offline DavidR

Re: Firefox "update.exe" malware?
« Reply #8 on: February 01, 2012, 12:43:12 PM »
Proceed with the other scans (OTL) and attach their logs.

Offline NickJHenderson

Re: Firefox "update.exe" malware?
« Reply #9 on: February 01, 2012, 02:33:14 PM »
Here you go!

Offline DavidR

Re: Firefox "update.exe" malware?
« Reply #10 on: February 01, 2012, 03:09:19 PM »
Essexboy, one of our malware removal specialists, should take a look at it later on; he is normally on-line from 7pm UK time, currently 4:10pm in the UK.

Offline NickJHenderson

Re: Firefox "update.exe" malware?
« Reply #11 on: February 01, 2012, 03:14:32 PM »
Cheers, you guys are quite literally Gods of technology.

Offline essexboy

Re: Firefox "update.exe" malware?
« Reply #12 on: February 01, 2012, 06:02:31 PM »
Hi, I would like to look at the launch points next.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    @Alternate Data Stream - 1055 bytes -> C:\Users\Nick & Liz\AppData\Local\Temp:f7QDsmoZwpktY9wVf

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


Then re-run OTL and copy/paste the following into the custom scans box and press run scan

hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
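
As an added example (not part of essexboy's post and not OTL's own code): a read-only PowerShell check that lists the `shell\open\command` values under `HKLM\SOFTWARE\Clients\StartMenuInternet` in both the 64-bit and 32-bit registry views, then reports signature status, product name and SHA-256 for each target and for the `update.exe` path from the alert. It assumes PowerShell 4.0 or later; the function names are hypothetical, and unlike the recursive OTL scan it reads only the `shell\open\command` subkey of each registered browser.

```powershell
# Added example: read-only triage of the browser launch points scanned above.
# $SuspectPath is copied from the avast alert in this thread; the function
# names are hypothetical. Nothing is modified or deleted.
$SuspectPath = 'C:\Program Files (x86)\Common Files\ComObjects\update.exe'
$SubKey      = 'SOFTWARE\Clients\StartMenuInternet'

function Get-ExePathFromCommand([string]$Command) {
    # A command value is either  "C:\path\app.exe" args  or  C:\path\app.exe args
    if ($Command -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

function Get-FileTriage([string]$Path) {
    $Path = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Signature = $sig.Status      # Valid / NotSigned / HashMismatch / ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Product   = (Get-Item -LiteralPath $Path).VersionInfo.ProductName
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Walk both registry views, as the two OTL scan lines (with and without /64) do.
$results = foreach ($view in 'Registry64', 'Registry32') {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
    $root = $hklm.OpenSubKey($SubKey)
    if (-not $root) { continue }
    foreach ($browser in $root.GetSubKeyNames()) {
        $cmdKey = $root.OpenSubKey("$browser\shell\open\command")
        if (-not $cmdKey) { continue }
        $command = [string]$cmdKey.GetValue('')   # '' reads the (Default) value
        $exe = Get-ExePathFromCommand $command
        if ($exe) {
            Get-FileTriage $exe | Add-Member -PassThru -NotePropertyMembers @{
                View = $view; Browser = $browser; Command = $command }
        }
    }
}
$results | Format-List
Get-FileTriage $SuspectPath | Format-List
```

A launch command that points outside the browser's own install folder, or a target that is unsigned while carrying a browser's product name or icon, is the kind of entry worth posting for a helper to review.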



Offline razoreqx

Re: Firefox "update.exe" malware?
« Reply #13 on: February 01, 2012, 06:12:45 PM »
Quote
Hi everyone,

I've just got a new build PC running Windows 7 64-bit. I've only had it for a few days but Avast keeps coming up with a Malware blocked message:

Infection Details
URL:   hxtp://allzoomovies.com/?x
Process:   file://C:\Program Files (x86)\Common Files\ComObjects\update.exe
Infection:   html:Iframe-inf


I have never been on the website quoted or anything similar but it comes up with this message almost every time I launch Firefox.

Going to the destination folder, the file has a Firefox logo and cannot be deleted (comes up with a message reading something like "Firefox is still using this file so it cannot be deleted" even when Firefox is not installed).

So far Avast is blocking it but I don't want this to escalate and ruin my nice new PC!

ANY help is greatly appreciated!

Nick

UPDATE: It's also calling the same file a Suspicious File now!


Just to clarify to the OP: based on the SHA-256, it is goodware.

http://systemexplorer.net/filereviews.php?fid=873766

Offline DavidR

Re: Firefox "update.exe" malware?
« Reply #14 on: February 01, 2012, 07:10:18 PM »
The problem being this has nothing to do with firefox.exe in the link that you posted.

Nor is firefox.exe mentioned in the quoted text, it is update.exe; the fact that that has a Firefox icon just makes me more suspicious of it.