Author Topic: Firefox update Malware?  (Read 21306 times)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #15 on: February 06, 2012, 09:29:03 PM »
The comobjects folder has been updated so I may need another look in there I feel

I will run two quick fixes first and then see what the folder reveals

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Configuration Wizard.lnk = File not found

    :Files
    ipconfig /flushdns /c
    C:\Program Files\Common Files\ComObjects\js3250.dll

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

THEN

Let's see if there is an update by JP

Please download GooredFix from one of the locations below and save it to your Desktop

Download Mirror #1
Download Mirror #2

  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.


Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

FINALLY

Rerun OTL with this custom scan please

C:\Program Files\Common Files\ComObjects\*.* /s

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #16 on: February 07, 2012, 03:27:32 AM »
Hello again,

Sorry for the delay.  I didn't realize you had responded at the top of the 2nd page.

During the first OTL fix, the following message came up in a window:

Update.exe - Unable to Locate Component

This application has failed to start because js3250.dll was not found.  Reinstalling the application may fix the problem.
______________________________________

The same message came up after the re-boot, and returned within a few seconds every time I closed it (with either "X" or "OK").  I cannot get rid of this message window for more than a few seconds.

Attached is:

1)  The OTL report that opened automatically after the reboot (called 12 02 06 Auto after boot).
2)  The GooredFix report (called 12 02 06 Gooredfix).
3)  The final OTL scan report (called 12 02 06 Last OTL Scan). 

I have also cut and pasted the first two (shorter) reports below. 

OTL Auto after boot


[EMPTYTEMP]
 
User: Administrator
->Temp folder emptied: 387626 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 59404901 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 593 bytes
 
User: All Users
 
User: Default User
->Temp folder emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: LocalService
->Temp folder emptied: 66016 bytes
 
User: NetworkService
->Temp folder emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66253 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7736 bytes
 
Total Files Cleaned = 57.00 mb
 
Restore point Set: OTL Restore Point (0)
 
OTL by OldTimer - Version 3.2.31.0 log created on 02062012_185805

Files\Folders moved on Reboot...
File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_190.dat moved successfully.
File\Folder C:\WINDOWS\temp\Perflib_Perfdata_cec.dat not found!

Registry entries deleted on Reboot...

______________________________________
 

GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:18 on 06/02/2012 (Administrator)
Firefox version 10.0 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
(none)

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3nomuutp.default\extensions\
firefox@ghostery.com [15:37 24/01/2012]
superstart@enjoyfreeware.org [20:47 22/01/2012]
{7E7165E2-0767-448c-852F-5FA8714F2C37} [02:55 02/02/2012]
{ada4b710-8346-4b82-8199-5de2b400a6ae} [15:59 28/01/2012]
{EDA7B1D7-F793-4e03-B074-E6F303317FB0} [02:30 12/03/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [19:36 04/07/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [22:05 01/02/2012]
"wrc@avast.com"="C:\Program Files\AVAST Software\Avast\WebRep\FF" [03:24 02/02/2012]

-=E.O.F=-
___________________________________________


I composed the last two posts at the end of page 1 of this thread.  I hope that you saw both of them, as the second especially seemed to have pertinent information.   

In an earlier post, Donovan had spoken of a suspicious js3260.dll file.  However, my update.exe file now seems to want to open, but cannot due to a missing js3250.dll file.  I don't know if the closeness of these two files has any significance, but mentioned it just in case.

Thx again.

- Dave 

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #17 on: February 07, 2012, 03:30:04 AM »
Only one attachment got through on my last post.  This is my attempt to send the other two.

Offline essexboy

Re: Firefox update Malware?
« Reply #18 on: February 07, 2012, 10:01:04 PM »
From the other thread with this selfsame problem it appears to track down to one js file

I will quarantine that now - could you let me know the results

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    [2012/01/04 07:12:24 | 000,188,916 | ---- | M] () -- C:\Program Files\Common Files\ComObjects\data.js

    :Commands
    [emptyjava]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Dave W

  • Guest
Re: Firefox update Malware?
« Reply #19 on: February 08, 2012, 12:06:09 AM »
Essexboy,

The OTL scan that you requested is attached.

When I reboot, I now get the following message on my screen

Windows Script Host

Can not find the file "C:\Program Files\Common Files\ComObjects\data.js"

____________________________________________

Does the above message indicate an ongoing problem, that needs to be addressed?

If not, can the message be prevented from opening every time the computer is booted?

____________________________________________

Also, one of the scans or repair programs used here (or perhaps on bleepingcomputers.com) has seemed to add a split-second view of a page with white text on a black background when the computer first boots up (just before the Windows logo page).  This is not a major problem, but can it be removed?
____________________________________________

General Questions

Is the original problem presumed solved now?   (Note:  I have had no further Avast website block/pop-ups over the last day).

Was the source of the problem ever identified (such as where the bad file came from?, and/or, what vulnerability permitted it to infect the system)?

Are there any further scans, programs or monitoring that you would suggest that I conduct?

Is there any problem with my turning my Firefox add-ons back on now?

Is there something I can do to protect from re-infection?, or, something I should do if I am re-infected (that would be less than the two weeks of time and hassle that it took to get rid of this infection)?


A gracious thank-you for all of your time, considerations and help. 

Regards,
Dave W

« Last Edit: February 08, 2012, 04:40:25 AM by Dave W »

Offline essexboy

Re: Firefox update Malware?
« Reply #20 on: February 08, 2012, 10:41:44 PM »
I would like to see where the start point is for the js data

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
    Do you want to skip supplementary searches?
    click NO
    • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
    • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
    • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


    Dave W

    • Guest
    Re: Firefox update Malware?
    « Reply #21 on: February 09, 2012, 01:46:42 AM »
    Hello Essexboy,

    I tried running the program you suggested - following your directions, but it did not seem to act as you anticipated - so I don't think that I have made it run at all. 

    First off - I did not receive a prompt: Do you want to skip supplementary searches?   So, I could not click "no".

    Secondly, when I double clicked on the file to open it - it opened in Notepad with a LOT of information to start with - but even leaving it for 30 mins - there was no evidence that anything further was happening.   

    The last thing in the file was:   '** Update Revision Number on line #15 **

    No matter how long I left it, it never said; All Done  (as you said it would). 

    This makes me doubt that the program has run, or run properly,  but I don't know what to do to make it run.  I tried re-running it several times, and even re-downloaded it again, and then tried running it several more times.  The outcome was always the same. 

    I tried to copy and paste the text from Notepad into this post (for your consideration), but a preview said that  it exceeded the maximum allowed length.  Next, I tried sending it as an attachment, but the post was again denied - saying that it exceeded the maximum allowed length - so I could not show you what was in the Notepad file that opened when I double clicked on the file.   

    Can you please give further instructions on how I might make this program run properly?

    With Thanks,
    - Dave

    Offline !Donovan

    • Web Analyst
    • Avast Evangelist
    • Super Poster
    • ***
    • Posts: 2219
      • The WAR Against Malware
    Re: Firefox update Malware?
    « Reply #22 on: February 09, 2012, 01:52:13 AM »
    Hi Dave,

    The file is a Visual Basic Scripting file, or .VBS file.

    Open the file in notepad > save as > all files > Silent Runners.vbs

    Then, please re-run the newly saved file. A prompt should appear. Choose "No" as essexboy says, and the program will start searching for startup entries.



    ~Donovansrb10
    « Last Edit: February 09, 2012, 01:57:16 AM by Donovansrb10 »
    "People who say it cannot be done should not interrupt those who are doing it."

    Dave W

    • Guest
    Re: Firefox update Malware?
    « Reply #23 on: February 09, 2012, 02:34:00 AM »
    Thank-you Donovan,

    I think it ran correctly this time.  However, the report was still too large to post as Essexboy had requested.  Thus, I have sent the report as an attachment.

    I await interpretation and further instructions.

    Dave W

    Offline essexboy

    Re: Firefox update Malware?
    « Reply #24 on: February 09, 2012, 09:59:47 PM »
    You probably did not use the right click save as - if not then it will save as a txt file

    I was hoping that a comparison of the two silent runners files might throw some light on the subject but alas no

    Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

    Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

    If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :OTL
    [2010/03/31 00:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Common Files\ComObjects\update.exe
    [2012/01/26 09:07:26 | 000,189,107 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\data.js


    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

    Dave W

    • Guest
    Re: Firefox update Malware?
    « Reply #25 on: February 09, 2012, 11:41:14 PM »
    Essexboy,

    Again, after running the customized script in OTL as instructed, and rebooting, OTL opened automatically - prompting me to push "Run".  When I did it produced a small report that I have attached (called 12 02 09 Auto run on boot). 

    I then re-opened OTL and performed another quick scan - as instructed.  This scan is also attached (called 12 02 09 After boot scan OTL).

    Hope this helps.
    TY again for your considerations. 

    - Dave

    Offline essexboy

    Re: Firefox update Malware?
    « Reply #26 on: February 10, 2012, 07:38:44 PM »
    Are you still getting the problem ?

    I have a trace on it now and I am asking Machinshin for a registry export, to determine the reason why I cannot see it (yet)

    So bear with me please - his solution should be yours

    Offline essexboy

    Re: Firefox update Malware?
    « Reply #27 on: February 10, 2012, 08:43:15 PM »
    OK, let's see if you have the same blighter

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    Code:
    :regfind
    data.js
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Dave W

    • Guest
    Re: Firefox update Malware?
    « Reply #28 on: February 10, 2012, 10:36:29 PM »
    Scan report, as requested;

    SystemLook 30.07.11 by jpshortstuff
    Log created at 15:05 on 10/02/2012 by Administrator
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "data.js"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TaskMngr"="wscript.exe "C:\Program Files\Common Files\ComObjects\data.js""

    -= EOF =-

    ________________________________________

    I have not had any Avast pop-ups/malicious website blocks since (approx) Feb 6th (4 days).

    However, I would like to reiterate the questions that I originally posed on Feb 7th:

    I still get a message after each boot from the Windows Script Host; Can not find the file "C:\Program Files\Common Files\ComObjects\data.js"

    Ques 1)  Does the above message indicate an ongoing problem, that needs to be addressed?

    Ques 2)  If not, can this message be prevented from opening every time the computer is booted?

    ____________________________________________

    Ques 3)  Also, one of the scans or repair programs used here (or perhaps on bleepingcomputers.com) has seemed to add a split-second view of a page with white text on a black background when the computer first boots up (just before the Windows logo page).   It is on too briefly to be able to read.  This is not a major problem, but can it be removed from the boot-up process?
    ____________________________________________

    General Questions

    Ques 4)  Is the original problem presumed solved now?   (Note:  I have had no further Avast website block/pop-ups since approx Feb 6th).

    Ques 5)  Was the source of the problem ever identified (such as where the bad file came from?, and/or, what vulnerability permitted it to infect my system)?

    Ques 6)  Are there any further scans, programs or monitoring that you would suggest that I conduct?

    Ques 7)  Is there any problem with my turning my Firefox add-ons back on now?

    Ques 8)  Is there something I can do to protect from re-infection?,

    Ques 9)  Is there something that I should do if the problem re-occurs (that would be less than the 2+ weeks of time and hassle that it took to get rid of this infection)?

    A very appreciative thank-you for your response, as well as all of your gracious time, patience, considerations and help. 

    Regards,
    Dave W
       


    Offline essexboy

    Re: Firefox update Malware?
    « Reply #29 on: February 10, 2012, 11:41:22 PM »
    OK first we will stop the popup about data.js  Q1 and 2 answered  ;D

    Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

    Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

    If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Code:
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TaskMngr"=-

    :Files
    ipconfig /flushdns /c

    :Commands
    [CREATERESTOREPOINT]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

    3. The boot start may be the recovery console installed by combofix. We can remove that for you

    4. Once this fix has run then yes

    5. No, it may well have been an update that you were tricked into installing

    6. Probably not

    7. Nope, put 'em all back

    8. Be suspicious of all updates that are not from the programmer's site

    9. This was new.... But not now as we have traced the elements that need removal
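
The SystemLook result in Reply #28 and the registry fix in Reply #29 both come down to one autostart value that launches a script through wscript.exe. As an added example (not written by any poster in this thread and not part of SystemLook or OTL), the Python below parses regfind-style log text and reports Run-key values that start a Windows script host, marking those whose script file is already gone, which is the state that produced the boot-time "Can not find the file" message. The function names, the script-host list and the `ExampleApp` line are assumptions of the example; the sample log is constructed from the lines posted above.

```python
import ntpath
import os
import re

# Interpreters that rarely belong in a Run key (this list is an assumption of the example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
KEY_LINE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
COMMAND = re.compile(r'^"?(.+?\.(?:exe|com|bat|cmd))"?(?:\s+(.*))?$', re.IGNORECASE)

# Constructed sample: the regfind section from Reply #28 plus one hypothetical benign value.
SAMPLE_LOG = r'''
========== regfind ==========
Searching for "data.js"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMngr"="wscript.exe "C:\Program Files\Common Files\ComObjects\data.js""
"ExampleApp"="C:\Program Files\ExampleApp\app.exe /background"
-= EOF =-
'''

def split_command(command):
    """Split a Run-value command line into (executable, argument string)."""
    m = COMMAND.match(command.strip())
    if m:
        return m.group(1), m.group(2) or ""
    parts = command.strip().split(None, 1)  # no known extension: take the first token
    if not parts:
        return "", ""
    return parts[0].strip('"'), parts[1] if len(parts) > 1 else ""

def script_argument(args):
    """Return the first argument that is not a //option; quoted paths stay whole."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', args):
        token = quoted or bare
        if not token.startswith("/"):
            return token
    return None

def find_script_autostarts(log_text, exists=os.path.exists):
    """List Run/RunOnce values in the log that start a script host."""
    findings, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if m := KEY_LINE.match(line):
            key = m.group(1)
        elif key and RUN_KEY.search(key) and (m := VALUE_LINE.match(line)):
            exe, args = split_command(m.group(2))
            host = ntpath.basename(exe).lower()
            if host in SCRIPT_HOSTS:
                script = script_argument(args)
                findings.append({
                    "key": key, "value": m.group(1), "host": host, "script": script,
                    # True: the value still fires at boot but its script was removed
                    "orphaned": script is not None and not exists(script),
                })
    return findings

if __name__ == "__main__":
    # exists=lambda p: False models the machine after data.js was quarantined
    for finding in find_script_autostarts(SAMPLE_LOG, exists=lambda p: False):
        print(finding)
```

Passing a real `exists` check on the affected machine separates a live script autostart from a leftover value that only needs deleting.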