Author Topic: Firefox update Malware?  (Read 7012 times)

0 Members and 1 Guest are viewing this topic.

Offline Dave W

  • Newbie
  • *
  • Posts: 19
Re: Firefox update Malware?
« Reply #30 on: February 11, 2012, 03:44:28 AM »
Thank-you for answering my questions.

The requested scan is attached, along with the fix report that OTL generated before I rebooted and ran the quick scan. 

If this all checks out, it seems that the only thing left may be removing the (Combofix?) boot screen (if it was not already removed with the last fix).

After running a lot of scans and attempted fixes with Gringo from bleepingcomputer.com (just before I came to this forum), my computer was slow, unresponsive and the mouse action was not smooth. Even sound was garbled for the first second or so, whenever any sound was played.  In short, the computer was running terrible.  He had me run a program called "resetdma" - which seemed to clean up all the problems and make everything run smooth and fast again.  Do you have any problems with my running that program again now (to "clean up" - so to speak)?

I await any further instructions, explanations or suggestions you'd like to share.

- Dave

 

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36474
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #31 on: February 11, 2012, 11:59:12 AM »
OK all we need to do is reset the boot logon screeen

Right click My Computer (either desktop icon or on the start menu)
Select Properties
Select the advanced tab
Select start up settings
Remove the tick from the time to display boot options (see screenshot)
Fixed

Could you now go to the following folder and locate then zip the following files

C:\_OTL\moved files (HHDDMM)\C:\Program Files (x86)\Common Files\ComObjects

And zip the following

data.js
update.exe
js3250.dll


Once zipped could you upload them to mediafire for me and post the sharing link, I will then forward to Avast for analysis

When you are happy let me know and I will remove my tools

Also could you let Gringo know that it is fixed please and post him the link to here 

Offline Dave W

  • Newbie
  • *
  • Posts: 19
Re: Firefox update Malware?
« Reply #32 on: February 11, 2012, 07:48:14 PM »
I think I need some additional instructions.  I am running XP Pro.  When I tried to follow your instructions to reset the boot logon screen,  all of the instructions made sense (and worked), until I got to your instruction that said;
"Remove the tick from the time to display boot options (see screenshot)" .

I did not know where the screenshot was that you referred to, but I doubt that a screenshot would help, as my options are not the same as you stated.

I do not get a "Time to display boot options" check-box.  I do get a "Time to display list of operating systems" checkbox, and a "Time to display recovery options when needed" checkbox.   It seems the former may be the closer equivalent.  It currently has a checkmark and is set to 2 seconds.

Ques 1)   Is this the box that I should uncheck?  If not, please give further instructions on how I should proceed.

Ques 2)  And may I ask, will the above change remove the Combo-fix screen (or whatever else has been added to my boot-up) from my boot-up process, or will it just stop it from showing?

__________________________________________

With regards to the folder in "C:\_OTL\moved files (HHDDMM)\C:\Program Files (x86)\Common Files\ComObjects", I don't have one folder,  I have six, but only three have the pathways that you described, with a file (of any name) in "ComObjects".

In one of these folders is a file called;  "js3260.dll".  This is not one of the files that you requested.  Ques 3)  Do you want it zipped and sent anyway?

In another folder is the file called; "js3250.dll".   This is one of the files that you requested.  NP here.

In a third folder, is a file that is just called; "data"  (with a logo beside it).  Under "properties", this file is described as a JScript Script File.  Ques 4)  May I assume that this is the js.data file that you requested? (and thus, I should zip and send it)?
 
I can find no folder here, with the update.exe file in it (that you requested).  However, the original "update" file still appears at the end of the path: C: Program Files\Common Files\ComObjects\update  (with a Firefox logo beside  the "update" file). 
Ques 5)  Do you want me to copy, zip and send this file?   If no, please give alternative instructions on how I can fulfill your request for the update.exe file.
_________________________________________

Once it is clear to me exactly which files that you want sent, I will gladly zip and send them to you through the Mediafire uploader website, but I have never used this service before. 
Ques 6)  How do I send files specifically to you, through Mediafire?   
_________________________________________

An unrelated question
Ques 7)    Will all of my automatic updates (for various programs) still function properly and normally now?

TY for your response and further instructions. 
 

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36474
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #33 on: February 11, 2012, 08:22:44 PM »
Yes that is the box to untick, that will stop the recovery console from showing, but it will still be available for use if required   

Yes  zip all  those files including the data and the update
when you get to mediafire it is fairly straightforward to upload.  Once it has completed it will give you a sharing link.  Just copy/paste that into the next reply

All update programmes should function correctly


Offline Dave W

  • Newbie
  • *
  • Posts: 19
Re: Firefox update Malware?
« Reply #34 on: February 11, 2012, 09:45:26 PM »
Thank-you for the clarification.

The four zipped files that I uploaded to MediaFire should now be accessible with the following link:

http://www.mediafire.com/?216478hjusfbt72,9i5jjs246todzzt,zzwxossf5snn8cu,z2ags5pgtfg6gi2

__________________________________

I copied the four files from their respective locations to my desktop, and then zipped them, and then uploaded them to MediaFire. 

Thus, the C:\_OTL\moved files ... all still exist.   Ques 1)  Should I just leave them, or should I delete the _OTL folder?   

In addition, the update file that I copied and zipped from C: Program Files\Common Files\ComObjects\update  (with a Firefox logo beside  the "update" file) - still exists.   Ques 2)   Should this file be left alone as it is needed for some essential or desired functions? .   

Ques 3)  Previously, I had asked for your thoughts on my again running the resetdma program, that I ran before (as directed by Gringo) - to iron out the wrinkles from my system so it ran faster and smoother.  Do you have any problem with my running that program again now?, and, whenever my system seems slow or choppy?  If you are familiar with it, may I ask -  Does it have a downside or significant risk involved with its use? 

Is there anything else that I should do, or be made aware of?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36474
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #35 on: February 11, 2012, 10:37:40 PM »
Delete the update from the  comobject folder (although this one looks legit)

As soon as you are happy I will remove all my tools cleanly so just let me know

resetdma should not need to be run again as it changed the way your hard drive was read, and it should not have reverted


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36474
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #36 on: February 11, 2012, 10:46:14 PM »
Thank you  - Uploaded to Avast

Offline Dave W

  • Newbie
  • *
  • Posts: 19
Re: Firefox update Malware?
« Reply #37 on: February 12, 2012, 01:14:47 AM »
I deleted the "update" file from C: Program Files\Common Files\ComObjects\update  (that had a Firefox logo beside it).

When I rebooted the computer afterwards, no message came up to say that the file was missing.  I checked and the file had not been re-installed automatically with the reboot.  I then opened Firefox, with no apparent problems, and then checked again, and the "update" file that I deleted had still not been re-installed. 

Out of curiosity and a desire to understand, my questions are;

1a) If this file was not an essential, necessary or beneficial part of Firefox, or a legitimate update process for the Firefox program or its add-ons, or for any other updates (which would be functions that I would presumably want to retain) - Then, why was the file there in the first place?
and 1b)  Why didn't we just delete it?   

2a)  Should I expect it to ever return? and 2b) If it does return, should I be concerned? and would that indicate re-infection? 
___________________________________________

My computer seems to be working fine again - except that it will not be back to normal until after I re-enable my add-ons.

Unless you have further concerns, I think that we could proceed with uninstalling your tools now - although, I'm not sure what that means. 

Is there a way that I can contact you directly, if I have further problems that involve this bug?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36474
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #38 on: February 12, 2012, 01:25:53 PM »
I have sent the files to Avast for analysis and maybe my thoughts that the update was just an innocent bystander was wrong... But I will wait to see what Avast says.  Although no regeneration would indicate it was a culprit

It should not return now, this is a new type of infection so the initial analysis/removal was mainly by gut instinct and following the breadcrumb trail

When you re-enable the addons do them one at a time and check that all is OK before you restart the next.  This way if one is the culprit we can add that to the removal list
   
If any further problems then either PM me or post back in this thread as it will be a few months before I cease monitoring it


Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :Commands
    [resethosts]
    [emptytemp]
    [CLEARALLRESTOREPOINTS]
     [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?Keep safe  :wave:

Offline Dave W

  • Newbie
  • *
  • Posts: 19
Re: Firefox update Malware?
« Reply #39 on: February 15, 2012, 08:30:12 PM »
My computer seems to be working very well again.  <big smile>

A gracious thank-you to all who participated in identifying the source file and fix for this very stealthy new infection.   

Special thanks to Essexboy.   Your persistence, patience and skill stands out - even amongst the Virus Pros.

I have followed all of the instructions in your last post, and now have most of my add-ons re-enabled, with no problems so far.     

I have also posted this thread on my recent thread on bleepingcomputer.com (where I first sought help), so both their Techs and other people with the same problem who may seek help there, might be helped in finding the source file and fix (which is now known here).

With regards and appreciation,
- Dave W

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36474
  • Dragons by Sasha
    • Malware fixes
Re: Firefox update Malware?
« Reply #40 on: February 15, 2012, 08:39:28 PM »
Glad all is well  ;D