Author Topic: Another firefox update.exe malware?


machinshin

  • Guest
Another firefox update.exe malware?
« on: February 05, 2012, 12:11:45 PM »
Hello,

I've been using avast for some months now, and yesterday I started getting warnings about access to unsafe URLs (just like Dave at http://forum.avast.com/index.php?topic=92616.0 and Nick at http://forum.avast.com/index.php?topic=92407.0 ).
Before locating those threads, I identified the offending process (update.exe in Common Files) and killed it with Sysinternals Process Explorer. After it was killed, I didn't receive further warnings from avast. It was very suspicious because update.exe seemed to be a firefox file, but I've not used firefox in months (I use chrome mainly), and had not updated it recently.

I ran a complete scan with avast just to be sure, but it didn't find anything. I also downloaded MBAM and did a scan with it, but it didn't find anything either. Since I'm quite sure there is something wrong in the PC, I also ran OTL as per http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Suspicious activities I did yesterday include plugging in a suspect USB key, updating VLC to the latest version (1.1.11), and installing DirectVobSub (VSFilter).
I'm suspecting DirectVobSub since it didn't seem to do anything when installed (I later uninstalled it).

I uploaded the installers for VLC and DirectVobSub (VSFilter) to VirusTotal and both were identified as infected, but only by one engine (1/40) in each case:
VSFilter: AntiVir   -> HTML/ADODB.Exploit.Gen
VLC: Antiy-AVL      -> Virus/Win32.Xpaj.gen


I will copy/paste the logs below.

Thanks for your help!
« Last Edit: February 05, 2012, 12:23:09 PM by machinshin »

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #1 on: February 05, 2012, 12:17:27 PM »
MBAM log:


Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.04.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
agustin :: GALATEA [limited]

05/02/2012 11:00:01
mbam-log-2012-02-05 (11-00-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 177331
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------------------------------

OTL.Txt:

Attached, it is too long to paste here (the forum rejected such a long message)

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #2 on: February 05, 2012, 12:50:04 PM »
I noticed that I had a wscript.exe process running with a path to a data.js in the ComObjects directory, which was regularly spawning the update.exe program. Even though I was not getting any additional warnings from Avast, I decided to uninstall firefox.
Since the wscript.exe process was still running and accessing the ComObjects directory, I killed the wscript process (nothing bad has happened yet) and moved the ComObjects directory to ComObjects_suspect.

Neither the wscript.exe nor update.exe were reported to be infected by VirusTotal.
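
A defensive check for the process chain described in this post (a script host running a .js from the ComObjects folder and repeatedly launching update.exe), written as an added PowerShell example that is not part of this thread or of any tool mentioned in it. The folder name "Common Files\ComObjects" comes from the post; the process-name and command-line patterns, the function name Get-FileSha256 and the use of an Authenticode check are assumptions made for the example.

```powershell
# Added example, not from the thread: enumerate Windows script hosts and flag the
# chain the poster saw, i.e. wscript.exe running a .js from a
# "...\Common Files\ComObjects" folder and launching children such as update.exe.
# Only WMI and .NET are used, so this also works on Windows 7 / PowerShell 2.0.
# Run from an elevated prompt so command lines of processes in all sessions are visible.

function Get-FileSha256 ($Path) {
    # Hash for a VirusTotal lookup, without relying on Get-FileHash (PowerShell 4.0+).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

$all = Get-WmiObject -Class Win32_Process

# wscript.exe / cscript.exe are the hosts that execute a .js file directly.
$scriptHosts = $all | Where-Object { $_.Name -match '^[wc]script\.exe$' }

$findings = foreach ($sh in $scriptHosts) {
    $cmd = [string]$sh.CommandLine

    # The folder name is the one from the thread; the .js test is an assumption
    # about how a script host command line normally looks.
    $runsJs     = $cmd -match '\.js(\s|"|$)'
    $fromComObj = $cmd -match 'Common Files\\ComObjects'

    # Children (e.g. update.exe) are linked to the host through ParentProcessId.
    $children = $all | Where-Object { $_.ParentProcessId -eq $sh.ProcessId }

    $childInfo = foreach ($c in $children) {
        $sig = 'n/a'; $hash = 'n/a'
        if ($c.ExecutablePath -and (Test-Path $c.ExecutablePath)) {
            # A "Firefox" update.exe that is unsigned, or signed by someone else, is the tell.
            $sig  = (Get-AuthenticodeSignature -FilePath $c.ExecutablePath).Status
            $hash = Get-FileSha256 $c.ExecutablePath
        }
        "$($c.Name) [pid $($c.ProcessId)] $($c.ExecutablePath) sig=$sig sha256=$hash"
    }

    New-Object PSObject -Property @{
        HostPid     = $sh.ProcessId
        Suspicious  = ($runsJs -and $fromComObj)
        CommandLine = $cmd
        Children    = ($childInfo -join '; ')
    }
}

# No output at all means no script host is currently running.
$findings | Sort-Object Suspicious -Descending | Format-List HostPid, Suspicious, CommandLine, Children
```

Running it before killing anything records the host's command line, the child's path, signature status and hash, which is what a helper on a forum like this one needs to decide whether the file is worth quarantining.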

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #3 on: February 05, 2012, 01:52:22 PM »
The log from aswMBR. Interestingly, it finds infected files where previous runs of Avast did not find any.

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-05 13:42:28
-----------------------------
13:42:28.404    OS Version: Windows x64 6.1.7601 Service Pack 1
13:42:28.404    Number of processors: 2 586 0x170A
13:42:28.405    ComputerName: GALATEA  UserName: Usuario
13:42:32.152    Initialize success
13:42:32.577    AVAST engine defs: 12020500
13:42:46.146    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
13:42:46.149    Disk 0 Vendor: ST9500420AS 0006HPM1 Size: 476940MB BusType: 11
13:42:46.166    Disk 0 MBR read successfully
13:42:46.168    Disk 0 MBR scan
13:42:46.171    Disk 0 unknown MBR code
13:42:46.178    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          199 MB offset 2048
13:42:46.191    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       463519 MB offset 409600
13:42:46.220    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        13220 MB offset 949696512
13:42:46.224    Service scanning
13:42:48.301    Modules scanning
13:42:48.312    Disk 0 trace - called modules:
13:42:48.341    ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
13:42:48.346    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004cac520]
13:42:48.354    3 CLASSPNP.SYS[fffff8800111c43f] -> nt!IofCallDriver -> [0xfffffa8004ca9870]
13:42:48.360    5 hpdskflt.sys[fffff88002332289] -> nt!IofCallDriver -> [0xfffffa8004ae01a0]
13:42:48.366    7 ACPI.sys[fffff88000ed77a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004b16060]
13:42:49.458    AVAST engine scan C:\Windows
13:42:51.694    AVAST engine scan C:\Windows\system32
13:45:42.041    AVAST engine scan C:\Windows\system32\drivers
13:45:57.807    AVAST engine scan C:\Users\Usuario
13:47:02.094    AVAST engine scan C:\ProgramData
13:47:02.330    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\AcrobatUpdater.exe  **INFECTED** Win32:Trojan-gen
13:47:02.422    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\AdobeARM.exe  **INFECTED** Win32:Trojan-gen
13:47:02.501    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\AdobeARMHelper.exe  **INFECTED** Win32:Trojan-gen
13:47:02.581    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\ReaderUpdater.exe  **INFECTED** Win32:Trojan-gen
13:47:02.676    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\AcrobatUpdater.exe  **INFECTED** Win32:Trojan-gen
13:47:02.768    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\AdobeARM.exe  **INFECTED** Win32:Trojan-gen
13:47:02.842    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\AdobeARMHelper.exe  **INFECTED** Win32:Trojan-gen
13:47:02.931    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\ReaderUpdater.exe  **INFECTED** Win32:Trojan-gen
13:47:03.032    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\AcrobatUpdater.exe  **INFECTED** Win32:Trojan-gen
13:47:03.095    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\AdobeARM.exe  **INFECTED** Win32:Trojan-gen
13:47:03.156    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\AdobeARMHelper.exe  **INFECTED** Win32:Trojan-gen
13:47:03.223    File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\ReaderUpdater.exe  **INFECTED** Win32:Trojan-gen
13:49:57.886    Scan finished successfully
13:50:36.811    Disk 0 MBR has been saved successfully to "C:\Users\agustin\Downloads\MBR.dat"
13:50:36.818    The log file has been saved successfully to "C:\Users\agustin\Downloads\aswMBR.txt"

true indian

  • Guest
Re: Another firefox update.exe malware?
« Reply #4 on: February 05, 2012, 02:01:33 PM »
The files reported by aswMBR are false positives... so no worries! ;)

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #5 on: February 05, 2012, 02:05:58 PM »
Oh, OK, thanks; after I closed the Acrobat auto-updater the files went away anyway :-)

Still, the original problem seems to be unsolved, although I am not seeing strange behavior right now (I'm afraid of rebooting, since I manually killed the offending update.exe process).

Thanks for taking the time to help.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #6 on: February 05, 2012, 02:11:11 PM »
Hi, let's have a look in that folder, as this appears to be a new kid on the block.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files\Common Files\ComObjects\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*
CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #7 on: February 05, 2012, 02:35:59 PM »
Thanks!

I renamed the directory back to ComObjects, just in case, and OTL has been running for a few minutes now. I'll attach the logs as soon as it finishes.

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #8 on: February 05, 2012, 02:46:49 PM »
Done, but I just saw that the ComObjects directory is in a slightly different place.
I'm running OTL again with
C:\Program Files (x86)\Common Files\ComObjects
instead.

Thanks!

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #9 on: February 05, 2012, 03:12:14 PM »
Again, with the correct (?) directory name.

I had to split the file in order to upload it here.

Thanks!!!

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #10 on: February 05, 2012, 03:12:36 PM »
part 2...

Offline essexboy

Re: Another firefox update.exe malware?
« Reply #11 on: February 05, 2012, 04:21:45 PM »
OK, there is one JS file in there that happens to be very close to a legitimate DLL but is a tad wrong, so I will remove it to quarantine.

Once this run has completed, could you check to see if the problem persists?

Warning: this fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    :OTL
    O4 - HKLM..\Run: [RegistrarUsrDNIeCertStoreDLL] C:\Program Files (x86)\DNIe\udcs.exe ()
    [2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\js3260.dll


    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered; reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #12 on: February 06, 2012, 10:25:46 PM »
I've tried twice to run this, but the first time it didn't seem to work correctly (on startup an error message saying it couldn't remove a file appeared), and the second time the computer stopped responding while creating the restore point.
I'll try to run it again.
The update.exe has appeared again and contacts many unwanted URLs.

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #13 on: February 06, 2012, 10:31:00 PM »
Opening OTL.exe again, it opens a txt:


Files\Folders moved on Reboot...
File move failed. C:\Users\agustin\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...


Offline essexboy

Re: Another firefox update.exe malware?
« Reply #14 on: February 06, 2012, 10:51:08 PM »
Could you re-run the fix, but with just this in, please?

:OTL
[2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\js3260.dll