Author Topic: Another firefox update.exe malware?  (Read 19031 times)

0 Members and 2 Guests are viewing this topic.

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #15 on: February 06, 2012, 11:16:06 PM »
yes.
It must have worked before because it now says:


========== OTL ==========
File C:\Program Files (x86)\Common Files\ComObjects\js3260.dll not found.
 
OTL by OldTimer - Version 3.2.31.0 log created on 02062012_231426


(however the strange firefox update.exe process is still being spawned regularly by wscript.exe)

Thanks for helping out!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #16 on: February 06, 2012, 11:23:05 PM »
OK lets have another look in the folder

Run a quick scan with the following script

C:\Program Files (x86)\Common Files\ComObjects\*.* /s

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #17 on: February 07, 2012, 07:15:01 AM »
I thought you might ask for it  ;). I launched it yesterday night, with:

%SYSTEMDRIVE%\*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U\*.* /s
C:\Program Files (x86)\Common Files\ComObjects\*.* /s
%Temp%\smtmp\1\*.*
%Temp%\smtmp\2\*.*
%Temp%\smtmp\3\*.*
%Temp%\smtmp\4\*.*

 Thanks!

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #18 on: February 07, 2012, 07:41:43 AM »
Here is a screenshot of the process. It was more obvious before since I could see it connecting to bogus urls. Now it starts up, it gets killed by a cscript.exe, and after a while wscript starts it up again.
Both wscript and cscript seem to be using data.js in the ComObjects directory.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #19 on: February 07, 2012, 09:57:12 PM »
Could you follow the trail back up and see what kick starts it into action

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #20 on: February 07, 2012, 10:10:23 PM »
I'm not sure how to trace it backwards. The first thing I notice is the wscript.exe process but I don't know what is starting it.
Is there a way of looking it up?

Thanks!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #21 on: February 07, 2012, 10:49:20 PM »
There should be a files/files prior to ws starting could you taker a full page screenshot with the update.exe at the bottom

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #22 on: February 08, 2012, 06:38:18 PM »
I not sure if this is what you mean.
As far as I can see there is no parent for wscript.exe...

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #23 on: February 08, 2012, 10:27:35 PM »
OK lets roll back the years and use an old analysis tool

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.

  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
Do you want to skip supplementary searches?
click NO


  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #24 on: February 08, 2012, 11:07:03 PM »
Ok here is the result. Since it is more than 10000 characters I have to attach it instead of just pasting it here.

Thanks!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #25 on: February 09, 2012, 12:09:12 AM »
Running through it mnow to try and find the launch point.. I have a few suspicions but I need to confirm them

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #26 on: February 09, 2012, 10:05:08 PM »
A side by side comparison of two silent runners reeveals no commonality

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code: [Select]
:OTL
[2012/01/26 09:07:26 | 000,189,107 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\data.js
[2010/03/31 00:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files (x86)\Common Files\ComObjects\update.exe


:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #27 on: February 09, 2012, 10:35:42 PM »
After the Fix, and reboot, I get an error when the (virus/trojan?) wscript.exe tries to access data.js (see screenshot attached)

Opening OTL, here is the result of the Fix (I will add the QuickScan results in the next message).

Thank you!


All processes killed
========== OTL ==========
C:\Program Files (x86)\Common Files\ComObjects\data.js moved successfully.
C:\Program Files (x86)\Common Files\ComObjects\update.exe moved successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Configuraci¢n IP de Windows
Se vaci¢ correctamente la cach‚ de resoluci¢n de DNS.
C:\Users\agustin\Downloads\cmd.bat deleted successfully.
C:\Users\agustin\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
 
[EMPTYTEMP]
 
User: agustin
->Temp folder emptied: 3343 bytes
->Temporary Internet Files folder emptied: 61963 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 344806924 bytes
->Flash cache emptied: 905 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: luisa
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
User: Public
 
User: Usuario
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 6836 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 6142 bytes
 
Total Files Cleaned = 329,00 mb
 
Restore point Set: OTL Restore Point
 
OTL by OldTimer - Version 3.2.31.0 log created on 02092012_221941

Files\Folders moved on Reboot...
File move failed. C:\Users\agustin\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot...

machinshin

  • Guest
Re: Another firefox update.exe malware?
« Reply #28 on: February 09, 2012, 10:45:07 PM »
Please find the QuickScan attached.

It seems that update.exe is no longer running, but the threat is still trying to launch it (wscript.exe)

Thanks!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Another firefox update.exe malware?
« Reply #29 on: February 09, 2012, 10:47:24 PM »
WSH is not really a requirement on windows so lets disable it and see what happens
I have tested it on my windows 7 with no ill effect

Download Noscript.exe  to the desktop.
http://www.symantec.com/avcenter/noscript.exe
Double-click the Noscript.exe icon. The Norton Script Disabler/Enabler appears.
If the WSH is currently enabled on the system, you will be prompted as to whether you want to disable it. To do so, click Disable, and then click OK.
If the WSH is currently disabled on the system, you will be prompted as to whether you want to enable it. To do so, click Enable, and then click OK.

Once disableed then reboot and let me know if there are any problems