Another firefox update.exe malware?

Hello,

I’ve been using Avast for some months now, and yesterday I started getting warnings about access to unsafe URLs (just like Dave at http://forum.avast.com/index.php?topic=92616.0 and Nick at http://forum.avast.com/index.php?topic=92407.0 )
Before locating those threads, I identified the offending process (update.exe in Common Files) and killed it with Sysinternals Process Explorer. After it was killed, I didn’t receive further warnings from Avast. It was very suspicious because update.exe seemed to be a Firefox file, but I’ve not used Firefox in months (I use Chrome mainly), and had not updated it recently.

I ran a complete scan with Avast just to be sure, but it didn’t find anything. I also downloaded MBAM and did a scan with it, but it didn’t find anything either. Since I’m quite sure there is something wrong in the PC, I also ran OTL as per http://forum.avast.com/index.php?topic=53253.msg451454#msg451454

Suspicious activities I did yesterday include plugging in a suspect USB key, updating VLC to the latest version (1.1.11), and installing DirectVobSub (VSFilter).
I’m suspecting DirectVobSub since it didn’t seem to do anything when installed (I later uninstalled it).

I uploaded the installers for VLC and DirectVobSub (VSFilter) to virustotal and both were identified as infected but only by one engine (1/40) in each case:
VSFilter: AntiVir → HTML/ADODB.Exploit.Gen
VLC: Antiy-AVL → Virus/Win32.Xpaj.gen

I will copy/paste the logs below.

Thanks for your help!

MBAM log:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.04.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
agustin :: GALATEA [limited]

05/02/2012 11:00:01
mbam-log-2012-02-05 (11-00-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 177331
Time elapsed: 6 minute(s), 57 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

---------------------------------------------------------------

OTL.Txt:

Attached, it is too long to paste here (the forum rejected such a long message)

I noticed that I had a wscript.exe process running with a path to a data.js in the ComObjects directory, which was regularly spawning the update.exe program. Even though I was not getting any additional warnings from Avast, I decided to uninstall Firefox.
Since the wscript.exe process was still running and accessing the ComObjects directory, I killed the wscript process (nothing bad has happened yet) and moved the ComObjects directory to ComObjects_suspect.

Neither the wscript.exe nor update.exe were reported to be infected by VirusTotal.

The log from aswMBR: Interestingly it finds infected files where previous runs of Avast did not find any.

aswMBR version 0.9.9.1532 Copyright(c) 2011 AVAST Software
Run date: 2012-02-05 13:42:28

13:42:28.404 OS Version: Windows x64 6.1.7601 Service Pack 1
13:42:28.404 Number of processors: 2 586 0x170A
13:42:28.405 ComputerName: GALATEA UserName: Usuario
13:42:32.152 Initialize success
13:42:32.577 AVAST engine defs: 12020500
13:42:46.146 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
13:42:46.149 Disk 0 Vendor: ST9500420AS 0006HPM1 Size: 476940MB BusType: 11
13:42:46.166 Disk 0 MBR read successfully
13:42:46.168 Disk 0 MBR scan
13:42:46.171 Disk 0 unknown MBR code
13:42:46.178 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
13:42:46.191 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 463519 MB offset 409600
13:42:46.220 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 13220 MB offset 949696512
13:42:46.224 Service scanning
13:42:48.301 Modules scanning
13:42:48.312 Disk 0 trace - called modules:
13:42:48.341 ntoskrnl.exe CLASSPNP.SYS disk.sys hpdskflt.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
13:42:48.346 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8004cac520]
13:42:48.354 3 CLASSPNP.SYS[fffff8800111c43f] → nt!IofCallDriver → [0xfffffa8004ca9870]
13:42:48.360 5 hpdskflt.sys[fffff88002332289] → nt!IofCallDriver → [0xfffffa8004ae01a0]
13:42:48.366 7 ACPI.sys[fffff88000ed77a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004b16060]
13:42:49.458 AVAST engine scan C:\Windows
13:42:51.694 AVAST engine scan C:\Windows\system32
13:45:42.041 AVAST engine scan C:\Windows\system32\drivers
13:45:57.807 AVAST engine scan C:\Users\Usuario
13:47:02.094 AVAST engine scan C:\ProgramData
13:47:02.330 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\AcrobatUpdater.exe INFECTED Win32:Trojan-gen
13:47:02.422 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\AdobeARM.exe INFECTED Win32:Trojan-gen
13:47:02.501 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\AdobeARMHelper.exe INFECTED Win32:Trojan-gen
13:47:02.581 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\15306\ReaderUpdater.exe INFECTED Win32:Trojan-gen
13:47:02.676 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\AcrobatUpdater.exe INFECTED Win32:Trojan-gen
13:47:02.768 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\AdobeARM.exe INFECTED Win32:Trojan-gen
13:47:02.842 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\AdobeARMHelper.exe INFECTED Win32:Trojan-gen
13:47:02.931 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\19775\ReaderUpdater.exe INFECTED Win32:Trojan-gen
13:47:03.032 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\AcrobatUpdater.exe INFECTED Win32:Trojan-gen
13:47:03.095 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\AdobeARM.exe INFECTED Win32:Trojan-gen
13:47:03.156 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\AdobeARMHelper.exe INFECTED Win32:Trojan-gen
13:47:03.223 File: C:\ProgramData\Adobe\Reader\9.4\ARM\agustin\26644\ReaderUpdater.exe INFECTED Win32:Trojan-gen
13:49:57.886 Scan finished successfully
13:50:36.811 Disk 0 MBR has been saved successfully to “C:\Users\agustin\Downloads\MBR.dat”
13:50:36.818 The log file has been saved successfully to “C:\Users\agustin\Downloads\aswMBR.txt”

The files reported by aswMBR are false positives, so no worries! :wink:

Oh, OK, thanks. After I closed the Acrobat auto-updater the files went away anyway :slight_smile:

Still, the original problem seems to be unsolved, although I am not seeing strange behavior right now (I’m afraid of rebooting, since I manually killed the offending update.exe process).

Thanks for taking the time to help.

Hi, let’s have a look in that folder, as this appears to be a new kid on the block.

Download OTL to your Desktop

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in:
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
C:\Program Files\Common Files\ComObjects*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
CREATERESTOREPOINT

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs.

Thanks!

I renamed the directory back to ComObjects, just in case, and OTL has been running for a few minutes now. I’ll attach the logs as soon as it finishes.

Done, but I just saw that the ComObjects directory is in a slightly different place.
I’m running OTL again with
C:\Program Files (x86)\Common Files\ComObjects
instead.

Thanks!

Again, with the correct (?) directory name.

I had to split the file in order to upload it here.

Thanks!!!

part 2…

OK, there is one JS file in there that happens to be so close to a legitimate DLL but is a tad wrong, so I will remove that to quarantine.

Once this run has completed, could you check to see if the problem persists?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
O4 - HKLM..\Run: [RegistrarUsrDNIeCertStoreDLL] C:\Program Files (x86)\DNIe\udcs.exe ()
[2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\js3260.dll

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I’ve tried twice to run this, but the first time it didn’t seem to work correctly (on startup an error message saying it couldn’t remove a file appeared) and the second time the computer stopped responding while creating the restore point.
I’ll try to run it again.
The update.exe has appeared again and contacts many unwanted URLs.

Opening OTL.exe again, it opens a txt file:

Files\Folders moved on Reboot…
File move failed. C:\Users\agustin\AppData\Local\Temp\FXSAPIDebugLogFile.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

Could you re-run the fix but with just this in, please?

[2012/01/06 09:09:04 | 000,044,032 | ---- | M] () -- C:\Program Files (x86)\Common Files\ComObjects\js3260.dll

Yes.
It must have worked before because it now says:

========== OTL ==========
File C:\Program Files (x86)\Common Files\ComObjects\js3260.dll not found.

OTL by OldTimer - Version 3.2.31.0 log created on 02062012_231426

(however the strange firefox update.exe process is still being spawned regularly by wscript.exe)

Thanks for helping out!

OK, let’s have another look in the folder.

Run a quick scan with the following script:

C:\Program Files (x86)\Common Files\ComObjects*.* /s

I thought you might ask for it ;). I launched it last night, with:

%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
C:\Windows\assembly\tmp\U*.* /s
C:\Program Files (x86)\Common Files\ComObjects*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*

Thanks!

Here is a screenshot of the process. It was more obvious before, since I could see it connecting to bogus URLs. Now it starts up, it gets killed by a cscript.exe, and after a while wscript starts it up again.
Both wscript and cscript seem to be using data.js in the ComObjects directory.

Could you follow the trail back up and see what kick-starts it into action?
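An added example (not from this thread or from the OTL tool) of one way to follow that trail on the affected machine: it lists the wscript.exe, cscript.exe and update.exe processes with their command lines and parent chain, then searches the Run keys and scheduled tasks for anything referencing the ComObjects folder or data.js. It assumes the folder path reported earlier in the thread, an elevated prompt, and the PowerShell 2.0 that ships with Windows 7 (hence Get-WmiObject rather than newer cmdlets).

```powershell
# Added example (not from this thread): map the wscript.exe -> update.exe chain
# and look for what launches it. PowerShell 2.0-compatible; run elevated.
$suspectDir = 'C:\Program Files (x86)\Common Files\ComObjects'  # path given in the thread
$patterns   = @('ComObjects', 'data.js')                          # strings worth flagging

# 1. Snapshot all processes so parents can be resolved by PID.
$procs = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-ParentChain([int]$ProcId) {
    # Walk ParentProcessId upward; stop on a missing (exited) or already-seen PID.
    $chain = @(); $seen = @{}
    while ($byPid.ContainsKey($ProcId) -and -not $seen.ContainsKey($ProcId)) {
        $seen[$ProcId] = $true
        $p = $byPid[$ProcId]
        $chain += ('{0} (PID {1})' -f $p.Name, $p.ProcessId)
        $ProcId = [int]$p.ParentProcessId
    }
    $chain -join ' <- '
}

# 2. Script hosts and the suspect updater, with full command line and ancestry.
$procs | Where-Object { @('wscript.exe','cscript.exe','update.exe') -contains $_.Name.ToLower() } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Process     = $_.Name
            PID         = $_.ProcessId
            CommandLine = $_.CommandLine
            ParentChain = Get-ParentChain ([int]$_.ProcessId)
        }
    } | Format-List Process, PID, CommandLine, ParentChain

# 3. Autostart locations that could relaunch the script host after a reboot
#    (Wow6432Node covers 32-bit software, which is where Program Files (x86) lives).
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty $k).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        foreach ($pat in $patterns) {
            if ("$($prop.Value)" -like "*$pat*") { '{0}\{1} = {2}' -f $k, $prop.Name, $prop.Value }
        }
    }
}
# Scheduled tasks: grep the verbose CSV so localized column names do not matter.
schtasks /query /fo csv /v | Select-String -SimpleMatch -Pattern $patterns
```

Any hit in the Run keys or task list is the launcher to remove; a chain that ends in a PID not in the snapshot means the parent already exited, which is typical of a task-scheduler or script-host relaunch loop.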