Firefox "update.exe" malware?

Hi everyone,

I’ve just got a new build PC running Windows 7 64-bit. I’ve only had it for a few days, but Avast keeps coming up with a Malware blocked message:

Infection Details
URL: hxtp://allzoomovies.com/?x
Process: file://C:\Program Files (x86)\Common Files\ComObjects\update.exe
Infection: html:Iframe-inf

I have never been on the website quoted or anything similar but it comes up with this message almost every time I launch Firefox.

Going to the destination folder, the file has a Firefox logo and cannot be deleted (comes up with a message reading something like “Firefox is still using this file so it cannot be deleted”, even when Firefox is not installed).

So far Avast is blocking it but I don’t want this to escalate and ruin my nice new PC!

ANY help is greatly appreciated!

Nick

UPDATE: It’s also calling the same file a Suspicious File now!

-http://allzoomovies.com/
Sucuri - http://sitecheck.sucuri.net/results/http://allzoomovies.com/

VirusTotal
https://www.virustotal.com/file/0409d3fae1729689c4813f2516d3559b6fecbb3f64b6a2180fe826a1fa93db4c/analysis/1327927242/

Process: file://C:\Program Files (x86)\Common Files\ComObjects\update.exe

Upload the suspicious file(s) to www.virustotal.com and test with 40+ malware scanners.
When you have the result, copy the URL in the address bar and post it here for us to see.

alternative
Jotti http://virusscan.jotti.org/en
VirSCAN http://virscan.org/
Metascan http://www.metascan-online.com/

Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

You might not have been on the web site in the alert, but something on your system is trying to connect to it: “C:\Program Files (x86)\Common Files\ComObjects\update.exe”

Do you know what this ComObjects folder/application is about?
It may be that it is legit but the site has been hacked.

Check for malware with this

Malwarebytes Anti-Malware http://filehippo.com/download_malwarebytes_anti_malware/
Always click the update button before you start a scan.
Click on the remove selected button to quarantine anything found.

post the scan log here
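The posting advice above asks for two things: defanged URLs and a VirusTotal result for the file. The following Python, added here as an example (not code from the thread or from any of the tools mentioned), does the local half of both: it defangs and refangs a URL, hashes a file with SHA-256 so the hash can be searched on VirusTotal without uploading the file, and builds the report URL in the form the VirusTotal links in this thread use. The file it hashes is a constructed placeholder written to a temporary directory; the hash it prints belongs to those constructed bytes, not to the update.exe in question.

```python
import hashlib
import re
import tempfile
from pathlib import Path


# URL defanging as requested in the post above: http -> hxxp, www -> wXw,
# and every dot in the host becomes [.] so the link cannot be clicked by accident.
def defang_url(url: str) -> str:
    scheme, sep, rest = url.partition("://")
    if sep:
        scheme = re.sub(r"^http", "hxxp", scheme, flags=re.IGNORECASE)
    else:  # bare host without a scheme, e.g. "www.example.com/path"
        scheme, rest = "", url
    host, slash, path = rest.partition("/")
    host = re.sub(r"^www", "wXw", host, flags=re.IGNORECASE).replace(".", "[.]")
    return f"{scheme}{sep}{host}{slash}{path}"


# Inverse of defang_url; also accepts the "hxtp" spelling used in the first post.
def refang_url(defanged: str) -> str:
    s = re.sub(r"^hx[xt]p", "http", defanged, flags=re.IGNORECASE).replace("[.]", ".")
    scheme, sep, rest = s.partition("://")
    if not sep:
        scheme, rest = "", s
    rest = re.sub(r"^wxw", "www", rest, flags=re.IGNORECASE)
    return f"{scheme}{sep}{rest}"


# Streamed SHA-256 so large binaries are hashed without loading them into memory.
def sha256_of_file(path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Report URL in the form used by the VirusTotal links in this thread
# (https://www.virustotal.com/file/<sha256>/analysis/); searching by hash
# shows any existing report without uploading the file itself.
def virustotal_report_url(sha256_hex: str) -> str:
    sha256_hex = sha256_hex.lower()
    if not re.fullmatch(r"[0-9a-f]{64}", sha256_hex):
        raise ValueError("expected a 64-character hex SHA-256")
    return f"https://www.virustotal.com/file/{sha256_hex}/analysis/"


# Hash a constructed placeholder file (NOT the real update.exe) and produce
# a report URL plus the defanged form of the alert URL, ready to post.
def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"abc")  # constructed content; a real sample would go here
        digest = sha256_of_file(sample)
    alert_url = "http://allzoomovies.com/?x"  # the URL from the alert in this thread
    return {
        "sha256": digest,
        "report_url": virustotal_report_url(digest),
        "defanged_alert_url": defang_url(alert_url),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Searching VirusTotal by hash first is the cheaper step: if the file has already been submitted by someone else you get the existing report immediately, and you avoid sending a possibly private binary anywhere until you decide to.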

Norman lab

allzoomovies.com.htm : Processed - HTML/Redir.JN

Here’s the result from the scan:

https://www.virustotal.com/file/fb9045b74615a339fcdc3016f899aec5b8afbdacde5421d94d777c709295c2fd/analysis/

Well, it isn’t update.exe that avast is alerting on, as that is the process responsible for making the connection to the site, which avast considers malicious. So I wouldn’t really have expected VT to find anything, or avast may have been likely to have alerted on that file, not the URL location. This isn’t uncommon, as this element would appear benign; it is just where it is trying to send you that would do the dirty deed, were it not for avast blocking that.

I have done a search and found only one other instance of this C:\Program Files (x86)\Common Files\ComObjects\update.exe, and it supports this ComObjects folder being highly suspect.

So download and install Malwarebytes Anti-Malware (MBAM), update it, run it and post the contents of the log file as asked by Pondus.

  • This, however, may require further investigation:
    Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on logs to assist in cleaning malware. Use the information about getting and using the logs, then start your own new topic and attach the logs there, not in the LOGS topic.

You will already have made a head start by running MBAM as asked.

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.01.03

Windows 7 x64 NTFS
Internet Explorer 9.0.8112.16421
Nick & Liz :: TEST-PC [administrator]

01/02/2012 11:17:47
mbam-log-2012-02-01 (11-17-47).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 381310
Time elapsed: 34 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
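The MBAM log above is the kind of thing helpers in this thread are asked to read repeatedly. The following Python, added here as an example and not Malwarebytes’ own code, parses a log in that layout into header fields, per-category detection counts and the listed items, and cross-checks the declared counts against the items actually listed so a truncated paste is noticed. The log it parses is constructed in the same layout as the one above, with one invented detection so the summary has something to flag.

```python
import re

# Constructed MBAM 1.x log in the same layout as the one posted above, with one
# invented detection added so the summary has something to flag. Not a real scan.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.01.03

Windows 7 x64 NTFS
User :: EXAMPLE-PC [administrator]

01/02/2012 11:17:47
mbam-log-2012-02-01 (11-17-47).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 381310
Time elapsed: 34 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files (x86)\Example\sample.exe (Trojan.Example) -> Quarantined and deleted successfully.

(end)
"""

HEADER_KEYS = ("Database version", "Scan type", "Objects scanned", "Time elapsed")
# "Memory Processes Detected: 0", "Files Detected: 1", ...
DETECT_RE = re.compile(r"^(?P<category>[A-Za-z ]+?) Detected: (?P<count>\d+)$")
# "<path or key> (<detection name>) -> <action taken>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> dict:
    """Return header fields, per-category detection counts and the listed items."""
    result = {"header": {}, "detections": {}, "items": []}
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank, "(No malicious ...)", "(end)"
            continue
        for key in HEADER_KEYS:
            if line.startswith(key + ":"):
                result["header"][key] = line.split(":", 1)[1].strip()
        m = DETECT_RE.match(line)
        if m:
            category = m.group("category")
            result["detections"][category] = int(m.group("count"))
            continue
        m = ITEM_RE.match(line) if category else None
        if m:  # an item listed under the current category
            result["items"].append({"category": category, **m.groupdict()})
    return result


def count_mismatches(parsed: dict) -> dict:
    """Categories whose declared count differs from the items actually listed;
    a mismatch usually means the pasted log was truncated or edited."""
    listed = {}
    for item in parsed["items"]:
        listed[item["category"]] = listed.get(item["category"], 0) + 1
    return {cat: (declared, listed.get(cat, 0))
            for cat, declared in parsed["detections"].items()
            if declared != listed.get(cat, 0)}


def verdict(parsed: dict) -> str:
    """One-line summary of the categories that reported anything."""
    flagged = {c: n for c, n in parsed["detections"].items() if n}
    if not flagged:
        return "clean: no detections in any category"
    return "detections: " + ", ".join(f"{c}={n}" for c, n in flagged.items())


if __name__ == "__main__":
    parsed = parse_mbam_log(SAMPLE_LOG)
    print(parsed["header"])
    print(verdict(parsed))
    for item in parsed["items"]:
        print(f"  [{item['category']}] {item['item']} -> {item['name']} ({item['action']})")
    print("count mismatches:", count_mismatches(parsed) or "none")
```

The count check matters because a log that says "Files Detected: 3" but lists one item has been cut, and the missing lines are usually the interesting ones.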

Proceed with the other scans (OTL) and attach their logs.

Here you go!

Essexboy, one of our malware removal specialists, should take a look at it later on; he is normally on-line from 7pm UK time, and it is currently 4:10pm in the UK.

Cheers, you guys are quite literally Gods of technology.

Hi, I would like to look at the launch points next.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
@Alternate Data Stream - 1055 bytes -> C:\Users\Nick & Liz\AppData\Local\Temp:f7QDsmoZwpktY9wVf

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top.
  • Let the program run unhindered; reboot the PC when it is done.

Then re-run OTL, copy/paste the following into the custom scans box and press Run Scan:

hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs

Just to clarify to the OP: based on the SHA-256, it is goodware.

http://systemexplorer.net/filereviews.php?fid=873766

The problem being this has nothing to do with firefox.exe in the link that you posted.

Nor is firefox.exe mentioned in the quoted text; it is update.exe, and the fact that that has a Firefox icon just makes me more suspicious of it.

Cool, this is what was in the text document that opened after the FIX ran:

All processes killed
========== OTL ==========
ADS C:\Users\Nick & Liz\AppData\Local\Temp:f7QDsmoZwpktY9wVf deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Nick & Liz\Downloads\cmd.bat deleted successfully.
C:\Users\Nick & Liz\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56502 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Nick & Liz
->Temp folder emptied: 188943416 bytes
->Temporary Internet Files folder emptied: 40066395 bytes
->Java cache emptied: 388972 bytes
->FireFox cache emptied: 198005266 bytes
->Flash cache emptied: 59346 bytes

User: Public

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 436434 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 93931923 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50400 bytes
RecycleBin emptied: 1841 bytes

Total Files Cleaned = 498.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.31.0 log created on 02022012_190149

Files\Folders moved on Reboot…
C:\Users\Nick & Liz\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Windows\temp_avast_\Webshlock.txt scheduled to be moved on reboot.

Registry entries deleted on Reboot…

The document that opened after the SCAN is annoyingly too large to be an attachment. Suggestions?

Many thanks again!

Could you upload to MediaFire and post the sharing link? http://www.mediafire.com/

Also, are you still getting the alert?

Here’s the link:

http://www.mediafire.com/file/hnuk99862bxgfu1/OTL.Txt

Haven’t had the alert recently, but will keep you posted if it appears.

If all is OK tomorrow, I will remove my tools.

The alert has just popped up again, lame. Could it be on an external hard drive?