iarsin
January 27, 2020, 10:57pm
1
iarsin
January 27, 2020, 11:01pm
2
Pondus
January 27, 2020, 11:16pm
3
Hm, I'm just curious: since when are Avast/AVG no longer listed on VirusTotal?
They are listed for file scan but not URL blacklist
That site is blocked by NOD32 as well.
Do you have Avast and NOD32 installed?
iarsin
January 28, 2020, 12:02am
4
Yes, I know that that is a bad idea, and that two different antiviruses interfere with each other and may therefore cause system hangs and BSODs. I was looking for a current antivirus database/signature file for (Free)DOS NOD32 (nod32.000), and thought that I might get the database by installing it on Windows 10, but they changed the database layout. I disabled the NOD32 modules to reduce the possible interference. I'll remove NOD32 soon.
BTW: ClamAV is still an option for DOS; otherwise one has to use outdated scanners, F-Prot 3.16b for example. Unfortunately F-Prot also changed its database/signature layout. An older version of F-Prot still gets current signatures(!). I don't know if there are NEW DOS viruses in the wild, though.
iarsin
January 28, 2020, 12:43am
5
It seems that Malwarebytes removed it.
One of the following quarantined items:
PUP.Optional.WinYahoo, C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\BROWSER\EXTENSIONS\JID1-G80EC8LLEBK5FQ@JETPACK.XPI, Delete on reboot, 240, 256139, 1.0.18288, , ame,
Adware.CrossAd.Generic, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\ax6c67pz.default-1448066901262\EXTENSIONS\@wordpress-theme-and-plugins-detector.xpi, Delete on reboot, 2023, 443246, 1.0.18288, , ame,
PUP.Optional.ForcedInstalledExtensionFF, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AX6C67PZ.DEFAULT-1448066901262\EXTENSIONS\{E6A9A96E-4A08-4719-B9BD-0E91C35AAABC}.XPI, Delete on reboot, 1782, 547035, 1.0.18288, , ame,
PUP.Optional.Amazon1Button, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AX6C67PZ.DEFAULT-1448066901262\EXTENSIONS\ABB@AMAZON.COM.XPI, Delete on reboot, 3185, 493346, 1.0.18288, , ame,
PUP.Optional.Amazon1Button, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\EXTENSIONS\ABB@AMAZON.COM.XPI, Delete on reboot, 3185, 493346, 1.0.18288, , ame,
PUP.Optional.ForcedInstalledExtensionFF, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\EXTENSIONS\{E6A9A96E-4A08-4719-B9BD-0E91C35AAABC}.XPI, Delete on reboot, 1782, 547035, 1.0.18288, , ame,
PUP.Optional.RemoteInjectionFF, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\EXTENSIONS\ARTUR.DUBOVOY@GMAIL.COM.XPI, Delete on reboot, 1797, 680966, 1.0.18288, , ame,
PUP.Optional.RemoteInjectionFF, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AX6C67PZ.DEFAULT-1448066901262\EXTENSIONS\ARTUR.DUBOVOY@GMAIL.COM.XPI, Delete on reboot, 1797, 680966, 1.0.18288, , ame,
PUP.Optional.Conduit, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\PREFS.JS, Replaced, 199, 301520, 1.0.18288, , ame,
PUP.Optional.Conduit, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\PREFS.JS, Replaced, 199, 303091, 1.0.18288, , ame,
PUP.Optional.Conduit, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\89H1UU73.ESR 60.3.0 WIN64DE\PREFS.JS, Replaced, 199, 301520, 1.0.18288, , ame,
PUP.Optional.WinBing, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\SEARCHPLUGINS\BING-LAVASOFT-FF59.XML, Delete on reboot, 5314, 678452, 1.0.18288, , ame,
PUP.Optional.Conduit, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AX6C67PZ.DEFAULT-1448066901262\PREFS.JS, Replaced, 199, 301520, 1.0.18288, , ame,
PUP.Optional.WinBing, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\89H1UU73.ESR 60.3.0 WIN64DE\SEARCHPLUGINS\BING-LAVASOFT-FF59.XML, Delete on reboot, 5314, 678452, 1.0.18288, , ame,
I don't think that every Firefox extension listed is harmful, but I know that I once had issues with the Conduit (fake) search engine. Maybe I reinstalled it drive-by with a piece of software I like …
S3-amazonasws (Other:Malware-gen[Trj])
https://dieviren.de/amazonaws/
Conduit
https://dieviren.de/conduit-virus/
PUP.Optional.ForcedInstalledExtensionFF
https://blog.malwarebytes.com/detections/pup-optional-forcedinstalledextensionff/
PUP.Optional.RemoteInjectionFF
https://forums.malwarebytes.com/topic/247169-very-odd-arturdubovoygmailcomxpi-detected-today/
https://bugzilla.mozilla.org/show_bug.cgi?id=1549444
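The quarantine listing above is a flat list of detection name, path and action, which makes it hard to see at a glance how many Firefox profiles were touched, which extension IDs recur across profiles, and where the scanner rewrote `prefs.js` (the search/homepage hijack indicator) rather than deleting a file. The script below is an added example, not code from the post or from Malwarebytes; it parses lines in that shape and summarises them. The sample input is a handful of lines copied from the listing (actions translated to English). It assumes the first three comma-separated fields are detection, path and action; the trailing numeric fields are Malwarebytes-internal and are ignored, since their meaning is not documented on this page.

```python
"""Summarise Malwarebytes quarantine lines: which Firefox profiles were hit,
which extension IDs were removed, and where prefs.js was rewritten."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines copied from the quarantine listing above,
# with the German action names translated ("Delete on reboot", "Replaced").
SAMPLE_LOG = r"""
PUP.Optional.WinYahoo, C:\PROGRAM FILES (X86)\MOZILLA FIREFOX\BROWSER\EXTENSIONS\JID1-G80EC8LLEBK5FQ@JETPACK.XPI, Delete on reboot, 240, 256139, 1.0.18288, , ame,
PUP.Optional.ForcedInstalledExtensionFF, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\EXTENSIONS\{E6A9A96E-4A08-4719-B9BD-0E91C35AAABC}.XPI, Delete on reboot, 1782, 547035, 1.0.18288, , ame,
PUP.Optional.RemoteInjectionFF, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\AX6C67PZ.DEFAULT-1448066901262\EXTENSIONS\ARTUR.DUBOVOY@GMAIL.COM.XPI, Delete on reboot, 1797, 680966, 1.0.18288, , ame,
PUP.Optional.Conduit, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\PREFS.JS, Replaced, 199, 301520, 1.0.18288, , ame,
PUP.Optional.Conduit, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\89H1UU73.ESR 60.3.0 WIN64DE\PREFS.JS, Replaced, 199, 301520, 1.0.18288, , ame,
PUP.Optional.WinBing, C:\USERS\IARSIN\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\T34TL15G.DEFAULT-1548505488993\SEARCHPLUGINS\BING-LAVASOFT-FF59.XML, Delete on reboot, 5314, 678452, 1.0.18288, , ame,
"""

# Firefox profile directory name sits directly under ...\PROFILES\ (any case).
PROFILE_RE = re.compile(r"\\PROFILES\\([^\\]+)\\", re.IGNORECASE)


@dataclass
class Detection:
    name: str
    path: str
    action: str
    profile: Optional[str]  # profile directory name, None for machine-wide paths
    kind: str               # "extension", "prefs", "searchplugin" or "other"


def classify(path: str) -> str:
    """Classify a quarantined path by what part of Firefox it belongs to."""
    upper = path.upper()
    if upper.endswith("\\PREFS.JS"):
        return "prefs"
    if "\\SEARCHPLUGINS\\" in upper:
        return "searchplugin"
    if "\\EXTENSIONS\\" in upper and upper.endswith(".XPI"):
        return "extension"
    return "other"


def parse_line(line: str) -> Optional[Detection]:
    """Parse one listing line; returns None for blank or non-matching lines.
    Assumption: fields are 'detection, path, action, ...' and the path has
    no embedded commas (true for every line in the listing above)."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < 3 or not parts[1].upper().startswith("C:\\"):
        return None
    name, path, action = parts[0], parts[1], parts[2]
    m = PROFILE_RE.search(path)
    return Detection(name, path, action, m.group(1) if m else None, classify(path))


def summarise(log: str) -> dict:
    """Aggregate the listing into the facts an analyst actually wants."""
    dets = [d for d in (parse_line(ln) for ln in log.splitlines()) if d]
    profiles = sorted({d.profile for d in dets if d.profile})
    # A "Replaced" prefs.js means browser settings (search engine, homepage)
    # were rewritten by the scanner, i.e. a hijack was active in that profile.
    prefs_rewritten = sorted(
        {d.profile for d in dets if d.kind == "prefs" and d.action == "Replaced" and d.profile}
    )
    # Extension file names (XPI) stripped of their directory; the same ID
    # showing up under several profiles points at one installer, not the user.
    extensions = sorted({d.path.rsplit("\\", 1)[-1] for d in dets if d.kind == "extension"})
    return {
        "count": len(dets),
        "profiles": profiles,
        "prefs_rewritten": prefs_rewritten,
        "extensions": extensions,
        "by_name": Counter(d.name for d in dets),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against the full listing (paste the lines into `SAMPLE_LOG` or read a file) to get the per-profile view. The useful caveat it makes visible: removal here is path-based, so an extension ID that was present in two profiles, or a `prefs.js` that was rewritten in three, is a sign that whatever installed it operates above the profile level and may put it back; the ForcedInstalledExtensionFF write-up linked above is the place to start for that.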
The trouble with services like AWS, Azure Cloud, or Google Cloud is that they can be abused. Now obviously they employ techniques to stop the stupid people from abusing it, but the crafty ones always find a way around detection, even if only for a short while. However, the actual services (AWS, Google Cloud, and Azure Cloud) are all run by perfectly legitimate companies (Amazon, Google and Microsoft).
The important part (and often misunderstood) is that PUP does not immediately mean "malicious", simply Potentially Unwanted Program. I personally find it poor advertising to general end users, only because most cannot be bothered to find out what it actually means. All the typical end user sees is "50 items detected" followed by a string of seemingly random BS to them.
But that's just me. Conduit is a search engine hijacker; the RemoteInjectionFF is likely related to some kind of ad injector.