I have a very similar problem to others on the board (update.exe being spawned by wscript). It’s infected all three of my computers. I normally use AVG and it hasn’t detected anything. An interesting twist is because one of the computers has a bad CPU, update.exe crashes and a window with the title “AMozilla crash reporter” pops up saying “Firefox had a problem and crashed… Tell AMozilla about this crash so they can fix it” with buttons “Restart AFirefox” and “Quit AFirefox”
…
@alexd457 on completion of this fix you will get errors popping up at start about a missing file/programme. Ignore them as I will need to determine the launch point first
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c
C:\Program Files (x86)\Common Files\ComObjects\js3260.dll
C:\Program Files (x86)\Common Files\ComObjects\js3250.dll
C:\Program Files (x86)\Common Files\ComObjects\update.exe
C:\Program Files (x86)\Common Files\ComObjects\data.js
:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:

:regfind
data.js

- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Send the files directly to avast for analysis (see below) and then modify your post removing the sharing link.
Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.
I sent some samples of this yesterday - so I hope they will be in the definitions soon
Thanks, hopefully they will be added soon.
On restart, Windows Script Host error pops up.
crashreporter.exe - First seen by VirusTotal 2010-04-02 20:37:48 UTC (1 year, 10 months ago)
https://www.virustotal.com/file/280ebfee47bf6533796691f2ced8d51d7dcc866e53fb6a6466fffc53d0bf7405/analysis/1329069053/
data.js - First seen by VirusTotal 2012-02-01 13:40:30 UTC (1 week, 4 days ago)
https://www.virustotal.com/file/bf6c0f1d73d0d74a5c9aadf8e9753dc8029fe5ac966b3697a1ac05a3da4b8d18/analysis/1329069056/
update.exe - First seen by VirusTotal 2010-04-02 05:08:01 UTC (1 year, 10 months ago)
https://www.virustotal.com/file/fb9045b74615a339fcdc3016f899aec5b8afbdacde5421d94d777c709295c2fd/analysis/1329069060/
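The three VirusTotal links above each carry the SHA-256 of the file that was submitted. The following triage helper is an added example, not code from the thread or from avast; it walks a folder, hashes every file, and reports anything whose digest matches one of those three values. The folder path is only a default taken from the thread, and the sample file used by `self_check` is constructed.

```python
"""Added triage helper (not from the thread): hash every file under a folder
and report the ones whose SHA-256 matches a sample whose VirusTotal link is
quoted in the thread."""
import hashlib
import os
import sys
import tempfile

# SHA-256 values copied from the VirusTotal URLs in the thread.
KNOWN_SAMPLES = {
    "280ebfee47bf6533796691f2ced8d51d7dcc866e53fb6a6466fffc53d0bf7405": "crashreporter.exe",
    "bf6c0f1d73d0d74a5c9aadf8e9753dc8029fe5ac966b3697a1ac05a3da4b8d18": "data.js",
    "fb9045b74615a339fcdc3016f899aec5b8afbdacde5421d94d777c709295c2fd": "update.exe",
}

# Folder named in the thread; only a default, any path can be given on the command line.
DEFAULT_FOLDER = r"C:\Program Files (x86)\Common Files\ComObjects"


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_folder(folder, known=KNOWN_SAMPLES):
    """Return {file_path: sample_label} for files whose hash is in `known`.
    Files that cannot be read (locked, permission denied) are skipped, and a
    folder that does not exist simply yields no hits."""
    hits = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in known:
                hits[path] = known[digest]
    return hits


def self_check():
    """Exercise scan_folder on a constructed file in a temporary directory.
    Returns (labels matched against a hash computed here, hits against the
    real KNOWN_SAMPLES table, which must be empty for constructed content)."""
    content = b"constructed sample content, not a real file from the thread"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(content)
        expected = hashlib.sha256(content).hexdigest()
        own_hits = scan_folder(tmp, {expected: "constructed"})
        real_hits = scan_folder(tmp)
    return (list(own_hits.values()), real_hits)


if __name__ == "__main__":
    folder = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_FOLDER
    for path, label in scan_folder(folder).items():
        print(f"{label}: {path}")
```

A hash match is only confirmation that a file is byte-identical to the submitted sample; a recompiled or repacked copy will not match, so an empty result does not by itself mean the folder is clean.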
I ran SystemLook again. In the original instructions, there was a space after data.js. I removed the space and it found several registry entries.
Thank you for that, I did not notice the space.
This will now clear the popup and remove the final traces. Once done let me know of any problems
Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.
Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.
If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
[2012/02/04 17:36:28 | 000,000,000 | ---D | C] -- C:\Users\CUDA\AppData\Local\AMozilla
[2012/02/04 17:35:14 | 000,000,000 | ---D | C] -- C:\Users\CUDA\AppData\Roaming\AMozilla
:Reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"TaskMngr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMngr"=-
[HKEY_USERS\S-1-5-21-1193946699-3967883401-4202517870-1001\Software\Microsoft\Windows]
"TaskMngr"=-
:Files
ipconfig /flushdns /c
:Commands
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
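Two points in the exchange above are worth seeing in code: the SystemLook search for data.js that returned nothing until a trailing space was removed from the search term, and the "TaskMngr" values under the Run keys that the OTL fix removes. The script below is an added example, not code from the thread, SystemLook or OTL. It parses a registry export in .reg text form and searches key paths, value names and value data for a term, trimming the term first so that a stray space cannot hide a match (that SystemLook matches literally, space included, is an assumption drawn from what happened in the thread). The export text is constructed; the key and value names come from the thread, but the value data pointing wscript.exe at data.js is an assumption, not something the thread shows.

```python
"""Added example (not from the thread): search a .reg export the way a
registry find would, and show the effect of a trailing space on the term."""
import re

# Constructed .reg export. Key paths and the "TaskMngr" value name mirror the
# thread's OTL fix; the value data (wscript.exe launching data.js) is an
# assumption made for this example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows]
"TaskMngr"="wscript.exe \"C:\\Program Files (x86)\\Common Files\\ComObjects\\data.js\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskMngr"="wscript.exe \"C:\\Program Files (x86)\\Common Files\\ComObjects\\data.js\""

[HKEY_CURRENT_USER\Software\AMozilla\AFirefox]
"Version"="1.0"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')  # "name"=data (default "@=" values are ignored)


def parse_reg(text):
    """Yield (key_path, value_name, raw_value_data) for each named value."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def regfind(text, needle, strip=True):
    """Return [(key, name, data)] where needle occurs, case-insensitively, in the
    key path, the value name or the value data. strip=True removes surrounding
    whitespace from the term first; strip=False reproduces the literal match
    that made 'data.js ' (with a trailing space) find nothing in the thread."""
    if strip:
        needle = needle.strip()
    needle_l = needle.lower()
    hits = []
    for key, name, data in parse_reg(text):
        if needle_l in key.lower() or needle_l in name.lower() or needle_l in data.lower():
            hits.append((key, name, data))
    return hits


def run_key_entries(text, value_name="TaskMngr"):
    """Return the key paths holding a value with exactly this name; these are the
    entries the OTL :Reg section above deletes with "TaskMngr"=-."""
    return [key for key, name, _data in parse_reg(text) if name.lower() == value_name.lower()]


if __name__ == "__main__":
    print("literal 'data.js ':", regfind(SAMPLE_REG, "data.js ", strip=False))
    print("trimmed  'data.js ':", regfind(SAMPLE_REG, "data.js "))
    print("TaskMngr under:", run_key_entries(SAMPLE_REG))
```

The parser is deliberately minimal (one value per line, no continuation lines, no `@=` default values); it is enough to illustrate the search semantics, and a real export from `reg export` can be fed to `regfind` in the same way.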
Thanks, that did the trick. Maybe delete "C:\Program Files (x86)\Common Files\ComObjects" also? I also found a couple of registry entries:
[HKEY_CURRENT_USER\Software\AMozilla\AFirefox]
[HKEY_USERS\S-1-5-21-1193946699-3967883401-4202517870-1001\Software\AMozilla\AFirefox]
Those are just orphaned registry keys and are of no import, so you can delete them manually.
The ComObjects folder is used by Firefox/Chrome, so it may not be a good idea to kill that.
Any further problems?
FYI, I’ve never had either Firefox or Chrome installed on this machine. The folder is 27 MB with what look like ordinary files.
Copy the entire folder to your desktop
Delete the folder “C:\Program Files (x86)\Common Files\ComObjects”
If after a few days you have no problems then delete the copy from the desktop