kafpolo 0 Posted February 25, 2020 Share Posted February 25, 2020 (edited) At the beginning when the computer was turned on the program was automatically executed, the program uses many resources and can even crash the computer. I managed to disable its execution at startup, and after making an analisys the ESET antivirus did not detected the malware. So, I know the location of the executable "C:\Program Files (x86)\Common Files\OmniSoft" but I don't see how to uninstall this program, It is not at the contoll panel. having access to the location of the program folder, how can I uninstall it? Edited February 25, 2020 by kafpolo Link to comment Share on other sites More sharing options...
Administrators Marcos 5,074 Posted February 25, 2020 Administrators Share Posted February 25, 2020 Is the file detected by some other AVs at VirusTotal? It's obviously signed; is the digital signature ok if you select the appropriate tab in file properties? Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted February 25, 2020 Most Valued Members Share Posted February 25, 2020 (edited) Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater not update.exe This file is malicious , and it's suspicious Upload it to one of these : https://www.virustotal.com/gui/home/upload https://www.hybrid-analysis.com/ https://app.any.run/submissions/ Edited February 25, 2020 by Nightowl Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 25, 2020 Author Share Posted February 25, 2020 5 hours ago, Marcos said: Is the file detected by some other AVs at VirusTotal? It's obviously signed; is the digital signature ok if you select the appropriate tab in file properties? Yes, in Digital Signatures it appears that it is signed by Mozilla, and compared to the original, it has exactly the same configurations. Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 25, 2020 Author Share Posted February 25, 2020 4 hours ago, Nightowl said: Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater not update.exe This file is malicious , and it's suspicious Upload it to one of these : https://www.virustotal.com/gui/home/upload https://www.hybrid-analysis.com/ https://app.any.run/submissions/ Do I have to upload the .EXE or all the files that are in that folder? Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted February 25, 2020 Most Valued Members Share Posted February 25, 2020 45 minutes ago, kafpolo said: Do I have to upload the .EXE or all the files that are in that folder? Exe first , and some files in that folder might be connected to that malicious exe Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2020 Share Posted February 25, 2020 This C:\program files x(86)\common files\omnisoft\update.exe obviously has nothing to do with FireFox. It's update program is located in its specific C:\program files x(86) or C:\program files directory. For this reason alone, I say the program has nefarious purposes. Software located in C:\program files x(86)\common files directory get there usually as a result of something you downloaded and was placed there via installer method. It could also be adware that that was embedded or possibly even a coin miner since you state it is using a lot of system resources. The first place to check is Windows installed programs via Control Manager for anything that you don't recollect manually installing. I would start by creating an Eset firewall rule to block any outbound traffic from C:\program files x(86)\common files\omnisoft\update.exe. Make sure you enable event alert and log entry creation. When the alert occurs copy the Eset Network protection log entries related to the outbound traffic and post them in a forum reply. This will give us an idea of the server IP addresses the bugger is trying to connect to. Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2020 Share Posted February 25, 2020 (edited) Also check the signing certificates associated with update.exe. My guess is it is not a valid code signing one. Edited February 25, 2020 by itman Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 25, 2020 Author Share Posted February 25, 2020 (edited) 15 hours ago, Nightowl said: Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater not update.exe This file is malicious , and it's suspicious Upload it to one of these : https://www.virustotal.com/gui/home/upload https://www.hybrid-analysis.com/ https://app.any.run/submissions/ No detections... 9 hours ago, itman said: This C:\program files x(86)\common files\omnisoft\update.exe obviously has nothing to do with FireFox. It's update program is located in its specific C:\program files x(86) or C:\program files directory. For this reason alone, I say the program has nefarious purposes. Software located in C:\program files x(86)\common files directory get there usually as a result of something you downloaded and was placed there via installer method. It could also be adware that that was embedded or possibly even a coin miner since you state it is using a lot of system resources. The first place to check is Windows installed programs via Control Manager for anything that you don't recollect manually installing. I would start by creating an Eset firewall rule to block any outbound traffic from C:\program files x(86)\common files\omnisoft\update.exe. Make sure you enable event alert and log entry creation. When the alert occurs copy the Eset Network protection log entries related to the outbound traffic and post them in a forum reply. This will give us an idea of the server IP addresses the bugger is trying to connect to. I created the Firewall rule, the alert and log, but 4 hours later it has not detected anything yet. --- Is ther anything that I can do to get rid of this malware? Edited February 25, 2020 by kafpolo Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2020 Share Posted February 25, 2020 (edited) 46 minutes ago, kafpolo said: Is ther anything that I can do to get rid of this malware? Is it still running after you did this? 21 hours ago, kafpolo said: I managed to disable its execution at startup, and after making an analisys the ESET antivirus did not detected the malware. If so, there are two best possibilities what is starting it up: 1. Look in Win Scheduled Tasks if there is an entry for it. If so, delete it. 2. It's starting via WMI event. Do no. 1 first, and we'll worry about no. 2 later. Also if you are positive this is undesirable software, just delete the omnisoft folder for it under C:\program files x(86)\common files\. Edited February 25, 2020 by itman Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 25, 2020 Author Share Posted February 25, 2020 1 minute ago, itman said: Is it still running after you did this? not even when I restart the pc. Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2020 Share Posted February 25, 2020 4 minutes ago, kafpolo said: not even when I restart the pc. Don't understand your reply. Are you saying it runs when you restart the PC? Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 25, 2020 Author Share Posted February 25, 2020 1 minute ago, itman said: Don't understand your reply. Are you saying it runs when you restart the PC? No it doesn't runs since I did that Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2020 Share Posted February 25, 2020 Just now, kafpolo said: No it doesn't runs since I did that Then you solved the problem it appears. If you are worried about any traces of it, I would start by looking in Control Panel -> Programs and Features if something exists that relates to this software. If so, install it. Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to Omnisoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/ , that can do a forced uninstall. But, you have to know how to use it properly. Also if it is used in aggressive removal mode, it also can cause system issues thereafter. Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 25, 2020 Share Posted February 25, 2020 There is also a free utility by Microsoft SysInternals called Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads /autoruns . This is used primarily to find out what is starting up at boot time and block/remove undesired startup processes. Again, it appears you have already covered this. Also this tool's help/documentation should be thoroughly reviewed to use it properly and no bork something. Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 25, 2020 Author Share Posted February 25, 2020 3 minutes ago, itman said: Then you solved the problem it appears. If you are worried about any traces of it, I would start by looking in Control Panel -> Programs and Features if something exists that relates to this software. If so, install it. There is nothing related to the malware software at control panel. ------ 4 minutes ago, itman said: Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to Omnisoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/ , that can do a forced uninstall. But, you have to know how to use it properly. Also if it is used in aggressive removal mode, it also can cause system issues thereafter. Thanks, I will try this. Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 26, 2020 Author Share Posted February 26, 2020 25 minutes ago, itman said: Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to Omnisoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/ , that can do a forced uninstall. But, you have to know how to use it properly. Also if it is used in aggressive removal mode, it also can cause system issues thereafter. So in the registry I could find only this HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched :: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Common Files\OmniSoft\update.exe HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store :: C:\Program Files (x86)\Common Files\OmniSoft\uninstall\helper.exe Then I used the "revouninstaller" tool but there wasn't anything related to the Malware Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 26, 2020 Share Posted February 26, 2020 11 minutes ago, kafpolo said: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched :: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Common Files\OmniSoft\update.exe This key area is used to shown programs started by Win Explorer. Suspect whatever startup folder entry you found was in essence a shell that started update.exe via Win Explorer. 15 minutes ago, kafpolo said: Then I used the "revouninstaller" tool but there wasn't anything related to the Malware It's not used for that purpose. For example, you can use it to search for anything related to Omnisoft. Don't know if that option is available in the free version. 17 minutes ago, kafpolo said: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store :: C:\Program Files (x86)\Common Files\OmniSoft\uninstall\helper.exe This key is interesting. Did you check if there was an uninstaller program located in C:\Program Files (x86)\Common Files\OmniSoft\uninstall directory? Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 26, 2020 Author Share Posted February 26, 2020 (edited) 14 minutes ago, itman said: This key is interesting. Did you check if there was an uninstaller program located in C:\Program Files (x86)\Common Files\OmniSoft\uninstall directory? Yes, but it does not open any pop up, it does not run and it does not appear in the Task Manager. Basically doesn't work at all. Edited February 26, 2020 by kafpolo Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 26, 2020 Share Posted February 26, 2020 Something just occurred to me. This Omnisoft stuff might be related to some extension or the like you installed directly or inadvertently in FireFox. Perhaps something by Mozilla itself. This would at least explain the signed cert. by Mozilla for update.exe. Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 26, 2020 Author Share Posted February 26, 2020 1 minute ago, itman said: Something just occurred to me. This Omnisoft stuff might be related to some extension or the like you installed directly or inadvertently in FireFox. Perhaps something by Mozilla itself. This would at least explain the signed cert. by Mozilla for update.exe. But I uninstalled firefox and this remained, as I started the pc this program started opening pages in the malicious firefox. Link to comment Share on other sites More sharing options...
Most Valued Members Nightowl 202 Posted February 26, 2020 Most Valued Members Share Posted February 26, 2020 7 hours ago, kafpolo said: But I uninstalled firefox and this remained, as I started the pc this program started opening pages in the malicious firefox. Did you run a deep scan of your PC by your AV? Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 26, 2020 Share Posted February 26, 2020 (edited) I finally found a web reference to this Omnisoft fake FireFox garbage. Per this MalwareByte forum posting thread: https://forums.malwarebytes.com/topic/238865-mozilla-pops-up-with-pon-contents-whenever-i-boot-my-pc/?tab=comments#comment-1279613 . Initially it appeared that this might be a rootkit and Kaspersky's TDSS Killer: https://usa.kaspersky.com/downloads/tdsskiller got rid of it. However as the OP posted, looks like the bugger reinfected the installation somehow. This might have been via the previously noted startup entry the malware created. Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on like named button. This should at least let us know if a rootkit is present or the MBR is infected. Edited February 26, 2020 by itman Link to comment Share on other sites More sharing options...
kafpolo 0 Posted February 26, 2020 Author Share Posted February 26, 2020 58 minutes ago, itman said: Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on like named button. This should at least let us know if a rootkit is present or the MBR is infected. I will do it. Do you recommend to use Avast Boot-Time scan tool in addition to the Eset Costum scan? Link to comment Share on other sites More sharing options...
itman 1,659 Posted February 26, 2020 Share Posted February 26, 2020 (edited) 39 minutes ago, kafpolo said: Do you recommend to use Avast Boot-Time scan tool in addition to the Eset Costum scan? If you are referring to this: https://www.avast.com/c-rootkit-scanner-tool , I wouldn't use it. The download appears to be the installer for Avast free anti-virus. The download for https://www.bleepingcomputer.com/download/aswmbr/ which is the old Avast stand-alone scanner states it only supports up to Win 8.1. Edited February 26, 2020 by itman Link to comment Share on other sites More sharing options...
Recommended Posts