itman 1,746 Posted February 26, 2020
Also per the malwarebytes forum posting linked above, Kaspersky TDSS did not find anything objectionable about this bugger. Namely that it is validly signed:
Quote:
20:10:29.0865 0x3080 [ 49958506B773E40D31832E3EEDA522E7, FB9045B74615A339FCDC3016F899AEC5B8AFBDACDE5421D94D777C709295C2FD ] C:\Program Files (x86)\Common Files\OmniSoft\update.exe
20:10:29.0883 0x3080 firefox - ok
itman 1,746 Posted February 26, 2020
Also something else from the MBAM forum from the same poster. Check if this shows in Win installed programs:
Quote:
Remove this program in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
Nightowl 206 (Most Valued Members) Posted February 26, 2020
41 minutes ago, itman said:
Also something else from the MBAM forum from the same poster. Check if this shows in Win installed programs:
This is probably due to an infected KMSPico; it might not apply to his case.
itman 1,746 Posted February 26, 2020 (edited)
3 hours ago, Nightowl said:
This is probably due to infected KMSpico, it might not apply to his case
KMSPico is a cracker for Microsoft products. Eset won't even allow you to access its website, detecting it as malicious. It goes w/o saying that if this bugger was installed, you have been nailed in some fashion.
Edited February 26, 2020 by itman
Nightowl 206 (Most Valued Members) Posted February 27, 2020
13 hours ago, itman said:
KMSPico is a cracker for Microsoft products. Eset won't even allow you to access its website; detecting it as malicious. It goes w/o saying that if this bugger was installed, you have been nailed in some fashion.
ESET will not touch it if you disable the detection of unsafe applications. KMSPico is not malicious if it's not made malicious by someone else; the original one is not malicious, it's just a hacktool for Windows.
kafpolo 0 (Author) Posted February 27, 2020
21 hours ago, itman said:
Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on like named button. This should at least let us know if a rootkit is present or the MBR is infected.
I did this and used the Avast boot-time tool; there were no detections. Does that mean that there isn't an infection? If so, what do I have to do with the OmniSoft files and folders? Do I have to make any other scans?
kafpolo 0 (Author) Posted February 27, 2020
18 hours ago, Nightowl said:
This is probably due to infected KMSPico, it might not apply to his case
No, it doesn't apply, I haven't installed any hacktool for Windows.
itman 1,746 Posted February 27, 2020
1 hour ago, kafpolo said:
If so, what do I have to do with the omnisoft files and folders?
As I posted previously, if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder.
kafpolo 0 (Author) Posted February 27, 2020
51 minutes ago, itman said:
As I posted previously if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder
I moved them to the recycle bin and nothing happened after I turned on the PC. Then I accidentally moved some back to the OmniSoft folder and they changed their name, with $ and random letters and numbers. Why did this happen?
itman 1,746 Posted February 27, 2020
14 minutes ago, kafpolo said:
Then I accidentally moved some back to the omnisoft folder and they changed their name, with $ and random letters an numbers, why did this happened?
Enable the "hidden files" option in the Windows Explorer View setting. I suspect the files were always named as such and restoring them basically did what the above option does: show the hidden extension associated with the files.
kafpolo 0 (Author) Posted February 27, 2020
So, that means that my PC is clear of infection?
itman 1,746 Posted February 27, 2020
Here's an old thread in the Avast forum dating from 2015 where the behavior observed was almost identical to that on your device: https://forum.avast.com/index.php?topic=92407.0 . The only difference here was that the directory where the fake Firefox updater.exe was located was named ComObjects. The OP in this posting stated he had a "new build." This leads me to believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was. If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.
kafpolo 0 (Author) Posted February 27, 2020
7 minutes ago, itman said:
The OP in this posting stated he had a "new build." This leads me believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software, prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was. If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.
I don't think that this applies in my case; I got my PC (which is an ASUS) 1 year ago.
itman 1,746 Posted February 27, 2020
3 minutes ago, kafpolo said:
I don't think that this apply in my case, I got my pc (which is an ASUS) 1 year ago
FYI: https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software
itman 1,746 Posted February 27, 2020
Also note that from the Avast forum posting, Avast didn't detect this fake Firefox update.exe as malicious. It triggered on the outbound communication from it to a known malicious URL/IP address. My best guess is this bugger is legit software being used for other than legit purposes. Most likely for spyware purposes.
itman 1,746 Posted February 27, 2020
I just reanalyzed the Avast noted Firefox update.exe at VT and it's 100% clean. Worse, none of the cloud sandboxes, i.e. Hybrid-Analysis or Joe's Sandbox, detect any abnormal behavior. What this bugger appears to be is a very old legit ver. of Firefox. Suspect it can be run in hidden mode to perform Internet activities and only God knows what else. Look in this registry key for any suspicious .exe's not installed by you; e.g.:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
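The checks discussed in this thread (the signed update.exe, the IFEO key, the startup entry) can be scripted from an elevated PowerShell prompt. This is an added example, not code from the thread or from ESET; it assumes update.exe is still on disk at the path quoted from the TDSSKiller log, and the SHA-256 it compares against is the one from that same log line.

```powershell
# Added example, not from the thread: three checks a defender would run on a
# box like this one. Adjust $target if update.exe has already been deleted.
$target = 'C:\Program Files (x86)\Common Files\OmniSoft\update.exe'
# SHA-256 of OmniSoft\update.exe as reported in the quoted TDSSKiller log line
$knownSha256 = 'FB9045B74615A339FCDC3016F899AEC5B8AFBDACDE5421D94D777C709295C2FD'

if (Test-Path -LiteralPath $target) {
    $hash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $target
    [PSCustomObject]@{
        Path        = $target
        Sha256Match = ($hash -ieq $knownSha256)   # same binary as in the log?
        SigStatus   = $sig.Status                # Valid / NotSigned / HashMismatch ...
        Signer      = $sig.SignerCertificate.Subject
    } | Format-List
}

# IFEO: a subkey that carries a Debugger value makes Windows launch that
# program instead of the named image. Benign subkeys usually hold only values
# such as CFGOptions or MitigationOptions, so any Debugger value deserves a look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { [PSCustomObject]@{ Image = $_.PSChildName; Debugger = $dbg } }
} | Format-Table -AutoSize

# Autostart entries: the fix in the Avast thread was removing the startup
# entry, so list what remains under the usual Run/RunOnce keys.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { [PSCustomObject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
}
```

A valid Authenticode signature only proves who signed the file, not that running it from an unexpected folder at startup was intended, so the autostart listing is the part worth reviewing line by line.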
kafpolo 0 (Author) Posted February 27, 2020
6 hours ago, itman said:
Look in this registry key for any suspicious .exe's not installed by you; e.g.: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
In the IFEO there are only CFGOptions, MitigationOptions and DisableExceptionChainValidation. I don't think there are any suspicious .exes.
kafpolo 0 (Author) Posted February 27, 2020
7 hours ago, itman said:
FYI: https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software
I got ASUS LU with the latest update.
itman 1,746 Posted February 28, 2020
Again, I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc. by virtually all security software.
kafpolo 0 (Author) Posted February 28, 2020 (edited)
16 minutes ago, itman said:
Again I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc.. by virtual all security software.
What should I do about this? How could this problem be solved? Is this because of bloatware? If so, what bloatware?
Edited February 28, 2020 by kafpolo
Marcos 5,267 (Administrators) Posted February 28, 2020
If you have no reason to keep the sw, remove it.
itman 1,746 Posted February 28, 2020 (edited)
13 hours ago, kafpolo said:
What should I do about this? how could this problem be solved?
To begin with and again, it appears that the problem is solved since this update.exe is no longer running at system startup time. You're obsessing over removal of its remnants, most of which it appears you have already removed. Remember this forum's purpose is to address Eset operational issues including assistance in malware removal. This software is not classified as malware or any form of undesirable software. I suggest you use the services of malwaretips.com, bleepingcomputer.com, etc. whose web based forums contain sections for assistance in malware removal. Their personnel are trained in the use of FRST, RogueKiller, etc. which are specialized tools used to perform deep analysis on installed software and identify malware and the like.
Edited February 28, 2020 by itman
kafpolo 0 (Author) Posted February 28, 2020 (edited)
Before closing this I have just one more question: can this incident cause the BSOD error "pool_corruption"?
Edited February 28, 2020 by kafpolo
itman 1,746 Posted February 28, 2020
1 hour ago, kafpolo said:
Before closing this I have just one more question, can this incident make BSOD error "pool_corruption"?
Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header
I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.
kafpolo 0 (Author) Posted February 28, 2020
11 minutes ago, itman said:
Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header
I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.
Ok, thanks to @itman @Nightowl and @Marcos for helping 👍