kafpolo

Firefox uptadte.exe virus

Recommended Posts

At the beginning, when the computer was turned on, the program was automatically executed; the program uses many resources and can even crash the computer.

 

I managed to disable its execution at startup, and after running an analysis the ESET antivirus did not detect the malware.

 


So, I know the location of the executable, "C:\Program Files (x86)\Common Files\OmniSoft", but I don't see how to uninstall this program; it is not in the Control Panel.

 

Having access to the location of the program folder, how can I uninstall it?

Edited by kafpolo


Is the file detected by some other AVs at VirusTotal? It's obviously signed; is the digital signature ok if you select the appropriate tab in file properties?


Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater, not update.exe.

This file is malicious, and it's suspicious.

Upload it to one of these:

https://www.virustotal.com/gui/home/upload

https://www.hybrid-analysis.com/

https://app.any.run/submissions/

Edited by Nightowl
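Before uploading anything, a practitioner would first pull the file's SHA-256 (which can be searched on VirusTotal without submitting the file) and inspect the Authenticode signature that Marcos asked about. The following PowerShell is an added example, not code from the thread, from ESET or from Mozilla; the path is the one reported in the thread, and the assumption that a genuine Mozilla binary carries a Valid signature whose subject names "Mozilla Corporation" is mine.

```powershell
# Added example (not from the thread): hash and signature report for the suspect file.
# Path is the one reported in the thread; the signer check below assumes genuine
# Mozilla binaries are signed with a subject containing "Mozilla Corporation".
$Path = 'C:\Program Files (x86)\Common Files\OmniSoft\update.exe'

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    $hash = Get-FileHash -LiteralPath $FilePath -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $ver  = (Get-Item -LiteralPath $FilePath).VersionInfo

    [pscustomobject]@{
        Path            = $FilePath
        SHA256          = $hash.Hash                       # search this on VirusTotal first
        SignatureStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $sig.SignerCertificate.Subject
        SignerIssuer    = $sig.SignerCertificate.Issuer
        SignerThumb     = $sig.SignerCertificate.Thumbprint
        TimeStamper     = $sig.TimeStamperCertificate.Subject
        ProductName     = $ver.ProductName                 # version resource is attacker-controlled text
        CompanyName     = $ver.CompanyName
        FileDescription = $ver.FileDescription
    }
}

$report = Get-SuspectFileReport -FilePath $Path
$report | Format-List

# "Signed by Mozilla" in the Properties dialog is not enough on its own:
# the status must be Valid (a tampered file shows HashMismatch) and the
# subject must be the real publisher, not a lookalike name.
if ($report.SignatureStatus -ne 'Valid') {
    Write-Warning "Signature is not valid: $($report.SignatureStatus)"
} elseif ($report.Signer -notmatch 'Mozilla Corporation') {
    Write-Warning "Valid signature, but signer is not Mozilla Corporation: $($report.Signer)"
}
```

Run it from a normal PowerShell prompt on the affected machine. The SHA256 value can be pasted into the VirusTotal search box to see whether the sample is already known, which answers the "upload the .EXE or the whole folder" question without uploading anything; the same function can be pointed at the other files in the folder one by one.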

5 hours ago, Marcos said:

Is the file detected by some other AVs at VirusTotal? It's obviously signed; is the digital signature ok if you select the appropriate tab in file properties?

Yes, in Digital Signatures it appears that it is signed by Mozilla, and compared to the original, it has exactly the same configurations.

4 hours ago, Nightowl said:

Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater, not update.exe.

This file is malicious, and it's suspicious.

Upload it to one of these:

https://www.virustotal.com/gui/home/upload

https://www.hybrid-analysis.com/

https://app.any.run/submissions/

Do I have to upload the .EXE or all the files that are in that folder?

45 minutes ago, kafpolo said:

Do I have to upload the .EXE or all the files that are in that folder?

Exe first, and some files in that folder might be connected to that malicious exe.


This C:\program files (x86)\common files\omnisoft\update.exe obviously has nothing to do with Firefox. Its update program is located in its specific C:\program files (x86) or C:\program files directory. For this reason alone, I say the program has nefarious purposes.

Software located in the C:\program files (x86)\common files directory usually gets there as a result of something you downloaded that was placed there by an installer. It could also be adware that was embedded, or possibly even a coin miner, since you state it is using a lot of system resources.

The first place to check is Windows installed programs via Control Manager for anything that you don't recollect manually installing.

I would start by creating an Eset firewall rule to block any outbound traffic from C:\program files (x86)\common files\omnisoft\update.exe. Make sure you enable event alert and log entry creation. When the alert occurs, copy the Eset Network protection log entries related to the outbound traffic and post them in a forum reply. This will give us an idea of the server IP addresses the bugger is trying to connect to.
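The same containment step can be done with the built-in Windows Defender Firewall when the ESET rule editor is not at hand: block the executable outbound and turn on logging of dropped packets so the destinations it tries to reach are recorded. This is an added example, not from the thread or from ESET; the rule name is constructed, the path is the one from the thread, and it must be run from an elevated PowerShell.

```powershell
# Added example (not from the thread): block outbound traffic from the suspect
# executable with Windows Defender Firewall and summarise the logged drops.
# Run as Administrator. Path is from the thread; the rule name is constructed.
$Target   = 'C:\Program Files (x86)\Common Files\OmniSoft\update.exe'
$RuleName = 'Block outbound - OmniSoft update.exe'

function Add-OutboundBlockRule {
    param([Parameter(Mandatory)][string]$Program, [Parameter(Mandatory)][string]$Name)

    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Program $Program `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    # Log dropped packets on every profile so the blocked attempts land in pfirewall.log.
    Set-NetFirewallProfile -All -LogBlocked True
    (Get-NetFirewallProfile -Name Domain).LogFileName   # where the log is written
}

function Get-DroppedOutboundDestinations {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")

    if (-not (Test-Path -LiteralPath $LogPath)) { return @() }

    Get-Content -LiteralPath $LogPath |
        Where-Object { $_ -notmatch '^#' } |          # skip the #Version / #Fields header lines
        ForEach-Object {
            $f = $_ -split '\s+'
            # Per the #Fields header: date time action protocol src-ip dst-ip src-port dst-port
            # size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path  (17 fields)
            if ($f.Length -ge 17 -and $f[2] -eq 'DROP' -and $f[-1] -eq 'SEND') {
                [pscustomobject]@{
                    Time        = "$($f[0]) $($f[1])"
                    Protocol    = $f[3]
                    Destination = $f[5]
                    Port        = $f[7]
                }
            }
        } |
        Group-Object Destination, Port |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Add-OutboundBlockRule -Program $Target -Name $RuleName
# ... let the machine run for a while, then:
Get-DroppedOutboundDestinations | Format-Table -AutoSize
```

One caveat a practitioner should know: the Windows firewall log records the destination address and port of a dropped packet but not the process that sent it, so on a busy machine the summary must be read alongside the rule (or the host kept otherwise idle) before attributing a destination to update.exe. When the investigation is over, `Remove-NetFirewallRule -DisplayName $RuleName` removes the rule. As in the thread, no logged drops after several hours is itself evidence the program is no longer running.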


Also check the signing certificates associated with update.exe. My guess is it is not a valid code signing one.

Edited by itman

15 hours ago, Nightowl said:

Firefox updater is located in C:\Program Files\Mozilla Firefox and it's called updater, not update.exe.

This file is malicious, and it's suspicious.

Upload it to one of these:

https://www.virustotal.com/gui/home/upload

https://www.hybrid-analysis.com/

https://app.any.run/submissions/

No detections...

 

9 hours ago, itman said:

This C:\program files (x86)\common files\omnisoft\update.exe obviously has nothing to do with Firefox. Its update program is located in its specific C:\program files (x86) or C:\program files directory. For this reason alone, I say the program has nefarious purposes.

Software located in the C:\program files (x86)\common files directory usually gets there as a result of something you downloaded that was placed there by an installer. It could also be adware that was embedded, or possibly even a coin miner, since you state it is using a lot of system resources.

The first place to check is Windows installed programs via Control Manager for anything that you don't recollect manually installing.

I would start by creating an Eset firewall rule to block any outbound traffic from C:\program files (x86)\common files\omnisoft\update.exe. Make sure you enable event alert and log entry creation. When the alert occurs, copy the Eset Network protection log entries related to the outbound traffic and post them in a forum reply. This will give us an idea of the server IP addresses the bugger is trying to connect to.

I created the Firewall rule, the alert and log, but 4 hours later it has not detected anything yet.

---

Is there anything that I can do to get rid of this malware?

Edited by kafpolo

46 minutes ago, kafpolo said:

Is there anything that I can do to get rid of this malware?

Is it still running after you did this?

21 hours ago, kafpolo said:

I managed to disable its execution at startup, and after running an analysis the ESET antivirus did not detect the malware.

If so, there are two most likely possibilities for what is starting it up:

1. Look in Win Scheduled Tasks if there is an entry for it. If so, delete it.

2. It's starting via WMI event.

Do no. 1 first, and we'll worry about no. 2 later.

Also, if you are positive this is undesirable software, just delete the omnisoft folder for it under C:\program files (x86)\common files\.

Edited by itman
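The two autostart mechanisms itman names (a scheduled task and a WMI event subscription), plus the Run keys and Startup folders that a startup-disable in Task Manager usually covers, can all be enumerated from one script. What follows is an added, read-only example, not code from the thread or from ESET; the only assumption is the search string "OmniSoft" taken from the path in the thread, and it should be run from an elevated PowerShell so that HKLM and every task are readable.

```powershell
# Added example (not from the thread): list autostart entries referencing the
# OmniSoft path. Read-only; removal is left to the operator. Run elevated.
$Pattern = 'OmniSoft'   # substring from the path reported in the thread

function Find-PersistenceReferences {
    param([Parameter(Mandatory)][string]$Pattern)

    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($Source, $Name, $Detail) {
        $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
    }

    # 1. Scheduled tasks: inspect every action's executable, arguments and working directory
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments) $($action.WorkingDirectory)"
            if ($cmd -match $Pattern) {
                Add-Hit 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd.Trim()
            }
        }
    }

    # 2. WMI permanent event subscriptions: a consumer runs when its bound filter fires
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        $cmd = "$($c.ExecutablePath) $($c.CommandLineTemplate)"
        if ($cmd -match $Pattern) { Add-Hit 'WMI CommandLineEventConsumer' $c.Name $cmd.Trim() }
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        if ("$($c.ScriptFileName) $($c.ScriptText)" -match $Pattern) {
            Add-Hit 'WMI ActiveScriptEventConsumer' $c.Name "$($c.ScriptFileName)"
        }
    }

    # 3. Run / RunOnce keys, per-machine (native and 32-bit views) and per-user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # provider metadata (PSPath etc.), not a value
            if ("$($p.Value)" -match $Pattern) { Add-Hit 'RunKey' "$key\$($p.Name)" "$($p.Value)" }
        }
    }

    # 4. Startup folders, resolving .lnk shortcuts to what they actually launch
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $dir -File) {
            $target = $file.FullName
            if ($file.Extension -eq '.lnk') {
                $lnk    = $shell.CreateShortcut($file.FullName)
                $target = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
            if ("$($file.Name) $target" -match $Pattern) { Add-Hit 'StartupFolder' $file.FullName $target.Trim() }
        }
    }

    return $hits
}

$found = @(Find-PersistenceReferences -Pattern $Pattern)
if ($found.Count -eq 0) { "No autostart entries matching '$Pattern' were found." }
else { $found | Format-Table -AutoSize -Wrap }
```

If a scheduled task turns up, `Unregister-ScheduledTask -TaskName <name> -TaskPath <path> -Confirm:$false` removes it, as the post advises. A WMI subscription is removed in three parts: the `__FilterToConsumerBinding` first, then the consumer and its `__EventFilter`, each via `Get-CimInstance -Namespace root\subscription ... | Remove-CimInstance`. Autoruns, mentioned later in the thread, covers the same locations and more, with a GUI.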

1 minute ago, itman said:

Is it still running after you did this?

 

Not even when I restart the PC.

4 minutes ago, kafpolo said:

Not even when I restart the PC.

Don't understand your reply. Are you saying it runs when you restart the PC?

1 minute ago, itman said:

Don't understand your reply. Are you saying it runs when you restart the PC?

No, it doesn't run since I did that.

Just now, kafpolo said:

No, it doesn't run since I did that.

Then you solved the problem it appears.

If you are worried about any traces of it, I would start by looking in Control Panel -> Programs and Features if something exists that relates to this software. If so, install it.

Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to Omnisoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/ that can do a forced uninstall. But you have to know how to use it properly. Also, if it is used in aggressive removal mode, it can cause system issues thereafter.


There is also a free utility by Microsoft SysInternals called Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns . This is used primarily to find out what is starting up at boot time and block/remove undesired startup processes. Again, it appears you have already covered this. Also, this tool's help/documentation should be thoroughly reviewed to use it properly and not bork something.

3 minutes ago, itman said:

Then you solved the problem it appears.

If you are worried about any traces of it, I would start by looking in Control Panel -> Programs and Features if something exists that relates to this software. If so, install it.

There is nothing related to the malware software at control panel.

------

4 minutes ago, itman said:

Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to Omnisoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/ that can do a forced uninstall. But you have to know how to use it properly. Also, if it is used in aggressive removal mode, it can cause system issues thereafter.

Thanks, I will try this.

25 minutes ago, itman said:

Otherwise, you will have to do a manual cleaning of all folders, files, and registry entries related to Omnisoft. If you don't know what you are doing here, you can bork your existing Windows installation. There are tools such as Revo Uninstaller: https://www.revouninstaller.com/ that can do a forced uninstall. But you have to know how to use it properly. Also, if it is used in aggressive removal mode, it can cause system issues thereafter.

So in the registry I could find only this:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched :: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Common Files\OmniSoft\update.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store :: C:\Program Files (x86)\Common Files\OmniSoft\uninstall\helper.exe

 

Then I used the "revouninstaller" tool, but there wasn't anything related to the malware.

 

11 minutes ago, kafpolo said:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched :: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Common Files\OmniSoft\update.exe

This key area is used to show programs started by Win Explorer. Suspect whatever startup folder entry you found was in essence a shell that started update.exe via Win Explorer.

15 minutes ago, kafpolo said:

Then I used the "revouninstaller" tool, but there wasn't anything related to the malware.

It's not used for that purpose. For example, you can use it to search for anything related to Omnisoft. Don't know if that option is available in the free version.

17 minutes ago, kafpolo said:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store :: C:\Program Files (x86)\Common Files\OmniSoft\uninstall\helper.exe

This key is interesting. Did you check if there was an uninstaller program located in C:\Program Files (x86)\Common Files\OmniSoft\uninstall directory?
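The two keys the original poster found both carry the OmniSoft path in the value name rather than in the data (the GUID {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E} in the first one is the known-folder ID for Program Files (x86)), so a registry search that only looks at value data would miss them. The sweep below, an added example not from the thread or from ESET, walks the per-user and per-machine Software hives and reports key names, value names and value data that mention the search string; the search string is taken from the thread, and the script changes nothing.

```powershell
# Added example (not from the thread): read-only sweep of the Software hives for
# keys, value names or value data mentioning OmniSoft. Run elevated so HKLM is
# fully readable; HKLM:\Software is large, so expect this to take a few minutes.
$Pattern = 'OmniSoft'                       # from the path reported in the thread
$Roots   = @('HKCU:\Software', 'HKLM:\Software')

function Find-RegistryReferences {
    param([Parameter(Mandatory)][string]$Pattern, [Parameter(Mandatory)][string[]]$Roots)

    $hits = New-Object System.Collections.Generic.List[object]

    foreach ($root in $Roots) {
        # The root key itself plus every subkey we are allowed to open
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            if ($key.PSChildName -match $Pattern) {
                $hits.Add([pscustomobject]@{ Where = 'KeyName'; Key = $key.Name; ValueName = ''; Data = '' })
            }
            foreach ($name in $key.GetValueNames()) {      # '' is the (Default) value
                $data = $key.GetValue($name)
                # REG_BINARY is often UTF-16 text (paths, MRU lists); decode it so it can be searched
                $text = if ($data -is [byte[]]) { [System.Text.Encoding]::Unicode.GetString($data) } else { "$data" }

                if ($name -match $Pattern) {
                    $hits.Add([pscustomobject]@{ Where = 'ValueName'; Key = $key.Name; ValueName = $name; Data = $text })
                } elseif ($text -match $Pattern) {
                    $hits.Add([pscustomobject]@{ Where = 'ValueData'; Key = $key.Name; ValueName = $name; Data = $text })
                }
            }
        }
    }
    return $hits
}

$found = @(Find-RegistryReferences -Pattern $Pattern -Roots $Roots)
if ($found.Count -eq 0) { "No registry references to '$Pattern' under $($Roots -join ', ')." }
else { $found | Format-Table Where, Key, ValueName -AutoSize -Wrap }
```

Read the results before deleting anything: `Explorer\FeatureUsage\AppSwitched` and `AppCompatFlags\Compatibility Assistant\Store` are usage-tracking artifacts (they record that the binary was run and switched to), so they confirm execution history but are not what starts the program, and removing them does not stop it. Entries that name an uninstaller or an autostart location are the ones worth acting on.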

14 minutes ago, itman said:

This key is interesting. Did you check if there was an uninstaller program located in C:\Program Files (x86)\Common Files\OmniSoft\uninstall directory?

Yes, but it does not open any pop-up, it does not run, and it does not appear in the Task Manager.

Basically, it doesn't work at all.

Edited by kafpolo


Something just occurred to me.

This Omnisoft stuff might be related to some extension or the like you installed directly or inadvertently in Firefox. Perhaps something by Mozilla itself. This would at least explain the cert. signed by Mozilla for update.exe.

1 minute ago, itman said:

Something just occurred to me.

This Omnisoft stuff might be related to some extension or the like you installed directly or inadvertently in Firefox. Perhaps something by Mozilla itself. This would at least explain the cert. signed by Mozilla for update.exe.

But I uninstalled Firefox and this remained; as I started the PC, this program started opening pages in the malicious Firefox.

7 hours ago, kafpolo said:

But I uninstalled Firefox and this remained; as I started the PC, this program started opening pages in the malicious Firefox.

Did you run a deep scan of your PC by your AV?


I finally found a web reference to this Omnisoft fake Firefox garbage. Per this Malwarebytes forum posting thread: https://forums.malwarebytes.com/topic/238865-mozilla-pops-up-with-pon-contents-whenever-i-boot-my-pc/?tab=comments#comment-1279613 .

Initially it appeared that this might be a rootkit, and Kaspersky's TDSS Killer: https://usa.kaspersky.com/downloads/tdsskiller got rid of it. However, as the OP posted, it looks like the bugger reinfected the installation somehow. This might have been via the previously noted startup entry the malware created.

Do as @Nightowl suggested. Run a Custom scan, ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on the like-named button. This should at least let us know if a rootkit is present or the MBR is infected.

Edited by itman

58 minutes ago, itman said:

Do as @Nightowl suggested. Run a Custom scan, ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on the like-named button. This should at least let us know if a rootkit is present or the MBR is infected.

I will do it.

Do you recommend using the Avast Boot-Time scan tool in addition to the Eset Custom scan?

39 minutes ago, kafpolo said:

Do you recommend using the Avast Boot-Time scan tool in addition to the Eset Custom scan?

If you are referring to this: https://www.avast.com/c-rootkit-scanner-tool , I wouldn't use it. The download appears to be the installer for Avast free anti-virus.

The download for https://www.bleepingcomputer.com/download/aswmbr/ which is the old Avast stand-alone scanner states it only supports up to Win 8.1.

Edited by itman
