Firefox uptadte.exe virus

[itman 1,659]

Also per the malwarebytes forum posting linked above, Kaspersky TDSS did not find anything objectionable about this bugger. Namely that it is validly signed:

Quote

20:10:29.0865 0x3080  [ 49958506B773E40D31832E3EEDA522E7, FB9045B74615A339FCDC3016F899AEC5B8AFBDACDE5421D94D777C709295C2FD ] C:\Program Files (x86)\Common Files\OmniSoft\update.exe
20:10:29.0883 0x3080  firefox - ok

 

[itman 1,659]

Also something else from the MBAM forum from the same poster.

Check if this shows in Win installed programs:

Quote

Remove this program in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )

 

[Nightowl 202]

41 minutes ago, itman said:

Also something else from the MBAM forum from the same poster.

Check if this shows in Win installed programs:

 

This is probably due to infected KMSPico , it might not apply to his case

 

[itman 1,659]

3 hours ago, Nightowl said:

This is probably due to infected KMSpico , it might not apply to his case

KMSPico is a cracker for Microsoft products. Eset won't even allow you to access its website; detecting it as malicious. It goes w/o saying that if this bugger was installed, you have been nailed in some fashion.

Edited February 26, 2020 by itman

[Nightowl 202]

13 hours ago, itman said:

KMSPico is a cracker for Microsoft products. Eset won't even allow you to access its website; detecting it as malicious. It goes w/o saying that if this bugger was installed, you have been nailed in some fashion.

ESET will not touch it if you disable the detection of unsafe applications , KMSPICO is not malicious if it's not made malicious by someone else , but the original one is not malicious , it's just a hacktool for Windows.

[kafpolo 0]

21 hours ago, itman said:

Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on like named button. This should at least let us know if a rootkit is present or the MBR is infected.

I did this and used the avast boot-time tool, there were no detections.

--

Does that means that there isn't an infection?

If so, what do I have to do with the omnisoft files and folders?

Do I have to make any other scans?

[kafpolo 0]

18 hours ago, Nightowl said:

This is probably due to infected KMSPico , it might not apply to his case

 

No, it doesn't apply, I haven't installed any hacktool for Windows.

[itman 1,659]

1 hour ago, kafpolo said:

If so, what do I have to do with the omnisoft files and folders?

As I posted previously if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder

[kafpolo 0]

51 minutes ago, itman said:

As I posted previously if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder

I moved them to the recycle bin and nothing happened after i turned on the pc.

Then I accidentally moved some back to the omnisoft folder and they changed their name, with $ and random letters an numbers, why did this happened?

[itman 1,659]

14 minutes ago, kafpolo said:

Then I accidentally moved some back to the omnisoft folder and they changed their name, with $ and random letters an numbers, why did this happened?

Enable the "hidden files" option in  Windows Explorer View setting.

I suspect the files were always named as such and restoring them basically did what the above option does - show the hidden extension associated with the files.

[kafpolo 0]

So, that means that my pc is clear of infection?

[itman 1,659]

Here's an old thread in the Avast forum dating from 2015 where the behavior observed was almost identical to that on your device: https://forum.avast.com/index.php?topic=92407.0 . The only difference here was the directory where the fake Firefox updater.exe was located was named ComObjects.

The OP in this posting stated he had a "new build." This leads me believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software, prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was.

If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.

[kafpolo 0]

7 minutes ago, itman said:

The OP in this posting stated he had a "new build." This leads me believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software, prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was.

If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.

I don't think that this apply in my case, I got my pc (which is an ASUS) 1 year ago

[itman 1,659]

3 minutes ago, kafpolo said:

I don't think that this apply in my case, I got my pc (which is an ASUS) 1 year ago

FYI: https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software

[itman 1,659]

Also note that from the Avast forum posting, Avast didn't detect this fake FireFox update.exe as malicious. It triggered on the outbound communication from it to a known malicious URL/IP address.

My best guess is this bugger is legit software being used for other than legit purposes. Most likely for spyware purposes.

[itman 1,659]

I just reanalyzed the Avast noted FireFox update.exe at VT and its 100% clean. Worse none of the cloud sandboxes; i.e. Hybrid-Analysis or Joe's Sandox, detect any abnormal behavior.

What this bugger appears to be is a very old legit ver. of FireFox. Suspect it can be run in hidden mode to perform Internet activities and only God knows what else.

Look in this registry key for any suspicious .exe's not installed by you; e.g.:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

[kafpolo 0]

6 hours ago, itman said:

Look in this registry key for any suspicious .exe's not installed by you; e.g.:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

In the IFEO there are only CFGOptions, MitigationOptions and DisableExceptionChainValidation. I don't think there are any suspicious .exes

[kafpolo 0]

7 hours ago, itman said:

FYI: https://www.us-cert.gov/ncas/current-activity/2019/03/26/ASUS-Releases-Security-Update-Live-Update-Software

I got ASUS LU with the lates update.

[itman 1,659]

Again I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc.. by virtual all security software.

[kafpolo 0]

16 minutes ago, itman said:

Again I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc.. by virtual all security software.

What should I do about this? how could this problem be solved?

__

Is this because of a bloatware? if so, What bloatware?

Edited February 28, 2020 by kafpolo

[Marcos 5,070]

If you have no reason to keep the sw, remove it.

[itman 1,659]

13 hours ago, kafpolo said:

What should I do about this? how could this problem be solved?

To begin with and again, It appears that the problem is solved since this update.exe is no longer running at system startup time.

You're obsessing over removal over its remnants most of which it appears you have already removed. Remember this forum's purpose is to address Eset operational issues including assistance in malware removal. This software is not classified as malware or any form of undesirable software.

I suggest you use the services of malwaretips.com, bleepingcomputer.com, etc. whose web based forums contain sections for assistance in malware removal. Their personnel are trained in the use of FRST, RogueKiller, etc. which are specialized tools used to perform deep analysis on installed software and identify malware and the like.

Edited February 28, 2020 by itman

[kafpolo 0]

Before closing this I have just one more question, can this incident make BSOD error "pool_corruption"?

Edited February 28, 2020 by kafpolo

[itman 1,659]

1 hour ago, kafpolo said:

Before closing this I have just one more question, can this incident make BSOD error "pool_corruption"?

Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header

I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.

[kafpolo 0]

11 minutes ago, itman said:

Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header

I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.

Ok, thanks to @itman @Nightowl  and @Marcos for helping 👍