Jump to content

Archived

This topic is now archived and is closed to further replies.

kafpolo

Firefox uptadte.exe virus

Recommended Posts

Also per the malwarebytes forum posting linked above, Kaspersky TDSS did not find anything objectionable about this bugger. Namely that it is validly signed:

Quote

20:10:29.0865 0x3080  [ 49958506B773E40D31832E3EEDA522E7, FB9045B74615A339FCDC3016F899AEC5B8AFBDACDE5421D94D777C709295C2FD ] C:\Program Files (x86)\Common Files\OmniSoft\update.exe
20:10:29.0883 0x3080  firefox - ok

 

Share this post


Link to post
Share on other sites

Also something else from the MBAM forum from the same poster.

Check if this shows in Win installed programs:

Quote

Remove this program in bold via the Control Panel > Programs > Programs and Features.
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version:  - )

 

Share this post


Link to post
Share on other sites
41 minutes ago, itman said:

Also something else from the MBAM forum from the same poster.

Check if this shows in Win installed programs:

 

This is probably due to infected KMSPico , it might not apply to his case

 

Share this post


Link to post
Share on other sites
3 hours ago, Nightowl said:

This is probably due to infected KMSpico , it might not apply to his case

KMSPico is a cracker for Microsoft products. Eset won't even allow you to access its website; detecting it as malicious. It goes w/o saying that if this bugger was installed, you have been nailed in some fashion.

Share this post


Link to post
Share on other sites
13 hours ago, itman said:

KMSPico is a cracker for Microsoft products. Eset won't even allow you to access its website; detecting it as malicious. It goes w/o saying that if this bugger was installed, you have been nailed in some fashion.

ESET will not touch it if you disable the detection of unsafe applications , KMSPICO is not malicious if it's not made malicious by someone else , but the original one is not malicious , it's just a hacktool for Windows.

Share this post


Link to post
Share on other sites
21 hours ago, itman said:

Do as @Nightowl suggested. Run a Custom scan ensuring all drives, folders, files, and networks are selected. Make sure the scan is run as Administrator by clicking on like named button. This should at least let us know if a rootkit is present or the MBR is infected.

I did this and used the avast boot-time tool, there were no detections.

--

Does that means that there isn't an infection?

If so, what do I have to do with the omnisoft files and folders?

Do I have to make any other scans?

Share this post


Link to post
Share on other sites
18 hours ago, Nightowl said:

This is probably due to infected KMSPico , it might not apply to his case

 

No, it doesn't apply, I haven't installed any hacktool for Windows.

Share this post


Link to post
Share on other sites
1 hour ago, kafpolo said:

If so, what do I have to do with the omnisoft files and folders?

As I posted previously if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder

Share this post


Link to post
Share on other sites
51 minutes ago, itman said:

As I posted previously if their existence bothers you, delete them. This will send the files to the Recycle folder. If there are any subsequent system issues after their deletion, you can always restore the files from the Recycle folder

I moved them to the recycle bin and nothing happened after i turned on the pc.

Then I accidentally moved some back to the omnisoft folder and they changed their name, with $ and random letters an numbers, why did this happened?

Share this post


Link to post
Share on other sites
14 minutes ago, kafpolo said:

Then I accidentally moved some back to the omnisoft folder and they changed their name, with $ and random letters an numbers, why did this happened?

Enable the "hidden files" option in  Windows Explorer View setting.

I suspect the files were always named as such and restoring them basically did what the above option does - show the hidden extension associated with the files.

Share this post


Link to post
Share on other sites

So, that means that my pc is clear of infection?

Share this post


Link to post
Share on other sites

Here's an old thread in the Avast forum dating from 2015 where the behavior observed was almost identical to that on your device: https://forum.avast.com/index.php?topic=92407.0 . The only difference here was the directory where the fake Firefox updater.exe was located was named ComObjects.

The OP in this posting stated he had a "new build." This leads me believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software, prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was.

If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.

Share this post


Link to post
Share on other sites
7 minutes ago, itman said:

The OP in this posting stated he had a "new build." This leads me believe that this software was installed by the OEM of the device. In any case, removing that startup entry for the software, prevented it from running thereafter. So my opinion is yes, you have eliminated whatever this thing was.

If it reappears, I would start looking for any built-in diagnostic software or the like that was installed by the OEM of your device and uninstall that.

I don't think that this apply in my case, I got my pc (which is an ASUS) 1 year ago

Share this post


Link to post
Share on other sites

Also note that from the Avast forum posting, Avast didn't detect this fake FireFox update.exe as malicious. It triggered on the outbound communication from it to a known malicious URL/IP address.

My best guess is this bugger is legit software being used for other than legit purposes. Most likely for spyware purposes.

Share this post


Link to post
Share on other sites

I just reanalyzed the Avast noted FireFox update.exe at VT and its 100% clean. Worse none of the cloud sandboxes; i.e. Hybrid-Analysis or Joe's Sandox, detect any abnormal behavior.

What this bugger appears to be is a very old legit ver. of FireFox. Suspect it can be run in hidden mode to perform Internet activities and only God knows what else.

Look in this registry key for any suspicious .exe's not installed by you; e.g.:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

Share this post


Link to post
Share on other sites
6 hours ago, itman said:

Look in this registry key for any suspicious .exe's not installed by you; e.g.:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

In the IFEO there are only CFGOptions, MitigationOptions and DisableExceptionChainValidation. I don't think there are any suspicious .exes

Share this post


Link to post
Share on other sites

Again I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc.. by virtual all security software.

Share this post


Link to post
Share on other sites
16 minutes ago, itman said:

Again I believe that this bugger was installed by some resident software on your device. I also feel this would be something of a trusted utility nature that you would not suspect. Finally, whatever it is doing is not classified as malware, PUA, etc.. by virtual all security software.

What should I do about this? how could this problem be solved?

__

Is this because of a bloatware? if so, What bloatware?

Share this post


Link to post
Share on other sites

If you have no reason to keep the sw, remove it.

Share this post


Link to post
Share on other sites
13 hours ago, kafpolo said:

What should I do about this? how could this problem be solved?

To begin with and again, It appears that the problem is solved since this update.exe is no longer running at system startup time.

You're obsessing over removal over its remnants most of which it appears you have already removed. Remember this forum's purpose is to address Eset operational issues including assistance in malware removal. This software is not classified as malware or any form of undesirable software.

I suggest you use the services of malwaretips.com, bleepingcomputer.com, etc. whose web based forums contain sections for assistance in malware removal. Their personnel are trained in the use of FRST, RogueKiller, etc. which are specialized tools used to perform deep analysis on installed software and identify malware and the like.

Share this post


Link to post
Share on other sites

Before closing this I have just one more question, can this incident make BSOD error "pool_corruption"?

Share this post


Link to post
Share on other sites
1 hour ago, kafpolo said:

Before closing this I have just one more question, can this incident make BSOD error "pool_corruption"?

Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header

I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.

Share this post


Link to post
Share on other sites
11 minutes ago, itman said:

Depends on the "pool corruption" that occurred. According to Microsoft it is usually related to a bad driver but can also be caused by faulty memory. A couple of refs. below:

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0xde--pool-corruption-in-file-area

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-check-0x19--bad-pool-header

I have no idea what manual cleaning you did and that could be related to this BSOD activity. You can always try a system restore using a restore point prior to when you started these cleaning activities.

Ok, thanks to @itman @Nightowl  and @Marcos for helping 👍

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...