Firefox.exe Always Open - Poison Ivy? Options

[hilltown]

In my Task Manager, I constantly see a file named "firefox.exe", even when the program isn't running. I've done some basic research into this problem, and it appears this is a symptom of the Poison Ivy virus. I've had significant virus/malware problems in the last two weeks, although I thought I had removed everything.

Please note that Avast!, McAfee, and Spybot do NOT pick this up.

However, it is affecting my use of Firefox and I fear someone is logging my keystrokes.

I would be most grateful for any assistance, as I didn't want to start editing registries without expert advice.

[H4CK3R]

Hey hilltown,

Poison Ivy is a Trojan used by many young hackers to control (pwn/own) peoples computers!
Poison Ivy Has a Feature where it injects the trojan into your Browser so it can bypass firewalls and AV's.
To Warn you Poison Ivy does have a keylogger.
Also, There are many other trojans that inject themselves into Browsers like Poison Ivy does.

Removing Poison Ivy is quite difficult because it runs on start up using ActiveX Startup using a random GUID in registry,
And injects into Browser and any other process the hacker wants (normally msnmsgr.exe or explorer.exe).
You need to be quite a advanced user to remove it (becuase you need to know how to use the registry)

In the end this might not be Poison Ivy!

Regards,
H4CK3R

[hilltown]

I appreciate the response, but I was honestly hoping for something a little more concrete/instructional. Would any advanced users be willing to give me a hand in tackling this?

[quietman7]

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Get a second opinion. Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

[hilltown]

I scanned firefox.exe using jotti's virusscan, and it returned 0 results.

I've seen references to ali.exe appear in error messages, so I submitted it and received the following:

Scan taken on 14 Feb 2008 02:49:12 (GMT)

AntiVir
Found TR/Drop.RPD.12
AVG Antivirus
Found BackDoor.Generic9.JBC
BitDefender
Found Trojan.Dropper.RPD
Ikarus
Found Virus.HackTool.Win32.SqlCrack
Panda Antivirus
Found Bck/Bandok.BQ

Could this file be causing my problems, or is it merely a symptom? How should I go about removing it? Again, any help is GREATLY appreciated.

[quietman7]

ali.exe is added by the TROJ/EXEMAS-B Trojan.

Download FileASSASSIN.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).

• Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
• Open the folder and double-click on FileASSASSIN.exe.
• Select the bad file to delete by dragging it onto the text area or select it using the (...) browse button.
• Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal"
• Click delete and the removal process will begin.
• If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."

Then download AutoRuns and save it to your Desktop.

• Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if your not sure how to do this.)
• Open the folder and double-click on autoruns.exe to launch it.
• Please be patient as it scans and populates the entries.
• When done scanning, it will say Ready at the bottom.
• Scroll through the list and look for a startup entry related to ali.exe.
• Right-click on the entry and choose delete.
• Reboot your computer when done.

[hilltown]

QuietMan - thanks for your response. I used File Assassin to delete "ali.exe", then AutoRuns to remove its startup entries. Perfect.

Haven't seen any random programs running since deleting, so it appears to have worked. I am INCREDIBLY grateful for your help.

[quietman7]

Your welcome.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

• Go to Start > Programs > Accessories > System Tools and click "System Restore".
• Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Then use Disk Cleanup to remove all but the most recently created Restore Point.
• Go to Start > Run and type: Cleanmgr
• Click "Ok".
• Click the "More Options" Tab.
• Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.