FireFox Java Trojan Redirecting


  • Please log in to reply
36 replies to this topic

#1 FedUp2011

Posted 25 June 2011 - 11:59 AM

Hi Guys,

Thanks for offering these forums and the assistance you provide! I've got a Trojan on my computer that won't seem to go away. It's on FireFox (IE is fine to surf with and there are no redirects).

I have Windows XP Dell Inspiron, Version 2002, SP3, AMD Phenom 8650, Triple Core Processor. I have McAfee as my AV.

MalwareBytes detected an Artemis Trojan on Thursday night along with Malware Traces and quarantined & deleted them. I ran this scan in normal mode. I went online, curious as to what this trojan was and typed it in Google and clicked on, what I thought was, a McAfee link (it showed it being a link to their forums) and once I clicked on it it redirected me to one of their sites. I suspect it was never fully removed.

So later scans proved unsuccessful (McAfee, MalwareBytes, SuperAntiSpyware, and SpyBot). However, last night I downloaded Microsoft Security Essentials (I know, I shouldn't use this along with McAfee, but I wanted another scanner) and in normal mode and under quick scan, it immediately detected TrojanDownloader:Win32/Tracur.Q in my C:\WINDOWS\System32\atioglxx32.dll file and quarantined and removed it.

I then wanted to run a full scan to see what else might turn up. I went into Safe Mode with Networking and ran it and it found Exploit: Java\CVE-2010-0840.CL. Again, it quarantined and deleted it.

I then ran MalwareBytes again in full mode and it found Trojan.BHO Registry Key in HKEY_CLASSES_ROOT\.fsharproj and quarantined and deleted it.

I turn it on this morning in normal mode and I get the message in my tray saying McAfee is not connected and you're at risk. I go into Firefox and, as it has been doing since the infection has been noticed, it automatically shows a FireFox addon window with Java (I think two Java entries) and it says: Java Console 6.0.2.0 so I disabled and uninstalled it. I go into FireFox and again, if I type in Mcafee into Google and seemingly go to McAfee's official website, it redirects me to pcsecurityshield.com and inc.com and other sites, and even a fake looking McAfee site trying to get me to purchase their products.

I should also mention that when I get into normal mode I get an error message saying: MOM.exe has encountered a problem and needs to close. I wonder if that is part of the trojan?

I looked into Add/Remove Hardware and didn't see anything out of place. However, I did see Adobe Flash Player 10 ActiveX and the Plugin. Not sure if those are suspicious or not. Even before this I would always get notices in my tray telling me to update Java and Adobe but never did mostly because I heard it might slow down the computer, and that there are some suspicious Java and Adobe updates that have trojans and viruses in them.

Anyways, that's what is happening to me. If anyone can kindly help I would be very grateful. I'd rather not have to reformat.

Thank you in advance.


#2 FedUp2011

Posted 26 June 2011 - 01:57 AM

Okay, I think I've alleviated most of my problem while not entirely ruling out it being completely solved.

I was reading Broni's post "What do do??" on http://www.bleepingcomputer.com/forums/topic405780.html

Since my troubles were in Firefox, I followed the Add-on suggestions given. I went into Firefox Safe Mode first and everything worked fine and then I disabled the add-ons. Everything worked after a browser restart. I continued to follow Broni's advice and one by one enabled each one in order to rule out the problem. Well, it appears the three XUL Cache 1.0 Add-ons were causing the redirects so I disabled them and uninstalled them. I couldn't find an option to delete them (is there?).

I went back into normal mode and the only strange thing was that my internet connection was not functional for about five minutes. Even though my modem lights were on I couldn't get IE or FF to load any websites. I also couldn't get MSE to load the updates. But after about five minutes it did come back and worked fine. I even restarted it again and it is seemingly fine. I wonder if this was still the work of the trojan or remnants of it?

I'm not entirely convinced, however, that everything is removed. I mean, I still get the "MOM.exe has encountered a problem and needs to close" error message when getting into normal mode. I wonder if that has anything to do with the trojan? I try not to click on it (just move it out of the way). Is it safe to do so? What do you suspect this error message is all about?

Also, I did find two entries of xul.dll in my search results. One is in C:\Program Files\Mozilla Firefox and the other is in Program Files\HP\Digital Imaging Web Printing\Mozilla Addon 3. I'm not sure if these are related to the XUL Cache 1.0 referenced earlier, or not. Any idea?

Another thing is, earlier today I was able to go to Windows Update and found two high priority updates that needed to be downloaded and installed (KB2518864 and KB2478658). At first they installed but upon downloading they sputtered and gave me an error message about Microsoft Net Services Installation Utility, but after trying again it did work.

Looking forward to communicating with some of the experts on this issue.

Thank you!

#3 boopme
  • Global Moderator

Posted 28 June 2011 - 10:46 PM

Hello, let's see an MBAM log.
Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Rerun MBAM (MalwareBytes) like this:

  • Open MBAM in normal mode and click Update tab, select Check for Updates, when done click Scanner tab, select Quick scan and scan (normal mode).
  • After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Follow with this... I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

NOTE: In some instances if no malware is found there will be no log produced.

Please ask any needed questions,post logs and Let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#4 FedUp2011

Posted 28 June 2011 - 10:59 PM

Hi,

I tried running TFC from both of those links and I kept getting an error message: "... is not a valid Win32 application." Am I doing something wrong?

#5 FedUp2011

Posted 28 June 2011 - 11:10 PM

Just ran MBAM and it is showing three trojans from the TFC links I downloaded (Trojan.Dropper.PGen). Those links are bad, boopme!

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6972

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

6/28/2011 9:10:19 PM
mbam-log-2011-06-28 (21-10-19).txt

Scan type: Quick scan
Objects scanned: 154970
Time elapsed: 4 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Ryan\Desktop\TFC.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-776561741-920026266-682003330-1003\Dc4.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
c:\documents and settings\Ryan\local settings\temporary internet files\Content.IE5\XZNZ1T8E\TFC[1].exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.

#6 boopme
  • Global Moderator

Posted 29 June 2011 - 01:10 PM

Let's upload those files for a second opinion on what it actually is..

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

#7 boopme
  • Global Moderator

Posted 29 June 2011 - 02:49 PM

This appears to have been a false positive. I 've updated MBAM and rescanned and it does not flag it.

#8 FedUp2011

Posted 29 June 2011 - 09:17 PM

Let's upload those files for a second opinion on what it actually is..

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
<filepath>suspect.file

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


Okay, I enabled viewing of hidden files and used jotti. I noticed a few hidden items appear on my desktop (Zb thumbnail.info, Thumbs.db, and mjomrbvmfs.tmp) and I scanned them but it found nothing. I also scanned various Firefox files (xul.dll) and got nothing. How do I know what to scan? I thought maybe this scanner would have scanned everything.

What do you advise next?

Thanks for your continued help!

#9 FedUp2011

Posted 29 June 2011 - 09:19 PM

This appears to have been a false positive. I 've updated MBAM and rescanned and it does not flag it.


Hmm, why do you suppose that the TFC.exe won't work? Not a valid Win32 application? Is something blocking it?

Should the ESET scanner be run?

#10 boopme
  • Global Moderator

Posted 30 June 2011 - 09:23 AM

Is this a 64 bit system? It can be caused by malware.. So run the ESET.

#11 FedUp2011

Posted 30 June 2011 - 10:03 AM

Is this a 64 bit system? It can be caused by malware.. So run the ESET.


No, it's 32 bit.

#12 FedUp2011

Posted 30 June 2011 - 02:59 PM

boopme,

I will run the ESET scanner when I get home tonight. Should I keep my files unhidden?

Also, is there an application I can run that will tell me if what I'm running is out of date? I do know that I'm running older versions of Java, Adobe Acrobat, and Firefox.

Thanks.

#13 FedUp2011

Posted 30 June 2011 - 10:43 PM

Hi boopme,

Here is the scan from the ESET Scanner:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EU5GBKZD\C0[1].php a variant of Java/TrojanDownloader.OpenStream.NAZ trojan deleted - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\12\3cc664c-4fd74f51 a variant of Java/Exploit.CVE-2010-4452.A trojan cleaned by deleting - quarantined
C:\Documents and Settings\Ryan\Application Data\Sun\Java\Deployment\cache\6.0\27\505d5b5b-23b9bf10 Java/TrojanDownloader.Agent.NCM trojan deleted - quarantined

It appears Java was definitely the culprit. What is the next action? Could these trojans be responsible for the MOM.exe error I keep getting upon starting my pc?

Thank you!

#14 FedUp2011

Posted 30 June 2011 - 11:59 PM

So I just ran MBAM and found nothing, but then I ran Microsoft Security Essentials full scan and it found TrojanDownloader: Win32/Tracur.B in a System Volume Information\_restore folder and removed it. McAfee detected it and quarantined it too about the same exact time. I think it was labeled as Generic Downloader.x!fzm (trojan).(I know I probably shouldn't have McAfee and MSE running at the same time.) After using the ESET Scanner I was able to update the definitions for MSE (before I rarely could and was always getting a connectivity error). Yesterday, according to the logs, McAfee apparently "repaired (removed)" a potentially unwanted program called Cookie-Insightexpres.

What's interesting is last week it found and removed almost the same Trojan but instead it was Tracur.Q.

Edited by FedUp2011, 01 July 2011 - 12:01 AM.


#15 boopme
  • Global Moderator

Posted 01 July 2011 - 11:44 AM

Hi, yes go back to post and undo, How to see hidden files in Windows
What version of JAVA,if any, is running?
Go into Control Panel>Add Remove Programs. Be sure the 'Show Updates' box is checked. Go down the list and tell me what Java applications are installed and their version. (Highlight the program to see this).


Also, is there an application I can run that will tell me if what I'm running is out of date?

Secunia PSI
How to detect vulnerable and out-dated programs using Secunia Personal Software Inspector



Microsoft Security Essentials full scan and it found TrojanDownloader: Win32/Tracur.B in a System Volume Information\_restore folder and removed it


Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
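As an added example (not from the thread or any of its participants), a PowerShell script that does from the command line what boopme asks for in this post: list the Java entries that Add/Remove Programs shows with their versions, list what sits in the per-user Java deployment cache where ESET found the hits, and create a fresh restore point. It assumes Windows PowerShell 2.0 or later run from an elevated prompt; the Checkpoint-Computer cmdlet is not available on XP, where the GUI steps above still apply.

```powershell
# Added example, not code from the thread. Assumes Windows PowerShell 2.0+ on an
# elevated prompt; Checkpoint-Computer needs Vista/7 or later, not XP.

function Get-InstalledJava {
    # Add/Remove Programs is built from these Uninstall keys; the Wow6432Node
    # view covers 32-bit Java on a 64-bit system and is skipped if absent.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-JavaDeploymentCache {
    # The ESET detections in this thread were files in the per-user Java
    # deployment cache; both the XP and the Vista/7 profile layouts are checked.
    $candidates = @(
        (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'),
        (Join-Path $env:USERPROFILE 'Application Data\Sun\Java\Deployment\cache')
    )
    foreach ($dir in $candidates) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -Recurse |
                Where-Object { -not $_.PSIsContainer } |
                Select-Object FullName, Length, LastWriteTime
        }
    }
}

function New-CleanRestorePoint {
    param([string]$Description = 'Post-cleanup baseline')
    # Creates the new point and returns it, so its sequence number and
    # timestamp can be kept in a log as the post recommends.
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

Get-InstalledJava | Format-Table -AutoSize
Get-JavaDeploymentCache | Format-Table -AutoSize
New-CleanRestorePoint | Format-List SequenceNumber, Description, CreationTime
```

Deleting the older restore points has no cmdlet counterpart, so that step stays with Disk Cleanup as described in the post.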