
Two instances of Firefox running


  • This topic is locked
3 replies to this topic

#1 orhank

orhank

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 19 February 2012 - 10:24 AM

I am new to this forum but I thought I should bring this issue to the attention of the community.

My computer (running XP Pro, quad-core Pentium, 3 GB of RAM, with KIS and Malwarebytes Anti-Malware running and updated regularly) became very sluggish last night. Task Manager and MBM showed very heavy CPU usage of about 90%. Task Manager also showed two instances of firefox.exe running, one with about 140 MB and the other about 8 MB of memory usage.

A search in Mozilla Knowledge Base revealed that Mozilla regarded this problem as a definite malware infection (unless it is caused by a locked profile or misbehaving Firefox extensions/plugins). I followed the instructions in Mozilla KB to pinpoint the problem to no avail. Even after rebooting several times, and not starting Firefox, Task Manager showed firefox.exe running with 8MB of memory print. Full scans of KIS and Malwarebytes Anti-Malware reported nothing harmful.

I killed firefox.exe in Task Manager several times, but it re-appeared in 5-10 seconds. Killing the process by its PID did not help either; it re-spawned. Process Hacker showed that, after killing firefox.exe, a program called reader.exe started and stopped immediately, after which the rogue firefox.exe appeared in the list of processes. The network tab in Process Hacker showed that Firefox was connected to port 1399 of 212.7.208.155. A whois search produced no useful results, nor was there any useful information on reader.exe in search engines.

I located reader.exe in c:\program files\adobe. It was created almost two hours before my computer started acting strangely. Scans by KIS and Malwarebytes Anti-Malware reported a clean file. I uploaded the file to VirusTotal. The report came back clean with the exception of Comodo, which said it looked suspicious. The properties tab showed that the file was version 45.xx.xx, all other fields being filled with gibberish like Mrtvy, hhhh, etc. The file was digitally signed by Internet Widgits Pty Ltd. A Google search revealed that this company was notorious for making up its own security certificate.

I deleted the reader.exe file, which re-appeared almost instantly. I killed explorer.exe, then killed the rogue firefox process in Task Manager, re-started explorer.exe and found that firefox.exe was no longer in the process list.

I re-booted the box, and there it was again, connected to that IP number at port 1399.

I searched the registry and found 3 entries with reader.exe (one in HKLM\Software\Microsoft\Windows\CurrentVersion\Run). I deleted the registry entries, renamed reader.exe and re-booted. A full scan by Malwarebytes Anti-Malware now reported the renamed reader.exe as a trojan agent.

I found this whole episode very unsettling. As I scan and run sandboxed all files downloaded from the Internet, I am at a loss as to how reader.exe found its way into the Adobe directory. Also, I cannot explain why Malwarebytes Anti-Malware did not find anything suspicious until after the registry entries were deleted.

I'm not even sure if this is the correct platform to post this incident, but as I said, I thought I should let the community know about it.
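The two checks that cracked this case in the post above (the Run key pointing at reader.exe, and the respawned firefox.exe whose parent had already exited) can be scripted for triage. The following is an added example, not code from the original post or from BleepingComputer; it assumes Windows PowerShell 3.0 or later with rights to read HKLM and query processes, and it only reads, never modifies, the system. The key names and the note about the certificate subject come from the post; the function names are this example's own.

```powershell
# Added triage script (not from the forum post). Assumes Windows PowerShell 3.0 or later
# running with rights to read HKLM and query processes; nothing here modifies the system.

# The autostart location the post's reader.exe used (HKLM ...\Run) plus its usual siblings.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-AutorunPath {
    # Reduce a Run value such as "C:\dir\app.exe" /silent or C:\dir\app.exe /silent
    # to the bare executable path so its signature can be checked.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

function Get-AutorunReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = Get-ItemProperty -Path $key
        foreach ($prop in $entries.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... provider metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Resolve-AutorunPath $prop.Value))
            $status = 'FileMissing'
            $signer = ''
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                # Status is Valid, NotSigned, HashMismatch, UnknownError (untrusted chain), ...
                $status = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [PSCustomObject]@{ Key = $key; Name = $prop.Name; Path = $exe; Status = $status; Signer = $signer }
        }
    }
}

function Get-OrphanedProcesses {
    # A process whose parent has already exited (in the post: firefox.exe launched by a
    # short-lived reader.exe) shows up as a live PID whose ParentProcessId no longer exists.
    $procs = Get-CimInstance -ClassName Win32_Process
    $livePids = @{}
    foreach ($p in $procs) { $livePids[[int]$p.ProcessId] = $true }
    foreach ($p in $procs) {
        if (-not $livePids.ContainsKey([int]$p.ParentProcessId)) {
            [PSCustomObject]@{
                Pid       = $p.ProcessId
                Name      = $p.Name
                Path      = $p.ExecutablePath
                ParentPid = $p.ParentProcessId
            }
        }
    }
}

# Anything other than 'Valid' deserves a look. A self-signed certificate with a made-up subject
# ("Internet Widgits Pty Ltd" is the default organisation name in OpenSSL's sample config)
# does not chain to a trusted root and therefore never reports Valid.
Get-AutorunReport | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
Get-OrphanedProcesses | Format-Table -AutoSize
```

The orphan list is a starting point, not a verdict: explorer.exe (started by userinit, which exits) and some service hosts legitimately appear there, so the useful signal is an orphan whose executable lives in an unexpected directory or whose signature status is not Valid, which is exactly the combination reader.exe and its firefox.exe child presented.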


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,191 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:38 AM

Posted 24 February 2012 - 10:49 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

Download DDS and save it to your desktop from here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop.

Please just paste the contents of the DDS.txt log in your next post.
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#3 orhank

orhank
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:02:38 PM

Posted 25 February 2012 - 09:19 AM

Uhm, thank you for the reply. I suspected I was posting in the wrong thread. I do not need any assistance at the moment, having successfully killed the runaway firefox.exe and the trojan agent reader.exe and deleted the infected registry keys. I posted merely to let the community know what happened to my XP box and why. But, then again, thank you.

#4 nasdaq

nasdaq

  • Malware Response Team
  • 40,191 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:38 AM

Posted 25 February 2012 - 09:42 AM

Thank you for the feedback.