Posted 19 February 2012 - 10:24 AM
I am new to this forum but I thought I should bring this issue to the attention of the community.
My computer (running XP Pro, Quadcore Pentium, 3 gigs of RAM, with KIS and Malwarebytes Anti-Malware running and updated regularly) became very sluggish last night. Task Manager and MBM showed very heavy CPU usage of about 90%. Task Manager also showed two instances of firefox.exe running, one with about 140 MB and the other about 8 MB of memory usage.
A search in Mozilla Knowledge Base revealed that Mozilla regarded this problem as a definite malware infection (unless it is caused by a locked profile or misbehaving Firefox extensions/plugins). I followed the instructions in Mozilla KB to pinpoint the problem to no avail. Even after rebooting several times, and not starting Firefox, Task Manager showed firefox.exe running with 8MB of memory print. Full scans of KIS and Malwarebytes Anti-Malware reported nothing harmful.
I killed firefox.exe in Task Manager several times but it re-appeared in 5-10 seconds. Killing the process with its PID did not help either; it re-spawned. Process Hacker showed that, after killing firefox.exe, a program called reader.exe started and stopped immediately, after which the rogue firefox.exe appeared in the list of processes. The network tab in Process Hacker showed that Firefox was connected to port 1399 of 188.8.131.52. A whois search produced no useful results, nor was there any useful information on reader.exe in search engines.
I located reader.exe in c:\program files\adobe. It was created almost two hours before my computer started acting strangely. Scans by KIS and Malwarebytes Anti-Malware reported a clean file. I uploaded the file to Virus Total. The report came clean with the exception of Comodo which said it looked suspicious. The properties tab showed that the file was version 45.xx.xx, all other fields being filled with gibberish like Mrtvy, hhhh, etc. The file was digitally signed by Internet Widgits Pty Ltd. A Google search revealed that this company was notorious for making up its own security certificate.
I deleted the reader.exe file, which re-appeared almost instantly. I killed explorer.exe, then killed the rogue firefox process in Task Manager, re-started explorer.exe and found that firefox.exe was no longer in the process list.
I re-booted the box, and there it was again, connected to that IP number at port 1399.
I searched the registry and found 3 entries with reader.exe (one under HKLM\Software\Microsoft\Windows\CurrentVersion\Run). I deleted the registry entries, renamed reader.exe and re-booted. A full scan by Malwarebytes Anti-Malware now reported the renamed reader.exe as Trojan.Agent.
I found this whole episode very unsettling. As I scan, and run sandboxed, all files downloaded from the Internet, I am at a loss as to how reader.exe found its way into the Adobe directory. Also, I cannot explain why Malwarebytes Anti-Malware did not find anything suspicious until after the registry entries were deleted.
I'm not even sure if this is the correct platform to post this incident, but as I said, I thought I should let the community know about it.
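The post describes a manual triage that a defender can turn into a repeatable check: a well-known process name running from the wrong path, a Run-key autorun whose binary carries an untrusted signer, an established connection from a "browser" to a non-web port, and a parent/child chain where the untrusted autorun binary is the parent of the re-spawning process. The script below is an added example, not code from the poster or from any of the tools mentioned; it runs the four checks over a constructed snapshot (process list, TCP table and Run-key entries) modelled on the symptoms in the post. The expected install path for firefox.exe, the trusted-signer allowlist, the signer strings and the rogue file's path are all assumptions made for the example; on a real host the snapshot would come from Process Hacker, netstat or an autoruns export.

```python
"""Triage a host snapshot for the re-spawning masquerade pattern
(constructed sample data; the allowlists below are assumptions)."""
from collections import namedtuple

Process = namedtuple("Process", "pid ppid name path signer")
Conn = namedtuple("Conn", "pid remote_ip remote_port state")
Autorun = namedtuple("Autorun", "key value command")

# Constructed snapshot modelled on the post; not real forensic data.
PROCESSES = [
    Process(4, 0, "System", "", "Microsoft Corporation"),
    Process(1200, 4, "explorer.exe", r"c:\windows\explorer.exe", "Microsoft Corporation"),
    Process(1900, 4, "avp.exe", r"c:\program files\kaspersky lab\avp.exe", "Kaspersky Lab"),
    Process(2100, 1200, "firefox.exe", r"c:\program files\mozilla firefox\firefox.exe", "Mozilla Corporation"),
    Process(2450, 1200, "reader.exe", r"c:\program files\adobe\reader.exe", "Internet Widgits Pty Ltd"),
    # Assumed location of the rogue copy; the post does not give its path.
    Process(2512, 2450, "firefox.exe", r"c:\program files\adobe\firefox.exe", "Internet Widgits Pty Ltd"),
]
CONNECTIONS = [
    Conn(2100, "93.184.216.34", 443, "ESTABLISHED"),   # constructed benign HTTPS session
    Conn(2512, "188.8.131.52", 1399, "ESTABLISHED"),   # the connection reported in the post
]
AUTORUNS = [
    Autorun(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Reader", r"c:\program files\adobe\reader.exe"),
    Autorun(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "KIS", r"c:\program files\kaspersky lab\avp.exe"),
]

# Assumed baselines: where a legitimate copy of each well-known binary lives,
# which signers are trusted, and which remote ports a browser normally uses.
EXPECTED_PATHS = {"firefox.exe": {r"c:\program files\mozilla firefox\firefox.exe"}}
TRUSTED_SIGNERS = {"Microsoft Corporation", "Mozilla Corporation",
                   "Adobe Systems Incorporated", "Kaspersky Lab"}
BROWSER_PORTS = {80, 443}


def masquerading(procs):
    """Well-known process name running from a path other than its install location."""
    return [p for p in procs
            if p.name.lower() in EXPECTED_PATHS
            and p.path.lower() not in EXPECTED_PATHS[p.name.lower()]]


def untrusted_autoruns(autoruns, procs):
    """Run-key entries whose target binary is not signed by a trusted publisher."""
    signer_by_path = {p.path.lower(): p.signer for p in procs if p.path}
    hits = []
    for a in autoruns:
        signer = signer_by_path.get(a.command.lower(), "<unknown>")
        if signer not in TRUSTED_SIGNERS:
            hits.append((a, signer))
    return hits


def odd_connections(conns, procs):
    """Established connections from a browser-named process to a non-web port."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for c in conns:
        p = by_pid.get(c.pid)
        if p is None or c.state != "ESTABLISHED":
            continue
        if p.name.lower() in EXPECTED_PATHS and c.remote_port not in BROWSER_PORTS:
            hits.append((p, c))
    return hits


def watchdog_chains(procs, flagged):
    """Flagged process whose parent is untrusted: the re-spawn (watchdog) pattern."""
    by_pid = {p.pid: p for p in procs}
    chains = []
    for child in flagged:
        parent = by_pid.get(child.ppid)
        if parent is not None and parent.signer not in TRUSTED_SIGNERS:
            chains.append((parent, child))
    return chains


def triage(procs=PROCESSES, conns=CONNECTIONS, autoruns=AUTORUNS):
    """Run all four checks and return plain tuples suitable for a report."""
    flagged = masquerading(procs)
    return {
        "masquerading": [(p.pid, p.path) for p in flagged],
        "untrusted_autoruns": [(a.value, a.command, s) for a, s in untrusted_autoruns(autoruns, procs)],
        "odd_connections": [(p.pid, c.remote_ip, c.remote_port) for p, c in odd_connections(conns, procs)],
        "watchdog_chains": [(par.name, par.pid, ch.name, ch.pid) for par, ch in watchdog_chains(procs, flagged)],
    }


if __name__ == "__main__":
    for check, hits in triage().items():
        print(f"{check}: {hits}")
```

On the constructed snapshot every check fires on the same pid 2512 / reader.exe pair, which is the point: no single indicator is conclusive (a legitimate portable Firefox also runs from an unexpected path), but a process that is mis-located, parented by an untrusted autorun binary and talking to a non-web port is worth isolating before the AV signatures catch up.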