
Unremoveable fake Firefox extension, ISP warns of bot activity


5 replies to this topic

#1 Aaes

Aaes

  • Members
  • 3 posts
  • Gender:Male
  • Local time:12:43 AM

Posted 03 June 2014 - 12:37 PM

Mod Edit: moved from WIN 7 to the Am I Infected forum ~~ boopme

I received an E-mail from my ISP - Comcast - a few days ago that one of the computers on my network is showing signs of possible bot activity. I scan my computer regularly with Avast, MalwareBytes, Spybot S&D; I also run Comodo and Peerblock, as well as many security extensions. I received the same email again last night (which I read this morning). I have scanned the whole PC and found nothing (well, I found a few things, but they were just bad cookies). Then this morning I opened my browser and was prompted that a program on my computer wanted to install an extension called "Total Browser Security 1.0.7". I saw the owner as Mozilla and it seemed legit so I let it install. Then I immediately got a bad feeling because I recall reading that it's easy to fake a signature, so I went to disable it. I could disable it, but I couldn't remove it from the browser, and when I went through Mozilla's safemode/manual uninstall, the folder for the extension didn't even exist (at least not where it should have been), so it's sitting in my browser disabled. I ran some quick Google searches and there were only 2 pages with someone having the issue; one was unresolved and the other simply said it would be best to get help here on BleepingComputer (the original poster said it was called Total Browser Security 8.1.5, and also stated he/she believed the culprit program was a game called Robot Unicorn they had downloaded (likely from a bogus site), and that every time the game was run, the extension would reinstall (how the heck he/she uninstalled it originally I don't know)). Both posts were from 2012 so it's sort of dated.

It's obviously fake and I feel totally unsafe with it on my PC. I have no idea what program I had downloaded that would have installed bogus extensions for Firefox, as the only thing I downloaded yesterday was "Simple Shutdown Timer", which I've used in the past and which I downloaded from Cnet (direct download, not through the downloader bullsh**, because that has all kinds of third party bogus). I'm not sure if maybe there's been something on my computer for a long time that just now decided to add the extension (considering for a week Comcast has said my internet activity shows signs of bot activity (which could also be the other computer on my wifi, as it's used by children who know nothing of safe browsing practices)). Or if my computer is badly infected with something, since none of my scans have shown anything. Either way I'm frankly scared for my internet safety right now, and I'm running another full scan with Avast and a program I downloaded today called Ad-Aware, and another called SuperAntiSpyware (which found a bunch of cookies and that was all). I also have things like HijackThis and can provide logs and things, I'm just not sure what information you guys need from me.

Simply put, I want to get this extension removed, or at least find the program that added the extension. I've attached a screenshot of the extensions page in the addons manager which shows it's by Mozilla (which it totally is not). Sorry if there is a lack of explanation; I'll be checking back every minute so I can reply with more information promptly. Thanks!

Additionally, I just noticed when I took the screenshot that it states it was updated on the 2nd of June, whereas it installed this morning, the 3rd. Odd.

UPDATE: Avast found something this time! Win32:Adware-Gen, in a microsoftupdate.dll. Deleted and rebooted. Fake extension still in Mozilla though!

UPDATE: The other computer on my home wifi also has 'Total Browser Security' in its extensions. My father says he allowed it a few days ago thinking it was legit. I'm connected to the modem via ethernet, the other computer is on Wifi. The computers aren't on a shared network or anything, so I'm really not sure how both computers were infected within days of each other AND the fact that Comcast thinks we have a bot. This seriously looks bad.
 



Edited by Aaes, 03 June 2014 - 01:27 PM.



 


#2 kaz20

kaz20

  • Members
  • 165 posts
  • Local time:02:43 AM

Posted 03 June 2014 - 01:36 PM

Personally, I would try running Malwarebytes in safe mode.



#3 wpgwpg

wpgwpg

  • Members
  • 1,149 posts
  • Gender:Male
  • Location:US of A
  • Local time:02:43 AM

Posted 03 June 2014 - 01:46 PM

 In addition to running Malwarebytes in Safe Mode as Kaz20 suggests, you could always use System Restore to a date prior to 6/2.


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#4 Aaes

Aaes
  • Topic Starter

  • Members
  • 3 posts
  • Gender:Male
  • Local time:12:43 AM

Posted 03 June 2014 - 01:53 PM

Thanks guys, I can't believe I didn't think of a system restore! As for the Malwarebytes scan, my second FULL scan came up with a few threats this time around (I realized the first time I scanned it was a 'quick' scan), mostly optional PUPs from some install files I still had in my downloads folder, but also something called Malware.Trace.E in a file called apachesrvin.vbs in my appdata/roaming folder. I'm gonna clean 'em up and reboot into safe mode and rescan again to be safe. Will update again if I have some success, otherwise I'm still infected with this fake extension.


Edited by Aaes, 03 June 2014 - 01:59 PM.


#5 Queen-Evie

Queen-Evie

    Official Bleepin' G.R.I.T.S. (and proud of it)


  • Members
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here
  • Local time:01:43 AM

Posted 03 June 2014 - 04:00 PM

Did you check using Am I Botted??

You are correct that when there is a network involved it could be on any computer connected to the network.

Then again, there may be NO bot.

You mentioned getting an email from Comcast:
Unless they changed the wording of the notice, it says
 

Constant Guard from XFINITY identified that one or more of your computers may be infected with a bot.


That does not necessarily mean there is one. Same thing applies if they used the word "POSSIBLE".

They will not be able to tell you which computer "MAY" have a bot.

And in the Comcast help forum, where there are NUMEROUS posts about this, you could be told by an employee (if one happens to stumble upon your post) that they observed signs of likely malware infection. If questioned they will then say you "likely" have a bot.

The notice is tied to your MODEM which is why if there is a network you don't know which computer MAY have a bot.

From cc_adame Comcast National Engineering in the Comcast help forum

 

The notice is tied to your modem

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1466883/highlight/true#M89772


Something using your cable modem is exhibiting the behaviour of a bot.

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1466891/highlight/true#M89773


we're only alerting you because we are seeing activity from *something* behind your modem that is bot traffic. We can't tell you which device it is because that would require us to do Deep Packet Inspection, which nobody wants - we care about your privacy, and will not do that.

I recommend you contact CSA, who can further assist you with figuring out which device behind your modem is infected and can remove the notice.

Normal business hours (6:00 am to 2:00 am EST, 7 days a week) 888-565-4329

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1467167/highlight/true#M89784


First aid following a botnet notice is to run a full scan with your AV software. If that comes up clean, try the free version of Malwarebytes Anti-Malware.

Do those scans, wait 24 hours and then check Am I Botted? again. You will need to scan ALL computers in your house.
(if you get curious you can check before then)

At this point in time don't panic and don't worry about it too much. If Am I Botted keeps saying you are, THEN you can do whatever it takes to determine whether it's fact or fiction. The malware removal folks here at Bleeping Computer will be glad to help you.
 

1) Going to the amibotted does not rescan, it just reports that they saw activity in the last 24-26 hours.
2) Comcast clears the "you are botted" message after a few hours, so if you wait 27-30 hours the website will say you do not have a bot until the magical bot activity is seen again.

http://forums.comcast.com/t5/Security-and-Anti-Virus/constant-guard-alert-bot/m-p/1559963/highlight/true#M91304


You may or may not have used the so-called self-help guide. This is totally useless and won't do anything to help you determine IF there is a bot and on which computer. The procedures do not show any infections/malware. It will want you to download and install the Constant Guard Protection Suite, which includes Norton Security.

I got one of those you may be botted emails in Feb. 2013. I did scan 2 of the 4 computers on my network and scans came up clean. After that I decided to wait the 24 hours and check again. When I did Am I Botted said all clear.

Edited by Queen-Evie, 03 June 2014 - 04:03 PM.


#6 Aaes

Aaes
  • Topic Starter

  • Members
  • 3 posts
  • Gender:Male
  • Local time:12:43 AM

Posted 03 June 2014 - 06:23 PM

Awesome! Thanks everyone, I've cleaned out my system and have successfully removed the fake Firefox extension after some registry tweaks so as to keep it uninstalled.

For the Bot issue, Am I Botted shows I have 2 Infections. I will begin scanning and cleaning the other computer today and will check back with Am I Botted 24 hours from when I consider the other computer to be clean.

If by Thursday I continue to show Bot activity I will open a new thread to address the issue, thanks again everyone for your help!
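
Added example, not part of any post in this thread and not BleepingComputer's or Mozilla's code: a small audit of a Firefox profile's `extensions.json` that lists add-ons installed from outside the profile, which is the situation described above (an extension with no folder in the profile that only stayed gone after registry changes). The field names (`addons`, `location`, `path`, `foreignInstall`, `defaultLocale`) and the `winreg-*` location values are assumptions about that file's layout, and the sample data, add-on IDs and paths are constructed.

```python
import json
from pathlib import PureWindowsPath

# Constructed sample shaped like a profile's extensions.json; the add-on IDs,
# paths and profile name are made up for illustration.
PROFILE = r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default"
SAMPLE = json.dumps({"addons": [
    {"id": "adblocker@example.org", "location": "app-profile",
     "path": PROFILE + r"\extensions\adblocker@example.org.xpi",
     "foreignInstall": False, "userDisabled": False,
     "defaultLocale": {"name": "Ad Blocker", "creator": "Example Dev"}},
    {"id": "tbs@placeholder.invalid", "location": "winreg-app-user",
     "path": r"C:\ProgramData\tbs\ext",
     "foreignInstall": True, "userDisabled": True,
     "defaultLocale": {"name": "Total Browser Security", "creator": "Mozilla"}},
]})

# Install locations used by add-ons that ship with Firefox itself (assumed list).
BUILTIN = {"app-builtin", "app-system-defaults"}


def audit_addons(extensions_json, profile_dir):
    """Return add-ons that were installed from outside the profile, with reasons."""
    profile = PureWindowsPath(profile_dir)
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        location = addon.get("location", "")
        if location in BUILTIN:
            continue
        reasons = []
        if location.startswith("winreg-"):
            reasons.append("registered through the Windows registry")
        elif location != "app-profile":
            reasons.append("install location is " + repr(location))
        path = addon.get("path") or ""
        if path and profile not in PureWindowsPath(path).parents:
            reasons.append("files live outside the profile folder")
        if addon.get("foreignInstall"):
            reasons.append("installed by another program, not by the user")
        if reasons:
            locale = addon.get("defaultLocale") or {}
            findings.append({"id": addon.get("id"), "name": locale.get("name"),
                             "claimed_author": locale.get("creator"), "path": path,
                             "disabled": bool(addon.get("userDisabled")),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_addons(SAMPLE, PROFILE), indent=2))
```

The author shown in the Add-ons Manager is whatever the extension declares about itself, so the report prints it as `claimed_author` next to the path where the files actually live.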





