
Keep getting popup about Firefox update


13 replies to this topic

#1 DuvallBuck


Posted 21 January 2017 - 03:01 PM

I get the fake Firefox screen asking me to update Firefox. I know this is fake but I want to get rid of it popping up all the time. I also get the dreaded infected Windows warning asking me to call a special phone number for help. I've tried to clean this up but I don't like to do much beyond what I understand.

Attached Files





#2 DuvallBuck


Posted 22 January 2017 - 01:05 PM

This is the URL for the website about updating Firefox.

https://aemahapp-kostenlos.org/779841144995/9983790b2fc973ef687179f520da8881/4280c3ceb2ce6288bf61127141780757.html

Mod Edit: Link deactivated. NickAu

Edited by NickAu, 23 January 2017 - 11:23 PM.


#3 shelf life

Malware Response Team

Posted 24 January 2017 - 06:14 PM

hi,

 

Still having the issue? Are the pop-ups happening when you use any browser, or is it just a certain browser? Can you tell if it's only when you're on a certain web site, or is it pretty random?

 

Usually online once or twice per day, so you may not get a response back from me until the following day.


How Can I Reduce My Risk to Malware?


#4 DuvallBuck


Posted 24 January 2017 - 10:10 PM

Thanks for the questions. This happens on Firefox when I first open the browser. There is a redirect to the above URL and the nice-looking, almost official Firefox orange branding and logo landing page. The issue comes and goes and doesn't happen every time. I don't use other browsers, only Firefox. I'm in no hurry because I've programmed computers since 1982, but I can't find out why this keeps popping up. I know better than to click on bogus links. I've run Malwarebytes and Avira, but I know they don't find all the problems. I looked through the FRST and Additions files, but I'm not trained to understand all that is listed, and nothing stood out for me.



#5 shelf life

Malware Response Team

Posted 25 January 2017 - 05:43 PM

OK, thanks for the info. Let's get a download to run first, and if the pop-up is still there you can start disabling the extensions you have installed in Firefox and see if you notice a difference.

 

Please download adwcleaner and save to your desktop.
 
    http://www.bleepingcomputer.com/download/adwcleaner/
 
    Right click AdwCleaner.exe and select "run as admin"
    Accept the disclaimer
    Click on the Scan button.
    Once the scan is done, Click the Clean button
    Press OK when asked to close all programs and follow the on screen prompts.
    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically
    Copy and paste the contents of that logfile in your next reply.
    A copy of that logfile will also be saved in the C:\AdwCleaner folder.




#6 DuvallBuck


Posted 25 January 2017 - 06:00 PM

# AdwCleaner v6.042 - Logfile created 25/01/2017 at 14:52:48
# Updated on 06/01/2017 by Malwarebytes
# Database : 2017-01-25.2 [Server]
# Operating System : Windows 8.1  (X64)
# Username : DuvallBuck_2 - BACKROOM
# Running from : C:\Users\DuvallBuck_2\Downloads\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****



***** [ Files ] *****



***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****



***** [ Web browsers ] *****

[-] [C:\Users\DuvallBuck_2\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\DuvallBuck_2\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [994 Bytes] - [25/01/2017 14:52:48]
C:\AdwCleaner\AdwCleaner[S0].txt - [1318 Bytes] - [25/01/2017 14:49:37]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1139 Bytes] ##########
 



#7 shelf life

Malware Response Team

Posted 27 January 2017 - 09:50 AM

Thanks for the info. We will use FRST to remove some items and reset FF back to its defaults and see if that helps, assuming you're still getting the pop-ups, that is.

 

Copy/paste what's below into Notepad.

Save it as fixlist.txt in the same location you have FRST saved to.

Start FRST like before except this time click on the fix button.

The machine will reboot to finish. Upon restart it will display a new log called fixlog.txt, which you can copy/paste into your reply.

HKU\S-1-5-21-3416462248-3271320636-1147315974-1013\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3416462248-3271320636-1147315974-1013-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AdobeBridge] => [X]
2016-01-20 18:24 - 2016-01-20 18:24 - 0003584 _____ () C:\Users\DuvallBuck_2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-09-15 10:56 - 2015-12-22 19:07 - 0007177 _____ () C:\Users\DuvallBuck_2\AppData\Local\HWVendorDetection.log
2016-01-23 12:48 - 2016-01-23 12:48 - 0004888 _____ () C:\Users\DuvallBuck_2\AppData\Local\recently-used.xbel
C:\Users\DuvallBuck\AppData\Local\Temp\avgnt.exe
C:\Users\DuvallBuck\AppData\Local\Temp\ose00000.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\AcDeltree.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\avgnt.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\jre-8u121-windows-au.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\LiveUpdater.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\Setup-Wacom.exe
C:\Windows\SysWOW64\nsprs.dll
C:\Windows\SysWOW64\serauth1.dll
C:\Windows\SysWOW64\serauth2.dll
Empty Temp:

To "refresh" Firefox:

https://malwaretips.com/blogs/reset-firefox-settings/

 




#8 DuvallBuck


Posted 29 January 2017 - 09:27 PM

I ran the fixlist.txt via FRST for over 4 hours. It processed the first entry at the beginning but didn't do anything after that. Not sure if it was stuck in an infinite loop, but I killed the task. I couldn't close FRST by clicking on the 'X'. Here is what the fixlog.txt has. AdobeBridge is an application from Adobe, avgnt.exe is part of my virus protection software from Avira, Setup-Wacom.exe is for a tablet I use for my digital art hobby, and jre-8u121-windows-au.exe is a Java runtime. Are these possibly malware hidden with fake names to look legitimate?

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-01-2017
Ran by DuvallBuck_2 (29-01-2017 15:32:53) Run:1
Running from C:\Users\DuvallBuck_2\Downloads
Loaded Profiles: DuvallBuck_2 (Available Profiles: DuvallBuck & DuvallBuck_2)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKU\S-1-5-21-3416462248-3271320636-1147315974-1013\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-3416462248-3271320636-1147315974-1013-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AdobeBridge] => [X]
2016-01-20 18:24 - 2016-01-20 18:24 - 0003584 _____ () C:\Users\DuvallBuck_2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-09-15 10:56 - 2015-12-22 19:07 - 0007177 _____ () C:\Users\DuvallBuck_2\AppData\Local\HWVendorDetection.log
2016-01-23 12:48 - 2016-01-23 12:48 - 0004888 _____ () C:\Users\DuvallBuck_2\AppData\Local\recently-used.xbel
C:\Users\DuvallBuck\AppData\Local\Temp\avgnt.exe
C:\Users\DuvallBuck\AppData\Local\Temp\ose00000.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\AcDeltree.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\avgnt.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\jre-8u121-windows-au.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\LiveUpdater.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\Setup-Wacom.exe
C:\Windows\SysWOW64\nsprs.dll
C:\Windows\SysWOW64\serauth1.dll
C:\Windows\SysWOW64\serauth2.dll
Empty Temp:
*****************

HKU\S-1-5-21-3416462248-3271320636-1147315974-1013\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value removed successfully



#9 shelf life

Malware Response Team

Posted 01 February 2017 - 04:36 PM

Sorry for the delay. The FRST script should run within seconds, then reboot your machine. Everything in there is pretty much optional to remove; I don't see any malware-related items. Did you try refreshing FF?

 

 

> malware hidden with fake names to look legitimate?

No, just cleaning up the temp folder by removing some .exe files in there.




#10 DuvallBuck


Posted 02 February 2017 - 01:05 AM

Here is the fixlog.txt. Apparently this line was hanging up.

 

HKU\S-1-5-21-3416462248-3271320636-1147315974-1013-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\...\Run: [AdobeBridge] => [X]

 

So I went to regedit and found the first part that I set to bold above, but couldn't find the last part. When I opened up this email in Firefox, that popup asking me to save the firefox-patch.exe file came up again. It still keeps randomly popping up.

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-01-2017
Ran by DuvallBuck_2 (01-02-2017 21:49:36) Run:3
Running from C:\Users\DuvallBuck_2\Downloads
Loaded Profiles: DuvallBuck & DuvallBuck_2 (Available Profiles: DuvallBuck & DuvallBuck_2)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKU\S-1-5-21-3416462248-3271320636-1147315974-1013\...\Run: [AdobeBridge] => [X]
2016-01-20 18:24 - 2016-01-20 18:24 - 0003584 _____ () C:\Users\DuvallBuck_2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2015-09-15 10:56 - 2015-12-22 19:07 - 0007177 _____ () C:\Users\DuvallBuck_2\AppData\Local\HWVendorDetection.log
2016-01-23 12:48 - 2016-01-23 12:48 - 0004888 _____ () C:\Users\DuvallBuck_2\AppData\Local\recently-used.xbel
C:\Users\DuvallBuck\AppData\Local\Temp\avgnt.exe
C:\Users\DuvallBuck\AppData\Local\Temp\ose00000.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\AcDeltree.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\avgnt.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\jre-8u121-windows-au.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\LiveUpdater.exe
C:\Users\DuvallBuck_2\AppData\Local\Temp\Setup-Wacom.exe
C:\Windows\SysWOW64\nsprs.dll
C:\Windows\SysWOW64\serauth1.dll
C:\Windows\SysWOW64\serauth2.dll
Empty Temp:
*****************

HKU\S-1-5-21-3416462248-3271320636-1147315974-1013\Software\Microsoft\Windows\CurrentVersion\Run\\AdobeBridge => value not found.
C:\Users\DuvallBuck_2\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\HWVendorDetection.log => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\recently-used.xbel => moved successfully
C:\Users\DuvallBuck\AppData\Local\Temp\avgnt.exe => moved successfully
C:\Users\DuvallBuck\AppData\Local\Temp\ose00000.exe => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\Temp\AcDeltree.exe => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\Temp\avgnt.exe => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\Temp\jre-8u121-windows-au.exe => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\Temp\LiveUpdater.exe => moved successfully
C:\Users\DuvallBuck_2\AppData\Local\Temp\Setup-Wacom.exe => moved successfully
C:\Windows\SysWOW64\nsprs.dll => moved successfully
C:\Windows\SysWOW64\serauth1.dll => moved successfully
C:\Windows\SysWOW64\serauth2.dll => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 44280282 B
Java, Flash, Steam htmlcache => 91821 B
Windows/system/drivers => 709846613 B
Edge => 0 B
Chrome => 110321602 B
Firefox => 381180019 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 117090884 B
systemprofile32 => 0 B
LocalService => 30216614 B
NetworkService => 1494 B
DuvallBuck => 11060173 B
DuvallBuck_2 => 12314527726 B

RecycleBin => 20218362594 B
EmptyTemp: => 31.6 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 21:51:54 ====



#11 shelf life

Malware Response Team

Posted 02 February 2017 - 07:01 PM

Did you try disabling any extensions or "refreshing" FF? We will get another download to see if it drags anything up:

 

Please download the free version of RogueKiller.exe and save it to the desktop.


    http://www.bleepingcomputer.com/download/roguekiller/
 
    Follow the prompts to install the software
    Start a scan with the SCAN button. It may take some time to complete
    It will display any threats found. Don't fix anything yet. Not everything it lists is malware. When the scan is finished:
    Click on the Open Report button. In the new window click on Open TXT to show what it found
    Copy/paste that txt in your reply
    Click on the Home button at the top and close RogueKiller
  




#12 DuvallBuck


Posted 02 February 2017 - 08:11 PM

Here is what was produced by RogueKiller.

 

RogueKiller V12.9.6.0 (x64) [Jan 30 2017] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : DuvallBuck_2 [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 02/02/2017 16:17:09 (Duration : 00:39:52)

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 3 ¤¤¤
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5FB020E4-8A91-475B-AF69-DF71E53B2C7B} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Users\DuvallBuck_2\AppData\Local\Temp\InsBA62\Setup.exe|Name=Samsung Universal Print Driver 2 Installer| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {55BD34C5-2090-44E4-B831-33360E74D8BC} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Users\DuvallBuck_2\AppData\Local\Temp\InsBA62\Setup.exe|Name=Samsung Universal Print Driver 2 Installer| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {5B473089-839C-4CCC-B316-B944A3B5A6FF} : v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|App=C:\Users\DuvallBuck_2\AppData\Local\Temp\InsBA62\Setup.exe|Name=Samsung Universal Print Driver 2 Installer| [x] -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ WMI : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST1000DX001-1CM162 +++++
--- User ---
[MBR] c58a03525dc6f176059b4d2e3e6f7ee0
[BSP] bac35f08ba9bd03e77802786ff15b6a4 : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 350 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 718848 | Size: 953517 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: WD 5000BEV External USB Device +++++
--- User ---
[MBR] 8a0110e15fa1a49876a3849131b7e7a9
[BSP] 1343860dbef73a961735f1522ff55311 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )

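The three [Suspicious.Path] hits in the RogueKiller log above are leftover inbound Allow rules for an installer that ran out of a Temp folder. As an added example (not the thread's or RogueKiller's own code), here is a small Python parser for that FirewallRules registry value format which applies the same check, so a defender can review exported rules for the same pattern; the rule strings are constructed samples and the second and third GUIDs are placeholders.

```python
"""Flag Windows firewall rules whose program path lives in a Temp folder."""
import re
from typing import Dict, List, Optional

# Constructed sample values in the HKLM\...\FirewallPolicy\FirewallRules
# format seen in the RogueKiller log above; GUIDs 2 and 3 are placeholders.
SAMPLE_RULES = {
    "{5FB020E4-8A91-475B-AF69-DF71E53B2C7B}":
        "v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|"
        "App=C:\\Users\\DuvallBuck_2\\AppData\\Local\\Temp\\InsBA62\\Setup.exe|"
        "Name=Samsung Universal Print Driver 2 Installer|",
    "{PLACEHOLDER-GUID-2}":
        "v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|"
        "App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox|",
    "{PLACEHOLDER-GUID-3}":
        "v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|"
        "App=C:\\Windows\\Temp\\updater.exe|Name=disabled rule|",
}

# Path fragments that mark a per-user or system temporary directory.
TEMP_PATTERNS = (re.compile(r"\\AppData\\Local\\Temp\\", re.I),
                 re.compile(r"\\Windows\\Temp\\", re.I))
PROTOCOLS = {"6": "TCP", "17": "UDP"}


def parse_rule(value: str) -> Dict[str, str]:
    """Split 'v2.22|Key=Val|...|' into a dict; the leading tag is 'version'."""
    fields: Dict[str, str] = {}
    for part in filter(None, value.split("|")):
        if "=" in part:
            key, _, val = part.partition("=")
            fields[key] = val
        else:
            fields.setdefault("version", part)
    return fields


def is_temp_path(path: Optional[str]) -> bool:
    """True when the program path sits under a Temp directory."""
    return bool(path) and any(p.search(path) for p in TEMP_PATTERNS)


def suspicious_rules(rules: Dict[str, str]) -> List[dict]:
    """Return active Allow rules whose App is in Temp (the idea behind Suspicious.Path)."""
    findings = []
    for guid, raw in rules.items():
        f = parse_rule(raw)
        if f.get("Action") != "Allow" or f.get("Active", "").upper() != "TRUE":
            continue  # disabled or blocking rules are not an exposure
        if is_temp_path(f.get("App")):
            findings.append({"guid": guid, "app": f["App"], "dir": f.get("Dir"),
                             "protocol": PROTOCOLS.get(f.get("Protocol", ""), "?"),
                             "name": f.get("Name", "")})
    return findings
```

A stale rule like this is a cleanup item rather than proof of infection: the installer it names is gone, and deleting the rule removes an allow entry that no longer serves any program.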
 



#13 shelf life

Malware Response Team

Posted 05 February 2017 - 09:50 AM

Don't see anything there to be worried about, or anything in the previous logs that can be pinpointed as the cause.

I would suggest that you completely uninstall Firefox, including data and your profile, reboot, then reinstall it.

 

https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer




#14 DuvallBuck


Posted 05 February 2017 - 06:21 PM

Thanks for your help. I will uninstall Firefox as you suggest.
