Firefox-patch.js Attack Clean-up

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by petman16, Dec 20, 2016.

  1. petman16

    petman16 Private E-2

    Hello.

A relative of mine recently fell foul of a firefox-patch.js attack that tricked them into downloading and running a JavaScript file by claiming it was a critical update to their Firefox browser. I have been asked to clean up their Windows 7 PC and was hoping to get your expert advice on the matter.

    I have followed all steps of your Malware Removal Guide (all scans were run with the computer in either Safe Mode or Safe Mode with Networking), however I must note 2 irregularities that occurred during the process.

    The first is that Malwarebytes always freezes during the scan, so I was unable to complete that step. I have tried running it both in Safe Mode and a normal boot, it makes no difference, and I have let it run a full 24 hours without it advancing another file (that time it froze with 24,260 items scanned). In lieu of a scan log, I am attaching two screenshots of the items it detected on two different attempts before getting stuck (MBscan1.png and MBscan2.png).

    The second is that HitmanPro_x64 crashed whenever I tried to save a .log file to the desktop, however I was able to save the XML formatted log file without any problem. I'm attaching that with linebreaks inserted and changed to a .txt extension.
     

    Attached Files:

  2. petman16

    petman16 Private E-2

    In addition to the rest of the scan logs, I am also attaching a copy of the malicious JavaScript my relative downloaded and ran. The only changes I have made to it are to insert some line breaks and change the file extension to .txt (firefox-patch.txt). I include it in hopes it may shed some light on what was done to this PC.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please do not attach MGlogs.rar files that you created. Only attach the MGlogs.zip file that is automatically created by MGtools. If you have problems running MGtools then please explain what problems you had.

    Let's begin the cleanup by first uninstalling Spybot Search and Destroy which could be getting in our way.
    Then backup your bookmarks >> Export BookMarks

Now uninstall Firefox since it may have been badly infected and it is a good idea to clean up all of the folders for it. Do not reinstall until requested to do so.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    • Make sure that you scroll all the way to the bottom of the code box to get the whole fix!
    Code:
    :Processes
    explorer.exe
    
     
    :Files
    C:\Users\Kris\AppData\Local\iac
    C:\Users\Kris\AppData\Local\IAC
    C:\Users\Kris\AppData\Roaming\Strongvault
    C:\Users\Jim\AppData\LocalLow\AskToolbar
    C:\Program Files (x86)\Conduit
    C:\Program Files (x86)\Coupons
    C:\Program Files (x86)\Mozilla Firefox
    C:\Users\Kris\AppData\Roaming\Mozilla\Firefox
    
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{07CDAAD9-1226-4C6D-B774-C00E7B323484}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{1CAE874F-F5C7-4BCC-BA46-9AD26DF35B93}]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\Conduit]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\ImInstaller]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\AppDataLow\Software\Conduit]
    [-HKEY_CURRENT_USER\Software\Conduit]
    [-HKEY_CURRENT_USER\Software\ImInstaller]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Conduit]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\SearchProtect]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\SEARCHPROTECT]
    [-HKEY_CURRENT_USER\Software\Conduit]
    [-HKEY_CURRENT_USER\Software\AppDataLow\Software\Conduit]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{4C4C7AAB-5854-4241-A414-E2F1EF119C4A}]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\Microsoft\Internet Explorer\SearchScopes\{4BDF4CE8-D64A-448C-A689-5B365D9DA61B}]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\Microsoft\Internet Explorer\SearchScopes\{7556DB20-7925-43F7-BC64-A6242D562F34}]
    [-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\Microsoft\Internet Explorer\SearchScopes\{BAA4FC13-A8C8-47E5-BEA4-056567D6A8E2}]
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes\{4C4C7AAB-5854-4241-A414-E2F1EF119C4A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4BDF4CE8-D64A-448C-A689-5B365D9DA61B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7556DB20-7925-43F7-BC64-A6242D562F34}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BAA4FC13-A8C8-47E5-BEA4-056567D6A8E2}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{4BDF4CE8-D64A-448C-A689-5B365D9DA61B}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{7556DB20-7925-43F7-BC64-A6242D562F34}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{BAA4FC13-A8C8-47E5-BEA4-056567D6A8E2}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, Win7, 8 or 10, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7, Win8 or Win10, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
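The OTM fix above only reports what it moved; a helper still has to confirm nothing it targeted survived before Firefox is reinstalled. The script below is an added example, not part of this thread and not part of OTM: it re-reads entries in OTM's own `:Files` / `:Reg` list format and reports any file, folder or registry key that still exists. Only a representative subset of the fix list is embedded; the remaining lines from the fix can be pasted into the same here-string unchanged. It reads only and never deletes anything. Run it from an elevated PowerShell prompt so HKEY_USERS and HKLM are readable.

```powershell
# Post-cleanup verification for an OTM fix list (added example, not from the thread or OTM).
# Re-uses the :Files and :Reg sections verbatim and reports leftovers; read-only.

# Subset of the fix list posted above; paste the rest in the same format if needed.
$fixList = @'
:Files
C:\Users\Kris\AppData\Local\iac
C:\Users\Kris\AppData\Roaming\Strongvault
C:\Users\Jim\AppData\LocalLow\AskToolbar
C:\Program Files (x86)\Conduit
C:\Users\Kris\AppData\Roaming\Mozilla\Firefox

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}]
[-HKEY_USERS\S-1-5-21-1676323385-812654355-1092481893-1001\Software\Conduit]
[-HKEY_CURRENT_USER\Software\ImInstaller]
[-HKEY_LOCAL_MACHINE\SOFTWARE\SearchProtect]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
'@

$section = $null
$files = New-Object System.Collections.Generic.List[string]
$keys  = New-Object System.Collections.Generic.List[string]

foreach ($raw in ($fixList -split "`r?`n")) {
    $line = $raw.Trim()
    if ($line -eq '') { continue }
    # Lines beginning with ':' switch the OTM section (:Processes, :Files, :Reg, :Commands).
    if ($line.StartsWith(':')) { $section = $line.ToLower(); continue }
    switch ($section) {
        ':files' { $files.Add($line) }
        ':reg' {
            # OTM writes a key to delete as [-HIVE\Path]; strip that wrapper.
            if ($line -match '^\[-(.+)\]$') { $keys.Add($matches[1]) }
        }
    }
}

# OTM tolerates duplicate entries (the posted fix has several); check each target once.
$uniqueFiles = @($files | Select-Object -Unique)
$uniqueKeys  = @($keys  | Select-Object -Unique)
$leftovers   = @()

foreach ($p in $uniqueFiles) {
    # -LiteralPath: brackets in paths would otherwise be treated as wildcards.
    if (Test-Path -LiteralPath $p) { $leftovers += "FILE  $p" }
}
foreach ($k in $uniqueKeys) {
    # The Registry:: provider prefix accepts any hive name, including HKEY_USERS\<SID>,
    # so no extra PSDrive is needed.
    if (Test-Path -LiteralPath "Registry::$k") { $leftovers += "REG   $k" }
}

$total = $uniqueFiles.Count + $uniqueKeys.Count
if ($leftovers.Count -eq 0) {
    Write-Output "All $total cleanup targets are gone."
} else {
    Write-Output "$($leftovers.Count) of $total cleanup targets still present:"
    $leftovers | ForEach-Object { Write-Output "  $_" }
}
```

Anything listed as still present is worth a second look before reinstalling Firefox: a folder that reappears after a reboot points to a scheduled task, service or Run key that recreates it, and a search-scope key that returns means a browser helper is still writing it.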
  4. petman16

    petman16 Private E-2

    Thank you for your assistance.

    I have uninstalled Firefox and Spybot Search & Destroy (in that order; hopefully that isn't a problem) and run the utilities as instructed. Please find the logs attached.

    As to how things are working, I haven't noticed anything wrong with the system itself except for the inability of Malwarebytes to run a scan to completion I mentioned before, so it's hard to say qualitatively whether or not things are fixed.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs look fine. You can try reinstalling Firefox now and Import the saved bookmarks. Then check to make sure that the problems you were previously having with Firefox are gone.

    Malwarebytes could have been having issues with Spybot or potentially Microsoft Security Essentials. Since Spybot is now uninstalled, you can try disabling the Real Time Protection in Microsoft Security Essentials and then running a scan with Malwarebytes.
     
