firefox.exe always open

User Help for Mozilla Firefox
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post by the-edmeister »

RenegadeX wrote: Is this a random coincidence or is this a significant find?
There have been literally dozens of reports of lost bookmarks after the 2.0 update, and until now I have not seen anything that indicated why this is happening. If this user's comments can be taken at face value, they seem to suggest that bookmarks may be lost when 2.0 installs while a firefox.exe process is still running. And if the user was infected by a 'Poison Ivy'-type trojan, then we can almost certainly say that a firefox.exe process was running in the background without their knowledge....
Might not be a bad idea to edit the Lost Bookmarks KB article to include a link to the KB article about "Firefox.exe always open".
http://kb.mozillazine.org/Lost_bookmark ... on_Windows
Possible connection?
https://bugzilla.mozilla.org/show_bug.cgi?id=357922#c4

As I said weeks ago, I have a hunch that we may be seeing the start of a big problem. Lost bookmarks with a 2.0 upgrade - connected to whatever has been happening with the localstore.rdf that seemed to start around the time that 1.5.0.5 was released? Or do that many users have one of these infections and just don't realize it yet because the AV program they are running doesn't look for those exploits?


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
bastrozombie
Posts: 2
Joined: November 7th, 2006, 6:36 pm
Location: Canada

Post by bastrozombie »

Just wanted to share my experience with this problem:

I had a similar issue with firefox.exe appearing in the task manager at startup. I first noticed this when I installed FF2. After fixing the lost bookmarks issue, I noticed that FF2 would periodically hang up and I would be forced to reboot (couldn't access tskmgr). I came to this forum looking for advice and noticed the posts regarding two instances of firefox.exe in the processes list. Sure enough, this is what was happening to me. One instance of the process was loading at startup, and the other appeared when I opened FF2 on my own (leading to conflict and system hang, I guess). FF is set as my default browser, so I changed it to IE, and sure enough, iexplorer.exe was loading at startup instead of FF!!

I run Norton AV and nothing was showing up on scans, nor with Ad-Aware or Defender. I noticed from an earlier post that a backdoor/trojan was showing up with AntiVir (among others), so I tried running it and presto: it flagged two files in my Windows system folder as being infected with BDS/Bifrose.ZtB:

C:\WINDOWS\system32\winlogin32.exe
[DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Bifrose.ZtB Backdoor server programs

C:\System Volume Information\_restore{DAAD8284-5896-4B40-A753-8454BDC2E5A5}\RP323\A0038840.exe
[DETECTION] Contains a signature of the (dangerous) backdoor program BDS/Bifrose.ZtB Backdoor server programs



After quarantining these files, the phantom browser.exe no longer appears at startup

I'm apparently supposed to delete the winlogin32.exe from the registry (which is definitely there), but I'm scared about messing with my registry. Is winlogin32.exe normally a legit process? If it is, will deleting it make it worse? I've backed up my registry but I'm scared to finish the job!!

Thoughts? suggestions?

thx,
Scott
old FatJohn

Post by old FatJohn »

If you already quarantined the file (moved it away and possibly renamed it), the registry entry doesn't point to the file, and the only drawback of having it there is that it clogs your registry a tiny weeny bit. On the other hand, especially since you say you've backed up your reg, there really is no harm in trying to edit it. Just don't monkey around there, but instead surgically remove the offending key/branch. I don't think there's a legit process with that name. Tried googling for it, but all I came up with was malware. Either way, there's no problem. The real problem is the fact that there are viruses and other malware to begin with. Myself, I use Ubuntu GNU/Linux and can forget about all those issues.
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

The file 'winlogin32.exe' is a FAKE and can be deleted safely.

It is a spoof on the legit file 'winlogon32.exe' - the idea being that most people won't notice the slight difference in name in either their Task Manager (if it hasn't hidden itself when it executes) or their Windows\system32 directory.
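A check for the name trick RenegadeX describes, as an added example that is not part of the thread: the legitimate Windows logon process is winlogon.exe and it runs from C:\WINDOWS\system32, so a file called winlogin32.exe is one changed letter plus a "32" suffix away from it. The Python script below is mine, not any poster's; the process table, logon time and Run-key entries in it are constructed to mirror what the thread reports (a winlogin32.exe in system32, a firefox.exe already running at startup, a Run entry pointing at the fake) and stand in for what Task Manager, a directory listing and regedit would show. It flags names within one edit of a known system binary once trailing digits are stripped, legitimate names running from the wrong directory, a browser process that started before the user logged on, and autostart entries whose target is such a lookalike. The list of imitated names and the edit-distance threshold are my choices, not anything the thread specifies.

```python
"""Triage a Windows process list and autostart (Run key) entries for the
lookalike-name trick discussed in the thread: a backdoor dropped as
winlogin32.exe so that it blends in with the real winlogon.exe.

Added example, not code from the thread. The process table, logon time and
Run-key entries below are constructed sample data, not output captured from
any poster's machine.
"""
import ntpath
import shlex
from dataclasses import dataclass
from datetime import datetime

# Legitimate Windows processes that malware commonly imitates, with the
# directory each one is supposed to run from. winlogon.exe has no "32" variant.
LEGIT = {
    "winlogon.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "smss.exe": r"c:\windows\system32",     "lsass.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",  "explorer.exe": r"c:\windows",
}
BROWSERS = {"firefox.exe", "iexplore.exe"}


@dataclass
class Proc:
    pid: int
    name: str
    path: str
    started: datetime


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str, max_dist: int = 1):
    """Return the legitimate name that `name` imitates, or None.

    An exact legitimate name is never a lookalike. Trailing digits are
    stripped before comparing, because appending "32" or "64" to a system
    name is the usual trick (winlogin32 -> winlogin, one edit from winlogon).
    """
    n = name.lower()
    if n in LEGIT:
        return None
    stem = (n[:-4] if n.endswith(".exe") else n).rstrip("0123456789")
    best = None
    for legit in LEGIT:
        d = edit_distance(stem, legit[:-4])
        if d <= max_dist and (best is None or d < best[1]):
            best = (legit, d)
    return best[0] if best else None


def triage(procs, run_keys, logon_time):
    """Return (kind, subject, detail) findings for the signs seen in the
    thread: spoofed names, system binaries in the wrong directory, a browser
    already running before the user logged on, and autostart entries that
    launch a lookalike."""
    findings = []
    for p in procs:
        n = p.name.lower()
        imitated = lookalike_of(n)
        if imitated:
            findings.append(("lookalike", p.name, f"imitates {imitated}, pid {p.pid}"))
        elif n in LEGIT and ntpath.dirname(p.path.lower()) != LEGIT[n]:
            findings.append(("wrong-dir", p.name, f"runs from {p.path}, pid {p.pid}"))
        if n in BROWSERS and p.started < logon_time:
            findings.append(("pre-logon", p.name, f"pid {p.pid} started {p.started:%H:%M:%S}"))
    for key, cmd in run_keys.items():
        # posix=False keeps backslashes and quotes intact for Windows paths
        exe = ntpath.basename(shlex.split(cmd, posix=False)[0].strip('"')).lower()
        imitated = lookalike_of(exe)
        if imitated:
            findings.append(("autostart", key, f"{cmd} imitates {imitated}"))
    return findings


# Constructed sample data (not from any poster's machine).
LOGON = datetime(2006, 11, 7, 18, 30, 0)
SAMPLE_PROCS = [
    Proc(604, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe", datetime(2006, 11, 7, 18, 29, 10)),
    Proc(1012, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe", datetime(2006, 11, 7, 18, 29, 12)),
    Proc(1480, "winlogin32.exe", r"C:\WINDOWS\system32\winlogin32.exe", datetime(2006, 11, 7, 18, 29, 40)),
    Proc(1512, "firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe", datetime(2006, 11, 7, 18, 29, 45)),
    Proc(1640, "svchost.exe", r"C:\WINDOWS\svchost.exe", datetime(2006, 11, 7, 18, 31, 0)),
    Proc(2208, "firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe", datetime(2006, 11, 7, 18, 41, 2)),
]
SAMPLE_RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon": r'"C:\WINDOWS\system32\ctfmon.exe"',
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Logon": r'"C:\WINDOWS\system32\winlogin32.exe"',
}

if __name__ == "__main__":
    for kind, subject, detail in triage(SAMPLE_PROCS, SAMPLE_RUN_KEYS, LOGON):
        print(f"{kind:10} {subject:18} {detail}")
```

On a live machine the same logic runs over the output of `tasklist /v`, a listing of `%SystemRoot%\system32`, and the `Run` keys under `HKLM` and `HKCU`; the pre-logon check is what separates the phantom firefox.exe started by the backdoor from the copy the user launched.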
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

the-edmeister wrote: As I said weeks ago, I have a hunch that we may be seeing the start of a big problem. ...that seemed to start around the time that 1.5.0.5 was released?

I've been wondering too. I have a problem on a Win98SE computer that started with 1.5.0.7 and continued with version 2. So I reverted to 1.5.0.6 and it continued, even with a new profile.

The problem is that Fx frequently hangs on startup, and each time I start it I get a ghost process. The same can happen with Eudora, and my AV update sometimes stops and cannot be terminated normally. I have been unable to find the problem, although most of the detection tools do not run on Win98.

I don't know if this is the same problem, but it's suspect. I mention it to note that other programs appear to be affected too. The system has been completely healthy until now.

Hmm... I wonder why most AV tools don't find it? Protected by a rootkit? Or do they just not look for the right kinds of malware?
Last edited by VanillaMozilla on November 8th, 2006, 7:26 am, edited 1 time in total.
old FatJohn

Post by old FatJohn »

Or just a new variant. The good guys are always behind in this silly rat race. Fortunately I'm not part of it any more.
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

My AV signatures are renewed daily. This has been going on for weeks or months.
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

But I have to wonder, if there is malware, why ZoneAlarm hasn't caught it phoning home.
old FatJohn

Post by old FatJohn »

If your box is compromised, there are ways around ZA or anything else on your box.
bastrozombie
Posts: 2
Joined: November 7th, 2006, 6:36 pm
Location: Canada

Post by bastrozombie »

Thanks to FatJohn and RenegadeX for their advice. I suppose I may have brought this on myself, really. A few months back, I got tired of ZoneAlarm taking up my precious system resources, and decided to fly solo using only the Windows Firewall (foolishly thinking it would suffice).

Now that I've had this issue with the trojan, I've reinstalled ZA. I'm now getting repeated alerts about blocked attempts by my computer to access the internet (UDP packets) through a range of ports (1041-1741). The DNS address (64.59.144.16) is to my cable internet provider. Is this normal activity? I'm pretty paranoid now!

Also just found a winlogin32.dat file in my system32 folder. I suppose I should delete this too, yes?

cheers,
Scott
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

Yeah, maybe. But how the heck can anyone catch this?
old FatJohn

Post by old FatJohn »

bastrozombie, if my box got pwned I'd do a full system reinstall. That way I'd be able to sleep at night again. I don't know about that file. Neither does Google.

VanillaMozilla, I guess one could catch something using an external proxy to see what really happens.
VanillaMozilla
Posts: 13808
Joined: November 7th, 2005, 11:26 am

Post by VanillaMozilla »

Hmmm... Not a bad idea. A proxy will catch outgoing info and report back to me? I'm not sure how that works. Can you suggest one?

I don't know if my Linksys WRT54GL router will log that stuff, but I'll try.
old FatJohn

Post by old FatJohn »

I'm not too familiar at all with that. Maybe somebody else would provide the details. I just noticed you've got the legendary router. Seen this http://en.wikipedia.org/wiki/WRT54G#Thi ... e_projects ?

That might help you accomplish it if the thing doesn't do it with the original firmware. (You know what they say about Linux geeks... :mrgreen:)
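Two questions from the last few posts can be answered from an exported connection log: whether the blocked UDP packets bastrozombie sees from ports 1041-1741 to his provider's DNS address are normal, and how a backdoor "phoning home" would show up in the kind of log an external proxy or a router would keep, where the compromised host cannot hide it. The Python below is an added example, not code from the thread or from ZoneAlarm. Its log lines are constructed to resemble a ZoneAlarm-style export; they are not the poster's real log, and they assume the UDP packets he describes were sent to port 53 on 64.59.144.16, which his post does not state. 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for real destinations, and the beacon threshold (four contacts, under 10% timing jitter) is my choice.

```python
"""Triage an exported firewall/router connection log for two questions from
the thread: are blocked UDP packets from source ports 1041-1741 to the ISP's
DNS server normal, and how does a backdoor "phoning home" stand out.

Added example, not code from the thread. SAMPLE_LOG is constructed to look
like a ZoneAlarm-style export (one outbound packet or connection per line);
it is not any poster's real log. 203.0.113.10 and 198.51.100.7 are
documentation addresses standing in for real destinations.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "date time proto src_port dst_ip dst_port action".
SAMPLE_LOG = """\
2006-11-08 19:00:01 UDP 1041 64.59.144.16 53 blocked
2006-11-08 19:00:07 UDP 1042 64.59.144.16 53 blocked
2006-11-08 19:00:30 TCP 1043 203.0.113.10 81 allowed
2006-11-08 19:01:12 UDP 1044 64.59.144.16 53 blocked
2006-11-08 19:01:30 TCP 1045 203.0.113.10 81 allowed
2006-11-08 19:02:30 TCP 1046 203.0.113.10 81 allowed
2006-11-08 19:02:55 TCP 1047 198.51.100.7 80 allowed
2006-11-08 19:03:30 TCP 1048 203.0.113.10 81 allowed
2006-11-08 19:04:30 TCP 1049 203.0.113.10 81 allowed
2006-11-08 19:04:41 UDP 1050 64.59.144.16 53 blocked
"""
# The resolver the poster said belongs to his cable provider.
RESOLVERS = {"64.59.144.16"}
# Dynamic (client-side) source ports on a Windows XP-era stack, roughly.
EPHEMERAL = range(1024, 5000)


def parse(text):
    """Parse the sample format into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, proto, sport, dst, dport, action = line.split()
        rows.append({"ts": datetime.fromisoformat(f"{date} {time}"), "proto": proto,
                     "sport": int(sport), "dst": dst, "dport": int(dport), "action": action})
    return rows


def classify(rows, resolvers=RESOLVERS):
    """Split records into ordinary DNS lookups and everything else.

    A DNS query is UDP to port 53 on a configured resolver from an ephemeral
    source port. Source ports like 1041-1741 are the client side of such
    queries, handed out by the OS one after another; they are not ports the
    machine is listening on.
    """
    dns, other = [], []
    for r in rows:
        is_dns = (r["proto"] == "UDP" and r["dport"] == 53
                  and r["dst"] in resolvers and r["sport"] in EPHEMERAL)
        (dns if is_dns else other).append(r)
    return dns, other


def find_beacons(rows, min_count=4, max_jitter=0.1):
    """Report destinations contacted at a nearly constant interval.

    Groups connections by (dst_ip, dst_port, proto) and flags groups whose
    gaps between connections vary by at most max_jitter of their mean: the
    timing signature of a backdoor polling its controller, visible in a
    router or external proxy log even when the host itself hides it.
    Returns {(dst_ip, dst_port, proto): period_seconds}.
    """
    by_dst = defaultdict(list)
    for r in rows:
        by_dst[(r["dst"], r["dport"], r["proto"])].append(r["ts"])
    beacons = {}
    for key, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[key] = period
    return beacons


if __name__ == "__main__":
    dns, other = classify(parse(SAMPLE_LOG))
    print(f"{len(dns)} DNS queries to configured resolvers (expected traffic)")
    for (dst, dport, proto), period in find_beacons(other).items():
        print(f"beacon: {proto} {dst}:{dport} every {period:.0f}s")
```

The DNS traffic in the sample is irregular and goes to the known resolver, so it is set aside; the connections to 203.0.113.10:81 arrive exactly sixty seconds apart and are what a periodic check-in looks like. Timing alone is a heuristic (an auto-updater polls on a schedule too), so the destination still has to be checked, but it narrows a day of log lines to a handful of places worth looking at.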
VinDSL
Posts: 484
Joined: June 17th, 2004, 9:56 am
Location: Arizona (USA). Site Admin: Disipal Site, Nuke Cops, Lenon.com

Post by VinDSL »

FatJohn wrote:...there are ways around ZA or anything else on your box.

One thing I might mention...

If you use ZoneAlarm (I've used it since Day 1, just like Phoenix/Firebird/Firefox) -- be sure to run TeaTimer (part of Spybot S&D)!

ZA catches suspicious outgoing packets -- TT catches suspicious changes to Windows Registry.

Working together, they're a deadly combination!!! ;)

BTW, TeaTimer.exe has a bug in it that keeps the notification window from displaying properly (in English). I've patched it...

If you would like a copy of my patched TeaTimer executable: http://www.lenon.com/download/TeaTimer.zip