firefox.exe always open

User Help for Mozilla Firefox
Flash (Guest)
Guest

Post by Flash (Guest) »

I have found another variation of this keylogger and thx to your info here I was able to, hopefully at least, eliminate it! It installed a file called slrund.exe in C:\WINDOWS. And logged all keystrokes to a file called slrund in the same directory. None of the virus checks at the virustotal.com site was able to identify this program as a virus, most disturbing indeed.

Anyway, it was easy to remove thx to the method you mentioned here. It also seemed to mess with my ZoneAlarm; it seemed to stop some of the security alerts that ZA pops up when a program wants to access the web. It just “locked” up the whole of XP and the system had to be restarted, since it was not possible to open or access any windows at all. Thanks again for your help!
Flash (Guest)
Guest

Post by Flash (Guest) »

... and another thing, it never seemed to "call home". I just stumbled across the keylogger when trying to fix my ZA problems. It must have tried to get me to disable ZA before it would try to send its information. Anyway, thought someone might find this information useful...
Rokroland
Guest

Another variant causing dual Firefox processes

Post by Rokroland »

Hello,

thanks to this forum I was able to track down my problem with dual firefox.exe processes. My variant lives in C:\Windows\Rundll32.exe and apparently stores its data into a file called plugin1.dat in the same folder.

How I got this worm, I really don't know. It's been hanging around my hard drive for over a month now, it would seem. How I discovered this was strange problems with my keyboard: the keys ¨ and ^, which are supposed to wait for the next key to be pressed to produce, say, a ô symbol, instantly generated two occurrences (i.e. ^^ with a single key press).

Now I'm thinking how I got it, and more importantly what passwords to change... I probably should change all of them but there's just too many systems, sites and passwords to possibly remember to change all of 'em.

Also, now I feel dirty, like I've been violated. I'm gonna take better care of my personal data security from now on.
VinDSL
Posts: 484
Joined: June 17th, 2004, 9:56 am
Location: Arizona (USA)

Post by VinDSL »

As an aside, I talk to the 'IT' guys at work, from time-to-time... they're an odd lot!

Anyway, one of these 'IT' guys told me keyloggers are the #1 problem they run across in our workplace...

Who knows where they come from, but they're the bane of our organization these days! ;)
Flash (Guest)
Guest

Post by Flash (Guest) »

I got mine on a freshly built machine, same day as I installed XP SP2 on a newly formatted drive. The problem started after I installed Firefox 2, maybe Firefox isn't that safe any more hmmm....
PJR
Posts: 24
Joined: January 24th, 2004, 12:00 am

Post by PJR »

Try installing Adobe Flash Player even if you block the damn thing from working.

I tried everything posted above to no avail and purely by chance found that installing flash player did the trick. I use Adblock Plus to block flash player and this is apparently "acceptable".

Adobe Flash Player: http://www.adobe.com/
CBS
Guest

Post by CBS »

Thank you all for telling me how to get rid of this problem. No virus scan could find it.

I had to boot in safe mode and take out the key that contained slrund.exe.

Then I searched for all files with slrund in the name and deleted them.

Now I don't have the fake firefox, my computer is no longer shutting down, I can update windows, and play my MOMPRG.

Thanks again guys!
x2Fusion
Guest

PI - Programmer...

Post by x2Fusion »

Hello all I would like to say via things I have seen here.

I was one of the lead devs on Poison Ivy. Yes, it's what you are talking about, but you don't know that,
I will in some way help you...

There is only one way to remove this remote-admin/Trojan...
That is to remove the stub in the reg, as some have found out, but it also hijacks explorer.exe.
So this means firefox.exe (or IE, if it is your default) is started but hidden. That was my idea, to actually trick the person so the lead is off explorer.exe.

Now if you have to go in to both these to search..

WINDOWS <- Windows XP ;D Yes
System32

Now in there, if you find a file that is looking highly strange, like SYS.exe or say SYS.com and so on, that is what you're going to be on the lookout for. Well, not the same name, as we made it so anyone can change the name and so on.

Rightyo... there is also a logfile, usually with the same name. This will be the keylog; if you look at it you will know when you were infected.

Now when you got rid or think you have got rid of the file do this...

Delete explorer.exe (to find it, do a search of the name).
When that's gone, something like 5 secs after, it will show again as a new copy that is backed up.
Now restart and be happy.

=D
Guest
Guest

Post by Guest »

RenegadeX wrote:
alteredcarbon167 wrote: my first thought is that based upon your scant details offered here, your system may or may not be hijacked.
Funny, I came to the same conclusion, but I'm leaning more on the 'not' side.. :lol:

Try this first ...
Open Task Manager and make sure firefox.exe is not still running (do an "End Process").
Go to your Firefox install directory, and look for a folder called "updates".
Delete it.

Start Firefox. If ok, do "Check for Updates".
If Updates are found, install. Restart.
Regardless, close & restart to check if ok now.

Tell me I'm a God..
(or not, but tell me either way!)
xapaho
Guest

Post by xapaho »

Well that thing is still spreading (and fast ?), I was yet another victim of the evil :)

Thanks to Blackstep's guidelines, I could get rid of it.
The biggest effort was to understand what it was about, and to access the guidelines here above !

Notes (if important) :
- the core was %SYSTEM32%\Windll32.exe (and Windll32 as data, I presume)
- hopefully indeed, only one reg key had just a stubpath item, hence recognizable (!!)
- safe mode was not required to get rid of them, killing explorer first appeared enough
- as of today, none of the following (fully up to date) software detected the pain :
Avast, SpyBot S&D, Lavasoft AdAware, Sysinternals RootkitRevealer

Freaky !

As with the firefox.exe process, was its identity just being /used/ by the malware, or was the firefox /program/ used (but not altered, apparently) for the purpose of transmitting information (hence passing firewalls, maybe) ?

In the second case, would that be possible to prevent such "hijack" of firefox in the future ?

Anyway, thanks again.
xapaho
Guest

Post by xapaho »

Just found your article
http://kb.mozillazine.org/Firefox.exe_always_open

Many thanks for this work, will read it tomorrow.
Would Google be so kind to index it better by the way ? :)
Good night
xapaho
Guest

Post by xapaho »

read it, it is fully comprehensive -- that's quality, RenegadeX

If it helps -

I do confirm that I could get rid of the malware w/o the need to boot into "Safe" mode.
( that mode name is so meaningful under m$ OSs, what a pity ;-) )
But the reason for this, I guess, is that I do *not* use System Restore ?

Could there be a way to make Firefox "more secure" in the future, I mean against such malware, to forbid their retrieval of passwords that were already stored before the attack :

1) preventing other apps from scripting it for such operations w/o user knowledge ? Requiring interactive confirmation maybe, the user could have to click some randomly generated/graphical button (so the APIs can't bypass it with button controls ?) to allow the password retrieval, or at least validate the session start ? Of course, this would slow down the user experience a little bit, but if this is the price to pay.. is it achievable ?

2) does the "master password" feature in Firefox, also achieve similar functionality ? If yes, would we just need a "blank" master password as an intermediate feature, just enforcing the interactive process ?

3) is there any password manager replacement (a firefox extension maybe ? cross-platform welcome !), that already takes care of such interactive check, and is coded strictly enough so you would recommend its use ?

Many thanks again.

PS. Be aware, when all security systems will be fingerprints-based, cyber criminals will collect our fingers while we sleep !!
Firefox Kid
Guest

Ivy.exe

Post by Firefox Kid »

Hi,

I've read about the virus that causes firefox.exe to remain open, and I was wondering if it does any damage to my system? I've gotten a lot of viruses in the past, so I'm unplugging my internet for good, and now I'm only going to use it to do my homework (Switched-on Schoolhouse) now. So I was wondering if Ivy.exe will affect me doing offline things, or if it is just something that records passwords you enter online? Please respond quickly. Thanks.
User avatar
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

'Firefox Kid' - PoisonIvy (and other similar apps called 'remote administration' tools) allow a user to control and monitor another computer remotely (over a network or Internet). They can be used legitimately to control perhaps a file server on a home network (useful as now the server doesn't need its own monitor/LCD). There are 2 parts - the remote administration application (kept on the computer that is going to do the monitoring) and the server executable (which is installed on the remote host). Virus scanners will detect both as suspicious because of the potential to be used maliciously. But if a hacker re-packs the server executable inside another file, it's now a 'trojan horse', and harder to detect. If they also re-pack that file with encryption (so that the actual code is scrambled), it makes it even more difficult for the server executable (trojan) to be detected.

So if you don't have an active internet connection, a hacker can't connect to your computer. However, as long as the trojan is active on your system, it can log every keystroke you enter into your computer. The next time you connect your system, the hacker will get a little pop-up on his system saying "Firefox Kid connected" and he'll be able to retrieve the keylogger file from your system.

Btw, 'ivy.exe' is just one reported filename that was used and reported by a Firefox user. It can be *anything* -- but whatever it is, it will be identified in the Registry in that entry that only has 'Stubpath' and nothing else. I would suspect that in the near future, new versions of these tools will add other bogus entries to make them not stand out so much.

** FYI: Hijackthis, MS Windows Defender, SpyBot S&D, the lot of them - do NOT presently detect the Registry changes that PoisonIvy (& others similar to it) are making **. I know because I've tested them myself.

Btw, there are other similar Remote Admin tools that are out there and being used (almost exclusively) maliciously. I picked on PoisonIvy because it is the only one that I'm aware of that has a "Persistence" option - meaning that when you kill the server file (ex: fake firefox.exe), it will restart by itself. This is why so many people complained "firefox.exe is always open", and why tracking complaints of those symptoms led to at least one person identifying the trojan as 'PoisonIvy.20.A' - identifying the tool being used. With other Remote Admin tools, you kill it, it's gone (until the next reboot).

To answer what 'xapaho' asked - I'm not sure that Firefox can do anything about it - PoisonIvy hooks into the Default Browser and Explorer.exe; it could easily hook into any app. In fact, a newer revision of PoisonIvy, as well as another similar and popular Remote Admin tool (that I won't name here), allows the user to inject into the app of their choice before trying the Default Browser -- for example, I've long seen quite a few people complain that their MSN Messenger has been targeted. Anyhow, the reason for picking on the Default Browser is because everyone has one set, they have certain Port access already, and most users think nothing when their firewall software says "Firefox.exe would like to use Port 1234 - OK?".

Oh, and one last thing - I suggested using Safe Mode rather than just manually killing explorer.exe as it's a 'clean' environment in which to run virus scans, delete files that may otherwise be locked, etc. But yes, I'm aware that you can just kill Explorer.exe in order to (temporarily, for that session) kill the fake firefox.exe.

** One further thing that PoisonIvy (new version) allows to be stolen -- router WEP keys! **
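RenegadeX's tell above (a Registry entry that carries nothing but a 'StubPath' value), and xapaho's "only one reg key had just a stubpath item", can be turned into a quick check. The script below is an added example for this thread, not code from any poster or from any tool named here. It assumes the StubPath-only key is an Active Setup "Installed Components" entry (the hive under which Windows reads a StubPath value and runs it at logon); the thread itself does not name that location, so that is this example's assumption. Legitimate components normally carry other values (Version, IsInstalled, ComponentID) next to StubPath, which is why a key holding only StubPath stands out.

```powershell
# Added example: list Active Setup components whose only value is StubPath.
# Assumption (not stated in the thread): the StubPath-only key lives under
# HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<id>.
# A match is a lead for manual review, not proof of infection; as RenegadeX
# notes, newer versions may add bogus values so they no longer stand out.

$ActiveSetupRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'   # absent on 32-bit XP; skipped
)

function Get-StubPathOnlyComponent {
    [CmdletBinding()]
    param([string[]]$Roots = $ActiveSetupRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }

        foreach ($key in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
            # GetValueNames() reports the (Default) value as an empty string; ignore it.
            $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
            if ($names.Count -ne 1 -or $names[0] -ine 'StubPath') { continue }

            $stub = [string]$key.GetValue('StubPath')

            # First token of the command line is the program that will run; strip quotes,
            # then expand %SystemRoot%-style variables so the file can be checked on disk.
            $exe = if ($stub -match '^"([^"]+)"') { $Matches[1] } else { ($stub -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exeExists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)

            [pscustomobject]@{
                Key        = $key.Name
                StubPath   = $stub
                Executable = $exe
                ExeExists  = $exeExists
                Reason     = 'Only value under this key is StubPath'
            }
        }
    }
}

# Print every hit; no output means no StubPath-only component was found.
Get-StubPathOnlyComponent | Format-List
```

Run it from an elevated PowerShell prompt so both registry views can be read. Treat each hit the way the thread does: look at where the executable lives (the posts report C:\WINDOWS and System32 with names like slrund.exe, Windll32.exe or Rundll32.exe), look for a same-named data/log file beside it, and only then remove the key and file, preferably from Safe Mode as RenegadeX suggests, with System Restore in mind.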
VinDSL
Posts: 484
Joined: June 17th, 2004, 9:56 am
Location: Arizona (USA)

Post by VinDSL »

RenegadeX wrote: ** FYI: Hijackthis, MS Windows Defender, SpyBot S&D, the lot of them - do NOT presently detect the Registry changes that PoisonIvy (& others similar to it) are making **. I know because I've tested them myself.

Have you tested it with TeaTimer, aka 'Spybot-SD Resident', running in the background?!?!?