firefox.exe always open

User Help for Mozilla Firefox
RedFury
Guest

firefox.exe always open

Post by RedFury »

Been having this for a while, and the system hangs when I try to use the net.
I opened up Security Task Manager, and I clicked on the other one.
It is trying to send to 80.219.69.15 on port 3460.

which is the IP for hispeed.ch.
I'm confused, I have no extensions or themes, and I just tried reinstalling Firefox.
Same problem again.

I'm really quite clueless at this point.
alteredcarbon167
Posts: 250
Joined: March 28th, 2006, 11:08 am
Location: Golden State

Post by alteredcarbon167 »

I'm curious as to what you mean when you say you opened "Security Task Manager" and clicked on "the other one." What is security task manager or are you just confused and referring to plain ol' task manager?

I attempted to ID the IP address 80.219.69.15 and found nothing, so it leads me to conclude that it must be your own private network. If you open the run prompt and type in "cmd", hit Enter, then type in ipconfig /all; if you see the above-referenced IP address, then you know it's your own IP. Or you could just go to www.whatismyip.com. As to the port, well, it could be anything and I'm not going to engage in wild FUD speculation; however, my first thought is that based upon your scant details offered here, your system may or may not be hijacked.

I would strongly encourage you to investigate exactly what kind of processes are running on your system and which apps, if any, are coming into or getting out to the Net with or without your knowledge, because it sounds fishy to me. You can download a free app called Process Explorer from sysinternals.com to see exactly what is running. Thereafter, if you aren't already using it, then I would start using the "ICF" generic firewall that should already be running on your system, assuming you are using a Win XP OS, that is.

Lastly, and worst case scenario, I would download and install something called "HijackThis". If you google it then you'll hit the sites that you can download it from. Whatever is going on in your system, you need to find out exactly what is being transmitted and/or received on port 3460. I would be highly suspicious if I were you at this point and would find someone to take a closer look at your system if you don't know anything about PC security.

One last thing I just thought of - open Run again and type in cmd again. This time type in netstat -an. This will show you everything that your system is listening for, already established or waiting. I would focus on established connections and make note of the IP address and the port. If you see something unidentifiable and it's connected to the port in question, well, then you know your problems are a lot deeper than just FF not launching.
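Added example (not code from any post in this thread): the netstat check above, done programmatically. The function parses the text `netstat -an` (or `netstat -ano`, which adds a PID column) prints on Windows and keeps only TCP connections to a chosen remote port that are in an active state, so a listener on 3460 or a TIME_WAIT leftover is not mistaken for an outbound connection. The sample output is constructed for the example; the remote address and port in it are the ones reported later in this thread.

```python
"""Pick out active TCP connections to a given remote port from netstat output."""

# Constructed sample in the layout of Windows XP `netstat -an`; the remote
# endpoint 84.56.103.134:3460 is the one reported in this thread, 192.0.2.10
# is a documentation address standing in for an ordinary web server.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.23.2:1117      84.56.103.134:3460     SYN_SENT
  TCP    192.168.23.2:1120      84.56.103.134:3460     ESTABLISHED
  TCP    192.168.23.2:1132      192.0.2.10:80          ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:3460         TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""

# States in which the local host is actually talking (or trying to talk) to the peer.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "CLOSE_WAIT"}


def split_endpoint(endpoint):
    """'192.168.23.2:1117' -> ('192.168.23.2', 1117); '*:*' -> ('*', None).

    rpartition splits on the last colon, so IPv6 forms like '[::]:135' survive."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign, *rest = parts
        state = rest.pop(0) if proto == "TCP" and rest else None  # UDP has no state column
        pid = int(rest[0]) if rest and rest[0].isdigit() else None  # only present with -o
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(foreign)
        conns.append({"proto": proto, "local_host": lhost, "local_port": lport,
                      "remote_host": rhost, "remote_port": rport,
                      "state": state, "pid": pid})
    return conns


def outbound_to_port(conns, port, states=ACTIVE_STATES):
    """TCP connections whose remote port is `port` and whose state is active."""
    return [c for c in conns
            if c["proto"] == "TCP" and c["remote_port"] == port and c["state"] in states]


def remote_hosts(conns):
    """Distinct remote hosts, sorted, for reporting or a WHOIS lookup."""
    return sorted({c["remote_host"] for c in conns})


if __name__ == "__main__":
    hits = outbound_to_port(parse_netstat(SAMPLE_NETSTAT), 3460)
    for c in hits:
        print("%s:%s -> %s:%s %s pid=%s" % (c["local_host"], c["local_port"],
              c["remote_host"], c["remote_port"], c["state"], c["pid"]))
    print("remote hosts:", remote_hosts(hits))
```

On the affected machine, `netstat -ano` is the more useful form: its PID column lets you tie the connection to the firefox.exe process in Task Manager before you kill it.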
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

alteredcarbon167 wrote:my first thought is that based upon your scant details offered here, your system may or may not be hijacked.
Funny, I came to the same conclusion, but I'm leaning more on the 'not' side.. :lol:

Try this first ...
Open Task Manager and make sure firefox.exe is not still running (do an "End Process").
Go to your Firefox install directory, and look for a folder called "updates".
Delete it.

Start Firefox. If ok, do "Check for Updates".
If Updates are found, install. Restart.
Regardless, close & restart to check if ok now.

Tell me I'm a God..
(or not, but tell me either way!)
Kettle
Guest

Post by Kettle »

Same problem here... I just don't understand. Help ;)
Old Limpet235
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Old Limpet235 »

Please disregard this post...:D
Last edited by Old Limpet235 on December 5th, 2006, 9:50 am, edited 1 time in total.
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

It would have been nice for the original poster, 'RedFury' to report back whether my suggestion worked.
I found it on a German messageboard where a few members were having a similar issue and the above fix was reported by them to have worked.
Kettle
Guest

Post by Kettle »

RenegadeX wrote:It would have been nice for the original poster, 'RedFury' to report back whether my suggestion worked.
I found it on a German messageboard where a few members were having a similar issue and the above fix was reported by them to have worked.


I tried this, it is not working... :(

The freakiest thing is that when I try to end the process, it comes back instantly...

Here is what my Sygate Firewall is reporting:

File Version : 1.8.20060.26282
File Description : Firefox (firefox.exe)
File Path : C:\Program Files\Mozilla Firefox\firefox.exe
Process ID : 0xA24 (Heximal) 2596 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.23.2
Local Port : 1117
Remote Name : shayan.dyndns.info
Remote Address : 84.56.103.134
Remote Port : 3460 (EDM-MANAGER - EDM Manger)

Ethernet packet details:
Ethernet II (Packet Length: 80)
Destination: 00-07-cb-36-0a-94
Source: 00-13-d4-aa-a7-84
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x9da0 (Correct)
Source: 192.168.23.2
Destination: 84.56.103.134
Transmission Control Protocol (TCP)
Source port: 1117
Destination port: 3460
Sequence number: 1262501260
Acknowledgment number: 0
Header length: 32
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0xfe40 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 07 CB 36 0A 94 00 13 : D4 AA A7 84 08 00 45 00 | ...6..........E.
0010: 00 34 06 BE 40 00 40 06 : A0 9D C0 A8 17 02 54 38 | .4..@.@.......T8
0020: 67 86 04 5D 0D 84 4B 40 : 3D 8C 00 00 00 00 80 02 | g..]..K@=.......
0030: FF FF 40 FE 00 00 02 04 : 05 B4 01 03 03 04 01 01 | ..@.............
0040: 04 02 FE B7 0E D1 2E 36 : 8C F1 E0 83 13 89 E3 FE | .......6........
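Added example (not code from any post in this thread): a decoder for the Sygate hex dump above. It rebuilds the 80 bytes from the dump lines, walks Ethernet II, IPv4 and TCP, lists the TCP options, and recomputes both checksums in network byte order. That last point is the check worth having: the values Sygate prints (0x9da0 and 0xfe40) are the on-wire values 0xa09d and 0x40fe with their two bytes swapped, which is why a naive comparison against the tool's display would report them as wrong.

```python
"""Decode the Sygate packet dump and verify its IP and TCP checksums."""
import struct

# Hex dump as posted in the Sygate firewall log above (one outbound SYN).
SYGATE_DUMP = """\
0000: 00 07 CB 36 0A 94 00 13 : D4 AA A7 84 08 00 45 00 | ...6..........E.
0010: 00 34 06 BE 40 00 40 06 : A0 9D C0 A8 17 02 54 38 | .4..@.@.......T8
0020: 67 86 04 5D 0D 84 4B 40 : 3D 8C 00 00 00 00 80 02 | g..]..K@=.......
0030: FF FF 40 FE 00 00 02 04 : 05 B4 01 03 03 04 01 01 | ..@.............
0040: 04 02 FE B7 0E D1 2E 36 : 8C F1 E0 83 13 89 E3 FE | .......6........
"""

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def dump_to_bytes(dump):
    """Turn 'offset: xx xx : xx xx | ascii' lines back into raw bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        hexpart = line.split("|", 1)[0].split(":", 1)[1]
        raw.extend(int(tok, 16) for tok in hexpart.replace(":", " ").split())
    return bytes(raw)


def internet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_tcp_options(opts):
    """Decode the TCP option list into (name, value) pairs."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP, single byte
            out.append(("NOP", None))
            i += 1
            continue
        length = opts[i + 1]
        body = opts[i + 2:i + length]
        if kind == 2:
            out.append(("MSS", struct.unpack("!H", body)[0]))
        elif kind == 3:
            out.append(("WSCALE", body[0]))
        elif kind == 4:
            out.append(("SACK_OK", None))
        else:
            out.append(("OPT%d" % kind, body.hex()))
        i += length
    return out


def decode_frame(frame):
    """Ethernet II -> IPv4 -> TCP; checksums are recomputed in network byte order."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                     # bytes past the IP total length are trailer
    ip_hdr = ip[:ihl]
    ip_chk = struct.unpack("!H", ip_hdr[10:12])[0]
    ip_calc = internet_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])
    src, dst = ip[12:16], ip[16:20]
    tcp = ip[ihl:]
    sport, dport, seq, ack, off_flags, win, tcp_chk, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4
    flags = [name for bit, name in enumerate(TCP_FLAGS) if off_flags & (1 << bit)]
    pseudo = src + dst + struct.pack("!BBH", 0, ip[9], len(tcp))   # TCP pseudo-header
    tcp_calc = internet_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ip[8], "dont_fragment": bool(ip[6] & 0x40),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": win, "options": parse_tcp_options(tcp[20:doff]),
        "payload_len": len(tcp) - doff,
        "ip_checksum": ip_chk, "ip_checksum_ok": ip_chk == ip_calc,
        "tcp_checksum": tcp_chk, "tcp_checksum_ok": tcp_chk == tcp_calc,
    }


def byteswap16(value):
    """How a tool that prints 16-bit fields little-endian shows a wire value."""
    return ((value & 0xFF) << 8) | (value >> 8)


if __name__ == "__main__":
    for key, val in decode_frame(dump_to_bytes(SYGATE_DUMP)).items():
        print("%-16s %s" % (key, val))
```

Everything the decoder recovers agrees with Sygate's own field listing (192.168.23.2:1117 to 84.56.103.134:3460, SYN only, TTL 64, DF set, sequence 1262501260, no payload); the last 14 bytes of the dump lie beyond the IP total length of 52 and are ignored.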
K8L
Posts: 10
Joined: October 2nd, 2006, 11:15 am
Location: France

Post by K8L »

I forgot to tell you something... I just read another packet dump: personal info inside!

Moreover, my PayPal account was used yesterday to buy an account on rapidshare.de (24 euros); it was refunded in the night because I told PayPal and removed my credit card... I use Avast! antivirus; it's up to date but it doesn't find anything suspect... I also scanned my system with Ad-Aware, Ad-square and Spybot: nothing found. My Windows XP version is up to date...

No extensions / plugins installed...

Also tried msconfig, turning off everything at boot... Same result.

I'm getting really anxious. The only way to stop it is to uninstall Firefox (no iexplorer.exe stays in memory after the Firefox uninstall).

Really curious, isn't it?

A bientot!
-= K8L - LECLECTIC.ORG =-
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

I previously referred to a German site - and a few users there had the exact same issue with a 2nd firefox.exe process appearing as soon as you kill it in Task Manager. For them, the simple 'delete the update folder' fix seems to have worked, which is why I initially was siding with *not* a hijack. Not sure why the fix I repeated worked for them, but I guess my hunch was wrong as it appears that in all likelihood, it *is* a hijack(via backdoor trojan).

Here is the original post complaining of the port 3460 violation:
  • http://www.firefox-browser.de/forum/viewtopic.php?t=38991 (in German)
    .. which refers to the 'delete the Update folder' post on their forums:
  • http://www.firefox-browser.de/forum/viewtopic.php?t=38502
However, doing further research shows similar reports have also been filed on:
  • http://www.pc-experience.de/wbb2/thread.php?threadid=22048 (in German)
  • http://www.xbitlabs.com/forum/viewtopic.php?t=11242
    .. which mentions the Gromozon Rootkit, worth checking out.
  • http://forum.kaspersky.com/index.php?showtopic=22485&st=0
  • http://www.adslgr.com/forum/showthread.php?t=33786 (in Greek)
... all of which suspect or indicate a backdoor trojan.

** A couple of people mentioned that being frustrated with Firefox because of this problem, they dumped it and made another browser their Default Browser -- only to experience the same issue with that - so it does not appear to be a Firefox-exclusive problem. It's curious though why the only reports have been from Firefox users.

2 people in the above forums claim to have rid themselves of this annoying problem:
  • the pc-experience.de poster who says:
    docmarten77 on pc-experience.de forums wrote:UPDATE:

    So the free Antivir scan found the signature of Backdoor BDS/PoisonIvy.20.A in the file C:\Windows\Startup.exe (which IMHO shouldn't be there).

    I deleted these after deactivating System Restore in Safe Mode. The System seems to be clean now and the fake Browser.exe is gone :)
  • and the Greek poster, who says
    cleever, on adslgr.com wrote:.. at last! It was a trojan.. I ran NOD32 [antivirus] and it found it immediately!
    c:\windows\system32\ivy.exe file Win32/Delf.AKA trojan Alert was generated during the system startup file check.
Therefore I would recommend first searching your Windows folders (inc. System32) for a 'startup.exe' file and/or an 'ivy.exe' file. You might be able to delete them and be done with it, but it is certainly better to run an antivirus app in case there are other files affected on your system.

However, what is interesting about this apparent trojan is that it is not raising alarm bells in most of the major spyware and antivirus apps (Kaspersky, Ad-Aware, Spybot S&D, BitDefender 9, Trend Micro Housecall, Ewido, SysInternals RootkitRevealer were all mentioned to have missed it, and even HijackThis didn't show any evidence of it). 'docmarten77' said he was using free Antivir to successfully detect the Backdoor BDS/PoisonIvy trojan, and 'cleever' said he used NOD32.

The aforementioned website for NOD32 doesn't mention it in their threat list, but cleever's post indicates that apparently it'll detect it. The only other AV products that I currently find which include BDS/PoisonIvy.20.A in their virus definition files are Spy Sweeper (click for their info on this trojan) and a product by Avira. Spy Sweeper has a free scan (install on HD and run; it will detect, but not fix, viruses - you have to pay for the full version). Never heard of Avira before, but I gather they're a large German computer security company - free 30-day trial license key upon request - might be worth checking out. [edit: I just realized that 'Antivir' is also by Avira - and of course it's free for personal use].

As this trojan seems to be quite sneaky, it might be advisable to disable System Restore (instructions here, scroll down to the XP section), reboot in (Windows) Safe Mode (press F8 repeatedly on the system boot-up screen before the loading WinXP graphic appears), and then once in, perform a virus scan. If a startup.exe file or ivy.exe file was found earlier, delete it now. While still in Safe Mode, I would also clean out my Temp folders by doing a Disk Cleanup (Start->All Programs->Accessories->System Tools) in case a virus (perhaps undetected) was lurking in its depths. Finally, while still in Safe Mode, I would uninstall Firefox in case the .exe had been modified (it sounds like that may be what the virus is doing), verify that the Programs folder it had installed itself into was empty and gone, empty my Recycle Bin, and then reboot. (Your Firefox Profile will be untouched and available for use once you re-download and reinstall FF). Then re-enable System Restore, and re-install Firefox.

Other than that, i don't know what to suggest at this point.
Good luck.
Last edited by RenegadeX on October 7th, 2006, 1:04 pm, edited 3 times in total.
K8L
Posts: 10
Joined: October 2nd, 2006, 11:15 am
Location: France

Post by K8L »

Hi !

Some news: this morning explorer.exe crashed, then, when it reloaded, I could quickly see some kind of 'Initialization settings' (something handled by Win XP) but too quick to read... Then explorer reloaded, and I had no firefox.exe in processes anymore. Then I rebooted... No more firefox.exe in processes...
I'll reload my ghost to check if killing 'explorer.exe' process may solve the problem...

Weird.

PS: I'm not talking about iexplore.exe but explorer.exe.
-= K8L - LECLECTIC.ORG =-
Guest
Guest

port 3460 - poison ivy !

Post by Guest »

Connecting to port 3460 - very likely it's the trojan Poison Ivy.
I found it 12 hours ago and Wireshark told me it's connecting to mmohacks.no-ip.info on port 3460.
Use Spy Sweeper to get rid of this.
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

^ Thanks, I edited my long post above and added some info, including Spy Sweeper, which has PoisonIvy in their virus definition database now. The info there says that the PoisonIvy trojan is usually transmitted via email, as an attachment - possibly disguised as a 'harmless' software program.

If you suspect you have experienced the behaviour described in this thread, you may have been infected with PoisonIvy. For your own sake, be sure!

If a spyware/virus-scan shows that you are infected,
BE AWARE THAT:
It is recommended that you change all of your passwords AFTER removing this [trojan] program. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.
RenegadeX
Posts: 892
Joined: January 21st, 2005, 5:29 am
Location: Canada

Post by RenegadeX »

Hey, just curious -- anyone that was infected - by any chance do you play Runescape?
I found this post: http://www.zerogamers.com/submit-files/ ... -hack.html from July 22nd - that indicates that a Runescape hack posted on a forum was infected - it's the earliest mention of the trojan that I can find.

Interestingly, even then, at least 6 AV/spyware scanners detected it.
Blackstep
Guest

Post by Blackstep »

Hi all.. I wanted to post a reply here because you guys helped point me in the right direction. I too had Poison Ivy, and just managed to get rid of it. I originally stumbled across this forum thread after a Google search for "port 3460 +trojan"; at the time I didn't realise firefox.exe was always running.. but sure enough, it was. I won't go through the laborious steps I went through to isolate and kill this thing.. but here's the solution-

I found the website and forums the bastards who made this program go to, it's http://www.chasenet.org/home/

I looked through their forums for a removal solution and here's what I found in this thread here-
http://forums.chasenet.org//index.php?showtopic=10189

1. Kill explorer.exe
2. Kill all running instances of your browser (just to be sure).
3. Remove the run key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components); look for a key with only a StubPath item.
4. Remove the exe the run key is pointing to.

My mileage varied slightly. I had to boot into safe mode and delete the registry key and then the files the key pointed to - which were in C:\Windows\System32\ and called RegMen.exe, there was also a RegMen file without an extension which looked like it contained captured data/.dat stuff.

After deleting the key and files and booting into normal windows, no more connections out on Port 3460. (mine were pointing to a .de address also). So I'm pretty confident it's gone.
Previous to finding this forum post I threw antivirus/trojan/malware etc scanners at it and NOTHING detected it.

Now I'm just concerned about what this thing did whilst it was running. Going to watch my bank accounts very closely and change all my passwords, for everything!

Hope this helps some of you.. and please pass this info on to those who it might benefit.

Cheers.
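Added example (not code from Blackstep's post or from the chasenet.org thread it cites): step 3 of the recipe above, turned into a check you can run against a registry export taken from the suspect machine. A `.reg` export of `HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components` is parsed into keys and values, and every component subkey whose only value is `StubPath` is reported together with the executable it launches. The sample export is constructed for the example: the GUIDs are placeholders, the first entry is shaped like a normal Windows component (it carries Version, IsInstalled and ComponentID values as well as StubPath), and the second carries a bare StubPath pointing at the System32 file name Blackstep reports.

```python
"""Flag Active Setup 'Installed Components' entries that carry nothing but a StubPath."""
import re

ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"

# Constructed regedit export. Placeholder GUIDs; the StubPath of the second
# entry uses the file name reported in this thread. Backslashes are doubled
# inside quoted strings exactly as regedit writes them.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{11111111-1111-1111-1111-111111111111}]
@="Example component"
"ComponentID"="ExampleComponent"
"IsInstalled"=dword:00000001
"StubPath"="regsvr32.exe /s /n /i:U example.dll"
"Version"="6,0,2900,2180"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22222222-2222-2222-2222-222222222222}]
"StubPath"="C:\\WINDOWS\\system32\\RegMen.exe"
"""


def _decode_value(data):
    """Decode the common .reg data encodings: quoted string, dword:, hex:."""
    if data.startswith('"') and data.endswith('"'):
        return re.sub(r"\\(.)", r"\1", data[1:-1])      # undo \\ and \" escapes
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):
        return bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
    return data


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for a regedit .reg export.

    Multi-line hex values (continued with a trailing backslash) are not handled;
    the Active Setup values of interest are plain strings and dwords."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = _decode_value(data)
    return keys


def stubpath_only_components(keys, root=ACTIVE_SETUP):
    """Subkeys of `root` whose only value is StubPath, as (subkey, stubpath) pairs.

    Normal Windows components also carry Version, IsInstalled, ComponentID and
    similar values; a bare StubPath is the pattern the removal recipe describes."""
    hits = []
    prefix = root.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        by_lower = {name.lower(): val for name, val in values.items()}
        if set(by_lower) == {"stubpath"}:
            hits.append((path[len(prefix):], by_lower["stubpath"]))
    return hits


if __name__ == "__main__":
    for subkey, stub in stubpath_only_components(parse_reg_export(SAMPLE_REG)):
        print("%s -> %s" % (subkey, stub))
```

To feed it a real export, run `reg export "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" activesetup.reg` on the affected machine and open the file with `encoding="utf-16"`, since regedit and reg.exe write exports as UTF-16. Treat a hit as a lead, not a verdict: confirm what the StubPath executable is before deleting the key and the file, as the recipe's step 4 says.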
Caballo
Guest

Post by Caballo »

Hello there.

I got a clue about this thing while playing a multiplayer game. One day, it became slower when I pushed a key and moved the mouse. I thought it was a lack of RAM for that session, so I didn't give it importance. Later that day, it became unresponsive, so I ran the Task Manager, and guess what I found? The firefox thing. I looked over the whole computer using ZoneLabs antivirus, and it found nothing. Then I ran Avast and found nothing too, so I looked at windows\system and System32 (because of some bad experiences with trojans in the past) to see if I found something interesting.

I caught RegMen running in Safe Mode, and now I have it on another hard drive, waiting for someone who wants it to see how it works and how to disable it.

ANYONE WANTS A VIRUS?

:D