
Potential 'Update.exe' Trojan detected



Malwarebytes has notified me of a potential trojan, running as what seems to be a fake Firefox update. Located in C:\Program Files (x86)\Common Files\ElementWeb the 'update.exe' has made numerous outgoing connection attempts to various random sites (porn sites etc). It's showing up as a duplicate Firefox(1) program in my firewall control, as well as the actual Firefox.

Firefox is installed on my system.

Thanks for help in advance.

Addition_14-04-2020 01.30.12.txt FRST_14-04-2020 01.30.12.txt malwarelog.txt


Hi,
My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.
If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please just attach all report files, etc., that I ask for as we go along.

To start with, please do what follows.

I would like you to do a new scan with Malwarebytes for Windows. One of the major goals here is to have it remove all that it detects, if it finds anything, that is.
Start Malwarebytes from the Windows Start menu.
Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.
Then click the Security tab. Look for the section "Automatic Quarantine". Be sure it is clicked On (to the far right side).

Then scroll down to the section Potentially Unwanted Items. We need the next 2 lines (for PUP & for PUM) to be set to "Always (Recommended)".
You can make the change by clicking on the down-arrow selection list control. We want all PUP & PUM to be marked for removal.

Next, click the small x on the Settings line to go to the main Malwarebytes window.
Next click the blue button marked Scan.
When the scan phase is done, be really sure you review and have all detected line items check-marked on the left. That too is very critical.
Then click on Quarantine selected.

Then locate the scan run report, export a copy, and attach it with your reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Thanks for your reply. Everything set up as per your instructions and scan completed. It found no threats, file attached.

Interestingly, I was browsing this morning for any info I could find on the apparent fake Firefox 'update.exe' that threw up the RTD warning in Malwarebytes last night and found this https://www.reddit.com/r/antivirus/comments/erm3px/am_i_infected_pinnacle_game_profiler_has_a_malware/

What this person describes is almost identical to the issue I had last night, as likewise I had just installed Pinnacle Game Profiler, but the install apparently failed: when attempting to run it, Pinnacle did not open. However, around that time, both Kaspersky and then Malwarebytes started giving me multiple warnings about outgoing connections to random websites, pointing to that 'update.exe' as the culprit. And like him, the odd 'AMozilla' folder and contents, plus the ElementWeb folder and contents (including 'update.exe'), appeared on my system.

Looking in my task manager at the time, despite Pinnacle not visibly opening, it was still running. Thinking it was just faulty, I uninstalled Pinnacle and since then have apparently not had any issues or further warnings.

As in that person's post, though, having run Malwarebytes today with no warnings, those folders (and the fake 'update.exe') are still on my system, namely C:\Users\dakov\AppData\Local\AMozilla and C:\Program Files (x86)\Common Files\ElementWeb

mwb1.txt
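As an added, defender-side check that is not part of this thread (neither the poster's nor the helper's), the following PowerShell snippet looks on the current machine for the two folders the poster named, for a running update.exe launched from the ElementWeb folder together with its outbound TCP connections, and for that binary's Authenticode signature status. The folder paths come from the posts above; the AMozilla path is generalised from C:\Users\dakov\AppData\Local to the current user's profile via $env:LOCALAPPDATA, and the variable names and output wording are this example's own.

```powershell
# Added example (not from the thread): check this machine for the indicators reported above.
# Paths are those named by the poster; AMozilla is resolved under the current user's profile.
$suspectDirs = @(
    (Join-Path $env:LOCALAPPDATA 'AMozilla'),
    (Join-Path ${env:ProgramFiles(x86)} 'Common Files\ElementWeb')
)
$suspectExe = Join-Path ${env:ProgramFiles(x86)} 'Common Files\ElementWeb\update.exe'

# 1. Are the folders present, and what do they contain?
foreach ($dir in $suspectDirs) {
    if (Test-Path -LiteralPath $dir) {
        Write-Output "PRESENT: $dir"
        Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    } else {
        Write-Output "absent : $dir"
    }
}

# 2. Is an update.exe from that folder running, and where is it connecting?
#    Get-Process matches on the image name without the .exe suffix.
Get-Process -Name 'update' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ieq $suspectExe) } |
    ForEach-Object {
        Write-Output ("RUNNING: PID {0} {1}" -f $_.Id, $_.Path)
        Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.State -in @('Established', 'SynSent') } |
            Select-Object RemoteAddress, RemotePort, State | Format-Table -AutoSize
    }

# 3. Does the binary carry a valid publisher signature? Genuine Firefox components are
#    Authenticode-signed by Mozilla; an unsigned "updater" under Common Files is a red flag.
if (Test-Path -LiteralPath $suspectExe) {
    Get-AuthenticodeSignature -FilePath $suspectExe |
        Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }
}
```

Run it from an elevated PowerShell window so that process paths and owning-process data are readable for every process. It only reports; anything it turns up should go into the scan and quarantine procedure the helper lays out in this thread rather than be deleted by hand.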


Thank you for the report & the other information. This custom fix should take care of the bogus "update" issues for Firefox.

Just please be sure that Firefox is closed when you run this.

Please close and save any open work you may have open.
Please close as many unneeded app windows that you yourself may have open at this point, so you can have a clear field of view.

This custom script is for Taggle only / for this machine only.
Close and save any open work files before starting this procedure.

Please close and save any open work files before you start this next step. It will involve a Windows restart at the end of it.
I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE link AS and save it directly (as is) to the F:\Downloads folder.

The tool named FRST64.exe is already in the F:\Downloads folder.
Start Windows Explorer and then go to the F:\Downloads folder.

RIGHT-click on FRST64 and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow it to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool, click the "More info" line on that screen
and click the "Run anyway" button on the next screen.

On the FRST window:
Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log (Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.

Also, let me know the overall status of Firefox, and if you need other help at that point.

Cheers.

Fixlist.txt

Hi again

By necessity I had to do a complete reinstall of Windows 10, so that effectively solved the problem for me without having to use the fixit file. Thanks though, and for future readers I will leave this link here, warning people not to download Pinnacle Game Profiler from the official site, as the software is compromised. It looks like the website has been hacked or something similar. Hopefully, if it isn't already, Malwarebytes can get this sorted so it will flag a warning for PGP, should anyone attempt to install it. (Link confirming my own experience here.)

Hello.

I did get your reply.  I understand that you essentially "paved over" the prior Windows installation and did a whole new one.

Here are just some best-practice tips to stay safer.

See this article on our Malwarebytes Blog:
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

You want to disable the ability of each web browser on this machine to allow "push ads". That means Chrome, Firefox, or Edge (on Windows 10), or Opera.
Scroll down to the tips section "How do I disable them".

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser Guard for Chrome.
To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser:
https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
Then proceed with the setup.

If the pc has Mozilla Firefox, to get & install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser:
https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
Then proceed with the setup.
That link is for English (US). There are other language versions. Just go to the very bottom right of the page and look at the "Change language" drop-down list.
It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog: http://securitygarden.blogspot.com/p/blog-page_7.html

Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection".
I do wish you all the best.

Stay safe.

Sincerely,

Maurice
