
Adware keeps Taking Over Firefox, Firefox@helper2

  • 47 replies
  • 2 have this problem
  • 5 views
  • Last reply by falaniz

Starting back about two weeks ago, I got a weird series of pop-ups on Mozilla Firefox's latest version. I figured it was something easily nukable with MalwareBytes, so I had it do its job, and it seemed to stop... for about a day.

After that, the Malware reasserted itself, and soon, MalwareBytes wasn't getting rid of it, even with a rootkit scan. So, I downloaded and ran the Kaspersky Labs rescue disc, let it run overnight. I start up Firefox, and lo and behold... it is still there.

Firefox Helper 2 comes back the very next day. Malwarebytes detects nothing.

All Replies (20)

Actually, this little utility program shows me several more recently run tasks (sample screen shot attached). I'm not sure why the discrepancy but if nothing interesting shows up in Windows' Task Manager, you could try it.

http://www.nirsoft.net/utils/task_scheduler_view.html

The firefox@helper2 is installed in the extensions folder in the Firefox profile folder.

  • C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles\iipxbbs7.default-1462029000861\extensions\firefox@helper2
  • Installation date: 1462653511368 = May 7, 2016 20:38:31 GMT

cor-el,

So what do I do to get rid of it and prevent it from returning?

You can try to uninstall that extension or delete that firefox@helper2 extensions folder and check at what time it returns to see if you can match that with a specific task.

See also Process Monitor:

I have checked Firefox Add-Ons and do not see anything there, so I will delete the folder tonight and keep an eye out for its return tomorrow. I also downloaded the Process Monitor. I am guessing that you mean to have me run Process Monitor and look for a process start date/time that corresponds with the creation date of the firefox@helper2 extension file once it returns.

The popup alerts have returned. The firefox@help2 has a modified date/time of 5/10/2016 @ 7:47 AM. Looking at the Process Monitor the first thing I see at that time is the Flash Player plugin...

There are hundreds of entries listed at that time in Process Monitor. Weeding through them to determine which is related to the Help2 extension is a real task. Is there anything in particular that I should be looking for?

You should be able to filter the output for firefox@helper2 or for the Firefox profile folder (iipxbbs7.default).

Here is what it shows after filtering for firefox@helper2. There are over 1500 listed but I think the initial (earliest) entries are the ones to focus on.

It looks like atask.exe is the executable that starts the infection. The question is what triggers it?

I have taken advice from everyone here and made changes to see if it resolves the problem.

jscher2000

Removed the line user_pref("xpinstall.signatures.required", false); from the perf.js once again.

Identified suspicious tasks using Task Scheduler View and disabled them (see attachment).

cor-el

Using Process Monitor I identified a program, atask.exe, that ran at the time of the firefox@helper2 extension file creation. The atask.exe resides in C:\Program Files (x86)\Beta Software (which looks suspicious) and I have renamed that folder.

I have rebooted my desktop and I am now waiting to see if the problem returns.

I have identified the executable, but I still do not know what triggers it.
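The three checks the thread converges on (an unpacked folder named like an add-on ID inside the profile's extensions folder, the xpinstall.signatures.required override in prefs.js, and a scheduled task that re-runs the dropper) can be scripted so they are repeatable rather than done by hand in Task Scheduler View and Process Monitor. The PowerShell below is an added example, not code from the thread or from Mozilla; it assumes Firefox profiles live under %APPDATA%\Mozilla\Firefox\Profiles, uses the extension ID and task name mentioned above as the defaults to flag, and treats "action runs from outside the Windows directory" as a triage heuristic, not a verdict. The timestamp helper is included because the install date in the thread is a Unix epoch in milliseconds.

```powershell
# Added example (not from the thread): defender triage checks for the
# persistence pattern described above. Assumed paths and names are parameters.
param(
    [string]$ProfileRoot = (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'),
    [string[]]$SuspectExtensionIds = @('firefox@helper2'),      # from the thread
    [string[]]$SuspectTaskNames = @('Beta Software Worker')     # from the thread
)

# Firefox stores add-on install times as milliseconds since the Unix epoch
# (the thread's 1462653511368 is 2016-05-07 20:38:31 UTC).
function ConvertFrom-FirefoxTimestamp {
    param([long]$Milliseconds)
    [DateTimeOffset]::FromUnixTimeMilliseconds($Milliseconds).UtcDateTime
}

# 1. Bare folders inside <profile>\extensions. Creation time is what you
#    correlate with Task Scheduler history or Process Monitor output.
function Get-ProfileExtensionFolders {
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $prof = $_
        $extDir = Join-Path $prof.FullName 'extensions'
        if (Test-Path $extDir) {
            Get-ChildItem -Path $extDir -Directory -ErrorAction SilentlyContinue | ForEach-Object {
                [pscustomobject]@{
                    Profile     = $prof.Name
                    ExtensionId = $_.Name
                    Created     = $_.CreationTime
                    Modified    = $_.LastWriteTime
                    Suspect     = ($SuspectExtensionIds -contains $_.Name)
                }
            }
        }
    }
}

# 2. A user_pref("xpinstall.signatures.required", false) line in prefs.js or
#    user.js lets Firefox load unsigned add-ons. The thread shows it being
#    re-added after removal, so its mere presence is a finding.
function Get-SignatureOverride {
    param([string]$Root)
    Get-ChildItem -Path $Root -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($name in 'prefs.js', 'user.js') {
            $file = Join-Path $_.FullName $name
            if (Test-Path $file) {
                Select-String -Path $file -Pattern 'xpinstall\.signatures\.required"\s*,\s*false' |
                    ForEach-Object { [pscustomobject]@{ File = $file; Line = $_.Line.Trim() } }
            }
        }
    }
}

# 3. Scheduled tasks named in the thread, plus any task whose action runs
#    from outside the Windows directory (a heuristic: many legitimate tasks
#    run from Program Files, so review rather than delete on sight).
#    Disabling or unregistering the task has to precede deleting the
#    extension folder, otherwise the task just recreates it.
function Get-SuspectScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }                      # non-exec (COM handler) actions
            $named = $SuspectTaskNames -contains $task.TaskName
            $inWindowsDir = $exe -match '^(%SystemRoot%|%windir%|C:\\Windows)'
            if ($named -or -not $inWindowsDir) {
                if ($named) { $flag = 'named in thread' } else { $flag = 'runs outside Windows dir' }
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Flag      = $flag
                }
            }
        }
    }
}

Write-Host "== Extension folders in Firefox profiles =="
Get-ProfileExtensionFolders -Root $ProfileRoot | Format-Table -AutoSize
Write-Host "== Signature enforcement overrides =="
Get-SignatureOverride -Root $ProfileRoot | Format-Table -AutoSize
Write-Host "== Scheduled tasks worth reviewing =="
Get-SuspectScheduledTasks | Sort-Object Flag, TaskName | Format-Table -AutoSize
```

Run it from an elevated PowerShell so Get-ScheduledTask can read tasks registered by other accounts. The useful output is the join between the three lists: an extension folder whose creation time matches the last run of a task flagged in the third list is the trigger the thread was hunting for, and re-running the script after disabling that task shows whether anything else is re-enabling it.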

Hmm, I think we're getting somewhere.

If you right-click > Properties on astask.exe what Details do you find there?

Some variants of that file seem to be very bad news, but others seem to be a low threat. There are too many variants to say without adding some details to the query:

https://www.google.com/search?q=%22astask.exe%22+site:reasoncoresecurity.com

Description states... Est ut quaerat in porro quis id.

Hi falaniz, could you check the Details tab (sorry, I left out the word tab before).

The only hit I received on "Est ut quaerat in porro quis id." is ... http://www.freefixer.com/library/file/tmjob.exe-232802/

Freefixer helped identify a Scheduled Task called "Beta Software Worker" and I found it in Task Scheduler View and have disabled it!

The previous screenshot shows "C:\Program Files (x86)\Beta Software!!" as the location of the astask.exe file.

Did you look in Windows Control Panel > Programs whether there is software installed during the time(s) it mentions in the screenshot?

You can possibly search the registry for "Beta Software!!".

I have identified a scheduled task in Task Scheduler View and disabled it. Waiting to see if that fixes things.

Problem still exists... the Scheduled Task called "Beta Software Worker" somehow is present and has been enabled.
