Adware keeps Taking Over Firefox, Firefox@helper2
Starting back about two weeks ago, I got a weird series of pop-ups on Mozilla Firefox's latest version. I figured it was something easily nukable with MalwareBytes, so I had it do its job, and it seemed to stop... for about a day.
After that, the Malware reasserted itself, and soon, MalwareBytes wasn't getting rid of it, even with a rootkit scan. So, I downloaded and ran the Kaspersky Labs rescue disc, let it run overnight. I start up Firefox, and lo and behold... it is still there.
Firefox Helper 2 comes back the very next day. Malwarebytes detects nothing.
All Replies (20)
Actually, this little utility program shows me several more recently run tasks (sample screen shot attached). I'm not sure why the discrepancy but if nothing interesting shows up in Windows' Task Manager, you could try it.
The firefox@helper2 is installed in the extensions folder in the Firefox profile folder.
- C:\\Users\\Frank\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iipxbbs7.default-1462029000861\\extensions\\firefox@helper2
- Installation date: 1462653511368 = May 7, 2016 20:38:31 GMT
cor-el,
So what do I do to get rid of it and prevent it from returning?
You can try to uninstall that extension or delete that firefox@helper2 extensions folder and check at what time it returns to see if you can match that with a specific task.
See also Process Monitor:
I have checked Firefox Add-Ons and do not see anything there so I will delete the folder tonight and keep an eye out for its return tomorrow. I also downloaded the Process Monitor. I am guessing that you mean to have me run Process Monitor and look for a process start date/time that corresponds with the creation date of the firefox@helper2 extension file once it returns.
The popup alerts have returned. The firefox@help2 has a modified date/time of 5/10/2016 @ 7:47 AM. Looking at the Process Monitor the first thing I see at that time is the Flash Player plugin...
There are hundreds of entries listed at that time in Process Monitor. Weeding through them to determine which is related to the Help2 extension is a real task. Is there anything in particular that I should be looking for?
You should be able to filter the output for firefox@helper2 or for the Firefox profile folder (iipxbbs7.default).
Here is what it shows after filtering for firefox@helper2. There are over 1500 listed but I think the initial (earliest) entries are the ones to focus on.
It looks like atask exe is the executable that starts the infection. The question is what triggers it?
I have taken advice from everyone here and made changes to see if it resolves the problem.
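The filtering step discussed above, as an added example that is not part of the thread: it reads a Process Monitor log saved as CSV, keeps only events whose path contains the extension ID, and lists each process by the first time it touched that folder. It assumes the default export columns; the sample rows, PIDs and the `placeholder.js` file name are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Extension folder as reported in the thread.
EXT = (r"C:\Users\Frank\AppData\Roaming\Mozilla\Firefox\Profiles"
       r"\iipxbbs7.default-1462029000861\extensions\firefox@helper2")

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE = rf'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"7:47:01.9000000 AM","FlashPlayerPlugin.exe","4120","ReadFile","C:\placeholder\unrelated.dll","SUCCESS",""
"7:47:02.1234567 AM","atask.exe","5332","CreateFile","{EXT}","SUCCESS",""
"7:47:02.2000000 AM","atask.exe","5332","WriteFile","{EXT}\placeholder.js","SUCCESS",""
"7:47:09.5000000 AM","firefox.exe","2208","CreateFile","{EXT}","SUCCESS",""
'''

def install_time_utc(ms):
    """Firefox records the install date as milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def parse_time_of_day(text):
    """Procmon prints 7 fractional digits; strptime's %f accepts at most 6."""
    clock, meridiem = text.rsplit(" ", 1)
    hms, _, frac = clock.partition(".")
    base = datetime.strptime(f"{hms} {meridiem}", "%I:%M:%S %p")
    return base.replace(microsecond=int(frac[:6].ljust(6, "0"))).time()

def earliest_touch_per_process(csv_text, needle):
    """Return (time, process, pid, operation) for each process's first event
    on a path containing `needle`, oldest first. The column has no date, so
    this assumes the capture does not span midnight."""
    first = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if needle.lower() not in row["Path"].lower():
            continue  # unrelated event, e.g. the Flash plugin row
        key = (row["Process Name"], row["PID"])
        when = parse_time_of_day(row["Time of Day"])
        if key not in first or when < first[key][0]:
            first[key] = (when, row["Operation"])
    return sorted((w, name, pid, op) for (name, pid), (w, op) in first.items())

if __name__ == "__main__":
    print("installDate:", install_time_utc(1462653511368).isoformat())
    for when, name, pid, op in earliest_touch_per_process(SAMPLE, "firefox@helper2"):
        print(when, name, pid, op)
```

The process at the top of the list is the one to trace back to whatever launches it, such as a scheduled task or startup entry.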
jscher2000
Removed the line user_pref("xpinstall.signatures.required", false); from the perf.js once again.
Identified suspicious tasks using Task Scheduler View and disabled them (see attachment).
cor-el
Using Process Monitor I identified a program, atask.exe, that ran at the time of the firefox@helper2 extension file creation. The atask.exe resides in C:\Program Files (x86)\Beta Software (which looks suspicious) and I have renamed that folder.
I have rebooted my desktop and I am now waiting to see if the problem returns.
I have identified the executable but I still do not know what triggers it.
Hmm, I think we're getting somewhere.
If you right-click > Properties on astask.exe what Details do you find there?
Some variants of that file seem to be very bad news, but others seem to be a low threat. There are too many variants to say without adding some details to the query:
https://www.google.com/search?q=%22astask.exe%22+site:reasoncoresecurity.com
Description states... Est ut quaerat in porro quis id.
Hi falaniz, could you check the Details tab (sorry, I left out the word tab before).
The only hit I received on "Est ut quaerat in porro quis id." is ... http://www.freefixer.com/library/file/tmjob.exe-232802/
Freefixer helped identify a Scheduled Task called "Beta Software Worker" and I found it in Task Schedule View and have disabled it!
Details
The previous screenshot shows "C:\Program Files (x86)\Beta Software!!" as the location of the astask.exe file.
Did you look in Windows Control Panel > Programs whether there is software installed during the time(s) it mentions in the screenshot?
You can possibly search the registry for "Beta Software!!".
I have identified a scheduled task in Task Schedule View and disabled it. Waiting to see if that fixes things.
Problem still exists... the Scheduled Task called "Beta Software Worker" somehow is present and has been enabled.