Possible Firefox Infection Issue

simrick · 04 Nov 2016

I just had the strangest thing happen. Firefox has been wanting to update for a while, (I have it set to manual), so I finally let it go to v49. Then bam! - problems. Nothing will download, pages have scripting problems, some have difficulty loading, not responding errors - even the bookmarks would not export - all like an infection. Opera was working fine though.

So I manually saved my profile, and manually updated to v50, thinking that v49 had bugs. Nope, same thing. So I uninstalled it completely. Ran ADWCleaner and it found a bunch of HKLM\SOFTWARE keys, which, when searched, are positive for something called TROJ_MULDROP.AC! WHAT? From a FF update? Everything was working fine until I updated FF, so it has to be.

Amazing.......what a waste of an hour........

Barman58 · 04 Nov 2016

Am running FF 49.02 - so at least three 49.n builds and have seen no issues - just running ADWcleaner to check but nothing from my AV or malwarebytes Pro

COMPUTIAC · 04 Nov 2016

simrick said:

I just had the strangest thing happen. Firefox has been wanting to update for a while, (I have it set to manual), so I finally let it go to v49. Then bam! - problems. Nothing will download, pages have scripting problems, some have difficulty loading, not responding errors - even the bookmarks would not export - all like an infection. Opera was working fine though.

So I manually saved my profile, and manually updated to v50, thinking that v49 had bugs. Nope, same thing. So I uninstalled it completely. Ran ADWCleaner and it found a bunch of HKLM\SOFTWARE keys, which, when searched, are positive for something called TROJ_MULDROP.AC! WHAT? From a FF update? Everything was working fine until I updated FF, so it has to be.

Amazing.......what a waste of an hour........

Barman58 said:

Am running FF 49.02 - so at least three 49.n builds and have seen no issues - just running ADWcleaner to check but nothing from my AV or malwarebytes Pro

Well poo. I have 49.02 also so gonna run it to check also. Dern it.

simrick · 04 Nov 2016

Barman58 said:

Am running FF 49.02 - so at least three 49.n builds and have seen no issues - just running ADWcleaner to check but nothing from my AV or malwarebytes Pro

I'm back to 48.0, and now I'm getting notifications that 50 is available. ADWCleaner and JRT have given the all-clear; ESET NOD32 never even peeped; will run MBAM after Sohpos is finished, and maybe a FRST just to see if anything is lingering. Very strange...
Love your sig Nigel!

Barman58 · 04 Nov 2016

My 49.02 is stating that I am Up to date - no V 50 here

COMPUTIAC · 04 Nov 2016

Dang it, 26 ?

***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3E-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}

kado897 · 04 Nov 2016

COMPUTIAC said:

Dang it, 26 ?

***** [ Registry ] *****

Key Found: HKLM\SOFTWARE\Classes\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{DD9DA666-8594-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE32-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE33-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE34-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE36-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE37-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE38-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE39-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3A-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3B-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3C-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3E-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE3F-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE40-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C27CCE42-8596-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}
Key Found: HKLM\SOFTWARE\Classes\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}

I've just run AWCleaner too and got the same result but FF 49.02 seems stable.

Barman58 · 04 Nov 2016

I had some at least of those, there appears to be a debate at ToolsLib - False Postiive Registry entries - Forum "discussing the validity of these detections.

I cleaned mine with ADWcleaner and have tested with a targeted malwareBytes pro registry scan and it gives all clear.

Will run full system wide MalwareBytes Pro scan to be sure - will report back if anything "interesting" shows up

COMPUTIAC · 04 Nov 2016

Barman58 said:

I had some at least of those, there appears to be a debate at ToolsLib - False Postiive Registry entries - Forum "discussing the validity of these detections.

I cleaned mine with ADWcleaner and have tested with a targeted malwareBytes pro registry scan and it gives all clear.

Will run full system wide MalwareBytes Pro scan to be sure - will report back if anything "interesting" shows up

Yes, I read that also. Went ahead and cleaned them any way.
Ran a scan of MBAM Pro and came up clean, same with Hitman Pro.

simrick · 04 Nov 2016

Barman58 said:

My 49.02 is stating that I am Up to date - no V 50 here

Directory Listing: /pub/firefox/releases/50.0b9/

It's available and my FF is asking to update, but you can also get it manually.