MozillaZine

Firefox.exe always open

From MozillaZine Knowledge Base

This article concerns an issue reported by Firefox users on Windows (but which could affect any browser) in which the Firefox process is always present in the Windows Task Manager.

WARNING: The symptoms described on this page are typical of a malicious trojan.

While there are legitimate reasons why the firefox.exe process may be present in the Windows Task Manager when a user does not expect nor wish it to be, this article concerns instances where the problem is due to the infection of a malicious backdoor trojan. Until a trojan, virus, keylogger or other malware can be ruled out, it is advisable to treat the issue with the attention and immediacy that a serious breach in system security deserves. Commonly-reported symptoms (as well as legitimate explanations for unusual behavior) and methods of detection are listed below.

Contents

Background

Since June of 2006, numerous users have reported experiencing similar issues with their browser which were later found attributable to a malicious trojan - specifically one based on Poison Ivy, an advanced "reverse connection", firewall-bypassing remote administration tool. The trojan creates a 'server' file on the affected system which alerts the trojan-maker when an affected system is online and which then gives access to, monitoring of, and even complete control of an infected user's system - giving him (among other things) the possibility to steal usernames & passwords, banking or credit card info, or any other private information that may have been stored, typed or viewed on-screen while the computer is infected. The default settings is for the malicious 'server' file to inject itself into the target system's Default Browser memory space and then run as a phony 'duplicate' browser process, which enables it to bypass detection by firewalls and routers. So while many Firefox users naturally assumed the problems they were experiencing were a 'Firefox problem', they would in fact have happened whichever browser was set as their system Default.

While there are other similar Remote-Admin apps used by trojan-makers, Poison Ivy quickly became popular for a number of reasons - it was new, it could be deployed without arousing much suspicion, it injected itself into the Default Browser process, and it had an attractive range of monitoring & set-up features. One such feature was the apparently unique 'Persistence' option - if enabled, the server file located on the infected system will restart itself even when the process is manually killed by the user - which means more 'up time' for the hacker - no waiting for the infected user to reboot their system or manually restart an affected application. Another handy feature is the 'Melt' function - which deletes the original infected file upon first run, so that a user cannot inspect it or uploaded to an anti-virus company's database.

This may explain why many of the popular spyware & antivirus utilities - and even the usual rootkit detectors - fail to detect anything malicious on affected systems. The first reported successful detection of an 'ivy'-related trojan (in the context of the Firefox-related symptoms, listed below) appears to have been with 'NOD32 Antivirus' ($), and not long after, it seems 'Avira AntiVir' (free) added Poisonivy.20.A to their definition file. The Webroot SpySweeper site now lists Poison Ivy, flagged with Severity: CRITICAL and the BitDefender site now lists Backdoor.Poisonivy.CV with one of the symptoms being, An instance of Firefox running in background even after Firefox is closed. Some users have reported the symptoms and then successful detection of malware of various names - but it is hard to say whether these are identical culprits as competing a/v companies often give the same trojan differing names, or just give them a generic name with little or no supporting info. It should also be noted that the Poison Ivy utility is under ongoing development and the server files can be remotely updated by the hacker as needed - which may further complicate detection.

While SpySweeper suggests that the Poison Ivy trojan is normally spread via email attachment, one of the first reports of PoisonIvy.20.A detection was an infected Runescape (online multiplayer game) hack posted on a gaming message board, and shortly afterwards a similarly posted Diablo II hack was also found infected with the same. It seems that many of the Firefox users affected by the symptoms admit to playing other online multiplayer games - giving some credence to the idea that infected game hacks(cheats) is a more frequent source of infection. Of course, any executable file whose origin/authenticity is uncertain could be a culprit.

Symptoms

Numerous users have reported experiencing one or more of the following issues:

  • firefox.exe automatically loads on Windows boot up (a Poison Ivy server-file build-option).
  • Windows Task Manager's Processes tab shows 2 or more copies of firefox.exe (use "Ctrl+Alt+Delete" to bring up Task Manager).
  • firefox.exe persists in Task Manager's Processes tab after Firefox is closed down normally from within the browser.
  • firefox.exe persists in Task Manager's Processes tab after its process is manually killed via "End Process".
  • Firewall alerts that Firefox is trying to connect to an unrequested IP address on a remote port (typically Port 3460, which is Poison Ivy's default Port setting - though any Port# may have been chosen).
  • Firefox/system is mysteriously sluggish (The hacker may be searching for or transferring files, taking screen captures, keylogging, packet-sniffing, etc).
  • Unusual activity is noticed that seems to be being controlled by 'remote control' - such as unexpected mouse movement or perhaps character movement in online multi-player games (The hacker is controlling the cursor).

Legitimate explanations for the symptoms

There may be rational explanations for some of these issues, so it's best to rule them out before getting unnecessarily worried that your system has been maliciously attacked. Often - especially on a shared computer - a user may be unaware of (or have forgotten about) a manual change to the configuration which might explain the problem(s). Note: the following list may not cover all possibilities, so use discretion.

  • You exited Firefox but, due to a glitch, the firefox.exe process did not close. (However, once manually killed, it should never restart & reappear by itself.) Read Firefox hangs - Hang at exit for common causes and solutions.
This may be due to problematic extensions, plugins, or Internet security software installed on your computer.
This may be due to a corrupted Profile - follow the *Standard diagnostic - Firefox for troubleshooting procedures.
Your Firefox profile may be "in use" (locked). See the article Profile in use for steps to resolve.
  • Firefox has been manually added to the Windows Startup folder. (Start Button -> All Programs -> Startup)
  • Firefox has been manually added to the msconfig start up via the Windows System Configuration utility. (Start Button -> Run, type 'msconfig', click OK, and then look through the Items in the Startup tab)
  • Another instance of Firefox is running, either as a result of using a 3rd-party utility, the -no-remote command line option or the SET MOZ_NO_REMOTE system environment call.
  • The Firefox Preloader utility has been installed and due to a Bug, the firefox.exe process continues in the background after unloading.
  • Due to a bug or extension issue, the main Firefox window may close normally, but child windows (Download Manager, Addons, Help Contents, etc) that were open remain open yet hidden (by another open Task window) - and are nowhere to be found on the Task Bar.
.. Try hitting the Show Desktop icon in the Quick Launch bar to check to see if they were hidden, and also double-check multiple Windows Explorer items on the Task Bar as sometimes Firefox inexplicably finds itself there. An "End Task" in Task Manager should kill the process.
  • There is a legitimate request on Port 3460 (unlikely, but possible), or whichever Port the trojan-maker decided to use.
  • Internet connection problems (check by using another browser / check firewall settings / reset router/modem).
  • High CPU and/or system memory usage creates a delayed response to commands and/or keyboard input.
  • Faulty mouse creates erratic cursor movement.

Confirming the presence of malware

If you have ruled out all of the above, then there's a good chance that the problems being experienced are caused by a malicious trojan, specifically one based on Poison Ivy, or similar remote-admin utility. The first course of action should be to:

  • Update your AV/spyware software and run a full system scan
.. though as previously mentioned, Poison Ivy may go undetected by some(or even most) utilities.


There are a few things you can do to manually confirm its presence:

  • Set another web browser as your system's Default Browser, reboot and see if its .exe loads when Windows boots or if it's duplicated in Task Manager when that browser is running. Setting the Default Browser can be done either from within the respective browser's Options or, to set Internet Explorer as Default, do: Start Button -> Control Panel -> Internet Options -> Programs Tab -> Make default.
  • As this type of trojan is known to create a Registry entry which points to the malicious executable file(s) that it has dropped onto your system,
    • Run Registry Editor (Start Button -> Run, then type 'regedit' and click OK) and find the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
  • .. and look for any sub-Key(s) that have only a StubPath entry in the Name column (legitimate entries typically have Version, Locale, or ComponentID at the very least).
  • Make note of the name & location of any files that are pointed to in the 'Data' column of the StubPath, typically in either the C:\Windows\System32 directory (default), or in C:\Windows)
  • Do a file Search, locate and verify the authenticity of any file(s) mentioned in the above StubPath
  • Look for a similar filename to the above, but with no file extension (this is typically the keylogging/activity-tracking data file)
tip: Sort your files by 'Type', and then look for files of the generic 'File' type (no extension).

Though the server (& logfile) could use *any* filename, confirmed reported filenames have included: - RegMen.exe - lssas.exe (Note: do not confuse with legitimate file, 'lsass.exe') - svlchost.exe (Note: do not confuse with legitimate file, 'svchost.exe') - ivy.exe - XP-Clean.exe - cmdow.exe (Note: this legitimate tool allows a user to hide, open & close windows; may be installed maliciously by a trojan.) - startup.exe .. + of course a respective 'no-extension' key-logging file of the same name.

  • Upload suspicious files to a (free) online multi-scan service such as VirusTotal. (Note: they don't guarantee their results)

Removal

If your current antivirus or antispyware security software does not detect and remove the trojan, even though it is fully updated, you should consider installing a dedicated anti-spyware program to scan your system. You may also want to visit a forum specializing in malware removal, before taking any further action. Recommended programs and forums are listed here. [1]

Manual removal

Caution: While these steps should be safe to perform if followed correctly, you should never edit the registry if you don't feel confident or are unsure of what you are doing. If your anti-virus or anti-spyware software failed to remove the trojan, but you are not comfortable removing it yourself, please seek support from your security software provider, your pc manufacturer or a local repair shop - or anyone you trust with your machine.

If any of the above tell-tale signs were found but your AV/spyware scanner failed to quarantine/clean a trojan from your system, you can use the following steps to manually remove the trojan and its all related traces from your system:

  1. Reboot into Windows Safe Mode (Reset the computer and press the F8 key repeatedly until Safe Mode prompt comes up prior to Windows startup)
  2. Run Registry Editor (Start Button -> Run, then type "regedit" and click OK) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components and look for, back up, and remove any sub-key(s) that *only* have a StubPath entry. It's advisable to back up any registry keys before you remove them (just in case). Right-click on the appropriate Key(s) in the left-side pane and choose Export from the context-menu. Give the file a name and save it to your Desktop as a .reg file. ex: SuspiciousKey1.reg. If you later wish to undo the deletion of the Key, double-click the .reg file and say "Yes" to merge the Key back into your registry.
  3. Delete the suspicious files you found during the 'confirming the presence of malware' step (above).
  4. Reboot into Windows (normal mode).
  5. Double-check everything to make sure it hasn't returned!
  6. Please Note: As of April 6, 2007; Ivy will re-create the registry key. Instead of deleting the random key, change the value of "stubpath" to something that is not a file path, such as: Disabled This will ensure the process does not start again, and should clear your task manager up.

Alert!

Worth mentioning again: If you were indeed affected by Poison Ivy or a similar trojan, be warned that a hacker may have had access to all of your user-names, passwords and other private information that was either stored on your computer or that you had typed during the period that you were infected. The Webroot SpySweeper webpage for the Poison Ivy trojan warns:

It is recommended that you change all of your passwords AFTER removing this [trojan]. If you bank online, you might consider changing your credit card and bank account numbers. You should also monitor your credit card and bank statements carefully over the next several months for signs of fraudulent activity.

Prevention

  • Be especially wary of downloading & installing executable files posted on messageboards or arriving via email. If you weren't expecting the file but it appears to be from someone you know, email them back and confirm that they sent it - viruses are known for using Address Books to spread.
  • Update your virus scanner / spyware software regularly.
  • Go into your firewall configuration's Program Control area and remove all references to Firefox so that any inadvertently-allowed Ports that may have previously been granted access privileges can be reset.
  • Pay attention to firewall alerts. If you were not expecting a Port to be accessed, take the time to find out what it is, where it is, and why it is trying to connect to your computer. Perform a web-search on the IP address and on the Port number, and on the application filename that requested it. You are probably not the first to experience it and question it. Use that to your advantage - be safe rather than sorry.
  • Be aware of what processes normally run on your system so that you can recognize any unusual activity. It's possible to add the Task Manager to your Startup Folder, and change its Properties to 'Run Minimized' so that it loads with Windows and hides in the tray where it's always quickly accessible.

External Links