Malware
dollar, 2015-10-18 12:56:37

How to find malware when trying to install an extension?

The backstory is this. When starting firefox (I rarely run it, but this time I just missed it with the mouse), I got the following message:
[screenshot: 7344732.png]
The message shows that a certain program is trying to install an extension. It is not clear which program, and that is what needs to be found out, because removing the extension treats the symptom, not the disease. Thank God that at least the path to the extension itself is shown and can be studied.
Why is this malware? If only because I don't know any programs that could afford such impudence. Just in case, I checked the extension itself. The cssupdate.com domain is immediately striking instead of cssupdater.com, which Google immediately yells about:
[screenshot: 7383647.png]
The vidadblocker94.com domain does not exist at all.
If you dig deeper, you can find the webovernet.com domain, in Google they say only bad things about it.
Etc.
If it helps, then here is the extension itself: https://yadi.sk/d/CBHHsfdKjovZJ
But the main goal is to find the program that this extension is trying to install. How to do it?
Antivirus (DrWeb CureIt) did not find anything on the computer (Windows 7 64-bit). And the extension also does not arouse suspicion on VirusTotal (or on Yandex.Disk, which is why I calmly posted it).


3 answer(s)
Yuri Chudnovsky, 2016-04-28
@dollar

What kind of program, Firefox does not know: it simply found a new one in the extensions folder that is not listed as installed through the standard mechanism. Who put the files there you can only find out by tracking the process of copying files there using procmon, filemon, etc., or by setting up an audit.
In the general case, the malware has already done its work and may not even exist on the disk anymore.

Andrey, 2015-10-18
@reaferon

As a half measure: agree to install the extension, and after installation, just disable it (without uninstalling). The malware will assume that the extension is already installed.

KPOBABAK, 2015-10-19
@KPOBABAK

Track access to the specified files through Procmon.
Well, as another option... is there nothing extra in the FF shortcut?
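As an added example (not from the question or any of the answers), here is one way to act on the Procmon advice above: filter a Procmon CSV export for successful write-type operations on the places Firefox side-loads extensions from and group them by process. The profile folder name, the process name updater_svc.exe and the log rows are constructed; it goes slightly beyond the answers by also watching the registry Extensions keys, since a side-loaded extension can be registered there as well as dropped into the profile folder.

```python
import csv
import io
from collections import defaultdict

# Locations Firefox side-loads extensions from: the profile "extensions" folder and the
# registry Extensions keys. The profile folder name (abcd1234.default) is a constructed stand-in.
WATCHED_PREFIXES = (
    r"c:\users\dollar\appdata\roaming\mozilla\firefox\profiles\abcd1234.default\extensions",
    r"hklm\software\mozilla\firefox\extensions",
    r"hkcu\software\mozilla\firefox\extensions",
)

def is_write(op, detail):
    """Write-type ops; CreateFile counts only when opened for writing or created/overwritten."""
    if op == "CreateFile":
        d = detail.lower()
        return "generic write" in d or "disposition: create" in d or "overwriteif" in d
    return op in {"WriteFile", "SetRenameInformationFile", "RegSetValue", "RegCreateKey"}

def effective_path(op, path, detail):
    """Rename operations carry the destination in 'Detail' (FileName: ...); use it so a
    dropper that writes to %TEMP% and renames into the extensions folder is still caught."""
    if op == "SetRenameInformationFile" and "FileName: " in detail:
        return detail.split("FileName: ", 1)[1]
    return path

def find_writers(procmon_csv):
    """Return {(process, pid): [paths]} for successful write-type operations on watched
    locations. Expects Procmon's CSV export columns:
    Time of Day, Process Name, PID, Operation, Path, Result, Detail."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(procmon_csv)):
        target = effective_path(row["Operation"], row["Path"], row["Detail"])
        if not target.lower().startswith(WATCHED_PREFIXES):
            continue
        if row["Result"] != "SUCCESS" or not is_write(row["Operation"], row["Detail"]):
            continue
        hits[(row["Process Name"], int(row["PID"]))].append(target)
    return dict(hits)

# Constructed sample of a Procmon CSV export: Firefox only lists the folder, while a
# hypothetical "updater_svc.exe" stages an .xpi in %TEMP%, renames it in and registers it.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:55:01.0000001","firefox.exe","1234","CreateFile","C:\Users\dollar\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\extensions\","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open"
"12:55:02.0000002","updater_svc.exe","4321","CreateFile","C:\Users\dollar\AppData\Local\Temp\ext.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"12:55:02.0000003","updater_svc.exe","4321","WriteFile","C:\Users\dollar\AppData\Local\Temp\ext.tmp","SUCCESS","Offset: 0, Length: 4,096"
"12:55:02.0000004","updater_svc.exe","4321","SetRenameInformationFile","C:\Users\dollar\AppData\Local\Temp\ext.tmp","SUCCESS","ReplaceIfExists: True, FileName: C:\Users\dollar\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\extensions\{ext-id}.xpi"
"12:55:03.0000005","updater_svc.exe","4321","RegSetValue","HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{ext-id}","SUCCESS","Type: REG_SZ, Length: 140, Data: C:\Users\dollar\AppData\Roaming\Mozilla\Firefox\Profiles\abcd1234.default\extensions\{ext-id}.xpi"
'''
```

Run `find_writers(SAMPLE_LOG)` on a real export (File > Save as CSV in Procmon) after adjusting the profile path; the process that shows up is the one to investigate, and its temp file path is the place to look for the dropper.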
