Darknlight
asked on
unknown process - should I be concerned
Hello everyone,
Earlier today, I had gone in to the Task Manager to have a look at what processes I had running; something I do from time to time as a way to make sure nothing new has made its way onto the comp without my intent.
Sure enough I noticed a new process on the list, which was as follows:
lupdater.exe *32
CPU usage: 00
Memory usage: 42,184K
Description: Firefox
This immediately raised a red flag for me for 2 reasons:
1. I always make sure new programs are set to *ask* about updates, as opposed to automatically installing them.
2. I've *never* touched or downloaded anything made by Mozilla on this comp, so I know for a fact there should be no "Firefox" on this computer.
I've done a full virus scan using Microsoft Security Essentials, which came back with no threats found. I'm about to go ahead and run a scan with MalwareBytes to see if it comes back with any results, as I know no single antivirus or antimalware program is foolproof. I may even give BitDefender a try.
If none of these end up coming back with results, does anyone have any input or experience with this process? Should it be removed immediately, or is it running for a reason?
The location of the process is as follows, in the event that it helps at all:
"C:/Program Files (x86)/Common Files/ComObject/"
I'll post again if I get any results from the additional virus / malware scans.
Thanks in advance for any help on the matter.
-Dark
PS: I'm fully up to date with my WAU as well.
Sounds dodgy, especially as you don't have Firefox installed. I have done a search and there is nothing out there on it, which is also odd, as it would come up a lot more if it was genuine. It looks to me like it might be a new virus that has not been picked up yet, or if not, it is something that you are not going to use.
I would disable it from startup: go to Start > Run, type msconfig and hit OK, then disable the program from starting up. You can always turn it back on if it is needed.
M@
Run Process Explorer (right-click and run as admin).
In it, hit Options and select "Verify Image Signatures".
Then hit View > Select Columns and check "Verified Signer".
Get a screenshot of the process and attach the images.
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Also try a scan with Hitmanpro
http://www.surfright.nl/en/hitmanpro
ASKER
*update
@mattclarified, unfortunately I already checked msconfig and it doesn't show up as one of the startup processes, nor services, which was what added to my suspicion.
@optoma, I did as you instructed and have attached the screenshot from Process Explorer. Strangely enough it's claiming to have a verified signer of "Mozilla Corporation". Again, however, I do not have, nor have I ever had, any installation of Firefox on this computer (I did a clean reformat a couple of months back, so I'm positive).
I was able to find something that looks related, on a Danish website using Google Translate. They mention the exact same process in the same location. Is this any help?
http://translate.google.com/translate?hl=en&sl=da&u=http://sikkerhed.tdc.dk/publish.php%3Fid%3D25234&ei=gnoaTIHpI6PwNKiPnJwF&sa=X&oi=translate&ct=result&resnum=5&ved=0CCwQ7gEwBA&prev=/search%3Fq%3Dlupdater.exe%2Bfirefox%26hl%3Den%26rls%3Dcom.microsoft:en-us:IE-Address
I'll post again after running the HitmanPro scan.
Thank you
(attachment: process-explr-scrn1.jpg)
It's verified, so it should be OK.
Check Programs and Features in Control Panel.
Is Firefox listed?
Hi there,
Possibly stupid question: do you have any other Mozilla program installed?
Like Thunderbird, Lightning or Sunbird?
--TheDoctor
ASKER
There's no installation of Firefox on this computer, nor Thunderbird, Lightning, or Sunbird.
I've changed the name of the process to "renamed.exe" to see what would happen if the program name couldn't be found, and I've noticed a new program running from the same directory.
This new program is wSock.exe *32, and it was taking up about 13% CPU for a minute, then went down to 0%.
Not sure how to get rid of this if the antiviruses aren't finding it. Should I simply delete the folder they're in? Or delete the .exe?
Run ESET Online Scanner.
Check "scan archives".
Under advanced options:
Have all three boxes checked.
Attach its logfile.
Location: C:\Program Files\EsetOnlineScanner\log.txt
ESET online scan: http://www.eset.com/onlinescan/
ASKER
**update**
OK, I'm fairly certain I've found out exactly which virus this is, at the following link:
http://www.sophos.com/security/analyses/viruses-and-spyware/trojdropfs.html
It starts with lupdater, then adds one process after another (like wSock.exe). Though I'm more concerned now as to what I'm going to do if none of these antivirus scans can pick it up.
I tried deleting (temporarily) the ComObject folder altogether to see how it would react, and after about 10 minutes I received a pop-up saying:
"Windows Script Host
Script: C:\Program Files (x86)\CommonFiles\ComObject\Liveupdate.js
Line: 107
Char: 2
Error: The system cannot find the file specified.
Code: 80070002
Source: (null)"
I have no problem with leaving this pop up window up to avoid letting this virus continue to add programs.
Any suggestions?
Here's what I suggest:
Go to msconfig and disable everything that is non-essential, e.g. leave AV and anything you consider really important; deffo disable anything in the Common Files directory.
Go to C:\Program Files (x86)\CommonFiles\ComObject\Liveupdate.js, right-click on this file and click Edit. As it is a .js file you should be able to see the code in there and get a vague understanding of what it's doing. Feel free to post the contents on here, and I'm sure one of us will be able to tell you exactly what to do.
If you really feel uncomfortable with this you could roll back to a previous system restore point. The files will still be on your system, but they will not have been actioned, so you can delete any that you don't trust.
You would need to also remove the relevant registry values to stop the error, as it still tries to load the file.
You might also try either one of these scanners and see if it finds all the relevant registry entries, apart from the "Run" values and files from Sophos' link.
1. Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe
• Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• Under the Custom Scan box paste this in:
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
2. Download OTS to your Desktop and double-click on it to run it.
http://oldtimer.geekstogo.com/OTS.exe
• Make sure you close all other programs and don't use the PC while the scan runs.
• Now click the "Run Scan" button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
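A triage script covering the two checks discussed in this thread, the Process Explorer "Verified Signer" step and the "Run" values that keep relaunching the script, added here as an example and not taken from any post above. It assumes PowerShell 4 or later with the ScheduledTasks module (Windows 8 / Server 2012 and newer), run from an elevated prompt, and uses the process name and folder from the thread purely as illustrative inputs.

```powershell
# Added example (not from this thread): triage a suspicious process image on Windows.
# Assumption: $ProcessName defaults to the name from the thread; change it as needed.
param([string]$ProcessName = 'lupdater')

# 1. Locate the running image. Path is only populated for processes the caller can
#    open, so run this elevated.
$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) { Write-Warning "No process named '$ProcessName' is running"; return }

foreach ($p in $procs) {
    $path = $p.Path
    "=== PID $($p.Id)  $path"

    # 2. Version-resource metadata. Task Manager's "Description" column comes from
    #    here; it is free text set by whoever built the binary and proves nothing.
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    "Description : $($vi.FileDescription)"
    "Company     : $($vi.CompanyName)"

    # 3. Authenticode check. Only Status 'Valid' means the file is unmodified and
    #    chains to a trusted root; 'NotSigned' or 'HashMismatch' is a red flag.
    #    Always read the signer subject too, not just the pass/fail status.
    $sig = Get-AuthenticodeSignature -FilePath $path
    "Signature   : $($sig.Status)"
    if ($sig.SignerCertificate) {
        "Signer      : $($sig.SignerCertificate.Subject)"
        "Thumbprint  : $($sig.SignerCertificate.Thumbprint)"
    }

    # 4. Hash for lookup against a vendor write-up or reputation service.
    "SHA256      : $((Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash)"

    # 5. Siblings in the same folder: droppers stage further executables and
    #    scripts next to the first one (the thread saw wSock.exe and Liveupdate.js).
    $dir = Split-Path -Parent $path
    "Folder      : $dir"
    Get-ChildItem -LiteralPath $dir -File |
        Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
}

# 6. Persistence: Run/RunOnce values (native and WOW6432Node views) and scheduled
#    tasks whose command line points into the suspect folder or launches a .js file.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       ("$($_.Value)" -match 'ComObject' -or "$($_.Value)" -match '\.js\b') } |
        ForEach-Object { "Run value   : $k\$($_.Name) = $($_.Value)" }
}
Get-ScheduledTask | ForEach-Object {
    $act = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($act -match 'ComObject' -or $act -match '\.js\b') { "Task        : $($_.TaskName) -> $act" }
}
```

Save the block as a .ps1 and run it as `.\triage.ps1 -ProcessName <name>`; a 'Valid' signature only tells you the file is what its signer shipped, so the hash and the persistence entries still need to be checked against a trusted source before deciding it is benign.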
ASKER CERTIFIED SOLUTION
I don't agree with this question being closed. You can quite easily see that the issue has been solved with help of the experts. The user has asked for advice and help on what he believes to be a suspect file, many of the comments have deduced that the file is not to be trusted and does sound like a virus/malware. Also many times msconfig was mentioned to stop the virus from running, and the user has stated that they used this to solve part of the problem.
It is my opinion that had the user not asked the question on experts-exchange, that they would still have the problem, or would have had to work significantly harder to alleviate it.
M@
ASKER
I still feel it should be closed as is.
While experts clearly gave input (Process Explorer, virus scans they trusted), ultimately it was myself who, as you can see, did all the in-depth searching and posted every single link with any possible info on the virus.
I would say that the prime benefit was being able to have reassurance that this process was indeed a problem, by the second and third opinions of others.
In regards to msconfig, if you point your attention to my second post (which was even directed @mattclarified at the time), you'll note that I had *already* checked msconfig (one of the first things I did) for any startup processes as well as services that shouldn't have been there.
Furthermore, msconfig was not used to stop the virus; the Sophos antivirus that I had found (see 4th post) was the only antivirus able to remove it. msconfig was used to stop the startup script for Windows Script Host, which only became an entry in msconfig's startup after the virus was removed.
In a nutshell:
1. None of the expert-suggested antivirus programs were able to detect the virus.
2. As previously stated, msconfig had already been checked before it was suggested and in no way stopped or removed the virus. It only stopped a startup script that was failing once the virus had been removed.
3. Process Explorer didn't assist in the removal of the virus, as it claimed the virus was digitally signed by Mozilla, which it obviously wasn't (not that I don't appreciate the useful tool, but it didn't help in solving the problem, as it created confusion on the authenticity of the process).
4. Any info on the virus that could be found online (and used to remove it) was found by myself, as you can see from my posts. No one else posted any findings on the virus with a successful way to remove it.
The experts helped solidify my suspicion that the process was bad. Beyond that, I did the research and digging around; I found an accurate record of the virus as well as the antivirus that ended up being able to remove it.
I feel without a doubt, I would have been able to solve this without the suggestions given.
Have you checked the binary for additional information like file properties
or digital signing?
--TheDoctor