Page 7 of 18

Re: Strange script tries to run when connection is down

Posted: Wed Nov 11, 2009 7:24 pm
by GµårÐïåñ
You are correct, addons are installed haphazardly in unpredictable orders and yes they can conflict with each other depending on which asserts itself first. Usually deleting your extension.ini, rdf, cache tends to cause them to reassert in a new order which sometimes fixes it or you have to do it a couple of times. I find it an asinine system and very disappointed in Fx for having it like this but as with any OS piece of work, you get what you don't pay for. After all, even if you managed to figure out which order to put them in, when they update, they won't update in the same order.

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 12:34 am
by Tom T.
computerfreaker wrote:What ISP do you use? (Real question, do they make you install any s/w to use their service?
They "offer" a complete package -- AV, etc. -- but I don't use it. Just plug in the modem, plug the router into the modem, wireless laptop to the router. (Both wireless network and router administration properly secured/encrypted, of course, and WAN-side router administration disabled. UPnP disabled. Etc.)
I use AOL, and they make me install their s/w to even connect to the 'net - including a bunch of tray apps & background services)
One reason I ditched AOL after a five-month free trial on my first puter, long since gone to the recycling dump. But I understand that there are other reasons that you keep it. Good question whether Montagar has any ISP sw, though. :?:
Tom T. wrote:WHOA! Montagar, do you have LogMeIn Hamachi VPN? I had a support issue with the version installed, didn't remember the date, but the Program Files folder shows "modified 10/29/2009" for both hamachi-2.exe and hamachi-2-ui.exe. BUT ... that was 12 hours after the above post about *not* seeing the issue. Close, but no cigar.
computerfreaker wrote:Maybe there's something there... Montagar, do you have Hamachi?
Even if the infection vanished before the modified date for Hamachi, that doesn't mean it was gone before Hamachi updated - changing the modified date/time for a file is as simple as an API call. (I know from personal experience with file time-changing VB6 code; EVERY time - accessed, created, & modified - can be changed with an API)
Worthwhile question. @ Montagar: Got Hamachi?
Tom T. wrote:Still hope Autoruns shows something.
computerfreaker wrote:Ditto...

Another idea - any unusual audio/video codecs on your computer?
Not on mine -- actually removed a number of them when I back-graded from WMP 10 to WMP 6.4. (simpler and cleaner)
Montagar?
Tom T. wrote: But could you do packet monitoring with IE or Opera, and see if there is any difference under the identical circumstances on Fx?
computerfreaker wrote:.... Edit .... he should try going to Google with IE or Chrome, and keep an eye on the network packets while he does that.
Exactly. Sorry if I didn't phrase that clearly.
computerfreaker wrote:Tom, did you do any kind of deletion before the infection vanished? Cache-clearing? Registry editing? Anything????
The Fx cache is auto-cleared, along with all other browsing data, every time the browser is closed. So if that would have done it, I would have had to acquire the "infection" in the same browsing session in which the issue was discussed, before closing it to disable/re-enable extensions.

*Plus* I run in Sandboxie almost 100% of the time. (Sole exception: Use an admin-priv browser to get NS updates or other AMO updates, so unless AMO, or perhaps Giorgio's dev build link, is corrupted :o , not an issue.) The sandbox itself is emptied at every browser close -- which reinforces the question of how an infection would get to the HD, or did it arrive only during that session? -- then disappear when the sandbox was emptied.

It would sound more like the search engines were hacked, except that no one seems to be able to reproduce it any more except for the unfortunate Montagar.
computerfreaker wrote: :idea:
If it was an addon, the order in which you disabled/enabled them could be significant... I know, I know, it shouldn't be - but I've heard addon conflicts *are* sometimes solved by disabling/enabling addons in a certain order. Even the installation order can be important in an addon conflict... is it possible, maybe, that the order you disabled/enabled the addons is important (critical) here?
(emphasis mine)
But a *conflict* shouldn't let a rogue script loose. Usually conflicts cause malfunctions -- one or the other doesn't work right, or pages or page features break, etc... And NS wasn't the victim of such a conflict, because it properly reported the attempt by innoshot, and properly blocked it.
computerfreaker wrote:Running out of ideas,
Ditto.

Autoruns and perhaps ISP sw seem the only present possibilities on the table. Hamachi is remotely possible, but it's all via SSL, and since the company specializes in secure VPN and remote access, one *hopes* that their servers weren't compromised. Easy yes or no: if Montagar doesn't have it, that's off the list.

I'm awaiting the Autoruns fine-tooth comb.

Edit: Agree with Guardian that the randomness of extension updates, etc. makes the order an even more unlikely suspect, in addition to what's said above.

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 1:31 am
by computerfreaker
Tom T. wrote:
computerfreaker wrote:Tom, did you do any kind of deletion before the infection vanished? Cache-clearing? Registry editing? Anything????
The Fx cache is auto-cleared, along with all other browsing data, every time the browser is closed. So if that would have done it, I would have had to acquire the "infection" in the same browsing session in which the issue was discussed, before closing it to disable/re-enable extensions.

*Plus* I run in Sandboxie almost 100% of the time. (Sole exception: Use an admin-priv browser to get NS updates or other AMO updates, so unless AMO, or perhaps Giorgio's dev build link, is corrupted :o , not an issue.) The sandbox itself is emptied at every browser close -- which reinforces the question of how an infection would get to the HD, or did it arrive only during that session? -- then disappear when the sandbox was emptied.
Sounds almost like it arrived during that session... here's a timeline that might work.
* Infection arrives
* Montagar notices, posts
* Tom T. notices Montagar's posts, notices malware
* Tom T. disables addons, restarts
* Sandbox destroys malware
* Tom T. re-enables addons, restarts
* Tom T. notices malware's gone

That might cover it, although I don't know... Tom, does that match your activity? (Of course, you wouldn't know when the malware arrived or left, but I'm referring to the other entries)
Tom T. wrote:It would sound more like the search engines were hacked, except that no one seems to be able to reproduce it any more except for the unfortunate Montagar.
Maybe they were hacked, just for Montagar!!!!!
Montagar, try Fx in safe mode, and have it restore your default search engines. It's possible, just barely, that some of your search engine plugins were hacked... I don't know if it's possible, but perhaps the plugin could "listen" to the sites you go to and put up innoshot code for Google et al... (maybe a bad idea, but I'm scraping the bottom of the barrel right now...)
Tom T. wrote:
computerfreaker wrote: :idea:
If it was an addon, the order in which you disabled/enabled them could be significant... I know, I know, it shouldn't be - but I've heard addon conflicts *are* sometimes solved by disabling/enabling addons in a certain order. Even the installation order can be important in an addon conflict... is it possible, maybe, that the order you disabled/enabled the addons is important (critical) here?
(emphasis mine)
But a *conflict* shouldn't let a rogue script loose. Usually conflicts cause malfunctions -- one or the other doesn't work right, or pages or page features break, etc... And NS wasn't the victim of such a conflict, because it properly reported the attempt by innoshot, and properly blocked it.
NS wasn't the victim of a conflict - what I was trying to say is that perhaps, like a conflict, this thing relied on the order in which you installed/enabled/disabled addons. ;)
Tom T. wrote:Autoruns and perhaps ISP sw seem the only present possibilities on the table. Hamachi is remotely possible, but it's all via SSL, and since the company specializes in secure VPN and remote access, one *hopes* that their servers weren't compromised. Easy yes or no: if Montagar doesn't have it, that's off the list.
Codecs too... and Montagar, try running HijackThis and post the log here. That's an unbelievably useful tool in detecting & destroying malware, especially browser-based malware...
Tom T. wrote:I'm awaiting the Autoruns fine-tooth comb.
Likewise. I'd especially like to see a HJT (HijackThis) log as well...
Tom T. wrote:Edit: Agree with Guardian that the randomness of extension updates, etc. makes the order an even more unlikely suspect, in addition to what's said above.
Conceded, not a likely idea. Still, IMHO every idea should be brought out... maybe some stupid idea will turn on the light bulb in ways the poster never anticipated... (it's happened to me countless times, I provide a not-so-good idea and somebody goes in a completely different direction with it, ending up with success)

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 2:44 am
by Montagar
Tom T. wrote:Good question whether Montagar has any ISP sw, though. :?:
No ISP software.
Tom T. wrote:Worthwhile question. @ Montagar: Got Hamachi?
Nope.
Tom T. wrote:Still hope Autoruns shows something.
Working on it.
Another idea - any unusual audio/video codecs on your computer?
Checking into that.
Tom T. wrote: But could you do packet monitoring with IE or Opera, and see if there is any difference under the identical circumstances on Fx?
Network traffic looks the same.
computerfreaker wrote:Tom, did you do any kind of deletion before the infection vanished? Cache-clearing? Registry editing? Anything????
I have FF set to clear everything when I close the browser.

Here is the HijackThis file.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256867822875
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
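
The HijackThis log above is a flat text format that is normally read by eye. As an added example (not code from this thread, nor from HijackThis itself), the following Python parser turns the running-process list and the R0/O2/O4/O16/O23 lines into records and applies the checks a reviewer applies when reading such a log: Run-key commands given as a bare file name rather than an absolute path (resolved by PATH search at logon), services reported with "Unknown owner" (as cmdagent.exe is above), running processes located outside the Windows and Program Files trees, and O16 ActiveX downloads from hosts other than Microsoft's update site. The embedded log is a constructed excerpt of Montagar's posting with the same line shapes; the allowlists and heuristics are assumptions, and a hit means "look closer", not "malicious": here all three hits are explained by the Creative and COMODO software visible elsewhere in the log.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt of the HijackThis log posted above (same line shapes, fewer lines).
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Admin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256867822875
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
# "HKLM\..\Run: [name] command" is HijackThis's abbreviated form of the Run key.
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# Assumed allowlists for this example; tune them to the machine being reviewed.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.update.microsoft.com"}


def image_path(cmd):
    """Return the executable part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def parse_hjt(text):
    """Split a HijackThis log into the running-process list and per-section entry records."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        entry = {"section": sec, "raw": line}
        if sec == "O4":
            m4 = O4_RE.match(rest)
            if m4:
                entry.update(m4.groupdict())
                entry["image"] = image_path(m4.group("cmd"))
        elif sec == "O23" and rest.startswith("Service: "):
            name, owner, path = rest[len("Service: "):].split(" - ", 2)
            entry.update(name=name, owner=owner, image=path)
        elif sec == "O2" and rest.startswith("BHO: "):
            name, clsid, path = rest[len("BHO: "):].split(" - ", 2)
            entry.update(name=name, clsid=clsid, image=path)
        elif sec == "O16" and rest.startswith("DPF: "):
            ident, url = rest[len("DPF: "):].rsplit(" - ", 1)
            entry.update(name=ident, url=url)
        entries.append(entry)
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Apply review heuristics; returns (section, name, reason) tuples worth a closer look."""
    findings = []
    for proc in parsed["processes"]:
        if not proc.lower().startswith(TRUSTED_DIRS):
            findings.append(("process", proc, "running from outside the Windows/Program Files trees"))
    for e in parsed["entries"]:
        img = e.get("image")
        if e["section"] == "O4" and img and not ABS_PATH_RE.match(img):
            findings.append(("O4", e["name"], "autorun command is not an absolute path (PATH search at logon)"))
        elif e["section"] == "O23" and e.get("owner") == "Unknown owner":
            findings.append(("O23", e["name"], "service carries no vendor/owner information"))
        elif e["section"] == "O16" and urlsplit(e["url"]).hostname not in TRUSTED_DPF_HOSTS:
            findings.append(("O16", e["name"], "ActiveX download from a host outside the allowlist"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(parse_hjt(HJT_LOG)):
        print(f"[{section}] {name}: {reason}")
```

The parser deliberately keeps the raw line in every record, so a finding can always be traced back to the exact log line, and the heuristics are kept separate from parsing so a reviewer can add or drop checks without touching the format handling.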

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 3:30 am
by computerfreaker
Montagar wrote:
Tom T. wrote:Still hope Autoruns shows something.
Working on it.
Another idea - any unusual audio/video codecs on your computer?
Checking into that.
btw, you can use AutoRuns to see your audio/video codecs, too... (idk if you know that; if not, that'll save you some time)
Montagar wrote:
Tom T. wrote: But could you do packet monitoring with IE or Opera, and see if there is any difference under the identical circumstances on Fx?
Network traffic looks the same.
So innoshot is trying to connect over IE and Opera as well? How about Chrome?
Montagar wrote:
computerfreaker wrote:Tom, did you do any kind of deletion before the infection vanished? Cache-clearing? Registry editing? Anything????
I have FF set to clear everything when I close the browser.
I was asking Tom those questions to try and find some reason why his infection is gone while yours remains. ;)
Could be pertinent info, though... and probably is.
Montagar wrote:Here is the HijackThis file.
<snip>
It all looks clean to me... maybe Guardian or Tom will think differently, but it all looks normal. Just wondering, though, why are you running Google Update? (Probably a side topic rather than something relevant, but still......)

Thanks for the HJT log, it cleans up a lot of the problem by eliminating a lot of possibilities...

Montagar, when you said you unplugged the network cable from the computer but the innoshot script still tried to run, I assume your computer was totally isolated? No LAN connections to other computers? No wireless connection? No dialup or other wired connection? No connection of any kind?

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 4:02 am
by Tom T.
CF @ OP: It's possible, just barely, that some of your search engine plugins were hacked...
But I *don't have* any search engine plugins. In fact, the entire Search plugin folder was deleted. I just bookmark Scroogle, adding safety at the cost of two clicks. So even if it's a possible vector, it's not a commonality between Montagar and me.
* Infection arrives
* Montagar notices, posts
* Tom T. notices Montagar's posts, notices malware
* Tom T. disables addons, restarts
* Sandbox destroys malware
* Tom T. re-enables addons, restarts
* Tom T. notices malware's gone
But where did it come from? Keeping in mind that I never use any of those search engines ... and it would have to have arrived *in that session*, since I'd probably already closed/restarted SB and FX (fill in the blank) times that day already.

I should have documented it at the time, but IIRC, I probably closed the browser and reproduced it after re-opening a few more times *that day*. I can't swear to that, but one strong hook is that http://www.yahoo.com is blocked in my Hosts file to stop the annoying redirects when logging out of their mail, so I probably would have shut down the browser to edit Hosts to allow yahoo for the test. Maybe not, though, in which case, yeah, it got into the sandbox somehow, but only *once*.

Then why would it not show up the next day, if it's capable of re-infecting? If it isn't, why does Monty (hey, I feel like we're old friends by now :) ) still have it?

Not trying to be difficult, and I know you're trying hard and brainstorming well, but just agreeing on how hard it is to find any plausible scenario.
CF @ Mont.: why are you running Google Update? (Probably a side topic rather than something relevant, but still......)
Agree it's scary, given Google's horrendous privacy record. But I don't run it, so it's eliminated as a *common* vector. (There could be more than one, of course.)
CF: I'm scraping the bottom of the barrel right now...)
The real bottom: Back up all of your data, app installers, Fx profile, etc.
Nuke the drive clean with something like Darik's Boot and Nuke.
Re-install from either Win disk or (more common) OEM "recovery" disk.
Fresh install of AV and firewall.
Fresh Fx reinstall from Mozilla.
Fresh NS install.
Try to reproduce.
If unable, add back *fresh install* of all extensions, plugins, etc. one at a time, trying to reproduce after each.
If still unable, add back other apps one at a time, run them, try to reproduce.
If still not, add back non-dangerous data (.txt files), then any potentially dangerous data (video/audio/image, Word, pdf, and all the other stuff that now can run executables, etc.), periodically checking for issue.
If reinstall is complete and problem has disappeared, you're good. But if curious (and especially if you have full-disk-image-backup sw like Norton Ghost, Acronis, etc.), you could try substituting the old Fx extensions, etc. one at a time, to see if reproducible.

But at this point, since no one else has reported it, you might be happy just to know you have a clean machine.

Edit: Whoops, missed one:
CF: Montagar, when you said you unplugged the network cable from the computer but the innoshot script still tried to run, I assume your computer was totally isolated? No LAN connections to other computers? No wireless connection? No dialup or other wired connection? No connection of any kind?
I was on a wireless laptop with nothing else on the WPA-2 secure home LAN except a printer/scanner.

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 9:27 pm
by computerfreaker
Tom T. wrote:
CF @ OP: It's possible, just barely, that some of your search engine plugins were hacked...
But I *don't have* any search engine plugins. In fact, the entire Search plugin folder was deleted. I just bookmark Scroogle, adding safety at the cost of two clicks. So even if it's a possible vector, it's not a commonality between Montagar and me.
*Headache develops*
Tom T. wrote:
* Infection arrives
* Montagar notices, posts
* Tom T. notices Montagar's posts, notices malware
* Tom T. disables addons, restarts
* Sandbox destroys malware
* Tom T. re-enables addons, restarts
* Tom T. notices malware's gone
But where did it come from? Keeping in mind that I never use any of those search engines ... and it would have to have arrived *in that session*, since I'd probably already closed/restarted SB and FX (fill in the blank) times that day already.
*Headache gets worse*
Wait a moment, wait a moment...
You said you haven't installed anything recently, but you also said you never use Google so you wouldn't have noticed but for Montagar's post. Is it possible this thing piggybacked on another install, sometime, anytime in the past?
Tom T. wrote:I should have documented it at the time, but IIRC, I probably closed the browser and reproduced it after re-opening a few more times *that day*. I can't swear to that, but one strong hook is that http://www.yahoo.com is blocked in my Hosts file to stop the annoying redirects when logging out of their mail, so I probably would have shut down the browser to edit Hosts to allow yahoo for the test. Maybe not, though, in which case, yeah, it got into the sandbox somehow, but only *once*.
THAT'S IT!
Maybe I'm just tired today, but this seems plausible...
* Tom T. installs something, infection piggybacks on it (yes, even a legit app - I recall reading about a Fx addon that was accidentally shipped with a virus (!) and 30,000 people downloaded & installed it before anybody noticed)
* Malware somehow makes it into sandbox (shouldn't be hard to do, since the malware's coming from the PC - if addons can load through the Sandboxie session, why not a piece of malware? As long as it's on the HD, that shouldn't be difficult...)
* Montagar posts
* Tom T. goes to Google, notices malware
* Somehow, infection loses ability to get into the sandbox (maybe gets deleted when sandbox closes???? Not likely at all, but with this ghost, anything's possible)
Tom T. wrote:Then why would it not show up the next day, if it's capable of re-infecting? If it isn't, why does Monty (hey, I feel like we're old friends by now :) ) still have it?
The only thing I can think of is listed above... and Montagar's (yes, I feel like we've known each other for a long, long time too... stressful situations do that) infection stuck around because he didn't use Sandboxie.

I know there are probably flaws in that, but it's the best I can do ATM...
Tom T. wrote:Not trying to be difficult, and I know you're trying hard and brainstorming well, but just agreeing on how hard it is to find any plausible scenario.
I know you're not trying to be difficult, and it's actually really nice to cross off a few dozen possible vectors because they're not common vectors...
EDIT: oh no, oh no, oh no. What if (similar to what happened with Conficker) there doesn't need to be a common vector? Conficker spread through several different methods, why not this thing?
Tom T. wrote:
CF @ Mont.: why are you running Google Update? (Probably a side topic rather than something relevant, but still......)
Agree it's scary, given Google's horrendous privacy record. But I don't run it, so it's eliminated as a *common* vector. (There could be more than one, of course.)
Common vector eliminated, but maybe not totally... (see comment above)
Tom T. wrote:
CF: I'm scraping the bottom of the barrel right now...)
The real bottom: Back up all of your data, app installers, Fx profile, etc.
Nuke the drive clean with something like Darik's Boot and Nuke.
Re-install from either Win disk or (more common) OEM "recovery" disk.
Fresh install of AV and firewall.
Fresh Fx reinstall from Mozilla.
Fresh NS install.
Try to reproduce.
If unable, add back *fresh install* of all extensions, plugins, etc. one at a time, trying to reproduce after each.
If still unable, add back other apps one at a time, run them, try to reproduce.
If still not, add back non-dangerous data (.txt files), then any potentially dangerous data (video/audio/image, Word, pdf, and all the other stuff that now can run executables, etc.), periodically checking for issue.
If reinstall is complete and problem has disappeared, you're good. But if curious (and especially if you have full-disk-image-backup sw like Norton Ghost, Acronis, etc.), you could try substituting the old Fx extensions, etc. one at a time, to see if reproducible.

But at this point, since no one else has reported it, you might be happy just to know you have a clean machine.
yes, getting a clean machine could be the best possible scenario here... although I have to confess, I would like to know what this thing is and how it got onto the computer...
Tom T. wrote:Edit: Whoops, missed one:
CF: Montagar, when you said you unplugged the network cable from the computer but the innoshot script still tried to run, I assume your computer was totally isolated? No LAN connections to other computers? No wireless connection? No dialup or other wired connection? No connection of any kind?
I was on a wireless laptop with nothing else on the WPA-2 secure home LAN except a printer/scanner.
Well, let's see what Montagar says...

Re: Strange script tries to run when connection is down

Posted: Thu Nov 12, 2009 11:57 pm
by Tom T.
computerfreaker wrote:You said you haven't installed anything recently, but you also said you never use Google so you wouldn't have noticed but for Montagar's post. Is it possible this thing piggybacked on another install, sometime, anytime in the past?
Definitely. That thought had occurred to me, too -- that it could have been there a year and be there another year -- but if it's a local infection, why run *only* when a few sites are visited? ... Possible answer is to hook to only the most popular sites (why not Wikipedia, usually ranked around #6?), but since many users whitelist those sites, and "untrust" third parties like yieldmanager.com, it would make it more obvious when the usually-blue NS icon turns partly red.... ?

But it's true that since I don't use those sites, I wouldn't have noticed it but for OP. But with Google alone getting a million hits a minute, plus the hits at yahoo, etc. and probably at least ten million regular users of NoScript, how is it that no one else who has this has noticed and bothered to come here -- out of a pool of however many people installed the infected whatever? -- which we still haven't identified, as there aren't a lot of commonalities here.
* Tom T. installs something, infection piggybacks on it (yes, even a legit app - I recall reading about a Fx addon that was accidentally shipped with a virus (!) and 30,000 people downloaded & installed it before anybody noticed)
Certainly possible. One would hope that AV would have detected that. I scan all installers for viruses before installing. If it hides or morphs or whatever, the AV is supposed to provide real-time scanning at all times.
* Malware somehow makes it into sandbox (shouldn't be hard to do, since the malware's coming from the PC - if addons can load through the Sandboxie session, why not a piece of malware? As long as it's on the HD, that shouldn't be difficult...)
Oh, definitely not a problem for the malware, if it's inside Fx, a plug-in, or the small portion of the user reg hive cloned by SB for the session. SB allows apps to *read* from the HD as necessary, just not to *write* to it. But again, a session reads only what's needed to create the virtual browser and supporting items ... so we're back to figuring out where in the Fx/extension/plugin/reg hive world this thing is. *And* why it disappeared the next day, since if it were indeed on the HD, it should be cloned each time Fx is started.
* Montagar posts
* Tom T. goes to Google, notices malware
* Somehow, infection loses ability to get into the sandbox (maybe gets deleted when sandbox closes???? Not likely at all, but with this ghost, anything's possible)
See above. All I was doing, IIRC, was opening a browser, going to the search engines, coming here, and to Yahoo mail. If it got into the SB on any required clone, it's hard to see how it wouldn't be automatically cloned for the next session -- so it must have disappeared from the HD. ... which runs into the same brick wall: How?
Montagar, do you use Yahoo mail?
The only thing I can think of is listed above... and Montagar's (yes, I feel like we've known each other for a long, long time too... stressful situations do that) infection stuck around because he didn't use Sandboxie.
As said, I feel *fairly* certain that I would have opened/closed the browser (the shortcut is set up to automatically invoke SB at browser launch, and to auto-empty the SB at close) several times while reproducing it.

I'd like to know, too. I don't think Montagar has given us the final results of the Autoruns/codecs test. If they show nothing, it's up to him whether to pursue or clean the machine. .... *unless* ... he is willing to create a virtualized (safe) environment, via SB or the many other virtual solutions out there, *let the script run* while disconnected, then examine the contents of the sandbox for the results of letting it run. Post any unusual code that's found. Or if really willing, let it run while connected, and monitor the packets. NOTE: If I were to do this, I would *not* store passwords in Fx (I don't anyway, for safety reasons), as one function of the malware could well be to sniff such things. No other traffic or sensitive info loaded before or during the test.

Re: Strange script tries to run when connection is down

Posted: Fri Nov 13, 2009 2:43 am
by Montagar
No other network connections for me either.

I do not use Yahoo mail.

Still looking through the Autoruns info, but so far everything looks okay.

When I said that the network packet info looks the same with FF (NoScript enabled) and IE, it means that when I use IE to access http://www.google.com I do not see any attempts to contact the server that is contained in the innoshot script. This would indicate that the problem is located within FF because if it was external I would expect to see traffic generated by the script.

I would really like to find the culprit because it does not appear to be able to be found by Malwarebytes or anti-virus programs. So even if I do a clean install, there is no guarantee that it will not show up again.
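
The comparison Montagar describes, loading the same page in two browsers and checking whether one of them reaches an endpoint the other does not, is a differential check that is easy to make systematic. The Python below is an added example (not from the thread or from any tool named in it): it reads a per-process connection log in an assumed "<timestamp> <process> <proto> <host>:<port>" shape, groups endpoints by process, and reports what the suspect browser contacted that the baseline browser did not. The log lines are constructed for the example; the hostnames are those the thread names plus ordinary Google hosts, and keying on hostname rather than IP means the check still works when the machine is offline and only the DNS lookups (or failed connects) are visible.

```python
import re
from collections import defaultdict

# Constructed connection log: one line per outbound attempt while each browser
# loaded the Google front page. Assumed shape: "<date> <time> <process> <proto> <host>:<port>".
CONNECTION_LOG = """\
2009-11-12 03:10:01 firefox.exe TCP www.google.com:80
2009-11-12 03:10:01 firefox.exe TCP www.gstatic.com:80
2009-11-12 03:10:02 firefox.exe TCP innoshot.com:80
2009-11-12 03:12:40 iexplore.exe TCP www.google.com:80
2009-11-12 03:12:40 iexplore.exe TCP www.gstatic.com:80
2009-11-12 03:12:41 iexplore.exe TCP clients1.google.com:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proc>\S+) (?P<proto>\S+) (?P<host>[^:\s]+):(?P<port>\d+)$"
)


def hosts_by_process(log_text):
    """Map each process name to the set of host:port endpoints it tried to reach."""
    endpoints = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than aborting the comparison
            endpoints[m.group("proc")].add(f"{m.group('host')}:{m.group('port')}")
    return dict(endpoints)


def differential(endpoints, baseline_proc, suspect_proc):
    """Endpoints reached only by the suspect browser, only by the baseline, and by both,
    for the same user action. The 'only_suspect' set is the one that needs explaining."""
    base = endpoints.get(baseline_proc, set())
    susp = endpoints.get(suspect_proc, set())
    return {
        "only_suspect": sorted(susp - base),
        "only_baseline": sorted(base - susp),
        "shared": sorted(base & susp),
    }


if __name__ == "__main__":
    result = differential(hosts_by_process(CONNECTION_LOG), "iexplore.exe", "firefox.exe")
    for label, hosts in result.items():
        print(f"{label}: {', '.join(hosts) or '-'}")
```

Expect some noise on both sides, since every browser has its own update and telemetry hosts (the constructed clients1.google.com entry stands in for that), so repeat the page load a couple of times per browser and treat only endpoints that recur in the suspect set as leads; a single odd host that reproduces on every Firefox load and never in IE is exactly the pattern that points back inside the Firefox profile, extensions and plugins rather than at the network.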

Re: Strange script tries to run when connection is down

Posted: Fri Nov 13, 2009 3:44 am
by Tom T.
Montagar wrote:...I would really like to find the culprit because it does not appear to be able to be found by Malwarebytes or anti-virus programs. So even if I do a clean install, there is no guarantee that it will not show up again.
No argument there, although presumably it would have to be included in some Fx-related file. I'd like to know, too... and even more, I'd like to know how it disappeared for me the next day.

What you said above does seem to be eliminating things outside the Fx envelope. Do you have virtualization available, to try letting the script run while disconnected, then examine the contents of the sandbox? Sandboxie has a 30-day free trial (and you can keep using it for free if you're willing to put up with the nag screens). I know that there are others out there, and I'm not trying to tout it; it's just the one that I'm familiar with and comfortable with.

:idea: You haven't mentioned wireless, IIRC, so you just have a cable from machine to modem, right? What if the modem were disconnected from the internet, but the machine-to-modem cable were plugged in? ... Then you could let the script run and capture the packets leaving the machine, right? -- still sandboxed for safety, of course.

Since we're about to the bottom of the barrel, about all else I can think of ATM is the idea above of saving your present HD image, fresh reinstall everything, and if you can't catch it there, make another full-disk backup (so you don't have to do yet *another* full reinstall of everything), and substitute each of the older extension and plugin folders in turn (from your pre-reinstall backup), trying to make it show up again. Then if you identify the culprit, you would reinstall the "clean" image. Lengthy, I know... do you have full-disk-imaging sw? (Not a bad idea to have, anyway!) Cheers.

Re: Strange script tries to run when connection is down

Posted: Sun Nov 15, 2009 4:47 pm
by computerfreaker
Well, my time away from the forums gave me some new ideas...

#1. Montagar, Tom, where did you guys get your Firefox copies from? I've heard about malware sites that take full advantage of Fx's popularity to host "Firefox" - cracked, virus-laden versions of Firefox. Maybe one of you fell for that... not likely, but hey, anything's possible.

#2. Montagar, did you try accessing Google with Chrome or Safari? I can't imagine why a piece of malware would travel through Chrome or Safari and leave IE alone, but, once again, anything's possible...

#3. Has anybody managed to get some info about hxxp://innoshot.com (deliberately changed link protocol so nobody gets infected)? I tried to get some information on it, but nobody seems to know anything about it...

#4. Are your computer dates & times accurate? I've heard of viruses that self-destruct on a certain day - maybe this is one of those???

#5. Montagar, did you try running Fx Portable? (Don't recall, sorry)
If you did, did innoshot try to connect?

#6. Tom, after you noticed innoshot trying to run, did you change any firewall settings, move any files, etc.? Maybe, if you did, the script is getting blocked by a firewall or can't find the sandboxed browser anymore.

#7. Tom, did you reboot your system while you were hunting innoshot? Maybe the thing got destroyed on reboot...
Tom T. wrote:But with Google alone getting a million hits a minute, plus the hits at yahoo, etc. and probably at least ten million regular users of NoScript, how is it that no one else who has this has noticed and bothered to come here -- out of a pool of however many people installed the infected whatever? -- which we still haven't identified, as there aren't a lot of commonalities here.
More ideas there.

#1. Maybe this is some weird infection vector that very few people are vulnerable to.

#2. Maybe most NoScript users, being the privacy-conscious bunch we are :D, don't use Google - I know I personally use Scroogle, and maybe others do too.

#3. Maybe some NoScript users just turn it on and ignore it, or don't pay attention to the specific scripts NS is turning up. For example, I don't have Google whitelisted, so the whole NS icon is red while I'm on Google.com. I wouldn't notice an external script unless I had some reason to look for one...if it's a local infection, why run *only* when a few sites are visited? ...
Tom T. wrote:Possible answer is to hook to only the most popular sites (why not Wikipedia, usually ranked around #6?), but since many users whitelist those sites, and "untrust" third parties like yieldmanager.com, it would make it more obvious when the usually-blue NS icon turns partly red.... ?
Well, I think (hope) most users try to keep their whitelists as small as possible, for security's sake... see my comment above, some users might never notice the attempt to connect to innoshot...

Re: Strange script tries to run when connection is down

Posted: Sun Nov 15, 2009 5:32 pm
by Montagar
Here are the answers to your questions.
#1. Montagar, Tom, where did you guys get your Firefox copies from? I've heard about malware sites that take full advantage of Fx's popularity to host "Firefox" - cracked, virus-laden versions of Firefox. Maybe one of you fell for that... not likely, but hey, anything's possible.
I downloaded it via firefox.com
#2. Montagar, did you try accessing Google with Chrome or Safari? I can't imagine why a piece of malware would travel through Chrome or Safari and leave IE alone, but, once again, anything's possible...
Yes, it was clean as far as I can tell using packet sniffing.
#3. Has anybody managed to get some info about hxxp://innoshot.com (deliberately changed link protocol so nobody gets infected)? I tried to get some information on it, but nobody seems to know anything about it...
The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org".
#4. Are your computer dates & times accurate? I've heard of viruses that self-destruct on a certain day - maybe this is one of those???
Yes, they are accurate.
#5. Montagar, did you try running Fx Portable? (Don't recall, sorry)
If you did, did innoshot try to connect?
Yes, and it did attempt to run the suspect script, but there are many questions as to what Portable FF shares with a local installation, and I have not attempted to "remove" my local installation as of yet.

Re: Strange script tries to run when connection is down

Posted: Sun Nov 15, 2009 5:40 pm
by computerfreaker
Montagar wrote:Here are the answers to your questions.
#1. Montagar, Tom, where did you guys get your Firefox copies from? I've heard about malware sites that take full advantage of Fx's popularity to host "Firefox" - cracked, virus-laden versions of Firefox. Maybe one of you fell for that... not likely, but hey, anything's possible.
I downloaded it via firefox.com
Maybe now we're getting someplace. Mozilla.org is the place to get Firefox. While firefox.com currently redirects to mozilla.org, it might not have been that way awhile ago...
If you're feeling adventurous, try completely hosing your local Fx install (I mean completely hosing it, profile and all), downloading Firefox from Mozilla.org, and re-installing it, then see what happens.
Montagar wrote:
#2. Montagar, did you try accessing Google with Chrome or Safari? I can't imagine why a piece of malware would travel through Chrome or Safari and leave IE alone, but, once again, anything's possible...
Yes, it was clean as far as I can tell using packet sniffing.
One more reason why firefox.com seems important at this point - Chrome, Safari, IE, etc. wouldn't care about the local Fx install.
Montagar wrote:
#3. Has anybody managed to get some info about hxxp://innoshot.com (deliberately changed link protocol so nobody gets infected)? I tried to get some information on it, but nobody seems to know anything about it...
The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org".
Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!
Montagar wrote:
#4. Are your computer dates & times accurate? I've heard of viruses that self-destruct on a certain day - maybe this is one of those???
Yes, they are accurate.
OK
Montagar wrote:
#5. Montagar, did you try running Fx Portable? (Don't recall, sorry)
If you did, did innoshot try to connect?
Yes, and it did attempt to run the suspect script, but there are many questions as to what Portable FF shares with a local installation, and I have not attempted to "remove" my local installation as of yet.
Portable Fx shares plugins with a local install; AFAIK, that's it.

Re: Strange script tries to run when connection is down

Posted: Sun Nov 15, 2009 11:41 pm
by Tom T.
1) I've always gotten Fx from mozilla.org, although it now redirects to mozilla.com. Don't know if it's always been that way. I've never used firefox.com, AFAIK, unless possibly redirected there by MZ at some point in the past.

3) When I first connected there, it was written almost entirely in an Asian language, so I don't know anything about it. I've noticed some Scroogle links are in Cyrillic (Russian) alphabet.

4) Yes. But the discrepancy would now have to be more than two weeks for mine to have self-destructed and Montagar's not.

5) Yes, but only after it had disappeared. No issue on 3.5.3 Portable.

6) Not that I can remember.

7) Not during the day that I could reproduce it. I would have shut the machine off for the night and rebooted it the next day, when it disappeared. For some reason, some people leave their machine on 24/7 (waste of electricity!), so,

@ Montagar: Have you rebooted at any time since this first appeared?
If so, then it seems that would eliminate that possibility.
CF: #2. Maybe most NoScript users, being the privacy-conscious bunch we are :D, don't use Google - I know I personally use Scroogle, and maybe others do too.
IIRC, didn't you start using Scroogle only in the past few weeks? Agree that there's some percent of NS users who don't use Google, but it's surely not 100%. Also, the issue was reproduced at yahoo.com, which is a complete portal, not just a search engine. And to which you are redirected after logging out of any login Yahoo service. Surely some significant number of NS users would have been to Yahoo, either as a portal to their other services, or by being redirected there. Also, issue arose on ask.com, and *at first*, not at bing.com, but later, Montagar found it at bing.com, IIRC.
CF: I don't have Google whitelisted, so the whole NS icon is red while I'm on Google.com.
I have all of Google "untrusted", which has the same effect of turning the NS icon blue -- no scripts from Google are asking to run. (They show in Menu > Untrusted.) So a new third-party script, not yet in the Untrusted list, would indeed induce a color change in the NS logo.
if it's a local infection, why run *only* when a few sites are visited? ...
That would be easy enough for the programmer to accomplish. Possible motive -- large, popular sites. Infect as many as possible without splashing your malcode all over the Internet.
#1. Maybe this is some weird infection vector that very few people are vulnerable to.
But what is it that creates that vuln? Montagar and I seem to have not too much sw in common, other than Fx/NS.
Montagar wrote:The script that I am dealing with is slightly different from Tom's. The script I am dealing with attempts to connect to "innoshots.org".
computerfreaker wrote:Ah. NOW we're getting someplace - perhaps you and Tom had two different, although similar, infections!
Yes, I noticed that in my first reply to OP. I tried going to innoshots.org, and got a Forbidden error. (Montagar could try that -- with NS locked down, of course.) Innoshot.com is in fact a web site of some type, and that is the domain of the script that I saw. So yes, maybe they are slightly different malcodes, which might account for the fact that mine disappeared: for some reason, the .org variant is more persistent or better hidden.
Montagar wrote:Yes, and it did attempt to run the suspect script, but there are many questions as to what Portable FF shares with a local installation, and I have not attempted to "remove" my local installation as of yet.
CF wrote:Portable Fx shares plugins with a local install; AFAIK, that's it.
CF has dug pretty deeply into the documentation of the portable apps. Early in this thread, I noted that when I went to my Portable Fx, it was still using NS .11, whereas the native Fx had been updated to .14. So Portable does have its own Extensions folder and Profile folder, and plugins do seem to be the only thing shared with the local install.

Which more and more seems to narrow this to a plugin.

Re: Strange script tries to run when connection is down

Posted: Mon Nov 16, 2009 12:02 am
by GµårÐïåñ
It could be that you took some action as routine that took care of the issue but he has not so the issue persists. Unfortunately no way to really know what you did and what the differences are and so on.