Mon 16 Feb 2009
New Firefox Virus Causes Redirects to Adsites
Posted by Sindri under Web Tools
How to fix it, how to avoid it.
Vundo, Trojan.Vundo, Virtumonde, Virtumondo, MS Juan: these are the common names of a Trojan (spyware or malware) that is known to cause popups and advertising for rogue antispyware programs, and even performance degradation and denial of service with some websites, including Google and Facebook.
This annoying infection has been perplexing the security forums since January 2009. Answers seem to be scarce. Most detection software is not yet able to remove it. However, you can remove it manually, and luckily for you, I have found where this Trojan lives and will tell you exactly how to kill it. It isn’t hard. I will give you the steps. Nothing here will cost you anything. (The best malware programs are free anyway.)
Symptoms:
You are clicking on your search results and instead of going to the intended target, you are going everywhere else: Yahoo Hotjobs, fake anti-virus sites, second-rate search sites, or you are getting an Error 404 Page Not Found. You may also be seeing popups even though popups are blocked. You may also find Internet Explorer (iexplore.exe) running in your Task Manager as a background process, even though you have not opened it.
The bad news:
Chances are you have a virus and a Trojan, or several. These exploit a vulnerability in Java in order to write a small script into the Firefox folder which constantly redirects your search results to infected servers, which may in turn keep loading more and more junk onto your drives. Annoying for you, but profitable for the “black hat” script author, who is likely receiving affiliate marketing revenue from the traffic he is diverting to these advertising websites.
The good news:
Most of these redirect scripts are not likely to do harm to your data or to steal your personal info. This latest round just simply hijacks your search results making your life on the web miserable.
The short fix:
You will find this one living in the extensions folder of Firefox. What you need to do is find the offending file, delete or encrypt it, then replace it with a blank dummy file.
Here are the steps:
- Navigate to C:\Program Files\Mozilla Firefox\extensions and look for a folder whose name is a string of letters and digits in braces, created around the time you began having the problem. Something like “{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}”.
- Open the folder, and then open the folder called “chrome”, then “content”, and look for a file inside called overlay.xul (variants may have different names).
- Verify that it is the virus: the file will contain script that redirects your search results to other sites.
- If you have found the culprit, delete the file (or encrypt with Axcrypt which is reversible).
- Replace it with a blank text file with the same name and extension.
- Repeat the process – you may have multiple copies in multiple folders.
- Test: Go back to Google, try your search results again.
- If no redirects: Sing Hallelujah.
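As an added example (this is not code from the post, which gives the steps as a manual procedure), the following Python script automates the search in the short fix and the blank-file replacement. It lists GUID-named folders under the extensions directory that appeared after a date you give, reads any .xul file under chrome/content, and reports which redirect-style markers it saw so you can verify the file by eye before touching it; neutralize() then moves the file to a quarantine folder and leaves an empty file with the same name, exactly as the steps describe. The extensions path and folder layout come from the post; the function names, the marker list, the quarantine folder, and the sample tree built by build_sample_tree() are this example's own assumptions. One caveat the comment thread illustrates: a GUID-style folder name alone proves nothing, since {972ce4c6-7e08-4474-a285-3208198ce6fd} is Firefox's own default theme, which is why the script keys on creation date and the .xul contents rather than on the name.

```python
"""Scan a Firefox extensions directory for the kind of rogue extension the
post describes: a GUID-named folder, created after the trouble started,
whose chrome/content/ holds an overlay .xul script.

Added example, not part of the original post.  Layout follows the post;
function names, markers and the quarantine scheme are this example's own.
"""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Folder names like {BCB94CDD-5542-403F-9FB3-07D3DB1E9951}
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Strings a redirecting overlay tends to contain.  Legitimate overlays can
# contain them too, so treat a match as a triage hint, not a verdict.
SUSPICIOUS_MARKERS = ("location.href", "window.location", "setInterval", "eval(")

# Constructed sample of the behaviour the post describes (placeholder host).
SAMPLE_OVERLAY = """<?xml version="1.0"?>
<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script type="application/x-javascript">
    // constructed sample: send the page somewhere else
    window.location.href = "http://redirect.example.invalid/";
  </script>
</overlay>
"""


def created_after(path, since):
    """On Windows st_ctime is the creation time; on POSIX it is the inode
    change time, which still answers "did this appear recently?"."""
    return datetime.fromtimestamp(path.stat().st_ctime) >= since


def scan_extensions(ext_dir, since):
    """Return [(folder, xul_file, markers_found)] for every GUID folder newer
    than `since` (datetime or ISO string) that has a .xul under chrome/content.
    markers_found lists which SUSPICIOUS_MARKERS occur in that file."""
    if isinstance(since, str):
        since = datetime.fromisoformat(since)
    ext_dir = Path(ext_dir)
    hits = []
    if not ext_dir.is_dir():
        return hits
    for folder in sorted(ext_dir.iterdir()):
        if not folder.is_dir() or not GUID_DIR.match(folder.name):
            continue
        if not created_after(folder, since):
            continue
        content = folder / "chrome" / "content"
        if not content.is_dir():
            continue
        # The post names overlay.xul but notes variants use other names,
        # so every .xul under chrome/content is checked.
        for xul in sorted(content.glob("*.xul")):
            text = xul.read_text(errors="replace")
            found = [m for m in SUSPICIOUS_MARKERS if m in text]
            hits.append((folder, xul, found))
    return hits


def neutralize(xul_file, quarantine_dir):
    """The post's fix: move the offending file out of the way and leave an
    empty file with the same name so the extension loads nothing.  Moving
    rather than deleting keeps a copy for later analysis."""
    xul_file = Path(xul_file)
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    # Prefix with the extension folder name so copies from several folders
    # (the post says there may be more than one) do not collide.
    dest = quarantine_dir / f"{xul_file.parents[2].name}_{xul_file.name}"
    shutil.move(str(xul_file), str(dest))
    xul_file.write_text("")  # blank dummy file, as in the post
    return dest


def build_sample_tree(base=None):
    """Constructed sample tree: one rogue GUID folder, Firefox's own default
    theme folder (install.rdf only) and a non-GUID folder with an overlay."""
    root = Path(base) if base else Path(tempfile.mkdtemp(prefix="ffext_"))
    rogue = root / "{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}" / "chrome" / "content"
    rogue.mkdir(parents=True, exist_ok=True)
    (rogue / "overlay.xul").write_text(SAMPLE_OVERLAY)
    theme = root / "{972ce4c6-7e08-4474-a285-3208198ce6fd}"
    theme.mkdir(exist_ok=True)
    (theme / "install.rdf").write_text("<RDF/>")
    other = root / "notaguid" / "chrome" / "content"
    other.mkdir(parents=True, exist_ok=True)
    (other / "overlay.xul").write_text(SAMPLE_OVERLAY)
    return root


if __name__ == "__main__":
    import sys
    # Default is the post's path; pass a directory and an ISO date to override.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\Mozilla Firefox\extensions"
    since = sys.argv[2] if len(sys.argv) > 2 else "2009-01-01"
    for folder, xul, found in scan_extensions(target, since):
        print(f"{xul}: markers {found or 'none'} (folder {folder.name})")
```

Run it with no arguments on the machine in question to list candidates, then hand a confirmed file to neutralize() with a quarantine folder outside the Firefox directory. Because the default-theme folder has no chrome/content/*.xul and the non-GUID folder fails the name check, only the rogue folder is reported on the sample tree.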
The better fix:
What you will do here is the short fix listed above, plus you will also run several Malware programs, remove all old versions of Java and download the new Java. If that doesn’t cure your problem you may need to run some more serious software. Here are the steps:
- Do the “short fix” listed above.
- Remove old versions of Java by downloading JavaRa and unzipping it to your desktop.
- Double-click on JavaRa.exe to start the program and Click on Remove Older Versions.
- Download and install the latest version of Java (Most likely the first download you see here).
- Install Malwarebytes and SuperAntiSpyware
- Update them, run them, and delete all bad stuff.
- Shutdown, restart, run them again.
- If you are clean then test for redirects in Google.
- If no redirects: Sing Hallelujah.
If none of the above worked then you may need some expert guidance. Fortunately you can get this for free: register on a malware forum at one of the locations listed at the bottom of this post. All of these forums have rules for posting; read them and follow them! Do not follow advice given to others on any forums you may read. All advice is given based on detailed analysis of every individual system. Wait for an expert to evaluate your situation and provide you with specific advice. All of these forums will ask for a HijackThis (HJT) log. You can download HJT for free, and a short video explains how to use it.
Try these forums:
Sindri
Tags: Firefox, Malware, Vundo
Thank you so much for posting this! You have saved me much frustration and worry!
thank you so much, this has saved me a lot of agony.
Wow After looking and trying numerous so called fix I found something that actually worked the first time I tried it. Thanks a Million.
For me Firefox was popping up a window that said something like “congratulations you’re the winner for this website for this day” or “did you know that women staying at home made this much money.” I followed the short fix and found a file similar to the description. I deleted the file and so far I haven’t had the pop up again. Time will tell.
Hi
Disabling MySearch add-on seems to have worked for me. I don’t know if this is connected but Task Manager shows a process called Vlaria.exe (which doesn’t sound good) but I can find nothing at all on the net for this. Any idea what this is??
Thx.
Thank you SO much. This was a headache but “The Better Fix” got rid of it FINALLY after 2 weeks of trying everything else.
Let me explain to you what’s happening. It’s called DNS poisoning. An adserver gets attacked, redirected to a malware-installing site, and any page that has this ad on it will send you to it. And guess what? Firefox isn’t the only browser that displays ads. This happens on IE, on Safari, on Opera, anything that does not have an adblocker or good protection running.
You want to prevent it? here’s three handy steps:
1: Dump norton/mcafee/avg and get something that WORKS WORTH A DAMN. Avast, Avira, Microsoft Security Essentials. all free. All protect in realtime, 24/7.
2: adblock plus, use it.
3: Run the windows updates, they’re not automatic.
Hey “CompDoc”, this post is a year old. At that time nothing was effectively removing this problem. Besides that it was infecting computers with adblock, anti-spy, anti-virus, etc…
Works fine if you run the 2 malware and SUPERantispyware programs !
The first (Malware) found 3 items :
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
Then I ran the second (SuperAntiSpyware) and it found 1 item: Adware.Vundo variant (C:\WINDOWS\System32\PR19.DLL)
Regards
Ah, this sounds so good… I wish I had come across this website BEFORE I reformatted my computer lol
but i bookmarked it for next time
but does this mean that downloading firefox will bring more viruses than using IE?
Much thanks to the author of this helpful article. As an aside, I hope malware authors get as good (or bad) as they give.
I am having this problem. When I open Firefox, then processes, etc and get to the file that was created around the time I started having problems, I can’t go any further because I can’t open that file! It keeps saying “Windows cannot open this file. File : Install.rdf
Any idea on where to go from there? I asked it to use the web to open the file and it couldn’t do it. Sorry, I am not very computer tech literate so I don’t know all the lingo.
I too am having the same problem..,when i open the weird lettered file called {972ce4c6-7e08-4474-a285-3208198ce6fd}
all i see in the file is install.rdf…i really need help
im having the same problem. help
Thank you so much, Sindri! I’ve had this virus for months. I am not very computer savvy and did not know what to do. Today I googled “firefox virus” and found your solution. I just did the short fix and the problem is solved!
thank you thank you thank you thank you!!!! that was driving me crazy!!!
Wish I had found this when I caught the MS Juan virus, back in March 09. I managed to remove the infection manually (which also managed to disable Avast btw, thank goodness for Malwarebytes!!) but it seems it suffered some collateral damage, and now all browsers, iTunes, WMP etc etc cannot connect to the internet, and only Firefox will work, even when uninstalled/reinstalled.
It was a weird one too, I turned it off the night before with apparently nothing wrong with it (no pop-ups, slowdowns, unusual processes etc) and as soon as I turned it on the next day, I was getting popups, horrendous performance and so on. Was a strange one to say the least.
Anyway, had to get a new computer thanks to the little blighter. Curse you malware writers!!!
“Answers seem to be scarce” – indeed. Spent 5 hours trawling the internet for answers, found nothing. So had to figure it out myself. No anti-virus could have stopped it :/
thank you SO SO SO MUCH, you’re a saint!!!
The file extension I have is .rdf – when I tried making a dummy file it didn’t work.
I already have Malwarebytes on my computer but the program will not open. I installed SuperAntiSpyware but my computer is preventing that from running as well. I did uninstall Java and replace it with the latest update.
I’m not very computer literate, so any help would be greatly appreciated.
Yeah, I did this too but my computer crashed while installing the new Java. Now I can only work in safe mode.
i don’t understand what you mean when you say change file extension. how do i do that?
File extension is the part after the “.” as in “my-diary.doc” or “grocery-list.txt”. It is the “.doc” or “.txt”. Windows hides common file extensions by default. You can change this from any folder by going to “Tools”, “Folder options”, “view” and scroll to “Hide extensions for known file types” and make sure it is unchecked. Click OK. Now when you “rename” files, the extension is part of the name and you can change it easily. Does that help?
yes. thank you. i followed your instructions and at first the only thing that happened was that redirecting was less frequent, but after restarting firefox the search engines work perfectly. thanks for the help!
I had this problem as well!!!!! Mozilla Firefox was infected. I couldn’t even uninstall in Control Panel. I went to My Computer, C drive, and deleted the whole Firefox!!! Then ran Microsoft Security Essentials which is free. Easy fix!!!
Tried both the short and better fix on some malware similar to this, alas it didn’t work. I guess it uses a slightly different method or maybe is too new to be picked up by MalwareBytes or SuperAntiSpyware.
Curse malware writers! I hope they all develop an anal fissure and it gets infected and stuff!
I somehow got this virus, made my weblife living hell, searched the web for help and tried all sorts of solutions and nothing. Found your webpage, followed the instructions and am currently surfing happily. Thank you Sindri for sharing your know-how with the rest of us, it is very much appreciated
I also contracted this nasty bit of unfun. I just uninstalled Firefox and am using Opera for a while. It took me 5 days of trying everything under the sun until I found your post. I eventually began to suspect browser vulnerability….your post confirmed. THANKS!
Oh and Bob, am I to believe that Linux is totally immune from virus contraction? Please.
Thank you for following me on Twitter. I have read your pages with interest, esp. the spiritual material. I love your Pasternak quotation.
I am particularly intrigued by your small sculpture icon of the ‘?goddess’ with her hand to her ear: what, I wonder, is the origin of this piece?
So, basically you got all your fix ideas from a conglomeration of users from a MozillaZine thread . Good job on not giving props.
I do give you credit for putting it all together in one post and the time it took.
At least, if anything there is now your blog that will show up in a search and the Zine.
Thanks, I think?
If it was only that simple I wouldn’t have endured over a week of suffering without my computer. The reality is that I got most of my help for my infection from Spybot forums, but still, it just never would go away. I came to realize that at that time no one had this new Firefox virus pinned down. If there was any source that had all the pieces put together I never found it despite a great deal of searching. So I convinced Abram (of SpillSpace) to let me post it here. Sorry if the post seems cocky, I guess in the end, my “Eureka” fervor got the best of me.
Anyway, I hope the post helps others.
This didn’t work for me, even though I try it a few times. I did do every thing that was said up top, plus deleted Java dir, Firefox dir, reinstalled. Still didn’t fix it. The one and only thing that did fix it was this link. The last post on page 3 worked for me.
http://forums.spybot.info/showthread.php?t=45529&page=3
This should work for most, but not all, which is why I posted the forum links (including spybot).
I am assuming the step that helped you was the one that involved OTMoveIt3? Don’t use OTMoveIt without supervision. Its user manual is not publicly available for a reason. It is a powerful tool that can do a lot of unrecoverable damage if used improperly and should only be used under the supervision of an expert who has reviewed your individual system. But I am glad your system is clean
Good news!
Sindri
THANXXX
Who knew!
Actually the best fix would be to dump Windows and get Linux.