Mon 16 Feb 2009
New Firefox Virus Causes Redirects to Adsites
Posted by Sindri under Web Tools
How to fix it, how to avoid it.
Vundo, Trojan.Vundo, Virtumonde, Virtumondo, MS Juan: these are the common names of a Trojan (spyware or malware) that is known to cause popups and advertising for rogue antispyware programs, and even performance degradation and denial of service with some websites, including Google and Facebook.
This annoying infection has been perplexing the security forums since January 2009. Answers seem to be scarce. Most detection software is not yet able to remove it. However, you can remove it manually, and luckily for you, I have found where this Trojan lives and will tell you exactly how to kill it. It isn’t hard. I will give you the steps. Nothing here will cost you anything. (The best malware programs are free anyway.)
Symptoms:
You are clicking on your search results and, instead of going to the intended target, you are going everywhere else: Yahoo Hotjobs, fake anti-virus sites, second-rate search sites, or you are getting an Error 404 Page Not Found. You may also be seeing popups even though popups are blocked. You may also find Internet Explorer (iexplore.exe) running in your Task Manager as a background process, even though you have not opened it.
The bad news:
Chances are you have a virus and a Trojan, or several. These are exploiting a vulnerability in Java in order to write a small script into the Firefox folder which constantly redirects your search results to infected servers, which may in turn be constantly loading more and more crap onto your drives. Annoying for you, but profitable for the “black hat” script author, who is likely receiving affiliate marketing revenue from the traffic he is diverting to these advertising websites.
The good news:
Most of these redirect scripts are not likely to do harm to your data or to steal your personal info. This latest round just simply hijacks your search results making your life on the web miserable.
The short fix:
You will find this one living in the extensions folder of Firefox. What you need to do is find the offending file, delete or encrypt it, then replace it with a blank dummy file.
Here are the steps:
- Navigate to: C:\Program Files\Mozilla Firefox\extensions\ and look for a folder whose name is a string of letters and numbers, created around the time you began having the problem. Something like “{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}”.
- Open the folder, then open the folder called “chrome”, then “content”, and look for a file inside called overlay.xul (variants may have different names).
- Verify that it is the virus: open it and check whether it contains script that redirects your search results.
- If you have found the culprit, delete the file (or encrypt with Axcrypt which is reversible).
- Replace it with a blank text file with the same name and extension.
- Repeat the process – you may have multiple copies in multiple folders.
- Test: Go back to Google, try your search results again.
- If no redirects: Sing Hallelujah.
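Added example, not code from the post or from any tool it names: a small Python scanner that walks the extensions folder layout described in the steps above, flags overlay.xul files whose script rewrites `location` and names a search engine (my assumed indicators, not a signature from the post), and neutralises a hit by moving it aside and leaving the empty placeholder file the short fix calls for. The extension tree it scans is constructed test data; point `scan_extensions` at the real folder to use it.

```python
"""Added example (not code from the original post): scan a Firefox extensions
directory for chrome/content/*.xul overlays that look like the search-redirect
script above and neutralise hits as the short fix does. Assumed indicators
(mine): the overlay assigns to `location` and names a search-engine host."""
import os
import re
import shutil
import tempfile

# Both heuristics must match: a write to location/location.href (not ==)
# and a search-engine hostname somewhere in the overlay text.
LOCATION_WRITE = re.compile(r"\blocation(\.href)?\s*=(?!=)", re.I)
SEARCH_HOSTS = re.compile(r"google\.|yahoo\.|bing\.", re.I)

def looks_like_redirect_overlay(text: str) -> bool:
    """True when the overlay both rewrites location and names a search site."""
    return bool(LOCATION_WRITE.search(text)) and bool(SEARCH_HOSTS.search(text))

def scan_extensions(extensions_dir: str) -> list:
    """Return .xul files under <extension>/chrome/content matching the heuristic."""
    hits = []
    for ext in sorted(os.listdir(extensions_dir)):
        content = os.path.join(extensions_dir, ext, "chrome", "content")
        if not os.path.isdir(content):
            continue
        for name in sorted(os.listdir(content)):
            if name.lower().endswith(".xul"):
                path = os.path.join(content, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if looks_like_redirect_overlay(fh.read()):
                        hits.append(path)
    return hits

def neutralise(path: str) -> str:
    """Move the overlay aside and leave an empty file of the same name; returns the copy."""
    backup = path + ".quarantined"
    shutil.move(path, backup)
    open(path, "w").close()
    return backup

def build_sample(root: str) -> None:
    """Constructed extensions tree (not real IoCs): one benign add-on, one redirector."""
    for guid, body in (
        ("{benign-addon}", '<menuitem label="Hello"/>'),
        ("{constructed-guid-0000}",
         '<script>setInterval(function(){\n'
         ' if (content.location.href.indexOf("google.com/search") != -1)\n'
         '  content.location = "http://ads.invalid/go";}, 500);</script>'),
    ):
        content = os.path.join(root, guid, "chrome", "content")
        os.makedirs(content)
        with open(os.path.join(content, "overlay.xul"), "w") as fh:
            fh.write("<overlay>\n%s\n</overlay>\n" % body)

def demo() -> dict:
    """Scan a constructed tree in a temp dir, neutralise hits, then rescan."""
    root = tempfile.mkdtemp()
    build_sample(root)
    hits = scan_extensions(root)
    backups = [neutralise(p) for p in hits]
    return {"flagged": [os.path.relpath(p, root).split(os.sep)[0] for p in hits],
            "emptied": all(os.path.getsize(p) == 0 for p in hits),
            "backups_kept": all(os.path.exists(b) for b in backups),
            "remaining": scan_extensions(root)}
```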
The better fix:
What you will do here is the short fix listed above, plus you will also run several malware programs, remove all old versions of Java, and download the new Java. If that doesn’t cure your problem you may need to run some more serious software. Here are the steps:
- Do the “short fix” listed above.
- Remove old versions of Java by downloading JavaRa and unzipping it to your desktop.
- Double-click on JavaRa.exe to start the program and Click on Remove Older Versions.
- Download and install the latest version of Java (Most likely the first download you see here).
- Install Malwarebytes and SuperAntiSpyware
- Update them, run them, and delete all bad stuff.
- Shutdown, restart, run them again.
- If you are clean then test for redirects in Google.
- If no redirects: Sing Hallelujah.
If none of the above worked then you may need some expert guidance. Fortunately you can get this for free: Register on a Malware forum at one of the locations listed at the bottom of this post. All of these forums have rules for posting, read them and follow them! Do not follow advice given to others on any forums you may read. All advice is given based on detailed analysis of every individual system. Wait for an expert to evaluate your situation and provide you with specific advice. All of these forums will ask for a HJT Log. You can download HJT for free and watch a video about how to use it by clicking here.
Try these forums:
Sindri
73 Responses to “New Firefox Virus Causes Redirects to Adsites”
I never imagined how much information you could find on the internet on this!
Thank you for making it all simple to figure out
Had problem with right hand column adverts and some hyperlinks corrupted – each providing unsolicited links to external web sites. Java is not installed on the P.C. used. Uninstalling Firefox and re-installing has appeared to have resolved the problem.
With having so much content do you ever run into any issues of plagiarism or copyright infringement?
My website has a lot of completely unique content I’ve either created myself or outsourced but it appears a lot of it is popping it up all over the internet without my authorization. Do you know any solutions to help reduce content from being ripped off? I’d really appreciate it.
Sure, it happens. It is a problem coextensive with the advent of the net. And, if I were making my living from my content I would have to be concerned about it. But the purpose of my site is to point towards the mystery and beauty of the world around me, and not necessarily to promote myself (hence my anonymous status on this site). That said, I appreciate proper link-backs posted, but I won’t lose sleep over it when people don’t do so.
THANK YOU!
instructions for OTL most certainly are available: http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/
however, granted, only advanced users should attempt this.
NOT SURE BUT IT CONTINUES TO SAY I DON’T HAVE FIREFOX ETC.. NOT A COMPUTER WHIZ SO THIS IS NOT EASY TO EXPLAIN.. THERE SHOULD BE A PROGRAM WITHIN THAT PREVENTS THIS…
Where can I “navigate to” C:\Program Files\Mozilla Firefox\extensions? Is it on the “computer” or “documents” tab of my “start” menu?
Computer.
Assuming you have XP, click Start, My Computer, then the C drive.
Good Luck.
Thanks for the prompt reply-But when I go to that folder, it only has “components” and inside that folder, there is only a file that says “Scriptff.dll”
Thanks for your comments!
You may have a different virus/malware issue than the one addressed by this article. Make sure you are viewing any hidden files as well. This shows how: http://www.bleepingcomputer.com/tutorials/tutorial62.html#winxp
If all fails, you can re-install your last known backup of your partition. Make sure you back up your data folders first; you can re-install (copy/paste) them back after you re-install your archive.
Hi,
you can install Firefox 4 final too. After that all problems are gone forever.
The virus naturally is still resident but it’s no longer virulent.
The virus is very complex. If someone follows your removal steps it is still there, for it uses a polymorphic camouflage strategy together with a completely new file-hiding technique.
There is no virus tool that is at this time able to remove it.
Best regards
Axel Arnold Bangert – Herzogenrath 2011
Hi,
for those who only want an extremely simple (quick and dirty) stop of the symptoms:
RENAME:
Firefox.exe
TO (for example):
FIREFOX1111.exe
and the symptoms are gone. This is because the virus DLL is called by a “process_name” parameter, which is “firefox.exe”.
The virus itself does no spywork – it’s “only” an illegal (criminal) SEO tool.
Best regards
Yours sincerely
Axel Arnold Bangert – Herzogenrath 2011
Clever, I like this idea. A very quick and simple method to rid yourself of the annoyance. But simply changing the name to firefox1.exe may affect updates and may have to be repeated after updates.
Yes,
I know that, but where is the problem? You rename it and that’s it. Like I said, quick and dirty, perhaps you remember.
Thank you! This was incredibly helpful. I was getting ready to pull out my hair.
As a follow-up in case it’s useful to anyone else, after using the short fix, I ran two thorough scans with Spybot Search & Destroy and managed to remove Virtumonde, which was repeatedly loading a garbage .dll file it had installed in my C:\Windows folder.
Thanks again!
Hi,
for those who want an extremely simple, quick and dirty stop of the symptoms:
RENAME:
Firefox.exe
TO, for example:
FIREFOX1.exe
and the symptoms are gone. This is because the virus DLL calls the process name, which is firefox.exe.
The virus itself does no spywork; it’s “only” an illegal (criminal) SEO tool.
Best regards
Yours sincerely
Axel Arnold Bangert – Herzogenrath 2001
Clever! I like it. Changing the name to firefox1.exe may affect updates and may have to be repeated after updates. But as an instant solution to stop the annoyance, it is a very quick and simple method.
Used the search panel to look for overlay.xul on the C: drive. Found mine in Java, weird, but it fixed the problem. Replacing it with an empty file works a treat. Thanks!!! So happy.
Wow, got the same redirecting problem (Firefox -> Google -> advertising sites), but after doing everything recommended, still no fix here! I am going to have to use a different search engine, but maybe that is a good thing.
I could not find the overlay.xul file where you said it was. I searched my whole system and found two of them. I deleted both and that seems to have fixed it.
Yay!
Excellent, worked flawlessly! I recommend malware erasing software first, then you should be able to finish the job with the short fix.
Worked like a champ. Thanks for the tip.
I ran into this last night. I used Add/Remove to uninstall Firefox and then went to Program Files to see there was still a Firefox folder in there. When going to delete it, I received a message saying restricted. I also found the same in the temp folder in the sys32 folder. I rebooted to safe mode and deleted both temp and Firefox folders and the computer ran a little bit better. Upon reinstalling Firefox the issue was still persisting, so it looks like a full removal from the registry may need to be done as well.
I’m having this problem. I reformatted last week and then reinstalled Firefox and the same thing happened again. Emsisoft picked up a Win32 Trojan on 2 Sun Java files and removed them, but I’m still having the same problems. I’ve looked in Mozilla Firefox under C:\Program Files and I cannot find the “content” folder; I looked in chrome etc.
When I had this virus, I did the above fix, but the virus kept coming back. Turned out it was a rootkit virus. I used TDSS Killer, and that removed the rootkit virus permanently. It is a freeware program, and I make no guarantees it will work for you. In fact, there is always a chance it will mess up your registry. That said, it was the only thing that permanently got rid of the virus.
TDSS Killer just fixed mine too. Thanks a lot for the suggestion.
Thank you so much for posting this! You have saved me much frustration and worry!
thank you so much, this has saved me a lot of agony.
Wow After looking and trying numerous so called fix I found something that actually worked the first time I tried it. Thanks a Million.
For me Firefox was popping up a window that said something like “congratulations you’re the winner for this website for this day” or “did you know that women staying at home made this much money.” I followed the short fix and found a file similar to the description. I deleted the file and so far I haven’t had the pop up again. Time will tell.
Hi
Disabling MySearch add-on seems to have worked for me. I don’t know if this is connected but Task Manager shows a process called Vlaria.exe (which doesn’t sound good) but I can find nothing at all on the net for this. Any idea what this is??
Thx.
Thank you SO much. This was a headache but “The Better Fix” got rid of it FINALLY after 2 weeks of trying everything else.
Let me explain to you what’s happening. It’s called DNS poisoning. An adserver gets attacked, redirected to a malware-installing site, and any page that has this ad on it will send you to it. And guess what? Firefox isn’t the only browser that displays ads. This happens on IE, on Safari, on Opera, anything that does not have an adblocker or good protection running.
You want to prevent it? Here’s three handy steps:
1: Dump Norton/McAfee/AVG and get something that WORKS WORTH A DAMN. Avast, Avira, Microsoft Security Essentials. All free. All protect in realtime, 24/7.
2: adblock plus, use it.
3: Run the windows updates, they’re not automatic.
Hey “CompDoc”, this post is a year old. At that time nothing was effectively removing this problem. Besides that, it was infecting computers with adblock, anti-spy, anti-virus, etc…
Works fine if you run the 2 programs, Malwarebytes and SUPERAntiSpyware!
The first (Malwarebytes) found 3 items:
HKEY_CURRENT_USER\SOFTWARE\fcn (Rogue.Residue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kr_done1 (Malware.Trace) -> Quarantined and deleted successfully.
Then I ran the second (SuperAntiSpyware) and it found 1 item, Adware.Vundo variant (C:\WINDOWS\System32\PR19.DLL)
Regards
Thanks for the tip! Will check it out later. I’m always looking for new tools to add to my arsenal. Cheers, Boogie
Ah, this sounds so good… I wish I had come across this website BEFORE I reformatted my computer lol
but I bookmarked it for next time
but does this mean that downloading Firefox will bring more viruses than using IE?
Much thanks to the author of this helpful article. As an aside, I hope malware authors get as good (or bad) as they give.
I am having this problem. When I open Firefox, then processes, etc. and get to the file that was created around the time I started having problems, I can’t go any further because I can’t open that file! It keeps saying “Windows cannot open this file. File: Install.rdf”
Any idea on where to go from there? I asked it to use the web to open the file and it couldn’t do it. Sorry, I am not very computer tech literate so I don’t know all the lingo.
I too am having the same problem. When I open the weird lettered folder called {972ce4c6-7e08-4474-a285-3208198ce6fd}
all I see in the folder is install.rdf… I really need help
I’m having the same problem. Help
I, unfortunately, have the same problem. Am I doing something wrong or am I dealing with something different?
I’m hoping this site is still active *crosses fingers*
THANK YOU very much for all the help you’ve done for everybody!
Thank you so much, Sindri! I’ve had this virus for months. I am not very computer savvy and did not know what to do. Today I googled “firefox virus” and found your solution. I just did the short fix and the problem is solved!
thank you thank you thank you thank you!!!! that was driving me crazy!!!
Wish I had found this when I caught the MS Juan virus, back in March 09. I managed to remove the infection manually (which also managed to disable Avast btw, thank goodness for Malwarebytes!!) but it seems it suffered some collateral damage, and now all browsers, iTunes, WMP etc. cannot connect to the internet, and only Firefox will work, even when uninstalled/reinstalled.
It was a weird one too. I turned it off the night before with apparently nothing wrong with it (no pop-ups, slowdowns, unusual processes etc.) and as soon as I turned it on the next day, I was getting popups, horrendous performance and so on. Was a strange one to say the least.
Anyway, had to get a new computer thanks to the little blighter. Curse you malware writers!!!
“Answers seem to be scarce” – indeed. Spent 5 hours trawling the internet for answers, found nothing. So had to figure it out myself. No anti-virus could have stopped it :/
thank you SO SO SO MUCH, you’re a saint!!!
The file extension I have is .rdf – when I tried making a dummy file it didn’t work.
I already have Malwarebytes on my computer but the program will not open. I installed SuperAntiSpyware but my computer is preventing that from running as well. I did uninstall Java and replace it with the latest update.
I’m not very computer literate, so any help would be greatly appreciated.
Danielle,
boot into safe mode,
delete the dummy file and the other overlay files,
try to open malwarebytes
if not download it again and again until it works
Uninstall Java and keep it that way
If not, reinstall windows- it will fix your problem.
Yeah, I did this too but my computer crashed while installing the new Java. Now I can only work in safe mode.
I don’t understand what you mean when you say change file extension. How do I do that?
File extension is the part after the “.” as in “my-diary.doc” or “grocery-list.txt”. It is the “.doc” or “.txt”. Windows hides common file extensions by default. You can change this from any folder by going to “Tools”, “Folder options”, “view” and scroll to “Hide extensions for known file types” and make sure it is unchecked. Click OK. Now when you “rename” files, the extension is part of the name and you can change it easily. Does that help?
Yes, thank you. I followed your instructions and at first the only thing that happened was that the redirecting was less frequent, but after restarting Firefox the search engines work perfectly. Thanks for the help!
I had this problem as well!!!!! Mozilla Firefox was infected. I couldn’t even uninstall it in Control Panel. I went to My Computer, C drive, and deleted the whole Firefox folder!!! Then I ran Microsoft Security Essentials, which is free. Easy fix!!!
Tried both the short and better fix on some malware similar to this, alas it didn’t work. I guess it uses a slightly different method or maybe is too new to be picked up by MalwareBytes or SuperAntiSpyware.
Curse malware writers! I hope they all develop an anal fissure and it gets infected and stuff!
I somehow got this virus, it made my web life a living hell, I searched the web for help and tried all sorts of solutions and nothing. Found your webpage, followed the instructions and am currently surfing happily. Thank you Sindri for sharing your know-how with the rest of us; it is very much appreciated.
I also contracted this nasty bit of unfun. I just uninstalled Firefox and am using Opera for a while. It took me 5 days of trying everything under the sun until I found your post. I eventually began to suspect a browser vulnerability… your post confirmed it. THANKS!
Oh and Bob, am I to believe that Linux is totally immune from virus contraction? Please.
Thank you for following me on Twitter. I have read your pages with interest, esp. the spiritual material. I love your Pasternak quotation.
I am particularly intrigued by your small sculpture icon of the ‘?goddess’ with her hand to her ear: what, I wonder, is the origin of this piece?
So, basically you got all your fix ideas from a conglomeration of users from a MozillaZine thread . Good job on not giving props.
I do give you credit for putting it all together in one post and the time it took.
At least, if anything there is now your blog that will show up in a search and the Zine.
Thanks, I think?
If it was only that simple I wouldn’t have endured over a week of suffering without my computer. The reality is that I got most of my help for my infection from the Spybot forums, but still, it just never would go away. I came to realize that at that time no one had this new Firefox virus pinned down. If there was any source that had all the pieces put together I never found it despite a great deal of searching. So I convinced Abram (of SpillSpace) to let me post it here. Sorry if the post seems cocky; I guess in the end my “Eureka” fervor got the best of me.
Anyway, I hope the post helps others.
You’re being way too kind to a poster who is not.
Excellent job — it helped me.
This didn’t work for me, even though I tried it a few times. I did do everything that was said up top, plus deleted the Java dir and Firefox dir and reinstalled. Still didn’t fix it. The one and only thing that did fix it was this link. The last post on page 3 worked for me.
http://forums.spybot.info/showthread.php?t=45529&page=3
This should work for most, but not all, which is why I posted the forum links (including spybot).
I am assuming the step that helped you was the one that involved OTMoveIt3? Don’t use OTMoveIt without supervision. Its user manual is not publicly available for a reason. It is a powerful tool that can do a lot of unrecoverable damage if used improperly and should only be used under the supervision of an expert who has reviewed your individual system. But I am glad your system is clean 😉 Good news!
Sindri
THANXXX
Who knew!
Actually the best fix would be to dump Windows and get Linux.
Linux is fail