"clickfeedmanager.com" virus targets Firefox

DAVETROLL
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by DAVETROLL »

Thanks to thedeadjester and brian_o and their excellent description of how to remove this annoying virus, my computer's clean again. THANK YOU
Guest
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Guest »

The problem is that, after you delete the chrome/content/overlay.xul tree, then logout / login, the file and the redirects are back again.

So what's the real answer?
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: "clickfeedmanager.com" virus targets Firefox

Post by the-edmeister »

Guest wrote: The problem is that, after you delete the chrome/content/overlay.xul tree, then logout / login, the file and the redirects are back again.

So what's the real answer?

Did you try what was posted here?
viewtopic.php?p=5714095#p5714095

.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
Guest
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Guest »

Hey the-edmeister

If you're referring to this:

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed Firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

then the answer is Yes. I clobbered the folder, rebooted or logged out / in again, and voila the folder is back and so are the luvly redirects.

Thanks for responding
Alan
KarenLK
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by KarenLK »

I've been annoyed by this nasty little virus for about a week now, so I'm glad to have found a way to stop it. Finally, when I killed the folder with the overlay.xul file, it stopped redirecting my Google search results in Firefox. I rebooted and checked again, and it hasn't respawned. If it does come back, I'm thinking of closing Firefox and replacing that folder (and the files within) with a dummy version of the overlay.xul file. This has worked on previous viruses. In Windows XP, this is what I'd do:

1. Create a new text file called overlay.xul.
2. Turn on the file extensions so you can delete the .txt extension. Windows will complain; ignore it.
3. You now have a 0 KB file called overlay.xul in the same position as the original, real virus.
4. Hopefully, the virus is stupid enough not to realize a dummy file has taken its place, and it will think it already replicated.
5. No more redirects, in theory.

Will try this if it respawns, and let you know what happens.
Guest
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Guest »

Nice call KarenLK

"the virus is stupid enough not to realize a dummy file has taken its place"

I gave your suggestion a go and it worked. This will do until the experts have a chance to release something that really deals with it.

Alan
GKO
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by GKO »

Heh. That was easy. Suck on that, you puny little script kiddy.
Thanks so much for your time rookie and dj
jpshortstuff
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by jpshortstuff »

Hi all,

I have updated the GooredFix removal tool to get this extension:
http://jpshortstuff.247fixes.com/GooredFix.exe

Hopefully that should identify (Option#1) and remove (Option#2) the infection for you.

Cheers,

-jpshortstuff
austinspace2
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by austinspace2 »

Thank you for this fix - works great! The extensions folder that I deleted did not come back after reboot. Presumably my past attempts at removing it removed the worm.

I can stop banging my head against the wall now !
wintercell
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by wintercell »

Yay that worked! How annoying, nothing I used detected it.
How does it install itself? clickfraudmanager.com and virusremover2008 were installed somehow at the same time
drrchrds
Posts: 3
Joined: February 15th, 2009, 7:25 am

Re: "clickfeedmanager.com" virus targets Firefox

Post by drrchrds »

THANK YOU THANK YOU!!!
This is the single most helpful forum I have found after a week of agony!

This worked for me:
1. Navigated to: C:\Program Files\Mozilla Firefox\extensions\{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}\chrome\content\overlay.xul
(Note: I had overlay.xul in 2 folders created within 1 min of each other and followed these steps for both)
2. Encrypted overlay.xul with AxCrypt (I did that so that I can render it useless but still be able to undo it if I am screwing something up)
3. Created a blank version of overlay.xul
Result: NO MORE REDIRECTS - even after restarting a couple times.

YET another problem continues so....
Question:
I contracted Trojan.Vundo.h at the same time these overlay.xul files were created, have any of you had that?
AND can anyone get rid of it? I have been on the spybot forum for a week following the advice of a "Security Warrior" and have run every "fix" under the sun.
After all that I still had redirects and Malwarebytes still finds Trojan.Vundo after I restart.
My spybot advisor concluded by saying "it is just a software problem because your computer is clean".
If I am clean why does Malwarebytes find a trojan?
Any Ideas out there?

Thanks!!!!!!!!!!!!!
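
The manual check described in this thread (find the GUID-named folder under the Firefox extensions directory whose chrome/content/overlay.xul was modified around the time the redirects began, and tell a blanked 0-byte placeholder from a live file), as an added Python sketch that is not part of any post or of GooredFix. The function names, the two-day window and the sample tree are assumptions constructed for illustration; legitimate add-ons can also ship an overlay.xul, so a hit is a triage lead, not a verdict.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Folder names in the thread look like {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}.
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
OVERLAY = os.path.join("chrome", "content", "overlay.xul")

def audit_extensions(ext_dir, suspect_date, window_days=2):
    """Return one record per GUID-named folder containing chrome/content/overlay.xul."""
    window = timedelta(days=window_days)  # assumed tolerance around the suspect date
    findings = []
    for name in sorted(os.listdir(ext_dir)):
        overlay = os.path.join(ext_dir, name, OVERLAY)
        if not (GUID_DIR.match(name) and os.path.isfile(overlay)):
            continue
        modified = datetime.fromtimestamp(os.path.getmtime(overlay))
        size = os.path.getsize(overlay)
        findings.append({
            "folder": name,
            "modified": modified,
            "size": size,
            # A 0-byte overlay.xul is the blank placeholder described in the thread.
            "placeholder": size == 0,
            "near_suspect_date": abs(modified - suspect_date) <= window,
        })
    return findings

def build_sample_tree(root, suspect_date):
    """Constructed sample data: one old add-on, one recent one, one blanked one."""
    samples = {
        "{11111111-1111-1111-1111-111111111111}": (b"<overlay/>", suspect_date - timedelta(days=200)),
        "{22222222-2222-2222-2222-222222222222}": (b"<overlay/>", suspect_date),
        "{33333333-3333-3333-3333-333333333333}": (b"", suspect_date + timedelta(minutes=1)),
    }
    for name, (data, when) in samples.items():
        path = os.path.join(root, name, OVERLAY)
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (when.timestamp(), when.timestamp()))
    os.makedirs(os.path.join(root, "not-a-guid"))  # skipped: not a GUID-named folder

if __name__ == "__main__":
    suspect = datetime(2009, 2, 8, 12, 0)  # constructed date, not taken from the thread
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, suspect)
        for finding in audit_extensions(root, suspect):
            print(finding)
```

On a real machine, `ext_dir` would be the C:\Program Files\Mozilla Firefox\extensions folder named in the posts, with Firefox closed. A folder that reappears after deletion points to something else on the system recreating it, which this script does not look for.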
Guest
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Guest »

Awesome! Like others I turned to the web after several days of frustration, and finally found my answer here. A gigantic THANKS to the posters here, especially thedeadjester, whose solution matched my problem.

My story: I was getting all sorts of web-related problems: my google searches in firefox were getting redirected, and IE kept popping up by itself with random websites. After doing lots of web searches, here's what I ended up doing:
1. Downloaded malwarebytes and ran it (http://www.malwarebytes.org/). I first did a quick scan and a complete scan. It found a bunch of viruses and killed them.

My IE problems disappeared, but I kept getting the Firefox google redirection (IE was fine, but I almost never use IE).

2. Turned off javascript in Firefox as a temporary workaround (redirections were suppressed).

3. Downloaded superantispyware and ran it (http://www.superantispyware.com/). It found a bunch more viruses and killed them, but this didn't fix my firefox problems.
4. Downloaded spybot (http://www.safer-networking.org/en/index.html). It found more viruses and killed them, but this didn't fix my firefox problems.

Presumably I could have kept downloading more antivirus software and finding more viruses, but at this point I think the problem was not a resident virus but just traces left by a previous virus.

5. Followed the steps in this forum (deleted the offending folder in C:\Program Files\Mozilla Firefox\extensions\). Turned firefox back on, turned javascript back on, and it seems to be back to normal! After several restarts, the offending folder hasn't reappeared.


To those who deleted the folders only to have them reappear, perhaps you need to clean your computer of viruses first.

Again, thanks so much!
acemackenzi
Posts: 15
Joined: January 31st, 2009, 11:10 am
Location: 49.0802 by -94.9576

Re: "clickfeedmanager.com" virus targets Firefox

Post by acemackenzi »

I also have this same problem. Except I have no overlay xul file in firefox. So what is my solution?
A smart man thinks long and hard first, then speaks careful words second
drrchrds
Posts: 3
Joined: February 15th, 2009, 7:25 am

Re: "clickfeedmanager.com" virus targets Firefox

Post by drrchrds »

acemackenzi wrote: I also have this same problem. Except I have no overlay xul file in firefox. So what is my solution?
Ace,
First try disabling Java in your browser, does the problem go away? If no then you have something different.
If yes, then if I were you I would look for the same or similar script in the same basic places, but perhaps under a different name.
If you know roughly when you contracted the problem, look for a folder in C:\Program Files\Mozilla Firefox\extensions which was created about that time.
Good Luck.
Locked