"clickfeedmanager.com" virus targets Firefox

[Guest]

we have got porn and casino sites popping uip in Firefox randomly (but not IE). This is happening on both PC's on our network, and we have both found a file called ipvvmp.exe in several folders all over our computers. We have removed this file, but can't seem to detect any adware, virus or anything else. We have tried everything but cannot seem to get rid of the pop ups. Is this the same thing that is happening here?

[maheshjr2000]

It took a DAY for you guys to identify, isolate, and provide a fix. I am soooo out geeked here.

[Guest]

I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date your noticed firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process

This worked perfectly! Thank you!

In addition: if you know any programming you could probably see that main.js is doing something funny as it starts with listing different search engines.

Just for the Google-hits: webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com, webrelevantsearch.com (yea, that's the one that popped up first in my list, the second one looked OK but was redirected)

Again; thank you!

[Guest]

You guys rock. I thought I was going to have to start using IE again! Thanks!

[tgmorris]

I had just cleared up this problem using GooredFix on my work PC after searching 2 days for a solution. Last night my personal PC got hit but GooredFix can't find anything wrong. The symptom is slightly different in that the redirects are all using "http://www.google.com/url" to get passed along. Turning off Javascript kills the redirect but isn't a permanent solution.

Suggestions?

[LoudNoise]

Daifne's list of Malware removers/suggestions

Install and run these programs.
Malwarebytes' Anti-Malware
SuperAntispyware
AdAware
Spybot Search & Destroy

If these don't find it or can't clear it, post in one of these forums for specialized malware removal help:
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://www.spywareinfoforum.com/

[tgmorris]

Daifne's list of Malware removers/suggestions

Install and run these programs.
Malwarebytes' Anti-Malware
SuperAntispyware
AdAware
Spybot Search & Destroy

If these don't find it or can't clear it, post in one of these forums for specialized malware removal help:
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://www.spywareinfoforum.com/

Thanks.

I'd already done some of those and the remaining came up empty. I also manually poked around all the extension folders I could find and came away with nothing useful so I backed up my bookmarks and did a total uninstall of FF. The reinstall went cleanly and the problem is gone - for now.

[cdunn16]

I tried a search and nothing came up with overlay.xul. I have several files starting with {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}. I have deleted the two most recent dates. However I still get redirected to Coupon Mountain. I downloaded GooredFix, tried following the prompts but it would not let me slect 1 or 2. It did identify these CARREFAC folders. Should I delete all these files, which goes back to 2007? Any suggestions?

[TT13TP]

I couldnt find it in your posted directory but i found the file here

C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome\content

[San4x]

I couldnt find it in your posted directory but i found the file here

C:\Program Files\Java\jre6\lib\deploy\jqs\ff\chrome\content

I found overlay.xul in that same directory.
The content of that file may be valid, no idea:

Code: Select all

<?xml version="1.0"?>
<overlay id="jqs-overlay"
         xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
  <script src="overlay.js"/>
</overlay>

I also found two chrome {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} files in my plugins folder, with ffjcext.xul in them. I deleted them both. Tested Google and this seems to work. Perhaps a name change?

[so lost]

where in the hell do i find program files! HELP!!!!

[Guest]

Hello, I believe the same problem has been popping up again. If anyone has suggestions how to solve it, thank you so much!

it seems to be different from before.. the GooRedFix does not work, and there's only one extention file for me. Anyone suggestions?

[heralchemy]

the Scour redirect seems to return after a while after using comobofix and gooredfix... this is driving my NUTS NUTS NUTS

[digital-root]

In my case, the problem really stopped after having also deleted all the ffjcext.zip files - I found 3 times in the java folders - ie located in: C:\Program Files\Java\jdk1.6.0_20\jre\lib\deploy.

All gone now - hooray!

[stall_out]

I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date your noticed firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process

Wow this works great. I can't believe all the crap I went through with hijack/malawarebytes etc etc and this cured it. THANKS