MozillaZine

Updated Firefox, got a nasty extension

User Help for Mozilla Firefox
GeorgeFive
 
Posts: 159
Joined: May 1st, 2004, 6:44 am

Post Posted November 14th, 2008, 4:54 pm

Last night, I got the notification that there was a new version of Firefox available, so I updated. After it had installed and I restarted, I noticed that the add-ons box popped up and it said that a new add-on had been installed, but I didn't actually see anything new (and during the post-install "checking for updates", none of my installed add-ons had updates). So, I figured it was a system setting or something along those lines and forgot about it... until I did a Google search.

http://www.malwarebytes.org/forums/inde ... topic=7467

In case that thread dies or you don't feel like clicking: the first result of every Google and Yahoo search changed to a malware site called goored.com. I assume it's related to the above "new add-on" message, as (if you click the above link) you'll see that removing a certain folder fixes it.

Anyone else seen this? Any ideas as to whether it's related to the new version or an extension gone bad? Pure coincidence that it happened right after I updated?

Virus scan - nothing.
Spyware scan - a few results, but nothing related (at least, the problem wasn't fixed after removing them)

My installed add-ons:
Adblock Plus
Adsense Notifier
Download Statusbar
FireGPG (installed but disabled)
Forecastfox
Foxmarks Bookmark Synchronizer
Greasemonkey
IE Tab
Live HTTP Headers
SQLite Manager (installed but disabled)

Themes:
Default

Plugins:
Adobe Acrobat
IE Tab Plug-in
Java(TM) Platform SE 6 U7
Microsoft(R) DRM
Microsoft(R) DRM
Microsoft(R) Windows Media Player Firefox Plugin
Mozilla Default Plug-in
QuickTime Plug-in 7.5 (861)
RealJukebox NS Plugin
RealOne Player Version Plugin
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit)
Shockwave Flash
Shockwave for Director
Silverlight Plug-In
Windows Media Player Plug-in Dynamic Link Library

Frank Lion

Posts: 17441
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist... United Kingdom

Post Posted November 14th, 2008, 5:07 pm

GeorgeFive wrote: I assume it's related to the above "new add-on" message, as (if you click the above link) you'll see that removing a certain folder fixes it.

Fixes what? What 'nasty extension' symptoms did you have? You make no mention of getting any redirection.
Metal Lion latest Firefox Themes -Tiger SP, Tiger, Graphite, Australis
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)

GeorgeFive
 
Posts: 159
Joined: May 1st, 2004, 6:44 am

Post Posted November 14th, 2008, 5:16 pm

Sorry, I didn't think that rehashing that thread was necessary...

Anywho, let's say you search for something on Google or Yahoo (ask.com was mentioned as well, but I didn't try that). Let's also say that the first result for your search is http://www.mozilla.com. When you mouseover the link, you see http://www.mozilla.com in the status bar, but when you click it, you go to something like...

http //123.goored.com/url=http://www.mozilla.com

...which Google picks up as a malware site (Yahoo seems to redirect you to any number of spam sites).

steviex
Moderator

Posts: 28902
Joined: August 12th, 2006, 8:27 am
Location: Middle England

Post Posted November 14th, 2008, 5:18 pm

I am breaking the links in your above posts, to protect the unwary....

Try using ALL the programs here... It sounds like you have already picked up some infections... The problem might not be picked up by the program you have used, but might get caught by one of these.

I DO suggest you go to one of these forums for more help...

It is also possible that you might have a spyware infection on your machine. Install and run these programs.
SuperAntispyware
AdAware
Spybot Search & Destroy
Malwarebytes' Anti-Malware


If these don't find it or can't clear it, post in one of these forums for specialized malware removal help:
http://castlecops.com/
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://forums.spywareinfo.com/ http://www.spywareinfoforum.com/

(Thanks to Daifne for the list)
Last edited by steviex on December 14th, 2008, 6:47 pm, edited 1 time in total.
Reason: Updated spywareinfo address based on Alice's post on the next page.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. -Albert Einstein

Please DO NOT PM me for support... Let's keep it on the board, so we can all learn.

Frank Lion

Posts: 17441
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist... United Kingdom

Post Posted November 14th, 2008, 5:24 pm

GeorgeFive wrote:Sorry, I didn't think that rehashing that thread was necessary...

I have read the other thread and the related GoogleGroup link.

I am trying to establish if you personally have experienced redirection of your searches or if you are assuming so based on reading those threads and the fact that you received a 'New Addon Installed' message.

GeorgeFive
 
Posts: 159
Joined: May 1st, 2004, 6:44 am

Post Posted November 14th, 2008, 5:29 pm

I've already got it fixed... as mentioned on the first link, you need to delete the folder:

Documents and Settings\(your name)\Local Settings\Application Data\{33238016-EFEB-43AA-8BCE-3CA12861EE79}

{33238016-EFEB-43AA-8BCE-3CA12861EE79} seems to be unique to each computer - mine was named {385E83C1-7EFE-491C-B303-2F462B11E491}. I still have these files if anyone wants to see them, just let me know and I'll upload somewhere.

You also need to delete the registry entry HKEY_LOCAL_MACHINE/SOFTWARE/Mozilla/Firefox

My main concern was that this spyware / malware / trojan / virus / whatever seemed to come through Firefox's upgrade process. Again, I'm not sure if it was the Firefox updater itself or an extension gone bad, but I got it after updating. Something related to Firefox pulled it down.

1) Got the "new version" notification
2) Updated Firefox
3) Restarted
4) "Checking for add-on updates"
5) "No updates found." -- "One new add-on installed"
6) No new add-ons seen.
7) Problem started here.

Alice

Posts: 2613
Joined: April 23rd, 2003, 11:47 am

Post Posted November 14th, 2008, 5:31 pm

GeorgeFive,

Sorry to hear about your problems with goored.com. As mentioned in the Google "Strange Behavior and Malicious Software: Strange pop-ups, toolbars, redirects, or results" help page linked from the other forum, you need to scan your system with a dedicated Spyware scanner. Steviex mentioned some good choices.

Firefox does make it possible for other software to install extensions via the Windows Registry. The registry key you mentioned, HKEY_LOCAL_MACHINE/SOFTWARE/Mozilla/Firefox can be used to automatically install a Firefox extension even by legitimate programs, which Firefox will pick up the next time it is run. For more information see
http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension
Last edited by Alice on November 14th, 2008, 5:32 pm, edited 1 time in total.
Alice Wyman

GeorgeFive
 
Posts: 159
Joined: May 1st, 2004, 6:44 am

Post Posted November 14th, 2008, 5:32 pm

Frank Lion wrote:I am trying to establish if you personally have experienced redirection of your searches or if you are assuming so based on reading those threads and the fact that you received a 'New Addon Installed' message.


Yep, I personally experienced this. I noticed that all redirects went through goored.com, I googled that address, found the link I posted in my initial post, fixed it, and came here to see if this was widespread or not. It's not entirely impossible that I picked it up somewhere else, but all signs point to it coming from either Firefox or an extension.

GeorgeFive
 
Posts: 159
Joined: May 1st, 2004, 6:44 am

Post Posted November 14th, 2008, 5:35 pm

Alice wrote:Firefox does make it possible for other software to install extensions via the Windows Registry. The registry key you mentioned, HKEY_LOCAL_MACHINE/SOFTWARE/Mozilla/Firefox can be used to automatically install a Firefox extension even by legitimate programs, which Firefox will pick up the next time it is run. For more information see
http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension


hrm... I assumed this registry entry was related to the problem, as the only entry inside pointed to the malware folder.

--------
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{385E83C1-7EFE-491C-B303-2F462B11E491}"="C:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\{385E83C1-7EFE-491C-B303-2F462B11E491}"
--------

The {385E83C1-7EFE-491C-B303-2F462B11E491} folder is where the malware was stored.

So, this is a legit entry? By default, what entries are stored in here?

steviex
Moderator

Posts: 28902
Joined: August 12th, 2006, 8:27 am
Location: Middle England

Post Posted November 14th, 2008, 5:39 pm

I do suggest you clean up your machine.... It could have been brought in by something else, but the Install was triggered by the update.
It could have been sitting dormant, waiting for the update to happen.

I suggest you THOROUGHLY cleanse your machine, then when Firefox 3.0.5 comes out in a month and a day, then you can see if it happens again....

GeorgeFive
 
Posts: 159
Joined: May 1st, 2004, 6:44 am

Post Posted November 14th, 2008, 6:17 pm

steviex wrote: Try using ALL the programs here... It sounds like you have already picked up some infections... The problem might not be picked up by the program you have used, but might get caught by one of these.

I DO suggest you go to one of these forums for more help...

It is also possible that you might have a spyware infection on your machine. Install and run these programs.
SuperAntispyware
AdAware
Spybot Search & Destroy
Malwarebytes' Anti-Malware


Do you (or anyone else here) have any experience with the Anti-Malware program? I already had AdAware and Spybot, but I went ahead and tried the Anti-Malware one just to check. It did find some suspicious files, but it also found some false positives... it says that EditPad is a Fake.Dropped.Malware (it's not, it's a fairly well-known text editor, and I redownloaded / rescanned to be sure), and it said that my c:\a folder is a Trojan.Agent (again, it's not - that's where I rip my music to, and I double-checked for hidden files - nothing). I'm a bit hesitant to rely on that one with 3/6 false positives...

mightyglydd

Posts: 7505
Joined: November 4th, 2006, 7:07 pm
Location: Hollywood Ca.

Post Posted November 14th, 2008, 7:05 pm

And what did SuperAntispyware find?
# KeepFightingMichael

Alice

Posts: 2613
Joined: April 23rd, 2003, 11:47 am

Post Posted November 15th, 2008, 8:01 am

GeorgeFive wrote:hrm... I assumed this registry entry was related to the problem, as the only entry inside pointed to the malware folder.

--------
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{385E83C1-7EFE-491C-B303-2F462B11E491}"="C:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\{385E83C1-7EFE-491C-B303-2F462B11E491}"
--------

The {385E83C1-7EFE-491C-B303-2F462B11E491} folder is where the malware was stored.

So, this is a legit entry? By default, what entries are stored in here?

The article, http://kb.mozillazine.org/Uninstalling_add-ons#Windows_Registry_extension explains that these registry keys CAN be used by legitimate programs:
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\

By default, nothing is stored in the Extensions keys. See the linked forum post, which says that the latest Java 6.0 Update 10 uses the HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\ key to install the Java Quick Starter extension in Firefox, and there are other legitimate programs that use these keys, which are referenced in the KB article.

I don't have any Extensions keys at either location (I don't have JRE 6 Update 10). My HKEY_CURRENT_USER\Software\Mozilla\Firefox\ only includes a Crash Reporter key and my HKEY_LOCAL_MACHINE\Software\Mozilla\ key doesn't include a "Firefox" key at all (only "Mozilla Firefox" keys).
Alice Wyman
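
An added example, not part of the thread and not Mozilla's code: a Python sketch that parses the text of a regedit export and lists every entry under the two Extensions keys named above, which is worth reviewing by hand because those keys are empty by default. The sample export is constructed from the entry GeorgeFive posted, and the function and constant names are hypothetical.

```python
import re

# The two registry locations named in the thread, lower-cased because
# registry key names are case-insensitive.
EXTENSION_KEYS = (
    r"hkey_local_machine\software\mozilla\firefox\extensions",
    r"hkey_current_user\software\mozilla\firefox\extensions",
)

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
# "name"="data" string values; inside the quotes .reg files escape \ and "
_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def registry_installed_extensions(reg_text):
    """Return (key, extension_id, folder_path) for each value under an Extensions key."""
    found, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            continue
        m = _VALUE.match(line)
        if m and current and current.lower() in EXTENSION_KEYS:
            found.append((current, _unescape(m.group("name")), _unescape(m.group("data"))))
    return found


# Constructed sample: the export posted in the thread plus an unrelated key and value.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{385E83C1-7EFE-491C-B303-2F462B11E491}"="C:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\{385E83C1-7EFE-491C-B303-2F462B11E491}"

[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Crash Reporter]
"ExampleValue"="1"
'''

if __name__ == "__main__":
    for key, ext_id, path in registry_installed_extensions(SAMPLE_EXPORT):
        print(f"{key}\n  id:   {ext_id}\n  path: {path}")
```

A real export saved from regedit is UTF-16 text, so read it with `open(path, encoding="utf-16")` before passing the contents in.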

Guest
Guest
 

Post Posted November 16th, 2008, 1:02 pm

Yes, this is happening to me also. The fix listed here works only until I reboot my computer. Once I reboot, the extension re-installs. This is very frustrating! I ran deep scans with both McAfee and AdAware and neither of them found anything.

Any ideas?

Guest
Guest
 

Post Posted November 16th, 2008, 1:06 pm

Oh, I forgot to mention that I also started in Safe mode and disabled all my extensions. I only run 3 of them: Download Helper 3.4, McAfee SiteAdvisor 26.6 and StumbleUpon 3.26. Then I rebooted and restarted FireFox and it again re-installed the unknown extension. Redirects from 1st Google result. Ok, any other ideas?
