Updated Firefox, got a nasty extension

GeorgeFive
Posts: 159
Joined: May 1st, 2004, 6:44 am

Re: Updated Firefox, got a nasty extension

Post by GeorgeFive »

Indeed all around... again, I have a little experience in this area ;)

Windows Updates - turned on and installed the day they come out
Acrobat Reader - up to date
Flash - up to date
Java - up to date
Quicktime - not installed
RealPlayer - not installed

I never use IE except for when I'm testing my own sites for compatibility, Firefox is obviously updated on the day patches are released, same with extensions, and of course, I don't install extensions from shady sites.
frustratedgal
Guest

Re: Updated Firefox, got a nasty extension

Post by frustratedgal »

I am having the same issue. Deleted the registry key and the file under C:\Documents and Settings\USERNAME\Local Settings\Application Data...but it hasn't worked. This sucks, running malwarebytes now, ran spybot, superantispyware, and avast...picked up nothing. Is there anything else you can recommend? I am not altogether computer savvy, so anything suggested, please explain to me in detail. Thank you so much in advance.
GeorgeFive
Posts: 159
Joined: May 1st, 2004, 6:44 am

Re: Updated Firefox, got a nasty extension

Post by GeorgeFive »

1) Close Firefox
2) Delete the registry key again
3) Delete the folder again
4) Let that Malwarebytes program finish its scan, remove the things it finds

For #4, make sure that the files it finds aren't legitimate files; for example, it told me that editpad.exe was a trojan, when in actuality, it's my text editor of choice. You'll probably see files with random file names (i.e., jdfnfwjk.exe)... those are the ones you want to remove.

Take care of that and you should be good to go.
majorhavok99
Guest

Re: Updated Firefox, got a nasty extension

Post by majorhavok99 »

Was there ever a solution to this problem? I too have a problem that every time I try to Yahoo or Hotbot search, when I click on the item I get sent to all sorts of odd pages. When I try to load any of the virus downloads listed, or the sites to discuss virus/malware, it goes nowhere except to an error. Avg.com is the same, as is Spybot Search and Destroy. Because of this AVG cannot update, nor can Spybot install, because they need to access their addresses. Has anyone come up with a solution to this, or am I going to have to re-install the entire computer?
GeorgeFive
Posts: 159
Joined: May 1st, 2004, 6:44 am

Re: Updated Firefox, got a nasty extension

Post by GeorgeFive »

Have you tried the steps in the post directly above yours?
Szalkow
Guest

Re: Updated Firefox, got a nasty extension

Post by Szalkow »

I've examined the contents of the folder in AppData with a none-too-experienced eye and have deduced that it contains a modified version of the old Mozilla Redirect and XUL support add-ons, as indicated by some of the manifest files and leftover author information (both add-ons were by the same author but were originally trusted and legitimate. Someone has apparently modified said add-ons for malicious purposes. Note that I have never installed these add-ons, and legitimately-installed versions do show up in add-ons). This folder, while deletable, reinstalls itself with a unique name after rebooting.

I fired up the regedit and located the Mozilla directory mentioned in other fixes, which instead of having the usual friendly Default entry had two entries with filepaths containing the same serial number formatting as our unfriendly folder in AppData. I've gotten rid of all but the Default entry for now, if the redirect garbage reinstalls itself I may try disabling the Default as well. Don't know if any of my amateur sleuthing has brought anything new to the table, but it might help.
naklefty
Guest

Re: Updated Firefox, got a nasty extension

Post by naklefty »

I have gotten the same goored redirect "extension" installed a couple of times, no clue where it's coming from... I delete the folder and hkey and it comes back after a couple days
GeorgeFive
Posts: 159
Joined: May 1st, 2004, 6:44 am

Re: Updated Firefox, got a nasty extension

Post by GeorgeFive »

Did you do the Malwarebytes step?
majorhavok99
Guest

Re: Updated Firefox, got a nasty extension

Post by majorhavok99 »

Well, all I can say is I tried these steps; the software that everyone claimed was the magic bullet locked the entire system up. AVG's support staff had the solution. Ran a program called qmer that found the program and sent the data to them, then ran a program to disable the driver, reset the computer and ran AVG's rootkit program; it ripped the entire thing out.
daTerminehtor
Posts: 379
Joined: November 9th, 2004, 12:11 pm
Location: Great White North

Re: Updated Firefox, got a nasty extension

Post by daTerminehtor »

majorhavok99 wrote: Well, all I can say is I tried these steps; the software that everyone claimed was the magic bullet locked the entire system up. AVG's support staff had the solution. Ran a program called qmer that found the program and sent the data to them, then ran a program to disable the driver, reset the computer and ran AVG's rootkit program; it ripped the entire thing out.


I see, so, you installed the rootkit... willingly (either by being click-happy or not), you run a system that allows a rootkit install, you run a system where a browser locks it up, and you hold Firefox accountable for this?

Really, as I've said many times, Firefox is NOT the be all to end all, it is simply the beginning and is not the cure for end user errors.
Katana_1970
Posts: 3
Joined: June 3rd, 2007, 8:25 am

Re: Updated Firefox, got a nasty extension

Post by Katana_1970 »

GeorgeFive wrote: I assumed this registry entry was related to the problem, as the only entry inside pointed to the malware folder.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{385E83C1-7EFE-491C-B303-2F462B11E491}"="C:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\{385E83C1-7EFE-491C-B303-2F462B11E491}"
--------

The {385E83C1-7EFE-491C-B303-2F462B11E491} folder is where the malware was stored.


Hi GeorgeFive,

I work on the malware forums, and there are a few people with this problem now.
If we can confirm that the file path is listed in the HKEY~\Extensions key, then we can get it added to the removal tools.
GeorgeFive
Posts: 159
Joined: May 1st, 2004, 6:44 am

Re: Updated Firefox, got a nasty extension

Post by GeorgeFive »

I'm not positive about this one, see this post:
viewtopic.php?p=4990635#p4990635

What I do know is that in my case, the malware was stored in the folder referenced:

C:\Documents and Settings\[my user name]\Local Settings\Application Data\{385E83C1-7EFE-491C-B303-2F462B11E491}

...and this was the only thing referenced in both:

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]
and
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
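
Added example, not part of any post in this thread: a triage script for a regedit export that lists values under a `Mozilla\Firefox\Extensions` key and flags the pattern described above (an extension path inside a user profile data directory whose folder name is a bare GUID). The two checks are heuristics chosen for this illustration, the second sample entry is constructed, and matching by key suffix is a generalization so that the same key under other hives is also covered.

```python
import re
from ntpath import basename, normpath  # Windows path rules on any OS

# Constructed sample: the first value is the entry quoted in the thread,
# the second is an invented benign entry for contrast.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions]
"{385E83C1-7EFE-491C-B303-2F462B11E491}"="C:\\Documents and Settings\\Windows XP\\Local Settings\\Application Data\\{385E83C1-7EFE-491C-B303-2F462B11E491}"
"example@vendor.invalid"="C:\\Program Files\\Example Vendor\\FirefoxExtension"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXT_KEY = re.compile(r'\\Mozilla\\Firefox\\Extensions$', re.I)
GUID = re.compile(r'^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
USER_DATA = re.compile(
    r'\\(Local Settings\\Application Data|AppData\\(Local|LocalLow|Roaming))\\', re.I)

def parse_extension_entries(reg_text):
    """Return (key, extension_id, path) for each value under an Extensions key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if (m := SECTION.match(line)):
            key = m.group(1)
        elif key and EXT_KEY.search(key) and (m := VALUE.match(line)):
            # .reg exports escape backslashes and quotes with a backslash
            ext_id, path = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            entries.append((key, ext_id, path))
    return entries

def suspicious_reasons(path):
    """Heuristic checks (assumptions of this example, not a vendor signature)."""
    reasons = []
    if USER_DATA.search(path):
        reasons.append('path is inside a user profile data directory')
    if GUID.match(basename(normpath(path))):
        reasons.append('folder name is a bare GUID')
    return reasons

def triage(reg_text):
    """Return (extension_id, path, reasons) for entries with at least one flag."""
    return [(ext_id, path, reasons)
            for _, ext_id, path in parse_extension_entries(reg_text)
            if (reasons := suspicious_reasons(path))]

if __name__ == '__main__':
    for ext_id, path, reasons in triage(SAMPLE_REG):
        print(ext_id, path, '; '.join(reasons), sep='\n  ')
```

A flagged entry is a lead to inspect, not a verdict: a hit only means the registry points Firefox at a folder that an unprivileged process could have written.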
Katana_1970
Posts: 3
Joined: June 3rd, 2007, 8:25 am

Re: Updated Firefox, got a nasty extension

Post by Katana_1970 »

Thanks for the quick reply George,

I'm helping one person with this problem, and I'm tracking another topic that has just started.
We'll soon see if we can use this to remove it.
cromag
Posts: 14
Joined: June 17th, 2007, 9:50 pm

Re: Updated Firefox, got a nasty extension

Post by cromag »

I would just like to report that I've got it too. I apparently picked it up during a virus attack I underwent last Thursday. I have Avast!, Spybot (with Teatimer running), Ad-Aware, and Malwarebytes Anti-Malware. Something still got past me. While I was trying to clamp down on the trojan reports from Avast! I got a Firefox Add-on update window. I'm sure I clicked on "no" (I really wasn't interested in updating right then) but it may have been a faked window and any click may have opened the door.

Right now all my scans with Avast!, Anti-Malware, Spybot, SUPERAntiSpyware, and others are showing "no infected files" but obviously something is still going on -- I'm still getting redirects. I also had a devil of a time trying to find this thread. I tried a google search on "goored redirect" and when I clicked on the mozillazine page result it sent me somewhere else. I finally got here by opening a cached page that linked here. After I confirmed it was relevant I logged on.

Which makes me worry about what might be going on that I don't know about.



Anyway, I'll be touching base.

Thanks.
Guest
Guest

Re: Updated Firefox, got a nasty extension

Post by Guest »

I am also getting the zfsearch thing. When I first got it, I had the accompanying goored redirect. I never found any of the files described (in this thread or otherwise) as being related to the trojan. Also, no suspicious HKEYs. However, HijackThis revealed a couple of suspicious-looking files which I deleted (took some creativity to do so). Since I've made these deletions I have yet to see goored, but I am still getting my searches filtered through zfsearch.com. Adaware, Spybot, and Malware Bytes are all showing a clean system.

Anyone have any general ideas?