Firefox Google Redirect Virus - SOLVED

October 16, 2012 at 08:45:25
Specs: Windows 7
Simple steps:
1. Get the Password Exporter add-on for Firefox by going to the Add-ons menu / Get Add-ons, etc.
2. Go to Add-ons and use Password Exporter to export your stuff.
3. Open Bookmarks / Show All Bookmarks and export your bookmarks.
4. Uninstall Firefox - everything, including personal data, etc. Then delete any lingering Mozilla Firefox folders in "Program Files" and "Users\<your name here>\AppData".
5. Reinstall Firefox.
6. Get the Password Exporter add-on again.
7. Import passwords, etc., using Password Exporter.
8. Import the bookmarks file from within the "Show All Bookmarks" menu.
9. Relax.
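Steps 2 through 4 of the procedure above, scripted for Windows 7 as an added example (this is not the original poster's method; the post uses the Password Exporter add-on and the bookmarks export dialog, while this script copies the raw profile files instead). The file names are an assumption about 2012-era Firefox: places.sqlite holds bookmarks and history, key3.db plus signons.sqlite hold saved passwords. The backup folder location and the -WhatIf switch are my choices. Close Firefox first, and run it from an elevated PowerShell prompt after the normal uninstaller has finished.

```powershell
# Added example, not from the original post. Back up the three Firefox data
# files worth keeping, then remove every Mozilla Firefox folder the uninstaller
# tends to leave behind. Assumed 2012-era file names: places.sqlite (bookmarks),
# key3.db + signons.sqlite (saved passwords).
param(
    [switch]$WhatIf   # preview only; nothing is deleted when set
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup   = Join-Path $env:USERPROFILE "Desktop\firefox-backup-$stamp"
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'

# 1. Copy only the data files we intend to restore. Copying the whole profile
#    would carry a tampered extension or a modified file straight back in.
$keep = 'places.sqlite', 'key3.db', 'signons.sqlite'
if (Test-Path $profiles) {
    foreach ($prof in Get-ChildItem $profiles | Where-Object { $_.PSIsContainer }) {
        $dest = Join-Path $backup $prof.Name
        New-Item -ItemType Directory -Path $dest -Force | Out-Null
        foreach ($f in $keep) {
            $src = Join-Path $prof.FullName $f
            if (Test-Path $src) { Copy-Item $src $dest }
        }
    }
    Write-Host "Profile data copied to $backup"
}

# 2. Folders to wipe after the normal uninstall has run: the install directory
#    (32- and 64-bit locations) and the roaming/local profile and cache folders.
$targets = @(
    (Join-Path $env:ProgramFiles 'Mozilla Firefox'),
    (Join-Path $env:APPDATA      'Mozilla'),
    (Join-Path $env:LOCALAPPDATA 'Mozilla')
)
if (${env:ProgramFiles(x86)}) {
    $targets += Join-Path ${env:ProgramFiles(x86)} 'Mozilla Firefox'
}

foreach ($t in $targets) {
    if (-not (Test-Path $t)) { continue }
    if ($WhatIf) { Write-Host "Would remove: $t"; continue }
    Remove-Item -Path $t -Recurse -Force -ErrorAction Continue
    Write-Host "Removed: $t"
}
```

Run it once with -WhatIf to see what would go. After reinstalling and starting Firefox once (so a fresh profile exists), close it again and copy the three files from the backup into the new profile folder; that restores bookmarks and saved passwords without bringing the rest of the old profile along.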



#1
October 16, 2012 at 15:27:06
Thx for info - someone might find it useful.

Always pop back and let us know the outcome - thanks



#2
October 16, 2012 at 15:46:12
Can you provide more detail about how you came to the conclusion that the system was clean by following these steps?

I only ask because I fail to see how this would remove the virus 100% as most infections that result in Google redirects hook into the WinSock stack via a hidden executable or system level driver, the removal of which this method does not address. This method also assumes that Firefox is the only browser installed and affected, while most infections would target both Firefox and IE as it is a native part of the OS.

IMHO, these instructions may mask the redirects by "removing" a component, add-in, or extension in Firefox that is causing the physical redirect symptoms, but the system would still be compromised until the underlying virus files are found and removed.

-----
IT Desktop & Network Consultant - MOS Master Certified, MCP, MCSA, MCITP - Windows 7, CCNA Certificate Pending, A+, Network +

::geek::
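The reply above lists the places a redirect can be wired in outside the browser (a Winsock hook, a hidden executable or driver) that a Firefox reinstall leaves untouched. The following read-only triage script is an added example, not something posted in this thread, and it checks the usual suspects on Windows 7: the hosts file, the DNS servers on each adapter, the WinINet proxy and PAC settings, Firefox's own proxy prefs, and the Winsock provider catalog. The list of "well-known" Microsoft Winsock providers and the hosts-file keyword list are my assumptions; anything the script prints is something to look at, not proof of infection.

```powershell
# Added example, not from the thread. Quick read-only triage for redirect
# mechanisms that live outside the browser. Run in PowerShell on Windows 7.
# The allowlists below are assumptions; treat every line printed as a lead.

function Test-HostsFile {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    # Any non-comment line that maps a search engine or a security vendor is suspect.
    $suspect = 'google|bing|yahoo|microsoft|malwarebytes|symantec|mcafee|kaspersky|avast'
    Get-Content $hosts |
        Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' } |
        Where-Object { $_ -match $suspect } |
        ForEach-Object { "HOSTS override: $_" }
}

function Test-DnsServers {
    # DNS servers you did not configure (and your router did not hand out) are a
    # classic way to redirect every browser on the machine at once.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $servers = $_.DNSServerSearchOrder
            if ($servers) { "DNS on '$($_.Description)': $($servers -join ', ')" }
        }
}

function Test-ProxySettings {
    # System (WinINet) proxy, used by IE and many other programs.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty $key
    if ($p.ProxyEnable -eq 1) { "WinINet proxy enabled: $($p.ProxyServer)" }
    if ($p.AutoConfigURL)     { "WinINet PAC script: $($p.AutoConfigURL)" }
}

function Test-FirefoxPrefs {
    # A redirect limited to Firefox is often a proxy or PAC URL written into
    # prefs.js or user.js rather than anything at the OS level.
    $profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (-not (Test-Path $profiles)) { return }
    Get-ChildItem $profiles -Include prefs.js, user.js -Recurse |
        Select-String -Pattern 'network\.proxy\.(type|http|autoconfig_url)' |
        ForEach-Object { "$($_.Filename): $($_.Line.Trim())" }
}

function Test-WinsockCatalog {
    # Layered Service Providers sit between every application and the network.
    # Print any provider that is not one of the stock Microsoft entries.
    $known = 'Microsoft|MSAFD|RSVP|mswsock\.dll|winrnr\.dll|nlaapi\.dll|napinsp\.dll|pnrpnsp\.dll|wshbth\.dll'
    & netsh winsock show catalog |
        Select-String -Pattern 'Provider Path|Description' |
        ForEach-Object { $_.Line.Trim() } |
        Where-Object { $_ -notmatch $known }
}

'== hosts ==';   Test-HostsFile
'== DNS ==';     Test-DnsServers
'== proxy ==';   Test-ProxySettings
'== Firefox =='; Test-FirefoxPrefs
'== Winsock =='; Test-WinsockCatalog
```

If the Winsock section shows a third-party DLL you cannot account for, note its path for the malware scanners, then run "netsh winsock reset" from an elevated prompt and reboot; that rebuilds the catalog without touching the DLL itself, so the file still has to be dealt with separately.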



#3
October 16, 2012 at 15:49:21
I'm just a victim of abuse trying to save others the pain :)
Just try this first before you install and run a full system scan by every app on the market. It worked for me after everything else failed.

IE was not affected - nothing found with MB, SBSD, KP T killer, combofix, etc., etc.

Firefox was compromised, nothing else that could be detected. If a problem arises, I'll post it. In the meantime, I'm no longer getting redirected at all.



#4
October 16, 2012 at 15:53:04
Yes, it would be worthwhile at least running your AV scans and the freebie MalwareBytes just to see if they unearth anything obvious lurking there.
http://www.filehippo.com/download_m...

EDIT:
We overlapped - I was posting this when you added more to #3 about what scans you had run.

Always pop back and let us know the outcome - thanks



#5
October 16, 2012 at 16:06:51
I should mention that at the time Firefox was compromised, I had the Java platform plugin enabled - which I think is the likely exploit here, where I believe a Firefox file was simply replaced, not actually infected - hence the inability of scanners to find a problem. Disable the Java platform until you need it at a trusted site - then turn it off again.


#6
October 16, 2012 at 16:44:46
Idjot,

That is likely the case. Both Java and PDF reader add-ins are a frequently exploited vector of infection since they can both provide access to virtual code assembly in memory, thereby bypassing a lot of active malware scanners due to Zero-day exploits and either encrypted or randomly mutating code.

If I may ask, were you using a user account with limited user rights when infected or did you have full admin privileges? I'm just wondering if it was stopped and forced to remain only in the Java cache/DPF or extension area due to being unable to proceed further into the OS.

-----
IT Desktop & Network Consultant - MOS Master Certified, MCP, MCSA, MCITP - Windows 7, CCNA Certificate Pending, A+, Network +

::geek::



#7
October 16, 2012 at 19:00:00
My user account has full admin rights - but I wasn't logged in as admin - not sure how deep my version of the plugin could play either way (SE 6 U29 6.0.290.11). Whatever you can tell me would be appreciated.

EDIT: To clarify, I was logged in with my regular user account that has full admin rights but I did not run firefox as admin.



#8
October 16, 2012 at 19:31:34
Idjot,

Running Firefox as admin would not be necessary to allow the infection to proceed deeper into the machine and the malware that is assembled in memory would be running with your user privileges as it would be started from within your user session.

Also, the Java plug-in that you are using is outdated. The latest Java version is 7 Update 9. This could have been why the infection was able to get in. There are known security vulnerabilities with older versions of Java and since Web Applets and other Java programs can request specific versions, it creates a perfect avenue for infection. I would recommend updating Java to the latest version and removing the older ones unless they are specifically needed for a program's operation.

This is definitely an odd case. I would say that you are lucky that it did not progress beyond Firefox. It's a shame that none of the scanners found the infected/modified file as I would have loved to find out what malware variant it was.

-----
IT Desktop & Network Consultant - MOS Master Certified, MCP, MCSA, MCITP - Windows 7, CCNA Certificate Pending, A+, Network +

::geek::
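The reply above recommends updating Java and removing the older runtimes that applets can still request. As an added example (not posted in the thread), the script below lists every Java runtime and JDK registered on a Windows 7 machine, both native and 32-bit-on-64-bit (Wow6432Node), and flags those older than a threshold, which defaults to the 7 Update 9 the reply names. The registry layout under HKLM\SOFTWARE\JavaSoft and the threshold value are assumptions; change the threshold as newer releases appear.

```powershell
# Added example, not from the thread. List registered Java runtimes/JDKs and
# flag those older than a given version. Assumes Oracle/Sun's registry layout:
# HKLM\SOFTWARE\JavaSoft\<Java Runtime Environment|Java Development Kit>\<ver>
# with a JavaHome value on each full-version subkey (e.g. "1.6.0_29").
param([string]$MinimumVersion = '1.7.0_09')   # 7 Update 9, as cited in the reply

function ConvertTo-JavaVersionKey([string]$v) {
    # "1.6.0_29" -> [version] 1.6.0.29 so that versions compare numerically.
    $m = [regex]::Match($v, '^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?')
    if (-not $m.Success) { return $null }
    $parts = 1..4 | ForEach-Object {
        if ($m.Groups[$_].Value) { [int]$m.Groups[$_].Value } else { 0 }
    }
    return New-Object Version ($parts -join '.')
}

function Get-InstalledJava {
    $roots = 'HKLM:\SOFTWARE\JavaSoft', 'HKLM:\SOFTWARE\Wow6432Node\JavaSoft'
    foreach ($root in $roots) {
        foreach ($kind in 'Java Runtime Environment', 'Java Development Kit') {
            $base = Join-Path $root $kind
            if (-not (Test-Path $base)) { continue }
            # Subkeys like "1.6" are pointers; the full "1.6.0_29" keys carry JavaHome.
            Get-ChildItem $base | Where-Object { $_.PSChildName -match '_' } | ForEach-Object {
                New-Object PSObject -Property @{
                    Version = $_.PSChildName
                    Kind    = $kind
                    Hive    = if ($root -match 'Wow6432Node') { 'Wow6432Node' } else { 'native' }
                    Home    = (Get-ItemProperty $_.PSPath).JavaHome
                }
            }
        }
    }
}

$min = ConvertTo-JavaVersionKey $MinimumVersion
foreach ($j in Get-InstalledJava) {
    $key = ConvertTo-JavaVersionKey $j.Version
    $status = if ($key -and $key -lt $min) { 'OUTDATED' } else { 'ok' }
    '{0,-9} {1,-10} {2,-12} {3,-25} {4}' -f $status, $j.Version, $j.Hive, $j.Kind, $j.Home
}
```

Each OUTDATED line corresponds to an entry in Programs and Features that can be uninstalled; the JavaHome path tells you which install directory it is. Keep an old runtime only if a specific program needs it, and in that case leave the browser plugin disabled as the earlier reply suggests.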



#9
October 16, 2012 at 20:47:24
Thanks SongCloud. I do feel lucky that it didn't spread (assuming it didn't that is).

I can't help but wonder if what I had was not even capable of getting outside of Firefox. If it could have - I could be in serious trouble with a completely undetectable bug running amok in my system. Only time will tell.

One more thing I should share with you. Around the time just before I noticed the redirects, there was a moment where I clicked a link from a search for color-changing paint (odd indeed) - Firefox suddenly restarted, just as it does when you enable/disable an add-on. I was perplexed for a moment because I knew that something weird must have just happened, but it wasn't until the next time I googled something that I noticed anything was actually wrong.

Running Firefox w/o add-ons did not help - and there were no new files - hidden or otherwise - to correspond with the new behavior. The whole experience felt like searching for Bigfoot - in a shopping mall parking lot.



#10
October 17, 2012 at 12:08:00
My guess is that it either replaced or corrupted an existing Firefox file. If it was a zero-day attack, that could also explain why none of the scanners were able to detect it.

I'll keep watching my security sources to see if there are any other reports of odd behavior with Firefox or if any bugs or vulnerabilities are published.

I would also highly suggest getting the Web Of Trust (WOT) add-on for Firefox as it shows the reputation of various websites and search engine results at a glance using a color coded system. Not only do I use it myself on all of my computers, but I have also implemented it at several of my clients with favorable results.

Let me know if you have any questions.

-----
IT Desktop & Network Consultant - MOS Master Certified, MCP, MCSA, MCITP - Windows 7, CCNA Certificate Pending, A+, Network +

::geek::

