
"New" Firefox Search Result Hijacker

  • 25 replies
  • 1 has this problem
  • 141 views
  • Last reply by flau

Hi,

I recently downloaded and installed an Android emulator named "Andy". Unfortunately, the .exe also installed all kinds of other software on my Windows 7 system.

I removed most of the unwanted software, but one problem remained: a search result hijacker was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all.

I tracked the issue down to an addon in Firefox (see attached screenshot) that I cannot remove, no matter what I try.

What I tried to remove it:

  • I tried to remove the addon via about:config
  • I tried to run Firefox in safe mode and uninstall it
  • I tried to factory reset Firefox
  • I installed Avira and made a system scan
  • I installed MalwareBytes and made a system scan
  • I checked all the extension folders for addons that I do not know but can't find anything
  • I checked my whole system for any xpi-files but couldn't find any.

I am out of ideas. I can disable the addon, but that's about it. After a while Firefox will shut itself down and the next time I start it, the addon is on again. When I reinstall Firefox, the same thing happens. The addon is always back.

When I inspect the element, it loads some invisible icon file that is supposedly located at src="jar:file:///C:/Windows/Installer/%7BB28AF4A4-C997-4A5B-A111-FD1E65138A8D%7D/%7B02E337C0-4D70-452D-AA64-92D0A8C5D953%7D.xpi!/icon48.png", if that helps. But the location doesn't exist on my system.

Can anyone here help me? I already sent a problem report via the official tool.

Sincerely Florian

Attached screenshots

Chosen Solution

Thus far it seems like reinstalling Node.js and npm solved the problem. At least I haven't had any unwanted attempts at accessing the de.nodejs.net website, and no visible parts of the malware seem to be present on my system.

As a quick summary:

0. The adware comes as a byproduct of software like Audacity or Andy and many others.
1. The malware is called "DownloadProtect".
2. It affects every browser on the system and replaces search results to generate ad revenue.
3. MalwareBytes can detect and remove it, but it hides itself in typical applications like "Node.js" (that can differ). Make sure to leave on the trojan protection feature of MalwareBytes to see which application tries to access the internet.
4. To solve the issue, run MalwareBytes to remove all the parts and reinstall the affected software in which the reinstall trojan hides.
5. EDIT (28.11.2020): The virus was also in the windows\Temp folder. Delete it too. MalwareBytes will block internet accesses from that folder.

That seems to finally have fixed it for me.

Thanks for all the input & kind regards Flau


All Replies (20)


It's very sad, but many software downloaders/installers will trick you into installing not only their program, but other programs as well.

You have heard of the fine print in shady contracts, right? Well, some installers you need to look at the itsy bitsy teeny weeny fine print.

You are thinking you are giving the installer permission to install the program you want by using the recommended option. But if you use the manual option instead, you discover all kinds of stuff that you do not even know what it is or what it does.

From now on, everyone needs to use the manual option to put a stop to this.

Note that these programs can also change browser/computer settings.


Start Firefox in Safe Mode {web link}

A small dialog should appear. Click Start In Safe Mode (not Refresh).

Then try removing the unwanted extension. Is the problem still there?


Well... I did use the manual option and I turned off all the additional stuff, but a lot of things got installed nonetheless.

And I also tried to remove the addon in safe mode. Sadly, that doesn't help at all, as it reinstalls itself very soon. Whatever that is, it is pretty well hidden.

Thank you for your time though!

Sincerely Flau


Hi Flau, if you type or paste about:policies in the address bar and press Enter to load it, is there anything listed there? Normally it's just:

The Enterprise Policies service is inactive.

However, policy entries in the Windows Registry or a policy file would be one way to force-install an add-on.


Also, you may have adware/malware. Further information can be found in this article: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware?cache=no

Run most or all of the listed free-to-use malware scanners. Each works differently. If one program misses something, another may pick it up.


You can check the extensions.json file in the profile folder.

You can use the button on the "Help -> Troubleshooting Information" (about:support) page to go to the current Firefox profile folder or use the about:profiles page.

Modified by cor-el


The extensions.json file gave me some additional insight. After the conversion, this entry emerged:

Version: 2.4.9 21.1.2014 07:53:23 8.11.2020 17:01:20 Extension Disabled {02E337C0-4D70-452D-AA64-92D0A8C5D953} Sideloaded through Windows Registry (C:\Windows\Installer\{B28AF4A4-C997-4A5B-A111-FD1E65138A8D}\{02E337C0-4D70-452D-AA64-92D0A8C5D953}.xpi)

The problem remains, though, that I have no idea how to prevent the side-loading process. But that might help others here =)

Thank you for this @cor-el !

@jscher2000

There is nothing listed but the term you stated, "sadly".

@FredMcD

I'll see if I run some more of them and see what happens...

The other options did not help, though, I am afraid. The policies list is empty and I can only try more anti-malware...


I manually deleted the registry entry and the addon seems to be gone. I will report back if this is a lasting fix!

Sincerely Flau


I am afraid that the hijacker is back. It was gone for two days from the addon list, but today Firefox closed itself again and the addon was back.

Any other ideas?

Sincerely Flau


Hi Flau, modern versions of Firefox should no longer side-load extensions from the registry. There must be some other way the malware is injecting the extension into Firefox. Did you run the malware cleanup tools?


Hi jscher2000!

I have already scanned my system with the MalwareBytes software, Avira and yesterday with the official Microsoft Safety Scanner, without success. It takes a few hours for a scan to complete. Those tools did not do the deed.

Right now I test Spybot S&D and later I will try adwcleaner_8.0.8 and tdsskiller.

I will report back with news on the other tools, but I am without much hope, to be honest.

Sincerely Flau

Modified by flau


Earlier you checked for policies. Another thing to check for would be an autoconfig file. This is a little hard to explain because the files can have a wide variety of names. However, you would always be able to track down the first one by checking a specific folder. Which one depends on where Firefox is installed, but you can see which one you have:

  • C:\Program Files\Mozilla Firefox\defaults\pref
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref

This folder normally contains a single file named channel-prefs.js (if Windows doesn't show the .js extension, turn on viewing of extensions using the steps in the following article: https://www.bleepingcomputer.com/tutorials/how-to-show-file-extensions-in-windows/).

Any other file here may instruct Firefox to load another script file at startup that could make wide-ranging modifications to Firefox.
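The two checks suggested in this thread (cor-el's look at extensions.json, and the check above for extra files in defaults\pref) can be scripted so they are repeatable after each cleanup attempt. The following is an added example, not code from the thread or from Mozilla: it parses a constructed extensions.json sample (the add-on GUIDs and the C:\Windows\Installer path are the ones quoted in the thread, the rest is made up) and flags add-ons whose install location is outside the profile, then lists anything in defaults\pref other than channel-prefs.js. The location names "winreg-app-global" and "winreg-app-user" are assumed to be what about:support renders as "Sideloaded through Windows Registry"; confirm against your own file.

```python
import json
import os
import re

# Constructed sample of a Firefox extensions.json, modelled on the fields Firefox
# writes (id, version, type, location, userDisabled, path). The GUIDs and the
# C:\Windows\Installer path come from the thread; everything else is made up.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 33,
    "addons": [
        {"id": "https-everywhere@eff.org", "version": "2020.8.13",
         "type": "extension", "location": "app-profile", "userDisabled": False,
         "path": r"C:\Users\flau\AppData\Roaming\Mozilla\Firefox\Profiles\x.default\extensions\https-everywhere@eff.org.xpi"},
        {"id": "{02E337C0-4D70-452D-AA64-92D0A8C5D953}", "version": "2.4.9",
         "type": "extension", "location": "winreg-app-global", "userDisabled": True,
         "path": r"C:\Windows\Installer\{B28AF4A4-C997-4A5B-A111-FD1E65138A8D}\{02E337C0-4D70-452D-AA64-92D0A8C5D953}.xpi"},
        {"id": "default-theme@mozilla.org", "version": "1.0",
         "type": "theme", "location": "app-builtin", "userDisabled": False,
         "path": None},
    ],
})

# Install locations that mean the add-on did not arrive through the normal
# in-browser install flow. Assumption: the "winreg-*" names are the internal
# names behind about:support's "Sideloaded through Windows Registry".
SIDELOAD_LOCATIONS = {"winreg-app-global", "winreg-app-user",
                      "app-global", "app-system-share"}


def load_addons(extensions_json_text):
    """Return the list of add-on records from the text of extensions.json."""
    return json.loads(extensions_json_text)["addons"]


def suspicious_addons(addons):
    """Return [(id, [reasons])] for add-ons a defender should look at first."""
    findings = []
    for addon in addons:
        reasons = []
        location = addon.get("location", "")
        path = addon.get("path") or ""
        if location in SIDELOAD_LOCATIONS:
            reasons.append("installed outside the profile (location=%s)" % location)
        if re.search(r"\\Windows\\Installer\\", path, re.IGNORECASE):
            reasons.append("XPI lives under C:\\Windows\\Installer, not in the profile")
        if reasons:
            findings.append((addon["id"], reasons))
    return findings


# The one file a stock Firefox install keeps in defaults\pref.
EXPECTED_PREF_FILES = {"channel-prefs.js"}


def unexpected_pref_files(filenames):
    """Given the names found in <Firefox install>\\defaults\\pref, return those
    that are not channel-prefs.js; an extra .js here is how an autoconfig
    file gets pulled in at startup."""
    return sorted(f for f in filenames if f.lower() not in EXPECTED_PREF_FILES)


def scan_pref_dir(install_dir):
    """Run unexpected_pref_files() against a real install directory."""
    pref_dir = os.path.join(install_dir, "defaults", "pref")
    if not os.path.isdir(pref_dir):
        return []
    return unexpected_pref_files(os.listdir(pref_dir))


if __name__ == "__main__":
    for ext_id, reasons in suspicious_addons(load_addons(SAMPLE_EXTENSIONS_JSON)):
        print(ext_id)
        for reason in reasons:
            print("   -", reason)
    for install in (r"C:\Program Files\Mozilla Firefox",
                    r"C:\Program Files (x86)\Mozilla Firefox"):
        for name in scan_pref_dir(install):
            print("unexpected file in defaults\\pref:",
                  os.path.join(install, "defaults", "pref", name))
```

To run it against a live profile, replace SAMPLE_EXTENSIONS_JSON with the contents of the profile's extensions.json (the profile folder is reachable from about:support or about:profiles, as cor-el noted). The two registry-sideload location names are the key signal here; an add-on in the profile's own extensions folder would not be flagged.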


Hi jscher2000!

In the prefs.js I found the following entry (I forgot to mention it, but I deleted it earlier too, and it came back):

user_pref("extensions.webextensions.uuids", "{\"doh-rollout@mozilla.org\":\"5a8689fd-a200-4585-aa12-656ce3929466\",\"formautofill@mozilla.org\":\"191e946e-5193-41d2-af6f-66853bb94580\",\"screenshots@mozilla.org\":\"e548911c-1efc-46d6-b304-92eb30115493\",\"webcompat-reporter@mozilla.org\":\"6e1cbedb-03f7-4535-b1cc-f95366a96c01\",\"webcompat@mozilla.org\":\"54201459-e103-405a-a679-e4ec354013b0\",\"default-theme@mozilla.org\":\"0dc843c5-75e6-444f-9fd7-f23f5f7d07cd\",\"google@search.mozilla.org\":\"d8052db8-65fd-4651-8826-27a85d50dcf6\",\"leo_ende_de@search.mozilla.org\":\"07b2ea4a-9a6b-48b2-8f60-8b04eda9c3f1\",\"ecosia@search.mozilla.org\":\"2ccdea55-def0-4548-b01e-fb149530056e\",\"wikipedia@search.mozilla.org\":\"9538d4cc-00cf-43cb-ad02-2b5d5ac58f33\",\"bing@search.mozilla.org\":\"72133c14-6186-4cb2-91fb-0dc0573ace11\",\"amazon@search.mozilla.org\":\"a4dde9e2-2216-478b-975f-c8f9f6ec3b64\",\"ddg@search.mozilla.org\":\"ae9b08a7-9123-43f2-81f2-e88997a25721\",\"ebay@search.mozilla.org\":\"0b177a56-098d-4413-b145-921c32e5c9aa\",\"e389d8c2-5554-4ba2-a36e-ac7a57093130@gmail.com\":\"f3a48654-95f1-4cd7-be97-b2efc2f0cb2e\",\"{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}\":\"93707929-8489-46d8-addc-92b210ebe1cd\",\"{73a6fe31-595d-460b-a920-fcc0f8843232}\":\"91acab29-c483-46b2-b042-4a01a89ce9d7\",\"https-everywhere@eff.org\":\"b8dc07f4-b1a1-444e-87ea-43aa2a3fee72\",\"languagetool-webextension@languagetool.org\":\"1f01ec24-9982-4bd4-8b31-64f01809daa6\",\"{02E337C0-4D70-452D-AA64-92D0A8C5D953}\":\"c14e311a-37d6-4ced-9854-5ed2a60eb7db\",\"zotero@chnm.gmu.edu\":\"defb7f3a-97a0-4c01-a429-a6c67bd42107\",\"firefox-compact-dark@mozilla.org\":\"99c045a3-c68f-4a3b-a62e-97b4c1298d37\",\"{b9acf540-acba-11e1-8ccb-001fd0e08bd4}\":\"fc0d074a-1cf7-4e8e-afc9-3cadf7e7f64c\"}");

It's a bit unreadable, but the registry entry goes by the same name "02E337C0-4D70-452D-AA64-92D0A8C5D953" and is also referenced in that file.

Apart from that there is only a user.js file in the same folder (I assume all the json files, sqlite files, shm files and txt files do not count).

Is that useful new information?

Sincerely Flau

PS: All the other tools did not find anything either. Further, I left the addon "installed" but disabled this time, and none of the tools even detected it.


Hi flau, the extensions.webextensions.uuids preference stores the random IDs Firefox assigns to each installed extension. This local ID is used to create URLs (for example, for extensions that show an options page or new tab page) and in the names of folders for storage files used by the extension.

In an earlier post, you discovered the path to the extension:

C:\Windows\Installer\{B28AF4A4-C997-4A5B-A111-FD1E65138A8D}

as the file {02E337C0-4D70-452D-AA64-92D0A8C5D953}.xpi

Will Windows let you right-click > Rename that file with a different extension, such as .zip? (XPI files are ZIP archives, actually.)

Possibly you will need to run File Explorer as an administrator: in the Windows system level search box on the Task Bar, type or paste explorer.exe then right-click it on the Start menu results panel and choose Run as Administrator.

That would break the connection with the registry entry and also Firefox won't see the XPI file any more.

It would be interesting to watch for whether the file gets renamed or reinstalled at a later time, or whether this was a one-time installation and there's no ongoing infection.
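Because the value of extensions.webextensions.uuids is JSON wrapped inside a JavaScript string literal (hence the \" escapes in flau's paste), it is awkward to read by eye. The following is an added example, not code from the thread or from Mozilla: it parses user_pref lines from a constructed prefs.js excerpt (three entries taken from the thread), recovers the ID-to-UUID map, builds the internal moz-extension:// URL that the UUID is used for, and lists IDs that still hold a UUID but are not in a given list of installed add-ons. The prefs.js excerpt is constructed; the inner JSON is the same shape as the real pref.

```python
import json
import re

# Constructed prefs.js excerpt. The pref value is a JS string literal whose
# content is JSON, so every inner quote is written as \" in the file.
SAMPLE_PREFS_JS = r'''
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.webextensions.uuids", "{\"https-everywhere@eff.org\":\"b8dc07f4-b1a1-444e-87ea-43aa2a3fee72\",\"{02E337C0-4D70-452D-AA64-92D0A8C5D953}\":\"c14e311a-37d6-4ced-9854-5ed2a60eb7db\",\"zotero@chnm.gmu.edu\":\"defb7f3a-97a0-4c01-a429-a6c67bd42107\"}");
'''

# Matches user_pref("name", "<double-quoted literal with \" and \\ escapes>");
# Only string-valued prefs are captured; numbers and booleans are skipped.
USER_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*("(?:[^"\\]|\\.)*")\);', re.MULTILINE)


def read_user_prefs(prefs_text):
    """Map pref name -> string value for every string-valued user_pref line."""
    prefs = {}
    for name, literal in USER_PREF_RE.findall(prefs_text):
        # A JS double-quoted literal using only \" and \\ escapes is also a
        # valid JSON string literal, so json.loads unescapes it for us.
        prefs[name] = json.loads(literal)
    return prefs


def extension_uuids(prefs_text):
    """Return {extension id: uuid} from extensions.webextensions.uuids."""
    raw = read_user_prefs(prefs_text).get("extensions.webextensions.uuids", "{}")
    return json.loads(raw)


def internal_url(prefs_text, ext_id):
    """The moz-extension:// origin Firefox derives from the extension's UUID,
    or None if the extension has no UUID assigned."""
    uuid = extension_uuids(prefs_text).get(ext_id)
    return None if uuid is None else "moz-extension://%s/" % uuid


def uuids_without_addon(prefs_text, installed_ids):
    """IDs that still hold a UUID but are absent from the installed list
    (installed_ids would normally come from extensions.json)."""
    return sorted(set(extension_uuids(prefs_text)) - set(installed_ids))


if __name__ == "__main__":
    for ext_id, uuid in extension_uuids(SAMPLE_PREFS_JS).items():
        print("%-45s %s" % (ext_id, internal_url(SAMPLE_PREFS_JS, ext_id)))
    print("UUID entries with no matching installed add-on:",
          uuids_without_addon(SAMPLE_PREFS_JS,
                              ["https-everywhere@eff.org", "zotero@chnm.gmu.edu"]))
```

Note that an entry in this pref is only a record of an ID Firefox has seen; on its own it does not install anything, which is consistent with flau's observation that deleting it did not stop the add-on from returning.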


I located that copy of the .xpi file and another one on the system. I tried to delete both and I will now wait and see what happens. Thanks for your input!

I had to type the path to the installer folder (C:\Windows\Installer) directly into the File Explorer search bar. For some reason I could not see the folder otherwise.

I'll let you know if this helps.

Sincerely Flau

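Since an XPI is a ZIP archive, as jscher2000 noted, a located copy can be read offline before it is quarantined to see what it declares. The following is an added example, not code from the thread or from Mozilla: it builds a constructed XPI in memory (the add-on ID is the one from the thread; the name, permissions, match patterns and file names are made up for the example) and summarises its manifest.json: the ID, the permissions that grant broad page access, the sites its content scripts target, and whether the archive even carries a Mozilla signature file (presence only; validating the signature is Firefox's job).

```python
import io
import json
import sys
import zipfile


def build_sample_xpi():
    """Constructed XPI for the example. Only the manifest matters here; the
    script bodies are stubs and nothing in it is the thread's real file."""
    manifest = {
        "manifest_version": 2,
        "name": "Search Helper (constructed sample)",
        "version": "2.4.9",
        "applications": {"gecko": {"id": "{02E337C0-4D70-452D-AA64-92D0A8C5D953}"}},
        "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "tabs"],
        "content_scripts": [{"matches": ["*://*.google.com/*", "*://*.bing.com/*"],
                             "js": ["inject.js"]}],
        "background": {"scripts": ["bg.js"]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("manifest.json", json.dumps(manifest))
        z.writestr("inject.js", "// stub")
        z.writestr("bg.js", "// stub")
        z.writestr("icon48.png", b"")
    return buf.getvalue()


# Permissions that let an extension observe or rewrite arbitrary pages. A
# sideloaded add-on that asks for these is worth a close look.
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking",
                         "tabs", "history", "proxy", "nativeMessaging"}


def summarize_xpi(xpi_bytes):
    """Read manifest.json out of XPI bytes and return the facts a defender
    wants first. Raises KeyError if there is no manifest.json."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        files = z.namelist()
        manifest = json.loads(z.read("manifest.json"))
    # MV2 uses "applications", newer manifests "browser_specific_settings".
    bss = manifest.get("applications") or manifest.get("browser_specific_settings") or {}
    gecko = bss.get("gecko", {})
    perms = set(manifest.get("permissions", []))
    matches = [pattern for cs in manifest.get("content_scripts", [])
               for pattern in cs.get("matches", [])]
    return {
        "id": gecko.get("id"),
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "high_risk_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "content_script_matches": matches,
        # Mozilla-signed XPIs carry META-INF/mozilla.rsa; its presence says the
        # file was once signed, not that the signature still verifies.
        "signed": "META-INF/mozilla.rsa" in files,
        "files": files,
    }


if __name__ == "__main__":
    # Pass a path to a real .xpi (or its renamed .zip) to inspect it instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    for key, value in summarize_xpi(data).items():
        print("%-24s %s" % (key + ":", value))
```

The combination shown by the sample (content scripts scoped to search engines, request-interception permissions, no signature file) is the pattern that would explain replaced search results; a real file's manifest is the thing to read, not the sample's.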

Well,

After a night of sleep and a computer restart, the addon is back and I am back to square one.

Any other ideas?

As a small addition: the addon is also there in Chrome.

Sincerely Flau

Modified by flau

doh-rollout@mozilla.org:  "5a8689fd-a200-4585-aa12-656ce3929466";
formautofill@mozilla.org:  "191e946e-5193-41d2-af6f-66853bb94580";
screenshots@mozilla.org:  "e548911c-1efc-46d6-b304-92eb30115493";
webcompat-reporter@mozilla.org:  "6e1cbedb-03f7-4535-b1cc-f95366a96c01";
webcompat@mozilla.org:  "54201459-e103-405a-a679-e4ec354013b0";
default-theme@mozilla.org:  "0dc843c5-75e6-444f-9fd7-f23f5f7d07cd";
google@search.mozilla.org:  "d8052db8-65fd-4651-8826-27a85d50dcf6";
leo_ende_de@search.mozilla.org:  "07b2ea4a-9a6b-48b2-8f60-8b04eda9c3f1";
ecosia@search.mozilla.org:  "2ccdea55-def0-4548-b01e-fb149530056e";
wikipedia@search.mozilla.org:  "9538d4cc-00cf-43cb-ad02-2b5d5ac58f33";
bing@search.mozilla.org:  "72133c14-6186-4cb2-91fb-0dc0573ace11";
amazon@search.mozilla.org:  "a4dde9e2-2216-478b-975f-c8f9f6ec3b64";
ddg@search.mozilla.org:  "ae9b08a7-9123-43f2-81f2-e88997a25721";
ebay@search.mozilla.org:  "0b177a56-098d-4413-b145-921c32e5c9aa";
e389d8c2-5554-4ba2-a36e-ac7a57093130@gmail.com:  "f3a48654-95f1-4cd7-be97-b2efc2f0cb2e";
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:  "93707929-8489-46d8-addc-92b210ebe1cd";
{73a6fe31-595d-460b-a920-fcc0f8843232}:  "91acab29-c483-46b2-b042-4a01a89ce9d7";
https-everywhere@eff.org:  "b8dc07f4-b1a1-444e-87ea-43aa2a3fee72";
languagetool-webextension@languagetool.org:  "1f01ec24-9982-4bd4-8b31-64f01809daa6";
{02E337C0-4D70-452D-AA64-92D0A8C5D953}:  "c14e311a-37d6-4ced-9854-5ed2a60eb7db";
zotero@chnm.gmu.edu:  "defb7f3a-97a0-4c01-a429-a6c67bd42107";
firefox-compact-dark@mozilla.org:  "99c045a3-c68f-4a3b-a62e-97b4c1298d37";
{b9acf540-acba-11e1-8ccb-001fd0e08bd4}:  "fc0d074a-1cf7-4e8e-afc9-3cadf7e7f64c";


Here is another try at supplying useful information. When I go to my about:config, the recently changed entries are usually displayed in bold black. Since I haven't changed any of them, I must assume some other program did. I'll just list the changes made to my about:config:

  • devtools.webextensions.{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.enabled - true
  • extensions.activeThemeID - firefox-compact-dark@mozilla.org
  • extensions.blocklist.pingCountVersion - -1
  • extensions.databaseSchema - 33
  • extensions.getAddons.databaseSchema - 6
  • extensions.getAddons.cache.lastUpdate - 1605119934
  • extensions.incognito.migrated - true
  • extensions.recommendations.hideNotice - true
  • extensions.ui.dictionary.hidden - true
  • extensions.ui.extension.hidden - false
  • extensions.ui.locale.hidden - true
  • extensions.webcompat.enable_picture_in_picture_overrides - true
  • extensions.webcompat.enable_shims - true
  • extensions.webcompat.perform_injections - true
  • extensions.webcompat.perform_ua_overrides - true

This morning the addon was back directly on Firefox startup, without any shutdown.

Sincerely Flau


Okay, I am mildly confident that I got it this time. The other MalwareBytes software (adwcleaner_8.0.8.exe) was able to locate the .xpi file in question, tagged it as "adware" and moved it to quarantine. However, it did not detect the changed registry (type regedit into the search bar and look for the addon name), and that alone did lead to a reinstall.

When I did a scan, quarantined the .xpi file and also changed the registry before restarting Firefox, the addon does not seem to come back.

Thank you for your help!

Sincerely Flau
