
Support Forum

A website is posing as Firefox update site, forces you to download a probably malicious fake firefox-update.exe


The site http:// firefox.perl .sh/ is posing as a firefox update site, and tries to get you to run an executable (firefox-update.exe)

Edited to disable the link - TonyE

Modified by TonyE


Additional System Details

Installed Plug-ins

  • Shockwave Flash 10.1 r85
  • Version 1.5.1.0
  • Google Talk Plugin Video Accelerator version:0.1.43.3
  • np-mswmp
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Adobe PDF Plug-In For Firefox and Netscape "9.4.1"
  • Default Plug-in
  • Google Update
  • Pando Web Plugin
  • Next Generation Java Plug-in 1.6.0_22 for Mozilla browsers
  • 4.0.50917.0
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • DRM Netscape Network Object
  • Npdsplay dll
  • DRM Store Netscape Plugin

Application

  • User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 ( .NET CLR 3.5.30729; .NET4.0E)


TonyE
  • Moderator
1041 solutions 8840 answers

Chosen Solution

There have been quite a few sites like that one recently. They report either Firefox or Flash needs to be updated in an attempt to get people to install malicious software.

You can report those sites by using the "Report web forgery" option in the Help menu.

Modified by TonyE

Question owner

Thanks, I didn't notice the "Report web forgery" option before. Reported.

Modified by ncryptor

James
  • Top 25 Contributor
  • Moderator
437 solutions 3156 answers

Mozilla has been working with the Google safe browsing folks and the anti-virus vendors to try to get these sites blocked as quickly as possible, and also has outside counsel contacting the folks who run .co.cc and .co.cz to try to get them to stop selling domain names to whoever is behind this. These efforts may explain why this same page has shown up on other domains outside of .co.cc and .co.cz lately.

This site is reported by the way.

sweet_sjr_20 0 solutions 1 answers

How do I uninstall the malware if it downloaded onto my desktop? I noticed changes on my computer like music and advertisements will start playing even when I don't have anything open. I want to uninstall it, but I can't figure out how.

TonyE
  • Moderator
1041 solutions 8840 answers

Try running several malware scanners. It is best to run several as each will pick up things that the others miss. Some scanners you can try are:

If the above malware scanners do not find any malware or can not clear it, you should consider posting in one of these forums for specialized malware removal help:

nessarose 0 solutions 1 answers

I had the same problem with my computer, and found this post from bleepingcomputer helpful:

http://www.bleepingcomputer.com/forums/topic68402.html

What fixed it for me was: A) Disabling TeaTimer B) Restarting my computer in safe mode C) Running HijackThis D) Deleting the .exe file (I don't remember its exact name, but I googled every .exe file HijackThis until I found results telling me it was malware) E) Restarting my computer in normal mode.

It did the trick. I hope this helps!

JJBlue 0 solutions 2 answers

I had something similar happen to me a couple of days ago but the page was what looked like a 'Firefox Reported Attack Site' page!

I went to Google and searched for 'Mystical pictures of London' > clicked 'Images' and on the first page of Google Images there was a picture that was out of place and let's say a little explicit. I couldn't make it out properly so clicked on the Pic. That's when I got redirected to what looked like the Firefox Reported Attack Site page, but it had a 'Download Updates' tab instead of the usual 'Get me out of Here' tab. I then got a Prompt saying:

'The Website has been blocked based on your security preferences.
 Click 'OK' to download and install firefox updates.


I clicked 'ok' knowing I would then get the prompt to save the file, so I could have a better look at what it was! I then took a screenshot of the pop up prompt and clicked cancel. Then ran a full scan with Malwarebytes and it found a 'Rough Installer' Virus!

Now I need to find a way of reporting this!?

(Leaving a space or spaces in the links)

The link on the Pic said:

mysticalparty. png

On the prompt it said: You have chosen to open firefox_update_2011. exe

Which is a: Binary File from: http:// dl. av2011. co. cc

I have also saved the Log from my MBAM scan.


I hope I have not broken any rules putting the info up here, but I'm no Techno Wizz...I just don't want anyone else to make the same mistake as me and want this site Reported and closed down!

Any Help or Advice would be Great!
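The downloads reported in this thread share one pattern: an executable named like a Firefox update, served from a host that is not Mozilla's. The following proxy-log check for that pattern is an added example, not part of any poster's reply; the log format, the vendor domain list and the sample hosts are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: domains accepted as genuine vendor download sources.
VENDOR_DOMAINS = ("mozilla.org", "mozilla.com", "mozilla.net", "adobe.com")

# File names claiming to be a Firefox or Flash updater/installer executable.
LURE_NAME = re.compile(
    r"(firefox|flash)[\w.\- ]*(update|setup|install)[\w.\- ]*\.exe$", re.I)

def host_is_vendor(host):
    """True only when host is a vendor domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    # Compare on a label boundary so notmozilla.org and
    # mozilla.org.cdn.example do not pass as mozilla.org.
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def classify(url):
    """Return 'fake-update', 'vendor' or 'other' for a download URL."""
    parts = urlsplit(url)
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    if not LURE_NAME.search(filename):
        return "other"
    return "vendor" if host_is_vendor(parts.hostname or "") else "fake-update"

def scan(log_lines):
    """Return (client, url) for each request that fetched a fake updater."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _ts, client, _method, url, _status = fields
        if classify(url) == "fake-update":
            hits.append((client, url))
    return hits

# Constructed proxy log lines: timestamp client method url status.
# File names follow the ones reported in the thread; hosts are placeholders.
SAMPLE_LOG = [
    "2010-12-01T10:00:01Z 10.0.0.5 GET http://dl.updates.example/firefox_update_2011.exe 200",
    "2010-12-01T10:02:13Z 10.0.0.7 GET https://download.mozilla.org/releases/Firefox%20Setup%203.6.13.exe 200",
    "2010-12-01T10:05:40Z 10.0.0.9 GET http://download.mozilla.org.cdn.example/firefox-update.exe 200",
    "2010-12-01T10:06:02Z 10.0.0.9 GET http://tools.example/putty.exe 200",
]

if __name__ == "__main__":
    for client, url in scan(SAMPLE_LOG):
        print(client, url)
```

Because the same page moves between domains, matching on the claimed file name plus a vendor allowlist keeps working after a per-domain block has gone stale.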

James
  • Top 25 Contributor
  • Moderator
437 solutions 3156 answers

The link you posted http:// dl. av2011. co. cc is not found now.

Best place to report a site trying to do stuff like this, like serving a trojan exe as a Firefox update is at http://www.mozilla.com/en-US/legal/fraud-report/index.html

Like I said, Mozilla has been pressuring the co.cc to not allow this fake update page to go up, so it is no surprise if it is down now.

Modified by James

JJBlue 0 solutions 2 answers

Thank you so much for your reply James. The link you gave me is exactly what I was looking for! I've passed all the information I have on to them and let's hope Firefox or even Google (as this is where I got the link in the first place) crack down on co.cc for letting these pages go through the net!

The page looked exactly as it does in this link: http://technonxt.wordpress.com/2010/10/20/reported-attack-page-a-latest-malicious-trick-from-security-tool-rogue-anti-virus/

...but not from the site that is explained on technonxt.wordpress page. Thanks again!!