The interesting change that I noticed the last time I got this and as noted by SirReno7 was the switch to a javascript file. Initially it was an exe. So this guy is evolving his approach over time. I'm not nearly smart enough to understand the implications, but it is interesting.

SirReno7 said

... So anyway, my browser got redirected to the orange page to download the malware.. I knew almost RIGHT AWAY that it was malware (because this is NOT the way Firefox usually updates), ...

Not that many people would realize that. Good catch!

I have Firefox setup for automatic updates which it has done in the past. Last night I got a pop up from Avast saying Firefox needed to update. I opened the menu, went to help, and when I clicked 'about', it automatically updated to 48.0. I had been getting the fake Firefox update pop ups for a few weeks and got another one tonight.

The firefox "urgent update" malware is definitely alive and well. Another company's website where this is being delivered up as a paid advertisement, and the one that I always get redirected to it from, is http://fiostrending.verizon.com/news/

These companies really need to choose a better source for their advertisements, if they insist on forcing them on their customers, if their sites are being hijacked by this malware!

Interestingly enough, the hit-and-run website that I'm being redirected to NEVER shows up in my browsing history.

I got this pop-up for the first time today. I got it when I exited my AT&T Email to the AT&T/Yahoo Home Page:

https://att.yahoo.com/

which is full of mouse-over scam and spam ads. Like the previous poster, I feel these companies should vett their advertisers more closely, or better yet, just let me exit my email back to my browser's home page, which in my case is my router's diagnostics page. That would be much safer, but then they would not reap all that ad money.

I got the Urgent Firefox Update orange page yesterday evening (about 3 hours ago).

https://eumahdcamb.net/6632889358445/69858b915c24ecdebde3151a96edefed.html

apparently from 

http://www.accuweather.com/en/us/philadelphia-pa/19107/weather-radar/350540

About half an hour ago I tried that site again to see if the malware message would repeat, and it did not.

The page you visited might produce a new phony-update tomorrow, with a new URL, which I would welcome knowing the full URL as well as which company registered the phony site, but so far never the same orange screen twice in one day. By tomorrow, whois will show site is available to purchase.

Just the latest site that redirects to the Urgent Update hijack is http://www.ibtimes.co.uk

I've had this problem for a while and using uBlock addon does work, however many sites require you to disable adblock software to view content and this was the case today.

I also believe that Shockwave Flash add-on may be a potential issue.

Thanks for following up. I think I sent you the full URL, https://eumahdcamb.net/6632889358445/69858b915c24ecdebde3151a96edefed.html

If you want, I'm willing to carefully save, NOT run, and send you or whoever wants it a well-labeled folder containing the exe or whatever file is the malware package. I did download and save it yesterday before realizing what was going on (and immediately deleting it); my Windows Defender quick scan didn't find any problem on my computer, and I'm going to do the full scan at night anyway, so an additional save shouldn't be any extra risk. Let me know if you want it (assuming that I get the orange page again).

John

cliffontheroad said

The page you visited might produce a new phony-update tomorrow, with a new URL, which I would welcome knowing the full URL as well as which company registered the phony site, but so far never the same orange screen twice in one day. By tomorrow, whois will show site is available to purchase.

Thanks for the latest malware URL. It currently is being cancelled and no more visits are possible and could not duplicate getting the redirection while visiting IBTIMES. Tomorrow is another story starting at 2AM when a new URL has been approved.. Probable the bad guys are being selective in who takes the "left turn" via the ad site. BTW, the same registering company was used again. So much for their preventive mesures, and I told them so! Reminder, while I'm interested, do not let this consume you.

replicounts said

Thanks for following up. I think I sent you the full URL, https://eumahdcamb.net/6632889358445/69858b915c24ecdebde3151a96edefed.html If you want, I'm willing to carefully save, NOT run, and send you or whoever wants it a well-labeled folder containing the exe or whatever file is the malware package. .... John

Hi John, Depending on how it was deleted you may have it in your Rubbish bin and be able to get it back from there even if you no longer get the orange screens.

If you do come across such files you could submit them to virustotal.com that helps ensure they will be picked up by AV software. In this case it apparently was picked up as malware which is good and means many potential victims will be protected. It is especially good if Windows Defender picks it up as even those with no specialist AV should have that.

If you submit it to virustotal.com you will get a report back saying if the file was scanned before what we probably need to watch for are new versions that have not been scanned and which are not detected by many AV programs. Initially they seemed to use .exe files but now seem to have moved on to .js files.

Ever since I've had this pop-up I have had a trojan removed over and over again. I uploaded the image from HitMan Pro. I also have another weird thing going on. I don't know if its related. When I start the Windows 10 computer I see a window that wants to know what application to used to open files with an extension of .8d5b4f2. I've attached an image of where I found this type of file in 2 locations (hidden files). Does anyone else have this?

Saturday, 9-3-16 - adding an image of the popup with firefoxpatch.js file with a link. Hope this helps - The firefox image is behind it. I just hit cancel and it goes away. I have loaded uBlock Origin on 9-2-16 and it has not happened again.

Have not experienced the above. Have you looked in the Register for the location (?) you have in your attachment? Is there a vaue there besides "default"? Look now and after you reboot but B 4 U do anything else. I'd unplug your modem line before startup. Why? Someone will say "wrong" but my homespun guess (not supposed 2 do that here) is it might be network related. In HKEY_USERS I have an S-1-5-18 and 19 and 20 and two 21s. When I use Properties, I see several user privledges. (tangent below). The long ID of the ...21 might be the Fourth User shown in Task Monitor. That's why I suggested the data line disconnect.

1. 2 idea; your find&fix program seems to check the register, but perhaps not the trojen program itself. OR, more than likely, the mal-program is generated / renamed by some other program so that you get rid of it once but it reappears (and can be run anew at a later time.)

1. 3 restore points are great but the machine can store only so many of them. Someday you may want to go back really far and you won't be able to. I know of two automatice routines which ceate restore points and I dislike when THEY make decisions for me. But 4 some people, auto-create is the only way the RP woud be created.

1. 4 tangent on Windows 7 when I right-click on a file/icon and pick properties, then security, I usually see "System", myuser, Admin-myuser. 3 items. Likely the 18,19,20 from above. But lately, a few have a 4th user listed called DENY, with special privleges. It's werd, just like Windows and this FF update-via-advertisment. Just how powerful are certain commandsto change things inside my machine?

1. 5 it is good the extension of .8d5b4f2 can not be run. Go find the full item ID. Unfortunately, I won't be able to help.

I guess, by rights, this/my post should be removed and the above by MB should be posted separate from this topic. Search support MB; you may not be alone with the trojan

It always happens when I am playing a game on Facebook. Always. It will stop and pop up in the middle of the game and I lose whatever I am doing. It's not that big of a deal to start over, but it happens all the time. The game is: Frohe Weihnachten (Merry Christmas)- a matching game.

MBinCarmal or MissChaulkDust? Provide more details of the popup, the game, and the URL. See, no one has gotten just the download popup without the orange screen. Try hitting back-page. But MB's registry entry may not be related to the popup download attempt. Maybe your game will resume playing. Generally, something makes the 'left turn' and so far, an ad. Does the game show ads? Can you get to page-info during the game and check the box to stop the output of gif images?

Had this same issue, website it showed originating from:

https://oceigmuseum-cafe.org/4582916631118/1473130638794292/firefox-patch.js

AdwCleaner removed this for me. I've used this in the past to remove similar adware with luck. It can be found here:

https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Just received my second incident of this popup about 30 minutes ago. This time it appeared to be attached to one of the popup ads that appear in the right hand sidebar of my AT&T email inbox. So far, I have not found a way to report this to AT&T, but not really sure they would care if I did.

Hi tnicoson, I think most AT&T users get their mail on the Yahoo platform, so feel free to report it to Yahoo if you see a link for that.

tnicoson, thanks for the latest. I took the time to LOOK at the above posts and I see where you included the link to https://att.yahoo.com/ for your previous one in mid August.

I did not get the orange screen, but for anyone who wants to search out what ads or middlemen for the ads are involved, the "where you came from" is important. I agree that ATT/Yahoo would not care too much as long as they get their advertising $.

4PM is unusual. Would like the orange screen URL (just the 1st part) to see who registered them. There are other tools/utilities I am playing with but timing is critical. The day after, even hours after, is too late.

Looking over the source code as I type, but I don't expect to find anything except a 1000 ways to make things impossible to track.

I finally registered so I could ask if anybody ever condidered if this is caused by a common add-on/extension/plug-in we all have. I have noticed that it is irrelevant to what web page you're on, as it can be a safe well known page, or anything else. It's a different page everytime, unless you visit a common page a lot, then it may happen there more than once. I use: Download youtube videos as mp4 Google translator for firefox Hide Tab bar with one tab SearchWP Yahoo mail hide ad panel