Is a verification of FF installed code possible?
Strongly desired is a 'verification' of programs loaded vs. the Mozilla copy. This is to supplement 'you are on the latest release.' Reasoning is that lately a web page is replaced by an 'update firefox' orange screen and a pop-up of 'opening firefox-patch.exe' which wants to save a binary file. But it is not a FF patch. The result could be malware. Months ago I fell for this ploy, or a similar FLASH update, and endured problems (i.e., svchost.exe running, taking 50% of my CPU all the time.)
Might be caused by a rotating 'ad', or that FLASH is blocked, or maybe HTML5 is running. Unknown. I have other notes. PS: Windows Security Essentials finds a trojan KIVTER in my temp file soon thereafter. I don't know where it is stored after that.
Chosen solution
We are very aware of what is going on. There is a contributors support thread about these fake updates over here: https://support.mozilla.org/en-US/forums/contributors/712056?last=69507
One of our moderators here - James - has taken the 'lead' on this situation by keeping us informed and 'cataloging' the various domain names that seem to be 'supplying' the fake patch.
If you get a pop-up message asking to update Firefox or plugins or scanning for malware then such a message is likely a scam and you should never respond to such an alert to avoid getting infected with malware.
- Only update Firefox via "Help > About" or by downloading and installing Firefox from the Mozilla server and never via a pop-up or link on a web page.
- Plugins should only be updated via the plugin itself or by visiting the home page of the plugin.
You can find the full version of the current Firefox release (47.0.1) in all languages and all operating systems here:
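The check the original question asks for (comparing what was downloaded against Mozilla's copy) is available for the installer itself: Mozilla publishes a SHA256SUMS manifest next to each release, and a download is genuine only if its SHA-256 digest matches the manifest entry for that file. The script below is an added example, not code from Mozilla or from anyone in this thread. It assumes the manifest uses the two-column `sha256sum(1)` format and that the release manifest lives at `https://ftp.mozilla.org/pub/firefox/releases/<version>/SHA256SUMS`; the installer bytes and manifest lines it uses are constructed stand-ins so it runs offline. It also shows the two failure modes that matter here: a file whose digest does not match (a look-alike `firefox-patch.exe`) and a file the manifest does not list at all.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-ins (NOT real Firefox bytes and NOT real Mozilla digests).
GOOD_BYTES = b"constructed stand-in for Firefox Setup 47.0.1.exe\n"
LOOKALIKE_BYTES = b"constructed stand-in for a fake firefox-patch.exe\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A manifest in the form sha256sum(1) produces: "<hex digest>  <relative path>".
# Built from the constructed bytes so the example runs offline; the real one is
# assumed to be https://ftp.mozilla.org/pub/firefox/releases/47.0.1/SHA256SUMS
MANIFEST_TEXT = (
    f"{sha256_hex(GOOD_BYTES)}  win32/en-US/Firefox Setup 47.0.1.exe\n"
    f"{sha256_hex(b'other constructed payload')}  linux-x86_64/en-US/firefox-47.0.1.tar.bz2\n"
)


def parse_sha256sums(text: str) -> dict:
    """Map each listed path to its expected lowercase hex digest.

    Accepts the two-space separator and the single-space '*path' binary-mode
    form; rejects any digest that is not 64 hex characters.
    """
    digests = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep:
            digest, sep, path = line.partition(" ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: malformed digest")
        digests[path.lstrip("*")] = digest
    return digests


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large installers need little memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(file_path: str, manifest_text: str, manifest_entry: str) -> str:
    """Return 'ok', 'mismatch' (digest differs) or 'not-listed' (no such entry)."""
    expected = parse_sha256sums(manifest_text).get(manifest_entry)
    if expected is None:
        return "not-listed"
    actual = sha256_of_file(file_path)
    # Constant-time comparison; both sides are 64-char hex strings.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo() -> dict:
    """Write the constructed files to a temp dir and verify each against the manifest."""
    results = {}
    entry = "win32/en-US/Firefox Setup 47.0.1.exe"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "Firefox Setup 47.0.1.exe")
        fake = os.path.join(d, "firefox-patch.exe")
        with open(good, "wb") as f:
            f.write(GOOD_BYTES)
        with open(fake, "wb") as f:
            f.write(LOOKALIKE_BYTES)
        results["genuine"] = verify_download(good, MANIFEST_TEXT, entry)
        results["lookalike"] = verify_download(fake, MANIFEST_TEXT, entry)
        results["unknown"] = verify_download(
            good, MANIFEST_TEXT, "win64/en-US/Firefox Setup 47.0.1.exe"
        )
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Against a real download, fetch the manifest for the exact version over HTTPS from the Mozilla server, then call `verify_download()` with the path you saved and the manifest entry matching your platform and locale; anything other than `ok` means do not run the installer. Note that a pop-up-served `firefox-patch.exe` fails this check twice over: its digest will not match, and no such file appears in the manifest at all.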
Note the Kovter trojan may be fileless and as such able to hide in the Registry and RAM without creating a malware file to detect and remove. Symantec have a free tool to remove this
- Notes & tool link: "Symantec Official Blog Kovter malware learns from Poweliks with persistent fileless registry update" http://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
- Instructions for Trojan.Kotver Removal Tool https://www.symantec.com/security_response/writeup.jsp?docid=2015-092321-2230-99
- https://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixToolKotver64.exe https://www.symantec.com/content/en/us/enterprise/media/security_response/tools/FixToolKotver32.exe
- I have deliberately broken those links as it is against forum policy to post links to executables in the forum. Please use the link in the Instructions page, OR copy and paste the address into your address bar.
- If you do use that tool it reports if nothing is found, or it generates a log file. If anything is found it would be interesting to see the content of your log file.
These are the instructions for catching the ad information
If ... affected users) could tell us what the ad URLs are, that would be helpful.
They would need to right-click on the ad image, choose "This Frame -> View Frame Info", and copy/paste the following info:
General tab: Address (URL)
Media tab: Location (URL) of each item in the list of media in that frame.
This will help us isolate the affected ad networks so we can contact them and inform them of the malware.
Thanks!