X
Tap here to go to the mobile version of the site.

Support Forum

xul runner 1.9.1 added mysteriously-redirects google-how remove

Posted

XUL runner 1.9.1 self loaded at some point. By trial and error I found out it was redirecting my Google searches for "Anti Virus Software" to web site other than I clicked on. I have looked in registry and found no reference. I did a clean re-install of Firefox and it is still there. The extensions "uninstall" button is greyed-out.

XUL runner 1.9.1 self loaded at some point. By trial and error I found out it was redirecting my Google searches for "Anti Virus Software" to web site other than I clicked on. I have looked in registry and found no reference. I did a clean re-install of Firefox and it is still there. The extensions "uninstall" button is greyed-out.

Additional System Details

Installed Plug-ins

  • np-mswmp
  • getplusplusadobe16263
  • Adobe PDF Plug-In For Firefox and Netscape "9.3.3"
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Default Plug-in
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • The Hulu Desktop Plugin allows Hulu.com to integrate with the Hulu Desktop application.
  • Google Update
  • Shockwave Flash 10.0 r45
  • iTunes Detector Plug-in
  • GEPlugin
  • Next Generation Java Plug-in 1.6.0_21 for Mozilla browsers
  • 4.0.50524.0
  • NPWLPG

Application

  • User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8

More Information

* np-mswmp
* getplusplusadobe16263
* Adobe PDF Plug-In For Firefox and Netscape "9.3.3"
* NPRuntime Script Plug-in Library for Java(TM) Deploy
* Default Plug-in
* The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
* The Hulu Desktop Plugin allows Hulu.com to integrate with the Hulu Desktop application.
* Google Update
* Shockwave Flash 10.0 r45
* iTunes Detector Plug-in
* GEPlugin
* Next Generation Java Plug-in 1.6.0_21 for Mozilla browsers
* 4.0.50524.0
* NPWLPG

hoops 0 solutions 5 answers

It's actually infecting Google results with the google.ad.sgdoubleclick.net and googleads.g.doubleclick.net redirect.

I've proved this using Fiddler, and by changing my hosts file. Disabling XULRunner addon fixes the problem. How do you uninstall it or repair it?

It's actually infecting Google results with the google.ad.sgdoubleclick.net and googleads.g.doubleclick.net redirect. I've proved this using Fiddler, and by changing my hosts file. Disabling XULRunner addon fixes the problem. How do you uninstall it or repair it?
hoops 0 solutions 5 answers

I found it in the registry, in my case it was

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{01E4B69D-9BF0-4FDE-983A-BFF3E928F9FE}

Delete the registry key, delete the folder it points to.

I found it in the registry, in my case it was HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{01E4B69D-9BF0-4FDE-983A-BFF3E928F9FE} Delete the registry key, delete the folder it points to.
hoops 0 solutions 5 answers

I found it in the registry, in my case it was

HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{01E4B69D-9BF0-4FDE-983A-BFF3E928F9FE}

Delete the registry key, delete the folder it points to.

I found it in the registry, in my case it was HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions\{01E4B69D-9BF0-4FDE-983A-BFF3E928F9FE} Delete the registry key, delete the folder it points to.
cor-el
  • Top 10 Contributor
  • Moderator
17540 solutions 158604 answers
Se also [/tiki-view_forum_thread.php?forumId=1&comments_parentId=658523]

Question owner

In my case, the key to eliminating the XUL Runner 1.9.1 was in finding the registry entry:

HKEY_USERS\S-1-5-21-4084633196-3991238857-972333920-1000/software/mozilla/firefox/chrome. The “chrome” folder contained two files and a sub-folder named “content”. The Chrome folder contained the files “chrome manifest” and “install.rdf”. The content sub-folder contained the files “cfg.js” and “overlay.rdf”.

I found this path thanks to another poster here who tipped me off to the fact that the problem might be being caused by a Firefox extension. Then I was able to stop the problem by selectively disabling my extensions one by one till I found the one causing the redirections. I still wanted to uninstall the extension.

Finding the registry path was strictly hit-or-miss because I didn’t know the name of the files I was looking for. If someone else comes up with this problem, I’d suggest searching the registry for “cfg.js” and/or “overlay.rdf”. This should reveal the registry entry and enable them to eliminate it. Before I deleted the registry key, I took the precaution of saving the files and registry entries in a newly created file in My Documents in case whoever wrote this crap found a way to disable my computer if they were missing from the location where he stuck them.

In my case, the key to eliminating the XUL Runner 1.9.1 was in finding the registry entry: HKEY_USERS\S-1-5-21-4084633196-3991238857-972333920-1000/software/mozilla/firefox/chrome. The “chrome” folder contained two files and a sub-folder named “content”. The Chrome folder contained the files “chrome manifest” and “install.rdf”. The content sub-folder contained the files “cfg.js” and “overlay.rdf”. I found this path thanks to another poster here who tipped me off to the fact that the problem might be being caused by a Firefox extension. Then I was able to stop the problem by selectively disabling my extensions one by one till I found the one causing the redirections. I still wanted to uninstall the extension. Finding the registry path was strictly hit-or-miss because I didn’t know the name of the files I was looking for. If someone else comes up with this problem, I’d suggest searching the registry for “cfg.js” and/or “overlay.rdf”. This should reveal the registry entry and enable them to eliminate it. Before I deleted the registry key, I took the precaution of saving the files and registry entries in a newly created file in My Documents in case whoever wrote this crap found a way to disable my computer if they were missing from the location where he stuck them.
st4rdog 0 solutions 11 answers

Disable the addon. Run the Malwarebytes program too, in Quick Scan at least. Restart.

Start > Run > regedit > HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions - {EE65D1F4-246B-4494-9762-AF54854E258F}

It will point to "C:\Documents and Settings\USERNAME\Local Settings\Application Data\{EE65D1F4-246B-4494-9762-AF54854E258F}"

Delete the registry key, and the folder. It will be gone from your addons.

Disable the addon. Run the Malwarebytes program too, in Quick Scan at least. Restart. Start > Run > regedit > HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions - {EE65D1F4-246B-4494-9762-AF54854E258F} It will point to "C:\Documents and Settings\USERNAME\Local Settings\Application Data\{EE65D1F4-246B-4494-9762-AF54854E258F}" Delete the registry key, and the folder. It will be gone from your addons.
Okix25 0 solutions 1 answers

I've had this problem for quite a while, 2-4 months to say the least, but I disabled it so it wasn't much of a problem. It only resurfaced when I tried the 4.0RC.

As per most suggestions disable the update first.

I tried probing the registry and using scanners, but to no luck, there wasn't a trace in the registry nor did Malwarebytes detect anything unusual.

However, I probed even more, and browsed the AppData (Application Data in XP) folders in Windows. I found an entry ({5A3043C5-C1F6-4C2F-B30E-3241A7E69EE3}) in the AppData/Local Folder and it was slightly renamed versions of said files (such as _cfg.js, and overlay.xul). Thus solving my problem.

So if scanning the registry or Malware scanners don't work, just try hacking through your AppData folders.

Tested on Windows 7 Ultimate x64, Firefox 3.6.15/4.0RC

I've had this problem for quite a while, 2-4 months to say the least, but I disabled it so it wasn't much of a problem. It only resurfaced when I tried the 4.0RC. As per most suggestions disable the update first. I tried probing the registry and using scanners, but to no luck, there wasn't a trace in the registry nor did Malwarebytes detect anything unusual. However, I probed even more, and browsed the AppData (Application Data in XP) folders in Windows. I found an entry ({5A3043C5-C1F6-4C2F-B30E-3241A7E69EE3}) in the AppData/Local Folder and it was slightly renamed versions of said files (such as _cfg.js, and overlay.xul). Thus solving my problem. So if scanning the registry or Malware scanners don't work, just try hacking through your AppData folders. Tested on Windows 7 Ultimate x64, Firefox 3.6.15/4.0RC
StewLG 0 solutions 1 answers

Helpful Reply

I agree with the other posters - it appears that something is capable of infecting a copy of XULRunner.

Finding the ID of this extension is the key to getting rid of it. This isn't directly available from the Extension manager, so go to Help -> Troubleshooting Information. From there the XULRunner extension should be listed with an ID.

Search for this ID in two places: 1) On your file system 2) In your registry

Delete both wherever they appear.

I agree with the other posters - it appears that something is capable of infecting a copy of XULRunner. Finding the ID of this extension is the key to getting rid of it. This isn't directly available from the Extension manager, so go to Help -> Troubleshooting Information. From there the XULRunner extension should be listed with an ID. Search for this ID in two places: 1) On your file system 2) In your registry Delete both wherever they appear.
skillcraft 0 solutions 1 answers

I had the same issue and it was quite annoying so I did a little analysis on it if anyone is interested:

http://devnu11.tumblr.com/post/4420292270/deconstructing-a-browser-redirect-virus

I had the same issue and it was quite annoying so I did a little analysis on it if anyone is interested: http://devnu11.tumblr.com/post/4420292270/deconstructing-a-browser-redirect-virus
eadthem 0 solutions 2 answers

So after some analysis i started to deobfuscate the overlay.xul that comes with this virus. Dose anyone know what the scope of this is? Is it only a browser redirector, Can it read forum data from secure sites such as IRS or bank of America?

Dose Firefox protect HTTPS and SSL coded pages from any viewing, modifying, editing by addons, extensions? if not when will it?overlay.xul and _cfg.js

So after some analysis i started to deobfuscate the overlay.xul that comes with this virus. Dose anyone know what the scope of this is? Is it only a browser redirector, Can it read forum data from secure sites such as IRS or bank of America? Dose Firefox protect HTTPS and SSL coded pages from any viewing, modifying, editing by addons, extensions? if not when will it?[http://final.servegame.com/xulrunnervirus/ overlay.xul and _cfg.js]
tempy 0 solutions 1 answers

I had this problem too - all of my searches from google.com were being re-directed to spam sites. There were two other symptoms though:

1) google image search would never display images past page 2 - just blank thumbnails. 2) google image search preview (mouseover) would not work.

I put up with it for a while, until yesterday.

This is the reason I am posting here. One of the links I was re-directed to crashed firefox, and all of a sudden I was staring at 'malware protector' scanning my system - it had even created a shortcut on my desktop.

Every time I booted up this program ran and I could not do anything. Eventually I just had to do a system restore.

I then found this thread, disabled XUL runner in firefox, and all of my google issues were instantly fixed - redirects and image search issues. I found XUL runners key, but I cannot find anything related to the key on my system.. but everything is fixed so I am happy.

So this XUL runner is potentially very dangerous if you happen to be redirected to a bad link. I even had MSE running, it did nothing to help.

Thanks to you guys for the solution.

I had this problem too - all of my searches from google.com were being re-directed to spam sites. There were two other symptoms though: 1) google image search would ''never'' display images past page 2 - just blank thumbnails. 2) google image search preview (mouseover) would not work. I put up with it for a while, until yesterday. This is the reason I am posting here. One of the links I was re-directed to crashed firefox, and all of a sudden I was staring at 'malware protector' scanning my system - it had even created a shortcut on my desktop. Every time I booted up this program ran and I could not do anything. Eventually I just had to do a system restore. I then found this thread, disabled XUL runner in firefox, and all of my google issues were instantly fixed - redirects ''and'' image search issues. I found XUL runners key, but I cannot find anything related to the key on my system.. but everything is fixed so I am happy. So this XUL runner is potentially very dangerous if you happen to be redirected to a bad link. I even had MSE running, it did nothing to help. Thanks to you guys for the solution.
Xircal 334 solutions 3835 answers

I'm afraid I have to pour cold water on the hotbed of hysteria surrounding XUL Runner. If you read the background info @ https://developer.mozilla.org/en/XULRunner_1.9.1_Release_Notes you'll see that it merely provides the Framework necessary to run other apps.

If you don't want it, then run the uninstaller: https://developer.mozilla.org/en/XULRunner_1.9.1_Release_Notes#Uninstalling_XULRunner but don't label it as some mysterious virus because that's not what its all about.

I'm afraid I have to pour cold water on the hotbed of hysteria surrounding XUL Runner. If you read the background info @ https://developer.mozilla.org/en/XULRunner_1.9.1_Release_Notes you'll see that it merely provides the ''Framework ''necessary to run other apps. If you don't want it, then run the uninstaller: https://developer.mozilla.org/en/XULRunner_1.9.1_Release_Notes#Uninstalling_XULRunner but don't label it as some mysterious '''virus''' because that's not what its all about.
cor-el
  • Top 10 Contributor
  • Moderator
17540 solutions 158604 answers

Helpful Reply

The XULRunner extension that you can see in Tools > Add-ons > Extensions has nothing to do with the Firefox XULRunner back end that is used to run the Firefox program. Firefox can't run without the XULRunner, so do not uninstall the Mozilla XULRunner, but find the offending extension and remove that extension.

That XULRunner 1.9.1 extension is only using that name to make it appear that is a legit program instead of some malware. A lot of malware uses that method. That 1.9.1 name is currently outdated anyway as Mozilla has progressed to Gecko 1.9.2 (Firefox 3.6.x) and Gecko 2.0 (Firefox 4.)

See also:

The XULRunner extension that you can see in Tools > Add-ons > Extensions has nothing to do with the Firefox XULRunner back end that is used to run the Firefox program. Firefox can't run without the XULRunner, so do not uninstall the Mozilla XULRunner, but find the offending extension and remove that extension. That XULRunner 1.9.1 extension is only using that name to make it appear that is a legit program instead of some malware. A lot of malware uses that method. That 1.9.1 name is currently outdated anyway as Mozilla has progressed to Gecko 1.9.2 (Firefox 3.6.x) and Gecko 2.0 (Firefox 4.)<br /> See also: *[/questions/743526]
eadthem 0 solutions 2 answers

I believe the XULrunner virus is related to mebroot/sinowal witch i found i was infected with. but i believe xul runner was the start and one of the pages I was redirected to installed mebroot.

I strongly recommend anyone having xulrunner Google redirects seek help from "bleeping computer" or other help sites.

I believe the XULrunner virus is related to mebroot/sinowal witch i found i was infected with. but i believe xul runner was the start and one of the pages I was redirected to installed mebroot. I strongly recommend anyone having xulrunner Google redirects seek help from "bleeping computer" or other help sites.
horseshwish 0 solutions 1 answers

OK. I had the exact same problem. It was driving me crazy for months.

I even stopped using Firefox altogether and switched to Opera.

Then, I installed Firefox 4.0 in Feb 2011, and the problem disappeared.

I am convinced that it was an infected Firefox add-on, which was causing the problem. Obviously the new version of the Browser is not subject to that pernicious malware.

OK. I had the exact same problem. It was driving me crazy for months. I even stopped using Firefox altogether and switched to Opera. Then, I installed Firefox 4.0 in Feb 2011, and the problem disappeared. I am convinced that it was an infected Firefox add-on, which was causing the problem. Obviously the new version of the Browser is not subject to that pernicious malware.
mezman 0 solutions 1 answers

I had this happen as well, being redirected and also not being able to load images after the second. At first I thought I had been infected with a redirect virus. But it started happening after Firefox crashed, and when I restarted the addon window opened and indicated I had installed an addon. Since the redirect only affected Firefox, I disabled the XULrunner addon, and the problem disappeared.

I had this happen as well, being redirected and also not being able to load images after the second. At first I thought I had been infected with a redirect virus. But it started happening after Firefox crashed, and when I restarted the addon window opened and indicated I had installed an addon. Since the redirect only affected Firefox, I disabled the XULrunner addon, and the problem disappeared.