
Support Forum

I have a 'System Update Required' message. I don't trust it, anybody know what it is? Here's the link: https://d3lvr7yuk4uaui.cloudfront.net/inst/FirefoxUpgrade.xpi

Posted

At the top of the browser window it reads "Firefox prevented this site (whatever site I'm on, ie: support.mozilla.com) from asking you to install software on your computer." Right below that is this message "SYSTEM UPDATE REQUIRED - A critical software update is needed for your browser. Click 'Allow' to update now." The URL for the update download is in my original question. Sounds like a scam to me.


Additional System Details

This happened

Every time Firefox opened

This started when...

Just this morning, and it repeats every time I browse to a new site.

Installed Plug-ins

  • Runs 3-D games and interactive applets
  • npmnqmp 989898989877
  • Mozilla ActiveX control and plugin module
  • Adobe Acrobat Plug-In Version 7.00 for Netscape
  • NapsterLink
  • My Web Search Plugin Stub for 32-bit Windows
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • Default Plug-in
  • Shockwave Flash 10.2 r152
  • Adobe Shockwave for Director Netscape plug-in, version 11.5
  • Garmin Communicator Plug-In 2.6.4.0
  • 4.0.60129.0
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers
  • Rhapsody Player Engine Plugin
  • Free Realms Installer
  • Google Update
  • Yahoo! activeX Plug-in Bridge
  • Java(TM) Platform SE binary
  • Next Generation Java Plug-in 1.6.0_17 for Mozilla browsers
  • Npdsplay dll
  • DRM Store Netscape Plugin
  • DRM Netscape Network Object

Application

  • User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15 GTB7.1 ( .NET CLR 3.5.30729) SearchToolbar/1.2 Creative ZENcast v2.00.13


TonyE
  • Moderator
1034 solutions 8840 answers

Helpful Reply

I would not trust that either, it is not from Mozilla and Firefox does not update using a .xpi file. There have previously been attempts to get people to install malware using this approach.
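One way to check an add-on offered as a "browser update" without installing it, as an added example that is not part of the original thread or Mozilla's code: it tests whether the download host belongs to Mozilla and reads the `install.rdf` manifest that XPI packages of this Firefox generation carry. The `TRUSTED` allowlist, the function names and the in-memory sample XPI are assumptions constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

EM = "{http://www.mozilla.org/2004/em-rdf#}"
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
KEYS = ("id", "name", "version", "updateURL")
TRUSTED = ("mozilla.org", "mozilla.com", "mozilla.net")  # assumption: local allowlist
MAX_MANIFEST = 1 << 20  # refuse an oversized install.rdf (zip-bomb guard)

def host_is_trusted(url):
    """HTTPS only, and the host must be an allowlisted domain or a subdomain of one."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    return u.scheme == "https" and any(host == d or host.endswith("." + d) for d in TRUSTED)

def read_manifest(xpi_bytes):
    """Return id/name/version/updateURL from install.rdf; nothing is installed or run."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        if z.getinfo("install.rdf").file_size > MAX_MANIFEST:
            raise ValueError("install.rdf too large")
        root = ET.fromstring(z.read("install.rdf"))
    for d in root.iter(RDF + "Description"):
        # Only the manifest node counts; targetApplication nodes carry their own em:id.
        if "urn:mozilla:install-manifest" in (d.get("about"), d.get(RDF + "about")):
            found = {k: d.get(EM + k) or d.findtext(EM + k) for k in KEYS}
            return {k: v.strip() for k, v in found.items() if v}
    return {}

def triage(url, xpi_bytes):
    """Return (manifest, reasons to distrust an add-on offered as a browser update)."""
    manifest, reasons = read_manifest(xpi_bytes), []
    if not host_is_trusted(url):
        reasons.append("download host is not on the Mozilla allowlist")
    if manifest.get("updateURL") and not host_is_trusted(manifest["updateURL"]):
        reasons.append("self-update URL is outside the allowlist or not HTTPS")
    return manifest, reasons

def constructed_sample():  # constructed XPI built in memory, not the file from the thread
    rdf = ('<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"'
           ' xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description about="urn:mozilla:install-manifest">'
           '<em:id>fake-update@example.invalid</em:id><em:name>Browser Upgrade</em:name>'
           '<em:updateURL>http://example.invalid/u.rdf</em:updateURL><em:targetApplication><Description>'
           '<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id></Description></em:targetApplication></Description></RDF>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
    return buf.getvalue()
```

Run `triage()` on a copy of the file inside an analysis machine, not in the browser profile that showed the prompt.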

Question owner

Thanks for the confirmation TonyE. Anybody know how to make it go away?

Ryoki 0 solutions 1 answers

Helpful Reply

I have a solution to your issue. The file via HTTP is malware, as well as the Cloudfront "d3lvr7yuk4uaui" distribution. According to a scan of the MD5 file, Virus Total MD5 AV Vendor coverage (http://www.virustotal.com/file-scan/report.html?id=be16327683e7b99fd9e94cf296f34104e6942fd5767f6b321f49d7acd992e99d-1308068681), which is an MD5 of the normalized URL, the virus/adware variant is currently detected by 3/42 (7.1%) major anti-virus vendors: Avast5 as Win32:GamePlayLabs, DrWeb as Adware.GamePlayLabs.2 and NOD32 as Win32/Adware.GamePlayLabs. Funnily enough, Microsoft has published a "How to clean Adware Win32bit" page (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Adware%3AWin32%2FGamePlayLabs), but their AV product does not detect or clean the issue.

The main thing is, if you are running Windows, you must shut off your system restore before you start cleaning. If you don't, Windows sets a restore point automatically which contains a piece of the malicious code, so you can't ever clean the infection.

The infection takes advantage of a browser vulnerability, so keep in mind what your current version of Firefox is in comparison to what is available. Also, if you have used the password manager to store any passwords, be aware they might have been compromised by this malware. These pieces of malware can also be written to hide from your anti-virus. Check which anti-virus you have installed and when it was last updated.

1. Turn off your automatic system restore if enabled. How to check system restore (http://support.microsoft.com/kb/310405)
2. Update your anti-virus.
3. Update your Firefox browser; to check when it was last officially updated, go to Tools, Options, Advanced, Update, Show Update History button.
4. In Firefox, under Tools, Options, Privacy, flush all cookies and all saved data. Be sure to copy any data you might lose; however, be aware that the infection might involve poisoned cookies or other malicious code, so treat any electronic data from the browser as suspect.
5. Update your browser.
6. Run your anti-virus, full scan.
7. If your anti-virus does not find anything the matter, check out Trend Micro's HijackThis (http://free.antivirus.com/hijackthis/#faq1). HijackThis inspects your computer’s browser and operating system settings to generate a log file of the current state of your computer. Using HijackThis you can selectively remove unwanted settings and files from your computer. Remove any remaining settings and restart your computer.

Repeat steps until all infection behavior ceases or you trust the integrity of the computer.

8. Check out using a password application instead of your browser. I use the KeePass password application (http://keepass.info/); there are others. Be aware some are Trojans posing as legitimate password applications that instead store your passwords and then steal them.
9. Use NoScript when using Firefox and don't let untrusted JavaScript run in your browser.
