Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Learn More

"New" Firefox Search Result Hijacker

  • 25 ответов
  • 1 имеет эту проблему
  • 122 просмотра
  • Последний ответ от flau

more options

Hi,

I recently downloaded and installed some Android emulator named "Andy". Unfortunately, the .exe also installed all kinds of other Software on my Windows 7 system.

I removed most of the unwanted Software but one problem remained: A search result hijacker was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all.

I tracked the issue down to a addon in Firefox (see attached screenshot) that I cannot remove, no matter what I try.

What I tried to remove it: - I tried to remove the addon via about:config - I tried to run Firefox in safe mode and uninstall it - I tried to factory reset Firefox - I Installed Avira and made a system scan - I installed MalwareBytes and made a system scan - I check all the extension folders for addons that I do not know but can't find anything - I checked my whole system for any xpi-files but couldn't find any.

I am out of ideas. I can disable the addon but thats about it. After a while Firefox will shut itself down and the next time I start it, the addon is on again. When I resinstall FIrefox, the same thing happens. The addon is always back.

When I inspect the element it loads some invisible icon file that is supposedly located in "src="jar:file:///C:/Windows/Installer/%7BB28AF4A4-C997-4A5B-A111-FD1E65138A8D%7D/%7B02E337C0-4D70-452D-AA64-92D0A8C5D953%7D.xpi!/icon48.png"", if that helps. But the location doesn't exist on my system.

Can anyone here help me? I alread sent a problem report via the official tool.

Sincerely Florian

Hi, I recently downloaded and installed some Android emulator named "Andy". Unfortunately, the .exe also installed all kinds of other Software on my Windows 7 system. I removed most of the unwanted Software but one problem remained: A search result hijacker was part of the package. It replaces the top 4 results with some cryptic redirect links that are luckily displayed in a different font, otherwise I wouldn't have noticed at all. I tracked the issue down to a addon in Firefox (see attached screenshot) that I cannot remove, no matter what I try. What I tried to remove it: - I tried to remove the addon via about:config - I tried to run Firefox in safe mode and uninstall it - I tried to factory reset Firefox - I Installed Avira and made a system scan - I installed MalwareBytes and made a system scan - I check all the extension folders for addons that I do not know but can't find anything - I checked my whole system for any xpi-files but couldn't find any. I am out of ideas. I can disable the addon but thats about it. After a while Firefox will shut itself down and the next time I start it, the addon is on again. When I resinstall FIrefox, the same thing happens. The addon is always back. When I inspect the element it loads some invisible icon file that is supposedly located in "src="jar:file:///C:/Windows/Installer/%7BB28AF4A4-C997-4A5B-A111-FD1E65138A8D%7D/%7B02E337C0-4D70-452D-AA64-92D0A8C5D953%7D.xpi!/icon48.png"", if that helps. But the location doesn't exist on my system. Can anyone here help me? I alread sent a problem report via the official tool. Sincerely Florian
Приложенные скриншоты

Выбранное решение

Thus far it seems like reinstalling Node.js and npm solved the problem. At least I haven't had any unwanted attempts at accessing the de.nodejs.net website and no visible parts of the malware seems to be present on my system.

As a quick summary:

0. The Adware comes as a byproduct from software like Audacity or Andy and many others 1. The Malware is called "DownloadProtect" 2. It affects every Browser on the system & replaces search results to generate ad revenue 3. MalwareByte can detect and remove it, but it hides itself in typical applications like "Node.js", but that can differ. Make sure to leave on the trojan protect feature of MalwareBytes to see what Application tries to access the internet. 4. To solve the issue, run MalwareByte to remove all the parts and reinstall the affected Software in which the reinstall-trojan hides 5. EDIT (28.11.2020) The virus was also in the windows\Temp folder. Delete it too. MalwareBytes will block internet accesses from that folder.

That seems to finally have fixed it for me.

Thanks for all the input & kind regards Flau

Прочитайте этот ответ в контексте 👍 0

Все ответы (5)

more options

As last time, I was too fast with my judgement. The Adware is back the same way it has been back before. It seems to be very deeply igrained into my system. At this point I strongly consider a full system wipe...

Any other ideas?

Sincerely Flau

more options

I found some additional information on a German Tojan board: https://www.trojaner-board.de/200047-nodejs-malware-firehooker-downloadprotect-3.html

Apparently, the software comes shipped with a German version of audacite and not with the Android simulator. The software further uses a node.js script to reinstall itself after it has been deleted by the MalwareByte products. No virus scanner thus far detected the modifications to Node.js, but MalwareBytes protect blocks the access attempt.

The software that causes the trouble seems to be "DownloadProtect", an adware that just replaces search results to generate ad income.

I am not sure if uninstalling Node.js solves the problem, as I use Node a lot for my Angular projects.

Sincerely Flau

more options

Hi Flau, if you can't trust your Node installation, you probably should uninstall/reinstall it. However, I don't know how to avoid losing data in the process.

more options

Hello,

I am glad to hear that your problem has been resolved. If you haven't already, please select the answer that solves the problem. This will help other users with similar problems find the solution.

Thank you for contacting Mozilla Support.

more options

With pleasure! I just had to wait until an admin allowed my post top be read by others!

Sincerely Flau

  1. 1
  2. 2