Поиск в Поддержке

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

New add-on appeared after cleaning malware infection - is it legitimate?

  • 12 ответов
  • 52 имеют эту проблему
  • 294 просмотра
  • Последний ответ от Scott Wilson

more options

I cleaned up a malware infection and, upon opening Firefox, I got a notice that a new add-on had been installed. It is called XULRunner 1.9.1 and appears to be from Mozilla. Given that I'd just had the malware infection, though, I'm suspicious of anything new adding itself.

Could anyone tell me if this is a legitimate add-on and what exactly it's for/does? Thank you very much!

Все ответы (12)

more options

Just to add, I think there may be some remnant of the malware and am going to re-run all my AV and malware programs.

When I reopened Firefox, after a couple mins, a search results window appeared in an already-opened tab. It was from abhn.com and listed in its search box the exact text I'd searched on Google prior to closing it ("Firefox New Add-On XULRunner").

Something is obviously still wrong. I wonder if this XULRunner has anything to do with the problem. I'll try again to be sure my system is clean while I await an answer about this add-on. I would greatly appreciate any info anyone may have about the XULRunner add-on -- I'm worried it's not legitimate (or not a legitimate instance of it, at least). Thank you!

more options

http://en.wikipedia.org/wiki/XULRunner XULRunner is from Mozilla - a "back-end" for XUL applications.

See Cor-el's posting further down the page.

Изменено the-edmeister

more options

I have the same problem on two of my machines, both running Windows XP Professional with SP3. One machine has McAfee internet security and the other has McAfee Virus scan Enterprise.

On start-up the AV software detects and removes Trojan JS/Redirector.ab. The files are located in folder with.

C:\Documents and Settings\myname\Local Settings\Application Data\{BA82CD75-8E23-4B17-86CA-AF21BB71D52E}*

  • The the hex filename seems to be randomly generated on each restart. These folders can be deleted, but a new one respawns on every restart.

Here's a printfolder report:-

Volume in drive C:\ is WindowsXP

Directory of C:\Documents and Settings\myname\Local Settings\Application Data\{BA82CD75-8E23-4B17-86CA-AF21BB71D52E}\

. <DIR> .. <DIR> chrome <DIR>

chrome.manifest 1 KB 19/08/2010 install.rdf 1 KB 19/08/2010

Volume in drive C:\ is WindowsXP

Directory of C:\Documents and Settings\myname\Local Settings\Application Data\{BA82CD75-8E23-4B17-86CA-AF21BB71D52E}\chrome\content\

_cfg.js 3 KB 19/08/2010 overlay.xul 7 KB 19/08/2010

McAfee Enterprise reports both of the files (_cfg.js and overlay.xul) in the \chrome\content\ folder as infected with JS/Redirector.ab

Although these files get cleaned by the AV; a new instance of XULRunner 1.9.1 Add-on is installed in Firefox (V3.6.4 and 3.6.8). Each instance can be disabled but not uninstalled.

On our home PC we had 31 instances on my wife's user profile and 18 on mine. There are 3 instances on the laptop.

I've followed all recommendations regarding the registry cleanup with XULRunner, but the problems still exist.

I regularly scan all my machines with Malwarebytes and nothing is detected after the AV programmes have cleaned up.

I removed one program (Tomtom Home PC software) that appeared to be associated XULRunner that was installed on the PC only. There is nothing as far as I know on the laptop.

I've searched many forums for a solution and have drawn a blank.

Regrettably I've had to uninstall Firefox from both machines, but I still get the AV warning and new folder created. I hope this is temporary, but until I can restart without seeing the Trojan warning, I'm having to use IE8 which is so slow!

Any help or ideas would be appreciated.

Изменено Steve_d_5

more options

To solve this issue Downlaod MalwareBytes and scan adn remove all threats for free this will resolve your issues.

more options

According to the-edmeister, it is not malicious software.

But if you really want to remove it, try the step from wjack2010. If MalwareBytes could not detect it, try to run it again in Windows Safe Mode to see if it can detect it. There are times that MalwareBytes cannot detect a virus in Windows Normal Mode but could in Safe Mode.

more options

It is malicious software that is masquerading itself as a Firefox extension with a trusted name and you should remove it.

It has been mentioned before on this forum.

more options

This is not a folder where extensions get installed. C:\Documents and Settings\myname\Local Settings\Application Data\

I would suspect Malware, as cor-el mentioned.

more options

In frustrationi I decided to close all of my Firefox add-ons. When i did this, the Google re-directs went away. I enabled my add-ons one at a time and after I enabled XULRunner 1.9.1 the re-directs started again. Thats proof enough for me. I would like to remove the application from my computer if anyone can help me locate it, I'd appreciate that.

more options

Did you delete or rename the folder that you mentioned above ?

If you can't do it in normal mode then try to boot Windows in Safe mode (F8 at boot screen).

You can also check the registry:


See https://developer.mozilla.org/en/Adding_Extensions_using_the_Windows_Registry

more options

In my case, the key to eliminating the XUL Runner 1.9.1 was in finding the registry entry:

HKEY_USERS\S-1-5-21-4084633196-3991238857-972333920-1000/software/mozilla/firefox/chrome. The “chrome” folder contained two files and a sub-folder named “content”. The Chrome folder contained the files “chrome manifest” and “install.rdf”. The content sub-folder contained the files “cfg.js” and “overlay.rdf”.

I found this path thanks to another poster here who tipped me off to the fact that the problem might be being caused by a Firefox extension. Then I was able to stop the problem by selectively disabling my extensions one by one till I found the one causing the redirections. I still wanted to uninstall the extension.

Finding the registry path was strictly hit-or-miss because I didn’t know the name of the files I was looking for. If someone else comes up with this problem, I’d suggest searching the registry for “cfg.js” and/or “overlay.rdf”. This should reveal the registry entry and enable them to eliminate it. Before I deleted the registry key, I took the precaution of saving the files and registry entries in a newly created file in My Documents in case whoever wrote this crap found a way to disable my computer if they were missing from the location where he stuck them.

more options

Disable the addon. Run the Malwarebytes program too, in Quick Scan at least. Restart.

Start > Run > regedit > HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions - {EE65D1F4-246B-4494-9762-AF54854E258F}

It will point to "C:\Documents and Settings\USERNAME\Local Settings\Application Data\{EE65D1F4-246B-4494-9762-AF54854E258F}"

Delete the registry key, and the folder. It will be gone from your addons.

more options

I found with Malwarebytes:

Files Infected: C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully. C:\END (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Then removed "C:\Documents and Settings\USERNAME\Local Settings\Application Data\{079C582D-7CC4-42C6-967B-FE78077E1011}" and from registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions - {079C582D-7CC4-42C6-967B-FE78077E1011}

That removed XULRunner.

Thanks jimcou and st4rdog.