85 replies to this topic

[coastalbuck]

I found this.

<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/19...rdf-syntax-ns#"
xmlns:em="http://www.mozilla.o.../2004/em-rdf#">
<Description about="urn:mozilla:install-manifest">
<em:name>XUL Cache</em:name>
<em:id>{998650b0-ec08-4197-bbf6-6011d7d8edbc}</em:id>
<em:version>1.0</em:version>
<em:creator>Canonical Ltd.</em:creator>
<em:description>XUL cache support for firefox extensions/plugins.</em:description>
<em:type>2</em:type>
<em:hidden>true</em:hidden>
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
<em:minVersion>1.5</em:minVersion>
<em:maxVersion>4.*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
</RDF>

The folder was named 998650b0-ec08-4197-bbf6-7011d7d8ebdc,

Hope that's what your looking for.

[Noviciate]

That's grand. As long as the redirects have stopped, i'd say that all was well. I don't know enough about FF and it's add-ons to try and root out the remnants of this, but if it's not messing i'd go with it for now. If you are bothered, you can back up FF without the extensions and then just reinstall the browser and the legit extensions - assuming you can still get hold of them. I've got half an idea for something to help detect this in future, so i'd be grateful if you could keep an eye on this thread for a couple of days while I try something on my system. I'd also like you to keep your existing setup for a bit as uninstalling will get rid of it and then I won't have anything to play with. Obviously this is up to you as this is the first one i've come across and you may just have picked up a stray that won't appear again and so it's hardly the end of the world if you just want shut of it.

[coastalbuck]

Hey the least I can do is help out. In fact I'm glad to do it. I'll keep it like it is and play around with searches and stuff. I'll let you know if anything strange happens. Let me know what you find out. I'd like to get as clean and efficient as possible, and if I can help out others, so much the better...

[Noviciate]

I'd like you to download the attachment in this post, unzip it and double click the .vbs file it contains and post the results. In theory you should get a text file called Test.txt dropped alongside the vbscript file a second or two after the pop-up telling you the script has completed - that's the plan anyway! It takes a matter of seconds to run and the script does nothing more than check through some Firefox folders and list some details about the contents. It neither deletes nor creates anything, other than the single text file mentioned, assuming that it doesn't crash, which it doesn't on my system but you never can tell. Thanks.

Attached Files

•  Test3.zip   1.11KB   391 downloads

[coastalbuck]

Here you go. C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\firefox@tvunetworks.com Size: 5090907 bytes Date Created: 11/22/2009 6:50:25 PM Date Last Accessed: 12/2/2009 1:34:14 PM Date Last Modified: 11/22/2009 6:50:25 PM Folders: META-INF plugins Files: chrome.manifest install.rdf C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\firefox@tvunetworks.com\install.rdf Size: 777 bytes Date Created: 11/22/2009 6:50:25 PM Date Last Accessed: 11/22/2009 6:50:25 PM Date Last Modified: 10/16/2009 3:50:38 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\osutheme@coachtressel.com Size: 3245066 bytes Date Created: 11/22/2009 6:50:29 PM Date Last Accessed: 12/2/2009 1:34:14 PM Date Last Modified: 11/22/2009 6:50:40 PM Folders: chrome Files: chrome.manifest icon.png install.rdf preview.png C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\osutheme@coachtressel.com\install.rdf Size: 1059 bytes Date Created: 11/22/2009 6:50:40 PM Date Last Accessed: 11/22/2009 6:50:40 PM Date Last Modified: 10/9/2008 6:06:20 AM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\personas@christopher.beard Size: 366987 bytes Date Created: 11/22/2009 6:50:42 PM Date Last Accessed: 12/2/2009 1:34:14 PM Date Last Modified: 11/22/2009 6:50:42 PM Folders: defaults modules Files: chrome.jar chrome.manifest install.rdf C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\personas@christopher.beard\install.rdf Size: 3447 bytes Date Created: 11/22/2009 6:50:42 PM Date Last Accessed: 11/29/2009 6:53:56 AM Date Last Modified: 11/13/2009 12:34:54 AM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b} Size: 31094 bytes Date Created: 11/22/2009 11:21:26 AM Date Last Accessed: 12/2/2009 1:34:14 PM Date Last Modified: 11/22/2009 6:50:43 PM Folders: chrome defaults Files: chrome.manifest install.rdf C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}\install.rdf Size: 1271 bytes Date Created: 11/22/2009 11:21:27 AM Date Last Accessed: 11/29/2009 6:49:57 AM Date Last Modified: 3/18/2009 1:40:40 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{2458abc0-f443-11dd-87af-0800200c9a66} Size: 836709 bytes Date Created: 11/22/2009 6:50:43 PM Date Last Accessed: 12/2/2009 1:34:14 PM Date Last Modified: 11/29/2009 6:51:51 AM Folders: chrome Files: chrome.manifest icon.png install.rdf preview.png Thumbs.db C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{2458abc0-f443-11dd-87af-0800200c9a66}\install.rdf Size: 1101 bytes Date Created: 11/22/2009 6:50:44 PM Date Last Accessed: 11/30/2009 11:00:49 AM Date Last Modified: 7/2/2009 1:43:30 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{40397044-467d-11dc-8314-0800200c9a66} Size: 822639 bytes Date Created: 11/22/2009 6:50:46 PM Date Last Accessed: 12/2/2009 1:34:15 PM Date Last Modified: 11/29/2009 6:53:28 AM Folders: chrome Files: chrome.manifest icon.png install.rdf preview.png Thumbs.db C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{40397044-467d-11dc-8314-0800200c9a66}\install.rdf Size: 1924 bytes Date Created: 11/22/2009 6:50:51 PM Date Last Accessed: 11/30/2009 11:00:49 AM Date Last Modified: 8/11/2007 10:54:00 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{998650b0-ec08-4197-bbf6-6011d7d8edbc} Size: 4526 bytes Date Created: 11/22/2009 6:50:51 PM Date Last Accessed: 12/2/2009 1:34:15 PM Date Last Modified: 11/22/2009 6:50:51 PM Folders: chrome defaults Files: chrome.manifest install.rdf C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{998650b0-ec08-4197-bbf6-6011d7d8edbc}\install.rdf Size: 771 bytes Date Created: 11/22/2009 6:50:51 PM Date Last Accessed: 11/29/2009 6:55:19 AM Date Last Modified: 10/14/2009 11:22:24 AM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696} Size: 352147 bytes Date Created: 11/22/2009 6:50:51 PM Date Last Accessed: 12/2/2009 1:34:15 PM Date Last Modified: 11/22/2009 6:50:52 PM Folders: chrome components Files: chrome.manifest install.js install.rdf C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{AE93811A-5C9A-4d34-8462-F7B864FC4696}\install.rdf Size: 2468 bytes Date Created: 11/22/2009 6:50:52 PM Date Last Accessed: 11/22/2009 6:50:52 PM Date Last Modified: 10/30/2009 2:37:52 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{d122ad80-ff45-11dd-87af-0800200c9a66} Size: 850478 bytes Date Created: 11/22/2009 6:50:52 PM Date Last Accessed: 12/2/2009 1:34:15 PM Date Last Modified: 11/29/2009 6:53:43 AM Folders: chrome Files: chrome.manifest icon.png install.rdf preview.png Thumbs.db C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{d122ad80-ff45-11dd-87af-0800200c9a66}\install.rdf Size: 1107 bytes Date Created: 11/22/2009 6:50:52 PM Date Last Accessed: 11/30/2009 11:00:49 AM Date Last Modified: 8/11/2009 3:35:30 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3} Size: 136990 bytes Date Created: 11/22/2009 6:50:52 PM Date Last Accessed: 12/2/2009 1:34:15 PM Date Last Modified: 11/22/2009 6:50:53 PM Folders: content defaults locale skin Files: chrome.manifest install.rdf C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}\install.rdf Size: 1973 bytes Date Created: 11/22/2009 6:50:53 PM Date Last Accessed: 11/22/2009 6:50:53 PM Date Last Modified: 11/6/2009 7:52:16 PM File Attributes: Archive, File Type: RDF File ~~~~~~~~~~~~~~~~~~~~~~~~ Did it work correctly???

[Noviciate]

Yup, ta. I'd like you to run the following and see if this picks up the crud:

Download GooredFix by jpshortstuff from one of the links below and save it to your Desktop:

• Download Mirror #1
• Download Mirror #2
  
• Ensure all Firefox windows are closed.
• To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
• When prompted to run the scan, click Yes.
• GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).

[coastalbuck]

This the right file? GooredFix by jpshortstuff (27.11.09.1) Log created at 19:41 on 02/12/2009 (Owner) Firefox version 3.5.5 (en-US) ========== GooredScan ========== ========== GooredLog ========== C:\Program Files\Mozilla Firefox\extensions\ {972ce4c6-7e08-4474-a285-3208198ce6fd} [13:44 22/11/2009] {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} [23:51 22/11/2009] {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [23:51 22/11/2009] {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [23:51 22/11/2009] {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [23:51 22/11/2009] {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [23:51 22/11/2009] {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [23:51 22/11/2009] {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [18:37 02/12/2009] [HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions] "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox" [11:16 18/04/2009] "avg@igeared"="C:\Program Files\AVG\AVG8\Toolbar\Firefox\avg@igeared" [20:29 05/10/2009] "{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [00:36 22/08/2009] "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:32 22/02/2009] -=E.O.F=- I can't tell what it did?????

[Noviciate]

It checks for and automatically removes a type of FireFox hijacker. I was wondering if it would also spot the slime you had, but it obviously didn't. If you can find an Uninstall button in the same place that you Disabled it, see if that removes it from your system.
The folder that the crud appears to reside in is C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\pqa89jlj.default\extensions\{998650b0-ec08-4197-bbf6-6011d7d8edbc}, so once you've uninstalled it and rebooted, see if the folder still exists and let me know how you get on.

[coastalbuck]

It did have an uninstall button. I found it in the tools, add-ons tab in firefox. I uninstalled, and rebooted. Worked fine and the folder is nowhere to be found in windows explorer.

[Noviciate]

I thought that I had replied to this one, but it seems that it never made it for some reason - my bad! I think that you'll not be troubled by this again, so you're about done. You get the generic "All clear" speech:

I want you to run your PC as normal for a few days and when you are happy that everything is fine, do the following:

Disable System Restore,
Reboot your PC,
Re-enable System Restore,
Create a Restore Point - this will give a clean one should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I appreciate the fact that you held onto the slime for a little while longer than necessary as I have a little script that should help to identify this crud more easily in future, given a little more tweaking when I get the time. Thanks again.

[Noviciate]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.