Closed
Bug 277368
Opened 20 years ago
Closed 20 years ago
FindWhatEverNow hijacked Firefox? (spyware)
Categories
(Firefox :: General, defect)
RESOLVED
INVALID
People
(Reporter: gabrielpalomares, Assigned: bugzilla)
Attachments
(3 files)
I've been hijacked. Today I was looking at a search site & my PC did unnecessary installation. 2 minutes later, I typed an incorrect website name, but instead of seeing a message box it looked like an IE MSN cannot-be-found search page. It looked suspicious, and had no graphics like the original IE MSN-cannot-be-found search page. I searched my website in the search box, clicked Search and it took me into an adult site. I have used spy, ad & hijacking removal software, but it still doesn't remove it. I thought Firefox has the ability to remove this kind of stuff. Can you remove it, so the message box only appears?
Comment 1•20 years ago
Did you install extensions (the dialog with bold "Don't install software from sites you don't trust" text and an Install Now button), which ones?
Comment 2•20 years ago (Reporter)
(In reply to comment #1)
> Did you install extensions (the dialog with bold "Don't install software from
> sites you don't trust" text and an Install Now button), which ones?
nothing happened like that. i was just browsing... i think it's spyware installing. it must be.
Comment 3•20 years ago
Can you please tell us what is your version string in Help -> About dialog? It should look like Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0, it's at the bottom of the dialog, selectable.
Comment 4•20 years ago (Reporter)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0
Comment 5•20 years ago
Is your problem similar to Bug 231720 'Malformed URL with extra http, semi-colon, causes redirect to http://www.microsoft.com/ ("http://http://", "http:://", "http;//") because of Google "I'm feeling lucky"'? Could you have installed something outside your web browser that has changed your network settings and caused you to use a proxy? Malware hijacking Firefox sounds like a very rare occurrence and I am sure that someone would like to know how to reproduce it.
Comment 6•20 years ago (Reporter)
no proxy has been changed, checked. this problem is not related to double http://s as it doesn't redirect me, and still has the URL in place. i've confirmed this on 5 incorrect urls. someone does know how to hijack firefox and installs it via hidden malware. it must be possible. we just don't know who it is.
Comment 7•20 years ago (Reporter)
update: i have uninstalled every unnecessary program there is on my computer. it has gone except for the google keyword search. i have screenshots of this.
Comment 8•20 years ago (Reporter)
Comment 9•20 years ago (Reporter)
Comment 10•20 years ago (Reporter)
Comment 11•20 years ago (Reporter)
additional information: when i type www.google.com it also displays the page.
Comment 12•20 years ago
could you rename (not delete) the firefox application directory and its profiles folder (%APPDATA%\Mozilla\Firefox\Profiles) to see if the problem persists after reinstalling?
Comment 13•20 years ago (Reporter)
problem persists
Comment 14•20 years ago
This sounds like something more along the lines of DNS or HOSTS file redirection, which is outside of the browser and really beyond our control. If google.com gets resolved by Windows as 222.222.222.222 or whatnot, then we connect to 222.222.222.222 expecting that it's Windows. We don't remove/kill spyware, we just have a security model that prevents bits like this from happening in most cases. However, if the OS is compromised, we can't really tell that site X's IP address is being replaced maliciously.
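
Added example, not part of the original bug thread or of Mozilla's code: a Python check for the hosts-file redirection that comment 14 describes. The sample file contents, the function names `audit_hosts` and `redirected_names`, and the verdict labels are constructed for illustration; it inspects only the hosts file, not changed DNS server settings.

```python
import ipaddress

# Constructed sample of a tampered hosts file (not taken from the bug report).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
222.222.222.222 google.com www.google.com   # redirect of the kind comment 14 describes
0.0.0.0         ads.example.net
10.0.0.5        fileserver.corp.example
not-an-ip       broken.example
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def audit_hosts(text):
    """Return (lineno, address, hostname, verdict) for each non-default mapping."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((lineno, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for name in fields[1:]:               # one line may map several names
            name = name.lower()
            if name in LOCAL_NAMES and addr.is_loopback:
                continue                      # stock localhost entry
            if addr.is_loopback or addr.is_unspecified:
                verdict = "blocked"           # name is sinkholed, not redirected
            elif addr.is_private:
                verdict = "internal-override" # may be legitimate on a LAN; verify
            else:
                verdict = "public-redirect"   # name pinned to an Internet host
            findings.append((lineno, str(addr), name, verdict))
    return findings


def redirected_names(text):
    """Hostnames that the hosts file pins to a public address."""
    return sorted(n for _, _, n, v in audit_hosts(text) if v == "public-redirect")
```

On Windows the file to pass in is `%SystemRoot%\System32\drivers\etc\hosts`; every browser on the machine sees the same overrides.
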
Comment 15•20 years ago
It looks like you've got FindWhatEverNow, see http://www.scanspyware.net/info/FindWhateverNow.htm for removal tips. Try Ad-Aware Personal SE (it is free) to remove it, see http://www.lavasoft.de/support/download/.
Summary: Unknown program hijacked Firefox → FindWhatEverNow hijacked Firefox? (spyware)
Comment 16•20 years ago
(In reply to comment #15)
> It looks like you've got FindWhatEverNow, see
> http://www.scanspyware.net/info/FindWhateverNow.htm for removal tips.
I may be (just) out of my depth here, but the page above refers to FindWhateverNow as being an Internet Explorer toolbar. If FindWhateverNow is capable of subverting Firefox by poisoning services on which networking depends then we ought to have a page describing the problem from that point of view. It may be desirable to avoid stating/alleging that Internet Explorer toolbars are functional in Firefox (if they are not) and perhaps more importantly that Firefox is vulnerable to malware masquerading as Internet Explorer toolbars (if it is not). The page does indeed give removal tips which is all the poster claimed. See http://www.dark-e.com/forums/lofiversion/index.php/t1959.html (about half way down there is an account of the DNS settings found when FindWhateverNow is installed).
Comment 17•20 years ago (Reporter)
Problem Resolved when following Additional Comment #15
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 18•20 years ago
Reporter, you cannot have fixed what was not broken. Firefox was not broken. You and no one else applied a patch to this bug to fix it. -> reopen
Status: RESOLVED → UNCONFIRMED
Resolution: FIXED → ---
Comment 19•20 years ago
This is, simply put, invalid. Third-party software for IE hijacking the OS networking stack is not a bug or an issue specific to Firefox. Really, any browser installed on the system will be affected by the same issues. (Since they're controlling DNS requests, any browser request goes through them, from any browser.)
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → INVALID
Comment 20•20 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8a6) Gecko/20050108 Firefox/1.0+ (Asbestos Suit)
The reporter should be thanked for responding quickly and generously to various questions posed and suggestions made. I agree that whenever fourth party add-ins for a third party browser cause problems for a second party OS, it is not going to help resolution of the problem (if any) by trying to attribute this to a defect in Firefox that requires attention. IMHO there remains the question of how software so far down the food chain got root privileges in order to poison the hosts file/DNS settings. Was Firefox involved in downloading it? Installing it? Providing authorising or authentication pathways? Unless I am mistaken, Mozilla's installers by design can modify any file on the system, and there should be a set of HCI provisions to make it hard for unnecessary installation, incorrect websites, phishing et cetera to happen under the nose of even the most dilatory user. In short, security is a process ... Was there really no way that this could have been prevented?
Comment 21•20 years ago
From the original description ("& my PC did unnecessary installation.") it's
hard to tell whether it is a serious bug in Firefox or the reporter used other
vulnerable software which installed FindWhatEverNow. In the second case the bug is
indeed invalid.
Gabriel, are you sure that Firefox installed the spyware? It is supposed to ask
the user before installing anything; if it doesn't, that's a bug. If you think it's
really a bug in Firefox, we need more information: what is the page that causes
the automatic install?