Several of my clients have reported this trojan since Jan. 14th. Seems to be a variant of the Cool Web Search trojan, adapted for Firefox. Has anyone encountered this and have advice for removal?

Point of entry: User receives an email with a "Reply-to" field entry of a known acquaintance, recommending a Firefox extension. User adds the extension to Firefox, usually some kind of search bar or weather service.

Behavior: Extension works, but one to several minutes after opening, three separate Firefox windows open and then each begins to spawn tabs. Several of the tabs contain what appears to be Google search results for various porn sites with addresses URL encoded, others contain series of links to porn and offshore gambling sites. Subsequent tabs appear to be the pages linked to by the first tabs. When user closes tabs, new ones are spawned making closure extremely difficult. Many tabs contained direct links to media such as WMVs and pictures.

The extension also appears to monitor whether the user visits common mail servers like Yahoo and Gmail, and attempts to load email addresses out of the pages viewed. Does not appear to have a key listener component or a local directory search.

Likely intent: We guess that it is attempting to simulate clickthrus from different users, to augment Google search placement and to generate revenue directly from sites paying per click for advertising.

Countermeasures: Removed Firefox completely from system using Erase Beyond Recovery mode, and all temporary file areas. Note - did not appear in HiJack this.

This has been circulating around the web pretty quickly the last few weeks. It seems it is a straight-up extension, which takes over Firefox without any virus or worm coding or DLLs like Cool Web Search. Thus, while it simulates CWS in behavior, it does not in coding.

Simply deleting the extension and reinstalling Firefox appears to work. The extension may have connected back to the spawning server to communicate email addresses of trusted acquaintances, but no residual server code has been found.

As part of Firefox, it would not show up in HiJack this or CWS Shredder.


Thank you so much for posting this. I was going berserk. We didn't get it from the email though, we downloaded an extension (can't remember the site, sorry, but it was obviously not the official mozilla.org one -- I know, "stupid").

I removed Firefox and all the directories associated with it; upon reinstall, it seems back to normal.

The "close other tabs" works to close all but one and doesn't spawn children. But the best thing would be not to download extensions from untrustworthy sites :)

