While the "Fire Fox Alert. Visiting this site may pose a security threat to your System!" warning from Firefox may seem legitimate, it's part of a scam that is promoting a fake security client.
Fire Fox Alert. Visiting this site may pose a security threat to your System!
The above image shows just how real this warning looks, and users are tricked into thinking that Firefox is the one recommending the bogus security client.
Part of the scam is to block you from accessing websites, and the other part is to block most executables from being run on your computer. The goal of this malware maker is to back the PC user into a corner and force them into making a purchase of the false security client.
As always RemoveVirus.org has your back. Read on to learn how to fully remove this threat from your computer.
Automatically Remove Fire Fox Alert. Visiting this site may pose a security threat to your System!
Online Repair Service
Manual Removal of Fire Fox Alert. Visiting this site may pose a security threat to your System!
Step 1. Download Spyware Doctor with Antivirus here if you are able to run executables. Install and update the client and reboot the computer if asked. While you can install many other free trial clients, Spyware Doctor with Antivirus will quarantine this threat to allow for easier manual removal. The free trial version will not remove threats unless you make a purchase; still, it's the easiest way to go.
Step 2. You will have to kill the following process first, as the initial step in removing the fake security client that causes the Firefox hijack:
- [RANDOM].exe (in our testing it has been 3 characters long)
The main executable of this threat is random. This makes removing such threats that much harder. The threat is normally found in %AppData%\Local\[RANDOM].exe and %UserProfile%\Local Settings\Application Data\[RANDOM].exe
Keep in mind that in our testing the executable name was three characters long.
The following files and folders will also need to be deleted:
- %UserProfile%\Templates\t3e0ilfioi3684m2nt3ps2b6lru
- %UserProfile%\Local Settings\Application Data\[RANDOM].exe
- %AppData%\Local\[RANDOM].exe
Remove / Edit Registry Settings: Cleaning the Registry
Once you are done deleting the files listed above, don't forget to clean your registry. You will have to get rid of the following registry keys or edit them as needed. Because this step is very involved and editing the registry is dangerous, we encourage users to instead think about making a purchase of Spyware Doctor with Antivirus to do this for you, or to use a registry cleaning program like PC Health Advisor.
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
- HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
- HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
- HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "%1" %*'
- HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
- HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
- HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "%1" %*'
- HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
- HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
- HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
- HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "%1" %*'
- HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
- HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
- HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
- HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
- HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
- HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
- HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[RANDOM].exe" /START "%1" %*'
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
- HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
- HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
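The entries above that matter most are the launch commands: the `.exe` handler and the browser launchers are rewritten so every program start passes through `[RANDOM].exe /START` first. The following is an added example, not part of the original removal guide, that flags such values in an exported list of registry entries; the sample entries are constructed, `abc.exe` is a stand-in for the random name, and the clean handler is assumed to be `"%1" %*` as in the untouched entries above.

```python
import re

CLEAN_EXE_COMMAND = '"%1" %*'   # handler that runs the clicked file itself
# Executable path that opens a command string, quoted or bare.
FIRST_EXE = re.compile(r'^\s*(?:"([^"]+\.exe)"|(\S+\.exe))', re.IGNORECASE)

def audit(key, value):
    """Return a finding for a hijacked launch command, or None if it looks clean."""
    parts = key.lower().split('\\')
    if parts[-1] != 'command':
        return None                      # icons, content types: not launch commands
    m = FIRST_EXE.match(value)
    first = (m.group(1) or m.group(2)) if m else None
    if 'startmenuinternet' in parts:
        # The key path names the browser binary (FIREFOX.EXE, IEXPLORE.EXE).
        browser = parts[parts.index('startmenuinternet') + 1]
        if first is None or first.lower().split('\\')[-1] != browser:
            return 'browser launcher starts %r first' % (first or value)
    elif 'exefile' in parts or '.exe' in parts:
        if value.strip() != CLEAN_EXE_COMMAND:
            return '.exe handler routes every launch through %r' % (first or value)
    return None

def findings(entries):
    """entries: iterable of (key, value_name, value_data) tuples."""
    return [(k, n, f) for k, n, v in entries if (f := audit(k, v))]

# Constructed sample values modelled on the list above.
DROP = r'%UserProfile%\Local Settings\Application Data\abc.exe'
SMI = r'HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet'
SAMPLE = [
    (r'HKEY_CLASSES_ROOT\exefile\shell\open\command', '(Default)',
     '"' + DROP + '" /START "%1" %*'),
    (r'HKEY_CLASSES_ROOT\exefile\shell\open\command', 'IsolatedCommand', '"%1" %*'),
    (SMI + r'\FIREFOX.EXE\shell\open\command', '(Default)',
     '"' + DROP + r'" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'),
    (SMI + r'\IEXPLORE.EXE\shell\open\command', '(Default)',
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    (r'HKEY_CLASSES_ROOT\.exe\DefaultIcon', '(Default)', '%1'),
]

if __name__ == '__main__':
    for key, name, finding in findings(SAMPLE):
        print('%s "%s": %s' % (key, name, finding))
```
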
Conclusion
This threat is one of the harder threats to remove. The false security client can go by several different names like Win 7 anti-virus, Win 7 Antispyware, Win 7 Security 2011, Win XP Security 2011 and on and on. Many users are reporting that they cannot open any files on their computer and in some cases can't even get online. If your back is up against the wall, I really do recommend hiring a pro to remove this threat. It's one of the harder-to-remove threats that I have come across so far in 2011. I spoke with a tech over on www.pcninja.com and they are telling me they are seeing this malware virus a lot lately. If you can't get online to even seek remote computer repair help, I would recommend calling the www.pcninja.com guys up. If you plan on using their repair service, they will be able to walk you through a few different ways to connect to them online so they can remote in and fix your computer.