I keep getting a pop-up window that says "Urgent Firefox Update" download now. The website address is https://ohchuk...81e4778b.html. Is this from Firefox?
I am using a public library computer, so I can't check the security settings.
The website address that is sending this pop-up window is https://ohchuk...81e4778b.html
Is this an actual update from Firefox, or is this a phony?
All Replies (1)
As you say, this is malware. Do not run or open the file.
We are trying to find out more about this. The trojan could be particularly dangerous and possibly able to reside in the memory and registry without using files, which makes it difficult to detect and remove.
There are two things you could do.
- First, just in case you are infected with this malware, use a specific removal tool. (Only necessary if the file may have run.)
- Second, if you would like to help us, see if you can catch the actual advert and its details. (The orange splash screen in a full page of its own does not help, as the malware keeps changing the site it uses for that.)
Note the removal tool will tell you if it does not find anything. If it does find something, it will generate a log file. It would be interesting to see the content of the log file if one is generated. It is probably safer and good policy not to use an Admin account for day-to-day computer work and ordinary browsing; however, note you do need to run the removal tool from an Admin account.
- Notes & tool link: "Symantec Official Blog Kovter malware learns from Poweliks with persistent fileless registry update" http://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
- Instructions for Trojan.Kotver Removal Tool https://www.symantec.com/security_response/writeup.jsp?docid=2015-092321-2230-99
- https://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixToolKotver64.exe https://www.symantec.com/content/en/us/enterprise/media/security_response/tools/FixToolKotver32.exe
- I have deliberately broken those links as it is against forum policy to post links to executables in the forum. Please use the link in the Instructions page, OR copy and paste the address into your address bar.
These are the instructions for catching the ad information:
If ... affected users) could tell us what the ad URLs are, that would be helpful.
They would need to right-click on the ad image, choose "This Frame -> View Frame Info", and copy/paste the following info:
General tab: Address (URL)
Media tab: Location (URL) of each item in the list of media in that frame.
This will help us isolate the affected ad networks so we can contact them and inform them of the malware.
Thanks!