This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Virus automaticaly installed by Js / Firefox just viewing a page

  • 10 tontu
  • 20 am na jafe-jafe bii
  • 3 views
  • i mujjee tontu mooy maroon2

more options

On Firefox 3.6 windows XP, security failure seems to allow installation of a virus code just by viewing a page with the code bellow and javascript activated. How can i avoid this? What are the effects of the virus, do I have to worry about my data being stolen or other trojan installed? (Note that I have updated to 3.6.3 after getting the virus, but I don't know if it makes Firefox safe) Thanks you for your help

This happened

Not sure how often

== viewing a page that contains the javascript code

On Firefox 3.6 windows XP, security failure seems to allow installation of a virus code just by viewing a page with the code bellow and javascript activated. How can i avoid this? What are the effects of the virus, do I have to worry about my data being stolen or other trojan installed? (Note that I have updated to 3.6.3 after getting the virus, but I don't know if it makes Firefox safe) Thanks you for your help == This happened == Not sure how often == viewing a page that contains the javascript code

All Replies (10)

more options

What web site and what bug are you referring to? It is quite unlikely that a website can install a virus on your computer via JavaScript. Nonetheless, you should install a virus scanner on your computer (like Symantec, McAfee, etc.) and keep it up to date.

more options

1. Firefox 3.6, 3.6.1 and 3.6.2 had a critical security bug which allowed remote code execution. I'm glad you have installed 3.6.3 which solves this bug.

2. Right now my Firefox reports this page as fishing site and blocks it so that it would be difficult for user to visit it.

The bat file you show tries to delete Internet Explorer from your computer. If you are a Limited User, it will not work because it will not have enough privileges.

3. Update Java!!! Maybe, it was exploitation of Java vulnerability.

In this post the same virus was found, and the same version of Java (1.5.0_06) was installed.

Also update Shockwave Flash, Adobe Reader and Adobe Acrobat and anything else you can update.

4. I would recommend installing NoScript extension for Firefox. It will block by default all Java, Javascript, Flash, etc, so you will manually allow running of scripts for trusted sites (like Google, Wikipedia, etc) while others will be blocked. One more benefit is that some advertisements will be blocked, too.

more options

Thank you for your feedback.

I found this script on an private "professional" intranet page that requires to log in to find this script. So I can't give you the address. But you can copy and paste the script to try and, at least with ff 3.6 only the javascript does the trick.

I do have an up to date virus scanner but it does not detect anything wrong with file wwwzuc32.exe

To wikiwide: 1. I hope it was a critical security fixed on 3.6.3, but I'd rather avoid to try it again!

2. Unfortunately, I had to desactivate the fishing site feature (because of network configuration concerns), so it didn't worked for me

I don't worry about the bat file but with the wwwzuc32.exe (property info shows name Totalcommander)

3. I'm quite sure it is not a java exploit. I think I don't use java at all, I might just delete it then. I made xp updates; i will check for others thank you for the advice.

4. I use webdeveloper and have java always desactivated. I will try noscript too, thanks

I read again the post you mention, but it doesn't explain what kind of infection it was. Anyhow, I guess I don't have anything else to do, except hoping it didn't steal or destroy data...

Thanks again for your help

more options

There are more file's installd on my system. look for smss32.exe, 41.exe, es15.exe, 6334.exe, 18467.exe, helpers32.dll, orphan_11, and usnjrnl. i can not start regedit. i can not start task manager.

i will not make contact with that system to internet.

more options

Well I haven't found any of these files.

But the trojan is still not detected by antivir nor spybot...

Thanks

more options

Disable Adobe Acrobat plugin, it's the weakest link. It's often use in conjunction with Java. But disable acrobat first, see how it goes.

more options

Just a follow up...

Antivirus is very important. Often times, it will prevent the script from running, so make sure your "shield" is up!

But if you do decide to disable your antivirus temporarily (on rare occasion), please either:

1. Don't connect to the internet. 2. Use Chome (haven't infected me thus fas, we'll see) 3. Disable "javascript", "java", and "acrobat" plugins. They are often the source of exploit.

more options

Another follow up...

If you do get infected, instead of cleaning it up manually, or with you antivirus, try to do a system restore first. That will usually solve your problem. It will prevent the malicious code/executable from starting up. Then run your antivirus to remove all traces of the virus or trojan (mostly trojan) scattered in the harddisk.

more options

Thanks for the informations. By the time, i have learned to live with it (without I hope) since it's too late to do a restore, and no virus nor trojan are detected (not a good point as i do have the virus in a backup file in a safe place).

more options

Have this problem when visiting user profiles on: http://www.pbxinfo.com/index.php

e.g. http://www.pbxinfo.com/index.php?action=profile;u=128882

http://www.pbxinfo.com/Themes/default/script.js?fin11

document.write('<style>.r0cw8x6ak { position:absolute; left:-1719px; top:-1633px} </style> ');var smf_formSubmitted = false;

everyone's profile page seems to contain an iframe to the java exploit and whatever else, launches an executable along the lines of fox~it1.exe and a few java applets. Works on the latest version of Firefox + Java.

maroon2 moo ko soppali ci