Firefox redirects to a page that says important firefox update, it then starts to downloading a virus.
This does not happen every time I am on Firefox but is happening more often. I will be on a trusted web site, "says Norton" and all of sudden I am redirected to a full screen orange page that says there is a important Firefox update. It then pops up a little box that says you have chosen to download this update. It then starts to download without me clicking on anything. It puts a virus in my hidden folder "appdata". My virus software catches it and removes it. I am using Norton Internet Security on Windows 10 64 bit home edition. This is a list of the viruses that downloaded in last few days: Norton Auto-Protect caught "firefox-patch.exe, Trogen. Gen.2" this was a bad one, it attached to one of my Windows msi file and another third-party software msi before it was caught and I had to restort my computer to get back the files Norton deleted. Norton Download-Insight caught "lqqcorm.js.part (JS.Downloader)" and "nir+_8hr.js.part (JS.Downloader). I don't know why this keeps happening but could this be a security issue in Firefox? Is there any way to prevent these redirects from happening? I have my Security settings set on in Options but this has no effect on the redirects, I don't know if any reports are being sent to Firefox when this happens. Is there anything that you can do? I love Firefox and don't want to stop using it. I don't have any images because I close Firefox as soon as this happens. Sorry.
தீர்வு தேர்ந்தெடுக்கப்பட்டது
Hi, thanks for reporting a fake update. Please see the article I found a fake Firefox update.
If you are in any doubt about the authenticity of update pop-ups etc., it's always best to ignore them and check for yourself by opening the 3-bar menu > Help (question mark at bottom right) > About Firefox. Alternatively, you can press the Alt key to bring up the main menu bar > Help > About Firefox. More - Update Firefox to the latest release.
For reference only - please don't post here - this forum is for Mozilla Support Contributors only. https://support.mozilla.org/en-US/forums/contributors/712056?last=69507
A possible workaround is to install an ad-blocker like https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ Or https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
If your question is resolved by this or another answer, please take a minute to let us know. Thank you.
Read this answer in context 👍 2All Replies (10)
தீர்வு தேர்ந்தெடுக்கப்பட்டது
Hi, thanks for reporting a fake update. Please see the article I found a fake Firefox update.
If you are in any doubt about the authenticity of update pop-ups etc., it's always best to ignore them and check for yourself by opening the 3-bar menu > Help (question mark at bottom right) > About Firefox. Alternatively, you can press the Alt key to bring up the main menu bar > Help > About Firefox. More - Update Firefox to the latest release.
For reference only - please don't post here - this forum is for Mozilla Support Contributors only. https://support.mozilla.org/en-US/forums/contributors/712056?last=69507
A possible workaround is to install an ad-blocker like https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ Or https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/
If your question is resolved by this or another answer, please take a minute to let us know. Thank you.
I added the uBlock-Origin version 1.8.4 to my Firefox and so far I have not had any more problems. I hope this was the fix that I needed. Thanks for all your help.
I encounter this at least once a day -- and always when leaving a trusted site -- everything from nytimes to ebay and many, many others.
I even experienced it once when leaving the mozilla.org site.
The address that showed up with this phony 'critical Firefox update' today was https://oochaons96.org/6851796059713/fab1504bcd12cfd745184be7d0260f90.html -- I don't know if it is always this address as I have just been closing it, but this time I copied the address, hoping to find a way to completely block it..
Go to that address and the phony update download will come up.
I would like to be able to block this site completely. While the advice above - "If you are in any doubt about the authenticity of update pop-ups etc., it's always best to ignore them and check for yourself" - is good, there is no doubt about this garbage being phony, and it would be preferable if this https://oochaons96.org/ could be completely blocked. The advice about installing an ad blocker is also good, but this does not appear to be any kind of an ad.
Remember that this only comes up when you close the tab for a trusted, legitimate site. And since it even happened once when leaving mozilla.org, I seriously doubt that it is an infection at the site.
By the way, while it is a very, very small possibility, is there any chance that a mozilla 'contributer' slipped some kind of redirect into the firefox browser? In the past several months, a lot of my friends have mentioned that they are also experiencing this redirect upon closing a trusted site. And it has only been in the last six or seven months -- after one of the real Firefox updates.
Like I said, that may be a very, very small possibility, but frankly, who would be in a better position to engineer this?
Finally, Is there a way to block sites like this? In the user settings, you have a way of filtering out adult content, so I am hoping that a way can be provided to block a specific site. If that capability is not yet available, I would like to request that it be incorporated soon.
Thank you.
I would like to be able to block this site completely.
Those fake update domains are created daily, a few of them daily, so blocking one won't do anything to block others that you may find. And the sites that users have reported here "go dark" rather quickly, many times before one of us contributors can even check it out.
This has been going on since mid-June and from what I saw mentioned at reddit last week, it is affecting Chrome users now, too. It's proving to be a real challenge to shut that "script kiddie" down; by the time someone finds him he's gone, or so it seems.
That crap is being distributed by advertising networks that have been compromised, so for user's the best thing is to be proactive and just block advertising altogether. Maybe once the websites that are the inadvertent targets of this garbage start losing revenue (decrease in ad views), they'll scream at their advertising networks and get some action to stop this "kid".
This extension has been proven to effectively block that "stuff". https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
HenryELenz said
I would like to be able to block this site completely.
If only it was that simple https://support.mozilla.org/en-US/forums/contributors/712056
And yes Chrome users on Windows are getting hit with a similar kind of fake update sites also and may be from the same person(s) due to same disposable sites being used for both fake Firefox and fake Chrome updates. https://productforums.google.com/forum/#!topic/chrome/HcXgFFaO9WU
James மூலமாக
I see what you mean about fake sites, edmeister. The phony update page came up again as I was scrolling down the page on ebay.
This time it was https://keeshelcuara.net/7251796059713/eab953e3e89144a2ed2e238b4c1a1ce3.html
What gets me though, is that this time it came up as I was scrolling down the page, not when leaving the page or clicking on any link whatsoever on it.
Time to get that add-on you mentioned.
Thanks.
BTW, a somewhat interesting side note -- while the ICANN whois lookup says there is no listing for https://oochaons96.org, it does show a listing for https://keeshelcuara.net
It shows that it was created 09/06/2016
Too bad the name and number in the whois listing are probable phony, or I would call the jackass and give him a piece of my mind.
If specific address can't be blocked, what about particular domains?
I have a followup question about ublock-origin.
I installed it and so far I haven't seen the phony Firefox download page, but it seems to have created another issue.
On ebay, when I pull up my watch list, none of the item images come up on the page, and previously you could look at an item image and hover the cursor for an expanded view - but now that feature is gone altogether.
I tried disabling ublock for ebay pages but it did not help. And when I go to the 'setting' page for ublock, none of the links work.
Frankly, as soon as I find out how, I am going to disable ublock as it is one of the cases where the 'cure' is worse than the diesease.
Now that I removed the adblocker, the phony update comes up again.
This time the phony site was IERAIDREAMLAND.ORG
I immediately went to the ICANN whois page and looked it up -- this phony update page was created by the EXACT SAME individual that did the last one (keeshelcuara.net)
When I looked keeshelcuara.net yesterday, the record came up. Today ICANN Whois says it doesn't exist. However, I saved the page from that one, and from today's phony update popup.
Aside from the domain name,, all the other information matches - from the persons name to their address to their phone number. While this information is probably also phony, it would be great if there was an avenue for reporting this jerk.
The person's info is:
Showing results for: IERAIDREAMLAND.ORG Original Query: ieraidreamland.org Contact Information Registrant Contact Name: Chad N. Wessels Organization: NA Mailing Address: 4145 Diane Street, Atascadero California 93422 US Phone: +1.8054618382 Ext: Fax: Fax Ext: Email:wesselsch@tutanota.com
The jerks Registrar is:
Registrar WHOIS Server: URL: http://www.PublicDomainRegistry.com Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com IANA ID: 303 Abuse Contact Email: Abuse Contact Phone
Is there anything that can be done?
HenryELenz மூலமாக
HenryELenz said
I have a followup question about ublock-origin. I installed it and so far I haven't seen the phony Firefox download page, but it seems to have created another issue. On ebay, when I pull up my watch list, none of the item images come up on the page, and previously you could look at an item image and hover the cursor for an expanded view - but now that feature is gone altogether. I tried disabling ublock for ebay pages but it did not help. And when I go to the 'setting' page for ublock, none of the links work. Frankly, as soon as I find out how, I am going to disable ublock as it is one of the cases where the 'cure' is worse than the diesease.
I did not have any of the problems you reported on Ebay. All my images and mouse overs still work just fine with ublock.