Mozila FireFox system tools 17.54.5468
When we got up this morning my mum had a message on her computer telling her to download Mozila FireFox system tools 17.54.5468 - the message popped up when she tried to play a Facebook game. We clicked it and downloaded it and the computer seemed fine after that (but we did notice something called Uniblue was now on her computer). Then I got onto my computer and when I tried to get into Yahoo Groups I got the same message. I also got a different message halfway through watching a video on YouTube: a screen came up saying that the certificates for YouTube were invalid or didn't exist. I deleted Firefox completely - including the folder in Program Files (x86) - reinstalled it and I can once again play YouTube videos (so far), but I'm still getting a message for Mozila FireFox system tools 17.54.5468 when I try to get into Yahoo Groups. My question - is 'Mozila FireFox system tools 17.54.5468' a real message from you guys and if it's not, does anyone know how I get rid of it? I have Windows 7 and it's a desktop if anyone needs to know.
All Replies (20)
Hello! I had the same issues. The message came when I tried to enter www.yahoo.com (in all variants) as well as www.facebook.com. The message came when the address was http://... Always, when I changed it to https, I got an error with the certificate.
I had this on all laptops. It always started well, and each site worked once and then started failing.
What changed things: I exchanged the DSL router from TP-Link to Siemens. With the new router I had no more issues reaching Yahoo over https. At the beginning, the wrong route was still there and I saw the message. Now the redirect to https works and I cannot get the message any more.
One thing to mention: I reinstalled one Windows 8 laptop. After reinstallation the https certificate still did not work and Yahoo was not available. BUT: the wrong message was not there either!
So it seems that something is still on the laptops which could produce the message!! I do not know how to get rid of it. Indeed: with the new router Yahoo works now.
Hopefully we find the virus!!
@abecrabt
I recently started getting the same issues as everyone in this thread. From what I've seen after testing everything I could, it's not a simple virus. Two laptops in our home get redirected to this "Mozila FireFox System Tools" page when trying to access Facebook, and the "Untrusted Connection" when trying to get to YouTube. However, my iPhone also gets redirected when trying to access Facebook in Safari - the error message changes, however, to "Microsoft System Tools 16.3846 download" with the same generic crap about "our users provided us with feedback over the years". Note that Safari isn't a Microsoft program.
I have reset my router many times as well, coming to the conclusion that it must be something wrong with it. Obviously this hasn't worked. But, my router is not a TP-Link like yours, it's an Edimax AR7284wna. Furthermore, my DNS is set to the exact same as yours - 94.102.63.137 and 8.8.8.8.
Googling these issues doesn't yield many results, so I guess it's a very new issue. Can't tell if it's router side or ISP side though. My router's firmware doesn't appear to have been updated in a while, so I seem to be up to date.
(Sorry for wall)
Clearly the Edimax is a badged TP-Link. The reason all PCs and smartphones have the problem is that the router has been hacked. The DNS setting has been overwritten with a rogue server in Holland - see my links. What a DNS does is to translate for example "www.yahoo.com" into a numeric IP address. This rogue server mostly translates correctly, but very occasionally translates an address to a rogue location that tries to get you to download a Windows EXE file that I would assume contained viruses, spyware, malware and so on. You need to at the very least:
1. Change the DNS addresses back to those of your ISP. Look up the addresses you should set on your ISP's help pages.
2. Change the admin password on your router, because the hackers have got it now.
3. Upgrade the firmware on your router. This is not as hard as it sounds and you should be able to download it and follow some easy steps. It's a chore, but it's necessary.
4. Find out if there is some remote access method to your router. I'm still struggling to work this out on my TP-Link!
Take this problem very seriously - this is a sly attack and it can be sorted I'm sure, but fix it and then check it doesn't recur!
FredMobbing - I'm not sure whether the certificate message is because you clicked on the link and installed it, or maybe more likely that site got marked by Firefox as suspect somehow. I'm no expert on that sort of thing.
At all events a virus check is needed.
I notice the link downloads a file called:
Mozila.systemtools17.FireFox.54.5468__7818_i930854344_il6790280.exe
from a site called www.GeneralDownloads.com
I also notice that the link is on getfl.com, and this was only created a month ago: http://whois.domaintools.com/getfl.net So this is a new scam. I've reported it to Symantec.
That's great information. Not sure what it is all about but something is sadly wrong. I will tag as escalate and link to another contributors thread.
Another thing that I think people should do is follow TP-Link's instructions on how to block incoming traffic in http://uk.tp-link.com/article/?faqid=569 They state block "ALL" when you'd think web traffic on port 80 alone would be sufficient.
That's a bit theoretical though - I am finding it impossible to get this router to accept the restrictive route. This seems to be a rather shoddy router to me.
abecrabt said
Hello! Thanks for the further information. Of course I did not click the link. I have also seen in the HTML code that the link went somewhere in the Netherlands.
I tested some virus scan software, but it did not find anything.
I did some traceroutes to www.yahoo.com and while the TP-Link router was active, at some point it was routed via the Netherlands.
On the new router that was not the case. Since the IP for Yahoo and the behaviour were different on all laptops, I did not find a clue as to where the mis-routing took place. It was not really visible that the router alone was the reason. Well, currently the new one works.
I still think something is left on the laptops that might harm the router again. I am not sure if the router was hacked from outside.
Another thing I recognized: it always started when I logged out of Yahoo Email, and that link seems to be http only and not https. Maybe this is the trap? But there is no chance to log out with an https direct link.
Greetings FredMobbing
Lord_Brainstorm
That download link looks worth investigating.
I have a TP-Link modem and I'm quite sure that IT is the problem, but I don't know what to do now. I can't access my router's settings, maybe because the admin name and the password have been changed by someone (could it be?!). I think I have to reset it like I had to do a few months ago (with the "Please Install Flash Player Update (Recommended)" virus). But I'm not good with all this ISP and DNS "language", can someone help me by explaining what I have to do in the router's settings (if there is something to do, I didn't understand!), please? Thanks
Now the problem seems to have disappeared on my PC (I don't know, but Wikipedia and Yahoo are not blocked anymore at the moment), but it's still present on the two mobile devices that I described in the post earlier.
Is the router actually responding? Can you select menu elements?
Mine has completely stopped responding so I'll probably have to reset it; although it's still routing, it can't seem to manage admin at all.
These seem poor routers to me.
It seems to be responding, I can select menu elements but I don't know if I have to change settings or something... Probably I'm going to change router soon because this has given me lots of problems in the last months...
So, I used time I did not have, looking for a reason / cure. As you can imagine, mine is a TP-Link router too (TD-W8961NB).
>abecrabt< talked about the 94.102.63.137 and the 8.8.8.8 a few postings above. But as I am no IT guru, I had no idea where to look for the altered DNS in the router settings. Searching the web I found a German IT security website which had this exact router security problem in a web article on 4th March 2014.
heise Security article (German)
According to a comment in this article, I was finally able to check the DNS path (worked for my Windows 7 system): [Windows key]+[R] to open the Run window, [c] [m] [d] [Enter] to open the command window, then typed in "nslookup" (without "") to reveal the standard server and its address.
There I found the first address >abecrabt< has mentioned: Standartserver: Unknown Address : 94.102.63.137
Which should be 194.25.2.129 for the T-Online DNS (Deutsche Telekom).
... As I say, I'm not a complete IT noob (but aware and skeptical enough not to download the "system tools" file) - what are the next steps?
Changing all online passwords, maybe checking some bank cards, ordering a new access phrase from my provider - in addition to resetting the router with the genuine settings in offline mode, deactivating the "remote access function" (explained in >abecrabt<'s link) and updating the router to the recent firmware - seems not good enough for me, because:
Can there still remain some bad-ware in my computer which resets the DNS again in a few days? avast! antivirus did not find any residue after 3 scans - so is it necessary to completely reset the computer / set it up anew?
...and last but not least: has anybody a clue how the change happened? Surfing an infected website? Using an infected file?
...
Thanks for your efforts in advance.
Greetings
- - - -
Edit: 23.06.2014 - 00:07
I've found a reason and a possible solution!
According to a TP-Link article: TP-Link solution (German) but with further links (maybe there is an option to change the language to your favourite)
"CSRF - Attackers used these vulnerabilities to change the router's DNS server after the user clicked a prepared hyperlink or loaded a prepared image. The attacker here makes use of the login information stored in the browser; he does not need to log in to the router's administration page."
...and: "MediaTek chipset - On routers with remote management enabled, attackers are able to download the router's configuration file without having to authenticate. The attacker scans a pool of IP addresses at random or systematically and tries to download the configuration file with the help of a specific link. Once he has this file, he can extract the user's name and password, log in to the router remotely and change the DNS settings or the login data."
...
There are two possibilities to infect your router:
1st of all: an altered hyperlink or picture gives the opportunity to bypass the router login. 2nd: with "remote management" enabled, it's possible to download your router config file in some ways and then 'they' can read out your name and password, so that a change via remote is possible.
The "solution" TP-Link gives, in short:
new firmware, deactivate the [remote management], change the password.
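The two checks that run through this thread - "which resolver is my machine actually using?" (the nslookup step a few posts up) and "does that resolver give the same answer as a trusted one?" (the rogue server that mostly answers correctly but occasionally redirects, as described earlier) - can be scripted against saved nslookup output. The example below is added here and is not code from the thread, from Mozilla or from TP-Link. It parses the text Windows `nslookup` prints, flags a resolver that is not on your ISP's list, and compares the answer for one name between the router's resolver and a second resolver you queried explicitly (`nslookup www.example.com 8.8.8.8`). The resolver addresses 94.102.63.137, 8.8.8.8 and 194.25.2.129 are the ones quoted in the thread; the sample nslookup transcripts and the answer addresses (RFC 5737/3849 documentation ranges) are constructed for the example.

```python
"""Audit saved Windows nslookup output for a hijacked resolver (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Resolver addresses quoted in the thread: the rogue server found on the
# hijacked TP-Link routers, Google's public resolver, and the Deutsche
# Telekom resolver one poster expected to see instead.
ROGUE_RESOLVER = "94.102.63.137"
GOOGLE_DNS = "8.8.8.8"
TELEKOM_DNS = "194.25.2.129"


@dataclass
class LookupResult:
    server_ip: Optional[str] = None      # resolver that answered (header "Address:")
    name: Optional[str] = None           # canonical name from the answer section
    addresses: List[str] = field(default_factory=list)   # A/AAAA records returned


def _as_ip(text: str) -> Optional[str]:
    """Return the normalised address if `text` is an IPv4/IPv6 literal, else None."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def parse_nslookup(text: str) -> LookupResult:
    """Parse the text printed by Windows `nslookup <name> [server]`.

    The header ("Server:"/"Default Server:" plus "Address:") names the resolver
    that was queried; everything after "Non-authoritative answer:" or "Name:"
    is the answer. Indented continuation lines carry additional records.
    """
    result = LookupResult()
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_answer and (ip := _as_ip(line)):
            result.addresses.append(ip)                 # continuation line
            continue
        if re.match(r"non-authoritative answer:", line, re.I):
            in_answer = True
            continue
        if m := re.match(r"name:\s*(\S+)", line, re.I):
            result.name = m.group(1)
            in_answer = True
            continue
        if m := re.match(r"address(es)?:\s*(.*)", line, re.I):
            values = [ip for tok in m.group(2).split() if (ip := _as_ip(tok))]
            if in_answer:
                result.addresses.extend(values)
            elif result.server_ip is None and values:
                result.server_ip = values[0]            # the resolver itself
    return result


def resolver_is_expected(server_ip: Optional[str], expected: Iterable[str]) -> bool:
    """True if the resolver that answered is one your ISP actually assigns."""
    return server_ip is not None and server_ip in {_as_ip(e) for e in expected}


def _ipv4(result: LookupResult) -> set:
    return {ip for ip in result.addresses if ipaddress.ip_address(ip).version == 4}


def answers_diverge(configured: LookupResult, trusted: LookupResult) -> bool:
    """True when the two resolvers share no IPv4 address for the name.

    CDN-fronted sites legitimately return varying addresses, so a divergence
    is a lead to investigate (compare again, check the address owner), not
    proof of hijacking on its own.
    """
    return not (_ipv4(configured) & _ipv4(trusted))


def audit(configured_text: str, trusted_text: str, expected_resolvers: Iterable[str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    conf = parse_nslookup(configured_text)
    trust = parse_nslookup(trusted_text)
    if not resolver_is_expected(conf.server_ip, expected_resolvers):
        findings.append(f"resolver {conf.server_ip} is not one of {sorted(expected_resolvers)}")
    if answers_diverge(conf, trust):
        findings.append(f"{conf.name}: {sorted(conf.addresses)} vs trusted {sorted(trust.addresses)}")
    return findings


# Constructed transcripts shaped like Windows 7 nslookup output; only the
# resolver addresses come from the thread, the answers are documentation ranges.
NSLOOKUP_VIA_ROUTER = f"""\
Server:  UnKnown
Address:  {ROGUE_RESOLVER}

Non-authoritative answer:
Name:    www.example.com
Addresses:  2001:db8::77
          198.51.100.77
"""

NSLOOKUP_VIA_GOOGLE = f"""\
Server:  UnKnown
Address:  {GOOGLE_DNS}

Non-authoritative answer:
Name:    www.example.com
Addresses:  2001:db8::10
          192.0.2.10
          192.0.2.11
"""

NSLOOKUP_VIA_ISP = f"""\
Server:  UnKnown
Address:  {TELEKOM_DNS}

Non-authoritative answer:
Name:    www.example.com
Address:  192.0.2.10
"""

if __name__ == "__main__":
    for label, text in (("router", NSLOOKUP_VIA_ROUTER), ("isp", NSLOOKUP_VIA_ISP)):
        print(label, audit(text, NSLOOKUP_VIA_GOOGLE, {TELEKOM_DNS}) or "clean")
```

To use it on a real machine, save the output of `nslookup www.example.com` (router resolver) and `nslookup www.example.com 8.8.8.8` to two files, pass their contents to `audit()` with your ISP's published resolver addresses, and repeat after the router has been reset, re-passworded and updated; a resolver that drifts back to an unexpected address is the sign that the router was compromised again.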
Lord_Brainstorm said
I don't think you've got this right. The problem is that a hacker is able to connect to your ROUTER, read its ROM, find your admin password, log in remotely as admin and change the router's configured primary DNS to be a different one in the Netherlands.
When you are on the web that server mostly works normally but occasionally tells your browser the wrong IP address for a link, causing that server to be accessed instead of Facebook, Hotmail or whatever you're clicking. You are then asked to upgrade Firefox (or Internet Explorer). If you did not click that link you won't have malware. If you did, you might, and as far as I can see no one yet knows what that link installs.
However your router remains maliciously configured, and if you cannot figure out how to return the DNS to its correct setting, then block web requests using the ACL (and also preferably upgrade the firmware), then it's better you get a new router or get someone who can understand.
It's all pretty unpleasant - I'm not impressed with tp-link.
Yes, so far we're talking about the same.
..but isn't it possible that this redirection to another (Netherlands) malware domain is only the obvious/apparent/evident problem?
Maybe I'm too cautious, but isn't it possible to download other digital scum via drive-by download or become the victim of some phishing websites?
It is not my router at home; it's just that I discovered it yesterday while I was visiting my parents and logged online. I don't know how long this DNS change was in place (maybe since 4th of March) and what my family did online while I was at my college accommodation.
Fact is, I have to deal with it. Starting tomorrow with "Why is the internet gone?", followed by "where the hell is the router!?"
:-/
I checked yesterday for any new firmware updates for the router, as I was having an issue getting email on my iPhone that came out of nowhere (now obviously linked to the router issue since I changed the DNS on my phone and it's fine). There haven't been any new firmware updates for my router - do you think it will be enough to change the password and, assuming it's actually possible with this router, disable remote access? As a side note, will disabling remote access mean that no one using wifi in our home access the router as well?
Just thought I'd mention that I'm getting a new message now when I try and get onto YouTube (there should be a screenshot attached).
Finally I've been able to check my DNS on the router's settings, but mine has not changed like @abecrabt has shown with the attached image in an earlier post, mine is this (sorry, it's in Italian but I've tried to translate it):
DNS Relay: "Use auto discovered DNS server only" Primary DNS server: N/A Secondary DNS server: N/A
giaz said
This is for the future;
Whenever you get a message / popup that software / files need to be updated,
DO NOT USE ANY OF THE PROVIDED LINKS.
While this may be a legitimate message, it could also be Malware or a Virus. Any time you want or need to check for upgrades, go to the web site of the True Owner of the program in question. For example, to check out Firefox, go to Mozilla.org. {web link}
You can send a report to the FBI via their web site Internet Crime Complaint Center (IC3) {web link}
You can also report such a site at; Google Report Phishing Page {web link} which is the same when done while on site by going to Help > Report Web Forgery
Help us safeguard Mozilla’s trademarks by reporting misuse {web link}
Oops sorry
FredMcD said
So, is there any solution? I suppose the malware is inside the router, because I have the same problem on 3 PCs and 1 tablet connected to the same network. I've used Malwarebytes and Avast on my PC and there is no virus.
Is a virus or malware possible in the router? If this is the problem, how can I solve it? Some kind of router format or something else?