Possible false alarm with Firefox

Discussion in 'NOD32 version 2 Forum' started by Howard, Jul 29, 2006.

Thread Status:
Not open for further replies.
  1. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Hi, since I installed the latest security update for Firefox - now version 1.5.0.5 - NOD32 is often signalling an identical detection:

    C:\Documents and Settings\xxxxxxxxxx\Application Data\Mozilla\Firefox\Profiles\4a1zmi3c.default\localstore.rdf HTML/Tornadot.A trojan

    I can now repeat this alert simply by opting to view a larger image of the front cover of a book at Amazon.co.uk and then closing the larger image. Within a few seconds of closing the enlarged image, up pops the NOD32 alert as copied above. Obviously I have not tried this with every book at Amazon.co.uk but it has so far 'worked' with every one I have tried. I do not receive this alert if I repeat the process using IE.

    I have sent a quarantined version of the file to Eset via ThreatSense.

    I am wondering if anyone else is experiencing anything similar with Firefox 1.5.0.5 and NOD32?
     
  2. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I can add a little more: I have now been able to reproduce precisely the same alert at another web site. What this web site has in common with Amazon.co.uk is that it also offers the option to view a larger image - this time not of books, but of clothing. Again closing the enlarged image results in an alert popping up as described in my previous post. Again this alert does not occur if I use IE. It is only happening with Firefox 1.5.0.5.

    note: the web site in question can easily be found by Googling for Charles Tyrwhitt
     
  3. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Hmmm I don't seem to be getting this problem on my Firefox. I'm browsing Amazon.co.uk now.

    Strange. Let's see what ESET say.

    Fairy
     
  4. Suggers

    Suggers Guest

    I have been browsing Amazon with Firefox 1.5.0.5 and NOD32, and I've just checked some pictures on the Charles Tyrwhitt website and have not received any warnings.

    Regards
     
  5. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Have you tried closing Firefox and:

    1. doing an on demand scan of the hard disk with NOD32
    2. run EWIDO and do a system scan
    3. delete everything you find

    It sounds like something may be amiss on your machine.

    Fairy
     
  6. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Thanks for replying Fairy and Suggers, and for checking out the web sites. Bit of a puzzle this one ...
     
  7. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Now I am thoroughly confused. After opening and closing Firefox - received the familiar alert from NOD32 (described in my first post in this thread) when I closed Firefox - I now do not get an alert when accessing larger images in either of the web sites I have mentioned. I noticed some of my toolbar options had been removed so I reinstated these. No changes to NOD32 configuration; no virus signature updates.

    Ho hum ...
     
  8. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    Sounds like localstore.rdf may be corrupt, close Firefox and delete it. You may have to reset your toolbar buttons after.

    You haven't opened any unexpected attachments lately have you? There is a trojan downloader on the loose that affects Firefox in the form of an "extension", but it's not a normal .xpi file like normal extensions, it comes as an executable file attached to a bogus email from WalMart (or other) customer service.
     
  9. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    I think you may be right about the corrupt localstore.rdf. I believe what happened when I did close Firefox (as described in my previous post beginning "Now I am thoroughly confused ...") is that NOD32 deleted the corrupt file for me. This would explain why I had to reset my toolbar buttons and also why I have not had an alert since.

    (I can say for definite, BTW, that I have not opened any unexpected attachments.)
     
  10. phasechange

    phasechange Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    359
    Location:
    Edinburgh
    Is everything fixed now? Or what problems remain?
     
  11. Howard

    Howard Registered Member

    Joined:
    Sep 3, 2004
    Posts:
    313
    Location:
    Wales, UK
    Thanks for asking :) No problems, everything fixed. I have just completed an in-depth analysis with NOD32 and everything is as it should be.

    As far as I can tell the problem was a corrupt localstore.rdf file in Firefox (possibly caused during latest security update) that NOD32 was identifying as/infected with HTML/Tornadot.A trojan. BOClean and ProcessGuard have remained perfectly happy throughout ...
     
  12. Elwood

    Elwood Registered Member

    Joined:
    Sep 12, 2005
    Posts:
    205
    Location:
    Mis'sippi
    There is going to be another Fx update soon (1.5.0.6), because 1.5.0.5 breaks some pages with streaming media.
     