Possible false alarm with Firefox

Hi, since I installed the latest security update for Firefox - now version 1.5.0.5 - NOD32 is often signalling an identical detection:

C : \ D o c u m e n t s a n d S e t t i n g s \ xxxxxxxxxx \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ 4 a 1 z m i 3 c . d e f a u l t \ l o c a l s t o r e . r d f H T M L / T o r n a d o t . A t r o j a n

I can now repeat this alert simply by opting to view a larger image of the front cover of a book at Amazon.co.uk and then closing the larger image. Within a few seconds of closing the enlarged image, up pops the NOD32 alert as copied above. Obviously I have not tried this with every book at Amazon.co.uk but it has so far 'worked' with every one I have tried. I do not receive this alert if I repeat the process using IE.

I have sent a quarantined version of the file to Eset via ThreatSense.

I am wondering if anyone else is experiencing anything similar with Firefox 1.5.05 and NOD32?

 

I can add a little more: I have now been able to reproduce precisely the same alert at another web site What this web site has in common with Amazon.co.uk is that it also offers the option to view a larger image - this time not of books, but of clothing. Again closing the enlarged image results in an alert popping up as described in my previous post. Again this alert does not occur if I use IE. It is only happening with Firefox 1.5.0.5

note: the web site in question can easily be found by Googling for Charles Tyrwhitt

 

Hmmm I don't seam to be getting this problem on my Firefox. I'm browsing Amazon.co.uk now.

Strange. Let's see what ESET say.

Fairy

 

I have been browsing amazon with firefox 1.5.0.5 and nod32, and I've just checked some pictures on Charles Tyrwhitt website and have not received any warnings.

Regards

 

Have you tried closing firefox and :

1. doing an on demand scan of the hard disk with NOD32
2. run EWIDO and do a system scan
3. delete everything you find

It sounds like something may be amiss on your machine.

Fairy

 

Thanks for replying Fairy and Suggers, and for checking out the web sites. Bit of a puzzle this one ...

 

Now I am thoroughly confused. After opening and closing Firefox - received the familiar alert from NOD32 (described in my first post in this thread) when I closed Firefox - I now do not get an alert when accessing larger images in either of the web sites I have mentioned. I noticed some of my toolbar options had been removed so I reinstated these. No changes to NOD32 configuration; no virus signature updates.

Ho hum ...

 

Sounds like localstore.rdf may be corrupt, close Firefox and delete it. You may have to reset your toolbar buttons after.

You haven't opened any unexpected attachments lately have you? There is a trojan downloader on the loose that affects Firefox in the form of an "extension", but it's not a normal .xpi file like normal extensions, it comes as an executable file attached to a bogus email from WalMart (or other) customer service.

 

I think you may be right about the corrupt localstore.rdf. I believe what happened when I did close Firefox (as described in my previous post beginning "Now I am thoroughly confused ...") is that NOD32 deleted the corrupt file for me. This would explain why I had to reset my toolbar buttons and also why I have not had an alert since.

(I can say for definite, BTW, that I have not opened any unexpected attachments.)

 

is everything fixed now? Or what problems remain?

 

Thanks for asking No problems, everything fixed. I have just completed an in-depth analysis with NOD32 and everything is as it should be.

As far as I can tell the problem was a corrupt localstore.rdf file in Firefox (possibly caused during latest security update) that NOD32 was identifying as/infected with HTML/Tornadot.A trojan BOClean and ProcessGuard have remained perfectly happy throughout ...

 

There is going to be another Fx update soon (1.5.0.6), because 1.5.0.5 breaks some pages with streaming media.