Adware in My Firefox Status Bar?

Album Cover: Abbey Road

"She's killer-diller when she's dressed to the hilt."
The Beatles / Polythene Pam

Posted on July 14, 2009 12:50 AM in Browsers
Warning: This blog entry was written two or more years ago. Therefore, it may contain broken links, out-dated or misleading content, or information that is just plain wrong. Please read on with caution.

I'm not sure where it came from, but tonight, out of nowhere, I started seeing large, blue underlined text appearing in the bottom right-hand corner of Firefox, right between the Google Reader Notifier and IE Tab icons in my status bar. As I navigated from one site to the next, the text would change, but seemed to cycle among the phrases, "Biting," "The Rang Prices" and "Rung." Nothing appeared when I hovered over the text, and I could not see anything suspicious in my list of installed add-ons.

Eventually, not knowing what else to do, I decided to *gasp* click on the link. It immediately launched a tab and started redirecting to numerous websites. I quickly hit the stop button to kill the process, but not before I had gathered enough history to at least assemble a trail of what happened after that initial click. That trail looks something like this:

  1. Script at feed.validclick.com with a reference to www.NexTag.com
  2. Another script at feed.validclick.com with a reference to www.NexTag.com
  3. Yet another script at feed.validclick.com with a reference to www.NexTag.com
  4. Request to phatmusictunes.com with additional query parameters tacked on
  5. Another request to phatmusictunes.com without the additional query parameters
  6. Redirect to a script at http://c.vioij.com/

For all I know, had I let them, the redirects might have continued on after that, but that is where I killed the process. Now, having clicked on the link in my status bar, it no longer shows up, even after restarting Firefox. To make things worse, Google searches for anything related to the aforementioned issue return nothing useful, as far as I can tell.

Anyone seen anything like this before, or have any idea what might have caused this to happen? I've certainly collected my fair share of tracking cookies and what not over the years, but I've never seen any kind of adware that takes over a portion of the browser chrome without my consent before. I'm stumped.

Update: Here's a screenshot of what it looks like (I hadn't yet seen this "Kelley Blue Book Car" example when I originally posted):

Screenshot of Adware in Firefox

Comments

Peter Gasston on July 14, 2009 at 2:18 AM:

I have seen this too, and when I Twittered it I had a couple of other people respond. Nobody knows what it is, or what triggers it.

Permalink

Arieh Kovler on July 14, 2009 at 2:25 AM:

I was having the same problem - my link said "Ebay : UK site" and the redirect tree went on from c.vioij.com to ebay itself.

It survived shutdowns etc, but has suddenly vanished. Perhaps it's waiting for a new target site?

Permalink

Peter Gasston on July 14, 2009 at 2:34 AM:

FYI, I've filed a bug in Bugzilla:

https://bugzilla.mozilla.org/show_bug.cgi?id=504050

Feel free to add more detail to it.

Permalink

Ryan on July 14, 2009 at 2:36 AM:

I haven't seen it, but that is the sort of thing that (I think) only a Firefox add-on can manage. So, what add-ons do you have installed? What add-ons do others that have seen it have installed? Take the intersection of these sets and you have a suspect list. This seems like a reasonable place to start.

My first guess is that an auto-update to a plugin you already had actually ended up with a bit of malware the latest version, maybe without the author even knowing about it.

Permalink

Matt Rycroft on July 14, 2009 at 3:10 AM:

Ahhh it appears to be a plugin called Screengrab. I think, its gone now i uninstalled that

Permalink

Peter Gasston on July 14, 2009 at 3:57 AM:

But I don't have Screengrab installed on the two machines I've seen it happen on. The add-ons they have in common are:

Google Reader Notifier
Yahoo! Mail Notifier
Gmail Manager
Firebug (can't remember if I have this installed on one machine, or both)

Permalink

Peter Gasston on July 14, 2009 at 7:11 AM:

Seems that this is an issue with Google Reader Notifier:

https://bugzilla.mozilla.org/show_bug.cgi?id=504050

If you want to express your dis-satisfaction, do so here:

https://addons.mozilla.org/en-US/firefox/reviews/display/3977

Permalink

Bernie Zimmermann on July 14, 2009 at 8:01 AM:

Peter, I appreciate you stopping by and adding that additional information. I'm a bit shocked that this is coming as part of Google Reader Notifier. I've been using that add-on for years without any trouble. Those ads are extremely annoying, though, so I'm going to remove it until things get sorted out (if they ever do).

Thanks again.

Permalink

Rey Bango on July 14, 2009 at 9:54 AM:

Hi Bernie, we're looking into this. When you saw the ads, were they one specific websites? I'm trying to determine how to get them to display as I've not been able to yet.

Rey
Add-ons Community Lead
Mozilla

Permalink

h2h on July 15, 2009 at 10:31 AM:

I ran into the same problem today after I keyed a search on google for a movie. Then from that moment on, the link ad on my status bar appears. I came to this blog because I was trying to find the solution and indeed it was google reader. I have removed it until this gets fixed.

Permalink

Paul on July 15, 2009 at 7:24 PM:

I just noticed the same thing, I thought for sure it was some website I'd visited. I ran spyware scans and everything, but it turns out that that extension was the problem. That's sad.

Permalink

KiwiYankee on July 16, 2009 at 6:31 PM:

Yes definitely was Google Reader Notifier. I have also been using this for years and I am very dissappointed. Oh well Google Reader Watcher is the answer.

Permalink

Bernie Zimmermann on July 16, 2009 at 6:55 PM:

Rey, sorry for the delay in answering your question. Sometimes the ads did disappear, but I found that by navigating to various websites they would reappear. I went to Google and some Google News search pages and I recall them showing up on those. They didn't seem to be relevant to the page I was viewing, though (but then again, when is "Rung" ever relevant?).

In the little time I spent before removing the add-on, I saw the pesky ads more often than I didn't.

Permalink

Wintersweet on July 20, 2009 at 9:53 AM:

Just happened to me too. Most unhappy! Thanks for the lead.

Permalink

Doug on July 30, 2009 at 1:13 AM:

I've just seen this spyware for the first time.

Disabled Google Reader Notifier 0.76 and it went.

Permalink

JamesVG on July 31, 2009 at 6:21 AM:

Rey -- The ads are triggered by specific websites. I first noticed that ad was triggered by wsj.com (Wall Street Journal = I need a BlackBerry, ad routed through CellPhonePlans-dot-com).

*** All -- I've had success with installing version 0.70 of the addon. No ads have shown and the functionality remains.

Get version 0.70
https://addons.mozilla.org/en-US/firefox/addons/versions/3977

Alternate download (cc licensed)
http://jamesvg.com/misc/GoogleReaderNotifier{0.70}.zip

My best guess to what happened is that a new author took control of the project - probably under false pretense - from the original author and then inserted the adware code knowing we'd all get updates.

All the best in finding alternatives. - JVG

Permalink

paul on October 05, 2009 at 5:17 PM:

This just happened to me. Thanks for the heads up. Uninstalled Google Reader Notifier and it seems to have gone. Annoyed and disappointed that an addon (and a good one previously at that) should turn into spyware. Anyway, your help was appreciated.

Permalink

Post Comments

If you feel like commenting on the above item, use the form below. Your email address will be used for personal contact reasons only, and will not be shown on this website.

Name:

Email Address:

Website:

Comments:

Check this box if you hate spam.