
Wednesday, January 11, 2012

Malicious Youtube Extension, YXH-youtube_player.xpi and YXH-youtube_player.crx (Uninstall Guide)

Cyber criminals are spamming out a malicious web browser extension posing as a YouTube player. The extensions, YXH-youtube_player.xpi for Mozilla Firefox and YXH-youtube_player.crx for Google Chrome, are currently spreading through Facebook. The attackers rely mostly on social engineering to get people to install them. The campaign gets a lot worse when infected users post the links on websites that use the Facebook Comments Box. At least the links that lead to the fake YouTube websites are non-clickable there.



The spammed bit.ly link redirects users to a website impersonating youtube.com. A pop-up screen then prompts the user to click a notification and install a "Youtube HD Player".



In fact, you don't even need to click the notification: the download of the malicious extension starts automatically.



It goes without saying that you shouldn't install add-ons from websites you don't trust. Unfortunately, people seem willing to do whatever it takes to watch a video that has caught their attention, and that is exactly what social engineering attacks exploit.

YXH-youtube_player.crx (Youtube Player 6.1.8) extension installed in Google Chrome:



Extension's files:



Let's take a look inside go.js to see how key functions are implemented.


As you can see, go.js does little itself: it loads another JavaScript file, http://bbpeonf.info/script.js, which at the time we investigated this threat redirected us to 50.56.234.67/s.js. The real payload is therefore whatever the attacker serves from that address. It can be changed at any time without touching the installed extension, and the packaged files alone do not tell you what the extension will actually do in the browser.


The malicious browser extension YXH-youtube_player.xpi is currently detected by only 2 of the 42 antivirus engines on VirusTotal (VT report for YXH-youtube_player.xpi). ESET detects it as JS/TrojanClicker.Agent.NDA and Fortinet as W32/Agent.FBH!phish.

Programs classified as Trojan-Clicker are designed to generate visits to particular sites in order to inflate the number of hits on online ads, to take part in denial-of-service attacks against particular servers, or simply to redirect victims to infected websites. One way or another, you need to remove such malicious web browser extensions from your computer immediately. To remove JS/TrojanClicker.Agent.NDA from your computer, please follow the removal instructions below. If you have any questions, please leave a comment below. Good luck and be safe online!


Remove YXH-youtube_player.xpi in Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools > Add-ons.



2. Select Extensions. Choose Youtube Player 6.1.8 and click the Uninstall button.




Remove YXH-youtube_player.crx in Google Chrome:

1. Click the Customize and control Google Chrome icon and select Tools > Extensions.



2. Choose Youtube Player 6.1.8 and click the Remove button.



Finally, scan your computer with anti-malware software.


Associated Youtube Player 6.1.8 files (paths shown for Windows XP; on Windows Vista and later the same folders live under %LOCALAPPDATA% and %APPDATA%):
  • C:\Documents and Settings\[User]\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jsgfrtofdhsjrelrjmspsjrtdcrslsjsnrt\6.1.8_0
  • C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\o45jfr56.default\extensions\admin@youtubeplayer.com

4 comments:

Anonymous said...

I have a similar problem. I haven't installed this Youtube player, but Chrome asks me to install it every time I open a webpage. Chrome warns me and I cancel the installation every time. But how can I stop this altogether?

James Colman said...

Simply removing it from your extensions won't work! It keeps coming back, trying to add itself to your extensions. If it isn't doing that to you, ignore this, but for those who have the same problem: simply uninstall Google Chrome and then re-install it. It's OK, it saves all the pages you've saved and password entries and so forth, so uninstalling Chrome shouldn't be a think-twice thing. You just re-install it and the virus extension disappears, but only after you've removed the extension.

James Colman said...

Sorry, I didn't mean to spam that :( I didn't know they were being sent for approval and thought it wasn't working. But yeah, if it doesn't work, try again after deleting YouTube.crx on your computer: just search for that file, delete it, and try uninstalling again. Thank you.

Anonymous said...

Here is my solution.
I had this problem: a pop-up showing "crx xpi installer: file not found (Acept)".

I found two applications running: "facel.exe" and "extension.exe".

- The first thing I did was close those two applications from the Task Manager.

- I could then find their executables in a folder within C:\Documents and Settings\[User]\Local Settings\Application Data\

Just search for the .exe files and delete them.