HitmanPro 3.6 Build 159

Today we’ve released a new version of HitmanPro 3.6 to our users. Build 159 includes many improvements over earlier releases. But I would like to blog about one particular new feature today: the detection of the XULRunner malware.

XULRunner redirect
This particular malware, a browser hijacker, affects the Mozilla Firefox browser and redirects Google Search results to e.g. happili.com.

Contrary to sophisticated bootkits that usually cause search redirects (like TDL4 and ZeroAccess), the XULRunner is a fairly basic program. To stay somewhat concealed, it installs a legitimate-seeming add-on in the Firefox browser to ‘hide’ itself: the malware impersonates and abuses the XULRunner name to fool users into believing the add-on is a core part of the browser. The real XULRunner is actually the internal XUL runtime developed by Mozilla, to run XUL-based applications in Firefox: http://en.wikipedia.org/wiki/XULRunner

The XULRunner malware typically creates a folder with a random name in the “Application Data” folder below the user’s profile. Example: C:\Documents and Settings\John\Local Settings\Application Data\{2C02AAE7-C9F9-4B88-8233-CD0895C71420}\

The script that causes the redirects is called overlay.xul. When looking at this JavaScript file, a trained eye can see that it affects popular search engines:

if (loc.match(/google.*\/(search|cse).*[&\?]q=/) || loc.match(/\/search\.yahoo.*search.*[&\?]p=/) || loc.match(/ask.com.*\/web.*[&\?]q=/) || loc.match(/bing.com\/search.*[&\?]q=/) || loc.match(/aol\/search.*(query|q)=/))

To manually determine whether or not your Firefox browser contains the malicious XULRunner add-on, click in Firefox on the Tools menu and select Add-ons:

To get rid of this malware, HitmanPro build 159 (or newer) will detect and thoroughly remove the XULRunner malware, including its files, folders and registry keys.

Full release notes of HitmanPro

  • ADDED: Windows 8 Release Preview support.
  • ADDED: Detection and removal of XULRunner redirect scripts.
  • ADDED: /fb command-line option to perform Force Breach.
  • ADDED: HitmanPro switches the desktop to ensure visibility.
  • Some Ransomware use a dedicated desktop to prevent applications from popping up.
  • IMPROVED: Force Breach to kill more processes.
  • IMPROVED: Force Breach now works under SYSTEM or SERVICE account.
  • IMPROVED: Detection and removal of ZeroAccess/Sirefef CLSID variant.
  • IMPROVED: Improved removal of MaxSS bootkit.
  • IMPROVED: Improved Volume Boot Record (VBR) handling.
  • FIXED: A problem where Default scheduled scan would not scan for cookies.
  • FIXED: SafeBoot Minimal was not working.
  • FIXED: Behavioral scoring on WOW64 uninstall keys.
  • FIXED: Compatibility issue with Dataplex caching software from NVELO.
  • UPDATED: Portugues language.
  • UPDATED: Internal white lists.


32-bit: http://dl.surfright.nl/HitmanPro36.exe
64-bit: http://dl.surfright.nl/HitmanPro36_x64.exe

Comments are closed.

%d bloggers like this: