Talk:Firefox.exe always open
From MozillaZine Knowledge Base
This article starts off with,
Note: This article concerns an issue reported by Windows-based Firefox users, but which could affect any browser
...and then continues with:
WARNING: The symptoms described on this page are typical of the trojan "Backdoor BDS/PoisonIvy.20.A" (and similar variants).
The Background section again mentions Poisonivy.20.A and additional trojans, Win32/Delf.AKA BackDoor CEP.svr and Backdoor.Darkmoon. Later on in the article, a Removal section includes specific instructions for booting into Windows safe mode to remove the suspected malware via editing the registry and deleting files from the C:\Windows\System32 folder.
- The article needs specific references for "Backdoor BDS/PoisonIvy.20.A" and other named trojans or, at least, a reference for a generic "PoisonIvy" backdoor trojan, which includes removal instructions. I found one for Backdoor.Win32.PoisonIvy.a, linked from Kaspersky Labs Forum > FireFox Outbound.
- Telling the user to scan his system for spyware and virus infection and suggesting specific cleaners is fine, as is pointing out possible registry entries or files that can point to the existence of malware, but I don't think that instructing users on manual removal is appropriate. Instead, I think a link should be given to a Windows or Security-related forum or website specializing in malware or spyware removal. My 2¢, anyway. Alice Wyman 04:56, 3 November 2006 (UTC)
- #1 - This KB article is a compilation of all of the *confirmed* cases of the described symptoms and *confirmed* detections and removal methods, as documented in the MozillaZine forum thread listed under 'External Links'. This KB article is not intended to be a complete reference/encyclopedia of the documentation going back almost 5 months - it is meant to be a simple step-by-step 'what you need to know in order to troubleshoot the problem'. Users wishing to read up on it can use their initiative and use the MozillaZine forum link provided, or Google whatever it is they need to know, as I did in order to find all of this out.
- #1b) - The link you posted above for 'Backdoor.Win32.PoisonIvy.a' has not to my knowledge been reported in the context of Firefox and/or any of the symptoms I describe in the article. In fact, the OP of that Kaspersky thread admitted to having given up and formatting his harddrive (as done by many others in other forum posts that I've documented or come across and we'll never know what specifically it was). Regardless, my removal instructions will quickly allow a user to detect that particular trojan and remove it.
- #1c) - There is not 1 single AV/Spyware product page in existence that I know of that I can link to that describes 'PoisonIvy.20.A' and the symptoms (in regards to Firefox or Internet Explorer), all of the confirmed reported files affected and removal instructions. If there was, I would have simply linked to it and not bothered doing this!! Most of my sources of information were not in English and even with online-translation services, not completely understandable without more than a little effort.
- #2) Similar to above, there is not 1 single AV/Spyware forum post that documents the problem in the detail that I have done - unless people want to sift through pages and pages of "try this.. no didn't work.. try this.. no didn't work.. try this ... I formatted my harddrive". PoisonIvy.20.A or whatever you want to call it does NOT show up in HiJackThis logs, does not show up in many of the usual AV/Spyware apps, and does not (did not?) show up in many rootkit detectors. Therefore, most threads are a struggle and they'll end up back here anyway, as I've already documented it. And again, of the few existing threads out there, most of them are not in English. -- [[RenegadeX 10:11, 4 November 2006 (UTC)]] --
- There are pros and cons here. Most of the tools don't run on Win 98, so manual removal may be welcome. But before I would start removing registry keys, it would be helpful to know why and to see some documentation if it's not too much trouble.
- There is also a problem with the removal directions. Step 3 refers to the previous step. The link is not helpful. I think I know what is meant, but it would be much better if the original author fixed it, to avoid further mistakes. --AnotherGuest. 3 Nov 06
- ^ Documentation in link at bottom. Fair enough - I'll edit the link text to say so.
- ^ Fixed - I noticed it myself before I saw your comment. Thanks though! -- [[RenegadeX 10:11, 4 November 2006 (UTC)]] --
- "Most of the tools don't run on Win 98, so manual removal may be welcome." I meant that I don't think that we should be giving details for Windows users to edit the registry or remove files from the Windows System folder to remove a trojan horse program, especially without documentation. If I'm reading this article right, these trojan programs create a new browser process for whichever is set as the default browser .... if the user changes the default browser to Internet Explorer, the rogue process changes to "iexplore.exe".... so this is basically a Windows security issue, best handled on a Windows forum specializing in security issues such as CastleCops, SpywareInfo or aumha.net. Alice Wyman 21:42, 3 November 2006 (UTC)
P.S. A related topic I found in the SpywareInfo forums, mentioning both firefox.exe and iexplore.exe duplicate processes, depending on which is the default browser: Multiple IEXPLORE.EXE ...I'm linking it to show how a security-related forum troubleshoots these types of problems using fix-it tools such as HijackThis and malware scans. Another topic I just found googling on "Port 3460 firefox.exe", in the techguy.org security forum: Solved: Firefox Hijack?. I guess my point here is, maybe some of these security-related forum threads should be added to the "External links" section. Alice Wyman 06:03, 4 November 2006 (UTC)
- LoL - you're kidding me. In BOTH of those examples you've posted, they tried everything they could and both posters still ended up formatting as nobody knew what it was. For the millionth time, PoisonIvy.20.A and this strain of similar trojan have proved to be not detectable by HJT or rootkit detectors. Those guys didn't know what they were up against so they don't know how to go about solving it. Concerning the 1st link you gave above: for weeks, a Google search for "Port 3460 firefox" has had the #1 hit as the MozillaZine forum thread (which has included the 'fix' since Oct 11th) - so they wasted 2 weeks troubleshooting before eventually giving up!! Concerning the 2nd, user 'Tweeble' posted 1 specific 'fix' 11 days after it was posted on MozillaZine - and no doubt only because he found it due to it being the top hit in Google. Do future users affected by the symptoms want to go through the same fruitless procedure on AV forums? I doubt it. Besides, there are many legitimate reasons why they might experience some of the symptoms, as I've stated in the KB article, so by simply sending them off to an AV forum - they may be off on a wild goose-chase. If a user still cannot solve the problems with the steps I've listed here, it's up to them to find a site they feel comfortable receiving advice from - I have no desire to link the article to any 1 AV forum. -- [[RenegadeX 10:23, 4 November 2006 (UTC)]] --
RenegadeX, you said, "This KB article is not intended to be a complete reference/encyclopedia of the documentation going back almost 5 months - it is meant to be a simple step-by-step 'what you need to know in order to troubleshoot the problem'." My objections include the authoritative tone taken and almost total lack of references for the named malware, except for the generic Webroot SpySweeper "Trojan-Backdoor-Poison Ivy" reference. Even if references are contained in the MozillaZine forum thread (which, for the most part, they're not) you should still link to them directly. The article starts off, "The symptoms described on this page are typical of the trojan "Backdoor BDS/PoisonIvy.20.A" (and similar variants)." Do you have even a single reference for "Backdoor BDS/PoisonIvy.20.A" or variants (in English, please)? For example, I found a reference for BackDoor CEP.svr Trojan (McAfee) ... another for Backdoor.Darkmoon (both mentioned in the article). For comparison, see the post by harrywaldron in the MozillaZine Tech forum topic on the FormSpy malware (note the multiple reference links): FormSpy - Spyware program hooks into Mozilla Firefox. Alice Wyman
As for being a simple step-by-step... I don't mind pointing out how to identify possible spyware infestations (even to the extent of identifying the specific files and registry entries) but stopping there. However, (repeating myself now) as far as instructions for removing Windows system files and registry entries, that's certainly something better left to Windows and security-related forums. I suggested adding those other forum links to refer people to places better suited for that type of help. I'll say it again, a MozillaZine KB article shouldn't be the place to instruct users how to manually remove spyware, especially via Windows Safe Mode, manual edit of the registry and deleting Windows system files. Alice Wyman 17:22, 5 November 2006 (UTC)
- I wonder too why commercial programs can't detect and remove problems, although users can do so just by inspecting a few registry entries, etc. I'm confused. By the way, I admit to being personally interested because I have a problem with a computer that I haven't been able to fix. --AnotherGuest. 6 Nov 06
The usual causes of this issue
Is the cause of this issue in the vast majority of cases malware?--Np 19:11, 30 December 2006 (UTC)