I have the exact same problem. Platform - windows 7 64. It does not only attack firefox. It hacks all your web browsers (firefox, i.e. and I'm guessing it also would have done chrome, too)... that means it's either installed as an extension or as some piece of global cached scripting code (for all browsers)...or maybe even something more global.
I've managed to "hack" a "bandaid" solution to the problem - namely to block these ip's with windows firewall, and also to download the firefox adblock extension, but that does not address the underlying problem, namely that the system itself has been hacked.
PARTIAL RESOLUTION (solves most of the visual misery):
Search your windows directory, and edit either "lmhosts" or "hosts" to map these url's to
"localhost":
(promo.cityads.ru)
(track.impreskin.pl)
(rcm-na.amazon-adsystem.com)
(www.juicyads.com)
-or-
block these remote ip's in firewall settings
(72.21.202.62)
(81.177.161.202)
(54.192.118.235)
(199.83.129.149)
-and-
install adblock for firefox.
This will =still= leave you with the hacker's name on your pages.
UNRESOLVED ANGLES TO FIX THE REST:
I'm still working on this part... but I'm trying a disk file contents search for .js and/or php / css files containing:
"wygladzanie zmarsczek"
and the above url's
^remove related files
Barring success, see about clearing all .js, php and css caching... sorry, but I'm still working on finding out how to do that.
None of that proves you have really cleaned all the malware from your pc. It's just addressing a symptom (like if you had a disease but took aspirin to reduce the pain). There might be alot more this virus left on the pc.
So this solution is a far cry from "perfection", which would be to understand the attack vector this virus used, to close the security hole, and to remove all files it may have deposited -- but it's still alot better than nothing.
If anyone can come up with the formal name for this attack and answer any of those questions, it would help to build a public understanding which resolves the problem.
RESULTS:
These files came back associated with that search signature:
C:\Users\computer_name\AppData\Local\Mozilla\Firefox\Profiles\pxxczg4r.default\cache2\entries\2E0C4058E084A83FFD5E59DF25634B4708213893
C:\Users\computer_name\AppData\Local\Mozilla\Firefox\Profiles\pxxczg4r.default\cache2\entries\C116A7489A2D13D65DA56BD218030121E46D2476
C:\Users\computer_name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HND03M2G\ga[1].js
Relativize the path for your own pc by replacing "computer_name" with your own self-referential pc name. Those cache files are generated with what might be a random name under firefox... nuking the entire cache might be the best solution.
1I'm not sure why you are thinking it is as a malware. It's just a banner. You would see them everywhere on internet. – Haplo – 2014-10-27T15:03:16.940
2because this ads is not for that sites , ads display in stackoverflow or my personal website that i not add this ads in my site – mohammad6006 – 2014-10-27T16:20:13.463
Are you also using Edimax router as me?
– Martin Prikryl – 2014-10-29T07:09:14.760@MartinPrikryl : No , i am using D-link wireless modem are you think this virus source is one pc or mobile that connect to this modem? – mohammad6006 – 2014-10-29T19:07:48.133
@MartinPrikryl : Do you know name of this kind virus? – mohammad6006 – 2014-10-29T20:33:56.173
@mohammad6006 Do you mean your PC/mobile or attacker's PC/mobile? I do not believe the source of the problem is infected PC/mobile. I do not even think that someone hacked your Wi-Fi (and re-configured the router afterwards). As the problem seems world-wide, remote exploiting of some router vulnerability is more likely. – Martin Prikryl – 2014-10-30T07:04:24.003
@MartinPrikryl i want research about this kind of vulnerabilities. can you help me what keywords should i search? – mohammad6006 – 2014-10-31T07:37:47.623
@mohammad6006 I do not know. I had difficulties myself finding anything about it. – Martin Prikryl – 2014-10-31T07:52:04.397
Something like "D-link/Edimax router vulnerability". I've found Router Vulnerability. Though it mentions Edimax only, not D-link.
– Martin Prikryl – 2014-10-31T07:57:59.087