mozilla.cfg infected with Adware.PL.Besttoolbars.vl
Gridinsoft Anti-Malware v.4.2.66
Report file date: 3/4/2023 14:35:47
Last update: 3/4/2023 14:35:47
Quick Scan started
Scanning process...
c:\program files\mozilla firefox\mozilla.cfg ---- General PartOfThreat
Adware.PL.Besttoolbars.vl MD5: 18F38A5E209C9812EB124D0BB62E76C1:800
I have tried all means to remove this but still get the warning after each reboot with this infected file. Ran Spybot Search and Destroy, Gridinsoft Anti-Malware, MRT (twice, 23 hours each time), MSERT (twice)..., RogueKiller, and a few others.
All Replies (5)
Are you able to view the contents of the mozilla.cfg file? For example, right-click > Open With, then choose Notepad or Wordpad (or another plain text editor).
It would be part of a two file startup script that modifies Firefox in some way. The other part would be here:
C:\Program Files\Mozilla Firefox\defaults\pref
In that folder, you should only find one file, named
channel-prefs.js
Any other file there is a customization you can remove. If your computer is managed by an IT department, though, check with them first.
Two Additional Notes:
(1) By default, Windows hides the .js file extension. You can set Windows to show all file extensions so it is clearer what kinds of files you are dealing with. This site has steps: https://www.bleepingcomputer.com/tutorials/how-to-show-file-extensions-in-windows/
(2) Do not double-click a .js file -- that causes Windows to execute it as a system script. To view its contents, right-click the file and choose Edit.
text says:
lockPref("extensions.blocklist.enabled", true);
lockPref("browser.safebrowsing.phishing.enabled", true);
lockPref("browser.safebrowsing.malware.enabled", true);
lockPref("browser.safebrowsing.blockedURIs.enabled", true);
lockPref("browser.safebrowsing.downloads.enabled", true);
lockPref("browser.safebrowsing.downloads.remote.enabled", true);
lockPref("browser.safebrowsing.downloads.remote.block_dangerous", true);
lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", true);
lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", true);
lockPref("browser.safebrowsing.downloads.remote.block_uncommon", true);
lockPref("browser.pagethumbnails.capturing_disabled", false);
lockPref("webgl.disabled", false);
lockPref("webgl.enable-webgl2", true);
And C:\Program Files\Mozilla Firefox\defaults\pref has two files, here is a screenshot of the second one. Beacon is part of Spybot.
Could the c:\program files\mozilla firefox\mozilla.cfg be a false positive?
If you right-click > Edit antibeacon.js, does it point Firefox to mozilla.cfg?
Either way, the contents of mozilla.cfg do not look dangerous so I don't know what the alert was about, unless it also cleaned the file.
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
Chosen Solution
Okay, it seems that the files are related, but I don't know why they were created. Maybe Spybot has some documentation on it.
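The manual check the replies walk through, as an added Python example (not code from anyone in this thread, Mozilla, or Spybot): it lists files in defaults\pref other than channel-prefs.js, follows general.config.filename to the config file, and reports which prefs that file locks. Treating a false value on the Safe Browsing and blocklist prefs as worth a closer look is an assumption of this example, and demo() runs on constructed files modelled on the two posted above.

```python
import re, tempfile
from pathlib import Path

# Matches pref("name", value) and the lockPref / defaultPref / user_pref variants.
CALL = re.compile(r'\b(pref|lockPref|defaultPref|user_pref)\(\s*"([^"]+)"\s*,\s*("[^"]*"|[^\s)]+)\s*\)')
# Assumption of this example: a false value on these prefs (named in the thread) deserves review.
PROTECTIONS = ("browser.safebrowsing.", "extensions.blocklist.enabled")

def parse_prefs(text):
    """Return (function, pref name, value) for every pref call found in text."""
    out = []
    for fn, name, raw in CALL.findall(text):
        if raw.startswith('"'):
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            value = int(raw) if raw.lstrip("-").isdigit() else raw
        out.append((fn, name, value))
    return out

def audit(install_dir):
    """Summarise autoconfig customisations under a Firefox install directory."""
    install_dir = Path(install_dir)
    pref_dir = install_dir / "defaults" / "pref"
    extra = sorted(p.name for p in pref_dir.glob("*")
                   if p.is_file() and p.name != "channel-prefs.js")
    cfg_name, prefs = None, []
    for name in extra:  # any extra file may point Firefox at a config file
        for _, key, value in parse_prefs((pref_dir / name).read_text(errors="replace")):
            if key == "general.config.filename":
                cfg_name = value
    if cfg_name and (install_dir / cfg_name).is_file():
        prefs = parse_prefs((install_dir / cfg_name).read_text(errors="replace"))
    weakened = [k for _, k, v in prefs if k.startswith(PROTECTIONS) and v is False]
    return {"extra_pref_files": extra, "config_file": cfg_name,
            "locked": [k for fn, k, _ in prefs if fn == "lockPref"], "weakened": weakened}

def demo():
    """Run audit() on a constructed directory holding excerpts of the thread's two files."""
    with tempfile.TemporaryDirectory() as root:
        pref_dir = Path(root, "defaults", "pref")
        pref_dir.mkdir(parents=True)
        (pref_dir / "channel-prefs.js").write_text('pref("app.update.channel", "release");\n')
        (pref_dir / "antibeacon.js").write_text(
            'pref("general.config.filename", "mozilla.cfg"); pref("general.config.obscure_value", 0);')
        Path(root, "mozilla.cfg").write_text(
            'lockPref("extensions.blocklist.enabled", true); lockPref("webgl.disabled", false);')
        return audit(root)
```

On a real machine, call audit(r"C:\Program Files\Mozilla Firefox"); an empty "weakened" list together with a known "extra_pref_files" entry matches the situation described in this thread.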