Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Keep getting this in firefox

  • 7 ŋuɖoɖowo
  • 2 masɔmasɔ sia le wosi
  • 1 view
  • Nuɖoɖo mlɔetɔ Bunker

more options

Trojan:HTML/Phish!pz file: \Device\HarddiskVolumeShadowCopy15\Users\Dean\AppData\Local\Mozilla\Firefox\Profiles\2lamkcbc.default-release\cache2\entries\007C6A02D270A6BD3D63FB53453745ADFB1CD69A

Trojan:HTML/Phish!pz file: \Device\HarddiskVolumeShadowCopy15\Users\Dean\AppData\Local\Mozilla\Firefox\Profiles\2lamkcbc.default-release\cache2\entries\007C6A02D270A6BD3D63FB53453745ADFB1CD69A
Screen ƒe photowo kpe ɖe eŋu

All Replies (7)

more options

This is explained in bug 1872395. Please remove cache2 folder.

more options

Microsoft Defender has been the only scanner reporting this alleged Trojan in the Cache folder for a while now. Check for definitions updates if any in your scanner.

You are not infected if this was only found in the Cache folder as it is harmless if left alone there. It will either get overwritten over time as Cache gets used or deleted if you clear the Cache. https://support.mozilla.org/en-US/kb/how-clear-firefox-cache

This old KB article was for older versions of Firefox in mind with the settings, however still relevant. https://support.mozilla.org/en-US/kb/Firefox%20cache%20file%20was%20infected%20with%20a%20virus

more options

Note that this could be a problem with making the backup when Firefox is running by using a special ShadowCopy technique that takes a snapshot, you can never be sure that restoring such a backup would work properly as the disk cache is updated extensively and the cache index files may only be written to the hard drive when you close Firefox, so there is likely a mismatch.

There is no real need to backup data stored in the secondary profile location in "AppData\Local" as only the disk cache and other temporary is stored there. The main profile folder with your personal data like bookmarks and logins is stored in "AppData\Roaming".

more options

Thank you all i think it's sorted now

more options

I have exact same problem. I understand this is being investigated as bug 1872395, but I'm hedging my bets that this could possibly be an actual trojan spread across multiple websites. I viewed the "infected" cache entry/file, and it looks like a mix of javascript and binary data. The cache entry filesystem file timestamp that I found matched an entry in the about:cache listing, but the file size was significantly different. I didn't find any entries in the about:cache list that matched the # of bytes in the file that MS Defender is flagging as infected with Phish!pz. I can provide it to anyone who wants to investigate in depth. I placed a copy in another folder that is included in the backup. I manually scanned it with MS Defender, and it was not flagged as infected. I'll see if it gets flagged in the next backup. The javascript in the "infected" file was a suspect-looking, but I'm not sure. I am going to clear the cache (and delete the shadow copies) and stop using FireFox for a few days and look for clean backups. Then I will return (only) to the site where I think I picked up the trojan (seen within in the infected cache file) and see if MS Defender flags it again.

more options

The entries in the cache folder contain a lot of meta data like the HTTP response headers apart from the actual file data, so you can't compare the file size. As you can see in the link, Defender complains about data in the HarddiskVolumeShadowCopy and not about actual data in the profile folder. Defender copies this data from the cache2 folder to the HarddiskVolumeShadowCopy at some point in time and thus entries might not be complete and the file data can also be compressed and thus can contain all kind of binary data that Defender doesn't know about.

more options

Thanks very much for the lesson (and for being a moderator and top contributor) @cor-el. I understand and agree with most of your reasoning. Where I'm getting stuck is "thus entries might not be complete and the file data can also be compressed and thus can contain all kind of binary data." That would tend to make the data copied to the shadow copy more random in nature, and less likely to be consistently flagged by Defender as many times as this issue appears to be occurring. I understand why MS doesn't publish the IOCs it uses to detect this threat. I hope (and mostly believe) that it impossible for the FF source code chain to be compromised without causing test failures (i.e. probably a bug), but it is going to be an uphill battle to convince the others up-the-chain from me. Godspeed in getting this fixed or negotiated with MS!