Need help killing nasty Firefox virus / adware
One of the computers in my office has a nasty Firefox virus / adware. Only Firefox is affected, Chrome and IE are okay. Get lots of advertising pop-ups even though pop-up blocking is enabled. Lots of nonstandard advertisement pictures appear on most web pages. Hyperlinks show more advertising pop-ups when you hover over some of them. Firefox performance is very slow. When I use "Copy Link Location" over hyperlinks and pop-ups they each have a different core URL - too many to try to block through firewall or virus software. AVG anti-virus scan, Malwarebytes scan, AdwCleaner, HitmanPro all come up clean. All Firefox plug-ins and extensions are disabled. Reset of Firefox didn't fix it. Deinstall/reinstall of Firefox didn't either. Ran CCleaner on both files and registry. No suspicious programs show up in Control Panel. Ran anti-virus, Malwarebytes, AdwCleaner, CCleaner again while in safe mode. No joy.
Any ideas?
Thanks,
Rob
Mafitar da aka zaɓa
Occasionally, malware might change settings in Firefox's program folders. To address that:
Clean Reinstall
We use this name, but it's not about removing your settings, it's about making sure the program files are clean. As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.
(1) Download a fresh installer for Firefox 37.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.)
(2) Exit out of Firefox (if applicable).
(3) Rename the program folder
(64-bit Windows folder names)
C:\Program Files (x86)\Mozilla Firefox
to
C:\Program Files (x86)\OldFirefox
(32-bit Windows folder names)
C:\Program Files\Mozilla Firefox
to
C:\Program Files\OldFirefox
(4) Run the installer you downloaded in #1. It should automatically connect to your existing settings.
Any difference?
Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:
- \OldFirefox\Plugins
- \OldFirefox\browser\plugins
All Replies (8)
rerickson said
One of the computers in my office has a nasty Firefox virus / adware. Only Firefox is affected, Chrome and IE are okay. Get lots of advertising pop-ups even though pop-up blocking is enabled. Lots of nonstandard advertisement pictures appear on most web pages. Hyperlinks show more advertising pop-ups when you hover over some of them. Firefox performance is very slow. When I use "Copy Link Location" over hyperlinks and pop-ups they each have a different core URL - too many to try to block through firewall or virus software. AVG anti-virus scan, Malwarebytes scan, AdwCleaner, HitmanPro all come up clean. All Firefox plug-ins and extensions are disabled. Reset of Firefox didn't fix it. Deinstall/reinstall of Firefox didn't either. Ran CCleaner on both files and registry. No suspicious programs show up in Control Panel. Ran anti-virus, Malwarebytes, AdwCleaner, CCleaner again while in safe mode. No joy. Any ideas? Thanks, Rob
I forgot to mention - OS is Windows 8.1.
Could you check whether Firefox has a non-standard connection setting? You can do that here:
"3-bar" menu button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button
The default "Use system proxy settings" should piggyback on your Windows/IE "LAN" settings. But you can try "No proxy" to see whether that makes any difference.
It sounds as though you have undertaken the standard clean-up measures, but just in case: Here's my suggested procedure for tracking down and cleaning up bad add-ons.
(1) Open the Windows Control Panel, Uninstall a Program. After the list loads, click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Take out as much trash as possible here.
(2) Open Firefox's Add-ons page using either:
- Ctrl+Shift+a
- "3-bar" menu button (or Tools menu) > Add-ons
In the left column, click Plugins. Set nonessential and unrecognized plugins to "Never Activate".
In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions.
Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.
Any improvement?
(3) You can search for remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware. These on-demand scanners are free and take considerable time to run. If they finish quickly and especially if they require payment, you may have a serious infection. I suggest the specialized forums listed in the article in that case.
Success?
Zaɓi Mafita
Occasionally, malware might change settings in Firefox's program folders. To address that:
Clean Reinstall
We use this name, but it's not about removing your settings, it's about making sure the program files are clean. As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.
(1) Download a fresh installer for Firefox 37.0 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.)
(2) Exit out of Firefox (if applicable).
(3) Rename the program folder
(64-bit Windows folder names)
C:\Program Files (x86)\Mozilla Firefox
to
C:\Program Files (x86)\OldFirefox
(32-bit Windows folder names)
C:\Program Files\Mozilla Firefox
to
C:\Program Files\OldFirefox
(4) Run the installer you downloaded in #1. It should automatically connect to your existing settings.
Any difference?
Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:
- \OldFirefox\Plugins
- \OldFirefox\browser\plugins
Thanks jscher2000. I tried everything in both your posts. The very last thing - Clean Reinstall - appears to have done the trick. Keeping my fingers crossed it stays dead. Thanks so much for taking the time to help.
Rob
Seems someone over at Bleeping Computers found the route of the problem.
http://www.bleepingcomputer.com/forums/t/571984/ads-by-name/page-3#entry3671244
The short version of it is to try renaming "C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\my-prefs.js" & "C:\Program Files (x86)\Mozilla Firefox\my.cfg" to something like "oldmy-prefs.js" & "oldmy.cfg" then restart Firefox. If that fixes the problem, delete the files you named old and you are clean!
This seems to be a very recent virus/adware exploiting an issue with Firefox. Hopefully this will get passed on to Mozillas Dev Team to take a look at.
An gyara
Hi JimmyTwoShoes, the
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\somerandomname.js
file is used to set default preferences or even to "lock" preferences in Firefox. It points to a particular
C:\Program Files (x86)\Mozilla Firefox\anyrandomname.cfg
file. I think there have been one or two other unwanted programs doing a similar thing in the past.
Because the file names could be anything, we generally recommend using the "Clean Reinstall" procedure as a quick way to replace the program folder instead of trying to investigate the files. But if you prefer a more surgical approach, it makes sense to be suspicious of anything in
C:\Program Files (x86)\Mozilla Firefox\browser\defaults\preferences\
which normally only has a channel-prefs.js file in it with one active line after the comment block:
pref("app.update.channel", "release");
Just a note for whom the above "clean install" did not fix this nasty problem. (I'm using WINXP.) I had the same symptoms as rerickson iterated. Sometimes I had so many popups on my window in one case (had popups turned off in Firefox, of course), that I could see only a tiny bit of the web page in the middle ! I would also get new ad web pages being spawned when I just clicked on the background of a web page.
I tried uninstalling and even deleted (besides the "Program Files" directory) my Firefox files in "Documents & Settings" (i.e. I deleted almost all files except my "places.." and "cookies..." files). This all had no effect on the damned popups and cursor-popups. The problem affected only Firefox and not IE.
The cause turned out to be that I had a POS called "intelliterm" installed. It's binary is called "itsvc.exe" and if you see that running in your taskmgr, you know you have this same problem. As a quick fix, just killing the itsvc.exe process stopped the web ads and junk. You want to uninstall the intelliterm product under "Add or remove programs".
Hope this helps those who couldn't fix the malware with the clean re-install. I'm surprised that one of the developers here hasn't had this problem. I guess they are more conservative surfers than I am.
Hi c2mail, thank you for the tip.
There are numerous programs that can cause this problem, and the original poster had already run through the routine steps for malware cleanup and add/remove programs, so we jumped to some other issues rather than starting at the beginning.