How do I get rid of malware entries in my Prefs.js file (stored in my profile folder)?
I want to get rid of anything that contains the string "claro" in it. Here is part of my prefs.js file that shows what I want to clear:
\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi\"},\"jid1-LSHV456F7wAw9g@jetpack\":{\"version\":\"1.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\Clayton\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\jid1-LSHV456F7wAw9g@jetpack.xpi\"}}");
user_pref("extensions.bprivacy.DataDir", "C:\\Users\\Clayton\\AppData\\Roaming\\Macromedia");
user_pref("extensions.bprivacy.LSOcount", 23);
user_pref("extensions.bprivacy.donotaskonexit", true);
user_pref("extensions.bprivacy.initiated", 3);
user_pref("extensions.bprivacy.lastSession", "Sunday, September 09, 2012 10:13:43 PM");
user_pref("extensions.bprivacy.removed", 291);
user_pref("extensions.bprivacy.removedSession", 287);
user_pref("extensions.claro.admin", false);
user_pref("extensions.claro.aflt", "babsst");
user_pref("extensions.claro.autoRvrt", "false");
user_pref("extensions.claro.dfltLng", "en");
user_pref("extensions.claro.excTlbr", false);
user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56");
user_pref("extensions.claro.instlDay", "15610");
user_pref("extensions.claro.instlRef", "sst");
user_pref("extensions.claro.prdct", "claro");
user_pref("extensions.claro.prtnrId", "claro");
user_pref("extensions.claro.tlbrId", "claro");
user_pref("extensions.claro.vrsn", "1.6.4.1");
user_pref("extensions.claro.vrsni", "1.6.4.1");
user_pref("extensions.claro_i.newTab", false);
user_pref("extensions.claro_i.smplGrp", "none");
user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");
All Replies (7)
Additional info:
I also found these lines in my user.js file. How do I get rid of them? (They are also the ONLY lines in user.js.)
(Claro is known malware and these entries were not discovered by the malware "malbytes" program).
user_pref("extensions.claro.admin", false);
user_pref("extensions.claro.aflt", "babsst");
user_pref("extensions.claro.autoRvrt", "false");
user_pref("extensions.claro.dfltLng", "en");
user_pref("extensions.claro.excTlbr", false);
user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56");
user_pref("extensions.claro.instlDay", "15610");
user_pref("extensions.claro.instlRef", "sst");
user_pref("extensions.claro.prdct", "claro");
user_pref("extensions.claro.prtnrId", "claro");
user_pref("extensions.claro.tlbrId", "claro");
user_pref("extensions.claro.vrsn", "1.6.4.1");
user_pref("extensions.claro.vrsni", "1.6.4.1");
user_pref("extensions.claro_i.newTab", false);
user_pref("extensions.claro_i.smplGrp", "none");
user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");
And if that weren't enough, I found a reference to "isearch" in my "search.json" file:
Files\\Mozilla Firefox\\searchplugins\\amazondotcom.xml"},{"_id":"[app]/avg-secure-search.xml","_name":"AVG Secure Search","_hidden":false,"description":"AVG Secure Search","__searchForm":"https://isearch.avg.com/","_iconURL":"data:image/x-icon,%00%00%01%00%01%00%10%10%00%00%00%00%20%00h%04%00%00%16%00%00%00(%00%00%00%10%00%00%00%20%00%00%00%01%00%20%00%00%00%00%00%40%04%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00pn%03%1Fb%83%15%25U%911
And one to "Babylon" in my search-metadata.json file (also malware) as follows:
"{"[app]/babylon.xml":{"hidden":true,"alias":null},"[app]/yahoo.xml":"
See [/questions/934390]
You can remove that user.js file if you didn't create it yourself.
If you did and want to keep some settings then only remove the unwanted user_pref() lines.
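The cleanup described in the reply above, as an added Python example that is not part of the original thread: it removes only `user_pref()` statements whose name sits in the unwanted add-on's namespace, keeps a `.bak` copy, and lists prefs that merely mention the term in their value for manual review. Assumptions: Firefox is closed while the file is edited, `user.js` is deleted or cleaned as well (Firefox re-applies it at every start), and the names `split_prefs`, `clean_file` and `SAMPLE` are hypothetical.

```python
import re
import shutil
from pathlib import Path

# One user_pref("name", value); statement. The value is a quoted string
# (backslash escapes allowed) or a bare literal such as true or 23.
PREF_RE = re.compile(
    r'user_pref\("((?:[^"\\]|\\.)*)",\s*("(?:[^"\\]|\\.)*"|[^;"]*?)\);')

def split_prefs(text, term):
    """Return (kept_text, removed_names, review_names) for one prefs file."""
    # Assumption: the unwanted add-on keeps its prefs under extensions.<term>
    # followed by "." or "_", as extensions.claro.* and extensions.claro_i.* do.
    in_namespace = re.compile(
        r'extensions\.' + re.escape(term) + r'(?:[._]|$)', re.I)
    removed, review = [], []

    def decide(match):
        name, value = match.group(1), match.group(2)
        if in_namespace.match(name):
            removed.append(name)
            return ""                      # drop the whole statement
        if term.lower() in value.lower():
            review.append(name)            # kept, but worth a manual look
        return match.group(0)

    kept_lines = []
    for line in text.splitlines():
        new = PREF_RE.sub(decide, line)
        if new != line and not new.strip():
            continue                       # line held only removed prefs
        kept_lines.append(new)
    return "\n".join(kept_lines) + "\n", removed, review

def clean_file(path, term):
    """Rewrite path without the namespace prefs, keeping a .bak copy."""
    path = Path(path)
    kept, removed, review = split_prefs(path.read_text(encoding="utf-8"), term)
    if removed:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(kept, encoding="utf-8")
    return removed, review

# Constructed sample: pref names taken from the thread, homepage line invented.
SAMPLE = r'''user_pref("extensions.bprivacy.LSOcount", 23);
user_pref("extensions.claro.admin", false); user_pref("extensions.claro.prdct", "claro");
user_pref("extensions.claro_i.newTab", false);
user_pref("browser.startup.homepage", "http://search.example/?src=claro");
'''
```

Matching on the pref name rather than on any line containing the string leaves unrelated prefs intact; a value-only hit, such as a changed homepage, lands in the review list instead of being deleted.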
The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information. Note: This will cause you to lose any Extensions, Open websites, and some Preferences.
To Reset Firefox do the following:
- Go to Firefox > Help > Troubleshooting Information.
- Click the "Reset Firefox" button.
- Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
- Firefox will open with all factory defaults applied.
Further information can be found in the Refresh Firefox - reset add-ons and settings article.
Did this fix your problems? Please report back to us!
I closed FF, deleted my user.js file, and removed the lines containing "Claro" from my prefs.js file.
Will resetting FF do anything to my current "search.json" file and my "search-metadata.json" file?
I had a rather rough experience the last time I reset FF and it took me quite a while to get it back to the way I wanted it.
Resetting Firefox will create a new profile and only some data gets imported and this doesn't include search engines that were manually installed in the old profile. Only search engines installed via the Firefox program folder will be installed.
If you remove the search.json file then Firefox will regenerate a new file.
What is the content of the "search-metadata.json" file if you inspect it with a text editor?
The following is the entire content of search-metadata.json as opened by notepad:
{
"[app]/babylon.xml":{"hidden":true,"alias":null},
"[app]/yahoo.xml":{"hidden":true,"alias":null},
"[app]/bing.xml":{"hidden":true,"alias":null},
"[app]/eBay.xml":{"hidden":true,"alias":null},
"[app]/twitter.xml":{"hidden":true,"alias":null},
"[app]/wikipedia.xml":{"hidden":true,"alias":null}
}
I suspect there is no harm in simply deleting the line containing "Babylon".
From my search.json file:
Files\\Mozilla Firefox\\searchplugins\\amazondotcom.xml"},{"_id":"[app]/avg-secure-search.xml","_name":"AVG Secure Search","_hidden":false,"description":"AVG Secure Search","__searchForm":"https://isearch.avg.com/","_iconURL":"data:image/x-icon,%00%00%01%00%01%00%10%10%00%00%00%00%20%00h%04%00%00%16%00%00%00(%00%00%00%10%00%00%00%20%00%00%00%01%00%20%00%00%00%00%00%40%04%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00pn%03%1Fb%83%15%25U%911
Does the bolded text above mean anything to you? Possibly placed there by the malware to circumvent AVG? (I've posted that question to the AVG forum but haven't received any reply yet.)
That search engine is probably added by AVG Secure Search.