Firefox has a process running right from starting my pc which uses 70% or more of cpu and renders normal tasks undoable until I manually close it.
It shows up as a different process than normal and if I close it while Firefox is open, nothing happens except my pc runs better. Firefox continues to work normally.
Since it starts up at Windows startup, I changed the toolkit value in about:config to false. No changes. I started Firefox in safe mode to see if any extensions were causing the issue. Nope, the process was still there. It seems to be an independent process closing which doesn't affect Firefox at all, even while running but the location of this process is still the Firefox.exe in the install directory. I'm going to try a full clean installation with revo Uninstaller to see if anything changes. I love Firefox and it's the only reason I wanna fix it instead of just switching.
Any help would be really really appreciated.
Vybrané riešenie
Thanks for the report and hopefully it's gone for good!
Čítať túto odpoveď v kontexte 👍 0Všetky odpovede (14)
Hi Phoenix Shade, this sounds a bit malware-ish to me, so running some well-regarded cleaning tools as a supplement to your regular security software may be in order. This article has a list: Troubleshoot Firefox issues caused by malware.
Meanwhile, you can check whether it's even the main installation of Firefox running. In the Windows 10 Task Manager, there's a tab called Details which allows adding a "Command Line" column. (In Windows 7, it was on the Processes tab.) Does the mystery process start from the main Firefox installation or from some other folder? Usually the other folder pattern indicates unwanted software disguising its traffic.
I missed this part:
Phoenix Shade said
It seems to be an independent process closing which doesn't affect Firefox at all, even while running but the location of this process is still the Firefox.exe in the install directory.
Does the command line show a particular profile being used or any other unusual parameters?
jscher2000 said
I missed this part:Phoenix Shade said
It seems to be an independent process closing which doesn't affect Firefox at all, even while running but the location of this process is still the Firefox.exe in the install directory.Does the command line show a particular profile being used or any other unusual parameters?
That's the issue. I thought it was some malware, and it still could be I'm still trying to see, but when i went to the details of the process, it was firefox.exe and when i opened the file location of the process it was the .exe file in the folder in which firefox is installed. That is what confuses me, it looks legit.
And how do I see the parameters and what would be considered unusual?
Phoenix Shade said
And how do I see the parameters and what would be considered unusual?
Add the Command Line column to your Details tab in the Windows Task Manager.
Normally, the main process Command Line looks like this:
"C:\Program Files\Mozilla Firefox\firefox.exe"
and child processes spawned by the main process have a Command Line like this:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="numbers" ...
What would be unusual is any URL specified, or any profile specified, etc.
There's also a tool from Microsoft that shows a parent child relationship between processes which is sometimes handier:
https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
I just did a reinstall after uninstalling using revo uninstaller. once installed, after a restart, this started happening again.
jscher2000 said
Phoenix Shade said
And how do I see the parameters and what would be considered unusual?Add the Command Line column to your Details tab in the Windows Task Manager.
Normally, the main process Command Line looks like this:
"C:\Program Files\Mozilla Firefox\firefox.exe"
and child processes spawned by the main process have a Command Line like this:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="numbers" ...
What would be unusual is any URL specified, or any profile specified, etc.
It doesn't seem unusual. The processes that start from running my current window of firefox and the problem process (the highlighted one) are quite similar. And I ran a full system scan with microsoft security, no problems were detected.
I don't know if it's relevant, but I recently upgraded to windows 10 2004. So, is it possible that it might be a factor?
So the one that says -headless is meant to be invisible to you and it uses -no-remote and -P "user" to avoid locking your regular profile.
Something in that user profile would be a clue to why it uses so much CPU. Maybe it's just a little cryptomining for profit or maybe it's something worse. However, it's hard to describe how best and most safely to investigate that further.
I suggest renaming that user profile to see whether that makes it difficult for the unwanted process to start up. Here's how:
Profile Manager Page
Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.
This page should list at least one profile and could list many. (Each profile has two folders and one or more buttons. Do not use any Remove buttons!)
Find the one that says:
Profile: user
and use its Rename button to hide it using, say, test instead.
Please also review your Scheduled Tasks for any startup task that has a similar command line.
Checking that command line a bit more, it seems to direct Firefox to connect to a subdomain under window-updates-service.com -- sounds legit, but not really according to some Google results:
https://www.google.com/search?q=%22window-updates-service.com%22
Wow, this seems to be more sinister what it appeared to be. I have the same problem as the guy in the reddit post but they just said that the website was quite cpu intensive, while your theory of cryptominers makes much more sense.
So, i changed the name of the profile "user" to "test". By next restart, the test profile was still there but another profile named user had popped up, with the process still going on in the background. The renaming didn't stop it from starting.
As for the task scheduler, there is a task from what it says to be Mozilla, but after your lesson, I'm not so sure. It does seem suspicious that it starts up at 00:01 every day and in the conditions, it is said to retry if the scheduled startup time is missed.
So what should i do now? How do i get rid of that miner? And how did it get there in the first place, as i mostly use it for my college work and steam, so i don't download stuff from outside.
I think that Mozilla task might be related to whether Firefox is default browser. Since this is more of a startup issue, I guess actually Autoruns would be a better tool to find it than the Task Scheduler:
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
But please return to my original suggestion and run some additional malware cleaners, or go to the forums listed in the article for advanced troubleshooting.
jscher2000 said
I think that Mozilla task might be related to whether Firefox is default browser. Since this is more of a startup issue, I guess actually Autoruns would be a better tool to find it than the Task Scheduler: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns But please return to my original suggestion and run some additional malware cleaners, or go to the forums listed in the article for advanced troubleshooting.
I installed Autoruns and saw a log on process named windows update service. It led me to a file named Windows Updates Service.vbe and after searching on the web, it led me to this
So i installed Malwarebytes and ran a scan. It detected the file and its registry entries as malware. After quarantining and deleting it, the problem seems to be solved.
Now that i know that this problem was not in Firefox but in my PC, I'm even more grateful for your help! Thanks a lot!
Vybrané riešenie
Thanks for the report and hopefully it's gone for good!