MF profile is compromised with Redirecting to Advertiser virus
I reinstalled the whole PC from scratch. Both partitions were deleted (not just formatted!) and recreated, then I reinstalled Windows. I downloaded a new, clean .exe from the official MF website and installed a perfectly clean MF (this was literally the first programme I installed on the PC). It was all fine until I logged into my girlfriend's account in order to synchronize the newly installed MF with her profile (bookmarks, history, etc.). Then that Redirecting to Advertiser virus came up. Then I reinstalled Windows again and repeated everything all over again. It happened again at the very same moment - when I logged into her MF account. Which, obviously, means that her account is hacked/has a virus. I tried literally everything that I found on the Internet, nothing really helped. I even removed MF + deleted ALL the entries in the Registry which relate to MF. When I did a clean install of MF, I got it again. Which probably means that once I log into the compromised account, the virus goes to the PC somehow (and somewhere).
PLEASE HELP ME GET RID OF THIS THING!!! Thank you very much in advance! :)
Additional System Details
- Adobe PDF Plug-In For Firefox and Netscape 11.0.12
- Google Update
- Office Authorization plug-in for NPAPI browsers
- The plug-in allows you to open and edit files using Microsoft Office applications
- Shockwave Flash 18.0 r0
- iTunes Detector Plug-in
- User Agent: Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0
I've called the big guys to help you. Good luck.
The Firefox Sync service can include add-ons that were installed into an individual user profile (it excludes add-ons installed in program folders outside of Firefox). See: How to sync your add-ons with another copy of Firefox. That seems like the thing to investigate first.
Open Firefox's Add-ons page using either:
- "3-bar" menu button (or Tools menu) > Add-ons
- in the Windows "Run" dialog, type or paste
In the left column, click Plugins. Set nonessential and unrecognized plugins to "Never Activate".
In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions.
Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.
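The advice above is to inspect the Add-ons Manager by hand. The following is an added example, not code from the thread or from Mozilla, that does the same check offline against the profile's extensions.json file, so that an add-on which does not show up in the Add-ons Manager (visible: false) or which was sideloaded from outside the profile still gets listed. The field names follow the extensions.json written by current Firefox releases, the allow-list IDs are placeholders, and the sample file is constructed.

```python
"""Audit a Firefox profile's extensions.json for hidden or unrecognised add-ons.

Added example, not code from the original thread. Field names follow the
extensions.json written by current Firefox releases; the sample below is
constructed to show one clean, one hidden and one sideloaded add-on.
"""
import json
import os

# Constructed allow-list of add-on IDs the owner installed on purpose.
# Placeholder IDs: put the IDs shown in about:support here.
KNOWN_ADDON_IDS = {"adblock@example.invalid", "flashblock@example.invalid"}

# Locations a Sync-carried add-on lands in; anything elsewhere was sideloaded
# by an installer and is neither carried nor removed by Sync.
PROFILE_LOCATIONS = {"app-profile"}

# Constructed sample in extensions.json shape.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "adblock@example.invalid", "type": "extension",
         "location": "app-profile", "visible": True, "active": True,
         "userDisabled": False, "defaultLocale": {"name": "Adblock (sample)"}},
        {"id": "{7e9a4c88-0000-4c6d-9d55-000000000001}", "type": "extension",
         "location": "app-profile", "visible": False, "active": True,
         "userDisabled": False, "defaultLocale": {"name": "Shopping Helper"}},
        {"id": "sidebar-search@example.invalid", "type": "extension",
         "location": "app-system-share", "visible": True, "active": True,
         "userDisabled": False, "defaultLocale": {"name": "Search Protect"}},
    ],
})


def audit_extensions(text):
    """Return a list of (severity, addon_id, reason) for suspicious entries."""
    findings = []
    for addon in json.loads(text).get("addons", []):
        addon_id = addon.get("id", "<no id>")
        name = addon.get("defaultLocale", {}).get("name", "<unnamed>")
        location = addon.get("location", "<unknown>")
        active = addon.get("active", False) and not addon.get("userDisabled", False)
        if not addon.get("visible", True):
            # Hidden from the Add-ons Manager: the user cannot see or remove it there.
            state = " (active)" if active else ""
            findings.append(("high", addon_id,
                             f"hidden add-on '{name}' in {location}{state}"))
        elif location not in PROFILE_LOCATIONS:
            findings.append(("medium", addon_id,
                             f"'{name}' sideloaded from {location}; Sync neither carries nor removes it"))
        elif addon_id not in KNOWN_ADDON_IDS:
            findings.append(("medium", addon_id,
                             f"unrecognised profile add-on '{name}'"))
    return findings


def audit_profile(profile_dir):
    """Audit a real profile directory (e.g. one under %APPDATA%\\Mozilla\\Firefox\\Profiles)."""
    with open(os.path.join(profile_dir, "extensions.json"), encoding="utf-8") as fh:
        return audit_extensions(fh.read())


if __name__ == "__main__":
    for severity, addon_id, reason in audit_extensions(SAMPLE_EXTENSIONS_JSON):
        print(f"[{severity}] {addon_id}: {reason}")
```

Run it with Firefox closed, against a copy of the profile folder, and compare the listed IDs with what the Add-ons Manager shows; any "high" finding is an add-on the Manager would never have let you disable.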
As I said, I tried everything before I ended up here. Literally everything I found on the Internet about similar problem(s). Without even checking, the first thing I did was exactly that - to remove every possible add-on/thing from MF. It now has only 2 plugins but they came with the clean installation of MF. I even tried to disable them, sync out/sync in again and again - 0 progress. And usually I use only a couple of add-ons - Adblock, Flashblock, maybe some other minor, but well proven over time add-on. The thing is that this happened a month ago when she was browsing and she installed something on her PC (she's not the best PC user anyway). She got these massive Advertisers, many of them. I tried to remove them, nothing really helped. Then I did this massive erase of the PC, reinstall, etc. But when I sync her profile, boom - the Advertiser comes again. So I am 99% positive it's from the profile (which basically means that it is hacked or somehow has a virus). Thanks for your replies guys! I am looking forward to an answer from "the big guys". :) P.S. I guess I am not the first/only one with such a problem, so if they find the leak and help me out, that might help others out as well. Good luck and I am looking forward to your next replies! Thanks!
I was unable to come up with any information using remove Redirecting to Advertiser as the keywords in this Google search to try to help you. A lot of variations, but nothing that I feel comfortable referring you to as a probable 'fix'. So please review the articles that search came up with and compare what you read with what you have already done to try to solve this problem. One major problem with garbage like that is the 'names used' change frequently and it's hard for anti-malware software and advocacy sites to keep up with all the name changes.
As far as Sync goes, it's basically 'dumb'. It doesn't 'screen' the data that is being synchronized, working on the assumption that the user has effective anti-virus and anti-malware protection on their devices and the data being sync'd is 'clean'. Also, Sync wasn't intended to back up and restore Firefox data for a single device, it was designed to synchronize 'clean' data across multiple devices. But that's neither here nor there on this device's problem. You were able to retrieve the Sync data, albeit with some 'data' you don't 'need' any longer. As far as Sync getting 'hacked' goes, just ain't gonna happen. Sync 'traffic' is heavily encrypted both ways when traversing the internet and when the user data is sitting on a Sync server there is no way for that data to be accessed or 'fiddled with' - by anyone. Just too hard to break the encryption and make it right / usable again. The worst that would happen might be the data could be corrupted and wouldn't even get back into a Firefox installation as usable data in any way, shape, or form.
At this point my advice is to export bookmarks in HTML format via the Library > Import & Backup. And see about exporting the passwords using the Password Exporter extension into a CSV file. https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer https://addons.mozilla.org/en-US/firefox/addon/password-exporter/ That should cover what I consider the most important data that can be recovered safely or without carrying that malware over again.
Also keep a backup of that Profile folder, just in case you need to recover specific data files as you get her Profile rebuilt afresh. Depending upon the extensions she uses, you might be able to recover specific files at a later date as you realize what is lost - those files might not be compromised.
Thank you for your answer. I was also considering this - to get the most needed data, as you said - bookmarks/passwords, and just reinstall everything all over again without syncing. That way, however, I wouldn't be able to retrieve any data from her profile from that moment on. I guess that at the very second I sync her profile with any of her devices, the PC will get "advertised" again, which means that her profile becomes useless. In order to make a new MF profile, she'll need to register a new email, which, as we know, is not the way it is supposed to be when one is trying to solve a problem, albeit being a sort of solution. P.S. Maybe I wasn't clear about something (which might be interesting to the "big guys", if the big guys are MF's developers) - when I installed MF on the clean Windows and when I got the "ad" thing, I deleted every possible thing related to MF - both on C: and in the registry (only 1 registry entry was left but it wasn't possible to delete it through Windows, maybe somehow through the BIOS?). So I thought I'd be good to go with a clean MF installation. Nope, the moment I installed MF, I got "the thing" again, without even syncing this time. So it was already on the PC/MF somehow? I hope that will be helpful somehow to someone!
Thanks once again for your answers. We are waiting for the big guys and let's see how that will go. Fingers crossed! :)
P.S. Later today (it's 11AM here) I'll try to follow your steps and see what happens. I'll get back at you guys!
Modified by IlkoSarafski
If you request a new password [after using Disconnect ... for all other devices that you wouldn't be using when you reset the Sync password] all the data sitting on the Sync server will be deleted. So she won't need to create a new account using a different email address.
As far as your 1st PS - if you picked up "the thing" before connecting to Sync, I doubt Sync was part of the problem. Sorry if I misinterpreted something you posted in your initial posting.
With "everything" you tried, did you run any rootkit remover or detection programs or "tools"? Sounds like that PC may have something 'hidden' that the format / repartition / fresh OS installation didn't fix. Something like this - https://www.malwarebytes.org/antirootkit/ Not that I am an expert on bad infections like that, never got one myself and I tend to run a self-built PC for 7 to 10 years, first as the primary and then as my backup PC. And I tend to use the same programs over the years - still using two utility programs (ClipTrakker and Parsons Screen Shot) that I bought for a Win98 PC in 1999 - they still work on Win7 32-bit, much to my surprise. I did do a little PC repair work 15-16 years ago, but too many of my clients kept making the same stupid mistakes by installing all sorts of "free" garbage within days after I got done fixing the last problem. I grew weary of re-fixing stuff at no charge to keep them happy.
I wouldn't hold my breath while waiting for "the big guys" to respond ... I have been around here since before this forum went live in 2008, doing the beta testing for this forum to help support Mozilla, and I have never met "them".
If this isn't a well known/documented problem, we need you to describe exactly how the problem manifests itself. Please be as detailed as possible. For example:
- unwanted page appears in place of the home page
- it appears even though the home page setting is correct in Options
- unwanted page appears in place of the new tab page
- it appears even though the browser.newtab.url setting is correct in about:config
- unwanted search engine makes itself the default and can't be changed
- unwanted search engine intercepts requests even though Firefox should be using the default
- unwanted site randomly appears when loading other websites
- is there any pattern about the types of sites, for example, when clicking search engine results?
Discovered Hidden Add-on On Firefox. How To Check Yours https://support.mozilla.org/en-US/forums/support-forum-contributors/711335
By the way, did you ever try using Refresh to partially purge the infected profile? This article describes what is kept and what is lost in a Refresh: Refresh Firefox - reset add-ons and settings.
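The checklist above asks whether the home page, new-tab page and default search engine settings look correct in Options and about:config even though the wrong page appears. Those settings live in the profile's prefs.js (and, if present, user.js, whose entries are re-applied at every start, which is why a hijacked setting can keep coming back after being changed in Options). The following is an added example, not code from the thread or from Mozilla, that parses those two files and flags the hijack-prone prefs. Apart from browser.newtab.url, which the post names, the pref names, trusted hosts and built-in engine list are assumptions based on Firefox of that era, and the sample files are constructed.

```python
"""Audit prefs.js / user.js for the hijack symptoms listed in the thread.

Added example, not from the original thread. Pref names other than
browser.newtab.url, the trusted hosts and the engine names are assumptions;
the sample prefs are constructed.
"""
import json
import re
from urllib.parse import urlsplit

# prefs.js and user.js consist of lines like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Hosts the owner expects the home page / new-tab page to point at (assumed).
TRUSTED_HOSTS = {"www.mozilla.org", "start.mozilla.org"}
# Search engines shipped with Firefox of that era (assumed list).
BUILTIN_ENGINES = {"Google", "Yahoo", "Bing", "DuckDuckGo", "Wikipedia (en)",
                   "Amazon.com", "eBay", "Twitter"}

URL_PREFS = {"browser.startup.homepage", "browser.newtab.url", "keyword.URL"}
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}

# Constructed sample files: a hijacked home page and search engine.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://search.hijack.invalid/?src=hp");
user_pref("browser.newtab.url", "about:newtab");
user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.search.selectedEngine", "Search Protect");
user_pref("network.cookie.lifetimePolicy", 0);
"""
SAMPLE_USER_JS = """\
user_pref("browser.startup.homepage", "http://search.hijack.invalid/?src=hp");
"""


def parse_prefs(text):
    """Map pref name -> value; values are JSON-compatible literals in these files."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep anything unparseable verbatim for review
    return prefs


def _url_ok(value):
    # Several home pages may be separated by '|'; about: pages are fine.
    for url in str(value).split("|"):
        parts = urlsplit(url.strip())
        if parts.scheme == "about":
            continue
        if parts.hostname not in TRUSTED_HOSTS:
            return False
    return True


def audit_prefs(prefs_text, user_js_text=None):
    """Return a list of (pref, value, reason) findings."""
    findings = []
    prefs = parse_prefs(prefs_text)
    for name in sorted(prefs.keys() & URL_PREFS):
        if not _url_ok(prefs[name]):
            findings.append((name, prefs[name], "points at an untrusted host"))
    for name in sorted(prefs.keys() & ENGINE_PREFS):
        if prefs[name] not in BUILTIN_ENGINES:
            findings.append((name, prefs[name], "non-built-in search engine"))
    if user_js_text:
        pinned = parse_prefs(user_js_text)
        for name in sorted(pinned.keys() & (URL_PREFS | ENGINE_PREFS)):
            findings.append((name, pinned[name],
                             "pinned in user.js; re-applied at every start so Options changes do not stick"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in audit_prefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"{pref} = {value!r}: {reason}")
```

If the audit reports nothing yet the unwanted page still appears, the redirect is not coming from these settings, and an extension or something outside the profile is the more likely source, which is the distinction the checklist above is trying to draw.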