hello, firefox downloads directly from mozilla.org are free of any sort of malware. in addition updates are handled automatically by firefox so you don't have to download anything (you can initiate a check for updates in firefox > help > about firefox).

it may have been a fake popup trying to trick you into installing malicious software - so you might also want to run a full scan of your system with the security software already in place and different tools like the free version of malwarebytes, adwcleaner & kaspersky security scan in order to make sure that there isn't already some sort of malware active on your system that triggers these false alerts.

Troubleshoot Firefox issues caused by malware

I will run my Kaspersky virus scan and see what happens. I thought it odd that this would happen right after I updated Firefox. I have done no other updates nor installations since.

Your resident AV [Kaspersky] is one of the top performing antiviruses, so should be able to clean most malware from a computer. Malwarebytes Anti-malware has a good reputation for cleaning up malware "infections", and is well worth having as a second opinion back-up. So too is SurfRight's Hitman Pro. That will give you 30 days to find malware, after that it will be necessary to buy a license to get clean-up support.

I do not know adwcleaner, but it appears to be well regarded at Wilders Security Forums.

You might like to consider a "portable" "installation" of Firefox as a means of exploring functionality which is not native to Firefox, but can be added to Firefox by means of one or two extensions which you might not want to install in your main installation, even after you have put them through their paces. Using these add-ons will allow you to explore the issue which perhaps explains your "Buttersurf" infection.

Unfortunately, some time fairly recently, last year perhaps, someone decided to put the popular browsers through a test to determine how they coped with blocking a set of known malware websites. Unfortunately, Firefox scored about 20% in that test, but that would be the "vanilla" edition from Mozilla. However, Firefox can do better, if enhanced with the right add-ons. If it suits you to explore the utility of a 'shadow' installation, you will be able to examine this phenomenon.

PortableApps http://portableapps.com/ http://portableapps.com/apps/internet/firefox_portable

NoScript Security Suite :: Add-ons for Firefox The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks. https://addons.mozilla.org/en-US/firefox/addon/noscript/

RequestPolicy :: Add-ons for Firefox Be in control of which cross-site requests are allowed. Improve the privacy of your browsing by not letting other sites know your browsing habits. Secure yourself from Cross-Site Request Forgery (CSRF) and other attacks. RequestPolicy is an extension that improves the privacy and security of your browsing by giving you control over when cross-site requests are allowed by webpages you visit. https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/

RequestPolicy will provide a full lockdown on all calls to websites/servers not listed in the address bar ["Awesome bar"], and will reveal exactly how much cross-site scripting is involved with even websites which should know better. Sometimes makes browsing hard work [eg. AVG Threat Labs], but you might appreciate the extra protection?

Wilders Security Forums http://www.wilderssecurity.com

SurfRight http:///www.surfright.nl http://hitmanpro.wordpress.com/

'"Ninety-five percent of successful exploits are Java- or PDF-based,” said Bustamante in a meeting at CNET’s San Francisco offices last June.' ZeroVulnerabilityLabs ExploitShield http://www.insanitybit.com/2012/09/28/zerovulnerabilitylabs-exploitshield/ [See the Wilders Security Forums for discussions "about other anti-malware and system protection technology". http://www.wilderssecurity.com/forumdisplay.php?s=e9d75404f5a08307c0be9586c5402925&f=35]

Delivering an executable without an executable The VRT looks at a massive amount of exploit kits a day, but this one caught our eye so we thought we'd share. While this technique isn't new, it is very interesting and further illustrates what we all believe to be true in the security world, you can't trust anything. Thursday, September 26, 2013 VRT: Delivering an executable without an executable http://vrt-blog.snort.org/2013/09/delivering-executable-without-executable.html [VRT: The Sourcefire Vulnerability Research Team.]

"Does anybody still believe browsing the Web with Flash and JavaScript promiscuously enabled and no XSS protection is a good idea?" Malware 2.0 is Now! http://hackademix.net/2008/01/12/malware-20-is-now/ http://noscript.net/features#contentblocking

Pick A Download… Part 2 Last week I wrote a blog post on the dangers of ads posing as fake download buttons on various download web sites. Since then I received a lot of feedback from our readers and other security researchers on different tools available to help users avoid these dangers by blocking the ads entirely. http://blog.malwarebytes.org/intelligence/2012/10/pick-a-download-part-2/

Bluhell Firewall offers a more compact, and faster, rule set than Adblock Plus, but Adblock Plus [without a filter subscription] remains useful as it supports custom filters which will block other spam and irritants [aka "content"] which Bluhell or Adblock might miss.

Bluhell Firewall Lightweight Ad-Blocker and Privacy Protector. https://addons.mozilla.org/en-US/firefox/addon/bluhell-firewall/

Adblock Plus :: Add-ons for Firefox https://addons.mozilla.org/en-US/firefox/addon/adblock-plus/ [The Mozilla search engine will offer nine other matches for 'Adblock']

Ghostery :: Add-ons for Firefox, Chrome, Opera Protect your privacy. See who's tracking your web browsing and block them with Ghostery. https://addons.mozilla.org/en-US/firefox/addon/ghostery/

Web of Trust - WOT :: Add-ons for Firefox https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ [Provides useful clues as to which websites are safe, and which are best avoided.]

"URLVoid.com is a free service developed by NoVirusThanks Company Srl that allows users to scan a website address with multiple website reputation engines and domain blacklists to facilitate the detection of possible dangerous [annoying, or unsavoury] websites..." [A potentially brilliant "front-end" to multiple website reputation engines; however, check any of the listed links; not all are currently read correctly by NoVirusThanks software.] http://www.urlvoid.com/

[Sorry. This support facility has messed up this posting by removing carriage returns. However, despite the messed up punctuation, this posting should still be readable.]

Please be cautious when using the links above from Quaestor, they may be malicious and haven't been vetted by SUMO forum community members

If you see it again, could you capture a screen shot of it?

Firefox may display the new add-on warning if, after a restart, it discovered an unexpected new extension in one of its folders. Typically this would have been installed from outside of Firefox. Removing unwanted software through the control panel might have stranded the extension there, but this is speculation on my part.

Jscher2000, I will do a screen if/when it happens again.. maybe after the next update of firefox. I have removed all traces of this program from my computer and am still running my virus program.. it found 2 malewares so far.

This was installed on mine after I got a pop-up recommending install of a firefox update

There was no dialog asking if I wanted this malware

There is no 'remove' button as the mozilla instructions would tell you to use

It installed a folder named 'BetterSurf' in the program files folder

Delete that folder and restart firefox

That is exactly what happened with me yet Firefox is not taking responsibility for it being part of the upgrade. Maybe they need to check out the upgrade to make sure it is not infected with this maleware.

I did delete everything. Firefox is now asking me to update again. Be interesting to know if it happens again.

Hi moxieweb and terry5732, I recommend closing any pop-ups enticing you to update Firefox and instead using

Help > About Firefox > Check for Updates

Unfortunately, some websites and some add-ons promote updates bundled with undisclosed software such as an updater, and perhaps worse.

If you cannot find a Remove button for an extension on the Add-ons page, you should first check the Windows Control Panel, Programs and Features (or Add/Remove Programs) for a way to uninstall it. If that isn't available, it can be manually deleted, or often cleaned out with malware removal tools (some recommended ones in the support article: Troubleshoot Firefox issues caused by malware).

moxieweb, again the Firefox from mozilla.org nor the updates in Firefox does NOT come with BetterSurf.

Mozilla would lose far far too much for what tiny gain they could get by including malware. No version has done so in past over eleven years of this browser's life and Mozilla is not about to start now.

Lately people have been finding crap and malware installed in Firefox after say installing something they download from say Cnet that Cnet bundled the installer with their own adware and whatnot.

How about this for proof as they recently added this malware to blocklist.

https://addons.mozilla.org/en-US/firefox/blocked/i486

BetterSurf (malware) has been blocked for your protection.

James, just wanted to let you know that I did not install anything on my computer from Cnet or anywhere else that would put a maleware on my machine.. the only update I did was Firefox. My main goal here was to warn Firefox that this happened.

This has been an interesting conversation. I'm going to click 'solved this problem. I will continue to use Firefox as it is my preferred browser and hopefully it will not happen again on the next update.

Well it will not happen as Mozilla never did add Bettersurf or another malware in Firefox setup or update for any version for any OS from mozilla.org

If it were true then there would have been a lot more threads and discussion about it also.

https://support.mozilla.org/en-US/search?q=Bettersurf&num_voted=0&num_votes=&asked_by=&answered_by=&q_tags=&created=0&created_date=&updated=0&updated_date=&sortby=1&a=1&w=2

In addition to being blocked, it seemed to install silently, likely what happened to you.

• "This add-on appears to be malware and is installed silently in violation of the Add-on Guidelines."

From the same blocklist James posted in one of his earlier posts.

• https://addons.mozilla.org/en-US/firefox/blocked/i486

BetterSurf secretly downloaded itself onto my computer last night. There was no warning - I only became aware of its presence when the screen began to distort, and links began to appear at random on the screen.

This has gotten me very concerned, as I am using the latest version of FF and the security settings were set to warn me about sites trying to install add-ons or extensions, but it seems to have completely evaded them. I hadn't even been near any suspicious sites (I had been on Ebay, Amazon, etc.). Nor have I downloaded anything recently. From what I have seen on the internet, the BS nuisanceware is very recent (it seems to have manifested just over a week ago) and has been affecting FF, IE and Google Chrome browsers.

I managed to delete the BS folder that had been created in the programs (x86) folder, and so far there has been no further sign of it. But I am worried that it might have left something nasty behind, such as info stealing software. I have done a full scan using Norton, and even used the Power Eraser option but nothing suspicious has been detected.

Nevertheless I am anxious that further undetected malware might be residing in the system. I know that it might be a bit too early to ask, but has anyone had any further problems after getting rid of BS? At present I am extremely reluctant to log on into my Ebay, PayPal and Amazon accounts.

Just a bit of further info - it was listed as BetterSurf 1.1 in the extensions list, with 12x3q4@3244516.com as its ID

Hi hiding-behind-the-sofa, was there any entry in the Control Panel > Uninstall a Program? Sorting that dialog by date can indicate what else might have been installed around the same time that could be related. Also, you might check your browser download history (in Firefox, Ctrl+j) for that time to see whether that provides any indication of the origin.

Hi jscher2000

Thank you for replying to my post. There were entries in the download history (there was an unidentified installer present) and x86 files but in a haste to get rid of them I didn't see at exactly what time they were downloaded. I could've used them to try and work out from which website the malware came from (it looks likely that this was the result of a drive-by download).

hello, just fyi - we now got the better surf 1.1 addon blacklisted too, so it will be deactivated in all firefox instances: https://addons.mozilla.org/en-US/firefox/blocked/i493

BetterSurf 1.1 has just managed to download itself again this morning!! I thought it was supposed to be blacklisted?

If anyone else is reading this, I was on YouTube when this happened, and I have heard others mention that YT is something of a blackspot when it comes to catching BS.

Sorry, as much as I love FF, I seriously need to think about switching to another browser