Firefox Exploit Screen-Captures
Hi guys, Well, I think I bring here a very interesting thing for the Mozilla team. I found I have some sort of exploit which takes screen captures whenever I click on any web page. It is especially active whenever you are entering sensitive information, like when I log in to site accounts, or whenever I check something on the bank. I checked processes using Process Explorer, and everything points at Mozilla being very active and nothing else. I check the creation of those screen captures and they are always there. I normally kill every process which is not necessary, and the ones left are just essential.

I ran several bootable antiviruses like Eset, Kaspersky and Bitdefender and they don't detect anything weird. I removed from a bootable CD all temp files this "thing" creates while making files and taking snaps of my screen. It goes back on when you are back on Windows. I knew that something was going on when on the bank site I had an AVG antivirus alert saying that an exploit was active and gave me the option to remove it. Other than that, you don't feel a thing. As said, the alert comes back every time you visit the bank and some other log-ins, especially while banking. I also disabled all Firefox add-ons, as well as the Java on my computer -I believe there's some connection with Java here-. I have the suspicion that it is pdf/exploit coz I saw a glimpse of that name while uninstalling something which I think was Facemoods. Not too sure how it got there.

So there, guys!! I don't know where this "thing" resides, what it really does -it could be doing more things-, or how to get rid of it. PS: I saw a while ago that I have two mozilla folders hanging from "program files". One is mozilla.bak. I'm digging into this now. Any shed on this, you pros!! I'm not a pro myself, yet I love IT :-) Thanks a bunch in advance to anyone taking the time to solve the one big problem Firefox has and is going to have in the short run. BR F
Additional System Details
- Adobe PDF Plug-In For Firefox and Netscape 10.1.8
- User Agent: Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0
Scan your machine for malware. https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware
Modified by christ1
Did you get your Firefox from Mozilla.org, or somewhere else?
Where do you find those thumbnails or how do you know that such a thumbnail is saved?
Note that Firefox creates thumbnails to be used on the about:newtab page.
You can create this Boolean pref on the about:config page to prevent Firefox from generating thumbnails for the about:newtab page.
- name: browser.pagethumbnails.capturing_disabled with value: true
Delete the thumbnails folder in the Firefox profile folder with Firefox closed to remove already stored web page thumbnails.
Hi there, Yes, I scanned the PC with MalwareBytes, and nothing spotted. I ran antivirus rescue bootable CDs of Kaspersky, Eset and Bitdefender, with an updated virus database before scanning..., and nothing. The browser was downloaded from Mozilla.org. The folder was in user\xxx\appdata\mozilla\zldwk2opj3lkd\doomed\profiles\safpñlskdfasl\thumbnails. The route is an approximation as I don't remember the exact path now. I searched on C:\ for *.* so every single thing on my C: was there, then ordered by the date, the newer being at the top. This \doomed\ folder was creating lots of files at the top whenever I did something in the Mozilla browser. Lots!!! Thumbnails and many others which I didn't really know what they were for >:-E
The route of where it resided was given by the detection of the script/exploit by AVG by a pop-up while on the bank. Then I started to dig in and saw all this activity with my data being captured, scary! I blocked an IP from Stockholm, which was suspicious via ZoneAlarm, but you never know, right!
I solved the problem, as after one and a half days I did not progress at all and data was being compromised. I needed the computer to sort a few things. I installed a fresh OS copy and ran the same bootable antivirus, just in case. I also changed browser to Chrome as I read they are less "attackable" and they have a sandbox system which could be of great help, let's see. Mozilla has been a great browser till last week. However, things are on the move and these new script & exploits pose a real threat to anyone browsing.

Problems are solved, but let's go on digging into it -I wouldn't close this forum thread- as this is going to be the next generation of threats. People do everything with browsers and they are the window to "the out there". We are missing tools to detect this..., pdf/exploit checkers, or script-exploit checkers in general without risking to get something new and then fall onto other looming dangers. Many thanks for your queries guys. Let's work on this a bit! They are invisible! Fistro
If you can, send the link for this page, https://support.mozilla.org/en-US/questions/1024867 , to your anti-virus and one or more anti-malware sites.
As this is something they need to know about to better protect us.
That is the location that Firefox uses to store thumbnail images for the about:newtab page like I posted above.
See this article about the New Tab page (about:newtab):
You can create the Boolean pref browser.pagethumbnails.capturing_disabled to prevent Firefox from creating new thumbnails like posted above.
You can open the about:config page via the location/address bar. You can accept the warning and click "I'll be careful" to continue.
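As an added example (not part of the thread and not Mozilla's code), the two steps described above, setting browser.pagethumbnails.capturing_disabled to true and deleting the thumbnails folder with Firefox closed, scripted in Python. It assumes the pref is set through the profile's user.js file instead of about:config and that the caller supplies the profile directory; the function names and the sample profile are constructed for illustration.

```python
import re
import shutil
import tempfile
from pathlib import Path

PREF = "browser.pagethumbnails.capturing_disabled"
# Matches an existing user_pref line for PREF, whatever its current value.
PREF_LINE = re.compile(
    r'^[ \t]*user_pref\([ \t]*"' + re.escape(PREF) + r'"[ \t]*,[ \t]*(?:true|false)[ \t]*\)[ \t]*;[ \t]*$',
    re.MULTILINE)

def disable_capture(profile_dir):
    """Set PREF to true in <profile>/user.js; return True if the file changed."""
    user_js = Path(profile_dir) / "user.js"
    text = user_js.read_text(encoding="utf-8") if user_js.exists() else ""
    wanted = f'user_pref("{PREF}", true);'
    if PREF_LINE.search(text):
        new_text = PREF_LINE.sub(wanted, text)   # flip an existing entry
    else:
        sep = "" if (not text or text.endswith("\n")) else "\n"
        new_text = text + sep + wanted + "\n"
    if new_text == text:
        return False                             # already set, nothing to do
    user_js.write_text(new_text, encoding="utf-8")
    return True

def purge_thumbnails(local_profile_dir):
    """Delete <local profile>/thumbnails (Firefox closed); return files removed."""
    thumbs = Path(local_profile_dir) / "thumbnails"
    if not thumbs.is_dir():
        return 0
    count = sum(1 for p in thumbs.rglob("*") if p.is_file())
    shutil.rmtree(thumbs)
    return count

def demo():
    """Run both steps on a constructed profile in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "example.default"       # constructed profile name
        (profile / "thumbnails").mkdir(parents=True)
        for name in ("a.png", "b.png", "c.png"):      # constructed thumbnail files
            (profile / "thumbnails" / name).write_bytes(b"constructed")
        (profile / "user.js").write_text(f'user_pref("{PREF}", false);\n', encoding="utf-8")
        changed = (disable_capture(profile), disable_capture(profile))
        removed = purge_thumbnails(profile)
        return changed, removed, (profile / "user.js").read_text(encoding="utf-8")

if __name__ == "__main__":
    print(demo())
```

On Windows the thumbnails folder sits under the profile's AppData\Local location while user.js belongs in the AppData\Roaming profile folder, which is why the two functions take separate paths.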
Hi there, I'll do that Fred. I found out about a very interesting thing for that plus of protection. It's called Sandboxie. It is a program which sandboxes other files so any potential problem is contained. You delete everything after giving it a shot and end of story. This sandboxing system seems a pretty decent tackle for many unforeseen script/exploits. Worth considering!! Keep it up guys!!!
I understand that this was an escalated thread, however it seems as if the question has shifted from what is this weird script running on my bank site in Firefox after I tried to uninstall Funmoods to how can I exploit unforeseen security threats in Firefox.
Mozilla.bak may not be a default file in the profile folder. It is possible to back it up http://kb.mozillazine.org/Profile_backup before making changes you may not want to lose.
This is an extensive guide on how to remove Funmoods if you are worried it's still there http://www.anvisoft.com/resources/how-to-remove-start-funmoods-com-red... please ignore if this is old news.
There was also a security concern for DNS fraud that was fixed in version 32.0.3 that I highly recommend you update. https://www.mozilla.org/security/know.../firefox.html
Other than that, ask the security team for more specific info as well. This is about the extent of my knowledge.