
Support Forum

getting unwanted add-ons without warning despite checking box asking to be warned if a site attempts to install an add-on

Posted

I keep getting unwanted add-ons like Golden Coupon installed without my knowledge or permission, even though I have 1) checked the box in the security settings asking to be warned when sites attempt to install add-ons, and 2) have no exceptions in the Add-Ons Installation. How is this happening? What can I do to stop it? Thanks.

Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 11.0.10
  • Amazon MP3 Downloader Plugin 1.0.17
  • Citrix Receiver Plugin (Win32)
  • GEPlugin
  • Google Update
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.40.2 for Mozilla browsers
  • The plug-in allows you to open and edit files using Microsoft Office applications
  • Office Authorization plug-in for NPAPI browsers
  • LastPass Plugin
  • NVIDIA 3D Vision Streaming plugin for Mozilla browsers
  • NVIDIA 3D Vision plugin for Mozilla browsers
  • Shockwave Flash 17.0 r0
  • 5.1.30514.0
  • NPWLPG
  • iTunes Detector Plug-in

Application

  • Firefox 37.0.1
  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
  • Support URL: https://support.mozilla.org/1/firefox/37.0.1/WINNT/en-US/

Extensions

  • LastPass 3.1.92 (support@lastpass.com)
  • Zotero 4.0.26.4 (zotero@chnm.gmu.edu)
  • Zotero Word for Windows Integration 3.1.19 (zoteroWinWordIntegration@zotero.org)
  • Skype Click to Call 6.9.0.12585 ({82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}) (Inactive)
  • Trend Micro BEP Firefox Extension 8.0.0.1173 (tmbepff@trendmicro.com) (Inactive)
  • Trend Micro NSC Firefox Extension 6.8.0.1120 ({22C7F6C6-8D67-4534-92B5-529A0EC09405}) (Inactive)
  • Trend Micro Toolbar 7.0.0.1243 ({22181a4d-af90-4ca3-a569-faed9118d6bc}) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: NVIDIA GeForce GT 740
  • adapterDescription2:
  • adapterDeviceID: 0x0fc8
  • adapterDeviceID2:
  • adapterDrivers: nvd3dumx,nvwgf2umx,nvwgf2umx nvd3dum,nvwgf2um,nvwgf2um
  • adapterDrivers2:
  • adapterRAM: 4095
  • adapterRAM2:
  • adapterSubsysID: 37483842
  • adapterSubsysID2:
  • adapterVendorID: 0x10de
  • adapterVendorID2:
  • direct2DEnabled: True
  • directWriteEnabled: True
  • directWriteVersion: 6.2.9200.16571
  • driverDate: 3-13-2015
  • driverDate2:
  • driverVersion: 9.18.13.4788
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'direct2d 1.1', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'direct2d 1.1', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 1
  • numTotalWindows: 1
  • webglRenderer: Google Inc. -- ANGLE (NVIDIA GeForce GT 740 Direct3D11 vs_5_0 ps_5_0)
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Direct3D 11

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

Helpful Reply

There may be some other program on your system that is pushing extensions into Firefox. Sometimes freeware includes such an "updater" program.

Here's my suggested procedure for tracking down and cleaning up bad add-ons. I know it seems long, but it's not that bad.

(1) Open the Windows Control Panel, Uninstall a Program. After the list loads, click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Don't be fooled by seemingly innocent or important names if you do not remember choosing to install them. Take out as much trash as possible here.

(2) Open Firefox's Add-ons page using either:

  • Ctrl+Shift+a
  • "3-bar" menu button (or Tools menu) > Add-ons
  • in the Windows "Run" dialog, type or paste
    firefox.exe "about:addons"

In the left column, click Plugins. Set nonessential and unrecognized plugins to "Never Activate".

In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions. (Note: you might not be able to manually Disable extensions in Safe Mode because they are disabled automatically.)

Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

Any improvement?

(3) You can search for remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware. These on-demand scanners are free and take considerable time to run. If they finish quickly and especially if they require payment, you may have a serious infection. I suggest the specialized forums listed in the article in that case.

Success?

Question owner

Thanks for your detailed reply. Actually, I've taken all these steps already. 1. No unwanted programs in Uninstall a Program. It is possible that some piece of freeware I willingly installed at some point is opening a door, although I am not sure how that would happen. 2. There are no unwanted plugins. 3. I remove unwanted extensions as soon as I find them, so there are no unwanted extensions. 4. I run both Trend Micro and MalwareBytes Anti-Malware, and whenever I find and delete one of these things, I run a scan to make sure my system is clean.

The mystery for me is how they are getting installed without warning me when I have explicitly set preferences to warn before installation. But it keeps happening. On this pass, I tried unchecking the box in Preferences for Extensions marked "Update Add-ons Automatically." Is it possible that even though I have removed the virus extension, Firefox keeps track of such extensions and continues to reimport them as an update?

jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

Helpful Reply

Is there any pattern to when the extension reappears? For example, when exiting and starting Firefox up again, or when shutting down and restarting Windows, or at a particular time of day?

In the first case, Advanced SystemCare and some other programs may roll back settings changes between sessions of Firefox.

In the second and third cases, you might check the Windows Task Scheduler to see whether something there could be pushing the file back into Firefox.


Next time you see it, could you make a note of its "ID"? This is the value that appears on the support information page (either):

  • "3-bar" menu button > "?" button > Troubleshooting Information
  • (menu bar) Help > Troubleshooting Information
  • type or paste about:support in the address bar and press Enter

You often will need to scroll down to see the Extensions table.

Then do a global search of the C drive for that ID to see where it is found. You may need to specify searching hidden and system files if your Windows hides those (it is the default setting).


To address possible alien code in Firefox's program files, could you try:

Clean Reinstall

We use this name, but it's not about removing your settings, it's about making sure the program files are clean. As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.

(1) Download a fresh installer for Firefox 37.0.1 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.)

(2) Exit out of Firefox (if applicable).

(3) Rename the program folder

(64-bit Windows folder names)

C:\Program Files (x86)\Mozilla Firefox

to

C:\Program Files (x86)\OldFirefox

(32-bit Windows folder names)

C:\Program Files\Mozilla Firefox

to

C:\Program Files\OldFirefox

(4) Run the installer you downloaded in #1. It should automatically connect to your existing settings.

Any improvement?

Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:

  • \OldFirefox\Plugins
  • \OldFirefox\browser\plugins

Question owner

Thanks very much. I'll try.

I would give anything to have more data about how and when they get installed. I generally spot them either 1) when the browser becomes inexplicably sluggish, or 2) when the web page redirects start. There doesn't seem to be any way to track exactly when and how they got installed.

I'll check for the ID next time.

I refreshed Firefox recently (within the last two weeks). Didn't solve my problem.

Do you know how exactly it could get installed without generating a warning?

jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

I don't think they are installing from a website in the usual way, but instead being slipped into your Firefox settings (profile) folder. But I'm not sure exactly how that is happening.

Question owner

Thanks very much for your help. I will keep an eye on this and next time both look for the ID and look in the profile folder for a time and date of installation to see if I can figure out what is happening. Maybe something is overwriting the addons.json. I could change it to read only . . .although I really want to know exactly what is happening.

Question owner

I wonder if it tries to write in addons.json, and that file is set to read only, if this would pop up useful error information in Windows Manager events.

the-edmeister
  • Top 25 Contributor
  • Moderator
5406 solutions 40224 answers

"Direct" installations of unwanted addons into Firefox from the web just don't happen; they're going thru the "back door" or "on the back" of a legitimate program the user installs on purpose. With Windows, basically anything a program installation wants to install is accepted by Windows once the user starts the installation procedure - and it seems that anti-malware programs aren't all that effective at stopping them.

Typically the user purposely installs a program that carries garbage like that which gets into the Windows Registry as Firefox extension "hooks" and the extension stays hidden. Once Windows is launched or / and Firefox is launched the extension gets installed into Firefox. Since the user installed the "carrier program", Firefox assumes [incorrectly] that it is an "authorized" extension that the user wants. And totally blocking the "installation" thru the Registry would break a whole bunch of legitimate stuff.

Recently many "download" websites have been packaging popular "free" programs in their own installer, and adding crap like unwanted extensions or Malware.


Well, that is going to be stopped with Firefox 40 (or maybe 41) - Mozilla will only allow the installation of signed add-ons, regardless of where they come from. Bad news is that I suspect that "Firefox users" will lose a whole bunch of addon developers and their extension as a result of this change. Has happened three times before when Mozilla changed the "rules" for extensions; and the issue those times was more of "policy" and excessive delays with the approval process than the changes developers had to make to their addons.
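
One way to get the install timeline the question owner asks for, as an added example that is not part of any post in this thread: the sketch below reads a profile's extensions.json and lists add-ons that reached Firefox from outside the Add-ons Manager (a registry or program-folder location, or the `foreignInstall` flag), oldest first. The sample data, IDs and paths are constructed; the field names (`location`, `foreignInstall`, `installDate`, `descriptor`) and location values are assumed to match what Firefox of this era writes.

```python
import json
from datetime import datetime, timezone

# Add-ons installed through the Add-ons Manager UI normally live here.
PROFILE_LOCATION = "app-profile"

# Constructed sample shaped like a profile's extensions.json.
# IDs, names and paths are made up for illustration.
SAMPLE_EXTENSIONS_JSON = r"""
{"addons": [
  {"id": "wanted-addon@example.invalid", "location": "app-profile",
   "foreignInstall": false, "installDate": 1420070400000,
   "defaultLocale": {"name": "Wanted Add-on"},
   "descriptor": "C:\\Users\\u\\profile\\extensions\\wanted-addon@example.invalid.xpi"},
  {"id": "bundled-toolbar@example.invalid", "location": "winreg-app-global",
   "foreignInstall": true, "installDate": 1429000000000,
   "defaultLocale": {"name": "Bundled Toolbar"},
   "descriptor": "C:\\Program Files (x86)\\ExampleUpdater\\ff"},
  {"id": "dropped-coupon@example.invalid", "location": "app-profile",
   "foreignInstall": true, "installDate": 1428000000000,
   "defaultLocale": {"name": "Dropped Coupon"},
   "descriptor": "C:\\Users\\u\\profile\\extensions\\dropped-coupon@example.invalid"}
]}
"""


def to_iso(ms):
    """Convert a millisecond epoch timestamp to an ISO 8601 UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()


def audit_extensions(db):
    """Return add-ons that did not arrive through the normal install flow.

    An add-on is reported when it is registered from a location other than
    the profile (for example a Windows Registry entry), or when Firefox marked
    it as a foreign install, i.e. it was found on disk at startup.
    """
    findings = []
    for addon in db.get("addons", []):
        reasons = []
        location = addon.get("location", "unknown")
        if location != PROFILE_LOCATION:
            reasons.append("registered outside the profile (%s)" % location)
        if addon.get("foreignInstall"):
            reasons.append("foreignInstall set: found at startup, "
                           "not installed through the Add-ons Manager")
        if not reasons:
            continue
        install_ms = addon.get("installDate") or 0
        findings.append({
            "id": addon.get("id", "(no id)"),
            "name": (addon.get("defaultLocale") or {}).get("name", "(no name)"),
            "location": location,
            "path": addon.get("descriptor", "(unknown)"),
            "install_ms": install_ms,
            "installed": to_iso(install_ms),
            "reasons": reasons,
        })
    # Oldest first, so the list reads as a timeline to compare against
    # software installs and scheduled-task run times.
    findings.sort(key=lambda f: f["install_ms"])
    return findings


def audit_sample():
    """Run the audit over the constructed sample above."""
    return audit_extensions(json.loads(SAMPLE_EXTENSIONS_JSON))


if __name__ == "__main__":
    # To audit a real profile, load <profile folder>/extensions.json instead.
    for f in audit_sample():
        print("%s  %s (%s)" % (f["installed"], f["name"], f["id"]))
        print("    path: %s" % f["path"])
        for reason in f["reasons"]:
            print("    - %s" % reason)
```

The `path` and `id` of each finding are the values to search the disk and registry for, as suggested earlier in the thread.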

Question owner

Thanks. This is what is puzzling me. The trajectory you describe would mean that one installs software in a bad wrapper and the next time you turn on Windows or Firefox, the addon is added to Firefox. However, I have not installed any software recently, and I keep having to swat these unwanted Firefox addons. Checking "Uninstall Programs" for updates that might have auto-installed shows that the last installation was a week ago (Adobe Flash Player 17 NPAPI and Adobe Flash Player 17 ActiveX). So if it is something with its hooks in my registry, it was installed some time ago, is not detected by MalwareBytes scan, and activates periodically rather than on the next boot of Windows or Firefox. Perhaps an undetected Trojan?

user293 39 solutions 279 answers

Some add-ons have been known to hide themselves from the addons page in Firefox. It's possible that you have an existing addon that is hiding itself and periodically installing other addons. Try starting Firefox in safe mode by holding down the shift key, and looking at the addons page again. Starting Firefox this way disables all addons, so there wouldn't be a chance for the addon to hide itself.

Question owner

That's disturbing, and a good thing to know. I checked, but no additional add-ons were revealed in Safe Mode.

I'll wait until it happens again, and come back to this thread with more information.

Question owner

OK, it happened again this morning, shortly after updating Firefox to version 37.02. MalwareBytes caught it and located it:

PUP.Optional.Multiplug.A, C:\Program Files (x86)\Mozilla Firefox\dbghelp.dll, Quarantine, [3304bcb30d7de2546a07391d0bfac040]

FredMcD
  • Top 10 Contributor
4254 solutions 59583 answers

It’s very sad, but many of the software down-loaders / installers will trick you into installing not only their program, but other programs as well. You have heard of the fine print in shady contracts, right? Well, some installers you need to look at the itsy bitsy teeny weeny fine print. You are thinking you are giving the installer permission to install the program you want by using the recommended option. But if you use the Manual Option Instead, you discover all kinds of stuff that you do not even know what it is or what it does. From now on, everyone needs to Use The Manual Option to put a stop to this.


I had an issue with an unknown add-on. No name, just numbers. Web search showed nothing. But when I asked others to look at it, they thought it was some kind of spy-ware.

Question owner

Yes. I am aware of the problem of bad wrappers. However, in this case I am not downloading software. Addons are being installed, being detected by antivirus software, and quarantined without triggering an install warning and without software downloads. Antivirus scans show the system as clean.

jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

I think some other program on your system is reinjecting it. However, I don't know what program that is and have already listed all of the methods I know about to investigate recent installations and scan for problems. Presumably it's something you want and therefore haven't tried removing, or which sounds too innocent to suspect. Or it's something that evades normal malware scans (e.g., protected by a rootkit).

If you search that malware description online, you can find other articles with suggested vectors for its installation, such as http://malwaretips.com/blogs/pup-optional-multiplug-a-virus/.

Question owner

Thanks for the link. I followed the steps and deleted a lot of cr*p off my computer that had not been detected by either MalwareBytes or Trend Micro. Sadly, I now realize that these addons could be injected in a lot of ways. I am particularly suspicious of Windows Task Scheduler, which could explain why it kept loading up independent of visiting web pages or downloading software. Unfortunately there are so many scheduled tasks in there that I have no idea how to ferret out ones that don't belong . . .

Many thanks for your help!

jscher2000
  • Top 10 Contributor
8758 solutions 71655 answers

I'm not sure of the best way to sort out which tasks are important/legit. I think the ones in a strange location or with unrecognized publishers would be worth investigating.

FredMcD
  • Top 10 Contributor
4254 solutions 59583 answers

There is a way without going crazy. First, let's see if the Task Scheduler is the source. Go to the Windows Run bar, and start: msconfig

On the top bar, select Services

In the menu, look for and uncheck Task Scheduler. You can sort the list by pressing Service on the top of the list.

This action should not harm the computer in the short term.

Press Okay, let the program close, then reboot the computer.

Use Firefox, and see if those add-ons come back. If they do or don't, then we know.

Question owner

Thanks. I will keep this in mind. However, the addons appear on average once every week or two, so it would mean keeping all other scheduled tasks from running for that period of time, which might be problematic.
