This thread was archived. Please ask a new question if you need help.
getting unwanted add-ons without warning despite checking box asking to be warned if a site attempts to install an add-on
I keep getting unwanted add-ons like Golden Coupon installed without my knowledge or permission, even though I have 1) checked the box in the security settings asking to be warned when sites attempt to install add-ons, and 2) have no exceptions in the Add-Ons Installation. How is this happening? What can I do to stop it? Thanks.
All Replies (19)
There may be some other program on your system that is pushing extensions into Firefox. Sometimes freeware includes such an "updater" program.
Here's my suggested procedure for tracking down and cleaning up bad add-ons. I know it seems long, but it's not that bad.
(1) Open the Windows Control Panel, Uninstall a Program. After the list loads, click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Don't be fooled by seemingly innocent or important names if you do not remember choosing to install them. Take out as much trash as possible here.
(2) Open Firefox's Add-ons page using either:
- "3-bar" menu button (or Tools menu) > Add-ons
- in the Windows "Run" dialog, type or paste
In the left column, click Plugins. Set nonessential and unrecognized plugins to "Never Activate".
In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions. (Note: you might not be able to manually Disable extensions in Safe Mode because they are disabled automatically.)
Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.
(3) You can search for remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware. These on-demand scanners are free and take considerable time to run. If they finish quickly and especially if they require payment, you may have a serious infection. I suggest the specialized forums listed in the article in that case.
Thanks for your detailed reply. Actually, I've taken all these steps already. 1. No unwanted programs in Uninstall a Program. It is possible that some piece of freeware I willingly installed at some point is opening a door, although I am not sure how that would happen. 2. There are no unwanted plugins. 3. I remove unwanted extensions as soon as I find them, so there are no unwanted extensions. 4. I run both Trend Micro and MalwareBytes Anti-Malware, and whenever I find and delete one of these things, I run a scan to make sure my system is clean.
The mystery for me is how they are getting installed without warning me when I have explicitly set preferences to warn before installation. But it keeps happening. On this pass, I tried unchecking the box in Preferences for Extensions marked "Update Add-ons Automatically." Is it possible that even though I have removed the virus extension, Firefox keeps track of such extensions and continues to reimport them as an update?
Is there any pattern to when the extension reappears? For example, when exiting and starting Firefox up again, or when shutting down and restarting Windows, or at a particular time of day?
In the first case, Advanced SystemCare and some other programs may roll back settings changes between sessions of Firefox.
In the second and third cases, you might check the Windows Task Scheduler to see whether something there could be pushing the file back into Firefox.
Next time you see it, could you make a note of its "ID"? This is the value that appears on the support information page (either):
- "3-bar" menu button > "?" button > Troubleshooting Information
- (menu bar) Help > Troubleshooting Information
- type or paste about:support in the address bar and press Enter
You often will need to scroll down to see the Extensions table.
Then do a global search of the C drive for that ID to see where it is found. You may need to specify searching hidden and system files if your Windows hides those (it is the default setting).
To address possible alien code in Firefox's program files, could you try:
We use this name, but it's not about removing your settings, it's about making sure the program files are clean. As described below, this process does not disturb your existing settings. Do NOT uninstall Firefox, that's not needed.
(1) Download a fresh installer for Firefox 37.0.1 from https://www.mozilla.org/firefox/all/ to a convenient location. (Scroll down to your preferred language.)
(2) Exit out of Firefox (if applicable).
(3) Rename the program folder
(64-bit Windows folder names)
C:\Program Files (x86)\Mozilla Firefox
C:\Program Files (x86)\OldFirefox
(32-bit Windows folder names)
C:\Program Files\Mozilla Firefox
(4) Run the installer you downloaded in #1. It should automatically connect to your existing settings.
Note: Some plugins may exist only in that OldFirefox folder. If something essential is missing, look in these folders:
Thanks very much. I'll try.
I would give anything to have more data about how and when they get installed. I generally spot them either 1) when the browser becomes inexplicably sluggish, or 2) when the web page redirects start. There doesn't seem to be any way to track exactly when and how they got installed.
I'll check for the ID next time.
I refreshed Firefox recently (within the last two weeks). Didn't solve my problem.
Do you know how exactly it could get installed without generating a warning?
I don't think they are installing from a website in the usual way, but instead being slipped into your Firefox settings (profile) folder. But I'm not sure exactly how that is happening.
Thanks very much for your help. I will keep an eye on this and next time both look for the ID and look in the profile folder for a time and date of installation to see if I can figure out what is happening. Maybe something is overwriting the addons.json. I could change it to read only . . .although I really want to know exactly what is happening.
I wonder if it tries to write in addons.json, and that file is set to read only, if this would pop up useful error information in Windows Manager events.
"Direct" installations of unwanted addons into Firefox from the web just don't happen; they're going thru the "back door" or "on the back" of a legitimate program the user installs on purpose. With Windows, basically anything a program installation wants to install is accepted by Windows once the user starts the installation procedure - and it seems that anti-malware programs aren't all that effective at stopping them.
Typically the user purposely installs a program that carries garbage like that which gets into the Windows Registry as Firefox extension "hooks" and the extension stays hidden. Once Windows is launched or / and Firefox is launched the extension get's installed into Firefox. Since the user installed the "carrier program", Firefox assumes [incorrectly] that it is an "authorized" extension that the user wants. And totally blocking the "installation" thru the Registry would break a whole bunch of legitimate stuff.
Recently many "download" websites have been packaging popular "free" programs in their own installer, and adding crap like unwanted extensions or Malware.
Well, that is going to be stopped with Firefox 40 (or maybe 41) - Mozilla will only allow the installation of signed add-ons, regardless of where they come from. Bad news is that I suspect that "Firefox users" will lose a whole bunch of addon developers and their extension as a result of this change. Has happened three times before when Mozilla changed the "rules" for extensions; and the issue those times was more of "policy" and excessive delays with the approval process than the changes developers had to make to their addons.
Thanks. This is what is puzzling me. The trajectory you describe would mean that one installs software in a bad wrapper and the next time you turn on Windows or Firefox, the addon is added to Firefox. However, I have not installed any software recently, and I keep having to swat these unwanted Firefox addons. Checking "Uninstall Programs'" for updates that might have auto-installed shows that the last installation was a week ago (Adobe Flash Player 17 NPAPI and Adobe Flash Player 17 ActiveX). So if it is something with its hooks in my registry, it was installed some time ago, is not detected by MalwareBytes scan, and activates periodically rather than on the next boot of Windows or Firefox. Perhaps an undetected Trojan?
Some add-ons have been known to hide themselves from the addons page in firefox. It's possible that you have an existing addon that is hiding itself and periodically installing other addons. Try starting firefox in safe mode by holding down the shift key, and looking at the addons page again. Starting firefox this way disables all addons, so there wouldn't be a chance for the addon to hide itself.
That's disturbing, and a good thing to know. I checked, but no additional add-ons were revealed in Safe Mode.
I'll wait until it happens again, and come back to this thread with more information.
OK, it happened again this morning, shortly after updating Firefox to version 37.02 MalwareBytes caught it and located it:
PUP.Optional.Multiplug.A, C:\Program Files (x86)\Mozilla Firefox\dbghelp.dll, Quarantine, [3304bcb30d7de2546a07391d0bfac040]
It’s very sad, but many of the software down-loaders / installers will trick you into installing not only their program, but other programs as well. You have heard of the fine print in shady contracts, right? Well, some installers you need to look at the itsy bitsy teeny weeny fine print. You are thinking you are giving the installer permission to install the program you want by using the recommended option. But if you use the Manual Option Instead, you discover all kinds of stuff that you do not even know what it is or what it does. From now on, everyone needs to Use The Manual Option to put a stop to this.
I had an issue with an unknown add-on. No name, just numbers. Web search showed nothing. But when I asked others to look at it, they thought it was some kind of spy-ware.
Yes. I am aware of the problem of bad wrappers. However, in this case I am not downloading software. Addons are being installed, being detected by antivirus software, and quarantined without triggering an install warning and without software downloads. Antivirus scans show the system as clean.
I think some other program on your system is reinjecting it. However, I don't know what program that is and have already listed all of the methods I know about to investigate recent installations and scan for problems. Presumably it's something you want and therefore haven't tried removing, or which sounds too innocent to suspect. Or it's something that evades normal malware scans (e.g., protected by a rootkit).
If you search that malware description online, you can find other articles with suggested vectors for its installation, such as http://malwaretips.com/blogs/pup-optional-multiplug-a-virus/.
Thanks for the link. I followed the steps and deleted a lot of cr*p off my computer that had not been detected by either MalwareBytes or Trend Micro. Sadly, I now realize that these addons could be injected in a lot of ways. I am particularly suspicious of Windows Task Scheduler, which could explain why it kept loading up independent of visiting web pages or downloading software. Unfortunately there are so many scheduled tasks in there that I have no idea how to ferret out ones that don't belong . . .
Many thanks for your help!
I'm not sure of the best way to sort out which tasks are important/legit. I think the ones in strange location or with unrecognized publishers would be worth investigating.
There is a way without going crazy. First, lets see if the Task Scheduler is the source. Go to the Windows Run bar, and start; msconfig
On the top bar, select Services
In the menu, look for and uncheck Task Scheduler You can sort the list be pressing Service on the top of the list.
This action should not harm the computer in the short term.
Press Okay, let the program close, then reboot the computer.
Use Firefox, and see if those add-ons come back. If they do or don't, then we know.
Thanks. I will keep this in mind. However, the addons appear on average once every week or two, so it would mean keeping all other scheduled tasks from running for that period of time, which might be problematic.