
FirefoxPatch.exe installs Cryptolocker. Why hasn't the security hole been fixed?
I opened a new tab in Firefox and was taken to Phaccounty-taxes.net and prompted to install the file FirefoxPatch.exe. Two of our other computers running Firefox were infected by Cryptolocker. No links were clicked, no emails opened. The only thing that prompted the install was simply opening a new tab in Firefox. 15 Firefox users have reported the same issue in the last 30 days.
Please look into this as Cryptolocker really SUCKS!
I have no choice but to stop using Firefox until this is resolved.
All Replies (13)
The FirefoxPatch.exe IS NOT from Mozilla.org
There are no such .exe patches, as Firefox is not just for Windows, and Mozilla has never provided updates for Firefox from random sites outside of mozilla.org.
The desktop Firefox for Windows, Mac OSX, and Linux from www.mozilla.org gets internal updates in Firefox itself (with .mar files) or by download from www.mozilla.org or www.mozilla.org/firefox/all
Scammers who have been doing this so-called .exe patch in the last short while are using the popularity of Firefox to trick less experienced Firefox and/or Windows users into thinking it was an update for the Firefox browser so it can infect Windows.
Since you installed this unknown .exe and infected your computer, you need to do some cleaning.
https://malwaretips.com/blogs/remove-cryptolocker-virus/
Sometimes a problem with Firefox may be a result of malware installed on your computer, that you may not be aware of.
You can try these free programs to scan for malware, which work with your existing antivirus software:
- Microsoft Safety Scanner
- MalwareBytes' Anti-Malware
- Anti-Rootkit Utility - TDSSKiller
- AdwCleaner (for more info, see this alternate AdwCleaner download page)
- Hitman Pro
- ESET Online Scanner
Microsoft Security Essentials is a good permanent antivirus for Windows 7/Vista/XP if you don't already have one. Windows 8 has antivirus built-in already.
Further information can be found in the Troubleshoot Firefox issues caused by malware article.
Malware being advertised as a Firefox update is unfortunately not something that Mozilla can solve. You will always need user vigilance and security software.
I'm surprised that Cryptolocker was able to get through your security software. Do you want to cast aspersions on your current vendor by name?
Also, you should check for any possible local cause of hitting that site in the first place. Here's my suggested procedure for tracking down and cleaning up bad add-ons, hijackers, and ad injectors. I know it seems long, but it's not that bad.
(1) Open the Windows Control Panel, Uninstall a Program. After the list loads, click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Be suspicious of everything you do not recognize/remember, as malware often uses important or innocent sounding names to discourage you from removing it. Take out as much trash as possible here.
(2) Open Firefox's Add-ons page using either:
- Ctrl+Shift+a
- "3-bar" menu button (or Tools menu) > Add-ons
- in the Windows "Run" dialog, type or paste
firefox.exe "about:addons"
In the left column, click Plugins. Set nonessential and unrecognized plugins to "Never Activate".
In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions. Bear in mind that all extensions are optional, none come with Firefox, and you can learn more about them by checking their reviews on the Add-ons site.
Often a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.
(3) You can search for remaining issues with the scanning/cleaning tools listed in our support article: Troubleshoot Firefox issues caused by malware. These on-demand scanners are free and take considerable time to run. If they finish quickly and especially if they require payment, you may have a serious infection. I suggest the specialized forums listed in the article in that case.
Success?
This does not solve the problem, as the install prompt occurs when Firefox queries for updates. The task is hijacked and you are prompted to install the .exe file. There has to be a way on Firefox's end to stop this. I know it's not from Firefox, but not all my users do, so they click this and Cryptolocker encrypts all the files on their computer!
harvestland said
This does not solve the problem, as the install prompt occurs when Firefox queries for updates.
The update URL is listed in about:config. Can you check whether it has been modified?
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste update.u and pause while the list is filtered.
(3) If the app.update.url preference is bolded and "user set", that would be suspicious, or if it is italicized and "locked", that would be doubly suspicious.
Or could malware be hijacking the Mozilla Maintenance Service? I'm not sure how that works.
harvestland said
This does not solve the problem, as the install prompt occurs when Firefox queries for updates. The task is hijacked and you are prompted to install the .exe file. There has to be a way on Firefox's end to stop this. I know it's not from Firefox, but not all my users do, so they click this and Cryptolocker encrypts all the files on their computer!
Mozilla has never provided any junk with Firefox installs for any OS or in internal updates, so neither Mozilla nor the Firefox browser is to blame for Cryptolocker being on your PC. It would hurt Mozilla far too much, for what little money gain, to add some extras in, especially something like Cryptolocker.
When you do Help > Check for updates in Firefox, it only gives you Firefox and nothing else.
It was the fake FirefoxPatch.exe that you downloaded from some random site and you installed that infected your Windows.
Neither Mozilla.org nor the Firefox browser has anything to do with it.
Unfortunately you need to educate your users to not be downloading and installing random .exe's and to only do Firefox updates in Firefox itself (which it normally does by default) or by download from www.mozilla.org or www.mozilla.org/firefox/all
Look, if Firefox updates (there has not been one since 42.0 Release on November 4th) on Windows were coming with Cryptolocker, it would be a VERY HOT topic of discussion here, at independent forums.mozillazine.org, Mozilla newsgroups, and Tech sites around.
Hi harvestland, that update URL looks normal. The parameters are filled in with your current version, build ID, language, OS, etc.
Updates in Firefox are not even a .exe file but a .mar file.
You can see for example with en-US locale for 32-bit Windows at https://ftp.mozilla.org/pub/firefox/releases/42.0/update/win32/en-US/
edit: here is the Firefox 42.0 complete .mar en-US for example. Detection ratio: 0 / 55 https://www.virustotal.com/en/file/f57f30450841c2a4fd17abbf2f86861b64ca89a639b35ca2bd361d492a92baf4/analysis/1449529306/
You can check for problems with preferences.
Delete possible user.js and numbered prefs-##.js files and rename (or delete) the prefs.js file to reset all prefs to the default value including prefs set via user.js and prefs that are no longer supported in current Firefox releases.
You can use this button to go to the current Firefox profile folder:
- Help > Troubleshooting Information > Profile Directory: Show Folder (Linux: Open Directory; Mac: Show in Finder)
- http://kb.mozillazine.org/Profile_folder_-_Firefox
Do a clean reinstall and delete the Firefox program folder before (re)installing a fresh copy of the current Firefox release.
- Download the Firefox installer and save the file to the desktop
https://www.mozilla.org/en-US/firefox/all/
If possible, uninstall your current Firefox version to clean up the Windows registry and settings in security software.
- Do NOT remove "personal data" when you uninstall your current Firefox version, because this will remove all profile folders and you lose personal data like bookmarks and passwords including data in profiles created by other Firefox versions.
Remove the Firefox program folder before installing that newly downloaded copy of the Firefox installer.
- (32 bit Windows) "C:\Program Files\Mozilla Firefox\"
- (64 bit Windows) "C:\Program Files (x86)\Mozilla Firefox\"
- It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling.
- http://kb.mozillazine.org/Uninstalling_Firefox
Your personal data like bookmarks is stored in the Firefox profile folder, so you won't lose personal data when you uninstall and (re)install or update Firefox, but make sure NOT to remove personal data when you uninstall Firefox as that will remove all Firefox profile folders and you lose your personal data.
If you keep having problems then create a new profile.
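
The about:config check of app.update.url and the prefs.js / user.js review suggested in the replies above can be scripted across several profile folders. This is an added example, not part of the original thread and not Mozilla code; it assumes the `user_pref("name", "value");` line format (and also accepts `lockPref` lines as used in AutoConfig files), and its sample data is constructed, using example.invalid hosts.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# One pref call per line, e.g. user_pref("name", "value"); commented lines do not match.
PREF_CALL = re.compile(
    r'^\s*(user_pref|lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;',
    re.MULTILINE,
)

def is_mozilla_host(url):
    """True only for mozilla.org or a real subdomain of it (not look-alikes)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "mozilla.org" or host.endswith(".mozilla.org")

def audit_prefs_text(text, source="<sample>"):
    """List every app.update.url* override found in the text of a prefs file."""
    findings = []
    for kind, name, value in PREF_CALL.findall(text):
        if name.startswith("app.update.url"):
            findings.append({
                "source": source, "pref": name, "value": value,
                "locked": kind == "lockPref",  # the "doubly suspicious" case
                "off_mozilla": not is_mozilla_host(value),
            })
    return findings

def audit_profile(profile_dir):
    """Check prefs.js and user.js in one Firefox profile folder."""
    findings = []
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += audit_prefs_text(text, str(path))
    return findings

# Constructed sample, not taken from an infected machine.
SAMPLE = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("app.update.url", "https://updates.example.invalid/update.xml");
// user_pref("app.update.url.manual", "https://old.example.invalid/");
lockPref("app.update.url.override", "https://www.mozilla.org.example.invalid/u");
"""

if __name__ == "__main__":
    dirs = sys.argv[1:]
    results = [f for d in dirs for f in audit_profile(d)] if dirs else audit_prefs_text(SAMPLE)
    for finding in results:
        print(finding)
```

Run it with one or more profile folder paths as arguments. Any finding means the preference was overridden, which the reply above treats as suspicious even when the host is on mozilla.org.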