Fake Adobe PDF addon installs with FF updates
Every time FF updates, upon restarting I have a page (URL: https://addonbrowser.com/open-with-adobe-pdf?v=1.2.3&type=install) which looks as if Adobe PDF Reader would be installed. It is trojan malware.
An American female voice invites me to call a phone number to have adware virus removed.
"http://www.ddinbb.ml is requesting your username and password. The site says: “MAC OS is infected with Viruses and other malicious applications. It is necessary to Call Apple Support 0800-404-8452. Viruses must be removed and sys…”"
I have to kill FF and restart again to shut it up.
How can I prevent this page from opening up after every update?
Additional System Details
- User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1 Safari/605.1.15
Hi, please enter about:config into the Firefox address bar (confirm the info message in case it shows up) and search for the preference named startup.homepage_override_url to check if it has the offending website in it. If so, just right-click and reset this entry to its default value.
Thank you for the suggestion. The preference you refer to has no value (i.e. blank). I searched for "ddinbb" as well but it found nothing :(
What extensions do you have installed? No version of desktop Firefox from internal updates or downloads from mozilla.org has ever come with this.
Good question... and thank you.
I have just found Add-ons Manager and listed there is an extension called Open with Adobe PDF Reader 1.2.3 and a homepage of https://addonbrowser.com/open-with-adobe-pdf
To my untrained eye it looks suspect. Have just Googled and found there's a virus called Browser.addon. I've run Malwarebytes before and it's come up clean. Will deleting the extension get shot of this damn thing?
Uninstalling the extension will be a good start.
Addons.mozilla.org is the place to get Extensions. Check the reviews and what the support/homepage listing is before installing.
Normally extensions hosted at AMO are safe but some can get through review to public.
The addonbrowser .com site, now mybrowseraddon .com, seems to post extensions from AMO as their own.
A number from that site seemed to have been hosted on addons.mozilla.org but were removed after discovery of this malware or being a (modified) repost of an original extension hosted at AMO.
An extension under a similar name had a coin miner and was blocked months ago.
Coinminer malware in "Open with Adobe PDF Reader" extension https://bugzilla.mozilla.org/show_bug.cgi?id=1426582
Modified by James
Thanks yet again. Should I be worried that "Normally extensions hosted at AMO are safe but some can get through review to public" ... sounds a little unsafe. That said, if one has installed the pukka Adobe Reader then I assume no extension is needed? Apologies, I'm showing my ignorance.
Just look at the reviews or do a review search on the addons and that should give you more info about it.
Extensions should never appear mysteriously without explanation, and everything you see listed on the Extensions panel of the Add-ons page is your choice to keep or toss, and your responsibility to manage. Don't let unknown software run on your system.
Most "open with" extensions are designed to connect links automatically to external programs so you don't need to interact with the download dialog. You don't need them, and they require installing non-reviewed external applications, so they are less safe than fully self-contained extensions.
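The extension check discussed in this thread can also be run against a profile's extensions.json file. The following is an added example, not part of the original thread and not Mozilla code. The field names (`addons`, `type`, `location`, `sourceURI`, `defaultLocale.homepageURL`) and the `app-profile` location value are assumptions about that file's layout, and the sample data is constructed.

```python
import json
from urllib.parse import urlparse

AMO_HOSTS = {"addons.mozilla.org"}                            # official add-on site
WATCHED_DOMAINS = {"addonbrowser.com", "mybrowseraddon.com"}  # named in this thread

def host_of(url):
    return (urlparse(url or "").hostname or "").lower()

def in_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def audit_extensions(text):
    """Return (name, version, reasons) for user-installed extensions worth a look."""
    findings = []
    for addon in json.loads(text).get("addons", []):
        # Skip themes, dictionaries and add-ons shipped inside Firefox itself.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        meta = addon.get("defaultLocale") or {}
        reasons = []
        if host_of(addon.get("sourceURI")) not in AMO_HOSTS:
            reasons.append("not installed from addons.mozilla.org")
        # An AMO download alone is not proof of safety, so check the homepage too.
        if in_domain(host_of(meta.get("homepageURL")), WATCHED_DOMAINS):
            reasons.append("homepage on watched domain")
        if reasons:
            findings.append((meta.get("name"), addon.get("version"), reasons))
    return findings

# Constructed sample, not taken from a real profile.
SAMPLE = json.dumps({"addons": [
    {"id": "builtin@example.invalid", "type": "extension", "location": "app-builtin",
     "version": "1.0", "defaultLocale": {"name": "Built-in helper"}},
    {"id": "good@example.invalid", "type": "extension", "location": "app-profile",
     "version": "2.4", "sourceURI": "https://addons.mozilla.org/constructed/good.xpi",
     "defaultLocale": {"name": "Some reviewed add-on",
                       "homepageURL": "https://example.org/addon"}},
    {"id": "pdf@example.invalid", "type": "extension", "location": "app-profile",
     "version": "1.2.3", "sourceURI": "https://addons.mozilla.org/constructed/pdf.xpi",
     "defaultLocale": {"name": "Open with Adobe PDF Reader",
                       "homepageURL": "https://addonbrowser.com/open-with-adobe-pdf"}},
    {"id": "side@example.invalid", "type": "extension", "location": "app-profile",
     "version": "0.1", "sourceURI": None,
     "defaultLocale": {"name": "Sideloaded thing"}},
]})

if __name__ == "__main__":
    for name, version, reasons in audit_extensions(SAMPLE):
        print(f"{name} {version}: {'; '.join(reasons)}")
```

To audit a real profile, pass the text of its extensions.json to `audit_extensions` with Firefox closed.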