Hijacked network settings (proxy)
I am running windows 7, and using Firefox 4.0b7.
Somehow I got a hold of the "backdoor:win32/cycbot.b". I ran "Dr.Web CureIt!" and then "MalwareBytes". It was found and removed, but now, whenever I open Firefox, the connection setting defaults to using http proxy of 127.0.0.1, with a port setting of 55030.
I have to go in, delete the proxy and reset every time I launch Firefox. IE, once backdoor was removed, is opening just fine and retains its settings.
I also noticed in the file named prefs.js, the following lines appear and can not be removed. When I do remove them, they reappear as soon as I launch FF.
user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 55030); user_pref("network.proxy.type", 1);
Modified
Chosen solution
See if that happens with a new Profile - just test it, don't add anything to the new Profile.
http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows
All Replies (5)
See if you have a user.js file in your Profile folder and if those prefs are there.
If so, delete those prefs from there.
I do have a user.js file, but the contents are:
user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("nglayout.initialpaint.delay", 600);
Also in the internet settings, each time FF is launched, defaults to: "Manual Proxy Configuration" HTTP Proxy: 127.0.0.1 Port: 55030
Chosen Solution
See if that happens with a new Profile - just test it, don't add anything to the new Profile.
http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows
PERFECT!!!! Thanks, this worked. Now, if I can only figure out "why" it acted like that in the first place.
. . . I looked for files modified at the time I thought a similar Malware acted on my PC.
Found 3 lines added to the:
C:/users/xxxxxmyprofile/appdata/roaming/mozilla/firefox/profiles/xxxxx.default/extensionsfoxmarks@kei.com/default/preferences/prefs.js
I removed them, and I saved the prefs.js file again. They were like: user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 58505); user_pref("network.proxy.type", 1); More or less.
My suggestions: Check all *.js files in firefox/ subfolders, plugins included (in my case, as you can see, it was in foxmarks subfolder).
Took me a while, finally solved.
Modified