Mozilla will shut down Pocket’s services on July 8, 2025. At that time users will no longer be able to access the Pocket website, apps and API. You can export your saved items and API data until October 8, 2025 before they are permanently removed. For more information, see this article.

Avatar for Username

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This thread was archived. Please ask a new question if you need help.

Hijacked network settings (proxy)

  • 5 replies
  • 68 have this problem
  • 6 views
  • Last reply by betabeta1

rpdenney
rpdenney

I am running windows 7, and using Firefox 4.0b7.

Somehow I got a hold of the "backdoor:win32/cycbot.b". I ran "Dr.Web CureIt!" and then "MalwareBytes". It was found and removed, but now, whenever I open Firefox, the connection setting defaults to using http proxy of 127.0.0.1, with a port setting of 55030.

I have to go in, delete the proxy and reset every time I launch Firefox. IE, once backdoor was removed, is opening just fine and retains its settings.

I also noticed in the file named prefs.js, the following lines appear and can not be removed. When I do remove them, they reappear as soon as I launch FF.

user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 55030); user_pref("network.proxy.type", 1);

I am running windows 7, and using Firefox 4.0b7. Somehow I got a hold of the "backdoor:win32/cycbot.b". I ran "Dr.Web CureIt!" and then "MalwareBytes". It was found and removed, but now, whenever I open Firefox, the connection setting defaults to using http proxy of 127.0.0.1, with a port setting of 55030. I have to go in, delete the proxy and reset every time I launch Firefox. IE, once backdoor was removed, is opening just fine and retains its settings. I also noticed in the file named prefs.js, the following lines appear and can not be removed. When I do remove them, they reappear as soon as I launch FF. user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 55030); user_pref("network.proxy.type", 1);

Modified by rpdenney

Chosen solution

See if that happens with a new Profile - just test it, don't add anything to the new Profile.
http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows

Read this answer in context 👍 3

All Replies (5)

the-edmeister
the-edmeister
  • Moderator

See if you have a user.js file in your Profile folder and if those prefs are there.

If so, delete those prefs from there.

rpdenney
rpdenney Question owner

I do have a user.js file, but the contents are:

user_pref("network.http.max-persistent-connections-per-server", 4); user_pref("nglayout.initialpaint.delay", 600);

Also in the internet settings, each time FF is launched, defaults to: "Manual Proxy Configuration" HTTP Proxy: 127.0.0.1 Port: 55030

the-edmeister
the-edmeister
  • Moderator

Chosen Solution

See if that happens with a new Profile - just test it, don't add anything to the new Profile.
http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows

rpdenney
rpdenney Question owner

PERFECT!!!! Thanks, this worked. Now, if I can only figure out "why" it acted like that in the first place.

betabeta1
betabeta1

. . . I looked for files modified at the time I thought a similar Malware acted on my PC.



Found 3 lines added to the:




C:/users/xxxxxmyprofile/appdata/roaming/mozilla/firefox/profiles/xxxxx.default/extensionsfoxmarks@kei.com/default/preferences/prefs.js



I removed them, and I saved the prefs.js file again. They were like: user_pref("network.proxy.http", "127.0.0.1"); user_pref("network.proxy.http_port", 58505); user_pref("network.proxy.type", 1); More or less.




My suggestions: Check all *.js files in firefox/ subfolders, plugins included (in my case, as you can see, it was in foxmarks subfolder).



Took me a while, finally solved.

Modified by betabeta1