X
Tap here to go to the mobile version of the site.

Support Forum

adware has hijacked Firefox can't find it in extension nor in programs. This is Dejvu IE 6 all over again

Posted

I did a cleanup with malwarebytes, Adware remover, Spybot search and destroy. Nothing I can find. I was infected with offer4u and similar product malware that kept showing offers and other products when I was on a shopping website.

EVEN that did not show up anywhere, It was not in programs. It somehow installs in firefox hidden. Even my firefox start page was hijacked and the search by something I don't remember.

All of that got cleared out. But the other day I still got the Offer4u popup. I disabled it forever have not seen it since.

Now whenever I visit any shopping website it gets redirected to this url. http://api.pitlap.info/v1/users/wMfSaZPIqrU=/tips.json?where_created=sg&api_key=da4b9237bacccdf19c0760cab7aec4a8359010b0&secret=eb3e8ac05132bbaeb79f6e8eb53b67e753d79da3&pr=1&bring_info=0&method=post&url=http://www.tienda.com/?affid=cj This is the exact url for tienda.com As you can see that when I visit a shopping website it tries to reload that page with a particular referral id.

I just can't find this anywhere and nothing can remove it. Its is a huge security flaw in firefox I am sure. So its not being detected as an adware.

Its hard to even browse as the referral ids and urls are wrong and it ends up redirecting to the home page.

Yes I know that I can install firefox again from a scratch but It will be pain getting all the extension back again.

How did FIrefox become like IE. This is dejavu. It seems like a good time to switch to chrome.

There seems to be no support or anyone recognizing this issue in the forums. Looks like nobody is bothered

I did a cleanup with malwarebytes, Adware remover, Spybot search and destroy. Nothing I can find. I was infected with offer4u and similar product malware that kept showing offers and other products when I was on a shopping website. EVEN that did not show up anywhere, It was not in programs. It somehow installs in firefox hidden. Even my firefox start page was hijacked and the search by something I don't remember. All of that got cleared out. But the other day I still got the Offer4u popup. I disabled it forever have not seen it since. Now whenever I visit any shopping website it gets redirected to this url. http://api.pitlap.info/v1/users/wMfSaZPIqrU=/tips.json?where_created=sg&api_key=da4b9237bacccdf19c0760cab7aec4a8359010b0&secret=eb3e8ac05132bbaeb79f6e8eb53b67e753d79da3&pr=1&bring_info=0&method=post&url=http://www.tienda.com/?affid=cj This is the exact url for tienda.com As you can see that when I visit a shopping website it tries to reload that page with a particular referral id. I just can't find this anywhere and nothing can remove it. Its is a huge security flaw in firefox I am sure. So its not being detected as an adware. Its hard to even browse as the referral ids and urls are wrong and it ends up redirecting to the home page. Yes I know that I can install firefox again from a scratch but It will be pain getting all the extension back again. How did FIrefox become like IE. This is dejavu. It seems like a good time to switch to chrome. There seems to be no support or anyone recognizing this issue in the forums. Looks like nobody is bothered

Chosen solution

Did you check your extensions list in Firefox's Safe Mode? This deactivates the ability of extensions to hide themselves from the Add-ons page.

Anything custom in your connection settings? You can check here:

orange Firefox button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button

The default is "Use system proxy settings" (adopts settings from IE); you also could try "No proxy".


If you do not have an extension or proxy causing this, you may need to clear out your Firefox program folder and reinstall Firefox. Note: do not uninstall Firefox or remove your settings, this is just about the program folder.

Clean Reinstall

The process is: rename the program folder and then reinstall Firefox. In this process, the Firefox installer should recognize and automatically connect with your existing profiles.

(Still, it might be a good idea to make a backup. This article has suggestions: Back up and restore information in Firefox profiles.)

You can download the installer for Firefox 27.0.1 from here:

https://www.mozilla.org/firefox/all/ (scroll down to your language)

Then after exiting Firefox, rename the folder

C:\Program Files (x86)\Mozilla Firefox

something like

C:\Program Files (x86)\OldFirefox

And run the installer.

Any improvement?

Note that some plugins and extensions install into the program folder. You can extract them later if you discover them missing, but to minimize contamination, please do not bulk copy those folders over.


Regarding how to open a new topic, you can always start a new question using the "Ask a Question" link at the top of the page.

Is the request to have stronger anti-malware integrated into Firefox? Currently the phishing and malware protection is limited to what Google is willing to provide and it does not provide the same list to Firefox users as it does to Chrome users. Going forward, Mozilla is considering adding more services to the browser. The question is whether anything better is available for free or whether it would need to be a paid service, in which case, using commercial antivirus software might be better than having a Firefox-only solution.

Read this answer in context 0

Additional System Details

Installed Plug-ins

  • Shockwave Flash 12.0 r0
  • VLC media player Web Plugin 2.1.3
  • Google Talk Plugin Video Accelerator version:0.1.44.29
  • Version 5.1.2.17113
  • Next Generation Java Plug-in 10.45.2 for Mozilla browsers
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Adobe PDF Plug-In For Firefox and Netscape 10.1.9
  • Google Update
  • A plugin to detect whether the Adobe Extension Manager is installed on this machine.
  • The plugin allows you to have a better experience with Microsoft Lync
  • 5.1.20913.0
  • The plugin allows you to have a better experience with Microsoft SharePoint
  • A plugin to detect whether the Adobe Application Manager is installed on this machine.
  • Yahoo Application State Plugin version 1.0.0.7
  • The QuickTime Plugin allows you to view a wide variety of multimedia content in Web pages. For more information, visit the QuickTime Web site.
  • RealPlayer(tm) LiveConnect-Enabled Plug-In
  • 6.0.12.448

Application

  • User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0

More Information

Gingerbread Man 403 solutions 1537 answers

You need to seek help on a forum specializing on malware removal. Since you have Malwarebytes Anti-malware, I recommend

Also see the "How do I prevent malware from being installed?" section of the following article.

You need to seek help on a forum specializing on malware removal. Since you have Malwarebytes Anti-malware, I recommend * https://forums.malwarebytes.org/index.php?showforum=7 Also see the "How do I prevent malware from being installed?" section of the following article. * [[Troubleshoot Firefox issues caused by malware]]
jscher2000
  • Top 10 Contributor
3768 solutions 33377 answers

Speaking of extensions, have you reviewed yours recently? Try this:

Disable ALL nonessential or unrecognized extensions on the Add-ons page. Either:

  • Ctrl+Shift+a
  • orange Firefox button (or Tools menu) > Add-ons

In the left column, click Extensions. Then, if in doubt, disable.

Usually a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

If the problem continues, you might have a hidden extension that only is visible/removable in Firefox's Safe Mode.

You can restart Firefox in Safe Mode using

Help > Restart with Add-ons Disabled

In the dialog, click "Start in Safe Mode" (not Reset)

Any difference?

Speaking of extensions, have you reviewed yours recently? Try this: Disable ALL nonessential or unrecognized extensions on the Add-ons page. Either: * Ctrl+Shift+a * orange Firefox button (or Tools menu) > Add-ons In the left column, click Extensions. Then, if in doubt, disable. Usually a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step. If the problem continues, you might have a hidden extension that only is visible/removable in Firefox's Safe Mode. You can restart Firefox in Safe Mode using Help > Restart with Add-ons Disabled In the dialog, click "Start in Safe Mode" (''not'' Reset) Any difference?

Question owner

I have nothing that I am not sure of. All the extension were there before this attack happened. I am pretty sure cause I just went through all my extensions(which are not much) to correct a google+ comments bug. I had disabled all extension and added it one by one. A whois extension was causing the problem. That time I uninstalled many extensions I was not using as Firefox takes up 1.9GB of memory and exhausts my system memory(4GB) I have to restart Firefox it starts at around 1.2 GB or 1.5GB.

So I am pretty sure there is no extension of any software installed on my system that I am not aware of. The earlier Malware I corrected with malwarebytes

The bigger problem(And how do I open a thread for this or bring it to notice) is a security hole that allows this to happen without consent. It happened after I installed Miro. I unchecked installation of their additional software but this still happened.

I can't find Miro listed as a malware. It was around this same time my Anti-virus expired and I had uninstalled it. Installed a new license only after 5 days as I could not decide which antivirust to go for.

Now I am not a n00b been browsing since 1997 am a webdeveloper 10 years ago I used to keep cyber cafe/browsing center free of viruses and malwares.

I know I just clicked on something by mistake and close the tab before It would even load.

It seems its either Miro or this link that has installed the malware without even asking for permission. I am pretty sure I said no to everything as this is not the first time I am installing Miro.

This is a serious security issue.

I have nothing that I am not sure of. All the extension were there before this attack happened. I am pretty sure cause I just went through all my extensions(which are not much) to correct a google+ comments bug. I had disabled all extension and added it one by one. A whois extension was causing the problem. That time I uninstalled many extensions I was not using as Firefox takes up 1.9GB of memory and exhausts my system memory(4GB) I have to restart Firefox it starts at around 1.2 GB or 1.5GB. So I am pretty sure there is no extension of any software installed on my system that I am not aware of. The earlier Malware I corrected with malwarebytes The bigger problem(And how do I open a thread for this or bring it to notice) is a security hole that allows this to happen without consent. It happened after I installed Miro. I unchecked installation of their additional software but this still happened. I can't find Miro listed as a malware. It was around this same time my Anti-virus expired and I had uninstalled it. Installed a new license only after 5 days as I could not decide which antivirust to go for. Now I am not a n00b been browsing since 1997 am a webdeveloper 10 years ago I used to keep cyber cafe/browsing center free of viruses and malwares. I know I just clicked on something by mistake and close the tab before It would even load. It seems its either Miro or this link that has installed the malware without even asking for permission. I am pretty sure I said no to everything as this is not the first time I am installing Miro. This is a serious security issue.
Waka_Flocka_Flame 441 solutions 5048 answers

Have you tried the Search Reset Tool? This will remove preferences of the program from your Firefox.

If the searchreset tool did not work, you can try to delete the user.js file in the profile folder (if present).

To remove the user.js file follow the instructions below:

  1. Go to the orange Firefox button, click the help menu, then click the Troubleshooting Information submenu item.
  2. A new page should now open, scroll down to the Application Basics section and click the Open Folder (Open Directory on Linux) button.
  3. Now a file manager window should show, close Firefox, then right-click the file labeled user or user.js and delete it.
  4. Then, start firefox, your problem should now be resolved.

More information on deleting the user.js file is in the How to fix preferences that won't save.

For more information on search hijacks overall, please read the Remove a toolbar that has taken over your Firefox search or home page article.

Have you tried the [https://addons.mozilla.org/en-US/firefox/addon/searchreset/ Search Reset Tool]? This will remove preferences of the program from your Firefox. If the searchreset tool did not work, you can try to delete the user.js file in the profile folder (if present). To remove the user.js file follow the instructions below: #Go to the orange Firefox button, click the help menu, then click the ''Troubleshooting Information'' submenu item. #A new page should now open, scroll down to the ''Application Basics'' section and click the ''Open Folder (Open Directory on Linux)'' button. #Now a file manager window should show, close Firefox, then right-click the file labeled ''user'' or ''user.js'' and delete it. #Then, start firefox, your problem should now be resolved. More information on deleting the user.js file is in the [[How to fix preferences that won't save]]. For more information on search hijacks overall, please read the [[Remove a toolbar that has taken over your Firefox search or home page]] article.

Question owner

When I started in safemode I found a sitefinder addon that was not appearing before. In safe mode I could see it. There was the remove button. I removed it and it was gone.

But its cannot be seen in normal mode. I guess this is a vulnerability with firefox.

sitefinder was one of the malwares Since I could not find it in my addons I had to use malwarebytes.

Malwarebytes and spybot may have deleted the files that is why the ad popup and recommendation were not appearing. But the extension was still "hidden" and installed and only this redirection was working.

BTW this redirection identifies any shopping website and then redirects it to the same website after adding an affiliate id.

So its really a virus like activity that is trying to make money off every transaction.

I think its gone now. But this is very bad. I am not a n00b. Am very careful where I click and I will not allow anything to get installed. Still this happened. Which means the browser has been hijacked by some website silently. Without asking me for confirmation

Whatever is installed cannot be detected. I assumes that whatever installed it should be either in addons or as a software installed in my programs.

Anyways this is solved. Thanks for your replies

When I started in safemode I found a sitefinder addon that was not appearing before. In safe mode I could see it. There was the remove button. I removed it and it was gone. But its cannot be seen in normal mode. I guess this is a vulnerability with firefox. sitefinder was one of the malwares Since I could not find it in my addons I had to use malwarebytes. Malwarebytes and spybot may have deleted the files that is why the ad popup and recommendation were not appearing. But the extension was still "hidden" and installed and only this redirection was working. BTW this redirection identifies any shopping website and then redirects it to the same website after adding an affiliate id. So its really a virus like activity that is trying to make money off every transaction. I think its gone now. But this is very bad. I am not a n00b. Am very careful where I click and I will not allow anything to get installed. Still this happened. Which means the browser has been hijacked by some website silently. Without asking me for confirmation Whatever is installed cannot be detected. I assumes that whatever installed it should be either in addons or as a software installed in my programs. Anyways this is solved. Thanks for your replies
jscher2000
  • Top 10 Contributor
3768 solutions 33377 answers

Chosen Solution

Did you check your extensions list in Firefox's Safe Mode? This deactivates the ability of extensions to hide themselves from the Add-ons page.

Anything custom in your connection settings? You can check here:

orange Firefox button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button

The default is "Use system proxy settings" (adopts settings from IE); you also could try "No proxy".


If you do not have an extension or proxy causing this, you may need to clear out your Firefox program folder and reinstall Firefox. Note: do not uninstall Firefox or remove your settings, this is just about the program folder.

Clean Reinstall

The process is: rename the program folder and then reinstall Firefox. In this process, the Firefox installer should recognize and automatically connect with your existing profiles.

(Still, it might be a good idea to make a backup. This article has suggestions: Back up and restore information in Firefox profiles.)

You can download the installer for Firefox 27.0.1 from here:

https://www.mozilla.org/firefox/all/ (scroll down to your language)

Then after exiting Firefox, rename the folder

C:\Program Files (x86)\Mozilla Firefox

something like

C:\Program Files (x86)\OldFirefox

And run the installer.

Any improvement?

Note that some plugins and extensions install into the program folder. You can extract them later if you discover them missing, but to minimize contamination, please do not bulk copy those folders over.


Regarding how to open a new topic, you can always start a new question using the "Ask a Question" link at the top of the page.

Is the request to have stronger anti-malware integrated into Firefox? Currently the phishing and malware protection is limited to what Google is willing to provide and it does not provide the same list to Firefox users as it does to Chrome users. Going forward, Mozilla is considering adding more services to the browser. The question is whether anything better is available for free or whether it would need to be a paid service, in which case, using commercial antivirus software might be better than having a Firefox-only solution.

Did you check your extensions list in Firefox's Safe Mode? This deactivates the ability of extensions to hide themselves from the Add-ons page. Anything custom in your connection settings? You can check here: orange Firefox button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button The default is "Use system proxy settings" (adopts settings from IE); you also could try "No proxy". ---- If you do not have an extension or proxy causing this, you may need to clear out your Firefox program folder and reinstall Firefox. Note: do not uninstall Firefox or remove your settings, this is just about the program folder. '''Clean Reinstall''' The process is: rename the program folder and then reinstall Firefox. In this process, the Firefox installer should recognize and automatically connect with your existing profiles. (Still, it might be a good idea to make a backup. This article has suggestions: [[Back up and restore information in Firefox profiles]].) You can download the installer for Firefox 27.0.1 from here: https://www.mozilla.org/firefox/all/ (scroll down to your language) Then after exiting Firefox, rename the folder C:\Program Files (x86)\Mozilla Firefox something like C:\Program Files (x86)\OldFirefox And run the installer. Any improvement? ''Note that some plugins and extensions install into the program folder. You can extract them later if you discover them missing, but to minimize contamination, please do not bulk copy those folders over.'' ---- Regarding how to open a new topic, you can always start a new question using the "Ask a Question" link at the top of the page. Is the request to have stronger anti-malware integrated into Firefox? Currently the phishing and malware protection is limited to what Google is willing to provide and it does not provide the same list to Firefox users as it does to Chrome users. Going forward, Mozilla is considering adding more services to the browser. The question is whether anything better is available for free or whether it would need to be a paid service, in which case, using commercial antivirus software might be better than having a Firefox-only solution.

Question owner

Yes exactly that happened. I posted a reply. That it was the sitefinder extension from sitefinder.com It was hidden only after I started in safemode it could be seen.

But is that not a security issue a vulnerability?

Also I just don't remember installing anything anything that said that. Only clicking on a few links by mistake when I my adblock was deactivated(as I was trying to solve google+ comments issue) so a lot of ads in some website I used to visit. I never they had so many ads. I clicked on some by mistake trying to navigate but quickly close them. They had not even loaded.

Its seems that these extension are targetting some vulnerablity which needs to be fixed

Yes exactly that happened. I posted a reply. That it was the sitefinder extension from sitefinder.com It was hidden only after I started in safemode it could be seen. But is that not a security issue a vulnerability? Also I just don't remember installing anything anything that said that. Only clicking on a few links by mistake when I my adblock was deactivated(as I was trying to solve google+ comments issue) so a lot of ads in some website I used to visit. I never they had so many ads. I clicked on some by mistake trying to navigate but quickly close them. They had not even loaded. Its seems that these extension are targetting some vulnerablity which needs to be fixed
jscher2000
  • Top 10 Contributor
3768 solutions 33377 answers

Firefox normally prompts you twice when installing an extension that isn't from the list of pre-approved sites. First, you have to allow the site, then secondly you see the install dialog.

By the way, you can review the list of allowed sites here:

orange Firefox button (or Tools menu) > Options > Security

It's behind the first Exceptions button on the right.

Do you think the extension bypassed those obstacles?


I do think it's troubling that extensions can hide themselves, and I'm not sure why that is allowed. Other than keeping "parental controls" in force, I'm not aware of anyone giving a good justification for using that feature.

Firefox normally prompts you twice when installing an extension that isn't from the list of pre-approved sites. First, you have to allow the site, then secondly you see the install dialog. By the way, you can review the list of allowed sites here: orange Firefox button (or Tools menu) > Options > Security It's behind the first Exceptions button on the right. Do you think the extension bypassed those obstacles? ---- I do think it's troubling that extensions can hide themselves, and I'm not sure why that is allowed. Other than keeping "parental controls" in force, I'm not aware of anyone giving a good justification for using that feature.

Modified by jscher2000

Question owner

Yes I am aware of that. Like I said I never allowed anything.

I went to the security and found a ton of websites added to the exceptions. One of them was sexlinks others are just numbers and names vague ones so I am assuming these are spam/virus wesbites.

How did these websites get added I have no idea.

I have noticed that if I install any software that has an extension. When I restart my firefox it will ask me to approve that extension. So for stuff I know like Flashgot I say yes. for stuff I don't know or don't want I say no.

But with this attack no warning at all. The hijacking of the search bar and the New tab/Home page also was "silent" I never accepted anything.

This happened during the time I had disabled my add on to troubleshoot the google+ bug.

I would not think its troubling either, but if a malware can use it to hide itself while installing itself automatically Its troubling, more than troubling.

Yes I am aware of that. Like I said I never allowed anything. I went to the security and found a ton of websites added to the exceptions. One of them was sexlinks others are just numbers and names vague ones so I am assuming these are spam/virus wesbites. How did these websites get added I have no idea. I have noticed that if I install any software that has an extension. When I restart my firefox it will ask me to approve that extension. So for stuff I know like Flashgot I say yes. for stuff I don't know or don't want I say no. But with this attack no warning at all. The hijacking of the search bar and the New tab/Home page also was "silent" I never accepted anything. This happened during the time I had disabled my add on to troubleshoot the google+ bug. I would not think its troubling either, but if a malware can use it to hide itself while installing itself automatically Its troubling, more than troubling.
jscher2000
  • Top 10 Contributor
3768 solutions 33377 answers

Hi creeem, it's easy for external software to change your home page, new tab page, and keyword.URL settings by creating a user.js file in your profile folder. The setting to warn you about sites installing software also could be switched using the same file.

I have not previously heard of malware adding software installation exceptions, which are stored in a database file. It is worth investigating how that happened, but I'm not sure how you would track it back without starting over and reinstalling unwanted software...

Hi creeem, it's easy for external software to change your home page, new tab page, and keyword.URL settings by creating a user.js file in your profile folder. The setting to warn you about sites installing software also could be switched using the same file. I have not previously heard of malware adding software installation exceptions, which are stored in a database file. It is worth investigating how that happened, but I'm not sure how you would track it back without starting over and reinstalling unwanted software...

Question owner

Yes I know its easy, I believe there shud be some protection in place for the user.js modification.

I installed Miro the video player. I had also disabled all extensions during this time. Like adblock, which manages to block a lot of malware.

I have a sandbox. Maybe I will try installing firefox and miro on that and see what it does

Yes I know its easy, I believe there shud be some protection in place for the user.js modification. I installed Miro the video player. I had also disabled all extensions during this time. Like adblock, which manages to block a lot of malware. I have a sandbox. Maybe I will try installing firefox and miro on that and see what it does