SUMO community discussions
A bug has been filed by Cww
https://bugzilla.mozilla.org/show_bug.cgi?id=719561
I suggest you to subscribe it. Many many thanks to scoobidiver who suggested the cause and the solution.
underpass said
Many many thanks to scoobidiver who suggested the cause and the solution.
Abraxas found it for the first time in that post on December, 30th.
It should be documented.
@scoobidiver: maybe you should add in the bug report that the problem also happens with fr-FR localized versions of Firefox.
Изменено Underpass
So, I gather that disabling the Ask.com Toolbar in the Firefox Add-ons Manager extensions list (assuming it's listed there) or running in Firefox Diagnose Firefox issues using Troubleshoot Mode doesn't help? (Plugins remain enabled in Safe Mode so Flash should still work, but extensions are disabled.)
Ask.com's instructions for uninstalling the toolbar using Windows Control Panel list of installed programs link to a ToolbarUtilityTool.exe file, so if we document this issue, shouldn't we link to this page for removal help first (rather than recommending a third-party malware removal tool)... or doesn't it work?
Изменено AliceWyman
@Alice: from what we have seen, Safe Mode doesn't help.
Didn't know about that particular removal tool. We should give it a try first, though.
scoobidiver said
Since Firefox 9, all issues with slow Flash content or hangs in the French support forum have been caused by the Ask toolbar although users have uninstalled it with the Windows Removing Program feature. Sometimes, they don't even know it was installed. AdwCleaner can remove it completely. This software seems also to be useful against the Babylon toolbar that causes also many troubles.
I would reconsider recommending that tool based on Bug 722614 comments 4-8.
If normal uninstall steps (via Disable or remove Add-ons and Cannot remove an add-on (extension or theme) (via Windows Control Panel), Search Bar removal and Reset Firefox preferences to troubleshoot and fix problems (which resets keyword.URL and other preferences, including the home page) don't remove it completely, I would either refer users to a malware removal forum or to Ask.com's instructions for uninstalling the toolbar at http://asksupport.custhelp.com/app/answers/detail/a_id/2908
P.S. If it causes such problems, Ask.com should also be added to Fix problems with your home page or search.
Изменено AliceWyman
I agree with you, Alice. Recently, one user complained that that tool removed one dll realated to Windows Messenger. It has no "backup" feature. Indeed it's useful, but it could cause potential damage.
I sent an email to the developper about these two problems.
I made a pending revision to to add Ask Toolbar to the Fix problems with your home page or search article which should probably be renamed (discussion thread).
I had an answer from Xplode and I give you a summary:
I am aware of complaints about Firefox preferences. Anyway, either the detection is tolerant and there may be still occurrences of some pieces of malware or it's strict and there may be false positives. He will try to change the balance to detect less false positives.
underpass said
Recently, one user complained that that tool removed one dll related to Windows Messenger.
This dll is a threat. See http://www.threatexpert.com/files/msimg32.dll.html
scoobidiver said
This dll is a threat. See http://www.threatexpert.com/files/msimg32.dll.html
What dll? Just to clarify, msimg32.dll is a Microsoft Windows operating system file. I have multiple copies under Windows\System32, Windows\SysWOW64 and other locations. That link gives its location under %programfiles% or %temp%
In any case, we shouldn't be in the business of malware removal. That should be left up to the experts.
Hi,
You're right Alice, msimg32.dll can be badware or goodware, it depends on which directory it is located. AdwCleaner detects this dll if it's path is %ProgramFiles%\windows live\messenger\msimg32.dll and only in this case.
I've been surprised when i've seen comments like "it seems to be a horribly designed piece of code without any sanity checks whatsoever" on this link : https://bugzilla.mozilla.org/show_bug.cgi?id=722614#c4
Any tool can be subject of false positive, and feedbacks are made for that. I'll work to create a whitelist based on firefox preferences ( like WOT and NoScript ) but as i've said to scoobidiver, if filters are too restrictives, you can't detect all parts of badware. And if filters are too flexible, you have false postive.
Best regards, and sorry if my english is not perfect ( i'm french ). Xplode.
Hi, Xplode. Thanks for the information on AdwCleaner and msimg32.dll
I did some googling and removing %ProgramFiles%\windows live\messenger\msimg32.dll should be OK (unless you've installed Messenger Plus or another Messenger add-on - see reference below) , since that file normally isn't installed in the Windows Live Messenger folder and Messenger will use the copy in the Windows folder. However, I still think we should use the information included in KB articles like Flash Plugin - Keep it up to date and troubleshoot problems, Fix problems with your home page or search, or Troubleshoot Firefox issues caused by malware instead of recommending a removal tool like yours that isn't widely known.
Even if your tool works great to remove the Ask Toolbar, it may cause other problems, especially if there is no backup feature to restore deleted files, like underpass mentioned. I think it would be better to refer people to Ask.com's removal instructions, or else to a forum that specializes in removal of malware or other unwanted software .
Getting back to the subject of this thread, the problem with Flash is Updater.exe installed with the Ask Toolbar so the solution should be to remove Ask.com's software (or else stop Updater.exe from running ... but that would cause the Ask Toolbar to become outdated which might cause other problems). Ref:
Изменено AliceWyman
AliceWyman said
I still think we should use the information included in KB articles like Flash Plugin - Keep it up to date and troubleshoot problems, Fix problems with your home page or search, or Troubleshoot Firefox issues caused by malware...
Yes. That's why I've already added AdwCleaner in the French version of Troubleshoot Firefox issues caused by malware because it seems more efficient about problems caused in Firefox than Malwarebytes' Anti-Malware and SuperAntispyware (no French website), it has no bad feedback in the French support forum, and its database is public. I've also added ask, babylon, etc. as keywords to this article.
@Alice: today I made another test with a user seeking advice. I had him scan the system with AdwCleaner and then he successfully removed the Ask.com Toolbar (that did not appear in Add/Remove Programs) with the removal tool from Ask.com support page.
underpass said
@Alice: today I made another test with a user seeking advice. I had him scan the system with AdwCleaner and then he successfully removed the Ask.com Toolbar (that did not appear in Add/Remove Programs) with the removal tool from Ask.com support page.
Could you explain that better? Which removal tool got rid of the Ask Toolbar?
Sorry, I meant the executable file referenced at the end of this page
I may be rather naive about this issue but will comment anyway, I am sure others will quickly correct any misapprehensions.
I have not tried this tool.
If the comment from the bug report that Xplode is linking to is accurate there may sometimes be problems in trying to use the AdwCleaner. I do not think I myself would try or recommend a tool that apparently deletes files without warning. (That is my understanding of the bug comment)
EDIT Reading the AdwCleaner site information.previously linked: http://general-changelog-team.fr/outils/289-adwcleaner#englishadwcleaner
It appears that the tool does have both a scan mode and a deletion mode, I wonder if the person posting the bug comment realised that?
Presumably in this instance we are dealing with toolbar files, that try to avoid detection by using the names of genuine files.
If the tool just listed suspect files it may be safer for system integrity. In this scenario we are merely trying to remove malware affecting search results and Firefox, not malware that causes direct damage or startup crashes.
I take the point about a file of any particular name being possibly essential in one location, but when in another location it may be malware. Checking file properties date, and size, and a checksum may help in deciding whether the file is genuine. Maybe it would be better if the tool only identified the apparent malware and left the user to deal with deletion.
Anyhow I suppose a compromised dll may be in its original location and have its original name and still be malware, but if that happens almost certainly a correct file needs re-installing so just deleting it may not solve all problems. Also consider something found in an unexpected location may indeed be malware, but it could equally be a backup copy of a genuine file.
Изменено John99
AdwCleaner doesn't have quarantine because the search/deletion is based on a database, not heuristic search so false positive on file/folders can't exist. ( unless I add myself a file that can be a false positive..). Only heuristic search is to detects bad lines on FF/Chome/Opera preferences file.
Moreover, the tool has a "Search" option which must be used before "Delete" mode. You will got a report and you will se if there is a false positive, and in this case not running delete mode.
The DLL mentionned above is not a bad dll. It's the GDIX Dll client which must be present to execute programs who need this.. But the normal path for this dll must be %windir%\system32 , as many others dll. AdwCleaner is a tool that deletes only PUP ( potentially unwanted programs ) such as toolbar, adware. It is not an Antivirus. I'm alone in the development. This dll located on Windows Messenger path is related to MyWebSearch, which is an adware.
But you're right, the more important is not the file name, it's where the file is located. For example, explorer.exe is safe when it's in %windir% folder but when it's in %windir%\system32 , it's a malware.
The other case is when a PE infector virus infects a file , the file is patched but is located on the correct path.
But AdwCleaner doesn't aiming the detection of that kind of malware, it's just a tool dedicated to eradicate PUPs. Do not forget that AdwCleaner is a removal tool like Combofix, Ad-Remover, etc.. and it's not an antivirus.
Regards, Xplode.
underpass said
Sorry, I meant the executable file referenced at the end of this page http://asksupport.custhelp.com/app/answers/detail/a_id/2908
Thanks. So, seeing that the ToolbarUtilityTool.exe from the above Ask support page works, then we should refer people there who want to remove the Ask Toolbar.
