You need to seek help on a forum specializing on malware removal. Since you have Malwarebytes Anti-malware, I recommend

• https://forums.malwarebytes.org/index.php?showforum=7

Also see the "How do I prevent malware from being installed?" section of the following article.

• Troubleshoot Firefox issues caused by malware

Speaking of extensions, have you reviewed yours recently? Try this:

Disable ALL nonessential or unrecognized extensions on the Add-ons page. Either:

• Ctrl+Shift+a
• orange Firefox button (or Tools menu) > Add-ons

In the left column, click Extensions. Then, if in doubt, disable.

Usually a link will appear above at least one disabled extension to restart Firefox. You can complete your work on the tab and click one of the links as the last step.

If the problem continues, you might have a hidden extension that only is visible/removable in Firefox's Safe Mode.

You can restart Firefox in Safe Mode using

Help > Restart with Add-ons Disabled

In the dialog, click "Start in Safe Mode" (not Reset)

Any difference?

I have nothing that I am not sure of. All the extension were there before this attack happened. I am pretty sure cause I just went through all my extensions(which are not much) to correct a google+ comments bug. I had disabled all extension and added it one by one. A whois extension was causing the problem. That time I uninstalled many extensions I was not using as Firefox takes up 1.9GB of memory and exhausts my system memory(4GB) I have to restart Firefox it starts at around 1.2 GB or 1.5GB.

So I am pretty sure there is no extension of any software installed on my system that I am not aware of. The earlier Malware I corrected with malwarebytes

The bigger problem(And how do I open a thread for this or bring it to notice) is a security hole that allows this to happen without consent. It happened after I installed Miro. I unchecked installation of their additional software but this still happened.

I can't find Miro listed as a malware. It was around this same time my Anti-virus expired and I had uninstalled it. Installed a new license only after 5 days as I could not decide which antivirust to go for.

Now I am not a n00b been browsing since 1997 am a webdeveloper 10 years ago I used to keep cyber cafe/browsing center free of viruses and malwares.

I know I just clicked on something by mistake and close the tab before It would even load.

It seems its either Miro or this link that has installed the malware without even asking for permission. I am pretty sure I said no to everything as this is not the first time I am installing Miro.

This is a serious security issue.

Have you tried the Search Reset Tool? This will remove preferences of the program from your Firefox.

If the searchreset tool did not work, you can try to delete the user.js file in the profile folder (if present).

To remove the user.js file follow the instructions below:

1. Go to the orange Firefox button, click the help menu, then click the Troubleshooting Information submenu item.
2. A new page should now open, scroll down to the Application Basics section and click the Open Folder (Open Directory on Linux) button.
3. Now a file manager window should show, close Firefox, then right-click the file labeled user or user.js and delete it.
4. Then, start firefox, your problem should now be resolved.

More information on deleting the user.js file is in the How to fix preferences that won't save.

For more information on search hijacks overall, please read the Remove a toolbar that has taken over your Firefox search or home page article.

When I started in safemode I found a sitefinder addon that was not appearing before. In safe mode I could see it. There was the remove button. I removed it and it was gone.

But its cannot be seen in normal mode. I guess this is a vulnerability with firefox.

sitefinder was one of the malwares Since I could not find it in my addons I had to use malwarebytes.

Malwarebytes and spybot may have deleted the files that is why the ad popup and recommendation were not appearing. But the extension was still "hidden" and installed and only this redirection was working.

BTW this redirection identifies any shopping website and then redirects it to the same website after adding an affiliate id.

So its really a virus like activity that is trying to make money off every transaction.

I think its gone now. But this is very bad. I am not a n00b. Am very careful where I click and I will not allow anything to get installed. Still this happened. Which means the browser has been hijacked by some website silently. Without asking me for confirmation

Whatever is installed cannot be detected. I assumes that whatever installed it should be either in addons or as a software installed in my programs.

Anyways this is solved. Thanks for your replies

Did you check your extensions list in Firefox's Safe Mode? This deactivates the ability of extensions to hide themselves from the Add-ons page.

Anything custom in your connection settings? You can check here:

orange Firefox button (or Tools menu) > Options > Advanced > Network mini-tab > "Settings" button

The default is "Use system proxy settings" (adopts settings from IE); you also could try "No proxy".

If you do not have an extension or proxy causing this, you may need to clear out your Firefox program folder and reinstall Firefox. Note: do not uninstall Firefox or remove your settings, this is just about the program folder.

Clean Reinstall

The process is: rename the program folder and then reinstall Firefox. In this process, the Firefox installer should recognize and automatically connect with your existing profiles.

(Still, it might be a good idea to make a backup. This article has suggestions: Back up and restore information in Firefox profiles.)

You can download the installer for Firefox 27.0.1 from here:

https://www.mozilla.org/firefox/all/ (scroll down to your language)

Then after exiting Firefox, rename the folder

C:\Program Files (x86)\Mozilla Firefox

something like

C:\Program Files (x86)\OldFirefox

And run the installer.

Any improvement?

Note that some plugins and extensions install into the program folder. You can extract them later if you discover them missing, but to minimize contamination, please do not bulk copy those folders over.

Regarding how to open a new topic, you can always start a new question using the "Ask a Question" link at the top of the page.

Is the request to have stronger anti-malware integrated into Firefox? Currently the phishing and malware protection is limited to what Google is willing to provide and it does not provide the same list to Firefox users as it does to Chrome users. Going forward, Mozilla is considering adding more services to the browser. The question is whether anything better is available for free or whether it would need to be a paid service, in which case, using commercial antivirus software might be better than having a Firefox-only solution.

Yes exactly that happened. I posted a reply. That it was the sitefinder extension from sitefinder.com It was hidden only after I started in safemode it could be seen.

But is that not a security issue a vulnerability?

Also I just don't remember installing anything anything that said that. Only clicking on a few links by mistake when I my adblock was deactivated(as I was trying to solve google+ comments issue) so a lot of ads in some website I used to visit. I never they had so many ads. I clicked on some by mistake trying to navigate but quickly close them. They had not even loaded.

Its seems that these extension are targetting some vulnerablity which needs to be fixed

Firefox normally prompts you twice when installing an extension that isn't from the list of pre-approved sites. First, you have to allow the site, then secondly you see the install dialog.

By the way, you can review the list of allowed sites here:

orange Firefox button (or Tools menu) > Options > Security

It's behind the first Exceptions button on the right.

Do you think the extension bypassed those obstacles?

I do think it's troubling that extensions can hide themselves, and I'm not sure why that is allowed. Other than keeping "parental controls" in force, I'm not aware of anyone giving a good justification for using that feature.

Yes I am aware of that. Like I said I never allowed anything.

I went to the security and found a ton of websites added to the exceptions. One of them was sexlinks others are just numbers and names vague ones so I am assuming these are spam/virus wesbites.

How did these websites get added I have no idea.

I have noticed that if I install any software that has an extension. When I restart my firefox it will ask me to approve that extension. So for stuff I know like Flashgot I say yes. for stuff I don't know or don't want I say no.

But with this attack no warning at all. The hijacking of the search bar and the New tab/Home page also was "silent" I never accepted anything.

This happened during the time I had disabled my add on to troubleshoot the google+ bug.

I would not think its troubling either, but if a malware can use it to hide itself while installing itself automatically Its troubling, more than troubling.

Hi creeem, it's easy for external software to change your home page, new tab page, and keyword.URL settings by creating a user.js file in your profile folder. The setting to warn you about sites installing software also could be switched using the same file.

I have not previously heard of malware adding software installation exceptions, which are stored in a database file. It is worth investigating how that happened, but I'm not sure how you would track it back without starting over and reinstalling unwanted software...

Yes I know its easy, I believe there shud be some protection in place for the user.js modification.

I installed Miro the video player. I had also disabled all extensions during this time. Like adblock, which manages to block a lot of malware.

I have a sandbox. Maybe I will try installing firefox and miro on that and see what it does