pups prefs.js keep coming back found by malwarebytes plus several tries to hack my email account
I found some infos but I do not trust myself just deleting the files in question since they ared all over my system. The following I found per malwarebytes which found the pups every day up to now:
PUP.Optional.DefaultSearch is Malwarebytes’ detection name for a family of browser hijackers targeting Chrome, Firefox and Internet Explorer. Symptoms The browsers’ default search engine was changed to one that belonged to the threat-actors. I am german so probably I need your patience in helping me to clean my system resp. Mozilla.
Looking forward Ingrid
Выбранное решение
Hi Ingrid, along the lines of cor-el's last reply, can you find these preferences if you check internally in Firefox itself:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste this search pattern: newtab*url
Firefox should filter the list and show any current matches.
Do you see either of the ones cor-el discovered in your pastebin file?
cor-el said
Could be about these lines in the YABwy5Hk file: user_pref("browser.newtab.url", "https://defaultsearch.co/homepage?hp=1&pId=CH180901FF&iDate=2020-07-07 12:48:23&bName=&bitmask=0600"); user_pref("browser.newtabpage.url", "https://defaultsearch.co/homepage?hp=1&pId=CH180901FF&iDate=2020-07-07 12:48:23&bName=&bitmask=0600");
Note: these preferences are ignored by Firefox, so they are harmless, but Malwarebytes still doesn't like them.
(3) To remove an unwanted alien preference, click the trash can icon at the end of the row.
Firefox will change the row to showing a bar to re-add the preference. Ignore that bar, you don't want to re-add it.
More info on about:config: Configuration Editor for Firefox.
Hopefully that will flush it and make Malwarebytes happy.
Прочитайте этот ответ в контексте 👍 0Все ответы (20)
The prefs.js file contains settings for Firefox. Sometimes what happens is a link or coding causes the anti-virus to flag it.
Hi Ingrid, if you had a questionable extension installed and later removed it, it's possible Firefox kept a record of its name, just in case you reinstall it. Unfortunately, this would be embedded in a list of all your extensions, and erasing that list may cause you to lose the data saved by your add-ons (Firefox will treat them as new installations on the next startup). That data might just be a couple settings, but depending on the add-on, it could be saved sessions, block lists, and so on. If any of your add-ons save valuable data, check whether it has an option to export the data before erasing the prefs.js file.
Best would be to keep a backup copy of prefs.js to be able to restore the extensions UUID if necessary.
Thanks a lot for your answers. I´m thinking you do not see a problem since I am receiving bad news from MWB every day. How is it possible that the same pups renew theirselves every day.
I paste some of the log news from the last few days: Malwarebytes www.malwarebytes.com
-Protokolldetails- Datum des Schutzereignisses: 15.09.21 Uhrzeit des Schutzereignisses: 11:50 Protokolldatei: 65ba5e0a-160a-11ec-bdf7-60eb694b41cc.json
-Softwaredaten- Version: 4.4.6.132 Komponentenversion: 1.0.1453 Version des Aktualisierungspakets: 1.0.44976 Lizenz: Testversion
-Systemdaten- Betriebssystem: Windows 10 (Build 19043.1165) CPU: x64 Dateisystem: NTFS Benutzer: System
-Einzelheiten zu blockierten Websites- Bösartige Website: 1 , C:\Program Files\Mozilla Firefox\firefox.exe, Blockiert, -1, -1, 0.0.0, ,
-Website-Daten- Kategorie: Riskware Domäne: chip-cluster.de IP-Adresse: 83.125.106.237 Port: 443
Malwarebytes
www.malwarebytes.com
-Protokolldetails- Scan-Datum: 21.09.21 Scan-Zeit: 10:49 Protokolldatei: e1a7e7f0-1ab8-11ec-b7f4-60eb694b41cc.json
-Softwaredaten- Version: 4.4.6.132 Komponentenversion: 1.0.1453 Version des Aktualisierungspakets: 1.0.45150 Lizenz: Testversion
-Systemdaten- Betriebssystem: Windows 10 (Build 19043.1237) CPU: x64 Dateisystem: NTFS Benutzer: System
-Scan-Übersicht- Scan-Typ: Bedrohungs-Scan Scan gestartet von: Zeitplaner Ergebnis: Abgeschlossen Gescannte Objekte: 542394 Erkannte Bedrohungen: 2 In die Quarantäne verschobene Bedrohungen: 0 Abgelaufene Zeit: 1 Std., 15 Min., 38 Sek.
-Scan-Optionen- Speicher: Aktiviert Start: Aktiviert Dateisystem: Aktiviert Archive: Aktiviert Rootkits: Deaktiviert Heuristik: Aktiviert PUP: Erkennung PUM: Erkennung
-Scan-Details- Prozess: 0 (keine bösartigen Elemente erkannt)
Modul: 0 (keine bösartigen Elemente erkannt)
Registrierungsschlüssel: 0 (keine bösartigen Elemente erkannt)
Registrierungswert: 0 (keine bösartigen Elemente erkannt)
Registrierungsdaten: 0 (keine bösartigen Elemente erkannt)
Daten-Stream: 0 (keine bösartigen Elemente erkannt)
Ordner: 0 (keine bösartigen Elemente erkannt)
Datei: 2 PUP.Optional.DefaultSearch, C:\USERS\INGRID\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\S1WALZNK.DEFAULT-ESR\PREFS.JS, Keine Aktion durch Benutzer, 330, 932426, 1.0.45150, , ame, , 6FC46B750EF9EA58995EA368383600D3, CA0BB5C3BFBDC6D66A2697BA79CF8471C62118993130215B092A6055A15F622C PUP.Optional.DefaultSearch, C:\USERS\INGRID\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\S1WALZNK.DEFAULT-ESR\PREFS.JS, Keine Aktion durch Benutzer, 330, 932427, 1.0.45150, , ame, , 6FC46B750EF9EA58995EA368383600D3, CA0BB5C3BFBDC6D66A2697BA79CF8471C62118993130215B092A6055A15F622C
@cor-el: I am very sorry but I do not understand one word. "to be able to restore the extensions UUID if necessary." ????
I also remember thaT I found an old question with the nearly same problem here and it took several steps to get rid of it. But I can´t find it anymore that's the reason I am here now.
You can try this idea:
Type about:support<enter> in the address bar.
Under the page logo on the left side, you will see Application Basics. Under this find Profile Folder. To its right press the button Show Folder. This will open your file browser to the current Firefox profile. Now Close Firefox.
Locate the prefs.js file.
Is the file text only? And not huge?
Open a text/word program and load the file. Left-click once. Now <Control> A to highlight everything, then <Control> C to copy it.
Next, have your web browser go to; https://pastebin.com/
Paste <Control> P the content of the file in the window. Note: On the bottom, fill out the boxes as best you can.
Now press Create A New Paste. The page will reload. Copy the new web address, and post it here.
iethomas said
I´m thinking you do not see a problem since I am receiving bad news from MWB every day. How is it possible that the same pups renew theirselves every day. ... Datei: 2 PUP.Optional.DefaultSearch, C:\USERS\INGRID\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\S1WALZNK.DEFAULT-ESR\PREFS.JS, Keine Aktion durch Benutzer, 330, 932426, 1.0.45150, , ame, , 6FC46B750EF9EA58995EA368383600D3, CA0BB5C3BFBDC6D66A2697BA79CF8471C62118993130215B092A6055A15F622C PUP.Optional.DefaultSearch, C:\USERS\INGRID\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\S1WALZNK.DEFAULT-ESR\PREFS.JS, Keine Aktion durch Benutzer, 330, 932427, 1.0.45150, , ame, , 6FC46B750EF9EA58995EA368383600D3, CA0BB5C3BFBDC6D66A2697BA79CF8471C62118993130215B092A6055A15F622C
I can't tell whether Malwarebytes is providing information on a specific line in the file, so we can only guess about what it doesn't like. Actually, I also found this article that mentions defsearchp@gmail.com.xpi:
https://blog.malwarebytes.com/detections/pup-optional-defaultsearch/
It might be possible to find and remove the section of the file where that is mentioned, but since extension data is written in a somewhat complicated way, it would only be worth the effort if you have add-on data and settings you do not want to lose by simply quarantining the entire file.
thanks , will do tomorrow. lost my nerves trying to send posts. found addonStartup.json.LZ4 in my current profile.
Hi, Fred,
thanks for your help. I tried similar way with profile show. There is one current and 6 others without my doing so. Also I find prefs.js file and others js1-6 (see Screenshot) which I cannot open. Windows script host pops up and says:error:waiting for object (my translation) Code: 800A138F
Rename the prefs.js file by adding .txt to the end. Do as I posted above. Then rename the file back.
If you are nervous about doing this, Copy the file to another location and work on the copy.
You can remove all numbered prefs-#.js (1-6) temp files as those numbered files are leftover from times when there was a problem with renaming the temp file to prefs.js.
Изменено
I just see I did Nr. 1 of the other files : Prefs1.js
Does it help or should I do the one without number?
https://pastebin.com/YABwy5Hk here is the one
Could be about these lines in the YABwy5Hk file:
user_pref("browser.newtab.url", "https://defaultsearch.co/homepage?hp=1&pId=CH180901FF&iDate=2020-07-07 12:48:23&bName=&bitmask=0600"); user_pref("browser.newtabpage.url", "https://defaultsearch.co/homepage?hp=1&pId=CH180901FF&iDate=2020-07-07 12:48:23&bName=&bitmask=0600");
EDIT: You can reset these prefs on the about:config page as the aren't used by Firefox and looks they are added by some other software in 2020 according to the date in the URL.
Do you remember having problems during that time that coincides with the dates of the numbered prefs-#.js files?
Изменено
Why do you send me a bing-link?
Выбранное решение
Hi Ingrid, along the lines of cor-el's last reply, can you find these preferences if you check internally in Firefox itself:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste this search pattern: newtab*url
Firefox should filter the list and show any current matches.
Do you see either of the ones cor-el discovered in your pastebin file?
cor-el said
Could be about these lines in the YABwy5Hk file: user_pref("browser.newtab.url", "https://defaultsearch.co/homepage?hp=1&pId=CH180901FF&iDate=2020-07-07 12:48:23&bName=&bitmask=0600"); user_pref("browser.newtabpage.url", "https://defaultsearch.co/homepage?hp=1&pId=CH180901FF&iDate=2020-07-07 12:48:23&bName=&bitmask=0600");
Note: these preferences are ignored by Firefox, so they are harmless, but Malwarebytes still doesn't like them.
(3) To remove an unwanted alien preference, click the trash can icon at the end of the row.
Firefox will change the row to showing a bar to re-add the preference. Ignore that bar, you don't want to re-add it.
More info on about:config: Configuration Editor for Firefox.
Hopefully that will flush it and make Malwarebytes happy.
yes, found and deleted the both.
No, I do not remember having trouble in 2020 but possible.
The files 1-6 also disappeared when I deleted the 2 in question in about:config.
After new start it seems clear, for now.
Tomorrow Mwb runs again and I will tell the news.
Till then - Thanks to all the nice gentlemen helping the dumb old lady :-)
No worries, none of us was born knowing about PUPs... we're all learning this as we go.
One last question: Beside the current Profile - ESR - there are three others. Why are they there and should I keep or delete them?
Again many thanks for all your help.
Greetings from Berlin Ingrid
I forgot to mention that everything is o.k., MWB is satisfied and me too.