Why would Malwarebytes show potential threat to Firefox Profile

  • 26 replies
  • 5 have this problem
  • 92 views
  • Last reply by Ari94

more options

Recently I installed Malwarebytes (free version) and after a scan it detected the Firefox profile. What could be the threat from Firefox? I can't understand.

Any advice, suggestion or help will be appreciated.

Thank you. PS: maybe after posting I will be able to post screenshots.

Chosen solution

I think the problem is, you restarted Firefox before deleting user.js. Firefox imports user.js into prefs.js at every startup. So you'll need to clear those preferences (about:config or direct edit of prefs.js) to finally eliminate them.

All Replies (20)

more options

Here is a screenshot for the above question. Thank you

more options

It might be a false alarm. Also try to scan it with some other malware-detecting software to make sure that it is not a false alarm.

Hope this helps.

more options

Thank you for the quick reply. I too am thinking the same: "false alarm".

more options

Hello,

I am glad to hear that your question has been answered.

If you have not already, please mark this thread as solved by marking the solution. This will help other users experiencing similar problems find help faster and more efficiently.

I hope you continue using our products and thank you for contacting Mozilla Support.

more options

Most definitely NOT a false alarm. That is the pernicious Babylon toolbar. If you didn't install it deliberately, it will have installed itself surreptitiously.

If you don't want it I suggest you remove it from there and everywhere else.

[Check Programmes and Features etc.]

Please read this: http://malwaretips.com/blogs/remove-babylon-toolbar/

more options

Thank you for the reply. I am very careful and do not install any toolbars. Also, there isn't any Babylon toolbar that I could uninstall.

Refer to the screenshot.

Thank you once again.

more options

In order to be able to find the correct solution to your problem, we require some more non-personal information from you. Please do the following:

  • Click the Firefox button at the top left, then click the Help menu and select Troubleshooting Information from the submenu. If you don't have a Firefox button, click the Help menu at the top and select Troubleshooting Information from the menu.

Now, a new tab containing your troubleshooting information should open.

  • At the top of the page, you should see a button that says "Copy text to clipboard". Click it.
  • Now, go back to your forum post and click inside the reply box. Press Ctrl+V to paste all the information you copied into the forum post.

If you need further information about the Troubleshooting information page, please read the article Use the Troubleshooting Information page to help fix Firefox issues.

Thanks in advance for your help!

more options

You DID install the Babylon toolbar. That is what Malwarebytes discovered and quarantined. PUP means Potentially Unwanted Program.

Babylon install their toolbar, sometimes without permission, when you download something else. Please follow the uninstall procedures I linked to above.

more options

There isn't any Babylon thing except inside the Firefox/Profile folder, a file with a js extension. Whenever I search for Babylon I get these two. I wonder why inside the Firefox folder? Refer to the screenshot.

Thank you.

more options

Hi, I do not think sharing such information in a public place is a good idea. If there is an e-mail address, I might send you that copied text.

But following your guidance, when I was reading the copied text I found this entry, which seems suspicious.

user.js Preferences


Your profile folder contains a user.js file, which includes preferences that were not created by Firefox.

Refer to the screenshot.

Thank you

more options

That's how malware works. Please just follow the instructions in my link.

more options

Both prefs.js and user.js are text files that can't do direct harm as they only initialize some Firefox settings.

What is the content of the user.js file?

The user.js file is only present if you or other software has created this file and normally it wouldn't be there. You can check its content with a plain text editor (right-click: Open with) if you didn't create this file yourself.

The user.js file is read each time Firefox is started and initializes preferences to the value specified in this file, so preferences set via user.js can only be changed temporarily for the current session.

You can delete a possible user.js file and numbered prefs-##.js files and rename (or delete) the prefs.js file to reset all prefs to the default value including prefs set via user.js and prefs that are no longer supported in the current Firefox release.

See also:

more options

Also, please post the information from about:support; it doesn't contain anything personally identifiable and will go a long way in helping us diagnose this issue.

more options

Hi Ari94, a few things:

(1) The user.js file is read at startup and will override the settings you saved during your previous session. Usually there are no important settings in it on a personal system; if your Firefox is in a business environment, it may contain some settings created by your IT department. Try renaming it to olduser.js as a test and/or view it in a text editor (don't double-click script files; try right-click > Edit).

(2) Tyler's suggestion will help us to know what settings in your prefs.js file might be related to an add-on or malware. After pasting the text into your post, use the Preview button to see whether there is any sensitive information and delete it before posting.

(3) If you want to take a look first, try this:

In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

In the search box above the list, type or paste babylon and pause while the list is filtered.

What appears may be some of the settings that Malwarebytes is objecting to. In many cases, you can clear unwanted settings by right-clicking them and choosing Reset. However, if you're not sure of the importance of the settings, you can post your Troubleshooting Information here for comment.

more options

Hi, jscher2000

Glad you finally replied.

First, regarding copying and pasting the troubleshooting result (as some suggested) here, I am not sure if that is safe or not.

Next, as you suggested, in about:config I searched for Babylon and got some results; please refer to the screenshot.

I wish I could send you the troubleshooting text result by e-mail.

Thank you

more options

I know that to get a solution to my problem I must give you details, but I am not convinced to copy troubleshooting details here.

I think I should try to reset the preferences and see what Malwarebytes does.

Thank you.

more options

Ari94:

As many contributors, moderators, and even an administrator have said, your troubleshooting information will help us identify the issue.
The troubleshooting information DOES NOT contain any personal information that could identify you! If you still are not convinced, then I will post my own troubleshooting information in order to convince you that nothing personal is stored in there.


Here is mine:

Application Basics

Name: Firefox-Trunk Version: 31.0a1 User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0

Extensions


Name: Adblock Plus Version: 2.5.1 Enabled: true ID: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

Name: Ubuntu Firefox Modifications Version: 2.7 Enabled: true ID: ubufox@ubuntu.com

Important Modified Preferences


  • accessibility.typeaheadfind.flashBar: 0
  • browser.cache.disk.capacity: 358400
  • browser.cache.disk.smart_size_cached_value: 358400
  • browser.cache.disk.smart_size.first_run: false
  • browser.cache.disk.smart_size.use_old_max: false
  • browser.places.smartBookmarksVersion: 7
  • browser.sessionstore.upgradeBackup.latestBuildID: 20140326100610
  • browser.startup.homepage_override.buildID: 20140326100610
  • browser.startup.homepage_override.mstone: 31.0a1
  • browser.tabs.loadInBackground: false
  • dom.mozApps.used: true
  • extensions.lastAppVersion: 31.0a1
  • network.cookie.prefsMigrated: true
  • places.database.lastMaintenance: 1397394410
  • places.history.expiration.transient_current_max_pages: 104858
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: true
  • privacy.cpd.cookies: false
  • privacy.cpd.sessions: false
  • privacy.sanitize.migrateFx3Prefs: true
  • privacy.sanitize.timeSpan: 0
  • security.disable_button.openCertManager: false
  • storage.vacuum.last.index: 1
  • storage.vacuum.last.places.sqlite: 1397151084

Graphics


  • Adapter Description: ATI Technologies Inc. -- AMD Radeon HD 7640G
  • Device ID: AMD Radeon HD 7640G
  • Driver Version: 4.3.12618 Compatibility Profile Context 13.251
  • GPU Accelerated Windows: 0/1 Basic
  • Vendor ID: ATI Technologies Inc.
  • WebGL Renderer: ATI Technologies Inc. -- AMD Radeon HD 7640G
  • windowLayerManagerRemote: false
  • AzureCanvasBackend: cairo
  • AzureContentBackend: cairo
  • AzureFallbackCanvasBackend: none
  • AzureSkiaAccelerated: 0

JavaScript


Incremental GC: true

Accessibility


Activated: false Prevent Accessibility: 0

Library Versions


NSPR Expected minimum version: 4.10.5 Beta Version in use: 4.10.5 Beta

NSS Expected minimum version: 3.16 Basic ECC Version in use: 3.16 Basic ECC

NSSSMIME Expected minimum version: 3.16 Basic ECC Version in use: 3.16 Basic ECC

NSSSSL Expected minimum version: 3.16 Basic ECC Version in use: 3.16 Basic ECC

NSSUTIL Expected minimum version: 3.16 Version in use: 3.16

Experimental Features


Now, can you do as everyone in this thread has asked you to do and post your troubleshooting information to see if there is a problem we can see there?

Modified by Moses

more options

I have moved the prefs.js file and a new one is created. I also have to set my home page again. I also read that the user.js file is not created by Firefox. Below I am copying the troubleshooting info.

Application Basics


Name: Firefox Version: 28.0 User Agent: Mozilla/5.0 (Windows NT 6.0; rv:28.0) Gecko/20100101 Firefox/28.0

Crash Reports for the Last 3 Days


All Crash Reports

Extensions


Name: Adblock Plus Version: 2.5.1 Enabled: true ID: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}

Name: DownloadHelper Version: 4.9.22 Enabled: true ID: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}

Name: EPUBReader Version: 1.4.2.4 Enabled: true ID: {5384767E-00D9-40E9-B72F-9CC39D655D6F}

Name: Flagfox Version: 5.0.2 Enabled: true ID: {1018e4d6-728f-4b20-ad56-37578a4de76b}

Name: Microsoft .NET Framework Assistant Version: 0.0.0 Enabled: true ID: {20a82645-c095-46ed-80e3-08825760534b}

Name: Mozilla Archive Format Version: 3.0.0 Enabled: true ID: {7f57cf46-4467-4c2d-adfa-0cba7c507e54}

Name: Rainbow Version: 1.6 Enabled: true ID: rainbow@colors.org

Name: Dark Side Of The Prism Version: 1.0 Enabled: false ID: jid1-zlXnEvw93j6qAA@jetpack

Name: Ghostery Version: 5.2.0 Enabled: false ID: firefox@ghostery.com

Name: ImTranslator Version: 7.8 Enabled: false ID: {9AA46F4F-4DC7-4c06-97AF-5035170634FE}

Name: Lightbeam Version: 1.0.9 Enabled: false ID: jid1-F9UJ2thwoAm5gQ@jetpack

Name: Norton Toolbar Version: 2014.7.0.43 Enabled: false ID: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}

Name: Norton Vulnerability Protection Version: 12.2.0.5 - 1 Enabled: false ID: {BBDA0591-3099-440a-AA10-41764D9DB4DB}

Name: Personas Plus Version: 1.7.3 Enabled: false ID: personas@christopher.beard

Name: PopVideo Version: 0.6.8 Enabled: false ID: lmnPopVideo@lshai.com

Name: RealDownloader Version: 1.3.2 Enabled: false ID: {FCE04E1F-9378-4f39-96F6-5689A9159E45}

Name: Screengrab (fix version) Version: 0.97.24c Enabled: false ID: {02450914-cdd9-410f-b1da-db004e18c671}

Name: Skype Click to Call Version: 6.10.0.13089 Enabled: false ID: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}

Name: Toggle Private Browsing Version: 1.8 Enabled: false ID: toggleprivatebrowsing@supernova00.biz

Important Modified Preferences


  • browser.cache.disk.capacity: 1048576
  • browser.cache.disk.smart_size.first_run: false
  • browser.cache.disk.smart_size_cached_value: 880640
  • browser.places.smartBookmarksVersion: 6
  • browser.sessionstore.upgradeBackup.latestBuildID: 20140314220517
  • browser.startup.homepage: http://www.yahoo.com/
  • browser.startup.homepage_override.buildID: 20140314220517
  • browser.startup.homepage_override.mstone: 28.0
  • dom.mozApps.used: true
  • extensions.lastAppVersion: 28.0
  • gfx.direct3d.last_used_feature_level_idx: 1
  • network.cookie.prefsMigrated: true
  • places.history.expiration.transient_current_max_pages: 93878
  • plugin.disable_full_page_plugin_for_types: application/pdf
  • plugin.importedState: true
  • privacy.sanitize.migrateFx3Prefs: true

user.js Preferences


Your profile folder contains a user.js file, which includes preferences that were not created by Firefox.

Graphics


  • Adapter Description: NVIDIA GeForce 8600M GT
  • Adapter Drivers: nvd3dum nvwgf2um,nvwgf2um
  • Adapter RAM: 256
  • Device ID: 0x0407
  • Direct2D Enabled: true
  • DirectWrite Enabled: true (7.0.6002.23200)
  • Driver Date: 12-29-2012
  • Driver Version: 9.18.13.1090
  • GPU #2 Active: false
  • GPU Accelerated Windows: 1/1 Direct3D 10
  • Vendor ID: 0x10de
  • WebGL Renderer: Google Inc. -- ANGLE (NVIDIA GeForce 8600M GT Direct3D9Ex vs_3_0 ps_3_0)
  • windowLayerManagerRemote: false
  • AzureCanvasBackend: direct2d
  • AzureContentBackend: direct2d
  • AzureFallbackCanvasBackend: cairo
  • AzureSkiaAccelerated: 0

JavaScript


Incremental GC: true

Accessibility


Activated: false Prevent Accessibility: 0

Library Versions


NSPR Expected minimum version: 4.10.3 Version in use: 4.10.3

NSS Expected minimum version: 3.15.5 Basic ECC Version in use: 3.15.5 Basic ECC

NSSSMIME Expected minimum version: 3.15.5 Basic ECC Version in use: 3.15.5 Basic ECC

NSSSSL Expected minimum version: 3.15.5 Basic ECC Version in use: 3.15.5 Basic ECC

NSSUTIL Expected minimum version: 3.15.5 Version in use: 3.15.5


Let's see what could be done with the above information. Thank you.

more options

Hi Ari94, thank you for the screen shot. Did you already right-click > Reset those preferences?

When you remove an extension, Firefox retains its related preferences in case you plan to reinstall it. Since you don't want to reinstall this one, it is safe to reset those preferences. Firefox then will clean them out of prefs.js (not sure if that is immediate or when you exit Firefox) and Malwarebytes should be happy (or happier).

But there's a potential catch: if those preferences exist in user.js, they will be reinserted into Firefox, so make sure to address that file as well.
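
The distinction drawn in the chosen solution and in the reply above (preferences left behind in prefs.js versus preferences that user.js sets again at every startup) can be checked directly on a profile folder. This is an added example, not part of the original thread: the function names are hypothetical, and the `extensions.babylon_example.*` preference names and the `.example` URL are constructed sample data.

```python
import re
import tempfile
from pathlib import Path

# One preference line as written in prefs.js / user.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def read_prefs(path):
    """Return {pref name: raw value text}; a missing file yields {}."""
    if not path.is_file():
        return {}
    text = path.read_text(encoding="utf-8", errors="replace")
    return {m.group(1): m.group(2)
            for m in map(PREF_RE.match, text.splitlines()) if m}

def audit_profile(profile_dir, keyword):
    """Split prefs mentioning keyword by whether user.js will restore them."""
    profile = Path(profile_dir)
    user = read_prefs(profile / "user.js")
    saved = read_prefs(profile / "prefs.js")
    kw = keyword.lower()

    def hits(prefs):
        return {n for n, v in prefs.items() if kw in n.lower() or kw in v.lower()}

    return {
        # Set again at every startup until user.js is edited or deleted.
        "reapplied_by_user_js": sorted(hits(user)),
        # Saved state only: a Reset in about:config is enough for these.
        "only_in_prefs_js": sorted(hits(saved) - set(user)),
    }

def build_sample_profile():
    """Constructed profile; the babylon_example prefs and URL are made up."""
    d = Path(tempfile.mkdtemp())
    (d / "user.js").write_text(
        'user_pref("browser.startup.homepage", "http://search.babylon.example/");\n'
        'user_pref("extensions.babylon_example.enabled", true);\n')
    (d / "prefs.js").write_text(
        '// constructed sample\n'
        'user_pref("browser.startup.homepage", "http://search.babylon.example/");\n'
        'user_pref("extensions.babylon_example.enabled", true);\n'
        'user_pref("extensions.babylon_example.last_run", 1400000000);\n'
        'user_pref("browser.cache.disk.capacity", 1048576);\n')
    return d

if __name__ == "__main__":
    print(audit_profile(build_sample_profile(), "babylon"))
```

Anything listed under `reapplied_by_user_js` comes back after a reset or a fresh prefs.js until user.js itself is dealt with, which matches the behaviour reported later in the thread.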

more options

Hi, thank you for the reply.

I did, by right-clicking them and choosing Reset.

Also, I did remove the prefs.js file, and on the next boot Firefox was showing Google as the home page, which I had to reset to Yahoo. I also checked about:config once again and noticed all the Babylon entries seen in my previous screenshot had returned.

In another post I have also provided the troubleshooting text.

Thank you
