Adware keeps Taking Over Firefox, Firefox@helper2
Starting back about two weeks ago, I got a weird series of pop-ups on Mozilla Firefox's latest version. I figured it was something easily nukable with MalwareBytes, so I had it do its job, and it seemed to stop... for about a day.
After that, the malware reasserted itself, and soon MalwareBytes wasn't getting rid of it, even with a rootkit scan. So, I downloaded and ran the Kaspersky Labs rescue disc and let it run overnight. I started up Firefox, and lo and behold... it is still there.
Firefox Helper 2 comes back the very next day. Malwarebytes detects nothing.
All Replies (20)
hello, you may have malicious addons present, so please perform all these steps:
- refresh firefox (this will keep your bookmarks and passwords)
- afterwards go to the firefox menu ≡ > addons > extensions and in case there are still extensions listed there, disable them.
- finally run a full scan of your system with different other security tools like the adwcleaner, the junkware removal tool and eset online one-time scanner to make sure that adware isn't present in other places of your system as well.
I have reset Firefox, run AdwCleaner and JRT.exe! Nothing seems to be a permanent solution. They seem to find the problem, Firefox@Helper2, and remove it, but it returns the next day!
when it's coming back at regular intervals, it might have left some malicious trails in the autorun section of your system or the task scheduler - https://blog.malwarebytes.org/cybercrime/2015/03/scheduled-tasks/
if the automatic tools can't get rid of it fully, you should probably consult a forum specialised in malware removal like http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/ about this to help you further...
Do a clean reinstall of the current Firefox release and delete the Firefox program folder before installing a fresh copy of the current Firefox release.
- Download the Firefox installer and save the file to the desktop
*https://www.mozilla.org/en-US/firefox/all/
If possible, uninstall your current Firefox version to clean up the Windows Registry and settings in security software.
- Do NOT remove "personal data" when you uninstall your current Firefox version, because this will remove all profile folders and you lose personal data like bookmarks and passwords including data in profiles created by other Firefox versions.
Remove the Firefox program folder before installing that newly downloaded copy of the Firefox installer.
- (32 bit Windows) "C:\Program Files\Mozilla Firefox\"
- (64 bit Windows) "C:\Program Files (x86)\Mozilla Firefox\"
- It is important to delete the Firefox program folder to remove all the files and make sure that there are no problems with files that were leftover after uninstalling.
- http://kb.mozillazine.org/Uninstalling_Firefox
Your personal data like bookmarks is stored in the Firefox profile folder, so you won't lose personal data when you uninstall and reinstall or update Firefox, but make sure NOT to remove personal data when you uninstall Firefox as that will remove all Firefox profile folders and you lose your personal data.
If you keep having problems then create a new profile to test if your current profile is causing the problem.
Daily return strongly suggests a scheduled task -- probably with an innocent name but in an unexpected location or with an unexpected command line.
Also, do you have Firefox set to its default setting of deactivating unsigned extensions? I would be surprised if this was a signed extension. Perhaps changing that setting is part of its master plan.
Let's not start Firefox to find out, let's leave Firefox closed.
You can check your settings in your profile folder, which you can open by pasting this into the Windows 10 search box (or the Run dialog) and pressing Enter:
%APPDATA%\Mozilla\Firefox\Profiles
Double-click into your currently active folder (if there are multiple semi-randomly-named folders, check which has the most recently updated files).
Make sure Windows is set to show all file extensions for this next step. This article has the steps: http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions
Right-click prefs.js and choose Edit to open it in Notepad (or you can use a different text editor if you like). In the file, search for xpin. If you have this line, delete the entire line and then save the changed file:
user_pref("xpinstall.signatures.required", false);
Next, look for a file named user.js and, if you find one, right-click > Edit to see whether that line can be found inside that file. If so, delete it. Also, what else is in there? It affects how your Firefox runs at startup. But I wouldn't delete this file. Instead, after closing it, try right-click > Properties, select Read Only, and OK that. (We can at least try not to get the unwanted line back again.)
If you are familiar and comfortable with the regedit.exe program, I would be curious whether this extension advertises itself in the Windows Registry rather than being "dropped" into the currently active profile folder. These are the keys used for that:
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions -- if you are using the 64-bit version of Firefox on 64-bit Windows 10
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions -- if you are using the 32-bit version of Firefox on 64-bit Windows 10
The "Extensions" key exists but there is nothing in it...
Default REG_SZ (value not set)
Do a malware check with several malware scanning programs on the Windows computer.
Please scan with all programs because each program detects different malware. All these programs have free versions.
Make sure that you update each program to get the latest version of their databases before doing a scan.
- Malwarebytes' Anti-Malware:
http://www.malwarebytes.org/mbam.php
- AdwCleaner:
http://www.bleepingcomputer.com/download/adwcleaner/
http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
- SuperAntispyware:
http://www.superantispyware.com/
- Microsoft Safety Scanner:
http://www.microsoft.com/security/scanner/en-us/default.aspx
- Windows Defender:
http://windows.microsoft.com/en-us/windows/using-defender
- Spybot Search & Destroy:
http://www.safer-networking.org/en/index.html
- Kaspersky Free Security Scan:
http://www.kaspersky.com/security-scan
You can also do a check for a rootkit infection with TDSSKiller.
- Anti-rootkit utility TDSSKiller:
http://support.kaspersky.com/5350?el=88446
See also:
- "Spyware on Windows": http://kb.mozillazine.org/Popups_not_blocked
falaniz said
The "Extensions" key exists but there is nothing in it...
Default REG_SZ (value not set)
Thanks for checking. In that case, it is most likely the malware is dropping the extension into your profile folder(s) from somewhere on disk or from a fresh download.
jscher2000,
I took your advice and removed user_pref("xpinstall.signatures.required", false) from the prefs.js. So far, after 3 reboots and Firefox starts, I have not seen any of the previous alert popups. user.js did not exist so I didn't have to do anything there.
I am not sure exactly what removing the line from prefs.js does but it may have fixed things. Time will tell!
cor-el
I previously had and tried most of the malware scanning programs you suggested with the exception of SpyBot. The scanning software I used, prior to posting this issue, to identify the problem is called Security Task Manager and it listed Firefox@Helper2 in the security tips and allowed me to remove it, but it always came back.
I did install SpyBot; after running a scan I did not see Firefox@Helper2 in its findings, so I am not sure exactly what actually fixed the problem.
So far things look good but I will have to give it a couple of days to be sure.
Hi falaniz, the change to prefs.js causes Firefox to ignore the extension, but it's probably still lurking on the system. Hopefully as news of this infection spreads around various discussion boards, someone will uncover a foolproof way to clean this up.
It's Back! This really stinks because I have been using Firefox as my preferred browser for years and I am honestly thinking about switching. How difficult can it be for Firefox to find a solution?!?!
Hi falaniz, it's on your system, but is it disabled in Firefox? The prefs.js change we made should keep it disabled.
If you haven't removed it yet, could you do a little investigation here:
(0) Select and copy the following shortcut text:
%APPDATA%\Mozilla\Firefox\Profiles
(1) Open the Scratchpad tool from the Developer menu, either:
- menu button > Developer > Scratchpad
- Tools menu > Web Developer > Scratchpad
(2) Click the Open File button and paste the shortcut in the file name space and press Enter. This should take you to a folder with one or more semi-randomly-named folders, your profile folder(s).
Double-click into the folder or if there are multiple folders, the one that looks most current. Scroll down to extensions.json and open it.
(3) The file loads as a single long line. Click the "Pretty Print" button to lay out the data in a more readable format. Then use Find (Ctrl+f) to search for help2 or helper or other terms associated with that extension. This should take you to a listing of its exact file name and location on disk, as well as other information.
Could you select and copy that information into a reply?
Here's an example for a legit extension:
{ 'id': '[email protected]', 'syncGUID': '7DB34GR-Zdf6', 'location': 'winreg-app-global', 'version': '2.0', 'type': 'extension', 'internalName': null, 'updateURL': null, 'updateKey': null, 'optionsURL': null, 'optionsType': null, 'aboutURL': null, 'icons': { }, 'iconURL': 'chrome://web2pdfextension/skin/C_AdobeLogo_48x48.png', 'icon64URL': 'chrome://web2pdfextension/skin/C_AdobeLogo_64x64.png', 'defaultLocale': { 'name': 'Adobe Acrobat - Create PDF', 'description': 'Converts a web page to PDF', 'creator': 'Adobe Systems Incorporated', 'homepageURL': 'http://www.adobe.com/' }, 'visible': true, 'active': true, 'userDisabled': false, 'appDisabled': false, 'descriptor': 'C:\\Program Files (x86)\\Adobe\\Acrobat 11.0\\Acrobat\\Browser\\WCFirefoxExtn', 'installDate': 1448257077226, 'updateDate': 1453998002148, 'applyBackgroundUpdates': 1, 'bootstrap': false, 'skinnable': false, 'size': 335734, 'sourceURI': null, 'releaseNotesURI': null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': false, 'locales': [ ], 'targetApplications': [ { 'id': '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', 'minVersion': '4.0', 'maxVersion': '46.0' } ], 'targetPlatforms': [ ], 'multiprocessCompatible': false, 'signedState': 2, 'seen': true },
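As an added example (not code from the thread, from Mozilla, or from any of the posters), here is a small Python script that performs the two checks jscher2000 describes above, the signature-override line in prefs.js/user.js and the add-on entries in extensions.json, against constructed sample data modelled on what was pasted in this thread; to use it on a real profile, read the two files (with Firefox closed) instead of the constants.

```python
import json
import re

# Constructed sample prefs.js; the second line is the override the thread says to delete.
SAMPLE_PREFS = """\
user_pref("browser.startup.homepage", "https://www.mozilla.org/");
user_pref("xpinstall.signatures.required", false);
"""

# Constructed extensions.json fragment modelled on the entries pasted in the thread
# (real files use double quotes and many more fields; only the fields checked here are kept).
SAMPLE_EXTENSIONS_JSON = json.dumps({"schemaVersion": 17, "addons": [
    {"id": "firefox@helper2", "location": "app-profile", "active": True, "signedState": 0,
     "defaultLocale": {"name": "Firefox Helper2", "creator": "Gomita"},
     "descriptor": "C:\\Users\\Frank\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\"
                   "iipxbbs7.default-1462029000861\\extensions\\firefox@helper2"},
    {"id": "{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}", "location": "app-global",
     "active": False, "signedState": 2,
     "defaultLocale": {"name": "Skype", "creator": "Microsoft Corporation"},
     "descriptor": "C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\"
                   "{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi"},
    # The default theme: active, but the entry carries no signedState key at all.
    {"id": "{972ce4c6-7e08-4474-a285-3208198ce6fd}", "location": "app-global", "active": True,
     "defaultLocale": {"name": "Default", "creator": "Mozilla"},
     "descriptor": "C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\"
                   "{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi"},
]})

# Matches the pref line that switches off add-on signature enforcement.
SIG_OVERRIDE_RE = re.compile(r'^\s*user_pref\("xpinstall\.signatures\.required",\s*false\);')


def find_signature_override(prefs_text):
    """Return the 1-based line numbers in prefs.js/user.js that disable signature checks."""
    return [n for n, line in enumerate(prefs_text.splitlines(), 1) if SIG_OVERRIDE_RE.match(line)]


def find_unsigned_active_addons(extensions_json_text):
    """List active add-ons whose signedState is 0 (no signature) with where they live on disk."""
    data = json.loads(extensions_json_text)
    hits = []
    for addon in data.get("addons", []):
        # signedState 0 = unsigned, 2 = signed; themes and system add-ons may omit the key.
        if addon.get("active") and addon.get("signedState") == 0:
            hits.append({"id": addon.get("id"),
                         "name": (addon.get("defaultLocale") or {}).get("name"),
                         "location": addon.get("location"),
                         "descriptor": addon.get("descriptor")})
    return hits


def triage(prefs_text, extensions_json_text):
    """Combine both checks: the override plus an unsigned active add-on is the thread's pattern."""
    override_lines = find_signature_override(prefs_text)
    unsigned = find_unsigned_active_addons(extensions_json_text)
    return {"override_lines": override_lines, "unsigned_active": unsigned,
            "matches_thread_pattern": bool(override_lines) and bool(unsigned)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PREFS, SAMPLE_EXTENSIONS_JSON), indent=2))
```

The descriptor reported for each hit is the on-disk location to remove while Firefox is closed; an override line that reappears after deletion points to something outside Firefox rewriting prefs.js, as later replies in this thread discuss.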
The tech support infection alerts are back on my system. I initially removed the line you pointed out and when I checked again, after the alerts resurfaced, I found it was there again.
I went to the shortcut, %APPDATA%\Mozilla\Firefox\Profiles, which opens an Explorer window...
Sorry, what do you mean by "Open the Scratchpad tool from the Developer menu"? Could you be a little more specific? What Developer menu?
Hi falaniz, the Scratchpad is a developer tool inside Firefox.
Did you go through the Windows Task Scheduler to see whether you can stop the re-infection there, and/or discover what program is doing the deed?
Here is what I got after following your instructions...
{
'schemaVersion': 17, 'addons': [ { 'id': 'firefox@helper2', 'syncGUID': 'OQ9-hADl6k8I', 'location': 'app-profile', 'version': '1.0', 'type': 'extension', 'internalName': null, 'updateURL': null, 'updateKey': null, 'optionsURL': null, 'optionsType': null, 'aboutURL': null, 'icons': { }, 'iconURL': null, 'icon64URL': null, 'defaultLocale': { 'name': 'Firefox Helper2', 'description': null, 'creator': 'Gomita', 'homepageURL': null }, 'visible': true, 'active': true, 'userDisabled': false, 'appDisabled': false, 'descriptor': 'C:\\Users\\Frank\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\iipxbbs7.default-1462029000861\\extensions\\firefox@helper2', 'installDate': 1462653511368, 'updateDate': 1462653511368, 'applyBackgroundUpdates': 1, 'bootstrap': false, 'skinnable': false, 'size': 2279, 'sourceURI': null, 'releaseNotesURI': null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': false, 'locales': [ ], 'targetApplications': [ { 'id': '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', 'minVersion': '30.0', 'maxVersion': '100.0' } ], 'targetPlatforms': [ ], 'multiprocessCompatible': true, 'signedState': 0, 'seen': true }, { 'id': '[email protected]', 'syncGUID': 'I09ANy1lcckV', 'location': 'app-system-defaults', 'version': '1.0', 'type': 'extension', 'internalName': null, 'updateURL': null, 'updateKey': null, 'optionsURL': null, 'optionsType': null, 'aboutURL': null, 'icons': { }, 'iconURL': null, 'icon64URL': null, 'defaultLocale': { 'name': 'Multi-process staged rollout', 'description': 'Staged rollout of Firefox multi-process feature.', 'creator': null, 'homepageURL': null }, 'visible': true, 'active': false, 'userDisabled': true, 'appDisabled': false, 'descriptor': 'C:\\Program Files (x86)\\Mozilla Firefox\\browser\\features\\[email protected]', 'installDate': 1462457072015, 'updateDate': 1462457072015, 'applyBackgroundUpdates': 1, 'bootstrap': true, 'skinnable': false, 'size': 4782, 'sourceURI': null, 'releaseNotesURI': 
null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': false, 'locales': [ ], 'targetApplications': [ { 'id': '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', 'minVersion': '46.0.1', 'maxVersion': '46.0.1' } ], 'targetPlatforms': [ ], 'multiprocessCompatible': false, 'seen': true }, { 'id': '[email protected]', 'syncGUID': '4zDuRP3-aoq6', 'location': 'app-system-defaults', 'version': '1.0', 'type': 'extension', 'internalName': null, 'updateURL': null, 'updateKey': null, 'optionsURL': null, 'optionsType': null, 'aboutURL': null, 'icons': { }, 'iconURL': null, 'icon64URL': null, 'defaultLocale': { 'name': 'Pocket', 'description': 'When you find something you want to view later, put it in Pocket.', 'creator': null, 'homepageURL': null }, 'visible': true, 'active': false, 'userDisabled': true, 'appDisabled': false, 'descriptor': 'C:\\Program Files (x86)\\Mozilla Firefox\\browser\\features\\[email protected]', 'installDate': 1462457072009, 'updateDate': 1462457072009, 'applyBackgroundUpdates': 1, 'bootstrap': true, 'skinnable': false, 'size': 893215, 'sourceURI': null, 'releaseNotesURI': null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': false, 'locales': [ ], 'targetApplications': [ { 'id': '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', 'minVersion': '46.0.1', 'maxVersion': '46.0.1' } ], 'targetPlatforms': [ ], 'multiprocessCompatible': false, 'seen': true }, { 'id': '[email protected]', 'syncGUID': 'qzYjAT7oMlR1', 'location': 'app-system-defaults', 'version': '1.2.6', 'type': 'extension', 'internalName': null, 'updateURL': null, 'updateKey': null, 'optionsURL': null, 'optionsType': null, 'aboutURL': null, 'icons': { }, 'iconURL': null, 'icon64URL': null, 'defaultLocale': { 'name': 'Firefox Hello', 'description': 'Web sharing for Firefox', 'creator': 'Mozilla', 'homepageURL': null }, 'visible': true, 'active': false, 'userDisabled': true, 'appDisabled': false, 'descriptor': 
'C:\\Program Files (x86)\\Mozilla Firefox\\browser\\features\\[email protected]', 'installDate': 1461279552000, 'updateDate': 1461279552000, 'applyBackgroundUpdates': 1, 'bootstrap': true, 'skinnable': false, 'size': 4185303, 'sourceURI': null, 'releaseNotesURI': null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': false, 'locales': [ ], 'targetApplications': [ { 'id': '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', 'minVersion': '46.0a1', 'maxVersion': '46.*' }, { 'id': '[email protected]', 'minVersion': '0', 'maxVersion': '10' } ], 'targetPlatforms': [ ], 'multiprocessCompatible': false, 'seen': true }, { 'id': '{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}', 'syncGUID': 'Q0GGgoOPid3k', 'location': 'app-global', 'version': '8.1.0.9134', 'type': 'extension', 'internalName': null, 'updateURL': null, 'updateKey': null, 'optionsURL': 'data:text/xml,<placeholder/>', 'optionsType': '2', 'aboutURL': null, 'icons': { }, 'iconURL': 'data/skypelogo_64.png', 'icon64URL': null, 'defaultLocale': { 'name': 'Skype', 'description': 'Quickly access Skype for Web and Share on Skype through your browser', 'creator': 'Microsoft Corporation', 'homepageURL': null }, 'visible': true, 'active': false, 'userDisabled': true, 'appDisabled': false, 'descriptor': 'C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}.xpi', 'installDate': 1461957780000, 'updateDate': 1461957780000, 'applyBackgroundUpdates': 1, 'bootstrap': true, 'skinnable': false, 'size': 301281, 'sourceURI': null, 'releaseNotesURI': null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': false, 'locales': [ ], 'targetApplications': [ { 'id': '{ec8030f7-c20a-464f-9b0e-13a3a9e97384}', 'minVersion': '38.0a1', 'maxVersion': '43.0' } ], 'targetPlatforms': [ ], 'multiprocessCompatible': false, 'signedState': 2, 'seen': true }, { 'id': '{972ce4c6-7e08-4474-a285-3208198ce6fd}', 'syncGUID': 
'CnoYoi3lBOxC', 'location': 'app-global', 'version': '46.0.1', 'type': 'theme', 'internalName': 'classic/1.0', 'updateURL': null, 'updateKey': null, 'optionsURL': null, 'optionsType': null, 'aboutURL': null, 'icons': { '32': 'icon.png', '48': 'icon.png' }, 'iconURL': null, 'icon64URL': null, 'defaultLocale': { 'name': 'Default', 'description': 'The default theme.', 'creator': 'Mozilla', 'homepageURL': null, 'contributors': [ 'Mozilla Contributors' ] }, 'visible': true, 'active': true, 'userDisabled': false, 'appDisabled': false, 'descriptor': 'C:\\Program Files (x86)\\Mozilla Firefox\\browser\\extensions\\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi', 'installDate': 1462457072020, 'updateDate': 1462457072020, 'applyBackgroundUpdates': 1, 'skinnable': true, 'size': 22012, 'sourceURI': null, 'releaseNotesURI': null, 'softDisabled': false, 'foreignInstall': false, 'hasBinaryComponents': false, 'strictCompatibility': true, 'locales': [ ],
Task Scheduler
falaniz said
Here is what I got after following your instructions...
Thanks, it's the first one. There's a malware dropper installing it directly into your currently active profile. It doesn't reveal the location of the malware on disk, unfortunately.
In your Task Scheduler, click the "Last Run Time" column heading to sort the most recently run tasks to the bottom of the list and then examine whether they seem legit. The "Author" column should be the identification from inside the executable, but it might be possible to fake. The command line may point to an unusual location. Etc. I wish I knew of an easier way.