Updating Firefox from Menu > Help > About yields ransomware
I received a Firefox notice that an upgrade was available, so I clicked "not now" and triggered the update by Menu > Help > About. Firefox apparently downloaded its update, then asked me to restart Firefox. I did so and got a "ransomware" notice from my antivirus program, saying it fixed the problem (but not how). Trying to run Firefox repeats the notice. Does Firefox now have malware in it?
A Web search turns up nothing. I am posting this question from Google Chrome.
Windows 10 Home Malwarebytes premium (latest)
Valittu ratkaisu
Thank you all for your help!
I think the problem is definitely resolved as a false positive in Malwarebytes. Pretty scary, as I once received a real ransomware attack in the days before antivirus programs could detect them, which I was able to fix myself just by starting Windows in Safe Mode and deleting some suspicious files.
Anyhow, here is what I just did:
I took a leap of faith and turned off ransomware detection. Then I created a new shortcut to firefox.exe (the old one was showing a default Windows icon) and clicked it. Firefox started up. I closed Firefox, then turned on ransomware detection. I clicked the new link and got to Firefox okay. I closed Firefox and tried again and it was fine.
Now you can tell others how to fix this problem. I tried to login to the Malwarebytes forum to post there, but they did not recognize my login credentials.
Thanks again.
Lue tämä vastaus kontekstissaan 👍 0Kaikki vastaukset (12)
hello
David Spector,
i understand your problem follow the given instruction and step:
Clear all cookies, site data and cache
- Click the ≡ menu button top right and select Options.
- Select the Privacy & Security panel and go to the Cookies and Site Data section.
- Click the Clear Data… button. The Clear Data dialog will appear.
- Click Clear.
Would you give this a try :
- Type about: config in the address bar (press Enter) (promise to be careful, if asked)
- Type app.update.silent in the search bar and look for the preference.
- Click + icon and change the value
- and set its value to true
IMPORTANT: Restart browser and computer both be must.
i hope resolved your problem then reply back to me and mark solution ,
Thank you and regards,
Arman
Then close and restart Firefox in order for the change to take effect.
That is probably a false positive from your security software.
You can contact them for support.
You can possibly download and install the full Firefox version of the current release (78.0.1).
Muokattu
Arman, I can't see how your advice could possibly remove ransomware from the Firefox download site. Please explain what your instructions are intended to do in detail.
cor-el, I don't think I can trust "probably". What if the Firefox distribution site is infected with ransomware? If I exclude Firefox or Mozilla from my antivirus program, what happens if my computer gets infected? Will you pay me compensation? Of course not. This problem needs to be investigated.
Please update your own Firefox browsers to the latest version and let me know if you find a problem.
David
We regularly see reports like yours where security software flags a Firefox update or the small Firefox stub installer as suspect and this is always false alarm.
The updater uses a hash in the update.xml file to check the validity of the downloaded file and wouldn't install it if it doesn't match.
You can download the full installer and verify this file yourself via the SHA512SUMS file.
Hi David, did Malwarebytes mention the specific file name it was detecting?
You're probably familiar with the progress bar that displays when Firefox is applying an update at startup. Did the alert appear during that process of unpacking and replacing files, or after that bar went away and Firefox was starting?
(I didn't get any alerts when I installed the update, but I don't run Malwarebytes.)
There are some posts on the Malwarebytes forum. In this ongoing thread, the ones for 78.0.1 start here:
One factor that seems to be of possible relevance is whether a user moved their profile folder to a different drive. However, I don't know why that would be a factor in the detection.
cor-el, I will download and check the checksum, thanks.
jscher2000, Here are the specific malware reports (which are not very specific):
-Ransomware Details- File: 3 Malware.Ransom.Agent.Generic, C:\Users\david\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Firefox.lnk, Blocked, 0, 392685, 0.0.0 Malware.Ransom.Agent.Generic, C:\PROGRA~1\MOZILL~1\firefox.exe, Blocked, 0, 392685, 0.0.0 Malware.Ransom.Agent.Generic, C:\Program Files\Mozilla Firefox\firefox.exe, Blocked, 0, 392685, 0.0.0
The notification happens after I click the button to restart Firefox, so it is after the update.
Thanks for trying out the update yourself.
I haven't gotten a malware notification for Firefox ever before (which doesn't mean that the problem has to be in Firefox).
cor-el, I downloaded but I can't find the correct checksum. There are so many checksum files! The SHA-256 value was DBA8A6BA7EBC915566EFC0BF13BA89FD74707B15D1E854123C1D1EDCA6CF1E0C .
jscher2000, I looked at some of the Malwarebytes postings you referenced, and it is the exact same problem, although not the same cause (my profile is in another folder on the same drive). It certainly looks like a Malwarebytes problem at this point, even though I cannot verify the checksum.
Note: this forum is unnecessarily slow due to unnecessary delays in posting posts from experienced users.
David Spector said
Note: this forum is unnecessarily slow due to unnecessary delays in posting posts from experienced users.
Due to a spate of scam spam, there are link and phone number filters on new posts. These are still evolving.
Valittu ratkaisu
Thank you all for your help!
I think the problem is definitely resolved as a false positive in Malwarebytes. Pretty scary, as I once received a real ransomware attack in the days before antivirus programs could detect them, which I was able to fix myself just by starting Windows in Safe Mode and deleting some suspicious files.
Anyhow, here is what I just did:
I took a leap of faith and turned off ransomware detection. Then I created a new shortcut to firefox.exe (the old one was showing a default Windows icon) and clicked it. Firefox started up. I closed Firefox, then turned on ransomware detection. I clicked the new link and got to Firefox okay. I closed Firefox and tried again and it was fine.
Now you can tell others how to fix this problem. I tried to login to the Malwarebytes forum to post there, but they did not recognize my login credentials.
Thanks again.
Interesting (NANP_REGEX):
- /[0-9]{3}-?[a-zA-Z2-9][a-zA-Z0-9]{2}-?[a-zA-Z0-9]{4}/.test("DBA8A6BA7EBC915566EFC0BF13BA89FD74707B15D1E854123C1D1EDCA6CF1E0C") => true