JDownloader virus
Hello,
Downloading this JDownloader from http://jdownloader.org/download/index gets blocked as virus by IE, Chrome and Windows Defender. However, NOT from Firefox!
If you install the adware bundled with this software, you get a horrible virus that injects fake google results. There is no fix that I can find.
Can you deal with this virus? Can you issue a fix?
Thanks
Can you confirm that you have the "dangerous content block" feature enabled? Firefox uses data shared by Google for that block. This article has the details: How does built-in Phishing and Malware Protection work?
Regarding the unwanted software, here's my suggested procedure for tracking down and cleaning up bad add-ons and other hijackers. I know it seems long, but it's really not that bad.
(1) Open the Windows Control Panel, Uninstall a Program.
After the list loads, click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with some software you agreed to install. Be suspicious of everything you do not recognize/remember, as malware often uses important or innocent sounding names to discourage you from removing it.
Take out as much trash as possible here. If you're not sure, feel free to post program names or a screenshot of the list.
(2) Open Firefox's Add-ons page using either:
- Ctrl+Shift+a (Mac: Command+Shift+a)
- "3-bar" menu button (or Tools menu) > Add-ons
- in the Windows "Run" dialog, type or paste
firefox.exe "about:addons"
In the left column, click Extensions. Then, if in doubt, disable (or Remove, if possible) unrecognized and unwanted extensions. All extensions are optional; the troublemaker might not be obvious from its name.
Any improvement?
(3) You can search for remaining issues with the scanning/cleaning tools listed in this support article: Troubleshoot Firefox issues caused by malware. These on-demand scanners are free and take considerable time to run. If they finish quickly and especially if they require payment, you may have a serious infection. I suggest the specialized forums listed in the article in that case.
Hopefully that will flush anything on your system and in your Firefox that could be a problem.
Yes I have done all the things you list with no result.
I think Mozilla should download and examine this adware. I think it is called BingProvidedSearch. It had an Uninstall entry but the fake google results are still here in Firefox.
It is a very persistent virus and no antivirus tool can fix it. Is there anyone from Mozilla or other security company who can investigate and help?
The URL you gave comes out clean: https://www.virustotal.com/#/url/4b235a182710cd319c48b6390301670648c878bd73675cc6ecda8ed0c7a097a1/detection
Please use more than 1 scanner, as each uses different tech:
Save your report and Google each item before deleting anything, as you do not want to delete something you need. If you need help:
Post in only 1 forum, then wait.
Please let us know if this solved your issue or if you need further assistance.
struct said
I think Mozilla should download and examine this adware. I think it is called BingProvidedSearch. It had an Uninstall entry but the fake google results are still here in Firefox.
Strange that a program called BingProvidedSearch would modify Google results.
New Profile Test
This takes about 3 minutes, plus the time to run test searches.
Inside Firefox, type or paste about:profiles in the address bar and press Enter/Return to load it.
Click the Create a New Profile button, then click Next. Assign a name like May2018, ignore the option to relocate the profile folder, and click the Finish button.
After creating the profile, scroll down to it and click the Set as default profile button below that profile, then scroll back up and click the Restart normally button. (There are some other buttons, but please ignore them.)
Firefox should exit and then start up using the new profile, which will just look brand new. If Firefox asks about enabling extensions that it found on your system, DO NOT DO IT. Keep Firefox clean.
Do searches work any better in the new profile?
When you are done with the experiment, open the about:profiles page again, click the Set as default profile button for your normal profile, then click the Restart normally button to get back to it.
Clean Reinstall
This takes about 5 minutes. It's not about your settings -- that was the previous test -- it's about making sure the program files are clean (no inconsistent or alien code files). As described below, this process does not disturb your existing settings. It's not essential to uninstall Firefox, but you can if you like, saying No to any request about removing personal data.
It only takes a few minutes.
(A) Download a fresh installer for Firefox to a convenient location:
https://www.mozilla.org/firefox/all/
(B) Exit out of Firefox (if applicable).
If you use Microsoft Office, please change your default browser to Internet Explorer temporarily before the next step.
(C) Using Windows Explorer/My Computer (hold down the Windows key and press E to launch it), right-click > rename the program folder as follows (you might have one or both):
C:\Program Files (x86)\Mozilla Firefox =to=> C:\Program Files (x86)\OldFirefox
C:\Program Files\Mozilla Firefox =to=> C:\Program Files\OldFirefox
(D) Run the installer you downloaded in step (A). It should automatically connect to your existing settings.
Any improvement?
It is a very persistent virus and no antivirus tool can fix it. Is there anyone from Mozilla or other security company who can investigate and help?
If the free cleaning tools do not solve it, you should try the security forums listed in the support article.
jscher2000 said
struct said
I think Mozilla should download and examine this adware. I think it is called BingProvidedSearch. It had an Uninstall entry but the fake google results are still here in Firefox.
Strange that a program called BingProvidedSearch would modify Google results.
New Profile Test
Thanks, this new profile test works. But what's next? 1) How can I identify the source of the problem? 2) How can I continue with my old settings, info, data etc? Do I need to switch to my old profile? Do I need to continue with the new one? How do I transfer all my settings, logins, cookies, etc?
Thanks
If the problem is in your profile, it could be an add-on. Could you use the about:profiles page to set your normal profile and then:
Try starting Firefox in "Safe Mode." In its Safe Mode, Firefox temporarily deactivates extensions, hardware acceleration, and some other advanced features to help you assess whether these are causing the problem.
If Firefox is not running: Hold down the Shift key when starting Firefox. (On Mac, hold down the option/alt key instead of the Shift key.)
If Firefox is running: You can restart Firefox in Safe Mode using either:
- "3-bar" menu button > "?" Help button > Restart with Add-ons Disabled
- (menu bar) Help menu > Restart with Add-ons Disabled
and OK the restart.
Both scenarios: A small dialog should appear. Click "Start in Safe Mode" (not Refresh).
Any improvement?
jscher2000 said
If the problem is in your profile, it could be an add-on. Could you use the about:profiles page to set your normal profile and then: Try starting Firefox in "Safe Mode." In its Safe Mode, Firefox temporarily deactivates extensions, hardware acceleration, and some other advanced features to help you assess whether these are causing the problem. Any improvement?
Restarting with my old profile and with addons disabled fixes the problem. But I don't know which addon causes the problem; I never had a problem with any of these (see attached image).
I have the suspicion that the virus installed a Greasemonkey script, how can I check that out? Or maybe there is one of those advanced Firefox settings that got infected?
EDIT: it's not Greasemonkey, there isn't any script installed
Chosen Solution
I realize this is going to take a good amount of time, but it's either you or me. ;-)
Please check their respective pages on the Add-ons site to see whether there are any reviews reporting foul play for any of them.
Also, a classic method is to disable 50%, test, if that didn't work, re-enable those, disable the other 50%, test, and so on, until by the process of elimination you discover which one is the problem.
Note: One other thing that is disabled by Firefox's Safe Mode are customizations made via a userChrome.css and userContent.css file. If those don't sound familiar, you probably don't have them. (While style rules can't easily insert dynamic ads into Google results, it's conceivable they could insert images or static text.)
jscher2000 said
I realize this is going to take a good amount of time, but it's either you or me. ;-) Please check their respective pages on the Add-ons site to see whether there are any reviews reporting foul play for any of them. Also, a classic method is to disable 50%, test, if that didn't work, re-enable those, disable the other 50%, test, and so on, until by the process of elimination you discover which one is the problem. Note: One other thing that is disabled by Firefox's Safe Mode are customizations made via a userChrome.css and userContent.css file. If those don't sound familiar, you probably don't have them. (While style rules can't easily insert dynamic ads into Google results, it's conceivable they could insert images or static text.)
I am fairly confident that the addons are okay, I never had a problem with them. Unless the JDownloader virus uninstalled one and installed a foul copy.
The css case also seems very reasonable. How do I check these?
I will run the 50%-50% method and will report back, but to be honest, the addons are quite tested, I didn't install anything new recently.
Eventually found it!
It was this: https://discourse.mozilla.org/t/copy-all-links-2-2-5-extension-is-injected-with-malware/28038
Thanks!
The Copy All Links extension has been removed. https://addons.mozilla.org/firefox/addon/copy-all-links/
Great work!
Unfortunately, this seems to creep into extensions from time to time, where they are good for years and then there's a mysterious update that ruins them. I don't know if developers are losing control of their accounts or what.
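An added example, not part of the original thread and not Mozilla's code: a way to shorten the disable-half-and-test search by listing the user-installed extensions that were installed or updated most recently, which is where a long-trusted add-on with a bad update shows up. It assumes the profile's extensions.json holds an addons array with id, version, type, location, installDate and updateDate (milliseconds since epoch) fields; the sample data and the function name recently_changed are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a profile's extensions.json (assumed layout, not real data).
SAMPLE = json.dumps({"addons": [
    {"id": "old-trusted@example.invalid", "version": "4.7.0", "type": "extension",
     "location": "app-profile", "installDate": 1420070400000,
     "updateDate": 1525132800000, "defaultLocale": {"name": "Old Trusted Tool"}},
    {"id": "quiet@example.invalid", "version": "1.0", "type": "extension",
     "location": "app-profile", "installDate": 1464739200000,
     "updateDate": 1483228800000, "defaultLocale": {"name": "Quiet Helper"}},
    {"id": "bundled@example.invalid", "version": "0.1", "type": "extension",
     "location": "app-profile", "installDate": 1525910400000,
     "updateDate": 1525910400000, "defaultLocale": {"name": "Search Helper"}},
    {"id": "builtin@example.invalid", "version": "3.0", "type": "extension",
     "location": "app-system-defaults", "installDate": 1525132800000,
     "updateDate": 1525132800000, "defaultLocale": {"name": "Built-in Feature"}},
]})

def _ts(ms):
    """Convert a milliseconds-since-epoch field to an aware UTC datetime."""
    return None if ms is None else datetime.fromtimestamp(ms / 1000, tz=timezone.utc)

def recently_changed(extensions_json, now, window_days=30):
    """User-installed extensions installed or updated within window_days of
    `now`, newest change first. These are the first candidates to disable."""
    cutoff = now - timedelta(days=window_days)
    hits = []
    for addon in json.loads(extensions_json).get("addons", []):
        # Skip themes, dictionaries and add-ons that ship with Firefox itself.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        installed, updated = _ts(addon.get("installDate")), _ts(addon.get("updateDate"))
        if updated is None or updated < cutoff:
            continue
        hits.append({
            "id": addon["id"],
            "name": (addon.get("defaultLocale") or {}).get("name", "?"),
            "version": addon.get("version"),
            "updated": updated.date().isoformat(),
            # A long-installed add-on with a fresh update is the "good for years,
            # then one bad update" case; 0 days means a brand-new install.
            "days_installed_before_update": (updated - installed).days if installed else None,
        })
    return sorted(hits, key=lambda h: h["updated"], reverse=True)

if __name__ == "__main__":
    for hit in recently_changed(SAMPLE, datetime(2018, 5, 15, tzinfo=timezone.utc)):
        print(hit)
```

To run it on a real profile, pass the text of the extensions.json file from the profile folder listed on about:profiles instead of SAMPLE, and disable the reported extensions first when testing.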