various security tools not detecting browser profile path


15 replies to this topic

#1 Grandus

Grandus

  • Members
  • 21 posts

Posted 12 May 2014 - 11:47 AM

Hello,

since the latest update of Cyberfox, a 64-bit fork of Firefox which used to use the exact same profile (path), my Cyberfox profile isn't detected anymore by those security programs.

This affects all programs which have a feature to check browsers for malware related changes. So far these are:

- FRST (Farbar Recovery Scan Tool)
- AdwCleaner (I've already contacted them at their official forums, though another requesting party might not be bad)
- Junkware Removal Tool (JRT)
- RogueKiller (whereas this could be low priority since it's only listing the extensions)
and probably more which don't come to mind.

Can someone please contact the creators of those tools (especially Farbar) to make a feature request that they add Cyberfox (and possibly other forks) in their programs? It's just another location, so instead of %appdata%\Mozilla\Firefox\Profiles the location to the new Cyberfox profile is %appdata%\8pecxstudios\Cyberfox\Profiles
extensions and everything else is basically the same as Mozilla Firefox (the %localappdata% path is also with "8pecxstudios\Cyberfox" instead of "Mozilla\Firefox").

Aside from that, I've got a question:
are multiple profiles from a supported browser (e.g.: Mozilla Firefox, Google Chrome) detected by those tools, the default one (which you've set) or the one which comes first (in an alphabetical order)?

regards
Grandus
 


Edited by Grandus, 12 May 2014 - 11:52 AM.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts

Posted 12 May 2014 - 03:15 PM


I have sent a note to Farbar, developer of FRST.

You can ask the developer (Xplode) a question, report an issue or suggestion at his home site: AdwCleaner Feedback <- there is a drop down menu at the top right to "Select language" (English)

You can ask the developer (thisisu) a question, report an issue or suggestion in this topic which he monitors for issues with JRT. And you can always ask a question (leave a comment/suggestion) on thisisu's JRT Blog.

You can ask the developer (Tigzy) a question, report an issue or suggestion at his home site: RogueKiller Feedback
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Grandus


Posted 13 May 2014 - 12:05 AM

Thank you for your help, I guess for me FRST and adwcleaner are the most important tools to check.
I either don't use the others that much or don't look that much at the corresponding extensions section since I'm already doing it while running FRST.

edit: also contacted Thisisu on the forums. So all that's left is to wait and see for either the developers to reply or for the programs to update.


Edited by Grandus, 13 May 2014 - 12:10 AM.


#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts

Posted 13 May 2014 - 12:39 AM

Hello Grandus,

 

The truth is that including listing all brands of the internet browsers will take a lot of time. Please note that for a tool like FRST not only the scan should be included but also the fixing of each listed entry. x64 systems might even give more entries. Listing Opera (which is similar to Chrome) has been on my list for a pretty long time, but I haven't managed to do it yet. So when I have some free time, I'll install Cyberfox to see how much work it requires.

 

Aside from that, I've got a question:
are multiple profiles from a supported browser (e.g.: Mozilla Firefox, Google Chrome) detected by those tools, the default one (which you've set) or the one which comes first (in an alphabetical order)?

 

When multiple profiles are present, the system loads the default one. So FRST scans the default one too.



#5 quietman7


Posted 13 May 2014 - 05:10 AM

Thank you for your help.

You're welcome.

#6 Grandus


Posted 13 May 2014 - 06:50 AM

Hello Farbar,

thank you for your answer. I can say so far, that listing and fixing (removing minor addons and/or searchplugins for a test) changes to Cyberfox before 28.0.1, when the profile path was still %appdata%\Mozilla\Firefox\Profiles, used to work just fine. So the only real change would be to add %appdata%\8pecxstudios\Cyberfox\Profiles and possibly the corresponding %localappdata% path (%localappdata%\8pecxstudios\Cyberfox\Profiles) in case this is also important.

One question still remains:

 

When multiple profiles are present, the system loads the default one. So FRST scans the default one too.

What if the default profile is used for, let's say the original Mozilla Firefox 32 bit and a secondary profile would be created on the same directory (in this example: %appdata%\Mozilla\Firefox) for a secondary, Firefox based browser (it could be even the beta, Aurora or Nightly version from Mozilla):
Would FRST be able to detect both of them or only one of them?

edit: If both profiles are not detected at the same time, how are you supposed to check for modifications in the corresponding browsers?




 


Edited by Grandus, 13 May 2014 - 07:25 AM.


#7 Farbar


Posted 14 May 2014 - 04:29 PM

FRST currently scans the default profile. In case there are multiple profiles in Firefox and you suspect malware on other profiles, you can install the Firefox add-on ProfileSwitcher. Not only will loading other profiles be easier, but you can also use its profile manager to set another profile as the default profile and then run FRST.

 

This is a general recommendation: in case adware got to the system, it is strongly recommended to deal with it like a usual program and uninstall it from Programs and Features in the Control Panel. FRST (Addition.txt) flags many of them under the list of installed programs. In many cases, using the uninstaller of the adware not only removes the adware effectively, but also restores any changed configuration. Only after uninstalling the adware you can run the malware/adware removing programs or fix any remaining entry with FRST.



#8 Grandus


Posted 15 May 2014 - 02:40 AM

Yes, uninstalling adware and other potentially unwanted applications should be certainly the first step for removing them. But if that's the case, I'd rather reset my profile than use FRST to fix any adware related entry it can find in case there would be still some entries in my profile.

 

Does that ProfileSwitcher also switch between profiles on the %appdata%\Mozilla\profiles path for two different, Firefox based browsers?
Also, wouldn't there be a conflict if I were to use both profiles at the same time (opening both different browsers simultaneously)?
Besides, even if an extension isn't installed, as long as the folder in the profile path exists, FRST will recognize that extension, so the detection isn't even perfect for a single, Firefox based browser on the default profile path, anyway.

From this guide under fixing, there's a limit on what you can fix with FRST on Chrome. Yet it does at least show all important information.

So my main question now is: Why is there a problem in adding only the information gathering feature of FRST for as many browsers as possible instead of waiting for a testing phase until at least some basic fixing works?

In case I would get severely infected, I'd rather follow this guide instead of trusting that another one could fix all malware related entries, so not having a fixing feature is by far not as important as not having an information gathering feature in my opinion.

Slightly offtopic, but it seems that winlogon.exe has been modified since the last Windows update, so the file check is slightly out of date.

edit: Back to topic: In case you're worried about amateurs trying to fix stuff and it would break, simply put in a disclaimer in the FRST.txt that fixing should be only done under instructions of a malware removal expert and/or that fixing might be potentially dangerous and that you are not responsible for data loss or any other harm resulted by using the fixing feature.
Actual malware removers should first test a feature on their own testing machines before giving a fix for a new added browser recognition on a different computer.
 


Edited by Grandus, 15 May 2014 - 03:13 AM.


#9 quietman7


Posted 15 May 2014 - 01:47 PM

Farbar has taken the time to answer questions, explain what FRST does and what it doesn't do in regards to profiles....and the time restriction. As he noted previously, listing all brands of the Internet Browsers (for scanning and fixing) would be very time consuming.

Please be aware that Staff and Security Experts are all volunteers who assist members as time permits. No one is paid for their work or assistance to members of our community. We have jobs in the real world, families and other commitments which take priority over anything we do here.

We are grateful for whatever free work our volunteer Security Developers can dedicate to creating and updating specialized fix tools that help so many of our members with malware related problems. And while our volunteer Security Developers welcome feedback and suggestions, we cannot realistically expect them to address every question, make changes or incorporate fixes for every scenario users may encounter. Usually when enough users encounter and have reported a reoccurring issue, our developers do make every attempt to find solutions but that too can take time.

Thanks for understanding.
The BC Staff

#10 Grandus


Posted 15 May 2014 - 02:58 PM

explain what FRST does and what it doesn't do in regards to profiles....and the time restriction.

From what I could get out of Farbar's answer in posting #7, it only detects one profile of each Internet Explorer, Google Chrome or Mozilla Firefox based browser.
However, if you were to use different profiles for one browser group (in this example: two Mozilla Firefox based browsers, even if they were Aurora/Nightly/Beta on the one side and the original Firefox on the other) it would not detect the other profile, because it's either not set as default or in my case only changed location to %appdata%\8pecxstudios\Cyberfox\Profiles instead of the default %appdata%\Mozilla\Firefox\Profiles path, even though listing and fixing worked so far flawlessly.

What do you mean by "in regards to [...] the time restriction"?
 

As he noted previously, listing all brands of the Internet Browsers (for scanning and fixing) would be very time consuming.

I know, but he could start with adding the %appdata%\8pecxstudios\Cyberfox\Profiles path since it's basically the same as every Firefox profile before Australis.
That shouldn't be much work to do since all that is required is adding an additional path for a Firefox based browser.
 

Please be aware that Staff and Security Experts are all volunteers who assist members as time permits.

I don't need to have an answer as soon as possible, since I also don't have time to hang out here that much, but when they take the time, I'd like for them to clearly answer my questions and put some ironclad arguments against my points.

 

Usually when enough users encounter and have reported a reoccurring issue, our developers do make every attempt to find solutions but that too can take time.

Implying that quantity is more important than quality in terms of feature requests. In the first place, there aren't many normal users who use such specialized tools for diagnostic purposes, so one with an unsupported browser or profile path should stay forever without a proper and simple checking feature unless he or she is technically capable enough to make a tool for him- or herself or switches back to a supported browser or profile path?

Edited by Grandus, 15 May 2014 - 03:07 PM.


#11 quietman7


Posted 15 May 2014 - 03:35 PM

What do you mean by "in regards to [...] the time restriction"?

The truth is that including listing all brands of the internet browsers will take a lot of time. So when I have some free time, I'll install Cyberfox to see how much work it requires.


...he could start with adding the %appdata%\8pecxstudios\Cyberfox\Profiles path since it's basically the same as every Firefox profile before Australis. That shouldn't be much work to do since all that is required is adding an additional path for a Firefox based browser.

Farbar said when he has free time, he will install Cyberfox and check it out.
 

I don't need to have an answer as soon as possible...but when they take the time, I'd like for them to clearly answer my questions and put some ironclad arguments against my points.

It doesn't appear to me he was arguing against any of your points.
 

Implying that quantity is more important than quality in terms of feature requests.

I wasn't implying that quantity is more important. Just that developers are prompted to act a bit quicker looking for solutions to problems that affect many users.

#12 Grandus


Posted 15 May 2014 - 04:13 PM

Hello,
 

It doesn't appear to me he was arguing against any of your points.

I might have phrased it a bit ambiguously: I only meant some deeper arguments that do not give the kind of impression like "I'm doing it for free, if you don't like it, don't criticize it and/or don't use it", if he or another one wants to continue with the discussion, whether waiting for fixing features should really take more priority than waiting for only the recognizing feature, even though Chrome is on the list and you can't fully fix those entries with FRST. So far I didn't get that impression from Farbar, but I hope it won't turn out like that, because then I'd rather not have any further answer and just accept it as it is.
 

Just that developers are prompted to act a bit quicker looking for solutions to problems that affect many users.

Yeah, since Google Chrome has a lot more users than Opera and forked browsers, this is a valid point.

Well, let's just leave it at that. I would be delighted if he or a developer from another tool would take his time for answering (further) and/or for implementing the features.

Anything else, I'll see for myself when it gets updated and in case it gets implemented, I'll be sure to write my words of appreciation and thanks here.


best regards

Grandus

Edited by Grandus, 15 May 2014 - 04:17 PM.


#13 quietman7


Posted 15 May 2014 - 04:25 PM

And best regards to you as well.

#14 Grandus


Posted 26 November 2014 - 04:03 PM

Hello once again,

I've tested it with moving the Cyberfox profile folder to the usual path (by using it as a Mozilla Firefox profile) and editing the profiles.ini with the new name of random letters and numbers (or alternatively: copying every subfolder and replacing them in the original Firefox profile folder).

Result: every security program mentioned worked flawlessly in the detection. It's just a matter of how the program interprets the profile path. Even successfully detected and removed a useless trash folder with an old version of an extension using FRST.

Is there really no chance to add alternative forks? At the very least, I've heard from AdwCleaner that they've started to add some of the forked browsers just recently: http://forum.general-changelog-team.fr/viewtopic.php?f=53&t=909#p6940

So after almost half a year, I would like to ask what the current progress/plans concerning the support for alternative browsers is/are for the other tools mentioned in the OP or in general.

Regards,

Grandus
 


Edited by Grandus, 26 November 2014 - 04:09 PM.
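
The profile lookup this thread keeps returning to, as an added example that is not part of any post and is not code from FRST, AdwCleaner, JRT or RogueKiller: it reads profiles.ini under each vendor root named in the thread and reports every profile, default or not. It assumes the fork keeps a Firefox-style profiles.ini ([ProfileN] sections with Name, IsRelative, Path, Default) in its own vendor folder; the function names are hypothetical.

```python
import configparser
import os
from pathlib import Path

# Vendor roots under %APPDATA%, taken from the two paths quoted in the thread.
FIREFOX_FAMILY_ROOTS = {
    "Mozilla Firefox": Path("Mozilla") / "Firefox",
    "Cyberfox": Path("8pecxstudios") / "Cyberfox",
}


def read_profiles(vendor_root):
    """Return every profile listed in vendor_root/profiles.ini, not only the default."""
    ini = Path(vendor_root) / "profiles.ini"
    if not ini.is_file():
        return []
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (Name, Path, IsRelative, Default)
    parser.read(ini, encoding="utf-8")
    profiles = []
    for section in parser.sections():
        if not section.startswith("Profile"):
            continue  # skip [General] and any other non-profile section
        entry = parser[section]
        raw = entry.get("Path", "")
        if not raw:
            continue
        # Relative paths in profiles.ini use forward slashes, even on Windows.
        if entry.get("IsRelative", "1") == "1":
            path = Path(vendor_root).joinpath(*raw.split("/"))
        else:
            path = Path(raw)
        # Names present on disk only: a leftover folder is listed even when the
        # extension is no longer installed in the browser.
        ext_dir = path / "extensions"
        extensions = sorted(p.name for p in ext_dir.iterdir()) if ext_dir.is_dir() else []
        profiles.append({
            "name": entry.get("Name", ""),
            "path": path,
            "default": entry.get("Default", "0") == "1",
            "exists": path.is_dir(),
            "extensions": extensions,
        })
    return profiles


def scan_firefox_family(appdata):
    """Map each browser to all of its profiles found under the given %APPDATA%."""
    return {browser: read_profiles(Path(appdata) / rel)
            for browser, rel in FIREFOX_FAMILY_ROOTS.items()}


if __name__ == "__main__":
    for browser, found in scan_firefox_family(os.environ.get("APPDATA", ".")).items():
        for p in found:
            flag = "default" if p["default"] else "non-default"
            print(f"{browser}: {p['name']} ({flag}) {p['path']} extensions={p['extensions']}")
```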


#15 Grandus


Posted 05 December 2014 - 12:12 PM

Adwcleaner now detects Cyberfox Profiles: 
 

[Firefox] - Cyberfox added to handled browsers



https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Edited by Grandus, 05 December 2014 - 12:13 PM.




