
Bogus Firefox Security Warning - Scanning computer


36 replies to this topic

#1 ajg617

ajg617

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 04 December 2015 - 05:47 PM

Windows 8.1 Toshiba Satellite.  Running Firefox v.42.0.  About a week ago, I started getting this pop-up randomly (not the same websites) about once a day now.  I get a pop-up indicating that Firefox has detected that I need a patch and is scanning my computer.  I closed the browser each time as soon as the scanning started.

 

The first time it happened, I ran MalwareBytes and it came up with PUP.Optional.InstallCore which it cleaned.  Ran Webroot scan and nothing came up.  Pop-ups have been coming back every night now with MalwareBytes and Webroot showing no evidence of anything else.  Interestingly, the behavior is such that I get the webpage I want, but Firefox is then taken over by something which replaces the page without opening up another tab.  I'm guessing I have something I don't want hidden away.

 

Apparently not alone as this Mozilla support page would suggest - https://support.mozilla.org/en-US/questions/1092584

 

Thanks in advance,

AJG




 


#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:10:36 PM

Posted 04 December 2015 - 05:57 PM

Hello,

 

Please download Rkill to your Desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shut down your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Windows Vista, 7, 8 or 10, right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from Safe Mode.

When the scan is done, Notepad will open with the rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

---------

 

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • In EULA window click I agree.
  • In Options uncheck Reset Winsock settings.
  • Click on Scan button.
  • When the scan has finished click on Cleaning button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[C1].txt as well.

-----------

 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10, instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

---------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know how to solve all PC problems.  :smash:

 


#3 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 04 December 2015 - 06:10 PM

Will do.  Just found out another little gotcha.  Even though my download choice in Firefox is to select the location, I am not getting that option.  Going to try IE.

 

Results of Rkill below.

 

Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/04/2015 06:14:23 PM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 


Edited by ajg617, 04 December 2015 - 06:16 PM.


#4 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 05 December 2015 - 09:33 AM

RKill result below.  Just realized the above wasn't complete.

 

Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/05/2015 09:25:41 AM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/05/2015 09:30:56 AM
Execution time: 0 hours(s), 5 minute(s), and 15 seconds(s)
 



#5 Abzyx

Abzyx

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 06 December 2015 - 12:29 PM

Do not uninstall AdwCleaner until after you have posted logfile contents, or you may lose the logfile like I did. Looks like RKill didn't find anything. I saw the same false Firefox Security Warning two days ago. AdwCleaner did find a few things on my PC, but obviously did not solve the problem because I just saw an Internet Explorer version of the same warning! I will move on to JRT and would be very interested to see how your thread turns out. Here's a Mozillazine link: http://forums.mozillazine.org/viewtopic.php?f=38&t=2972159&sid=f2fa805bac2fab93d08c4f0a5834ebe5



#6 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:10:36 PM

Posted 06 December 2015 - 01:02 PM

@ajg617

 

Run other tools. 



 


#7 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 06 December 2015 - 01:11 PM

AdwCleaner results below.  Running JRT now.

 

# AdwCleaner v5.023 - Logfile created 06/12/2015 at 12:56:33
# Updated 30/11/2015 by Xplode
# Database : 2015-12-03.1 [Server]
# Operating system : Windows 8.1  (x64)
# Username : john.m - MERLINSATELLITE
# Running from : C:\Users\john.m\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{C9C42510-9B41-42C1-9DCD-7282A2D07C61}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1481 bytes] ##########
 


Edited by ajg617, 06 December 2015 - 01:18 PM.


#8 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 06 December 2015 - 01:17 PM

Results from JRT

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 8.1 x64
Ran by john.m (Administrator) on Sun 12/06/2015 at 13:13:07.34
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\ProgramData\esellerate (Folder)



Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C0ABE3A3-ED70-4929-BC6E-A4D48AA065C0} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/06/2015 at 13:14:31.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 



#9 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:10:36 PM

Posted 06 December 2015 - 01:22 PM

Do you still have problems?



 


#10 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 06 December 2015 - 03:24 PM

Will check over the next couple of days.  Pop-up was averaging once a day the last three days but once every couple of days since 29 November.



#11 Abzyx

Abzyx

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 06 December 2015 - 08:34 PM

It's discouraging that there was no ProgramData\esellerate folder on my PC. One thing I have in common with ajg617: JRT removed an Internet Explorer\SearchScopes key:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows Vista ™ Home Premium x86
Ran by Abzyx (Administrator) on Sun 12/06/2015 at 17:43:40.19
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

File System: 0

Registry: 4

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{8547E6C7-B8DF-4BAF-8C97-13833FC475CF} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Main\\Start Page (Registry Value)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 12/06/2015 at 17:44:55.18
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

I have scanned repeatedly with Malwarebytes and MSE (which is better than its reputation), and even Kaspersky Rescue Disk 10. No threats detected. The only new freeware I have installed in recent months is Firefox and VLC media player. @ajg617: Is Yahoo your default search engine in Firefox, and is "Provide search suggestions" checked? (Just a hunch.) Thus far I have only found one other report of the IE version of the fake security warning: http://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/ie-security-network-warning/68b07a90-08b2-4ca5-ad44-33488daba5bb?auth=1



#12 Abzyx

Abzyx

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 08 December 2015 - 11:29 PM

I was redirected to fake Firefox Security Warning again. URL and file size of "FirefoxPatch.exe" were different this time. Ran JRT again in case of reinfection, but it found nothing. (Any special instructions for uninstalling JRT, or can it simply be deleted? Doesn't seem to have created any folders.) One person who unfortunately ran a fake Firefox patch reports Cryptolocker infection: https://support.mozilla.org/en-US/questions/1092693#answer-814979 I uploaded today's 288 KB version of FirefoxPatch.exe to virustotal, detection ratio 9/53.



#13 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 11 December 2015 - 08:29 PM

Well, got the pop-up/scan today as well after running all three tools.  Worked well for a couple of days, then hit again tonight. Going to run all three tools again to see if anything is picked up. 



#14 Abzyx

Abzyx

  • Members
  • 79 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 11 December 2015 - 10:04 PM

ajg617 said: "Well, got the pop-up/scan today as well after running all three tools.  Worked well for a couple of days, then hit again tonight. Going to run all three tools again to see if anything is picked up."

I am not surprised. Since my last post I have run Bitdefender Rescue CD and SuperAntiSpyware. I update and run Malwarebytes and MSE at least twice a day. No threats detected by anything, and yet I was redirected to the fake Firefox Security Warning again this morning. This bug is hard to beat. I have an image made several months ago that I could restore, but I hate to admit defeat. [Edit] I'm going to use IE exclusively for a while to see if JRT might have solved the issue on that front.


Edited by Abzyx, 12 December 2015 - 12:23 AM.


#15 ajg617

ajg617
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  •  
  • Local time:03:36 PM

Posted 12 December 2015 - 09:37 AM

So ran Rkill, AdwCleaner, and JRT and the last two found registry keys.  Malwarebytes and Webroot scans came up clean.  Stubborn sucker this one.

 

Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/11/2015 08:30:24 PM in x64 mode.
Windows Version: Windows 8.1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * No issues found.

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/11/2015 08:35:35 PM
Execution time: 0 hours(s), 5 minute(s), and 10 seconds(s)

 

# AdwCleaner v5.024 - Logfile created 11/12/2015 at 21:19:03
# Updated 07/12/2015 by Xplode
# Database : 2015-12-07.3 [Server]
# Operating system : Windows 8.1  (x64)
# Username : john.m - MERLINSATELLITE
# Running from : C:\Users\john.m\Desktop\adwcleaner_5.024.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{C9C42510-9B41-42C1-9DCD-7282A2D07C61}]
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}

***** [ Web browsers ] *****


*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1487 bytes] ##########
 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 8.1 x64
Ran by john.m (Administrator) on Fri 12/11/2015 at 21:22:52.02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C0ABE3A3-ED70-4929-BC6E-A4D48AA065C0} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/11/2015 at 21:24:58.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
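
The cleanup passes of 6 and 11 December in this thread removed several of the same entries, which is easier to see by comparing the logs than by reading them. The following is an added example, not part of any poster's reply or of the tools themselves: it parses AdwCleaner and JRT removal lines (excerpts copied from the logs above) and lists what was removed on more than one date. The function names and the grouping by run date are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpts copied from the AdwCleaner and JRT logs posted in this thread.
# Each tuple is (run date shown in the log, removal lines from that date).
RUNS = [
    ("2015-12-06", r"""
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{C9C42510-9B41-42C1-9DCD-7282A2D07C61}]
Successfully deleted: C:\ProgramData\esellerate (Folder)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C0ABE3A3-ED70-4929-BC6E-A4D48AA065C0} (Registry Key)
"""),
    ("2015-12-11", r"""
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C9C42510-9B41-42C1-9DCD-7282A2D07C61}
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{C9C42510-9B41-42C1-9DCD-7282A2D07C61}]
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C0ABE3A3-ED70-4929-BC6E-A4D48AA065C0} (Registry Key)
"""),
]

# AdwCleaner: "[-] Key Deleted : <path>" or "[-] Value Deleted : <path> [<name>]"
ADW = re.compile(r"^\[-\]\s+(Key|Value) Deleted\s*:\s*(.+)$")
# JRT: "Successfully deleted: <path> (<kind>)"
JRT = re.compile(r"^Successfully deleted:\s*(.+?)\s*\(([^()]+)\)$")

def removed_items(log_text):
    """Return {(kind, normalized path)} for every removal a log reports."""
    items = set()
    for line in log_text.splitlines():
        line = line.strip()
        m = ADW.match(line) or JRT.match(line)
        if not m:
            continue
        if m.re is ADW:
            kind, path = "Registry " + m.group(1), m.group(2)
        else:
            path, kind = m.group(1), m.group(2)
        # Registry and NTFS paths are case-insensitive; fold case to compare.
        items.add((kind, " ".join(path.split()).upper()))
    return items

def recurring(runs):
    """Items removed on more than one date, i.e. recreated between runs."""
    dates = defaultdict(set)
    for run_date, text in runs:
        for item in removed_items(text):
            dates[item].add(run_date)
    return {item: sorted(d) for item, d in dates.items() if len(d) > 1}

if __name__ == "__main__":
    for (kind, path), seen in sorted(recurring(RUNS).items()):
        print(f"{kind}: {path}  removed on {', '.join(seen)}")
```

An entry that returns after removal is being rewritten by something still on the machine, which may be a legitimately installed program, so the output marks where to look rather than what is malicious.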
 





