MozillaZine

2 new tabs open all by themselves--why?

ronbo
 
Posts: 110
Joined: July 2nd, 2004, 3:52 pm
Location: North Idaho, USA

Post Posted July 31st, 2018, 9:07 am

I am using W7 Pro, FF v52.9.0, which I just recently updated to. I also updated Adobe Flash Player.
Since then after opening FF and looking at 1 or 2 of my 4 open tabs, 2 more tabs open--they do it by themselves--I'm not clicking on anything--just looking.
The first one has a URL of: http musing-hermann-c4f286.bitballoon.com/ it has a totally blank screen.
The 2nd one is: https go.searchlock.com/FireFox/614/turnoff-tracking.html?source=js_6613&cid=w39KR4E30S8097OF1VSBFA2O&country=US&subid_2=lzpv4rsmat.com this one has a screen, with a button to click (no I have not clicked it) and below it the terms of clicking it--but oddly it does not display the full info of the terms, and there is no vertical slider to see them.

I've checked my firewall for apps that I do not recognize and nothing there.
There are no FF add-ons that are new and that I don't recognize.
I have run M$ Security Essentials and nothing found there.
I've checked the CP/Programs & Features and nothing there unusual.
I don't know what to check next.
Am I infected?? Has something been hijacked?

Any ideas where this is coming from, and more importantly--how to get rid of it.
I appreciate any help,
Ron
Last edited by LIMPET235 on July 31st, 2018, 9:26 am, edited 1 time in total.
Reason: Killed the live link/s. JIC.

LIMPET235
Moderator

Posts: 38423
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted July 31st, 2018, 9:30 am

Moving to Firefox Support...
Ancient Amateur Astronomer
Win-7-HP/Intel® DualCore-2.0GHz/500G HDD/4 Gig Ram/550Watt PSU/350WattUPS/Firefox-20.0-57.0-61.0-62.0/T-bird-2.0.0.24/SnagIt-v10.0.1/MWP-7.11.0.
RadioYachting. (Always choose the "Custom" Install.)

Brummelchen
 
Posts: 3799
Joined: March 19th, 2005, 10:51 am

Post Posted July 31st, 2018, 9:35 am

Load adwcleaner and post logs after usage
https://de.malwarebytes.com/adwcleaner/

Sorry guys, German bookmark, see below for English page!
Last edited by Brummelchen on July 31st, 2018, 9:59 am, edited 1 time in total.
users who probably never will get an answer from me: f*x, f*n, j*n, k*s, k*x, l*y, m*o, m*d, m*x, o*l, p*y, s*e, d*h, l*t, d*e, j*k, f*u*a, h*2

LIMPET235
Moderator

Posts: 38423
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted July 31st, 2018, 9:46 am

Err, Brummelchen,
the English version site would be better to post, don't you think?
ref; > https://www.malwarebytes.com/adwcleaner/

&, ronbo,
That "go.searchlock.com" thing appears to be a browser hijacker.
Check/ask at the "bleeping computer forum" on how to remove it or just do a Google.
> https://www.bleepingcomputer.com/forums ... oval-help/

Brummelchen
 
Posts: 3799
Joined: March 19th, 2005, 10:51 am

Post Posted July 31st, 2018, 9:58 am

Idd, ty

LIMPET235
Moderator

Posts: 38423
Joined: October 19th, 2007, 1:53 am
Location: The South Coast of N.S.W. Oz.

Post Posted July 31st, 2018, 10:23 am

Ronbo,
Apparently, malwarebytes free version will remove the offending POG.
> https://www.malwarebytes.com/

therube

Posts: 19109
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted July 31st, 2018, 1:18 pm

musing-hermann-c4f286.bitballoon.com

https://cdn.minescripts.info/c/xGa0.js

I wonder what that does?


What is your Home Page set to?
What does your desktop shortcut show?
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript

ronbo
 
Posts: 110
Joined: July 2nd, 2004, 3:52 pm
Location: North Idaho, USA

Post Posted July 31st, 2018, 5:45 pm

Thanks for all the info--I appreciate it. I downloaded and installed Malwarebytes. I ran the scan and it found 164 potential threats. I quarantined all of them, did a restart and opened FF. The 2 extra tabs have not opened, after doing my normal looking at my open tabs (US National Weather Service).
I know you requested a copy of my log---I'll be happy to copy it here, but 164 lines??

Here are a few:
Registry Key: 12
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Yahoo! Powered nocil, No Action By User, [249], [308969],1.0.6145

Registry Value: 6
PUP.Optional.WinYahoo, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|URL, No Action By User, [249], [254683],1.0.6145

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 22
PUP.Optional.OpenCandy, C:\Users\r\AppData\Roaming\OpenCandy\E09132DCEF3D4E9CB7DADF1DBFD509AF, No Action By User, [1041], [173202],1.0.6145
PUP.Optional.SearchManager, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce\10.1.2.61_0\content, No Action By User, [246], [440037],1.0.6145

File: 124
PUP.Optional.WinYahoo, C:\WINDOWS\SYSTEM32\TASKS\Yahoo! Powered nocil, No Action By User, [249], [308969],1.0.6145
PUP.Optional.SearchManager, C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\nahhmpbckpgdidfnmfkfgiflpjijilce\10.1.2.61_0\vendor\react-with-addons.min.js, No Action By User, [246], [440037],1.0.6145

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)

It looks like a lot of temporary files. I guess I should have looked at some of those files to see when they were dated. They are now in the Quarantine folder, with oddball names and today's date.

After all this--I still have no extra tabs open.
I did not go to the https://www.bleepingcomputer.com/forums ... oval-help/
But I will, if either of the 2 tabs opens again.

Thanks again for your help, Ron

Well I spoke too soon. After I posted the above reply, I shut down my putr. Just now, an hour later, I turned it back on and the musing-hermann site appeared again. It has always been a blank page. How can I see if something might be running in the background of the blank page?
I reran Malwarebytes and it found nothing. I looked at the processes running and none look odd. There are two processes of Firefox tho. Only 1 shows on my taskbar and the Task Manager/Applications.

I will do a deeper scan using M$ Security Essentials, and visit the Bleepingcomputer forum.
and report back.

therube

Posts: 19109
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted August 1st, 2018, 4:12 am

musing-hermann, regardless of displaying "blank" or not, looks to contain a "coin miner", so at the least it is using your CPU to make money - for them.
(Good for them, not so good for you.)

Bleepingcomputer: How to Remove Yahoo! Powered & Us.search.yahoo.com Home Page
(Geez, that's a lot of work.)

ronbo
 
Posts: 110
Joined: July 2nd, 2004, 3:52 pm
Location: North Idaho, USA

Post Posted August 1st, 2018, 5:19 pm

This morning when I logged on, both tabs opened--like before the Malwarebytes. Sometimes they never open, but when they do open it is after 30 seconds after I start FF and my normal tabs open. I ran Rkill and AdwCleaner. Rkill found an Intel.com file and AdwCleaner found:
***** [ Folders ] *****

Deleted C:\Users\r\AppData\Roaming\IHlpr
Deleted C:\Program Files (x86)\Common Files\freemake shared
Deleted C:\Program Files (x86)\Common Files\62B692F391EC7225B9E02C05320153E5

***** [ Files ] *****

Deleted C:\Users\r\AppData\Roaming\Mozilla\Firefox\Profiles\uw9r7k1c.default\searchplugins\yahoo! powered.xml

____my question--Do I need to look for more yahoo named folders & files and delete them?

Deleted HKLM\Software\Wow6432Node\POLICIES\GOOGLE\Chrome

I do use Chrome and never had a problem with it. I use it because--some web sites I like to save my place when I shut down the browser, most time I want to start my browser fresh--using my default tabs.

Ron
Deleted HKLM\SOFTWARE\POLICIES\GOOGLE\Chrome
Deleted HKCU\Software\csastats
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Deleted HKLM\Software\Wow6432Node\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Deleted HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules|{7ADD38F0-20BF-41E3-91A0-C910E70CFEB9}


This PM, I renamed my profiles in appdata/local and appdata/roaming, but FF knew I had a 64 bit install so it just told me I had no profile and would not open.

So I d/l 59.9.0 32 bit--so now it looks like a virgin copy. I assume, as someone mentioned--my browser was hijacked--so I hope by not running FF 64bit the miners will not show up again.

I have lots of recent folders in C:/Windows/winsxs (note the small w--most of the folders in Windows begin with a capital) that have a company name in the Details as TrustedInstaller. Is this useful?

I'll use FF 32bit for the next few days and see what happens.

Brummelchen
 
Posts: 3799
Joined: March 19th, 2005, 10:51 am

Post Posted August 2nd, 2018, 9:48 am

minscript is a coin miner. Either hacked site or hacked browser. Both are no longer secure!

Btw you were not advised to run rkill. Why did you?

ronbo
 
Posts: 110
Joined: July 2nd, 2004, 3:52 pm
Location: North Idaho, USA

Post Posted August 2nd, 2018, 11:17 am

It was mentioned in the link--- https://www.bleepingcomputer.com/virus- ... -home-page
posted above by therube. It was the 1st thing to do after printing the instructions.

After numerous opening and closing and shutdowns etc, FF 32bit ver52.9.0 has not had any tabs opening on their own.
Does this mean the hijacking and miner are no longer active????
Or perhaps--the 32bit version does not show the open tabs but they are running in the background.

FF used to have a way to block sites. I can not find anything in V52. It was probably an older version. Chrome help forum had this post;

To block certain websites on your PC, here's the trick (for Windows):

Step 1: Click the Start button and select Run. Now copy and paste the following text in that Run box:
c:\WINDOWS\system32\drivers\etc\hosts
Choose “Notepad” to open it.

Step 2: Go to the last line of the file, hit the enter key and type in the following format:
127.0.0.1 xxxx.com
Eg: If you want to block facebook.com and myspace.com
127.0.0.1 facebook.com
127.0.0.1 myspace.com

Step 3: Save the modified file

That’s it. None of the above sites can be visited on your computer.
One per line if you want to add more web sites.

In this way you can only block websites one by one; if you want to block websites on a large scale, you can use a professional web filter (http://goo.gl/QePcl) which will help you easily block websites by keywords or URL.

I wish the above would give a popup when the miniscript tried to get to the net--- kinda like my very old Kerio firewall used to.

Ron

therube

Posts: 19109
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted August 2nd, 2018, 12:09 pm

ronbo wrote:miner are no longer active

The miner, in this case, only is effective if you actually visit that particular web page (or any particular web page that happens to have a miner on it).

Potentially, you could have malware on your system, outside of anything "browser" that also mines, but in this case, the miner is run by your browser. So if you don't visit a web page with a miner, or if you're not "sent" to a web page with a miner (your case), then you should be OK (& assuming there is nothing on your system outside of the browser that mines).

ronbo wrote:Does this mean the hijacking and miner are no longer active????

Sounds like it to me.

ronbo wrote:Or perhaps--the 32bit version does not show the open tabs but they are running in the background.

I'd think not.


As far as a HOSTS file goes, that is still around, & that is one method to block sites.
Depends on whether the particular miner sites are included on the particular HOSTS file.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
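
An added example, not part of any post in this thread: a Python check of whether hosts-file text actually sinkholes the hostnames named above. Hosts entries match exact hostnames only, so an entry for a parent domain does not cover a subdomain; the sample hosts text and the function names are constructed for illustration.

```python
# Audit hosts-file text: which wanted hostnames are really sinkholed?
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not taken from anyone's machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1   localhost
127.0.0.1   bitballoon.com        # parent domain only
0.0.0.0     cdn.minescripts.info
"""

# Hostnames that appear in this thread.
THREAD_HOSTS = [
    "musing-hermann-c4f286.bitballoon.com",
    "cdn.minescripts.info",
    "go.searchlock.com",
]

def parse_hosts(text):
    """Return {hostname: address} for each mapping in hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address with no name
        addr, names = fields[0], fields[1:]
        for name in names:
            # keep the first entry seen for a name
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping

def coverage(text, wanted):
    """Classify each wanted host: 'blocked', 'parent-only' or 'not blocked'."""
    mapping = parse_hosts(text)
    report = {}
    for host in wanted:
        h = host.lower().rstrip(".")
        if mapping.get(h) in SINKHOLES:
            report[host] = "blocked"
        elif any(h.endswith("." + name) and addr in SINKHOLES
                 for name, addr in mapping.items()):
            # A parent entry exists, but hosts has no wildcards: still reachable.
            report[host] = "parent-only"
        else:
            report[host] = "not blocked"
    return report

if __name__ == "__main__":
    for host, status in coverage(SAMPLE_HOSTS, THREAD_HOSTS).items():
        print(f"{status:12} {host}")
```

To audit a real machine, pass the contents of c:\WINDOWS\system32\drivers\etc\hosts as the first argument instead of the sample text.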

jscher2000

Posts: 10232
Joined: December 19th, 2004, 12:26 am
Location: Silicon Valley, CA USA

Post Posted August 2nd, 2018, 3:50 pm

ronbo wrote:There are no FF add-ons that are new and that I don't recognize.


Unfortunately, sometimes extensions become compromised. If there are any that updated in the past 30 days, and any you can live without for 12 hours, try disabling them. Some legacy extensions may not actually be disabled until you restart Firefox (there will be a link for that purpose on the Add-ons page in that case).

ronbo
 
Posts: 110
Joined: July 2nd, 2004, 3:52 pm
Location: North Idaho, USA

Post Posted August 2nd, 2018, 8:09 pm

Thanks for the info,
therube--when you write "So if you don't visit a web page with a miner, or if you're not "sent" to a web page with a miner (your case)" But when a tab loads, like musing-hermann----, isn't that like I am visiting that site? Or do I physically open the tab to view the contents? My tabs are already filled when I click on them.

I just renamed the profile in Local and Roaming, and copied a backup from a few months ago. I have not updated any Add-ons, nor will I for a while---UNLESS they update by themselves. I am going to run the 32bit version--it seems to run much faster and not pause, like something is going on in the background, like the 64 bit always has. Yes my W7 is 64bit :)

jscher2000
A couple of days ago, I did disable some Add-ons, I do not remember which ones tho, but it did not make any difference--I still got the extra tabs.
