Is This JavaScript Update Legitimate?

[Wiggam72]

A relative of mine took a picture with their phone and sent the screenshot to my phone of an update that was rejected several times. Wisely my relative asked me before DL it since they are close to being totally computer illiterate.

I have never seen this type of update, so this is why I'm asking here to find out if it's okay to DL and install it.

It has what appears to be an official FF logo as the background and the update reads the following:

Critical Firefox update The suspicion for me is that the letter "u" in update is not capitalized.

Underneath the above, in a green rectangular background with white font it reads: Download Now

Underneath that, in a larger white rectangular background with black font it reads:

Opening firefox-patch.js

You have chosen to open:

firefox-patch.js

which is: JavaScript File (8.2 KB)

from https: // nuyeeonline-red.com

Would you like to save this file?

[LIMPET235]

NO!.

Delete it.

[Wiggam72]

Thanks. What can be done to prevent it from popping up every so often? My relative said they rejected it (by clicking Cancel or the X) numerous times and said the last time (yesterday) it popped up was when they accessed a Yahoo page.

[dfoulkes]

I've seen that problem posted around here and I did some searching for it... but I guess my search-param was not good enough... came up with zero hits... so, I googled it and quite a few hits were listed... like this one ...
Solved: Re: suspicious download firefox-patch.js - Mozilla Support Community

I've never seen that message... maybe because I use ubloc and Avast... not sure what is blocking it in here ... so, if I were you I'd do some of your own Net searches to see what people came up with .. to stop it.

[Vitesse]

Googling firefox-patch.js suggests it's malware/trojan of some description. Quite a few solutions out there but most don't seem to be for the non-techie.

If you're not able to get over there to remove it, suggest to your relative that they download and run AdwCleaner. After running a scan, accept all suggested removals and action them. It restarts the system as part of the cleaning process, so all other programs should be closed first. A lot of what it does happens behind an apparently blank screen - and if it's a seriously infected system it may seem like it's taking a very long time. But it will eventually restart, after which it will generate a list of everything it's removed.

https://www.malwarebytes.com/adwcleaner/

[Wiggam72]

Thanks. I'll have them install and run it. Malware is probably on their PC because yesterday my relative called and told me that their PC would not allow them to boot into Windows.

Upon startup, It kept saying something about registering the PC, it displayed info about the default settings for the keyboard, and TeamViewer was open. My relative told me that the trouble started after they clicked on something that said it would make the keyboard operate faster.

After trying to explain to me what was going on for half an hour, I decided to access their PC remotely via TeamViewer. I know what the PC setup looks like, files etc included. I was shocked at what I saw.

Their desktop background and all the folders (about 25) there were gone! Even the Profile info accessed by clicking the Windows logo on the bottom left corner was missing. Almost all of the files on the C drive (in Documents, Pictures etc) were gone too. When I opened FF, it asked to import settings etc. I saw that a fresh installation was made. I checked to see if the old Profile was on the PC but nothing. So, after all of that, I had my relative do a System Restore.

It appears from a cursory look by me (and my relative) that everything was placed back. However, my relative told me that a message said that everything wasn't put back.

I'll have to look into things tomorrow after they scan because I won't be able to do it now or later tonight because I won't be back until it's too late.

[James]

https://support.mozilla.org/t5/Problems ... ta-p/37696

[Wiggam72]

James, that's it! That's the culprit that my relative sent to me! Oh, forgot to mention earlier that I had my relative use a different keyboard in case the problem was caused by the keyboard, or in case there is malware present that is dependent on that particular keyboard. The keyboard is one of those ultra fancy ones with a lot of stuff on there that I wouldn't bother to use.

[dfoulkes]

ublock-origin is my ad blocker... I never see that stuff... maybe it should be installed?

uBlock Origin :: Add-ons for Firefox

[Wiggam72]

Sorry I took so long to reply. My relative and I have schedules that are in conflict with one another and made it difficult for me to access their PC and help out. Also, the scans take quite a bit of time.

Here's the outcome. Malwarebytes found a couple of things and I had my relative remove them. SUPERAntiSpyware found over a thousand things! I had my relative remove them. Microsoft Safety Scanner found nothing. Anti-rootkit utility TDSSKiller found nothing. AdwCleaner found nothing. So far, their PC seems to be running fine now. Almost forgot. My relative told me that they switched back to the keyboard they were using before.

I might install ublock Origin on their PC/browser. There is no popup blocker installed. In fact, there is almost no add-ons installed on FF. I think there are only two.

I use Adblock Plus and Adblock Plus popup Add-on because it seems more user-friendly. I remember a thread I started a little while back which led to a poster introducing me and I'm sure many others to uBlock Origin. I did a cursory check of the program at that time and from what I remember, it was more a of manual program than automatic like Adblock is.

[RobertJ]

.
uBlock origin is superior and all necessary filters are installed as part of the extension. Also does not allow some non-intrusive advertising as ABP does by default.

.

[Wiggam72]

I disabled ABP and re-enabled uBlockOrigin. I'll use it for a while and see if it does what I want. I went back to the thread I referred to and the main reason I disabled it was because I couldn't figure out how to block a site that could only be blocked manually.

A poster let me know that the best way to block that particular site was to use my security software, so I didn't bother to use uBlockOrigin.

Here's the thread. http://forums.mozillazine.org/viewtopic ... 1&start=15

[BobbyPhoenix]

I see this around a lot more lately. Family member gets it at least twice a week from Yahoo News (Slow computer, and has Yahoo set as homepage, so before the adblocker is loaded this sometimes gets loaded first. I finally put a "new page" as the first page when opening Firefox to allow the adblocker to load by the time they get to it). It's super hard to block as a domain/site because it uses random servers/domains that are only temporary, so if you get it and block it, you can still get it again from another server/domain. Not knowing it was fake the first time the download button was clicked on, but the page was up for a while, and by the time it was clicked, a "Server not found" was given as that one was already taken down (thankfully). I can't tell you how much I hate people who take advantage of others in any way. If I could ever find them in person I'd be in jail a little while after that..... Just saying.....

[Wiggam72]

Oh boy, the damn thing came back! My relative sent me another screenshot of it and said it popped up again while in Yahoo email. I just called my relative and asked if the link to the popup was saved and was told no.

If I install uBlockOrigin on that PC, what code should be used to block that popup? Will firefox-patch.js be part of how to block it? Or should I use the security software as I did with the above thread link?

[dfoulkes]

Assuming that uBlock is blocking that here and not anything else like a script blocking that I use ... as installed---> uBlock should take care of it... it does here.