How do I get rid of malware entries in my Prefs.js file (stored in my profile folder)?

  • 7 replies
  • 8 have this problem
  • 11 views
  • Last reply by cor-el

I want to get rid of anything that contains the string "claro" in it. Here is part of my prefs.js file that shows what I want to clear:

\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi\"},\"jid1-LSHV456F7wAw9g@jetpack\":{\"version\":\"1.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\Clayton\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\jid1-LSHV456F7wAw9g@jetpack.xpi\"}}");
user_pref("extensions.bprivacy.DataDir", "C:\\Users\\Clayton\\AppData\\Roaming\\Macromedia");
user_pref("extensions.bprivacy.LSOcount", 23);
user_pref("extensions.bprivacy.donotaskonexit", true);
user_pref("extensions.bprivacy.initiated", 3);
user_pref("extensions.bprivacy.lastSession", "Sunday, September 09, 2012 10:13:43 PM");
user_pref("extensions.bprivacy.removed", 291);
user_pref("extensions.bprivacy.removedSession", 287);
user_pref("extensions.claro.admin", false);
user_pref("extensions.claro.aflt", "babsst");
user_pref("extensions.claro.autoRvrt", "false");
user_pref("extensions.claro.dfltLng", "en");
user_pref("extensions.claro.excTlbr", false);
user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56");
user_pref("extensions.claro.instlDay", "15610");
user_pref("extensions.claro.instlRef", "sst");
user_pref("extensions.claro.prdct", "claro");
user_pref("extensions.claro.prtnrId", "claro");
user_pref("extensions.claro.tlbrId", "claro");
user_pref("extensions.claro.vrsn", "1.6.4.1");
user_pref("extensions.claro.vrsni", "1.6.4.1");
user_pref("extensions.claro_i.newTab", false);
user_pref("extensions.claro_i.smplGrp", "none");
user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");

Modified by Skeezix

All Replies (7)

Additional info:

I also found these lines in my user.js file. How do I get rid of them? (They are also the ONLY lines in user.js.)

(Claro is known malware and these entries were not discovered by the malware "malbytes" program).

user_pref("extensions.claro.admin", false);
user_pref("extensions.claro.aflt", "babsst");
user_pref("extensions.claro.autoRvrt", "false");
user_pref("extensions.claro.dfltLng", "en");
user_pref("extensions.claro.excTlbr", false);
user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56");
user_pref("extensions.claro.instlDay", "15610");
user_pref("extensions.claro.instlRef", "sst");
user_pref("extensions.claro.prdct", "claro");
user_pref("extensions.claro.prtnrId", "claro");
user_pref("extensions.claro.tlbrId", "claro");
user_pref("extensions.claro.vrsn", "1.6.4.1");
user_pref("extensions.claro.vrsni", "1.6.4.1");
user_pref("extensions.claro_i.newTab", false);
user_pref("extensions.claro_i.smplGrp", "none");
user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");

And if that weren't enough, I found a reference to "isearch" in my "search.json" file:

Files\\Mozilla Firefox\\searchplugins\\amazondotcom.xml"},{"_id":"[app]/avg-secure-search.xml","_name":"AVG Secure Search","_hidden":false,"description":"AVG Secure Search","__searchForm":"https://isearch.avg.com/","_iconURL":"data:image/x-icon,%00%00%01%00%01%00%10%10%00%00%00%00%20%00h%04%00%00%16%00%00%00(%00%00%00%10%00%00%00%20%00%00%00%01%00%20%00%00%00%00%00%40%04%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00pn%03%1Fb%83%15%25U%911

And one to "Babylon" in my search-metadata.json file (also malware) as follows:

"{"[app]/babylon.xml":{"hidden":true,"alias":null},"[app]/yahoo.xml":"

See [/questions/934390]

You can remove that user.js file if you didn't create it yourself.
If you did and want to keep some settings then only remove the unwanted user_pref() lines.

Modified by cor-el
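
The removal of only the unwanted user_pref() lines can be scripted. The following is an added example, not part of the original thread: the function names `clean_prefs` and `clean_file` and the `extensions.example.note` pref are made up for illustration. It deletes prefs whose name contains the string and only reports prefs whose value mentions it, since those may belong to other add-ons or to Firefox itself.

```python
import re
import shutil
from pathlib import Path

# One user_pref("name", value); statement. A value is a quoted string with
# backslash escapes, an integer, or true/false.
PREF_RE = re.compile(
    r'user_pref\(\s*"(?P<name>(?:[^"\\]|\\.)*)"\s*,\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;'
)

def clean_prefs(text, needle):
    """Drop prefs whose NAME contains needle; list prefs whose VALUE does."""
    needle = needle.lower()
    removed, review, kept_lines = [], [], []

    def decide(m):
        if needle in m.group("name").lower():
            removed.append(m.group("name"))
            return ""
        if needle in m.group("value").lower():
            review.append(m.group("name"))  # shared pref: inspect by hand
        return m.group(0)

    for line in text.splitlines():
        new = PREF_RE.sub(decide, line)
        if new == line or new.strip():      # skip lines emptied by removal
            kept_lines.append(new.strip() if new != line else line)
    return "\n".join(kept_lines) + "\n", removed, review

def clean_file(path, needle):
    """Run with Firefox closed; keeps a .bak copy of the original file."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    cleaned, removed, review = clean_prefs(path.read_text(encoding="utf-8"), needle)
    path.write_text(cleaned, encoding="utf-8")
    return removed, review

# Constructed sample: lines copied from the post plus one made-up pref whose
# value (not name) mentions the string and contains an escaped quote.
SAMPLE = r'''user_pref("extensions.bprivacy.LSOcount", 23);
user_pref("extensions.claro.admin", false); user_pref("extensions.claro.aflt", "babsst");
user_pref("extensions.claro_i.newTab", false);
user_pref("extensions.example.note", "x \"); claro");
'''

if __name__ == "__main__":
    cleaned, removed, review = clean_prefs(SAMPLE, "claro")
    print(cleaned, removed, review, sep="\n")
```

The same function works on user.js, which uses the same user_pref() syntax.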

The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information. Note: This will cause you to lose any Extensions, Open websites, and some Preferences.

To Reset Firefox do the following:

  1. Go to Firefox > Help > Troubleshooting Information.
  2. Click the "Reset Firefox" button.
  3. Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
  4. Firefox will open with all factory defaults applied.


Further information can be found in the Refresh Firefox - reset add-ons and settings article.

Did this fix your problems? Please report back to us!

I closed FF, deleted my user.js file, and removed the lines containing "Claro" from my prefs.js file.

Will resetting FF do anything to my current "search.json" file and my "search-metadata.json" file?

I had a rather rough experience the last time I reset FF and it took me quite a while to get it back to the way I wanted it.

Resetting Firefox will create a new profile and only some data gets imported, and this doesn't include search engines that were manually installed in the old profile. Only search engines installed via the Firefox program folder will be installed.

If you remove the search.json file then Firefox will regenerate a new file.

What is the content of the "search-metadata.json" file if you inspect it with a text editor?

The following is the entire content of search-metadata.json as opened by notepad:

{

"[app]/babylon.xml":{"hidden":true,"alias":null},
"[app]/yahoo.xml":{"hidden":true,"alias":null},
"[app]/bing.xml":{"hidden":true,"alias":null},
"[app]/eBay.xml":{"hidden":true,"alias":null},
"[app]/twitter.xml":{"hidden":true,"alias":null},
"[app]/wikipedia.xml":{"hidden":true,"alias":null}

}

I suspect there is no harm in simply deleting the line containing "Babylon".

From my search.json file:

Files\\Mozilla Firefox\\searchplugins\\amazondotcom.xml"},{"_id":"[app]/avg-secure-search.xml","_name":"AVG Secure Search","_hidden":false,"description":"AVG Secure Search","__searchForm":"https://isearch.avg.com/","_iconURL":"data:image/x-icon,%00%00%01%00%01%00%10%10%00%00%00%00%20%00h%04%00%00%16%00%00%00(%00%00%00%10%00%00%00%20%00%00%00%01%00%20%00%00%00%00%00%40%04%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00pn%03%1Fb%83%15%25U%911

Does the bolded text above mean anything to you? Possibly placed there by the malware to circumvent AVG? (I've posted that question to the AVG forum but haven't received any reply yet.)

That search engine is probably added by AVG Secure Search