Avatar for Username

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

话题已存档。 如果需要帮助请提出新问题。

How do I get rid of malware entries in my Prefs.js file (stored in my profile folder)?

  • 7 个回答
  • 8 人有此问题
  • 11 次查看
  • 最后回复者为 cor-el

Skeezix
Skeezix
more options

I want to get rid of anything that contains the string "claro" in it. Here is part of my prefs.js file that shows what I want to clear:

\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi\"},\"jid1-LSHV456F7wAw9g@jetpack\":{\"version\":\"1.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\Clayton\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\jid1-LSHV456F7wAw9g@jetpack.xpi\"}}"); user_pref("extensions.bprivacy.DataDir", "C:\\Users\\Clayton\\AppData\\Roaming\\Macromedia"); user_pref("extensions.bprivacy.LSOcount", 23); user_pref("extensions.bprivacy.donotaskonexit", true); user_pref("extensions.bprivacy.initiated", 3); user_pref("extensions.bprivacy.lastSession", "Sunday, September 09, 2012 10:13:43 PM"); user_pref("extensions.bprivacy.removed", 291); user_pref("extensions.bprivacy.removedSession", 287);

user_pref("extensions.claro.admin", false); user_pref("extensions.claro.aflt", "babsst"); user_pref("extensions.claro.autoRvrt", "false"); user_pref("extensions.claro.dfltLng", "en"); user_pref("extensions.claro.excTlbr", false); user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56"); user_pref("extensions.claro.instlDay", "15610"); user_pref("extensions.claro.instlRef", "sst"); user_pref("extensions.claro.prdct", "claro"); user_pref("extensions.claro.prtnrId", "claro"); user_pref("extensions.claro.tlbrId", "claro"); user_pref("extensions.claro.vrsn", "1.6.4.1"); user_pref("extensions.claro.vrsni", "1.6.4.1"); user_pref("extensions.claro_i.newTab", false); user_pref("extensions.claro_i.smplGrp", "none"); user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");

I want to get rid of anything that contains the string "claro" in it. Here is part of my prefs.js file that shows what I want to clear: \Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi\"},\"jid1-LSHV456F7wAw9g@jetpack\":{\"version\":\"1.1\",\"type\":\"extension\",\"descriptor\":\"C:\\\\Users\\\\Clayton\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\a6s51y6q.default-1347242978286\\\\extensions\\\\jid1-LSHV456F7wAw9g@jetpack.xpi\"}}"); user_pref("extensions.bprivacy.DataDir", "C:\\Users\\Clayton\\AppData\\Roaming\\Macromedia"); user_pref("extensions.bprivacy.LSOcount", 23); user_pref("extensions.bprivacy.donotaskonexit", true); user_pref("extensions.bprivacy.initiated", 3); user_pref("extensions.bprivacy.lastSession", "Sunday, September 09, 2012 10:13:43 PM"); user_pref("extensions.bprivacy.removed", 291); user_pref("extensions.bprivacy.removedSession", 287); user_pref("extensions.claro.admin", false); user_pref("extensions.claro.aflt", "babsst"); user_pref("extensions.claro.autoRvrt", "false"); user_pref("extensions.claro.dfltLng", "en"); user_pref("extensions.claro.excTlbr", false); user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56"); user_pref("extensions.claro.instlDay", "15610"); user_pref("extensions.claro.instlRef", "sst"); user_pref("extensions.claro.prdct", "claro"); user_pref("extensions.claro.prtnrId", "claro"); user_pref("extensions.claro.tlbrId", "claro"); user_pref("extensions.claro.vrsn", "1.6.4.1"); user_pref("extensions.claro.vrsni", "1.6.4.1"); user_pref("extensions.claro_i.newTab", false); user_pref("extensions.claro_i.smplGrp", "none"); user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");

由Skeezix于修改

所有回复 (7)

Skeezix
Skeezix 提问者
more options

Additional info:

I also found these lines in my user.js file. How do I get rid of them? (They are also the ONLY lines in user.js.)

(Claro is known malware and these entries were not discovered by the malware "malbytes" program).

user_pref("extensions.claro.admin", false); user_pref("extensions.claro.aflt", "babsst"); user_pref("extensions.claro.autoRvrt", "false"); user_pref("extensions.claro.dfltLng", "en"); user_pref("extensions.claro.excTlbr", false); user_pref("extensions.claro.id", "72da1096000000000000001fc604ff56"); user_pref("extensions.claro.instlDay", "15610"); user_pref("extensions.claro.instlRef", "sst"); user_pref("extensions.claro.prdct", "claro"); user_pref("extensions.claro.prtnrId", "claro"); user_pref("extensions.claro.tlbrId", "claro"); user_pref("extensions.claro.vrsn", "1.6.4.1"); user_pref("extensions.claro.vrsni", "1.6.4.1"); user_pref("extensions.claro_i.newTab", false); user_pref("extensions.claro_i.smplGrp", "none"); user_pref("extensions.claro_i.vrsnTs", "1.6.4.19:51:28");

And if that weren't enough, I found a reference to "isearch" in my "search.json" file:

Files\\Mozilla Firefox\\searchplugins\\amazondotcom.xml"},{"_id":"[app]/avg-secure-search.xml","_name":"AVG Secure Search","_hidden":false,"description":"AVG Secure Search","__searchForm":"https://isearch.avg.com/","_iconURL":"data:image/x-icon,%00%00%01%00%01%00%10%10%00%00%00%00%20%00h%04%00%00%16%00%00%00(%00%00%00%10%00%00%00%20%00%00%00%01%00%20%00%00%00%00%00%40%04%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00pn%03%1Fb%83%15%25U%911

And one to "Babylon" in my search-metadata.json file (also malware) as follows:

"{"[app]/babylon.xml":{"hidden":true,"alias":null},"[app]/yahoo.xml":"

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

See [/questions/934390]

You can remove that user.js file if you didn't create it yourself.
If you did and want to keep some settings then only remove the unwanted user_pref() lines.

由cor-el于修改

user693271
user693271
more options

The Reset Firefox feature can fix many issues by restoring Firefox to its factory default state while saving your essential information. Note: This will cause you to lose any Extensions, Open websites, and some Preferences.

To Reset Firefox do the following:

  1. Go to Firefox > Help > Troubleshooting Information.
  2. Click the "Reset Firefox" button.
  3. Firefox will close and reset. After Firefox is done, it will show a window with the information that is imported. Click Finish.
  4. Firefox will open with all factory defaults applied.


Further information can be found in the Refresh Firefox - reset add-ons and settings article.

Did this fix your problems? Please report back to us!

Skeezix
Skeezix 提问者
more options

I closed FF, deleted my user.js file, and removed the lines containing "Claro" from my prefs.js file.

Will resetting FF do anything to my current "search.json" file and my "search-metadata.json" file?

I had a rather rough experience the last time I reset FF and it took me quite a while to get it back to the way I wanted it.

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Reseetin Firefox will create a new profile and only some data gets imported and this doesn't include search engines that were manually installed in the old profile. Only search engines installed via the Firefox program folder will be installed.

If you remove the search.json file then Firefox will regenerate a new file.

What is the content of the "search-metadata.json" file if you inspect it with a text editor?

Skeezix
Skeezix 提问者
more options

The following is the entire content of search-metadata.json as opened by notepad:

{ 

"[app]/babylon.xml":{"hidden":true,"alias":null},
"[app]/yahoo.xml":{"hidden":true,"alias":null},
"[app]/bing.xml":{"hidden":true,"alias":null},
"[app]/eBay.xml":{"hidden":true,"alias":null},
"[app]/twitter.xml":{"hidden":true,"alias":null},
"[app]/wikipedia.xml":{"hidden":true,"alias":null}

}

I suspect there is no harm in simply deleting the line containing "Babylon".

From my search.json file:

Files\\Mozilla Firefox\\searchplugins\\amazondotcom.xml"},{"_id":"[app]/avg-secure-search.xml","_name":"AVG Secure Search","_hidden":false,"description":"AVG Secure Search","__searchForm":"https://isearch.avg.com/","_iconURL":"data:image/x-icon,%00%00%01%00%01%00%10%10%00%00%00%00%20%00h%04%00%00%16%00%00%00(%00%00%00%10%00%00%00%20%00%00%00%01%00%20%00%00%00%00%00%40%04%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00pn%03%1Fb%83%15%25U%911

Does the bolded text above mean anything to you? Possibly placed there by the malware to circumvent AVG? (I've posted that question to the AVG forum but haven't received any reply yet.)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

That search engine is probably added by AVG Secure Search