My - Firefox-patch.js popup


Doddger

I've got the Firefox-patch.js popping up every few days now.

Came to this forum to get help with removal.

 

Following the recommendation by TwinHeadedEagle I read in another thread, I downloaded the 64-bit version of Farbar Recovery Scan Tool to my desktop and ran the scan.

I've attached my FRST.txt and Addition.txt logs below.

Help with this would be appreciated.

 

FRST.txt

Addition.txt


  • Root Admin

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 01
Please download Junkware Removal Tool to your desktop.

  • Shut down your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus

STEP 02
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista / Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done, you'll see: Pending: Please uncheck elements you don't want to be removed.
  • Now click on the Report button and a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look at the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up, click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want to be restored > now click on Restore.

STEP 03
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

STEP 04
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a check mark here.
  • Please attach the Addition.txt log to your reply as well.

 

Thanks


Moving on to Step 3

Pasted copy of AdwCleaner file below.

 

# AdwCleaner v6.020 - Logfile created 19/09/2016 at 15:49:22
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-19.1 [Server]
# Operating System : Windows 10 Pro  (X64)
# Username : ***en - MASTERBEDROOM
# Running from : C:\Users\***en\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://toolslib.net/forum

 

***** [ Services ] *****

 

***** [ Folders ] *****

 

***** [ Files ] *****

 

***** [ DLL ] *****

 

***** [ WMI ] *****

 

***** [ Shortcuts ] *****

 

***** [ Scheduled Tasks ] *****

 

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\Toolbar.CT2475029
[-] Key deleted: HKLM\SOFTWARE\Classes\Conduit.Engine
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Conduit.Engine
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{1663C10B-0D55-438D-8496-19A3DBAEC0E4}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{A43DE495-3D00-47D4-9D2C-303115707939}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKU\S-1-5-21-111023754-805910574-853954180-1001\Software\YahooPartnerToolbar
[-] Key deleted: HKU\S-1-5-21-111023754-805910574-853954180-1001\Software\AppDataLow\Software\PriceGong
[-] Key deleted: HKU\S-1-5-21-111023754-805910574-853954180-1001\Software\AppDataLow\Software\Toolbar
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\PriceGong
[#] Key deleted on reboot: HKCU\Software\AppDataLow\Software\Toolbar
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}
[#] Key deleted on reboot: [x64] HKCU\Software\YahooPartnerToolbar
[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\PriceGong
[#] Key deleted on reboot: [x64] HKCU\Software\AppDataLow\Software\Toolbar


***** [ Web browsers ] *****

[-] [C:\Users\Ken\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Ken\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [2483 Bytes] - [19/09/2016 15:49:22]
C:\AdwCleaner\AdwCleaner[S1].txt - [2698 Bytes] - [19/09/2016 15:26:57]
C:\AdwCleaner\AdwCleaner[S2].txt - [2698 Bytes] - [19/09/2016 15:42:16]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [2702 Bytes] ##########

 


3 minutes ago, AdvancedSetup said:

Please post logs as attachments if possible. The forum software can often change the posted information as it converts it to html.

Thank you

 

 

Will do. My apologies.

Was doing my best trying to follow your instructions to the letter.

My confusion in posting the information instead of attaching the .txt file came from Step 2, about 3/4 the way down where it reads -

"Copy and paste the contents of that logfile in your next reply."

Assumed from that you wanted the entire file posted instead of attached.

Again, your help is much appreciated.

 


  • Root Admin

What are these files?

 

2016-06-21 21:52 - 2016-06-21 21:52 - 0000323 _____ () C:\Users\Ken\AppData\Local\LMIR0001.tmp_r.bat
2012-03-20 22:38 - 2012-03-20 22:38 - 4284902 _____ () C:\Users\Ken\AppData\Local\Temp009.jpg
2014-04-19 02:01 - 2014-04-19 02:01 - 4440228 _____ () C:\Users\Ken\AppData\Local\Temp666.jpg
2014-04-19 02:02 - 2014-04-19 02:02 - 4440228 _____ () C:\Users\Ken\AppData\Local\Temp6660.jpg
2014-04-19 02:01 - 2014-04-19 02:01 - 3518889 _____ () C:\Users\Ken\AppData\Local\Temp667.jpg
2014-04-19 02:02 - 2014-04-19 02:02 - 3518889 _____ () C:\Users\Ken\AppData\Local\Temp6670.jpg
2014-04-19 02:01 - 2014-04-19 02:01 - 3685537 _____ () C:\Users\Ken\AppData\Local\Temp668.jpg

etc.

 

Edited by AdvancedSetup

I opened that folder to take a look see.

The Temp***.jpg files were all misc pictures that I recognized. Don't know why they were in that folder. I sent them to recycle bin then emptied the bin.

Opened the LMIR0001.tmp_r batch file with Notepad. I did receive online help with a Windows rep a while back. Guessing this file was created then? File was created 3 months ago. Was unable to attach a .bat file so I renamed it LMIR0001.tmp_r1 and saved it as a TXT file. It's attached below.

Also attached new FRST scan results.

 

LMIR0001.tmp_r1.txt

FRST.txt

Addition.txt


Not sure if this helps in troubleshooting..

Seems like this may have been popping up while I was on eBay and then while opening a new tab to do a Google search. Just noticed today that my AdblockPlus was turned off on eBay's site. It's on now. Will report back if it makes a difference.

Found this message on another site while searching for the cure. -

"this is a known problem being pushed by advertisements on various sites. The file is a dangerous script that involves Windows administration tools to embed malware on your system. I don't know whether the firefox_patch.js that you captured is the same one other users have reported, but it's probably very similar."

The light bulb went off when I read that as it seemed this "Firefox Update / Firefox-patch.js" always happened when I was on eBay. eBay has advertisements on the right side of some pages. ???


  • Root Admin

I'll review your new logs a bit later tonight. In the meantime please run the following and then restart the computer.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

After the reboot please run a new MBAM scan as well and post back that log too.

Thank you

Ron

 

 


1 hour ago, AdvancedSetup said:

I'll review your new logs a bit later tonight. In the meantime please run the following and then restart the computer.

 

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

After the reboot please run a new MBAM scan as well and post back that log too.

Thank you

Ron

Will do.

Just an FYI...  Windows 10 decided to do an update this evening. Took about 3 hrs at 35Mbps..  Must have been a pretty big update.

Downloaded TFC and ran it. Took a while to run. Didn't ask to restart but I did anyway.

Then downloaded MBAM. Have not run that before. Took a little while to update before starting. Once it updated, I ran that.  Took 30 minutes to run.

Zero threats found. In order for them to be read, I had to export the Malware and MalwareProtection to txt files. I then sent them to my desktop so I could find them.

Don't know if you needed both of them but they are attached below.

 

 

Malware.txt

malwareProtection.txt

This topic is now closed to further replies.