Firefox 57 False Positive

[Pkshadow]

False Positive, please white list ASAP

dsengine.js

https://www.virustotal.com/#/file/0d6ab9a631164711d8427f3f4a66dae310889ca34f3324457425ed1cf9d7e2e4/detection

dsengine.cfg

https://www.virustotal.com/#/file/59c5e5d6e72c8ef44155d4083e93f54d6239d482c88b35e658a2261c7492c8fa/detection

 

 

 

 

firefox57-false-pos.txt

dsengine.zip

dsengine.zip

[Pkshadow]

Maybe not white list it : https://support.mozilla.org/en-US/forums/contributors/712839?last=73210#post-73210

[blender]

Hello,

We're taking a look.

Going by the screenshot in your second post, it looks like you can adjust the home page & search engine through the web companion add-on. Correct?

[Pkshadow]

No idea always telling people to come here to remove it. 

As per screen would think so as person who made that is good at code.

Mine came in Conduit in another program using for years. Took 2 days getting rid of it all until this popped up tonight in nightly scan.  It also changed the engine but not by request and would revert my google selection to bing. So no choice in the matter but think all that controlled it i got out already.   As have had no changing and no problems.  MBAM scan nightly, ADWcleaner scan every 2 days and SuperAntiSpyWare manual scan daily and a Norton Full System Scan today with quick scans couple X daily.

Edited January 3, 2018 by Pkshadow
speell fix

[blender]

It looks like the detections for those 2 files were just added yesterday (2nd) which explains why you are just seeing them now.

Do you or did you have Web Companion from Lavasoft?

Which program did you install that included Conduit?

[Pkshadow]

11 minutes ago, blender said:

It looks like the detections for those 2 files were just added yesterday (2nd) which explains why you are just seeing them now.

Do you or did you have Web Companion from Lavasoft?

Which program did you install that included Conduit?

No never had Web Companion from Lavasoft.

I believe it came in from Fileoptimizer from fileforum.betnews.com offsite download.  There was no warning from Norton download scan and MBAM caught it after the fact. It would not pull it out completely and had to use Hitman Pro to finish it off.  I downloaded the same file from Developers github site (redirect can not remember) and it was clean.

 

File got through fileforum was just called fileoptimzer.exe and file got from developer was fileoptimizersetup.exe

Edited January 3, 2018 by Pkshadow

[blender]

Apparently it will take me a while to find a working mirror download since the default one tells me it will take hours to download. o.O. Installer is quite large.

[Pkshadow]

5 minutes ago, blender said:

Apparently it will take me a while to find a working mirror download since the default one tells me it will take hours to download. o.O. Installer is quite large.

71.7mb

[Pkshadow]

My MBAM has in Quarantine from  12/14/17

6 reg entries from SearchScopes   and  1 file from my Firefox Profile all labelled as Conduit

[blender]

Finally got one. Installed it & it did not make changes to Firefox directory at all. I probably got a clean one.

[blender]

I'll have some other researchers look here as well.

 

[Pkshadow]

Just now, blender said:

I'll have some other researchers look here as well.

 

ok

[Pkshadow]

Seems in AdwCleaner 12/15/17 I have entries in the log for PUP.Optional.Legacy, C:\ProgramData\lavasoft\web companion
PUP.Optional.Legacy, C:\ProgramData\Application Data\lavasoft\web companion
PUP.Optional.Legacy, C:\Program Files (x86)\lavasoft\web companion
PUP.Optional.Legacy, C:\Users\All Users\lavasoft\web companion
PUP.Optional.Legacy, C:\Users\PK\AppData\Roaming\lavasoft\web companion
PUP.Optional.WebCompanion, C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft\WebCompanion and

PUP.Optional.Legacy, C:\Users\PK\AppData\Roaming\Mozilla\Firefox\Profiles\0c2nnghq.default\searchplugins\bing-lavasoft.xml

PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Lavasoft\Web Companion
PUP.Optional.Legacy, [Key] - HKU\S-1-5-21-2930015934-539366596-2404163626-1001\Software\Lavasoft\Web Companion
PUP.Optional.Legacy, [Key] - HKCU\Software\Lavasoft\Web Companion
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{278029E0-2347-4254-A65E-204AC55E2508}  (might be Auslogic bought and is blocked from internet.
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{278029E0-2347-4254-A65E-204AC55E2508}  (might be Auslogic
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\webcompanion.com

additionally entries in 2 more scans same day of various entries.

[blender]

Can you attach the log from Adw Cleaner showing the list above?

Thanks!

[Pkshadow]

AdwCleaner[S43].txt

AdwCleaner[S44].txt

AdwCleaner[S45].txt

AdwCleaner[S46].txt

rogue.txt

[Fatdcuk]

Hi Pkshadow

Just to confirm that dsengine.js and dsengine.cfg are not false positive detections.

Because the files are overriding any changes to default search engine selection in the Firefox browser UI then they are considered as potentially unwanted.

https://support.mozilla.org/en-US/questions/1194334
https://support.mozilla.org/en-US/questions/1197498

RE Lavasoft Web Companion detection by Adware Cleaner then I believe this is an intentional detection by them.

However if you require further clarification then please start a new topic in the following sub forum and the guys that work on it will be able to respond.

https://forums.malwarebytes.com/forum/187-malwarebytes-adwcleaner/

Since your initial report has been responded too i am now going to lock this topic as concluded.