Jump to content

Firefox starts automatically after WLAN reboot and goes to msn.com


Recommended Posts

Hi guys,

I'm a bit unsure where to post this. I hope I picked the right place.

Last Thursday, whenever I started or restarted my WLAN router, Firefox (standard browser) would automatically open a window. The first two times it happend, Firefox tried to open a captive portal (the URL was "http://[my url]/captivePortal.html?url=http://www.msftconnecttest.com/redirect&errorcode=Error_02") but was blocked by NoScript. From the third time and for all further attempts, it just opened msn.com (which is not and never was my default start page). I then went on a trip for a couple of days (WLAN was turned off during that time) and when I returned, the issue was gone.

This happend last Thursday. Just the day before, there was a Firefox update. Could this be a result of said update?

I've read that other people had similar issues in the past. Apparently, Firefox sometimes starts automatically for no apparent reason and then goes to msn.com.

There were no detections by Malwarebytes Anti-Malware, Windows Defender, ESET Online Scanner or Microsoft Safety Scanner.

 

Link to post
Share on other sites

  • Root Admin

Let us get some logs @Lochkartenlocher

 

 

Please do the following so that we can get started and see what's going on.


The Farbar Recovery Scan Tool is a free Windows utility designed to create troubleshooting logs for your computer. These logs help our Support team to identify and resolve issues with your computer.

There are two versions of the Farbar Recovery Scan Tool available for download: 32-bit and 64-bit.
To find which operating system is installed on your computer, refer to Microsoft's article: 32-bit and 64-bit Windows: Frequently asked questions

Download and launch Farbar Recovery Scan Tool

  1. Download the Farbar Recovery Scan Tool
    Do not click on any Ads.
     
  2. Locate the file you downloaded on your computer.
    Downloaded files are often saved to the Downloads folder.
     
  3. Double-click the downloaded file to run the Farbar Recovery Scan Tool.

    DOC-1318-1.png
     
  4. Windows protected your PC notification may appear. This notification is from the Windows Defender SmartScreen Filter which prevents unfamiliar apps from running on your PC.
    Disable smart screen ONLY if it interferes with software we may have to use:  What is SmartScreen and how can it help protect me?

         a.  Click More info.

    https://support.malwarebytes.com/hc/article_attachments/360051190254/DOC-1318-2.png
         b.  Click Run anyway.

    https://support.malwarebytes.com/hc/article_attachments/360051190294/DOC-1318-3.png
  5. When the User Account Control window appears, click Yes.

    image.png

     
  6. To accept the Disclaimer of warranty, click Yes.

    image.png

     
  7. Ensure only the boxes listed below are checked

    image.png

    Registry  Services  Drivers
    Processes  Internet  One month
    Addition.txt

    image.png

     

  8. Disable any Antivirus software you have installed ONLY if it stops software we may use from working.
    Please remember to re-enable any Antivirus software when we are finished running scans

    Click Scan. The scan may take a few minutes to complete.

    image.png
     

  9. When the scan completes, Farbar Recovery Scan Tool shows two messages:

  • Scan completed. FRST.txt is saved in the same directory FRST is located.

    image.png

  • Addition.txt is saved in the same directory FRST is located.

    image.png
     

  • Click OK to close each message window

 

Please attach both of those logs on your next reply, DO NOT copy/paste the contents of the logs directly

https://content.invisioncic.com/Mmalware/monthly_2018_10/_mb_attach.jpg.dbd89b8e360d3763b3bbe33ce83d680d.jpg

 

 

Thanks

 

 

Link to post
Share on other sites

  • Root Admin

Please uninstall the following from Control Panel

Bonjour

 

 

 

FF Notifications: Mozilla\Firefox\Profiles\ywqiimoh.default -> hxxps://web.threema.ch

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

Please run the fix below and attach the FIXLOG.txt file once it's done.

Also, please do not edit logs before posting or we'll not be able to properly assist you.

If you're using your own personal names on your computer you can now see what that is a mistake and you should consider changing those names to generic account names.

 

 

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

Thanks very much for your reply and the further instructions!

I've uninstalled Bonjour. I've also deactivated the push notifications in Firefox.

I didn't realize that editing the name in the log would complicate the process and I'm very sorry for that. The last time I used FRST - a couple years ago in a different forum - I was advised to disguise the name and IP adress. In the future, I'll just use a generic user name on my computer. Thanks for the advice!

Here is the fixlog. Since I've already done it with the first two logs, would it be ok if I disguise the name again? The other parts remain unchanged.

Fixlog.txt

Link to post
Share on other sites

Thanks for your reply. In the last days, the issue did not occur (without me having done anything). However, after deleting the startup cache, it happened again: after activating the WLAN router, Firefox opened automatically and tried to open a Captive Portal. The url was : "http://[my IP adress]/captivePortal.html?url=http://www.msftconnecttest.com/redirect&errorcorde=Error_07"

I then closed Firefox, deactivated the WLAN router and activated it again to see if Firefox would start automatically again, but it didn't. Apparently, it now happens only occasionally.

If it's just Firefox weirdness, it doesn't really bother me. But I'm worried that it could be a threat (maybe some form of exploit or script attack).

Link to post
Share on other sites

  • Root Admin

Please do the following.

Open Firefox to the following link

about:addons

That should show you all of your current add-ons.

For any add-ons that have backups, custom settings, etc. try to save those. Then click on the Help, More Troubleshooting Information again but this time click on the Refresh Settings (this will remove all of your custom settings, including your add-ons)

Write down or print out a list of add-ons in case you want to reinstall any of them.

 

image.png

 

Then restart Firefox. Then restart your WAN connection. Then restart the computer and see if you can get this Firefox behavior to repeat now or not and let me know.

 

Edited by AdvancedSetup
Updated information
Link to post
Share on other sites

Thanks for your reply. I have done that, but unfortunately, Firefox keeps opening windows.

If it is of use: this time, without NoScript (it was removed by the Firefox refresh), Firefox was not able to connect to the Internet. I could not skip the Captive Portal window and had to restart the computer. Before, when NoScript was still active, I could just skip the CaptivePortal attempt (blocked by NoScript) and Firefox would connect to the Internet right away.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.