Persistent Firefox Malware eFix Pro

[cprelude]

Hi all...

I've got a client with some malware specific to her Firefox browser: When she tries to enter details in a form a new tab opens to launch a page advertising "eFix Pro".
I've successfully cleaned this from two other browsers on the machine and also done an antivirus scan throughout the machine in pre-boot mode.
However, the Firefox "version" of the malware is very persistent. I've tried two further attempts with two different anti-malware products, including my tried and tested Malwarebytes (which has never failed me yet). Nothing has worked!
I have note yet had the opportunity to scan in safe mode, as I am supporting the user remote and she is having trouble getting the machine in to Safe Mode with Networking. All that said, any advice on this particular "nasty"?

 

[Kitten Kong]

Have you tried resetting firefox?

 

[ZenTree]

Have you checked for add-ons/toolbars?

I've had a few awkward ones recently but adwcleaner has removed them all so that might be worth a shot if you haven't already.

 

[Moltuae]

Add-ons/plug-ins, as previously mentioned.


Also go into about:config and check for any entries that mention the adware, especially 'browser.newtab.url'. You could try typing 'efix' into the about:config search bar, for example.


Failing that, try closing FF, renaming the profile folder and restarting FF.

 

[mrapoc]

We just had this. Pain in the arse. Zoek did most of the work. Stripped out ff and reinstalled after that

 

[cprelude]

Have you tried resetting firefox?

Hi Nige...Yes, tried that three times at different points in the evening! Also did a full uninstall of Firefox, including deleting content in Users\Appdata, followed by reboot, followed by reinstall.

 

[cprelude]

Have you checked for add-ons/toolbars?

I've had a few awkward ones recently but adwcleaner has removed them all so that might be worth a shot if you haven't already.

Thanks, will give Adwcleaner a go. A new one on me.

 

[cprelude]

Add-ons/plug-ins, as previously mentioned.


Also go into about:config and check for any entries that mention the adware, especially 'browser.newtab.url'. You could try typing 'efix' into the about:config search bar, for example.


Failing that, try closing FF, renaming the profile folder and restarting FF.

Thanks Moltuae, will check out.

 

[cprelude]

We just had this. Pain in the arse. Zoek did most of the work. Stripped out ff and reinstalled after that

Tried installing Zoek just now and it got blocked by Norton Antivirus saying there was a trojan in it! False positive? Is there a legit download site for Zoek?

 

[mrapoc]

http://download.bleepingcomputer.com/smeenk/

 

[B Trevathan]

Have you checked the scheduled tasks and also have you checked for a proxy?

ADWCleaner is a good program.

Another good program is RogueKiller

And UVK (Ultra Virus Killer)

And also JRT (Junkware Removal Tool)
This program will not give you the option of what to remove but it creates a log and uses an embedded program called ERUNT to make a registry backup.

A good program to help with uninstalling is Revo Uninstaller

All these programs are easy to use but you may also find this link helpful.