Firefox Malware detected (hides itself as an extension)

The core of this 'logic' seems to be deriving update/install/remove instructions from:

This host is (among other things) tracking all of your firefox activities using a file called "watcher.js" to intercept and direct them to the above host (as configured in a 'config.js' file included in the add-on, it also monitors every other extension you have installed and automatically replaces itself using a secondary hook which I haven't figured out yet if you should delete it and keep its 'hook' active).

The extension hides itself using this code fragment:

// hide itself immediately
// INFO: relies on
// therefore comes after Watcher.initialize this.addonHide();

and DOES NOT show up as an installed "Add-On" in FireFox, and therefore cannot be removed or disabled in the conventional means.

You will need to manually "unzip" each of your extensions (or simply delete them all and see what's leftover) in order to detect this MALWARE. I STRONGLY suggest everybody who reads this immediately do the following:

1) Firefox -> Tools -> Add-Ons Manager
2) Delete ALL of your add-ons
3) Open your "<Firefox preferences>/profiles/.../extensions/" folder
4) See what's left in that folder

Whatever XPI or directory is left in there, it is hiding itself from FireFox and you will need to manually delete any/all XPIs in there in order to remove them from your system. Thereafter, until Mozilla gets its Add-On library cleaned up, I will just be using 'stock Firefox'...

Good luck.

Asked Jan 18 '15 at 8:28
Add a comment

Know someone who can answer? Share a link to this question via email, Google+, Twitter, or Facebook.

Your Answer