Avast and Malwarebytes identifying FireFox.exe as adware trying to redirect to mobiclean.xyz
Both Avast and Malwarebytes alert when I open a new webpage or navigate through a website. Both state that they have aborted a connection to mobiclean.xyz identifying it as adware. The identified file doing the redirecting is c:\Program Files (x86)\Mozilla Firefox\firefox.exe. This is only a recent issue within the last few updates. I have scanned using both programs and they indicate that there isn't a threat (Avast both smart scan and full scan). Malwarebytes classifies the event as "RTP detection" and Avast classifies it as "Other:Malware-gen [Trj]. I am not sure if this is a false positive, some kind of Trojan, or the code in firefox.exe is being misidentified. Has anybody else experienced this? If so, what did you do? As of this writing I am scanning with Spybot Search and Destroy. Any information is appreciated. Thanks.
Gekozen oplossing
jscher2000: So I used Task Manager as you suggested. I noticed that the Farmville 2 plugin was active although I wasn't on Zynga playing when looking at what FireFox was doing. I haven't played Farmville 2 in ages. The plugin was installed to improve performance. I went ahead and uninstalled it and viola, no more alerts. Perhaps the plugin was calling home or not compatible with newer versions of FF. Either way the alerts have fallen silent. Thanks again for the help.
Dit antwoord in context lezen 👍 1Alle antwoorden (9)
Hi Dan_H, is this a problem on every site, or just one or a few sites in particular?
One possible culprit would be an extension. You can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:
- Ctrl+Shift+a (Mac: Command+Shift+a)
- "3-bar" menu button (or Tools menu) > Add-ons
- type or paste about:addons in the address bar and press Enter/Return
In the left column of the Add-ons page, click Extensions. On the right side, find the "Manage Your Extensions" heading.
If there is at least one extension before the next heading -- "Recommended Extensions" -- please continue:
Cast a critical eye over the list below that heading. Any extensions Firefox installs for built-in features are hidden from this page, so everything listed here is your choice (and your responsibility) to manage. Anything suspicious or that you just do not remember installing or why? If in doubt, disable (or remove). For your privacy and security, don't let mystery programs linger here.
Any improvement?
Bewerkt door jscher2000 - Support Volunteer op
Thanks for the help. I seem to have found the offending extension. The author must have decided they needed money and so changed something. I downloaded the extension from Mozilla a while ago. I've used Avast for a few years now and it never indicated an issue until recently. Thanks again.
What is the Extension name?
I may have spoken too soon. I deleted the extension, but it was a dark mode for YouTube and FB. I don't remember the name. However, when I attempted to use the "find more add-ons" from the options tab Malwarebytes alerted and gave me another RTP detection warning indicating that firefox.exe was trying to redirect to mobiclean.xyz. When I accessed this page and others I have not received the same message. One of the IP addresses used is 64.58.126.236 and tries to use port 80. Both Avast and Malwarebytes have alerted, with Avast being the one constantly alerting. I guess I'm back to square one.
Do you have any other extensions you might want to disable as a test? The ones with the little trophy icon next to their name are reviewed by Mozilla for the "Recommended" program so those shouldn't be a problem.
(By the way, port 80 is the standard HTTP port for non-secured connections.)
jscher2000f: I closed FireFox completely and I still have Avast alerting on the mobiclean.xyz. I did disable all extensions that weren't Mozilla recommended. When I was looking on the internet I found an article "Inkr: The New Malicious Browser Extensions Campaign Spreading Across the Net". Some of the IP addresses mobiclean was trying to reach matched reported IP's. The strange thing is Malwarebytes didn't find anything even when it alerted. Malwarebytes has gone quite after I used Spybot Search and Destroy, but not Avast. This is an example of what Malwarebytes alerted on and is similar to what Avast reports.
-Website Data- Category: Adware Domain: mobiclean.xyz IP Address: 64.58.126.236 Port: 80 Type: Outbound File: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Not sure how to proceed when the alert keeps coming even when FireFox is closed. I've tried the advice in the article, but the problem remains.
Hi Dan_H., after you exit out of Firefox and it seems to have shut down, check the Windows Task Manager for any other Firefox processes still running. Here's how:
- Launch the Task Manager using Ctrl+Shift+Esc
- If you see a More Details link on the dialog, click that to open more tabs
- Switch to the Details tab and click the Name column heading to sort by file name
Do you see any instances of firefox.exe listed here?
You can add a Command Line column to this dialog, which will show how each program was started. This sometimes is useful in tracking down what is going on with programs starting unexpectedly. You can keep this window minimized so it is ready immediately if Avast alerts again.
Another good tool is Microsoft's Process Explorer program, which shows "parent-child" relationships when Firefox is launched directly from another program: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
Gekozen oplossing
jscher2000: So I used Task Manager as you suggested. I noticed that the Farmville 2 plugin was active although I wasn't on Zynga playing when looking at what FireFox was doing. I haven't played Farmville 2 in ages. The plugin was installed to improve performance. I went ahead and uninstalled it and viola, no more alerts. Perhaps the plugin was calling home or not compatible with newer versions of FF. Either way the alerts have fallen silent. Thanks again for the help.
Thanks for reporting back on that. You can mark your reply as the solution: https://support.mozilla.org/en-US/questions/1294620#answer-1332885