Every time I run MBAM, I get a PUP.Optional.Spigot warning. Is this a problem or is it safe?
Win 10/FF 50.0.2 - about to update after I finish this.
I can't tell if it's the same warning every time, but I would venture a guess that it always has something to do with my Firefox profile. It is FILE 1 below.
Since it is quarantined weekly, I delete the file. I remembered to save it so that I could ask about it.
It is apparently not a threat.
What is it? How can I stop this from recurring? I have no idea how Firefox is built, but I have a feeling that I can either delete the file or add this to an exception, as long as it's safe to do so. I don't use Yahoo search and I can't even imagine how FF uses it. I am sure somebody knows better than I know.
Thank you.
MBAM LOG Scan Type: Threat Scan Result: Completed Objects Scanned: 341255 Time Elapsed: 18 min, 40 sec
Memory: Enabled Startup: Enabled Filesystem: Enabled Archives: Enabled Rootkits: Disabled Heuristics: Enabled PUP: Enabled PUM: Enabled
Processes: 0 (No malicious items detected)
Modules: 0 (No malicious items detected)
Registry Keys: 0 (No malicious items detected)
Registry Values: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Folders: 0 (No malicious items detected)
Files: 1 PUP.Optional.Spigot, C:\Users\,my user name \AppData\Roaming\Mozilla\Firefox\Profiles\my -New\prefs.js, Good: (), Bad: (user_pref("keyword.URL", "https://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=888596&p=");), ,[61f039aa564431051a9856846c975ba5]
Physical Sectors: 0 (No malicious items detected) (end)
Solução escolhida
CiaoBella1 said
The Avira message pops up after (while) I select delete for the PUP Optional Spigot entry in MBAM. I don't know if Avira is telling me that it can't clear it because the PUP is in the registry. I assume that's what the message is - which is why the whole thing (capture and delete?) is confusing to me.
I really don't know what is going on there.
Ler esta resposta 👍 0Todas as respostas (8)
Are you saying the problem keeps coming back week after week even if you quarantine the file? It could be that Firefox is running during that time, so removing the file is not effective. Instead of deleting the prefs.js file -- which would cause many Firefox preferences to experience a factory reset -- try this:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.
(2) In the search box above the list, type or paste keyw and pause while the list is filtered
(3) Right-click the keyword.URL preference and choose Reset to clear it
Firefox should save the change to prefs.js within a minute or two. Hopefully future scans will then come up clean. If not, an add-on or external process may be re-inserting that setting.
Good question, Jscher2000,
Two answers: Avira immediately tells me that it's blocked a registry change - so I have no idea what's going on (I used Defender for the past decade and don't understand a lot of the technical language w/this AV).
I don't know and I said I wasn't sure, but it's always Firefox. I am sure FF is always open.
Let me clarify - it's always a PUP Spigot warning (I can't see it to write it correctly) and it always has C:\User\Firefox in it. The message that contains Yahoo search Greentea is the part that I cannot swear is constant.
Result: I got browser.keywordURLPromptDeclined.
Thank you.
Alterado por CiaoBella1 em
I'm not sure I understand this part --
Result: I got browser.keywordURLPromptDeclined.
-- you got that trying to Reset the preference???
I am sorry, jscher2000,
I followed your instructions, When I pasted keyword.URL, that was one of the two choices that appeared. The other choice was less like what you expected me to find,
What does it mean - anything?
Thank you.
CiaoBella1 said
I followed your instructions, When I pasted keyword.URL, that was one of the two choices that appeared.
Hmm, instead of pasting, try typing keyw in the search box above the list and see what appears.
Does the keyword.URL line on about:config show a status of "Locked" or "user set"? If it says "user set", then right-clicking the preference and choosing Reset should clear it. There should not be anything about a prompt or being declined
After re-reading your earlier reply, this part sounds odd:
Avira immediately tells me that it's blocked a registry change - so I have no idea what's going on
When you clear the keyword.URL preference, Firefox should only be editing the prefs.js file and not modifying the Windows Registry. So this is a very strange message to get in this context.
Firefox doesn't use keyword.URL any more because it was so easily hijacked, but it's troubling that some software keeps reinserting it. Does Avira have a feature to prevent or roll back changes to browser settings?
It was user set and I reset it.
The Avira message pops up after (while) I select delete for the PUP Optional Spigot entry in MBAM. I don't know if Avira is telling me that it can't clear it because the PUP is in the registry. I assume that's what the message is - which is why the whole thing (capture and delete?) is confusing to me.
I ran MBAM Friday and there were no issues.
I'll answer your q about Avira if it is still relevant,
Thank you.
Solução escolhida
CiaoBella1 said
The Avira message pops up after (while) I select delete for the PUP Optional Spigot entry in MBAM. I don't know if Avira is telling me that it can't clear it because the PUP is in the registry. I assume that's what the message is - which is why the whole thing (capture and delete?) is confusing to me.
I really don't know what is going on there.
Was this YOUR question? "After re-reading your earlier reply, this part sounds odd:"
"Avira immediately tells me that it's blocked a registry change - so I have no idea what's going on."
it's should be IT HAS blocked.
I have been sloppy. My apologies.