Answer the question
In order to leave comments, you need to log in
How to find malware when trying to install an extension?
The backstory is this. When starting firefox (I rarely run it, but this time I just missed it with the mouse), I got the following message:
The message shows that a certain program is trying to install an extension. It is not clear which program. And this is what needs to be found out. Because removing the extension is a treatment for the symptoms, not the disease. Thank God that at least the path to the expansion itself is shown and can be studied.
Why is this malware? If only because I don't know any programs that could afford such impudence. Just in case, I checked the extension itself. The cssupdate.com domain is immediately striking instead of cssupdater.com, which Google immediately yells about:
The vidadblocker94.com domain does not exist at all.
If you dig deeper, you can find the webovernet.com domain, in Google they say only bad things about it.
Etc.
If it helps, then here is the extension itself: https://yadi.sk/d/CBHHsfdKjovZJ
But the main goal is to find the program that this extension is trying to install. How to do it?
Antivirus (DrWeb Cureit) did not find anything on the computer (Windows 7 64 bit). And the extension also does not arouse suspicion from virustotal (and from Yandex.Disk, so I calmly posted it).
Answer the question
In order to leave comments, you need to log in
What kind of program - firelis does not know, because he simply found a new one in the folder with extensions, which is not listed as installed through the standard mechanism. Who put the files there - you can only find out by tracking the process of copying files there using procmon, filemon, etc. or by setting up an audit.
In the general case, the malware has already worked its way out and may not even exist on the disk anymore.
As a half measure: agree to install the extension, and after installation, just disable it (without uninstalling). The malware will assume that the extension is already installed.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question