when i open Firefox an additional tab keeps opening with yahoon search and %SNF%, how do I remove?
I managed to get infected by SnapDo. I removed it successfully, but when I open Firefox it tries to open an additional tab as well as those I choose to "show my windows and tabs from last time". It tries to go through Yahoo and then opens a search on %snf%. I foudna way to correct this by removing the additional link in teh Firefox properties, shortcut, but it still opens this additional tab on the yahoo search with the following link: https://search.yahoo.com/web?fr=slv502-#92;u0001$REG_sc\u0001&type=\u0001$REG_tc\u0001&url=http%3A%2F%2Fwww.%25snf%25.com%2F I've reset Firefox, troubleshooted, uninstalled yahoo toolbar and all the usual things to try and remove it, but to no avail. Malwarebytes cannot find any further snf or snapdo files on my pc. Can you help please? Regards, Gary
Isisombulu esikhethiweyo
Great, thanks for posting back.
Its simply a variation on the problem you had initially identified. The hijacker modifies shortcuts. Instead of
.... \firefox.exe"
the adware will have added junk
.... \firefox.exe" <some snf webpage>
The icon would have used a shortcut that included added junk about snf at the end. When the icon is use Firefox then instead of just opening Firefox opens Firefox and then goes to the web page specified on the end of the shortcut.
Making a new shortcut icon, or right clicking and editing the properties of the existing one solves that issue. You my still come across other links or shortcuts that were changed for Firefox, and maybe also other browsers. Check your other icons and links work ok.
Funda le mpendulo kwimeko leyo 👍 0All Replies (10)
Follow https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware
In addition, reset your current profile to keep only private data: https://support.mozilla.org/en-US/kb/reset-firefox-to-fix-most-problems
Thanks for this Oxylatium. Unfortunately, I've done all of that and the problem still exists, hence why I posted on these help pages. Can you or anyone else offer any different advice please? Thanks in advance.
Malware may change shortcuts as you have discovered. It may also make other lasting changes. In case it has corrupted any of the Firefox core stuff you need to do what we usually refer to as a clean reinstall, using an official site so use getfirefox.com . You need to delete the Firefox program folders and files.
With clean install completed you can then try resetting all Firefox's search settings. Note when working on the profile files it is often best to; at least initially; rename files rather than deleting them. That makes the change reversible. The articles about search settings may be outdated and still mention old types of files from previous Firefox versions.
- Locate your profile from the troubleshooting page whilst Firefox is open. Then close Firefox before making any changes
- Back up and restore information in Firefox profiles_locate-your-profile-folder
- Rename the following files by adding .old to the end. Note you may not always see full names in windows
- search-metadata.json settings
- search.json.mozlz4
- searchplugins A legacy folder with additional optional searches.
- Recover important data from an old profile_search-engines
Profiles - Where Firefox stores your bookmarks, passwords and other user data_what-information-is-stored-in-my-profile - http://windows.microsoft.com/en-us/windows/show-hide-file-name-extensions#show-hide-file-name-extensions=windows-7 (Lets hope Win 8 is similar)
I would be particularly interested to know if you have a search plugins folder, and what it contains*. However this is complicated slightly because you use a yahoo toolbar. Possibly that is faulty or itself vulnerable. I note that although it is hosted as a Mozilla addon it only has a status of preliminarily reviewed
*
I have not fully caught up with recent changes to how Firefox handles the searches now. For instance in Fx38 the folder searchplugins only needed to be temporary but would still modify settings and other files
Hi John99, Gave this a go from start to finish. Should I have removed the new profile files from Mozilla folder when restoring my old data? The only file I could find was the search.json.mozlz4 file. It worked ok with new profile, so suspect there is something in my profile or the Yahoo toolbar as you suggest. I wouldn't know what to look for either when searching through the files, so I'm at a loss now really. Hope that all makes sense? Regards, Gary
Hi Gary, Sounds like good news then.
If it is working then what you have done seems to have been a success.
The search.json.mozlz4 file is the main file for search information and settings and the one most likely to have been attacked. The other file and folder may well not exist on your Firefox.
We have the disadvantage of not having seen exactly what you did or knowing exactly what the malware is or what it changed. A general rule of thumb is that if Firefox profile files are renamed or delete, Firefox replaces them with default versions and values (as long as Firefox's main file are ok). That is good if it removes damage or mischief caused by malware. But is bad if you lose information or customisations. Your profile may contain passwords and bookmarks that are vital to you.
If in doubt about what to do ask first.
Morning John, I've tried to put the new profile search.json.mozlz4 file into my old data, but the Yahoo/snf search still overrides opening on my home page. Again, the new profile worked fine when opening Mozila. Any further ideas please? Could there be something else in my profile? Thanks, Gary
Morning Gary, Sorry you still have problems. I am not absolutely certain exactly what you did or are trying to do now. It's difficult sometimes trying to explain procedures or problems in forum answers.
- What is actually happening now ?
- Is it that your specifies Home Page or pages open, but you get an additional SNF page ?
- Or something else ? Please describe.
You may wish to try to confirm you still do not still have unnecessary toolbars or any unwanted Windows programs that may again be making changes to Firefox or shortcuts.
I will try to clarify my explanations. Please let me know what I am not making clear, and what is going wrong now.
If you have been working with the profile manger and actually created any new profiles please take care and do not delete or rename any profiles using the profile manger without asking first. It is very easy to make mistakes and lose data. On the other hand additional profile only take up a bit more disk room and make the profile manager look slightly untidy, with too many names but cause no harm. If you do remove a profile it is wise to play safe and back it up first. If you make a mistake you may lose passwords etc.
Firefox's Search engines I am not sure what you mean by
.... I've tried to put the new profile search.json.mozlz4 file into my old data, ...
If you are working with a single profile. That profile normally has a single file called search.json.mozl4
search.json.mozl4
- May be deleted (or renamed), preferably whilst Firefox is closed . Firefox will then regenerate a new file with the original name.
- Normally renaming it solves problems because on the next restart Firefox is reset to the default search engines. (Assuming other files are not corrupt - that was the reason for the clean reinstall, and why you needed to check for additional files )
- If you (or maybe adware) make certain changes to the search engines, or the search engines used, those changes are stored in that file.
- The file is not designed to be human readable. (The predecessor in earlier Firefox versions was not human readable but was easy to make readable ) The search.json.mozl4 is compressed in a none standard way.
- I guess that is partly to make it less easy for adware to change it.
snf & Homepage Modification of the shortcuts you use to start Firefox one way adware or hijackers send you to the wrong page.
Try starting Firefox from the Window run dialogue. That way you know what is used. Keyboard shortcut Winkey+R will open that. Try typing in
firefox.exe
Then press the Enter key to execute that. You may need to check and type the full path if it does not work.
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
Note you will need to include the (")inverted comas
(On32 bit Windows C:\Program Files\Mozilla Firefox\ )
Modifying the homepage is another trick malware uses.
- Is your Firefox using what you set ?
- If you make changes to what is set do they work ?
- As a test please try changing the homepage to a single homepage as
about:blank
- That should cause Firefox to open a single blank page as a homepage. Does that work ?
- See How to set the home page
- As a test please try changing the homepage to a single homepage as
Hi John, again thanks ever so much for sticking with this. Ok I tried the standard firefox.exe in the run screen and this worked cleanly. The goggle home page I have set up came up first time, with no additional yahoo/snf tab. I have since shut the browser down and then clicked on my taskbar Firefox icon and the problem has reappeared. Does this help with anything?
All fixed John. It was the icon on my taskbar. I completely removed it and replaced with the exe file within programfiles. This seems to have corrected it. Thanks for your patience and I hope the information helps withi future problems of this nature.
Isisombululo esiKhethiweyo
Great, thanks for posting back.
Its simply a variation on the problem you had initially identified. The hijacker modifies shortcuts. Instead of
.... \firefox.exe"
the adware will have added junk
.... \firefox.exe" <some snf webpage>
The icon would have used a shortcut that included added junk about snf at the end. When the icon is use Firefox then instead of just opening Firefox opens Firefox and then goes to the web page specified on the end of the shortcut.
Making a new shortcut icon, or right clicking and editing the properties of the existing one solves that issue. You my still come across other links or shortcuts that were changed for Firefox, and maybe also other browsers. Check your other icons and links work ok.