Closed Bug 657795 Opened 13 years ago Closed 11 years ago

Firefox will not save the "no proxy" option after a restart of the program or a reboot. caused by registry corrupted by malware/virus

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Version:
4.0 Branch
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: kwallace, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 6.0; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build Identifier: Mozilla/5.0 (Windows NT 6.0; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

Firefox will not save the "no proxy" option after a restart of the program. or a reboot of the computer. A router reset does not work either. I did not have this problem under the prior version. 

Reproducible: Always

Steps to Reproduce:
1.Tools, Options, Set "no proxy", restart loses option
2.
3.


Expected Results:  
proxy option remain stable
Does the issue still occur if you start Firefox in Safe Mode?
https://support.mozilla.com/en-US/kb/Safe+Mode
Version: unspecified → 4.0 Branch
The reporter writes in a private email: "Problem occurs in safe mode".
The reporter writes in two private emails:

"The prefs.js file is changed from:
 
user_pref("network.proxy.type", 0);
 
to:
 
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 52505);
user_pref("network.proxy.type", 1);
 
UPON STARTUP OF THE PROGRAM, NOT AFTER CLOSING"

-----

"Safe mode did not work.
Deletion of pref.js files did not work.
After changing option to "no proxy" and shutdown of the program, the CORRECT proxy shows in the prefs.js file, however, upon restart of the program, the file suddenly changes, as though the program changes the file itself: (See previous email below):"
Do you have a user.js in your profile folder?
The reporter writes in a private email:

"Yes there is a user.js file in the same file folder as the pref.js file.
 
Contents of the user.js file are as follows:
 
user_pref("yahoo.homepage.dontask", true);"
Identical observation.
Additional comments:
.  Confirm that proxy changes between clicking on firefox.exe and firefox start page shows to enable proxy 127.0.0.1 url with port of 54889.
.  On starting firefox, opning window states firefox is looking for a proxy target that is not accepting calls.
.  Tools|options|advanced allows resetting directed option to no option and returning to opening window and clicking retry opens firefox.  Firefox continues to be operational until closing firefox.  Reopening immediately repeats the above and requires resetting proxy assignment again.
.  Regedit never shows any proxy enable data = 1, always 0.
.  Early debugging found parameter one instance of proxyserver = 127.0.0.1 and port 54889.  This registry enter removed and has not returned
.  I have another computer side-by-side also with the same firefox installed.  It does not have this problem
.  Next, I restored my system to long before this problem arose
      uninstalled firefox and downloaded a new firefox installation and installed into a new directory.  
.  Problem returned.  No change.
.  Searched registry for 54889 (the port number) and 127.0.0.1 and found several 127.0.0.1 instances but in no obvious way associated with firefox.  That url is the standard loopback address and shouldn't affect this program.  The only instance of 54889 was in the above mentioned proxyserver assignment and was removed.
.  This problem started almost, if not exactly when I stepped into a virus affecting the standard windows app csrss by dropping an altered copy of csrss into the temporary internet files which was corrupted.  I removed that copy (leaving the windows standard install in the system-32 location -- assumed original since date was long ago) and removed all references to the corrupted version I could find.
.  I appear to circling all around the problem, but haven't figured it out yet.  Firefox between starting firefox.exe and the opening window, that proxy assignment is changed.  It's not in the firefox program itself and the fact it changes the proxy assignment during startup of firefox suggests that firefox is going outside of it's own programming to pick some parameter in some location other than the registry that results in changing the proxy assignment.  This "guess" is also supported by the fact that resetting the proxy assignment sticks as long as firefox is enabled, and is only changed on a new call to firefox execution.

Puzzled, but hope this info helps someone who can come up with a fix.
BillR
Oops... Forgot.
Running XP on both machines, all up to date.
BillR
Date now August 11.  Problem still exists.  Firefox new 6.0 beta downloaded and installed in new directory after all previous versions removed with standard uninstallers.  

Running MS IE now, but have been spoiled by Firefox.  IE interminably slow.

PLEASE FIX!

BillR
I have also had this problem and I suspect it is malware. I found that it installed an additional prefs.js in the subdirectory of a firefox plugin (in my case live http headers). I have not yet found the source of the problem, but I suspect it is not the plugin itself. Search for prefs.js and you will likely find a file that contains lines like this:

user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 52505);
user_pref("network.proxy.type", 1);

If you disable the plugin, the settings will not be activated. I hope I can soon find out what created/modified this plugin's settings.
I am sure it came from malware.  It happened shortly after I inadvertently downloaded something (I don't remember what) I after the fact knew I shouldn't have.  I also found that code snipped and disabled it, but it returned again on restarting Firefox.  Also, I searched the registry for anything about any of the constants or "proxy," etc. There were several entries that I deleted and/or changed, but on restarting Firefox were reset back to the bad settings.

I don't have a debugger to trace Firefox startup step-by-step to find out where the code was hacked to alter this proxy instruction.  I wish I did.  I used to have such tools in the old days, but that was a long time ago.

BillR
I am trying to hunt this trojan down, and it seems to install itself through java 7 (in my case), which is launched from the plugin-container and then launches a malicius process which gets the ball rolling. I get it by visiting a legitimate website that I administer, so I'm suspecting some kind of XSS attack or so, and it might be a abusing vulnerability in Java, but that's just guessing.
OK, I'm very sure this is a symptom of Having Win32/Cycbot on your system. I was able to isolate the executable and Avast identified it as Win32/Cycbot. Then I found this article that describes how it operates: http://blog.eset.com/2011/07/14/cycbot-ready-to-ride 
It matches my experience exactly.
Did you encounter the issue on latest Firefox version? Thank you
Flags: needinfo?(gwbill)
@petruta.rasa: in my case it was a "JavaScript drive-by download" attack, and it the malware it installed made use of firefox, but since this was two years ago it probably has no relevance to current firefox versions.
resolving per above.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
I am the originator of this issue and quite a few changes here.  The infected computer went into the local shop for some minor work, and when I got it back, the proxy problem was gone.  I asked the tech what he had done...  He replied that it was not a new problem for him and it involved a location that Firefox went to in the registry routinely to pick up proxy data -- and that location was corrupted by some malware.  Resetting that one location removed the problem.  I'm not into Firefox coding that much, so I can't offer much more that that.  

This happened quite a few months ago,and all of that programming is either gone or has been updated several times.  For me, the issue is closed.  I have nothing more to offer.

Thanks to all who worked on it over these months...  Much appreciated...

Bill Riedeman
Flags: needinfo?(gwbill)
Summary: Firefox will not save the "no proxy" option after a restart of the program. or a reboot of the computer. A router reset does not work either. I did not have this problem under the prior version. → Firefox will not save the "no proxy" option after a restart of the program or a reboot. caused by registry corrupted by malware/virus
You need to log in before you can comment on or make changes to this bug.