This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

My antivirus flagged a mozilla file as possible ransomware. Is this a legit file? c:\program files\mozilla firefox\firefox.exe

  • 15 replies
  • 3 have this problem
  • 1 view
  • Last reply by FredMcD

more options

It could be a false positive. I just want to make sure before I mark it as an exception. It says that a potentially unsafe application attempted to change or delete my files. Targeted folder was c:\users\user name. c:\program files\mozilla firefox\firefox.exe was blocked. Why would it be flagged if it is legit ?

It could be a false positive. I just want to make sure before I mark it as an exception. It says that a potentially unsafe application attempted to change or delete my files. Targeted folder was c:\users\user name. c:\program files\mozilla firefox\firefox.exe was blocked. Why would it be flagged if it is legit ?

All Replies (15)

more options

Make sure you download Mozilla programs only from Mozilla.org.

more options

What AV software do you have?

What file is this about?

From what you wrote it looks that the Firefox.exe program is trying to access a file in your user data area (C:\Users\...).

more options

cor-el said

What AV software do you have? What file is this about? From what you wrote it looks that the Firefox.exe program is trying to access a file in your user data area (C:\Users\...).

Bitdefender. Yes, it showed attempted access of user data. Everything is up to date. Mozilla should not do that -- should it ?

more options

It says desktop is targeted " file " and user is targeted folder. A few weeks ago there was another ransomware flag with " lock " as targeted file and My TOR browser was the targeted folder. In that case tor.exe was blocked.

more options

Just to be safe,

You may have ad/mal-ware. Further information can be found in this article; https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware?cache=no

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

more options

Does BitDefender show what specific file or file path this is about?

more options

cor-el said

Does BitDefender show what specific file or file path this is about?

via c:\users

I ran a system scan and nothing came up. Perhaps a false positive

more options

All files from Mozilla.org are free from anything third party.

more options

You would have to be more specific than c:\users. We would need the full file path including the file name to see what this message is about. Even you profile folder is in this path.

Firefox uses two locations for the Firefox profile folder. Location used for the main profile in "AppData\Roaming" that keeps your personal data.

  • C:\Users\<user>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\

Location used for the disk cache and other temporary files in "AppData\Local".

  • C:\Users\<user>\AppData\Local\Mozilla\Firefox\Profiles\<profile>\
more options

That is all the AV notification shows: Target: c:\users\user

Blocked:c:\program files\mozilla firefox\firefox.exe

Ransomware Protection

I think the roaming path has been flagged in the past.

more options

> I think the roaming path has been flagged in the past.

Probably something in your profile folder that's causing issues? The path for the profile BitDefender would've flagged can be found at C:\Users\USER\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default

more options

I keep getting... [PUP.Firefox][File] C:\Users\melen\AppData\Roaming\Mozilla\Firefox\Profiles\2O3gaW38.default\Invalidprefs.js -> as malicious and that it should be removed. Malwarebytes and Rogue Killer indicate as malicious so I removed it. What is this and is it malicious? I haven't encountered any issues after removal but I still want to know if I did the correct thing.

more options

It looks that Firefox copies prefs.js to Invalidprefs.js if there is a problem with the prefs.js file. I don't know what that problem is in your case and whether your security software could be responsible for this corruption in the first place.

See:

more options

cor-el said

It looks that Firefox copies prefs.js to Invalidprefs.js if there is a problem with the prefs.js file. I don't know what that problem is in your case and whether your security software could be responsible for this corruption in the first place. See:

I just remembered that a few weeks ago BitDefender flagged it as malicious. I did remove the prefs.ja file as I mentioned. As of now, Firefox seems to be performing without any issues and I haven't lost any of my bookmarks. Thank you for your valuable advice, I appreciate your time.

more options

These add-ons can be a great help by backing up and restoring Firefox

https://addons.mozilla.org/en-US/firefox/addon/febe/ FEBE (Firefox Environment Backup Extension)

FEBE allows you to quickly and easily backup your Firefox extensions, history, passwords, and more. In fact, it goes beyond just backing up -- It will actually rebuild your saved files individually into installable .xpi files. It will also make backups of files that you choose.

https://addons.mozilla.org/en-US/firefox/addon/opie/ OPIE

Import/Export extension preferences