Virus attack when clicking open FireFox


EVERY TIME I open up Mozilla FireFox, my Norton Security Software pops up with a dialog box that says it has blocked "Web Attack: Fake Tech Support Website 62". This has been going on for about 3 days now. Is there anything you can do to your FireWall and Other Security Software from allowing this Virus from trying to attack Mozilla FireFox? Please advise.

All Replies (11)

more options

You may have ad/mal-ware. Further information can be found in this article; https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware?cache=no

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

more options

i have a new version of this attack.

i hate that it's so hard to find help topics that relate. how this, of all browsers, has no dedicated section to report these attacks is shocking to me.

i will do more scans but malwarebytes and their adwcleaner didn't catch this, (when i used it to scan immediately after norton blocked it)

today, august 9, 2018 as i opened firefox norton caught a malware 'tech support' attack, (not that i click on asks), here's the attack report;

Category: Intrusion Prevention

Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Destination Address,Source Address,Traffic Description
8/10/2018 3:54:57 PM,High,An intrusion attempt by reddleops.pro was blocked.,Blocked,No Action Required,Web Attack: Fake TechSupport Domains 3,No Action Required,No Action Required,"reddleops.pro (199.80.54.115, 443)","10.0.0.45, 63088",reddleops.pro (199.80.54.115),"TCP, https"

Network traffic from reddleops.pro matches the signature of a known attack. The attack was resulted from \DEVICE\HARDDISKVOLUME4\PROGRAM FILES\MOZILLA FIREFOX\FIREFOX.EXE.

more options

Hi star, here are some possible reasons to see this at startup:

  1. If you have a custom home page, an ad in that home page tried to steer Firefox to that site
  2. One of your add-ons tried to launch a page from that site
  3. An external program modified your Firefox shortcut with an unwanted address
  4. If you use the built-in Firefox home page, a "tile" in the page triggered a request to the unwanted site

For #1, this probably isn't going to happen every time, and Norton is protecting you when it does. No changes needed, other than possibly using an ad blocking add-on.

For #2, you can view, disable, and often remove unwanted or unknown extensions on the Add-ons page. Either:

  • Ctrl+Shift+a (Mac: Command+Shift+a)
  • "3-bar" menu button (or Tools menu) > Add-ons
  • type or paste about:addons in the address bar and press Enter/Return

In the left column of the Add-ons page, click Extensions.

Then cast a critical eye over the list on the right side. Any extensions Firefox installs for built-in features are hidden from this page, so everything listed here is your choice (and your responsibility) to manage. Anything suspicious or that you just do not remember installing or why? If in doubt, disable (or remove).

Any improvement?

For #3, the Firefox icon can be set up to launch one or more specific pages at startup (or more specifically, when you use the icon). To check whether that is set:

First, open the shortcut as follows:

  • Desktop shortcut: right-click the icon, choose Properties
  • Pinned taskbar icon: right-click the icon, right-click Mozilla Firefox, choose Properties

Windows normally will select the Shortcut tab. If not, go ahead and click the Shortcut tab.

You'll see the Target highlighted. On Windows, that usually is no more and no less than the following (depending on 32-bit/64-bit):

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe"
"C:\Program Files\Mozilla Firefox\firefox.exe"

If anything follows after that (for example, "http://example.com"), try clearing it out.

After OK'ing the Properties dialog, you can test right away to confirm that Firefox now launches only your desired home page. Either:

  • double-click desktop shortcut
  • right-click pinned taskbar icon, click Mozilla Firefox

Success?

For #4, it's a little complicated, and if this doesn't happen every time you open a new tab, it's probably not this.
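
The shortcut check described for #3 can be scripted. This is an added example, not part of the original reply or of any Mozilla tool: a read-only PowerShell script that lists Firefox shortcuts whose Target is not one of the two default paths quoted above or that carry anything after the executable. The list of folders searched and the wording of the findings are assumptions of the example.

```powershell
# Added example, not from the thread: report Firefox shortcuts whose Target
# differs from the two default paths quoted above or carries extra arguments.
# Read-only: nothing is modified.

# Default Targets as quoted in the reply.
$expected = @(
    'C:\Program Files (x86)\Mozilla Firefox\firefox.exe',
    'C:\Program Files\Mozilla Firefox\firefox.exe'
)

# Assumption: common shortcut locations (desktops, Start menus, pinned taskbar).
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

$report = foreach ($folder in $folders) {
    Get-ChildItem -LiteralPath $folder -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            # Only shortcuts that launch something named firefox.exe are of interest.
            if ([IO.Path]::GetFileName($lnk.TargetPath) -ne 'firefox.exe') { return }

            $findings = @()
            if ($expected -notcontains $lnk.TargetPath) {
                $findings += 'target is not a default install path'
            }
            if ($lnk.Arguments -match '(?i)\b(https?|ftp)://') {
                $findings += 'URL appended to Target'
            } elseif ($lnk.Arguments.Trim()) {
                $findings += 'extra arguments present'
            }
            if (-not $findings) { $findings = @('OK') }

            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Finding   = $findings -join '; '
            }
        }
}

$report | Format-List
```

A custom install location or a deliberately added argument is reported too, so a finding marks a shortcut to open in Properties and inspect, not proof of tampering.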

more options

hi, thanks jscher2000 for all this great info. i'll work on it. i really appreciate such fulsome, detailed help and your time and effort to give it. live long and prosper, star

i forgot to add that my regular firefox browser page, at that moment, also opened a second firefox tab;

https://addonbrowser.com/safe-web-with-virustotal?v=1.0.1&type=install

i do have and really like the safe web virus total add-on with the right click check url tool which i got from the mozilla site

Modified by star

more options

Should be going here for answers : https://community.norton.com/forums

more options

I just started having same issue today. I believe firefox just updated to version 62.0 also. Norton listed Attacker URL https://reddleops.pro/ciDJ9e6ZbX2.5NI/SRW/QX9fMjjMkRweO/TVI/1VMBSd0KyAOiTCAY5fMBz/Y/5/

Network traffic was detected that matches the signature of a known attack. The attack was resulted from C:\Program Files\Mozilla Firefox\firefox.exe.

Please help with this issue

Modified by Rtippitt

more options

Rtippitt How/when does this happen?

You may have ad/mal-ware. Further information can be found in this article; https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware?cache=no

Run most or all of the listed malware scanners. Each works differently. If one program misses something, another may pick it up.

more options

the above posts by FredMcD, Pkshadow and especially the really detailed one by jscher2000 were helpful. fortunately norton was doing its job. i have duck duck go search so they don't allow add on type things. i checked my addons in firefox>tools>add ons, they were fine. i have live norton thru comcast and i use it to manually clear files and then do a live update then i also run the free version of malwarebytes every day before i log off so the next time i log in i'm clear. i downloaded the free portable version of superantispyware, i used that and it snagged a couple of pums, i have windows so i went on their microsoft site and got a temporary cleaner. there's a malwarebytes adware cleaner, zemana and roguekiller too. i know that running too many virus and malware programs can cause problems so i get the free versions run them manually, not all the time live like norton, and either delete them after i check a problem or don't upgrade so i only manually use them. i don't trust windows defender for some reason, so i use the norton i'm paying for thru comcast, plus i like the live running plus manual features of the norton suite. i did a norton power eraser when i had this issue and i run it anytime i have an issue or once a month. i'm careful on the web but i will recommend safeweb with virus total to right click urls which i got thru firefox but just now when i went to firefox>tools>addons, clicked more from safeweb with virus total and then clicked on their mozilla listed homepage, it opened an add ons browser and norton reported an attack from this same 3 tech support thing; reddleops.pro (199.08.54.115)

the https://addonbrowser.com/safe-web-with-virustotal from mozilla has the secure green lock on the url box and says info pane says it's got a secure connection thru this certificate; sni88220.cloudflaressl.com

addonbrowser.com from comodo ca limited but then this pops open; https://o12zs3u2n.com/1577914.html?q Your connection is not secure

The owner of o12zs3u2n.com has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Learn more…

Report errors like this to help Mozilla identify and block malicious sites


o12zs3u2n.com uses an invalid security certificate. The certificate is only valid for the following names: low-xdns.xfinity.com, www.low-xdns.xfinity.com Error code: SSL_ERROR_BAD_CERT_DOMAIN

i cleared the cookies thru the url info dropdown, norton and mozilla both caught it but it's thru the mozilla sites addons browser, and safe web virus total listed homepage. it seems to me that mozilla techies should run this down and clear it up.

despite their own threat blocked alert, norton says; https://safeweb.norton.com/report/show?name=virustotal.com

virustotal.com virustotal.com Web Site Location United States of America icoSafe SAFE Site Owner? Click here Norton Rating Norton Safe Web has analyzed virustotal.com for safety and security problems. Summary Norton Safe Web found no issues with this site.

   Computer Threats: 0
   Identity Threats: 0
   Annoyance factors: 0

Total threats on this site: 0 The Norton rating is a result of Symantec's automated analysis system. Learn more. The opinions of our users are reflected separately in the community rating on the right.

View Community Reviews ( 39 ) Ecommerce Safety Information (what's this?) small-untrusted-dv Domain Validated SSL No information about the site has been validated. Your data is protected, but providing personal and financial information is not recommended.

then i find this wired article from 4 years ago which is an eternity in computer tech years. https://www.wired.com/2014/09/how-hackers-use-virustotal/

   Author: Kim Zetter
   security
   09.02.14
   06:30 am

A Google Site Meant to Protect You Is Helping Hackers Attack You

you can check it out if you want to but it's quite outdated.

what i wanted to do was contact safe web with virus total to tell them this stuff without clicking on the homepage link again but i can't see it with an online search yet or thru the first page of get add ons thru mozilla but , hey, there's a well reputed one called ghostery...more research, copy paste url, their page and privacy policy into an email to send to my personal gmail encyclopedia of articles i only use that address for, no spam, for future use.

ahhh the internet, shall i wade in, run screaming or ... go back to bed, 5 hours isn't enough sleep after being awakened by a call from some old guy who says he hit redial because my number was a spam call about his car insurance, so call my phone company, comcast, my number is spoofed and yada yada bleepity bleep freaking wahahooooeyyyy!!! time to submit this weirdness report, do a norton eraser and go back to bed. you helpers are AWESOME thanks. dear mozilla, please fix your addon page; about:addons so we can copy/paste and hunt down that evil web safe with virus total homepage gremlin you list there.

more options

star Your errors all look to be certificate problems.

The owner of o12zs3u2n.com has configured their website improperly

o12zs3u2n.com uses an invalid security certificate

  • uses an invalid security certificate SSL_ERROR_BAD_CERT_DOMAIN
  • configured their website improperly

How to troubleshoot the error code "SEC_ERROR_UNKNOWN_ISSUER" on secure websites https://support.mozilla.org/en-US/kb/troubleshoot-SEC_ERROR_UNKNOWN_ISSUER

more options

thanks fredmcd. i agree with your assessment. i went to that mozilla page which led me to this mozilla page; https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/


Mozilla Security Blog Mozilla Distrust of Symantec TLS Certificates Kathleen Wilson

Mar 12 2018

A Certification Authority (CA) is an organization that browser vendors (like Mozilla) trust to issue certificates to websites. Last year, Mozilla published and discussed a set of issues with one of the oldest and largest CAs run by Symantec. The discussion resulted in the adoption of a consensus proposal to gradually remove trust in all Symantec TLS/SSL certificates from Firefox. The proposal includes a number of phases designed to minimize the impact of the change to Firefox users:

   January 2018 (Firefox 58): Notices in the Browser Console warn about Symantec certificates issued before 2016-06-01, to encourage site owners to replace their TLS certificates.
   May 2018 (Firefox 60): Websites will show an untrusted connection error if they use a TLS certificate issued before 2016-06-01 that chains up to a Symantec root certificate.
   October 2018 (Firefox 63): Distrust of Symantec root certificates for website server TLS authentication.

After the consensus proposal was adopted, the Symantec CA was acquired by DigiCert; however, that fact has not changed Mozilla’s commitment to implement the proposal.

Firefox 60 is expected to enter Beta on March 13th carrying with it the removal of trust for Symantec certificates issued prior to June 1st, 2016, with the exception of certificates issued by a few subordinate CAs that are controlled by Apple and Google. This change affects all Symantec brands including GeoTrust, RapidSSL, Thawte, and VeriSign. The change is already in effect in Firefox Nightly.

Mozilla telemetry currently shows that a significant number of sites – roughly 1% of the top one million – are still using TLS certificates that are no longer trusted in Firefox 60. While the number of affected sites has been declining steadily, we do not expect every website to be updated prior to the Beta release of Firefox 60. We strongly encourage operators of affected sites to take immediate action to replace these certificates.

If you attempt to visit a site that is using a TLS certificate that is no longer trusted in Firefox 60, you will encounter the following error: 

  • (this area on the mozilla page shows a graphic of the error page)

Clicking on the “Advanced” button will allow you to bypass the error and reach the site:

  • (this area on the mozilla page shows a graphic of the error page)

These changes are expected to be included in the final version of Firefox 60 that is planned to be released on May 9th, 2018.

In Firefox 63, trust will be removed for all Symantec TLS certificates regardless of the date issued (with the exception of certificates issued by Apple and Google subordinate CAs as described above).

Wayne Thayer Kathleen Wilson

Categories: Security