mozilla.cfg infected with Adware.PL.Besttoolbars.vl


Gridinsoft Anti-Malware v.4.2.66
Report file date: 3/4/2023 14:35:47
Last update: 3/4/2023 14:35:47

Quick Scan started
Scanning process...


c:\program files\mozilla firefox\mozilla.cfg ---- General PartOfThreat

Adware.PL.Besttoolbars.vl MD5: 18F38A5E209C9812EB124D0BB62E76C1:800


I have tried all means to remove this but still get the warning after each reboot with this infected file. Ran Spybot Search and Destroy, Gridinsoft Anti-Malware, MRT (twice, 23 hours each time), MSERT (twice)..., RogueKiller, and a few others.



All Replies (5)


Are you able to view the contents of the mozilla.cfg file? For example, right-click > Open With, then choose Notepad or Wordpad (or another plain text editor).

It would be part of a two file startup script that modifies Firefox in some way. The other part would be here:

C:\Program Files\Mozilla Firefox\defaults\pref

In that folder, you should only find one file, named

channel-prefs.js

Any other file there is a customization you can remove. If your computer is managed by an IT department, though, check with them first.

Two Additional Notes:

(1) By default, Windows hides the .js file extension. You can set Windows to show all file extensions so it is clearer what kinds of files you are dealing with. This site has steps: https://www.bleepingcomputer.com/tutorials/how-to-show-file-extensions-in-windows/

(2) Do not double-click a .js file -- that causes Windows to execute it as a system script. To view its contents, right-click the file and choose Edit.


text says:

lockPref("extensions.blocklist.enabled", true);
lockPref("browser.safebrowsing.phishing.enabled", true);
lockPref("browser.safebrowsing.malware.enabled", true);
lockPref("browser.safebrowsing.blockedURIs.enabled", true);
lockPref("browser.safebrowsing.downloads.enabled", true);
lockPref("browser.safebrowsing.downloads.remote.enabled", true);
lockPref("browser.safebrowsing.downloads.remote.block_dangerous", true);
lockPref("browser.safebrowsing.downloads.remote.block_dangerous_host", true);
lockPref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", true);
lockPref("browser.safebrowsing.downloads.remote.block_uncommon", true);
lockPref("browser.pagethumbnails.capturing_disabled", false);
lockPref("webgl.disabled", false);
lockPref("webgl.enable-webgl2", true);


And C:\Program Files\Mozilla Firefox\defaults\pref has two files; here is a screenshot of the second one. Beacon is part of Spybot.

Could the c:\program files\mozilla firefox\mozilla.cfg be a false positive?


If you right-click > Edit antibeacon.js, does it point Firefox to mozilla.cfg?

Either way, the contents of mozilla.cfg do not look dangerous so I don't know what the alert was about, unless it also cleaned the file.


pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);


Chosen Solution

Okay, it seems that the files are related, but I don't know why they were created. Maybe Spybot has some documentation on it.
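
The two-file setup pieced together in this thread (a loader in defaults\pref that names mozilla.cfg, which then locks preferences) can be inspected with a short script. This is an added example, not part of any reply and not Mozilla or Spybot code; `audit_install`, `build_sample`, the report keys and the "protection pref locked to false" heuristic are assumptions, and the sample files are constructed from the contents quoted above.

```python
import re
from pathlib import Path

PREF_RE = re.compile(r'\b(pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*("[^"]*"|[^,)]+?)\s*\)')

def to_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')

def parse_prefs(text):
    """Return [(function, pref_name, value)] for each pref()/lockPref() call found."""
    return [(f, n, to_value(r)) for f, n, r in PREF_RE.findall(text)]

def audit_install(install_dir):
    """Find the loader in defaults/pref, then list what the .cfg it names locks."""
    root = Path(install_dir)
    rep = {"extra_pref_files": [], "config_file": None, "shift": 13, "locked": {}, "protection_off": []}
    for js in sorted((root / "defaults" / "pref").glob("*.js")):
        if js.name == "channel-prefs.js":  # per the thread, the only file expected here
            continue
        rep["extra_pref_files"].append(js.name)
        for _, name, value in parse_prefs(js.read_text(errors="replace")):
            if name == "general.config.filename":
                rep["config_file"] = str(value)
            elif name == "general.config.obscure_value" and isinstance(value, int):
                rep["shift"] = value
    cfg = root / (rep["config_file"] or "")
    if rep["config_file"] and cfg.is_file():
        raw = bytes((b - rep["shift"]) % 256 for b in cfg.read_bytes())  # undo byte shift (13 if unset, 0 = plain)
        for func, name, value in parse_prefs(raw.decode("utf-8", "replace")):
            if func == "lockPref":
                rep["locked"][name] = value
                if value is False and name.startswith(("browser.safebrowsing.", "extensions.blocklist.")):
                    rep["protection_off"].append(name)  # heuristic (assumption): review these
    return rep

SAMPLE = {  # constructed: the two files quoted in the thread (mozilla.cfg abridged)
    "defaults/pref/channel-prefs.js": 'pref("app.update.channel", "release");\n',
    "defaults/pref/antibeacon.js": 'pref("general.config.filename", "mozilla.cfg");\n'
                                   'pref("general.config.obscure_value", 0);\n',
    "mozilla.cfg": 'lockPref("browser.safebrowsing.malware.enabled", true);\n'
                   'lockPref("webgl.disabled", false);\n',
}

def build_sample(root):
    for rel, text in SAMPLE.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(text)
```

On a real machine, pass the install folder, e.g. `audit_install(r"C:\Program Files\Mozilla Firefox")`. An empty `protection_off` list alongside safebrowsing prefs locked to `true` matches the file contents posted in this thread.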