A Windows XP help forum. PCbanter


Who is messing with my file



 
 
  #1  
Old June 1st 15, 07:45 AM posted to microsoft.public.windowsxp.general
micky[_2_]


This isn't really about Firefox -- at least I think it's more about the
OS** - or I would likely not post it here. You don't have to read too
carefully because when you get to the end, the problem is solved.

**Or some terrible flaw in the latest release of FF, but if that were
the case, I'd expect to see more complaints in the FF newsgroup.

Firefox lost all its profiles except the one I never use, called
default.

Here is how I discovered FF didn't work, and what I did to fix it.

From an earlier thread called Someone is screwing with me.
3) Then just now I noticed that something changed the setting in
Firefox, when opening the program, From: Bring up windows and tabs from
last time. TO Home Page. I don't know when this happened.


Well, I figured out this one. Firefox had a good system for Options but
they changed it to look like webpages, and they changed my option here.

4) And the file I dl'd successfully a couple hours ago, which crashes
during installation, I've tried to dl again, and the FF Downloads page
says it completed but it's not in the downloads folder, even though that
is still where FF says it puts it. So where did it go?


Same thing here. Though it still said Downloads,
it meant My Documents \ Downloads, not C:\Downloads. So they had
changed it -- shame on them -- to this location they don't even describe
well -- double shame.


Well, it's possible something else happened. I have FF open, and I
clicked on a start-up icon for it, and the Profile manager opens up, and
all there is is the default. I used to have 3, that is, 4 profiles, one of
which was named default. All my stuff was in the other profiles.

I looked in Documents and Settings and it looks like I remember it, to
the best of my memory. I had been looking at it yesterday and earlier
today, but I don't think I could have deleted anything accidentally.


Well, afaict now, all of the files really are there, and one, only one,
had been tampered with, profiles.ini .

The mozilla.support.firefox group doesn't seem as technical as the ngs
here have been, (though maybe I'm rushing to judgment). Anyhow googling
for help I found a url
http://kb.mozillazine.org/Recovering...ly_disappeared
that says it's about FF and Thunderbird, but was clearly written for
Thunderbird. I don't know how well it fits, but it does make reference
to profiles.ini. So that's where I started.

I actually have a backup partition so I Search in my backup drive for
profiles.ini and find 5 of them, one for Sea Monkey, one for CompoZer,
one for Firefox back when I had WinME, one named Firefox-8-19-12, and
one for Firefox: This last one is copied below. D: is my system drive.
Back when I understood how things worked, I moved some of my FF profile
stuff to my own D:\Data, but I seem to have misspelled the directory as
Profiiles. I wonder what effect that has had, but it couldn't be the
source of the recent problem because I did this years ago.

[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/fkz5hp8p.default
Default=1

[Profile1]
Name=TestSess
IsRelative=0
Path=D:\Data\Firefox\Profiiles
Default=1

[Profile2]
Name=TessSessomBeta
IsRelative=0
Path=D:\Data\Firefox\Profiiles

[Profile3]
Name=OneShot
IsRelative=1
Path=Profiles/8lx8697h.OneShot

Then I looked in my actual D: drive and only the first two sections
were there, nothing past the Profile0 section. I copied over the rest
from the backup to make the original match the backup, but I assumed
I'd have to find everything needed to support the other three
sections. Then I saved the D: profiles.ini, clicked on the
FF icon, and up popped a list of 4 profiles (instead of only one like
I've gotten for the last two days).

But like I say, I figured whatever supported them would be missing.

I clicked on Testsess, the one I use the most, and -- though I hate
the new format that seems to have begun coincidentally -- or is it a
coincidence??? -- I got the Restore Session page for Firefox from 2
nights ago! And I checked and the history and passwords are there
too.

I haven't checked the other two profiles but they probably work and
they're less important anyhow.

So, what damaged my profiles.ini ????? I never edited it, and I
never told the program that displays a list of them to delete a profile,
and certainly not 3 of them.

It strikes me that it was a bug in the install of version 38 of FF.
Any better ideas? But if that is the case, how come I haven't seen
loads of complaints?

Profiles.ini wasn't garbled or illegible. It was edited or truncated.
That doesn't seem like something a problem harddrive could do. Plus I
seem to find other urls about damaged profiles.ini.

How was an average user to have found this problem? If I didn't have a
backup, how would I know what lines to put back in?

  #2  
Old June 1st 15, 09:51 AM posted to microsoft.public.windowsxp.general
Paul

I don't think I can put all that evidence together well
enough to give a root cause. I'll just make a few
general comments.

Thunderbird is a "copy of Firefox plus a small number
of mail/newsgroup specific files". A guess is, the
appearance and panes you see in Thunderbird, are built
on Firefox browser. (In fact, the Thunderbird three-pane
normal view turns to a large yellow window announcing
an "XML parsing error", when the wheels fall off this
scheme.)

And when you use the Thunderbird build setup,
there is a setting when compiling Thunderbird, that
says whether you want a mail tool or a browser instead.
Thunderbird has more files than Firefox, because it
uses the files of Firefox, plus some of its own.

Your profiles.ini has two Default=1 items. I suspect
it should have only one. With no Profile Manager
involved, it's likely to snag the first instance
of Default=1 it finds. And I don't know what your
StartWithLastProfile does, since it would need
to store that information somewhere. And it's not
in the profiles.ini file itself. Maybe prefs.js,
a favorite exploit location?

The alternate profiles are only likely to matter, if
you launch the Profile Manager at startup (via command
line option). Otherwise, the Mozilla tool is most
likely to grab the Default=1 one.

*******

I think WinXP doesn't support ASLR (a good option on the
very latest OS, for randomizing executable layout at
launch time). WinXP has DEP, and there is a danger
Firefox and Thunderbird aren't protected by default.
A possible danger, is a redirection event, which seems
to (eventually) attack some code. Like, something gets
overwritten and any notion of protections Firefox might
have, are overcome. Someone here, is told by what I assume
is PM (Private Message) that TalkBack affects the DEP status
of the programs. (TalkBack is an addon for logging crashes
or something, with Mozilla.)

http://forums.mozillazine.org/viewto...?f=38&t=633325

Of course, it's a little late to be adding armor, if
something got through. The only infection I've had under
Windows, was acquired via Firefox, and it took the trial
version of Kaspersky a number of reboots, to get rid of it.
And it was a jolly great redirect attack, with a ton of
Firefox windows opening until the OS was exploited. How they
do these, is they hack a legitimate site, they only change
a line or two of code on the site, sending you to a site with
a metric ton of stuff to run. So the owners of the legit site
might not notice, unless they regularly scan their filesystem
for changes or something (TripWire). The URLs of the
infection sites, use almost totally random names ceis4.citvke.com
if you catch the traffic in a packet sniffer.

The tool Adwcleaner, checks the "prefs.js" file for added lines.
If Firefox has adware, sometimes a lot of extra stuff is
added to that file (the file ends up 30x bigger than an uninfected
prefs.js). So you can look in there for unusual content.

On Seamonkey, there is a single file which contains a cache
of startup items. I've had some sort of attack done on
Seamonkey, where "startupCache.4.little" becomes bigger than
normal. Right now, mine is 1,894,547 bytes. The nice thing
about that file, is it can be deleted and it will regenerate
itself on the next startup. The size is likely proportional
to the number of addons you have in Seamonkey. So in addition
to "prefs.js", that "startupCache.4.little" file can be
attacked as well.

You could try a scan with this tool. You don't have to
click the "clean" option if you don't want to. The scan
may give you some idea whether adware is present. I find
it strange that your machine hasn't been "tipped over",
with more obvious malware symptoms. Rather than just
"playing around" with a few files. Which would not
be a normal side effect of attempted exploitation.

http://www.bleepingcomputer.com/download/adwcleaner/

Obviously, you can scan with the "usual tools" if you want.
I use the Kaspersky offline scanner CD after something
like this, to see if it sees anything. I keep a USB key
with this on it. (I've burned several CDs with older
versions, but that's just a waste of CDs. The USB key
makes more sense, even if it's writable.)

http://support.kaspersky.com/8092

I've had stuff that sits in the browser cache, and continues
to mess around. Simply cleaning the cache is enough to stop
that, although sometimes I do such cleaning manually to make
sure everything in the cache is gone. Rather than most
everything. I've had a file sitting in the cache, that
was running some sort of timer 12 hours after the file
was first downloaded.

There's no question, that a significant number of issues
on computers can be explained via malware. It's unusual
though, for so few (insignificant) things to be affected.
If I wanted to get your attention, I might set the "hide" bit
on all your data files. I might go "Cryptolocker" and encrypt
all your data files (so your Dropbox uploads the encrypted
files and overwrites your backup copies too). Effective
Malware is like Ebola - it doesn't fool around. I don't
really know how to explain trivial or minor damage. Who
would waste their time doing that? A mental case?

Paul
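
Added example, not part of either post: a small Python check over the profiles.ini discussed in this thread. It flags more than one Default=1 (the condition Paul suspects is wrong) and profiles that share one Path (visible in the quoted file), and lists which profiles a backup copy has that the truncated live file lacks. The function names are hypothetical, and the checks are assumptions drawn from the thread, not rules taken from Firefox's own code.

```python
import configparser

# Constructed sample: the backup profiles.ini quoted in the thread.
BACKUP_INI = r"""[General]
StartWithLastProfile=1
[Profile0]
Name=default
IsRelative=1
Path=Profiles/fkz5hp8p.default
Default=1
[Profile1]
Name=TestSess
IsRelative=0
Path=D:\Data\Firefox\Profiiles
Default=1
[Profile2]
Name=TessSessomBeta
IsRelative=0
Path=D:\Data\Firefox\Profiiles
[Profile3]
Name=OneShot
IsRelative=1
Path=Profiles/8lx8697h.OneShot
"""
LIVE_INI = BACKUP_INI.split("[Profile1]")[0]  # constructed: truncated live file

def load(text):
    """Return the [ProfileN] sections in file order (option names lowercased)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [dict(cp[s]) for s in cp.sections() if s.startswith("Profile")]

def audit(text):
    """Flag more than one Default=1 and profiles sharing one Path."""
    profiles, findings, by_path = load(text), [], {}
    defaults = [p["name"] for p in profiles if p.get("default") == "1"]
    if len(defaults) > 1:
        findings.append("multiple Default=1: " + ", ".join(defaults))
    for p in profiles:
        by_path.setdefault(p["path"].lower(), []).append(p["name"])
    findings += ["shared Path: " + ", ".join(n) for n in by_path.values() if len(n) > 1]
    return findings

def missing_from_live(live_text, backup_text):
    """Names of profiles the backup lists but the live file no longer does."""
    live = {p["name"] for p in load(live_text)}
    return [p["name"] for p in load(backup_text) if p["name"] not in live]

if __name__ == "__main__":
    print(audit(BACKUP_INI), missing_from_live(LIVE_INI, BACKUP_INI))
```

Run against real files by reading each profiles.ini into a string first; the comparison only reports differences and writes nothing back.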
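
Added example, not part of the thread and not AdwCleaner's own method: one way to do the "look in prefs.js for added lines" check Paul describes, by comparing the current file with a known-good copy and reporting added, removed and changed prefs plus the size growth. Both sample files are constructed; the toolbar pref name and the .invalid URL are made-up placeholders, and the function names are hypothetical.

```python
import re

# Matches one prefs.js line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')

# Constructed samples (not taken from the thread). browser.startup.page 3 means
# "restore previous session" and 1 means "home page".
BASELINE = r'''user_pref("browser.startup.page", 3);
user_pref("browser.download.dir", "C:\\Downloads");
'''
CURRENT = r'''user_pref("browser.startup.page", 1);
user_pref("browser.download.dir", "C:\\Downloads");
user_pref("browser.startup.homepage", "http://search.example.invalid/");
user_pref("extensions.example_toolbar.enabled", true);
'''

def parse_prefs(text):
    """Map pref name -> raw value text; comments and other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def diff_prefs(baseline, current):
    """Compare a known-good prefs.js with the current one."""
    old, new = parse_prefs(baseline), parse_prefs(current)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": {k: (old[k], new[k]) for k in sorted(old)
                    if k in new and old[k] != new[k]},
        # Size ratio; Paul mentions infected files growing many times over.
        "growth": round(len(current) / max(len(baseline), 1), 2),
    }

if __name__ == "__main__":
    for key, value in diff_prefs(BASELINE, CURRENT).items():
        print(key, value)
```

A changed or added pref is only a lead: Firefox itself rewrites prefs.js on updates and option changes, so each reported name still has to be judged by hand.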
 



