How effective is NOSCRIPT with firefox 3?

NoScript failed me and left: what do I do now?

  • How paranoid should I be about my Windows XP Pro machine after hitting a dodgy site with Firefox 3.6, scanning with Microsoft Security Essentials, updating NoScript, scanning with MSE again, and finally using Windows to restore to yesterday's restore point, about 18 hours before hitting that site? Firefox is now missing NoScript completely, but it's been installed for weeks and surely should have been here yesterday morning. Has there been a known issue with NoScript, or am I just a special (and dim) snowflake?

    I usually have my copy of Firefox running for a day or 2 before I close and restart (one or more windows, many tabs). I update NoScript when prompted, but as I do keep FF running for days sometimes, I may not always update as promptly as I should.

    I followed a link on a Google search very early this morning and wound up at a site that claimed I was at risk for malware, and even popped up a JavaScript alert with a confusing OK/Cancel choice. I don't know how the alert managed to work in the first place as NoScript was running. I know I was changing some permissions for other sites earlier, but I am just about 100% certain I didn't disable the add-on or allow all sites globally because NoScript generally makes a big fuss about that. I wasn't sure what the alert would really do, and finally used the control panel to force a close of FF. (Dumb.)

    When I restarted, I got what looked like the usual prompt to update NoScript, which I accepted immediately. (Dumber.) This could have just been a scheduled update that I missed, but the timing seems odd. Firefox then appeared as a tiny window in the middle of the screen, and when I enlarged it, I had all my original tabs and that damn page was running again. I finally hit the Cancel button on the alert, then closed Firefox completely. The first MSE quick scan showed nothing.

    I tried going to istockphoto, but mistyped it as isockphoo dot com and wound up at a site that looked like the photo site but had a long, complex and completely untrustworthy-looking URL. I backed out immediately. Again, it could have just been a coincidence, but after that fake malware warning, I was totally paranoid. I ran MSE again as a quick scan (nothing), I backed up my data, and I restored to Thursday morning with Windows Restore. But when I started FF this morning, a trusted site was full of ads, and I saw that NoScript had been completely uninstalled.

    So:

    1) Should restoring to yesterday morning's restore point have completely wiped out any malware that may have gotten to my machine any time between Thursday morning and now?

    2) Has anyone else seen NoScript just disappear like that after a restore following an attack, or under any circumstances, really? (It may be possible it was removed after the attack and I just didn't notice right away. I can't positively say I saw NoScript in place before the restore.)

    3) In addition to running MSE as a full scan now, are there any other trusted malware scanners I should try?

    4) Or should I just nuke from orbit?

    5) Should I ever trust NoScript again?

    (Looking at my history, I can see the Google searches leading up to the attack, and the isockphoo visit shortly afterwards (URL starting with trellian.com), but I can't see a URL that seems to match the time I hit the bad site. I see the Google search at 4:22, then the NoScript site visit after the update at 4:28, but nothing in between. I guess that was an immediate attempt to cover its tracks.)

  • Answer:

    I've been using AVG (the free version) for a long time and have been very happy with it. On the rare occasions when I feel like I might have been compromised, I'll use http://www.malwarebytes.org/ (at the computer place I used to work for, we caught and cleaned up a lot of stuff with this), and http://www.safer-networking.org/index2.html. There's also http://free.antivirus.com/hijackthis/, BUT that doesn't tell you what's good or bad, it just tells you what's running and you need to either be able to recognize bad registry entries, etc., or know someone who can interpret the results for you. I have also been using NoScript for a long time and have never heard of anything that was able to uninstall it. I know you said you're just about 100% certain, but is it really completely uninstalled and not just disabled?

The True Wheel at Ask.Metafilter.Com

Other answers

Reporting back after a successful nuking. I really appreciate the detailed advice on using non-destructive tools to diagnose and fix malware (thus the best answers), but I went for a full formatting and clean install because: 1) I just reinstalled a couple of weeks ago after a hard drive failure, so the process was pretty fresh in my mind and didn't take very long at all. I had Windows running happily with all patches and drivers within a couple of hours, and adding applications took a little more time. I'm going to image my install now, too, so the next time I have to wipe and replace should be even faster and easier. (All my data is kept on separate drives and backed up redundantly). 2) This is both my work machine, with some important client info on it, and the personal machine I use for online banking and some purchasing. My "incredible" amounts of banking = "any amount" of banking. Tracking down malware and similar varmints looks like a lot of fun as a puzzle and an intellectual challenge, but I have to balance that against my need to use my computer immediately with a high level of confidence in its security. I'm going to add some malware tools as added protection at runtime (as NoScript and MSE alone let this little bastard slip by), but when it comes to recovering my machine, it's sea of glass time, fast and easy.

The True Wheel

For what it's worth as a tiny bit of reassurance... I'm not on Windows, but I had a NoScript update on two of my machines this morning. So maybe that bit was real, and something about the update just borked the existing install? You should be able to check when they pushed their updates for Windows somewhere. But I've no idea where exactly.

Ahab

I can see on NoScript's http://noscript.net/changelog that the last update was 2.0.7, but I don't see a date and time. It's completely uninstalled: I checked the Add-Ons panel right away and it wasn't listed there.

The True Wheel

Huh. Are you using a different FF profile than the one you were using before, an older one (or a brand new one) in which NoScript was never installed? Info on http://support.mozilla.com/en-US/kb/managing+profiles here.

Gator

Thanks for the links. I can confirm that I have only a single default profile. I've never heard of an update completely uninstalling NoScript, either, so even though I can't remember disabling, uninstalling or allowing global permissions in NoScript before I hit the site, that seems to be the only way that JavaScript could have run on the site and, possibly, killed NoScript. Or perhaps accepting a NoScript update while JS was running on the attack site was enough to kill it. I guess my main question is: how much can I trust my machine now? I will try to scan with the advised software, but as much of a pain as reinstalling is, the nuke from orbit plan is looking better. I don't think I can buy from Amazon or do online banking while I feel this insecure about my computer in its current state.

The True Wheel

You can boot to Linux and run ClamAV (clamscan). There's a LiveCD just for this: http://www.volatileminds.net/opendiagnostics/index.php/OpenDiagnostics_Live_CD

stovenator

Looking around, I did notice that last year, the guy who created NoScript http://hackademix.net/2009/06/24/net-clickonce-update-breaking-noscript-temporarily/ about an issue some people had with NoScript seemingly disappearing. Apparently the solution (at that time) was to uninstall the .NET Framework Assistant and fix the possibly corrupted FF extension files. Maybe that's all that happened here, the extension was corrupted? As far as nuking from orbit, I would consider that to be an extreme last resort to be used only after all other things have been exhausted, but I am not you and your threshold for broken trust may be lower.

Gator

Thanks for digging, Gator. I have a pile of .NET cruft installed, but just the 1.1 to 3.5 Frameworks and Service packs, no Assistant. His problem seemed to arise immediately after a Windows update, but maybe a similar weakness in NS made it vulnerable in the situation I described (installing an update while under attack). But I tried reinstalling NoScript and it came back fine, even remembering my previous settings, and I'll try some additional malware scans (MSE full scan came back absolutely clean). I still really don't like that a JS alert showed up at that site even with NS running, so I'm still not sure which way I'll jump after the next set of scans. Everything is running smoothly, no signs of browser hijacking, but still, I'm giving http://4.bp.blogspot.com/_D_Z-D2tzi14/TDFE5HnY9ZI/AAAAAAAADK8/bGcgfd9YqwE/s1600/Kellie20.png to my computer right now. Thanks!

The True Wheel

I get those pop up alerts all the time on a couple sites I use for work. I thought they were a No Script feature? Applies you to toggle between clicks and has a very confusing OK button?

fshgrl
