Firefox Hijacked


BombayDuck
21st Jul 2011, 15:45
My parents back in Bombay have a unique problem. They were hit by a trojan that, amongst other things, replaced the default Firefox start page with an ad for a "Pharma" site. The trojan has been removed by an AVG bootable disk, but NOTHING gets rid of the Firefox issue. Not the usual Tools > Options sequence, not an about:config solution (whatever they try keeps getting replaced with the Pharma URL).

I even tried to get them to uninstall FF, but there seems to be no uninstaller. Eventually, they've installed Chrome, and I'm advising them to delete the FF directory and User Data and do a manual fresh install. There's only so much I can do on the phone from 5,000 miles.

But how does this happen, and how can it be prevented? They run a limited user account and I believe their antivirus was up to date. Also, I'd installed Adblock for them last time around, though not NoScript.

If I was hit by such an infection, what would be a good way to solve it?

gas path
21st Jul 2011, 16:25
Try Malwarebytes (Malwarebytes Anti-Malware is a free download that removes viruses and malware from your computer: http://www.malwarebytes.org/products/malwarebytes_free). Update it, then run it and see if that clears it.

green granite
21st Jul 2011, 17:47
Try deleting the User.js file which is located in your 'Profile' folder. You can search for user.js to locate. Make sure that show hidden files/folders is enabled as the Profile folder is hidden in Win2K and XP unless you set show all files/folders.
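As an added example (not from any poster in this thread), a Python script that reads the user.js and prefs.js files in a Firefox profile and lists the start-page preferences they set. Firefox re-applies user.js on every launch, which is why an about:config change keeps reverting; the profile path, the preference list and the sample file contents below are assumptions constructed for the example.

```python
import re
from pathlib import Path

# Preferences that control what Firefox loads at startup (assumed list; a hijacker
# that keeps re-applying a "pharma" page typically pins one of these in user.js).
STARTUP_PREFS = (
    "browser.startup.homepage",
    "browser.startup.page",
    "keyword.URL",
)

# One user_pref("name", value); line, as written in user.js / prefs.js.
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$', re.M)


def parse_user_prefs(text):
    """Return {pref_name: value} for every user_pref() line in a prefs file."""
    prefs = {}
    for name, raw in _PREF_RE.findall(text):
        # Strip surrounding quotes from string values; keep numbers/booleans as written.
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]
        prefs[name] = raw
    return prefs


def find_startup_overrides(text):
    """Return only the start-page preferences, to compare against what the user expects."""
    return {k: v for k, v in parse_user_prefs(text).items() if k in STARTUP_PREFS}


def audit_profile(profile_dir):
    """Check user.js first (it overrides about:config on each start), then prefs.js."""
    report = {}
    for fname in ("user.js", "prefs.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            report[fname] = find_startup_overrides(text)
    return report


# Constructed sample of a user.js left behind by a hijacker (placeholder URL, not a real indicator).
SAMPLE_USER_JS = """// Mozilla User Preferences
user_pref("browser.startup.homepage", "http://pharma.example/landing");
user_pref("browser.startup.page", 1);
user_pref("extensions.lastAppVersion", "5.0");
"""

if __name__ == "__main__":
    print("sample user.js:", find_startup_overrides(SAMPLE_USER_JS))
    print("live profile:", audit_profile(Path.home() / "firefox-profile-placeholder"))
```

A non-empty user.js result is the file to delete (or edit) as suggested above; an unexpected URL in prefs.js alone is cleared by changing the home page normally once user.js is gone.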

BombayDuck
21st Jul 2011, 18:21
green granite, I've asked my brother-in-law to do that. Anyway, they've shifted to Chrome for now. I'm still troubled and annoyed; this is not something I expect with Firefox. I was hit with a Trojan on a drive-by last month, in spite of running a fairly tight ship.

Tarq57
22nd Jul 2011, 04:07
If you don't have NoScript installed on Firefox, you're wide open to any drive-by downloads that are not detected by the AV.

Most browsers default to allowing a certain level of script permission. From what I've seen, that default level is not very secure.

Another useful add-on that might have prevented this is a "super-cookie" (flash cookie) cleaner; it's another add-on for Fx, called BetterPrivacy.

I don't know whether that would have prevented it, as I don't know the vehicle for the browser hijack.

Definitely recommend running MBAM, also.