Fireball is a sophisticated browser hijacker and adware operation that, at its peak, infected over 250 million computers worldwide—making it one of the largest malware campaigns ever documented. Developed by Rafotech, a digital marketing firm based in Beijing, Fireball masquerades as legitimate software bundled with free downloads, then aggressively manipulates browser settings to generate fraudulent advertising revenue. While not classified as ransomware or a direct data-theft trojan, Fireball's ability to execute arbitrary code and track browsing activity poses serious security and privacy risks to infected systems.
The malware functions primarily as a browser manipulator, forcibly changing your default search engine, homepage, and new tab page to redirect traffic through fake search portals that generate pay-per-click revenue for its operators. More concerning, Fireball includes backdoor capabilities that allow attackers to download and execute additional payloads, potentially transforming an adware nuisance into a more dangerous infection. Its widespread distribution through software bundling and deceptive installation practices has affected users across Windows platforms globally.
Threat Profile
| Attribute | Details |
|---|---|
| Family | Browser hijacker / Adware with backdoor capabilities |
| Aliases | Rafotech Fireball, DealPly (related), Mustang Browser |
| Platform | Windows (all versions); primarily targets Chrome, Firefox, Internet Explorer/Edge |
| Discovered | Publicly disclosed June 2017 by Check Point Research |
| Distribution | Software bundling, fake installers, drive-by downloads, deceptive advertisements |
| Persistence Mechanism | Browser extensions, Windows scheduled tasks, registry Run keys, DLL injection |
| Primary Capabilities | Browser hijacking, traffic redirection, arbitrary code execution, data collection, ad injection |
| Network Behavior | Connects to Rafotech command servers; redirects searches through intermediary domains (trotux.com, search.snap.do variants) |
| Data at Risk | Browsing history, search queries, system information, potentially credentials if additional payloads deployed |
| Typical Indicators | Unwanted browser extensions, changed homepage/search engine, redirects to unfamiliar search portals, performance degradation |
| Removal Difficulty | Moderate—uses multiple persistence methods and reinstalls components if not thoroughly cleaned |
| Prevalence | Widespread (estimated 250M+ infections at campaign peak in 2017; still active in reduced form) |
How It Spreads
Fireball's distribution strategy relies heavily on deceptive software bundling—a technique where the malware is packaged with legitimate-looking free software that users intentionally download. When you install what appears to be a harmless utility, media player, or system optimizer from a third-party download site, Fireball's installer components are included in the setup wizard, often pre-checked in "recommended installation" options that most users click through without reading carefully. This bundling approach allowed Rafotech to achieve massive infection rates, as the company partnered with numerous freeware distributors and affiliate networks to spread their software.
The malware also spreads through fake software updates and malicious advertisements on compromised or low-quality websites. Users searching for popular software like Adobe Flash updates, codec packs, or video converters may encounter convincing but fraudulent download buttons that deliver Fireball instead of the intended application. In some cases, the actual software is delivered alongside the malware, making detection more difficult as users believe they received what they were looking for.
Common infection vectors include:
- Bundled freeware installers from download portals like Softonic, CNET Download.com (in past years), and lesser-known aggregator sites
- Fake Flash Player or codec updates presented on streaming or file-sharing sites
- Deceptive "Download" buttons on file-sharing and torrent websites that lead to installer wrappers
- Malicious browser extensions promoted through pop-up advertisements or bundled with other extensions
- Email attachments or links in phishing campaigns claiming to offer useful utilities or security updates
- Compromised legitimate software repackaged by third parties to include Fireball components
- Pay-per-install (PPI) affiliate networks where Rafotech paid distributors to bundle their software with other applications
What It Does On Your Machine
Once installed, Fireball immediately begins modifying your browser configurations to redirect web traffic through its monetization infrastructure. The malware changes your default search engine to fake search portals that appear to provide legitimate results but actually route queries through multiple advertising networks before delivering search results—often from Google or Bing, disguising the manipulation. Every search you perform generates revenue for the operators through advertising clicks and affiliate commissions. Your homepage and new tab page are similarly hijacked to display branded pages filled with sponsored links and advertisements.
Beyond simple browser hijacking, Fireball installs persistent components that resist removal attempts. It creates browser extensions (often with innocuous names or masquerading as legitimate tools), modifies browser shortcut targets to include command-line parameters that force specific startup pages, and injects DLL files into browser processes to maintain control even if you manually change settings back. These modifications work across Chrome, Firefox, and Internet Explorer/Edge, with the malware detecting which browsers are installed and targeting all of them simultaneously.
The more concerning aspect of Fireball is its backdoor functionality. The malware includes code execution capabilities that allow its operators to download and run additional software on your machine without your knowledge or consent. While primarily used to update the hijacker components themselves and install additional adware, this same infrastructure could theoretically deliver more dangerous payloads like data-stealing trojans, ransomware, or cryptocurrency miners. Fireball also collects extensive telemetry about your system and browsing habits, transmitting this data to Rafotech's servers for advertising targeting and potentially selling to third parties.
Performance degradation is another hallmark of Fireball infection. The constant traffic redirection, ad injection, and background communication with command servers consume system resources and bandwidth. Browsers may become noticeably slower to start, pages take longer to load, and unexpected pop-ups or in-page advertisements appear on sites that normally don't display them. The malware's persistence mechanisms also add startup delay as multiple components launch with Windows.
Manual Removal — Step by Step
Disconnect from the Internet
Unplug your Ethernet cable or disable Wi-Fi to prevent Fireball from communicating with its command servers, downloading updates, or receiving instructions to reinstall removed components. This isolation is critical for successful removal.
Boot into Safe Mode with Networking
Restart your computer and press F8 (Windows 7) or hold Shift while clicking Restart (Windows 8/10/11) to access the boot options menu. Select "Safe Mode with Networking" to load Windows with minimal drivers and prevent Fireball's startup components from launching automatically.
Uninstall Suspicious Programs
Open Control Panel > Programs and Features (or Settings > Apps on Windows 10/11) and carefully review the installed programs list. Remove anything from Rafotech, DealPly, Mustang Browser, or any unfamiliar applications installed around the time your browser issues began. Pay attention to programs with generic names or unusual publishers.
Remove Browser Extensions
Open each installed browser and access its extensions/add-ons manager (chrome://extensions/ for Chrome, about:addons for Firefox, edge://extensions/ for Edge). Remove all unfamiliar extensions, especially those you didn't intentionally install. Fireball extensions often have names that sound legitimate like "Search Enhancer" or "Download Manager Pro" but have low ratings or no reviews.
Delete Scheduled Tasks
Open Task Scheduler (search for it in the Start menu), expand Task Scheduler Library, and look for tasks with names containing "Fireball," "Rafotech," "DealPly," or random alphanumeric strings. Right-click and delete any suspicious tasks, especially those that run at logon or regular intervals and point to executables in AppData or ProgramData folders.
Clean Registry Startup Entries
Press Win+R, type "regedit" and hit Enter to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete any entries pointing to Fireball-related executables or referencing Rafotech/DealPly. Also check HKCU\Software\Policies and HKLM\Software\Policies for browser-hijacking policies.
Delete Malware Folders
Use File Explorer to navigate to %LOCALAPPDATA%, %APPDATA%, and %PROGRAMFILES% (paste these paths directly into the address bar). Delete folders named Fireball, Rafotech, DealPly, or Mustang Browser. You may need to show hidden files (View tab > Hidden items checkbox) and take ownership of folders if Windows denies access.
Reset Browser Settings
In each browser, access the settings menu and perform a full reset. Chrome: Settings > Reset settings > Restore settings to original defaults. Firefox: Help > More troubleshooting information > Refresh Firefox. Edge: Settings > Reset settings > Restore settings to their default values. This removes hijacked settings but preserves bookmarks and passwords.
Scan with Reputable Anti-Malware Tools
Reconnect to the internet and download Malwarebytes (free version works) or another reputable scanner like HitmanPro or AdwCleaner. Run a full system scan to catch any components manual removal missed. These tools maintain signatures for Fireball variants and can detect remnants in system memory or obscure locations.
Verify and Reboot
Before restarting normally, check that your browser homepages and search engines are set correctly and that no suspicious startup items remain in Task Manager (Ctrl+Shift+Esc > Startup tab). Restart your computer normally and test your browsers to confirm the hijacking is gone. If redirects persist, additional components may require professional removal.
Prevention
- Download software only from official sources. Avoid third-party download sites like Softonic, Download.com aggregators, or file-sharing platforms. Always get software directly from the developer's website or the Microsoft Store.
- Choose Custom/Advanced installation options. Never click through installers using Express or Recommended settings. Custom installation reveals bundled software offers that you can deselect before installation proceeds.
- Keep your system and browsers updated. Enable automatic updates for Windows and all browsers. Security patches close vulnerabilities that malware like Fireball exploits for drive-by downloads and privilege escalation.
- Use a reputable ad blocker. Browser extensions like uBlock Origin prevent malicious advertisements from loading, eliminating a major Fireball distribution vector. This also reduces exposure to fake download buttons on legitimate sites.
- Maintain real-time antivirus protection. Windows Defender (built into Windows 10/11) provides adequate baseline protection if kept updated. Supplement with periodic scans using Malwarebytes free to catch PUPs that traditional antivirus might miss.
- Be skeptical of urgent update prompts. Legitimate software updates rarely use pop-up advertisements or redirect you to third-party sites. If you see a Flash Player or codec update notice, close it and check for updates directly through the official software.
- Review browser extensions regularly. Monthly, check your installed extensions and remove anything you don't actively use or don't remember installing. Browser hijackers often slip in as extensions during other software installations.
- Create a limited user account for daily use. On shared computers, use a standard user account rather than an administrator account for routine tasks. This limits malware's ability to install system-wide persistence mechanisms.
When Computer Repair Roswell removes malware from your system, we back our work with a 90-day warranty. If the same infection returns within three months (not caused by new risky behavior), we'll re-clean your machine at no additional charge. We also provide follow-up guidance on prevention specific to how you use your computer.
Bring It In
Fireball infections can be stubborn, with components that reinstall themselves if any piece is missed during manual removal. If you've attempted the steps above and still experience browser redirects, unwanted search engines, or suspicious system behavior, professional intervention can save you hours of frustration. At Computer Repair Roswell, we've removed Fireball from hundreds of machines and have refined our process to ensure complete eradication. Our technicians use specialized tools and manual verification techniques that go beyond consumer antivirus software, checking for rootkit-level persistence and obscure registry modifications that automated tools often miss.
Located on Alpharetta Street in Roswell, we offer same-day service for most malware removals—bring your machine by or call (770) 992-9002 to discuss your symptoms and schedule a time. We'll not only clean the infection but also identify how it got in and help you configure your system to prevent reinfection. Our flat-rate malware removal service includes complete system verification, so you leave with confidence that your machine is truly clean and your data is secure.