“The HoeflerText font wasn’t found” ads (Virus Removal Instructions) - Feb 2019 update

“The HoeflerText font wasn’t found” ads Removal Guide

What is “The HoeflerText font wasn’t found” ads?

“The HoeflerText font wasn’t found” is a social engineering attack that installs ransomware and other malware on the system

“The HoeflerText font wasn’t found” virus“The HoeflerText font wasn’t found” is a virus that distributes GandCrab, Spora, Zeus Panda, and other dangerous malware

“The HoeflerText font wasn’t found” is a cleverly engineered scam that displays a fraudulent popup, asking users to install the fake font to view the contents of the site.[1] It mainly targets Google Chrome and Mozilla Firefox users, as the alleged missing packages come under names Chrome_Font.exe, Chrome_Font_v7.87.zip, and Mozilla_Font_v7.87.zip, although users who use Safari or other browsers might encounter a “The HoeflerText font wasn’t found” pop-up message as well. The bogus alert shows up when the potential victim visits compromised websites[2] infected with a malicious JavaScript code.[3] The scam is developed to automatically scramble the text on a hacked site, which is why a warning about Chrome being outdated seems credible for less experienced PC users. Those who agree to install the fake font end up with dangerous malware, like ransomware or a banking trojan, on their system.

Name The HoeflerText font wasn’t found
Type Malware
Associated threats
  • Fleercivet Ad Clicking Trojan
  • Spora ransomware
  • GandCrab ransomware
  • Zeus Panda banking trojan
Infiltration Malicious JavaScript
Symptoms Varies, depending on malware installed
Elimination Use reputable anti-malware software to scan your device
Recovery Download FortectIntego and scan your device for full recovery after malware infection

The initial version of the HoeflerText font[4] wasn’t found on the affected computer scam asks potential victims to update “Chrome Font Pack” in order to fix this error. However, instead of this font pack, you can end up with Fleercivet Ad Clicking Trojan or even Spora ransomware on your computer.[5] However, Spora is not the only crypto-malware that might be disseminated via HoeflerText scam.

At the end of February 2018, nao_sec analysis revealed that HoeflerText Font Update virus turned to GandCrab ransomware distribution. When redirected to hacked websites, potential victims are offered to fix the problem by installing an update for Google's Font Pack. Unfortunately, the supposed Font Pack downloads Font_Update.exe executable, which runs g.js and hacks the legitimate Netsupport Manager tool to download the ransomware payload. In case of success, the GandCrab ransomware renders all personal files useless by locking them with .GDCB file extension.

Although the “hoefler text” font wasn't found Chrome version prevails, on May 2017, malware researchers has discovered a new variant of the scam that targets Mozilla Firefox users. Cyber criminals use the same social engineering scheme. However, this time users are asked to install “Mozilla Font Pack.” However, installation of this fake update ends up terribly wrong. This scam distributes a Zeus Panda banking trojan.

Beware that the developers of this scam made it look very professional and realistic by filling it with the names of current and latest versions of the font and claiming that the message is delivered by Google or Mozilla Corporation. Bear in mind that your browser doesn’t need any updated fonts from the suspicious notification which is designed with the only purpose – to deceive you and make you open a malicious executive file that you can download from the described pop-up.

The HoeflerText font wasn’t found fake alert"The HoeflerText font wasn’t found" is a bogus pop-up that prompts users to install fake font

We suggest that you stay away from websites that display the defined alert because it is a sign that they have been compromised by cyber criminals. If you agreed to install the described update, your browser and computer need you to start “The HoeflerText font wasn’t found” removal. It’s the only way to get rid of the malware that infiltrated the PC and protect your computer from further attacks.

Remember that malicious programs are dangerous cyber threats[6] that can download and install additional malware to the compromised system, so you should take actions immediately to remove “The HoeflerText font wasn’t found” malware from the system. Therefore, do not hesitate and uninstall “The HoeflerText font wasn’t found” virus with the help of anti-malware software like FortectIntego or SpyHunter 5Combo Cleaner.

“The HoeflerText font wasn’t found” pop-ups are responsible for spreading Spora ransomware virus

Considering how successful this technique was, it is not surprising that ransomware developers were quick to try these new malware distribution methods. The first one to employ “The HoeflerText font wasn’t found” scam[7] was Spora virus, the infamous ransomware that is well-known for using sophisticated ransom payment websites and providing a variety of paid services to the victims.

Ransomware is one of the most devastating cyber infections – it encrypts files with a sophisticated cryptography algorithms and suggests paying a ransom in exchange for data decryption tool. Based on the fact how quickly Spora adapts new distribution techniques and also considering how professionally-made this virus is, we expect nothing more but an increased number of virus attacks shortly.

Reportedly, compromised websites feature a Javascript code that attackers insert at the end of the page. This JavaScript code recognizes visitors who enter the site via Chrome and shows not the real, but a corrupted version of the website and triggers a pop-up stating that visitor's Chrome browser lacks the HoeflerText font, and suggests installing it in order to view contents of the website. The message says:

The “HoeflerText” font wasn't found.
The website you are trying to load is displayed incorrectly, as it uses the”HoeflerText” font. To fix the error and display the text, you have to update “Chrome Font Pack”.
ManuFacturer: Google Inc. All Rights Reserved
Current Version: [version]
Latest version: [version]

The new campaign that spreads the ransomware promotes Update.exe file. If the user clicks the Update button, downloads this file and executes it, the system gets infected with Spora malware, and the victim loses access to all of his files instantly.

The HoeflerText font wasn’t found SporaThe HoeflerText font wasn’t found scam is known to be involved in Spora ransomware distribution

HoeflerText attacks Mozilla Firefox users and spreads Zeus Panda banking Trojan

At the beginning of March 2017, security experts have noticed new HoeflerText ads attack targeted at Mozilla Firefox users.[8] Victims are tricked into visiting an infected website that includes a malicious JavaScript code. In this site, people receive a warning message that HoeflerText font was not found and due to this reason this web page is displayed incorrectly.

In order to fix this issue, victims are asked to install “Mozilla Font Pack” update. This alert window might look legitimate because it provides information about manufacturer, current and latest version of the Mozilla. Thus, computer users can get quite easily get tricked into clicking an “Update” button.

Once they do that, they initiate a download procedure. Users are shown a regular download window which informs about downloading a “Mozilla_Font_v7.87.zip” archive. Inside it, there’s a malicious Mozilla_Font_v7.87.js JavaScript file.

Meanwhile, the crafted website changes the fake alert window and provides instructions how to install a fake Mozilla font package. As soon as the download completes, users need to double-click the JavaScript file and start the installation. Once it’s done, users are supposed to reboot Mozilla and enjoy installed updates.

However, instead of updates, users agree to install Panda Banker virus. The virus is one of many versions of Zeus banking Trojan; thus, their private information is put at risk. When users click on this malicious file, they allow downloading a malware payload called “Mozilla_Font_v7.87.exe.”

As soon as it is successfully saved in C:\ directory, it is executed and starts the installation of banking Trojan. Malware infects two svchost.exe processes and launches its hazardous task. If you got tricked into this scam, you should initiate virus removal immediately by running a full system scan with malware removal software.

HoeflerText Font Update scam spreads GandCrab virus, specialists warn

Followed by a great success of Spora distribution, hackers decided to use the HoeflerText font update scam for GandCrab ransomware distribution. Cybersecurity researcher officially shared the results of the nao_sec analysis,[9] which revealed the new tendency of the HoeflerText virus to redirect people to hacked sites injected with a JavaScript, which display scrambled text by default. Such sites generate a fake update prompt and urge the potential victim to update the Font Pack to fix the scrambled text.

The HoeflerText font wasn’t found GandCrabGandCrab is one of the most prominent ransomware threats on the web and HoeflerText scam can install it on your computer

If Chrome's or Firefox's user clicks on the Update button, the Font_Update.exe file is downloaded and executes a g.js script. The latter may differ depending on the location of the victim. g.js file connects to NetSupport Manager remote access utility and can be found in a tokipp folder under %AppData%. In other words, the “hoeflertext” font wasn't found virus employs Font_Update.exe executable to run g.js script, which hacks the legitimate NetSupport Manager tool to download the GandCrab ransomware payload.

Thus, Google Chrome users have to beware that Font_Update.exe is not a HoeflerText font update. It's a GandCrab ransomware executable, which once activated renders all personal files useless by locking them with .GDCB file extension. In general, do not fall for clicking on pop-ups that offer to download updates unless you like dealing with cyber infections continuously.

Misleading warnings might appear on legitimate websites

As we have mentioned before, you can encounter these pop-ups on websites compromised by hackers who insert an additional piece of JavaScript code at the end of the page's source code. Consequently, Chrome or Firefox users will see a corrupted version of the website instead of the real one.

What is more, the additional code prompts a pop-up message stating that “The HoeflerText font wasn’t found.” If the victim agrees to install the suggested update, one simply downloads the Chrome_Update.exe or Mozilla_Font_v7.87.js file, which needs to be opened in order to activate the malware.

This fake Chrome update reportedly was used to distribute ad fraud malware dubbed Fleercivet[10]. As far as we know, the latest compromised websites that display “The HoeflerText font wasn’t found” alerts are serving Update.exe file, which is an installer for Spora ransomware virus.

Meanwhile, a fraudulent Firefox update is used for distribution and infiltration of Panda Banking trojan. Thus, this alert includes similar information about inability to show a website's content correctly and asks to install necessary updates. If you happen to enter a website that displays the described pop-up, better quit it immediately and do not come back to it. It might take some time for it to be fixed. If you have encountered such website, you can report it to us.

The HoeflerText font wasn’t found pop-up exmapleGoogle Chrome will usually warn you that the file might be malicious. Do not ignore these warnings

Getting rid of “The HoeflerText font wasn’t found” virus

“The HoeflerText font wasn’t found” virus is a very dangerous computer infection. After infiltration, it causes chaos on the browser by delivering misleading pop-ups, and it might also silently connect to various third-party websites via your Internet connection. However, in the worst case, you can get infected with a ransomware after installing this bogus update, and consequences will be devastating. So if you accidentally installed the virus, follow these instructions for a safe “The HoeflerText font wasn’t found” removal.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of “The HoeflerText font wasn’t found” ads. Follow these steps

Manual removal using Safe Mode

If you have installed the virus and now your computer acts slowly or, in the worst case, you cannot access your files, reboot your PC using guidelines provided below. In case you cannot access your files, check out this article.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove “The HoeflerText font wasn’t found” using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of “The HoeflerText font wasn’t found”. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that “The HoeflerText font wasn’t found” removal is performed successfully.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from “The HoeflerText font wasn’t found” and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting malware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

Removal guides in other languages