Firefox homepage/keyword hijacked. How do I rescue?
November 11, 2010 8:58 PM   Subscribe

My firefox homepage and keyword.URL have been hijacked by "eSnips". It's incredibly persistent and resists all attempts to change. How do I kick its ass?

Switched to Firefox 4 Beta 7 yesterday, terrific stuff, got all my addons et al. The problem is, my homepage seems to be locked to this page. My keyword.URL is changed to their search engine. Whenever I change those entries in my prefs.js, they get to reset to the eSnips values every time I restart Firefox.

My search engines were also changed to default to Yahoo!, but I fixed that by deleting all the search engines I don't need, so it's just the keyword.URL and homepage now.

I've tried these ideas:
Checking to see if prefs.js is locked or not
Adding homepage and keyword.URL data to a user.js
Run virus/malware checks everywhere

Creating a new profile did solve it, but when I migrated all my profile data (except prefs.js), the problem reappeared. So it's somewhere in my profile folder, and I suspect it's one of my addons/plugins (I can't imagine which though, I got them all from Mozilla's addons page and none of them are particularly suspicious-looking).

Will post Troubleshooting Information if requested.
posted by Senza Volto to Computers & Internet (11 answers total)
posted by juniperesque at 9:08 PM on November 11, 2010

Saw that site on my first Google. I don't have any eSnips extension, and I've already mentioned that changing the keyword.URL or homepage values has no effect as they get changed back to the eSnips values on restart.
posted by Senza Volto at 9:10 PM on November 11, 2010

Awesome! (Not actually awesome.)

Looks like the internet is also vexed by this. Some people are doing a system restore. Yikes!

Is this you? Because it sounds like the same problem.

This link claims to have solved it, but I can't verify since, you know, I don't have it. Looks like everyone agrees it's a virus, though.
posted by juniperesque at 9:18 PM on November 11, 2010

Oh dearie me, my post is on Google? Thought it had disappeared into the abyss, with no reply and all.

The final link is no workie: I don't have any eSnips on my Add/Remove Programs list or Add-Ons list. I think I should mention the curious detail (from that Mozilla post) that this happens only on Firefox 4, and Firefox 3.6 remains normal. Both use the same profile folder, by the bye.

So far I haven't found anyone else whose problem hasn't been solved already. This hijacking operation is done like a pro.
posted by Senza Volto at 9:28 PM on November 11, 2010

Oh, forgot to mention that searching my registry for eSnips or Logia gives no results.
posted by Senza Volto at 9:29 PM on November 11, 2010

After an hour's worth of meddling around, I've found that the problem seems to occur whenever I turn off the extensions.checkCompatibility.4.0b boolean. After lots of prefs.js-deleting and careful addon-adding/enabling, I've narrowed down the list of suspicious extensions to:

Blank Your Monitor
Image Zoom
Menu Editor
PDF Download

By now though, I'm pretty sure that eSnips is functioning as some sort of a hidden extension that gets turned on whenever I set extensions.checkCompatibility.4.0b to false. Strange part is, this never happens with Firefox 3.6. Will try to eliminate the rest of the addons after this.
posted by Senza Volto at 10:42 PM on November 11, 2010

The homepage was probably set to that esnips page so that it could retrieve the infecting payload. That is, I doubt it actually has anything to do with esnips the company. None of those items look useful, though, so I'd feel free to nuke them. You can always reinstall.
posted by rhizome at 11:58 PM on November 11, 2010

Getting closer to isolating the offending extension.

Took off all the above extensions and disabled compatibility checks, no eSnips so far. Now it's just a matter of adding the extensions one by one and seeing which one pops the trigger.
posted by Senza Volto at 1:04 AM on November 12, 2010

Done. I found that eSnips appeared when I added PDF Download. Checking the extension's files revealed a prefs.js inside with some PDF Download instructions, followed by this:

user_pref("browser.startup.homepage", "");
user_pref("", "eSnips Search");
user_pref("", "eSnips Search");
user_pref("", "eSnips Search");
user_pref("keyword.URL", "");

Deleted those lines and now it's no longer resetting to the eSnips instructions. Not sure if PDF Download carries malware or whether it was added by eSnips to piggyback on PDF Download. Either ways, it's fixed now, and this thread shall remain as a testament to the will of one man against the evils of malware.
posted by Senza Volto at 1:11 AM on November 12, 2010 [5 favorites]

I don't recall the the name of the insidious home page hijacker I last had in Firefox,
but the solution was this...

Export all your bookmarks and save your user profile data as non-Firefox user data.

Uninstall Firefox.

Search your registry and manually delete all references to Firefox.

Upon reinstalling, do not allow Firefox to install itself into the folder that it
wants to create for itself (Mozilla Firefox). Instead create your own new
folder with a new name for the program files to reside in.

Resolve yourself that the hijacker will still be somewhere on your hard drive,
but that these steps prevent the hijacker from associating with Firefox.
posted by No Shmoobles at 9:51 AM on November 12, 2010

Just for grins, see what the portable version does. (
posted by Drasher at 4:51 PM on November 12, 2010

« Older Your Favorite Whimsical Research Paper   |   I can't remember the name of this French singer. Newer »
This thread is closed to new comments.