Firefox homepage/keyword hijacked. How do I rescue?
November 11, 2010 8:58 PM
My Firefox homepage and keyword.URL have been hijacked by "eSnips". It's incredibly persistent and resists all attempts to change. How do I kick its ass?
Switched to Firefox 4 Beta 7 yesterday, terrific stuff, got all my addons et al. The problem is, my homepage seems to be locked to this page. My keyword.URL is changed to their search engine. Whenever I change those entries in my prefs.js, they get reset to the eSnips values every time I restart Firefox.
My search engines were also changed to default to Yahoo!, but I fixed that by deleting all the search engines I don't need, so it's just the keyword.URL and homepage now.
I've tried these ideas:
Checking to see if prefs.js is locked or not
Adding homepage and keyword.URL data to a user.js
Running virus/malware checks everywhere
Creating a new profile did solve it, but when I migrated all my profile data (except prefs.js), the problem reappeared. So it's somewhere in my profile folder, and I suspect it's one of my addons/plugins (I can't imagine which though, I got them all from Mozilla's addons page and none of them are particularly suspicious-looking).
Will post Troubleshooting Information if requested.
Response by poster: Saw that site on my first Google. I don't have any eSnips extension, and I've already mentioned that changing the keyword.URL or homepage values has no effect as they get changed back to the eSnips values on restart.
posted by Senza Volto at 9:10 PM on November 11, 2010
Awesome! (Not actually awesome.)
Looks like the internet is also vexed by this. Some people are doing a system restore. Yikes! http://forum.avast.com/index.php?topic=59913.0
Is this you? Because it sounds like the same problem.
This link claims to have solved it, but I can't verify since, you know, I don't have it. Looks like everyone agrees it's a virus, though.
posted by juniperesque at 9:18 PM on November 11, 2010
Response by poster: Oh dearie me, my post is on Google? Thought it had disappeared into the abyss, with no reply and all.
The final link is no workie: I don't have any eSnips on my Add/Remove Programs list or Add-Ons list. I think I should mention the curious detail (from that Mozilla post) that this happens only on Firefox 4, and Firefox 3.6 remains normal. Both use the same profile folder, by the bye.
So far I haven't found anyone else whose problem hasn't been solved already. This hijacking operation is done like a pro.
posted by Senza Volto at 9:28 PM on November 11, 2010
Response by poster: Oh, forgot to mention that searching my registry for eSnips or Logia gives no results.
posted by Senza Volto at 9:29 PM on November 11, 2010
Response by poster: After an hour's worth of meddling around, I've found that the problem seems to occur whenever I turn off the extensions.checkCompatibility.4.0b boolean. After lots of prefs.js-deleting and careful addon-adding/enabling, I've narrowed down the list of suspicious extensions to:
Blank Your Monitor
FoxyProxy
Image Zoom
Menu Editor
PDF Download
Stylish
By now though, I'm pretty sure that eSnips is functioning as some sort of a hidden extension that gets turned on whenever I set extensions.checkCompatibility.4.0b to false. Strange part is, this never happens with Firefox 3.6. Will try to eliminate the rest of the addons after this.
posted by Senza Volto at 10:42 PM on November 11, 2010
The homepage was probably set to that esnips page so that it could retrieve the infecting payload. That is, I doubt it actually has anything to do with esnips the company. None of those items look useful, though, so I'd feel free to nuke them. You can always reinstall.
posted by rhizome at 11:58 PM on November 11, 2010
Response by poster: Getting closer to isolating the offending extension.
Took off all the above extensions and disabled compatibility checks, no eSnips so far. Now it's just a matter of adding the extensions one by one and seeing which one pops the trigger.
posted by Senza Volto at 1:04 AM on November 12, 2010
Best answer: Done. I found that eSnips appeared when I added PDF Download. Checking the extension's files revealed a prefs.js inside with some PDF Download instructions, followed by this:
user_pref("browser.startup.homepage", "http://eis.esnips.com/page/search/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d");
user_pref("browser.search.defaultenginename", "eSnips Search");
user_pref("browser.search.order.1", "eSnips Search");
user_pref("browser.search.selectedEngine", "eSnips Search");
user_pref("keyword.URL", "http://eis.esnips.com/page/search_provider/?client_uuid=bda82ac0-85c3-4b48-b0d2-41fde8d1391d&q=");
Deleted those lines and now it's no longer resetting to the eSnips instructions. Not sure if PDF Download carries malware or whether it was added by eSnips to piggyback on PDF Download. Either way, it's fixed now, and this thread shall remain as a testament to the will of one man against the evils of malware.
posted by Senza Volto at 1:11 AM on November 12, 2010 [5 favorites]
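The check that located the culprit in the answer above (a preferences file shipped inside an extension), as an added example that is not part of the original thread: it lists every homepage, keyword.URL and browser.search.* value set by a .js file inside a profile's extensions folder, covering both unpacked folders and packed .xpi archives. The function names and the watched-preference list are assumptions made for this example, and a hit is a lead to review by hand, since legitimate add-ons can also ship search defaults.

```python
import re
import zipfile
from pathlib import Path

# Preferences the hijack in this thread rewrote on every restart (assumed watch list).
WATCHED = re.compile(r"^(browser\.startup\.homepage|keyword\.URL|browser\.search\..+)$")
# Matches pref("name", value); and user_pref("name", value); lines.
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)


def scan_text(text):
    """Return (pref_name, raw_value) pairs for watched prefs set in one .js file."""
    return [(m.group(1), m.group(2)) for m in PREF_LINE.finditer(text)
            if WATCHED.match(m.group(1))]


def iter_js_files(extensions_dir):
    """Yield (extension, inner_path, text) for .js files in unpacked extension
    folders and in packed .xpi archives (which are ordinary zip files)."""
    for entry in sorted(Path(extensions_dir).iterdir()):
        if entry.is_dir():
            for js in sorted(entry.rglob("*.js")):
                yield (entry.name, js.relative_to(entry).as_posix(),
                       js.read_text(encoding="utf-8", errors="replace"))
        elif entry.suffix == ".xpi" and zipfile.is_zipfile(entry):
            with zipfile.ZipFile(entry) as xpi:
                for name in sorted(xpi.namelist()):
                    if name.endswith(".js"):
                        yield entry.name, name, xpi.read(name).decode("utf-8", "replace")


def find_pref_overrides(extensions_dir):
    """List every watched preference that an installed extension ships a value for."""
    return [(ext, path, pref, value)
            for ext, path, text in iter_js_files(extensions_dir)
            for pref, value in scan_text(text)]


if __name__ == "__main__":
    import sys
    # Usage: python scan_ext_prefs.py <path to profile>/extensions
    for hit in find_pref_overrides(sys.argv[1]):
        print("%s: %s sets %s = %s" % hit)
```

Run it against the extensions directory of the affected profile; an extension that reports a homepage or keyword.URL value it has no reason to set is the one to unpack and inspect.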
I don't recall the name of the insidious home page hijacker I last had in Firefox, but the solution was this...
Export all your bookmarks and save your user profile data as non-Firefox user data.
Uninstall Firefox.
Search your registry and manually delete all references to Firefox.
Upon reinstalling, do not allow Firefox to install itself into the folder that it wants to create for itself (Mozilla Firefox). Instead create your own new folder with a new name for the program files to reside in.
Resolve yourself that the hijacker will still be somewhere on your hard drive, but that these steps prevent the hijacker from associating with Firefox.
posted by No Shmoobles at 9:51 AM on November 12, 2010
Just for grins, see what the portable version does. (portableapps.com)
posted by Drasher at 4:51 PM on November 12, 2010
This thread is closed to new comments.
posted by juniperesque at 9:08 PM on November 11, 2010