3 days back I was browsing a popular website and I spotted “Zwinky” (which is supposed to turn a photograph into a 3D image)! It did look harmless and hence I installed it willing to give it a try. If you read me regularly, then you might probably know that I prefer Firefox over any other browser. I had used Firefox while downloading and installing “Zwinky”. But my excitement was short-lived when I spotted a new web search tool bar (MyWebSearch) that was added to my Firefox toolbar without my permission during the installation. I uninstalled this toolbar and thought it was the end of it; but soon I was going to be proved wrong!
Sometimes later, while trying to lookup something in Google, I directly typed the search query into the Firefox location/address bar. Usually, it should have displayed Google search results or a direct website based on Google’s "I'm feeling Lucky" algorithm. But this time, I got this instead:
It was super-annoying because I couldn’t search with Google, my primary search engine and Firefox, my primary web browser. It was clear that my dear browser (Firefox) was hijacked by MyWebSearch, which was causing browser redirection to their site. What the hell? I went through all of the Firefox preferences (Tools --> Options) to see if I could change back the default search engine to Google but I couldn't find any such option! Searching in Google for “MyWebSearch” gave me loads of information about this spyware. Yes, I would call it a spyware because it collects and stores information about the web pages you view, the data you enter in online forms and search fields, the "clicks" you make, the IP address, URL and country of the sites you visit, your IP address, information about your browser and operating system, and the products you purchase online while using the service. Instantly I did a scan of my PC using “Spybot – Search & Destroy”. It did find some instances of “MyWebSearch” and claimed to clean it too. But when I started Firefox, I saw it remained hijacked! Damn! :(
"MyWebSearch" Spyware Removal - Getting rid of Firefox/Google redirect Hijack:
The most irritating thing about a spyware is that it can manage to hide in your system and thus hard to be cleaned/removed. And “MyWebSearch” appeared to be quite good at it. I did the following things trying to hunt it down:
1. I checked again in “Add & Remove Programs” list. It wasn’t there.
2. I did a manual search in the “C:\program files”. I didn’t find any suspicious folder here as well. I expanded my search to whole “C:\”, without any luck.
3. Now I opened the “Registry Editor” (Start --> Run --> regedit). I did a search (Ctrl+F) for “MyWebSearch” and found 3 registry entries. I deleted them after making sure that they were the ones I was looking for. To make sure I was not missing any more registry keys, I did a search for “search” and this gave me some more entries. Out of these most were genuine Windows registry keys. But I found 2 of them were pointing to “MyWebSearch” entries; so I deleted them as well.
WARNING! If you are doing this, please be very careful while deleting a registry entry. Accidental deletion of a genuine entry may result in corrupted Windows that can only be fixed via reinstalling Windows.
After deleting the relevant “MyWebSearch” entries from the registry I was almost sure that this time it was finally removed. I started Firefox and oops; I was wrong! It was still hiding somewhere and hijacking my search results everytime I tried to do a quick Google Search via Firefox location/address bar. I searched on Web in hopes of finding out a MyWebSearch removal tool. But most (all) of them described how to get rid of the toolbar, which I had removed already. I could hardly find any info that could help in getting back my hijacked Firefox. I tried HijackThis (a free spyware removal tool by Trend Micro) too. But it was unable to sniff out “MyWebSearch” in its scan result.
I was beginning to get frustrated at this point and suddenly another “test idea” came across my mind. I went to the configuration mode of Firefox by typing “about:config” on the location bar. But searching for “defaultSearch” in the filter bar, gave me “Google” as the default engine! Damn. Where did they hide the redirect hijack configuration then?
Baffled, I now keyed in “myweb” in the filter box and here it was. It showed me the entries where the user setting was modified to hijack the browser, without my permission.
I right-clicked both the entries, choose “Reset” and restarted Firefox.
Hurray! And now the search result is back to Google. I am glad that this nasty hijack episode is finally over for me. Sorry Firefox. You had to spend 3 days in hostage situation due to my stupidity (in deciding to try out a malicious program like “Zwinky”). If you are facing a similar situation of browser hijack and looking for a way out, feel free to try my above steps and let me know if it helped.