How I Fixed my Hijacked Firefox from MyWebSearch Spyware!


Update! For more such awesome Tips and Tricks do visit the Technology How To section. 

3 days back I was browsing a popular website and I spotted “Zwinky” (which is supposed to turn a photograph into a 3D image)! It did look harmless and hence I installed it willing to give it a try. If you read me regularly, then you might probably know that I prefer Firefox over any other browser. I had used Firefox while downloading and installing “Zwinky”. But my excitement was short-lived when I spotted a new web search tool bar (MyWebSearch) that was added to my Firefox toolbar without my permission during the installation. I uninstalled this toolbar and thought it was the end of it; but soon I was going to be proved wrong!
Sometime later, while trying to look up something in Google, I directly typed the search query into the Firefox location/address bar. Usually, it should have displayed Google search results or a direct website based on Google’s "I'm feeling Lucky" algorithm. But this time, I got this instead:



It was super-annoying because I couldn’t search with Google, my primary search engine and Firefox, my primary web browser. It was clear that my dear browser (Firefox) was hijacked by MyWebSearch, which was causing browser redirection to their site. What the hell? I went through all of the Firefox preferences (Tools --> Options) to see if I could change back the default search engine to Google but I couldn't find any such option! Searching in Google for “MyWebSearch” gave me loads of information about this spyware. Yes, I would call it a spyware because it collects and stores information about the web pages you view, the data you enter in online forms and search fields, the "clicks" you make, the IP address, URL and country of the sites you visit, your IP address, information about your browser and operating system, and the products you purchase online while using the service. Instantly I did a scan of my PC using “Spybot – Search & Destroy”. It did find some instances of “MyWebSearch” and claimed to clean it too. But when I started Firefox, I saw it remained hijacked! Damn! :(
"MyWebSearch" Spyware Removal - Getting rid of Firefox/Google redirect Hijack:
The most irritating thing about spyware is that it can manage to hide in your system and is thus hard to clean/remove. And “MyWebSearch” appeared to be quite good at it. I did the following things trying to hunt it down:
1. I checked again in “Add & Remove Programs” list. It wasn’t there.
2. I did a manual search in the “C:\program files”. I didn’t find any suspicious folder here as well. I expanded my search to whole “C:\”, without any luck.
3. Now I opened the “Registry Editor” (Start --> Run --> regedit). I did a search (Ctrl+F) for “MyWebSearch” and found 3 registry entries. I deleted them after making sure that they were the ones I was looking for. To make sure I was not missing any more registry keys, I did a search for “search” and this gave me some more entries. Out of these most were genuine Windows registry keys. But I found 2 of them were pointing to “MyWebSearch” entries; so I deleted them as well.
WARNING! If you are doing this, please be very careful while deleting a registry entry. Accidental deletion of a genuine entry may result in corrupted Windows that can only be fixed via reinstalling Windows.
After deleting the relevant “MyWebSearch” entries from the registry I was almost sure that this time it was finally removed. I started Firefox and oops; I was wrong! It was still hiding somewhere and hijacking my search results every time I tried to do a quick Google Search via the Firefox location/address bar. I searched the Web in hopes of finding a MyWebSearch removal tool. But most (all) of them described how to get rid of the toolbar, which I had removed already. I could hardly find any info that could help in getting back my hijacked Firefox. I tried HijackThis (a free spyware removal tool by Trend Micro) too. But it was unable to sniff out “MyWebSearch” in its scan result.
I was beginning to get frustrated at this point when suddenly another “test idea” crossed my mind. I went to the configuration mode of Firefox by typing “about:config” in the location bar. But searching for “defaultSearch” in the filter bar gave me “Google” as the default engine! Damn. Where did they hide the redirect hijack configuration then?
Baffled, I now keyed in “myweb” in the filter box and here it was. It showed me the entries where the user setting was modified to hijack the browser, without my permission.



I right-clicked both the entries, chose “Reset” and restarted Firefox.



Hurray! And now the search result is back to Google. I am glad that this nasty hijack episode is finally over for me. Sorry Firefox. You had to spend 3 days in hostage situation due to my stupidity (in deciding to try out a malicious program like “Zwinky”). If you are facing a similar situation of browser hijack and looking for a way out, feel free to try my above steps and let me know if it helped. 
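The same filter-and-reset check can be run offline against the profile's prefs.js, where Firefox stores user-modified preferences as `user_pref(...)` lines. This is an added example, not part of the original post; the sample file contents and pref names are constructed, and the function names are hypothetical.

```python
import re

# Firefox writes one user-modified preference per line in prefs.js:
#   user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')

# Constructed sample; pref names and values are illustrative only.
SAMPLE_PREFS = r'''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.google.com/");
user_pref("keyword.URL", "http://search.mywebsearch.example/?q=");
user_pref("extensions.mywebsearch.enabled", true);
user_pref("browser.search.suggest.enabled", false);
'''

def find_suspect_prefs(prefs_text, keywords):
    """Return (line_no, name, raw_value) for prefs whose name OR value
    contains any keyword, case-insensitively."""
    needles = [k.lower() for k in keywords]
    hits = []
    for line_no, line in enumerate(prefs_text.splitlines(), start=1):
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw_value = m.group(1), m.group(2)
        haystack = (name + " " + raw_value).lower()
        if any(n in haystack for n in needles):
            hits.append((line_no, name, raw_value))
    return hits

def strip_prefs(prefs_text, names):
    """Return the prefs text without the named user_pref lines. Removing a
    line makes Firefox fall back to the default, like "Reset" in about:config."""
    drop = set(names)
    kept = []
    for line in prefs_text.splitlines(keepends=True):
        m = PREF_RE.match(line)
        if m and m.group(1) in drop:
            continue
        kept.append(line)
    return "".join(kept)

if __name__ == "__main__":
    hits = find_suspect_prefs(SAMPLE_PREFS, ["myweb"])
    for line_no, name, value in hits:
        print(f"line {line_no}: {name} = {value}")
    print(strip_prefs(SAMPLE_PREFS, [name for _, name, _ in hits]))
```

Work on a copy of prefs.js with Firefox closed, since Firefox rewrites the file on exit. A user.js file in the same profile is applied at every start, so check it for the same entries.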


Happy Testing…

About Debasis Pradhan

Debasis has over a decade worth of exclusive experience in the field of Software Quality Assurance, Software Development and Testing. He writes here to share some of his interesting experiences with fellow testers.

211 Comments:

  1. Like Loris, I too am facing this problem with Chrome. Would love to know if anyone has figured that one out.

  2. Thank you! About:config and a reboot did the job.

  3. My computer was afflicted with another bad guy--namely, "Delta Search". Went to "Programs and Features" and deleted all traces of my foolish download (one of those Free Internet Download Managers--ain't nuthin free in this world), then used Superantispyware (2 complete scans), but Delta still remained on the Navigation Bar, along with a black menu line. As you so clearly and cleverly instructed, I typed "about:config" into the navigation bar, ignored the warning dialog, and found a long list with a search box at the top. That's apparently the "Filter Box" that confused some of you. I typed in "Delta" and got two lines, both of which I right-clicked on and then "reset." The step that some of you perhaps failed to take is to REBOOT, and voila! Delta Search was gone. Thank you very much for this simple solution. I'm going to tell my local professional computer guru about this.

  4. Thanks. Was trying to remember how to get to the config. Had to do that to get rid of ask toolbar some time ago.

  5. Another Firefox URL hijack is http://www.purchasereviews.net/donate.php - I thought I had disabled it
    But sometimes when I hover over a link and click, that webpage tries to load only to give me "Error message page not found" Not that I wanted it!
    But now some links go to http://3b18765b.linkbucks.com/ and I CAN'T use the back arrow, the only way is to Close the tab or window

    Can Anyone Help Please!

  6. Another URL hijacker is http://www.purchasereviews.net/donate.php This is a persistent bugger
    I thought I had disabled it, only to find it trying to re-direct I then get "Error page can't be found"
    But when I hover over a link - I see that url the re-direct now goes to http://3b18765b.linkbucks.com/
    Can Anyone Help Please!

  7. Thank you so much! Worked like a charm!

  8. I was "lucky" enough to have my 11 yr old accidentally download Zwinky. I'm glad I stumbled across your post while searching for a correction! Thanks.

  9. Thank you so much!!! uffffff :-)

  10. I just spent half an hour hunting for this crap on my dad's computer via a remote session. Had the exact same problem. I probably have removed the shitty toolbar and extension earlier when I was cleaning up his laptop but missed the hijacked location bar. Thanks for your article.

    As far as I am concerned, Mindspark should be nuked from orbit. With fire.

  11. Help! I downloaded FireFox and it gave me Mysearch... I have deleted Mysearch through tools as a search engine, and uninstalled it from my computer. However it's still in the background somewhere. Because of the hassle I also deleted Firefox too. Now what? Where do I go into my computer to locate this bug?

