This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

firefox hijack by bing

more options

Hey Guys & Gals,

My Windows 8.1 pc Firefox has been hijacked by bing.

I have paid malwarebytes and scans clean. I have no Adaware or web companion install. Virus protection scan clean as well.

I opened firefox about:config and search for bing and sure enough its listed there 3 times.

browser.search.order.2 default string Bing browser.search.order.US.2 default string data:text/plain,browser.search.order.US.2=Bing' browser.translation.engine default string bing

Can I just delete the values from those 3 sections?

Thanks in advance Grendor

Hey Guys & Gals, My Windows 8.1 pc Firefox has been hijacked by bing. I have paid malwarebytes and scans clean. I have no Adaware or web companion install. Virus protection scan clean as well. I opened firefox about:config and search for bing and sure enough its listed there 3 times. browser.search.order.2 default string Bing browser.search.order.US.2 default string data:text/plain,browser.search.order.US.2=Bing' browser.translation.engine default string bing Can I just delete the values from those 3 sections? Thanks in advance Grendor

All Replies (16)

more options

Hi, no, it is suppose to be there even when things are normal.

Web Companion has changed some file names. Do not know where/what all of them are. Did your follow this : ? : You can look for a file named dsengine.js in these locations. You should only find channel-prefs.js in the "defaults\pref" location. Any file found here apart from channel-prefs.js is suspicious. You can check the content of the file in a text editor (use open with and do not double-click the file).

  • C:\Program Files\Mozilla Firefox\defaults\pref\
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\

You can look for a file named dsengine.cfg in the main Firefox program folder.

  • C:\Program Files\Mozilla Firefox\
  • C:\Program Files (x86)\Mozilla Firefox\

Delete the dsengine.js and dsengine.cfg files when present.

This is powerful, search all entries found before deleting anything or go to their forum, on Europe time : https://www.bleepingcomputer.com/download/roguekiller/ or take it to Malwarebytes forum as they can still help :

more options

Pkshadow said

Hi, no, it is suppose to be there even when things are normal. Web Companion has changed some file names. Do not know where/what all of them are. Did your follow this : ? : You can look for a file named dsengine.js in these locations. You should only find channel-prefs.js in the "defaults\pref" location. Any file found here apart from channel-prefs.js is suspicious. You can check the content of the file in a text editor (use open with and do not double-click the file).
  • C:\Program Files\Mozilla Firefox\defaults\pref\
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\
You can look for a file named dsengine.cfg in the main Firefox program folder.
  • C:\Program Files\Mozilla Firefox\
  • C:\Program Files (x86)\Mozilla Firefox\
Delete the dsengine.js and dsengine.cfg files when present. This is powerful, search all entries found before deleting anything or go to their forum, on Europe time : https://www.bleepingcomputer.com/download/roguekiller/ or take it to Malwarebytes forum as they can still help :

Hello Pkshadow,

I had tried that after reading other peoples posts with same issue. No files match what was to be deleted.

I have run multiple full scans with numerous programs and all come back clean.

Thanks for the help. Grendor

more options

As mentioned powerful : https://www.bleepingcomputer.com/download/roguekiller/ or take it to Malwarebytes forum as they can still help : https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ They well get you to run couple of programs and upload result and go over them and are good. Have been there done that.

more options

Pkshadow said

As mentioned powerful : https://www.bleepingcomputer.com/download/roguekiller/ or take it to Malwarebytes forum as they can still help : https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ They well get you to run couple of programs and upload result and go over them and are good. Have been there done that.

Hey Pkshadow,

Thanks for the help and info. I scanned with Malwarebytes as well and it found nothing and I use paid version.

I sent them a message and will try the other thing you suggested.

Thanks again. Grendor

more options

Pkshadow said

As mentioned powerful : https://www.bleepingcomputer.com/download/roguekiller/ or take it to Malwarebytes forum as they can still help : https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ They well get you to run couple of programs and upload result and go over them and are good. Have been there done that.

Hey Pkshadow,

One more thing on every redirect to bing each one says almost the same sequence. Most of it is the same except item searching for.

https://www.bing.com/search?q=cars&pc=cosp&ptag=G6C153N57A7CCE9513EE&form=CONBNT&conlogo=CT3210127

https://www.bing.com/search?q=dremel&pc=cosp&ptag=G6C111N57A7CCE9513EE&form=CONBNT&conlogo=CT3210127

I could go on but the sequence is identical for every redirect right after q=cars or q=dremel the &ptag=G6C153N57A7CCE9513EE&form=CONBNT&conlogo=CT3210127 is all the same.

Just thought you should know. Thanks Grendor

more options

The presence of CT3210127 could indicate that some Conduit application got installed, so check the Windows Control Panel for suspicious software.

Do a malware check with several malware scanning programs on the Windows computer.

Please scan with all programs because each program detects different malware. All these programs have free versions.

Make sure you update each program to get the latest version of their databases before doing a scan.

You can also do a check for a rootkit infection with TDSSKiller.


https://support.kaspersky.com/viruses/utility

See also:

more options

cor-el said

The presence of CT3210127 could indicate that some Conduit application got installed, so check the Windows Control Panel for suspicious software. Do a malware check with several malware scanning programs on the Windows computer. Please scan with all programs because each program detects different malware. All these programs have free versions. Make sure you update each program to get the latest version of their databases before doing a scan. You can also do a check for a rootkit infection with TDSSKiller.
https://support.kaspersky.com/viruses/utility See also:


Hello cor-el & Pkshadow,

Well I got it fixed but took lots of work. After scanning pc with every virus/malware program from bleeping computer and majorgeeks, they all came back clean except for a couple empty folders.

I decided to use ccleaner to clean firefox and that did not fix it. I noticed some of the links when I searched for items using google I noticed that many link had webhp ??? in the addressbar. I searched for that and I found pages saying webhp was a virus/malware. I could not find it on my system and no protection found it.

So I decided to use firefox's "Refresh Firefox" option.

The refresh worked and google is now fine so far. I have an open case with Malwarebytes so maybe they can help find and clean the issue. But as I said its working great for now.

I will post again when I have more news from Malwarebytes.

Thanks Grendor

more options

Hi, Great News. Knew there was something in there. You probably got it all with the refresh.

more options

It's difficult to hijack searches externally to Firefox without being detected by malware scanners (and rootkit scanners), but some add-ons do it and they may not be detected as malicious if no one has reported them to the scanner makers as potentially unwanted programs (PUPs).

While I wouldn't suggest restoring your data from the Old Firefox Data folder the Refresh created on your desktop, you could take a look at one particular file. If you click into Old Firefox Data, and then into your old profile folder (the first part is random, for example, a1b2c3d4.default), you can find a file named extensions.json which contains the best available list of your old extensions.

If you drop that file into a Firefox tab, after a few moments, Firefox will display a structured view of the file's contents. This can be a bit hard to follow, but if you use Find (Ctrl+f) to search for defaultlocale then Firefox should jump to the name and description part of the first extension (and use can use Next and Previous, etc.). One of those may be the culprit.

Anything suspicious?

more options

Hello jscher2000,

I have done/am doing check now and found some old addons that were old ones i used long ago that were not compatible with current FF and could not be removed.

I see a couple that say they are from Mozilla like "Photon onboarding" , "Web compat" But I see nothing that looks strange. There are 28 items listed in all and I know some of them well and others are older that could not be removed.

As for me using old data after the refresh firefox imported all my bookmarks and not sure if anything else.

If the file is safe to send (meaning no personal data ect) I can attach to post so you can see it. Let me know.

Thanks in advance Grendor

more options

Hi Grendor, you can't easily post the contents of extensions.json on this site, but you could use https://pastebin.com/ and then share a link back here. This file does contain information about the structure of folders on your computer, so it's not ideal to make it generally available to the world. Maybe there is an alternate way to extract the most relevant data. (But not off the top of my head at this moment...)

more options

Note that webhp isn't a virus, but merely a special API link that can be used to pass parameters to Google.

more options

cor-el said

Note that webhp isn't a virus, but merely a special API link that can be used to pass parameters to Google.

Hey cor-el,

I spent hours searching google and duckduckgo as I never had the webhp ever before. And since it did happen when i went to google.ca (my normal) and searched anything it would give me several different webhp or other and then forward me to bing. When i search webhp i got many pages about it being a virus.

Since I refreshed Firefox I have not been forwarded to bing once. I put exact same addon in firefox as before (except ones i could not remove at the time.)

Anyways all is working fine right now. Thanks for the help and info. Grendor

more options

jscher2000 said

Hi Grendor, you can't easily post the contents of extensions.json on this site, but you could use https://pastebin.com/ and then share a link back here. This file does contain information about the structure of folders on your computer, so it's not ideal to make it generally available to the world. Maybe there is an alternate way to extract the most relevant data. (But not off the top of my head at this moment...)


Hey Jscher2000,

Since you told me that maybe I won't past link to file just to be safe. From now on i run Firefox in Sandboxie to prevent any future problems (I hope).

Anyways Thanks again for all the help. Grendor

more options

Hey,

I have one more question.

In Firefox top right is the 3 lines with a "yellow !" When I check it is asking me to "Reconnect to Sync". Is it safe to do so or what would you suggest?

Thanks in Advance Grendor

more options

Hi Grendor, if you want to use Sync with your refreshed profile, you can. I actually don't know whether add-ons will come back as a result. Great experiment!