Support Forum

Firefox will not stop changing search provider from Google to "Bing Search Engine" (Not standard "Bing"!)

As of two days ago, I made the mistake of installing (verified) legitimate software without selecting custom installation. Lo and behold, 2 or 3 bits of malware are tossed onto my PC, but even after scanning twice with both AVG AND Malwarebytes, the default search provider on my Firefox forcibly resets to "Bing Search Engine" on Firefox every new session.

What's interesting is that "Bing" is the actual, formal search engine for Bing, meaning this is almost certainly illegitimate. In an attempt to fix this I have already:

A. Changed the preference AND deleted "Bing Search Engine" from the accepted search engines.
B. Removed all cookies, addons, and plugins I have not been able to confirm to be safe.
C. Reset ("refreshed") Firefox completely.

None of these problems have fixed this reversion of Preferred Search Engine, and I fear this is an issue for my security.

Additional System Details

Installed Plug-ins

  • Shockwave Flash 27.0 r0

Application

  • Firefox 57.0.2
  • User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0
  • Support URL: https://support.mozilla.org/1/firefox/57.0.2/WINNT/en-US/

Misc

  • User JS: No
  • Accessibility: No
Pkshadow
  • Top 10 Contributor
825 solutions 10343 answers

Please use more than 1 scanner, as each uses different tech: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-caused-malware

Save your report and Google each one before deleting anything, as you do not want to delete something you need. If you need help: https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/ Post in only 1 forum, then wait.

Try AdwCleaner. I also suggest going to the forum for removal by experts.

Please let us know if this solved your issue or if you need further assistance.

jscher2000
  • Top 10 Contributor
7359 solutions 59909 answers

Chosen Solution

In addition to the scanners, please check:

(1) Windows Control Panel, Uninstall a Program.

After the list loads, click the "Installed on" column heading to group the infections, I mean, additions, by date. This can help in smoking out undisclosed bundle items that snuck in with that software you agreed to install. Be suspicious of everything you do not recognize/remember, as malware often uses important or innocent sounding names to discourage you from removing it.

Take out as much trash as possible here. If you're not sure, feel free to post program names or a screenshot of the list.

(2) Possible program folder infection.

Check in these locations (varies for 32-bit / 64-bit):

C:\Program Files\Mozilla Firefox\defaults\pref
C:\Program Files (x86)\Mozilla Firefox\defaults\pref

Any files other than channel-prefs.js are suspicious. Remove them to a neutral location for further analysis at your leisure.
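
Step (2) of the answer above can be scripted. The following PowerShell is an added example, not part of jscher2000's post: it lists every file in the two defaults\pref folders other than channel-prefs.js, with its creation time, SHA-256 and the preference calls it contains, and moves the files to a holding folder only when run with -Quarantine. The switch name and the $QuarantineDir default are assumptions made for the example.

```powershell
# Run from an elevated prompt with Firefox closed. Needs PowerShell 4+ (Get-FileHash).
# -Quarantine and $QuarantineDir are names chosen for this example.
param(
    [switch]$Quarantine,
    [string]$QuarantineDir = "$env:USERPROFILE\firefox-pref-quarantine"
)

# The two locations named in the answer (64-bit and 32-bit installs).
$prefDirs = @(
    'C:\Program Files\Mozilla Firefox\defaults\pref',
    'C:\Program Files (x86)\Mozilla Firefox\defaults\pref'
)
$expected = @('channel-prefs.js')   # the only file the answer treats as normal

$findings = @(foreach ($dir in $prefDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden and system files
    Get-ChildItem -LiteralPath $dir -File -Force |
        Where-Object { $expected -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Path    = $_.FullName
                Created = $_.CreationTime   # compare with the bundle's install date
                SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                # Preference calls the file makes, i.e. what it overrides at startup
                Prefs   = @(Select-String -LiteralPath $_.FullName -Pattern 'pref\s*\(' |
                            ForEach-Object { $_.Line.Trim() })
            }
        }
})

if ($findings.Count -eq 0) {
    Write-Output 'No unexpected files in defaults\pref.'
} else {
    $findings | Sort-Object Created | Format-List Path, Created, SHA256, Prefs
    if ($Quarantine) {
        New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
        $n = 0
        foreach ($f in $findings) {
            # Move, don't delete: keeps the file for later analysis. The counter
            # prefix avoids name clashes between the two install folders.
            $n += 1
            $dest = Join-Path $QuarantineDir ('{0:d2}_{1}' -f $n, (Split-Path $f.Path -Leaf))
            Move-Item -LiteralPath $f.Path -Destination $dest -Verbose
        }
    }
}
```

Run it once without the switch to review the listing, then again with -Quarantine once you have decided the files do not belong there.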

Helpful Reply

Fantastic catch, jscher2000. I tried using the above removal methods, and while they caught some stuff, it didn't resolve the issue.

Searched my X86 Firefox directory and found "DS-engine" in there with channel-prefs. Date of file creation? 12/9/2017. That was the guy. Deleted it by hand, and FINALLY the search engine default has stopped being changed.

Thanks for your time, gentlemen, consider this one a victory.

jscher2000
  • Top 10 Contributor
7359 solutions 59909 answers

Hi YCCCM7, thank you for reporting back. Can you associate "DS-engine" with particular software you installed? Naming names helps when other users are Googling. Thanks.

Question owner

Sure. I know one malicious program that was rolled up in the installer (the only one that showed up in the control panel) was one "Lavasoft Web Companion"... I think it's one of those cases where there's a legitimate version of it, but this is some less legitimate derivative.

Past that, I think it all came bundled with "BurnAware"... From what I googled, BurnAware's legit enough, or at least used to be, but it came from a supposedly malware free installer from CNet.

What a joke. This is about the 7th time CNet has failed me. Anyways, digression aside, those two are the only ones formally installed.

There were maybe 11 other items caught between Malwarebytes and AdwCleaner, all with very cryptic names, so there could be more behind the scenes.
