Jump to content


Photo

Firefox Search Hijack

aim aol search hijack

  • Please log in to reply
No replies to this topic

#1 ImGeo

ImGeo

    New Member

  • Members
  • Pip
  • 1 posts

Posted 09 December 2012 - 09:53 AM

When the AIM/AOL toolbar gets installed into Firefox, it takes over the search engine, installs a toolbar extension, changes the default search (and even changes it back, even if you change it in about:config). However, after you uninstall all the toolbars and extensions and other crapware, one thing that isn't fixed is the homepage search engine.

I'm referring to the search you get directed to when you go to "about:home" in the address bar. Usually it's Google, but it gets directed to somewhere at http://slirsredirect...ector/sredir?q=

Though this may not necessarily fall under malware/spyware, I believe it does because it hijacks search, and is nearly impossible to fix unless you're very technically inclined and can read sqlite and know what to look for.

The affected file is a database in the Firefox profile, for example:
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\rmkme7k3.default\chromeappsstore.sqlite

And the affected row in the database is:

emoh.:moz-safe-about|search-engine|{"name":"AOL Search","searchUrl":"http://slirsredirect...09-12-2012"}|0|

The parameters are going to vary, and how it's represented varies depending on what sqlite you use, but what stays constant (even in binary) is the following JSON:
{"name":"AOL Search","searchUrl":"http://slirsredirect.search.aol.com

So in summary, I believe there should be a filter for the file
chromeappsstore.sqlite
that looks for the string
{"name":"AOL Search","searchUrl":"http://slirsredirect.search.aol.com

Unfortunately, simply deleting that row will cause search to not work. Instead, the JSON must be replaced with:

{"name":"Google","searchUrl":"https://www.google.c...ent=firefox-a"}
The other columns within that row can stay the same.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users