i've been working on this for the last 7 hours. i've seen a lot of viruses before and normally fixing them isn't too hard. My laptop uses a licensed McAfee that updates every day and at the hint of trouble, i run Malwarebytes. Neither, however, sees a problem. So i ran SpyBot S&D, Spyware Doctor, SuperAntiSpyware, Panda Root Kit, Panda AntiVirus, GooredFix, Rootkit Revealer and ComboFix (which i thought would give me a menu of options; it did not, not even one to stop; i understand i might be denied help on this forum for running this so, um, sorry). None of them found anything. In Firefox i've turned off Accept Cookies (because i read it was a cookie exploit) and erased the XUL (because i read it was an XUL problem). i've verified everything in Autoruns and looked for odd processes in Process Explorer (i found nothing in either). i've cleared all my temp files and browser caches with CCleaner. i looked for odd processes in Device Manager (and realized they all looked odd so didn't touch any of them). i erased a randomly named *.sys driver in System32\Drivers that had a timestamp of today (the properties claimed to be Microsoft User Interface, language Russian). i installed the Firefox addon NoScript which blocks redirects (works pretty well but i still can't get to the real link i clicked on). i verified the links are what i think they are on the Google page (by checking page source and the status bar). i Googled a whole bunch about "Google search hijack" and trojan and other search terms. i've waded through my registry to keys people said might be the problem (i haven't seen them). i've rebooted a half dozen times. i've sacrificed small animals to nameless gods. Oh wait, i haven't done that one. Yet.
Out of curiosity, i tried a few things.
First, it happens if i go to Google directly rather than use the Firefox Google toolbar.
Second, it happens on Google Web search but not Image search.
Third, if i go to the same link over and over, it takes me to a different site each time.
Fourth, occasionally (but not too often), the link i clicked on comes up but a new tab opens, normally to the URL XXXX.
Sixth, recently (last two hours) i've noticed that IE has been starting up on my machine. No window but i see 2 processes in Process Explorer (which i immediately kill). Might be unrelated. i don't use IE except earlier today to get to Google to look up info on this.
Seventh, Yahoo didn't give me any problems, but i didn't do a lot of searching in it. i didn't try any other engines.
Eighth, the misrouted links don't happen anywhere else - if i make it to a page, i can click any link i want there and it's fine. It's only links off of google.com.
Hmm, real quick, let me check... netstat shows a few links i don't know, one of which is TCP port 2575 static.78-47-248-115.clients.your-server.de:http CLOSE_WAIT. No idea what that is. i'm behind a NetGear firewall and the Microsoft firewall. i also have TCP 1749 ip-212-117-174-177.server.lu:https CLOSE_WAIT. i can't tell if either is sending or receiving data.
What's throwing me is that none of the tools i have even see a problem. The problem shows up plenty over the last 4 years when i Google for it but nothing i've downloaded sees a problem and i obviously can't fix it.
To restate - when i click a link in Google, i often get sent to a random page such as ShoppingKey.com/search.php or oil-n-gasgifts.com/result.php which tries to redirect me to a Chinese site named XXXX to a URL such as fva2gzMe7e6xm0O5d3625a5a60e230dfa04ef970f6c20cde35k and 7Kp2ykkx8e4jAHU55fd2af76ef81bbcef5d0add4fcce6e5d27k. The page source of these pages is always the same:
EDIT: Removed links. You'd be surprised how many people would click on them.
Edited by garmanma, 29 November 2009 - 07:59 PM.