Impacted browsers: IE8.0, FF4, Chrome
Tonight I foolishly checked out "famous movie bikinis" on yahoo.com. FF hiccuped a bit, which I recognized as a problem, but, looking forward to bikinis, I didn't kill it. After that incident, I noticed the following behavior on all 3 browsers:
> type search phrase in the search box (the add-in or helper box in the upper right corner)
> search returned legitimate results page
> click on any result, redirected to some quasi-404 search result...you know, the pages that look like portals, except they are very vague and have the feel of a 404.
The first interesting thing is that this happened with Google and Bing search tools, but not with the yahoo search tool. The yahoo tool worked fine (even selecting from the 1st results page). By contrast, searching from the "title bar" of the yahoo.com home page did not work (legit results redirected). I noticed that the results page returned by the yahoo search tool had a banner "search protected by AVG" while the yahoo.com homepage search results didn't.
Next, the browser behavior:
Open FF, two processes start: firefox.exe and plugin-container.exe. If I use Task Manager to kill plugin-container.exe, FF still runs, but the redirect problem remains.
Open IE, two processes start: both called iexplorer.exe. If I use Task Manager to kill the larger/more CPU-intensive one, IE instantly "restarts" and gives a message "had to restart IE and reload this page". Killing the smaller/less CPU-intensive one kills IE completely.
Playing with FF, I noted some of the redirection after clicking on the search results page went to
registered to isprime.com in NJ. Don't know if that's relevant.
Checked hosts file, clean.
Checked DNS entries in cable modem, OK.
Then as I was explaining to my wife what the problem was, Task Manager suddenly popped up 3 new processes (the machine had been largely idle for the last few minutes):
mmc218.exe (2 instances of this)
at which point I hard-booted the machine (power switch off, then back on).
Now the bad news...boot sector apparently hosed, can't boot from HDD.
So I don't know if there's even anything to help...but maybe these are useful clues. Looking at the posts it would seem that search hijacks are all the rage today.
Edited by hamluis, 27 May 2011 - 02:42 PM.
Moved from MRL to Am I Infected, no logs.