
Google "webhp" Redirect? Possible Hijack?


8 replies to this topic

#1 TornadoTK

TornadoTK

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 14 March 2014 - 04:54 AM

So out of nowhere, I realize that Google URLs are starting to look a little off:

 

"https://www.google.com/webhp?tab=ww&ei=ccEiU9ubN8SGogSOjIHICA&ved=0CBQQ1S4"

 

Granted, this doesn't happen when I use the Firefox search engine bar, or the address bar search. It only starts to happen if I search on Google, and then click the Google logo in the top left corner (which gives me that URL). Then my URLs begin to go from

 

"https://www.google.com/#q=bleeping+computer"

 

to

 

"https://www.google.com/webhp?tab=ww&ei=m8UiU9OUI8T7oATGiIDYBQ&ved=0CBcQ1S4#q=bleeping+computer"

 

After some Googling, it appeared to be a common problem possibly related to Conduit, but I can't find any traces of Conduit, toolbars, search engine bar hijacking, edited host files, changes in internet connection settings - anything! Anyone got a clue as to what it could be and where I might start to piece this puzzle together?

 

Running Windows 7 HP x64 SP1, using Avast Free.


Edited by TornadoTK, 14 March 2014 - 04:55 AM.



 


#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:56 AM

Posted 14 March 2014 - 06:08 AM

Hello and Welcome -

 

I am not sure if this is your Home Page but please check your Home Page settings -

"https://www.google.com/#q=bleeping+computer" From this page check your settings.

Go - Tools > Internet Options > Set this as your home page, or a second home page http://www.google.com

Then > Connections > LAN Settings and there should only be 1 tick at top Automatically detect settings.

Click OK > OK > and recheck how things look.

 

 

Now:

Please download AdwCleaner by Xplode and save to your Desktop.
NOTE : Please close or save all work, as the computer will be Rebooted
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button. (only once)
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review. 
If you see any which you do not want removed, remove the check mark next to it. 
Next: Click on the Clean button (only once) to remove the selected items. 
You will receive a message telling you that all programs will be closed so that the infections can be removed.
Click on OK, and then OK again to confirm the reboot.
When the cleaning process is complete, a log (AdwCleaner[S0].txt) of what was removed will be on your desktop.
Please copy and then paste this log in your next post.

A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

Next -

Download Malwarebytes' Anti-Malware Free (aka MBAM)
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.
Be sure to reboot the computer if required after you post the log.
To remove all "found items" you can follow the steps in this Malwarebytes illustrated blog post:
http://blog.malwarebytes.org/news/2013/09/selecting-all-pups/

 

 

Finally -

Please download Temp File Cleaner TFC by Old Timer
* Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
* Double-click on the TFC icon.
* Vista / Windows 7 & 8 users Right click on the icon and select Run as Administrator
* When the program opens, click on the Start button. 
* TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
* When done, press OK and reboot your computer to finish the cleanup.



#3 TornadoTK

TornadoTK
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 14 March 2014 - 01:35 PM

# AdwCleaner v3.022 - Report created 14/03/2014 at 10:24:15
# Updated 13/03/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : TornadoTK - MAINTK2014
# Running from : C:\Users\TornadoTK\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Windows\SysWOW64\AI_RecycleBin

***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16521


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\TornadoTK\AppData\Roaming\Mozilla\Firefox\Profiles\wk7ddi9f.default\prefs.js ]


*************************

AdwCleaner[R0].txt - [837 octets] - [14/03/2014 10:17:48]
AdwCleaner[S0].txt - [763 octets] - [14/03/2014 10:24:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [822 octets] ##########
 

 



Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.14.05

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16521
TornadoTK :: MAINTK2014 [administrator]

3/14/2014 10:30:01 AM
mbam-log-2014-03-14 (10-30-01).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 453047
Time elapsed: 24 minute(s), 3 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Program Files\Adobe\Adobe Bridge CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\Adobe Photoshop CS6 (64 Bit)\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Adobe\Adobe Bridge CS6\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
C:\Program Files (x86)\Adobe\Adobe Photoshop CS6\amtlib.dll (PUP.RiskwareTool.CK) -> Quarantined and deleted successfully.
D:\uTorrent Downloads\Windows7-Ultimate-Sp1-X86&X64-RTM-Genuine-Untuched(Dark4m)\Activator\Windows.7.Loader.v2.0.6-DAZ\Windows Loader.exe (Hacktool.Agent) -> Quarantined and deleted successfully.

(end)
 



Getting user folders.
 
Stopping running processes.
 
Emptying Temp folders.
 
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
 
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Public
 
User: TornadoTK
->Temp folder emptied: 1323432051 bytes
->Temporary Internet Files folder emptied: 471311520 bytes
->Java cache emptied: 580472 bytes
->FireFox cache emptied: 420769696 bytes
->Flash cache emptied: 55196 bytes
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 200704 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 312844764 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 48342 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 43293684 bytes
 
Emptying RecycleBin. Do not interrupt.
 
RecycleBin emptied: 0 bytes
Process complete!
 
Total Files Cleaned = 2,453.00 mb



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:56 AM

Posted 14 March 2014 - 06:39 PM

Hello -

Please add an Update on the computer problem with each post.

 

We are never sure if you need deeper / more help, or if the programs solved it.

You may have 1 browser clear, but there may be extensions to remove from others.

 

Example : My question ................

I am not sure if this is your Home Page but please check your Home Page settings.

 

Without a reply, I do not know these answers, and only you can provide them.



#5 TornadoTK

TornadoTK
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 14 March 2014 - 06:47 PM

Homepage is fine, hasn't changed. Firefox network settings are also okay, everything is still default and nothing appears to be wrong.

 

Problem still persists, same method to recreate it (Go to google.com, attempt to search, return to Google main page via top-left logo).

 

Still links to "https://www.google.com/webhp?tab=ww&ei=gpQjU7ecMcaLrQHVz4HICA&ved=0CBcQ1S4"

 

 

 

Hopefully this can better demonstrate what's going on exactly: http://imgur.com/a/sf8uz


Edited by TornadoTK, 14 March 2014 - 06:56 PM.


#6 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:56 AM

Posted 15 March 2014 - 03:42 PM

Hi -

Sorry if this sounds a bit "off" to you, but I only see a "normal" Google search page.

 

The first picture looks like you have set Firefox as your home page and not Google.

The second Google picture looks Exactly like my Google Home Page.

 

I have 2 home tabs set up, the first (Google) is the one I see when I go online, and the other one is a second tab.

 

I will admit that mine is via Internet Explorer, as I do not bother with F/fox or Chrome.

My spare browser (Avant) also shows the Exact picture that you show (Google home page).

 

This is why I did ask if your Home Page settings were all OK.

 

Please tell me exactly how you spell your home page, so that it comes up as the F/fox emblem.

Mine is set as I have listed above, but I finish it with .au for Australian settings.

 

EDIT -

Please click on GOOGLE in my signature and tell me if this is what you see -


Edited by noknojon, 15 March 2014 - 04:19 PM.


#7 TornadoTK

TornadoTK
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 15 March 2014 - 04:18 PM

The reason I posted those pictures is not for the first or second, as they show "normal" URLs. That is normal Firefox and normal Google. Take note of the URLs displayed in the third and fourth pictures:

 

http://i.imgur.com/hMasNTO.png   http://i.imgur.com/AjfRlxk.png

 

Notice the URLs lead off with that same string: webhp?tab=ww&ei=qJUjU-KMDcqFqQHPuYGIBw&ved=0CBcQ1S4

 

My default homepage is the default Firefox homepage, not a URL. Regardless of whether or not I start at Google, I can always replicate the hijack by following these steps:

  1. Attempt a Google search.
  2. Click on the Google logo in the top left corner to return to the Google home page.

Normally, this would take you to "https://www.google.com/", but I get taken to "https://www.google.com/webhp?tab=ww&ei=XsMkU5baBOiUjAKa7YG4BQ&ved=0CBoQ1S4".

 

I'm trying to figure out why it keeps taking me to "https://www.google.com/webhp?tab=ww&ei=XsMkU5baBOiUjAKa7YG4BQ&ved=0CBoQ1S4" and what the "webhp?tab=ww&ei=XsMkU5baBOiUjAKa7YG4BQ&ved=0CBoQ1S4" string is about.


Edited by TornadoTK, 15 March 2014 - 04:18 PM.
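
A triage check for the URLs quoted in this thread, as an added example that is not part of any post: it confirms the scheme and host are unchanged, lists the query parameters, and decodes the `ei` value. It assumes the widely reported observation (not a Google specification) that the first four bytes of the base64url-decoded `ei` are a little-endian Unix timestamp; the function names and the look-alike URL are constructed for illustration.

```python
import base64
import struct
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# URLs quoted in posts #1 and #7 of this thread.
THREAD_URLS = [
    "https://www.google.com/webhp?tab=ww&ei=ccEiU9ubN8SGogSOjIHICA&ved=0CBQQ1S4",
    "https://www.google.com/webhp?tab=ww&ei=XsMkU5baBOiUjAKa7YG4BQ&ved=0CBoQ1S4",
]
# Constructed look-alike for contrast: "google.com" is only a label prefix here.
LOOKALIKE = "https://www.google.com.search-results.example/webhp?tab=ww"


def is_google_com_host(host):
    """True only for google.com or a subdomain (country domains need their own entry)."""
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def ei_timestamp(ei):
    """Assumption: leading 4 bytes of `ei` are a little-endian Unix time (UTC)."""
    try:
        raw = base64.urlsafe_b64decode(ei + "=" * (-len(ei) % 4))
    except ValueError:
        return None
    if len(raw) < 4:
        return None
    (seconds,) = struct.unpack("<I", raw[:4])
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def triage(url):
    """Summarise what actually differs between a 'clean' and an 'odd' URL."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    ei = query.get("ei", [None])[0]
    return {
        "https": parts.scheme == "https",
        "google_host": is_google_com_host(parts.hostname),
        "path": parts.path,
        "params": sorted(query),
        "ei_time": ei_timestamp(ei) if ei else None,
    }


if __name__ == "__main__":
    for u in THREAD_URLS + [LOOKALIKE]:
        print(triage(u))
```

For both thread URLs the host check passes and the decoded `ei` time falls on the day the corresponding post was written, while the constructed look-alike fails the host check.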


#8 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:06:56 AM

Posted 15 March 2014 - 05:13 PM

My default homepage is the default Firefox homepage, not a URL.

The default Firefox home page would take you to their forum or similar information, not a Google type search page.

If I set mine to Microsoft (as I use I.E.) then it would not be Google search related - - -

 

Always set a URL for the home page, this way you can tell if it is ever redirected. You are guessing.

Now open I.E. and click Tools > Internet Options and set a home page.

 

Earlier you told me that your Home Page was still set as a normal (when I gave you the Google link).

 

My looking, is that you are just being sent to Google pages not redirected ????????????

 

I keep running your links and I just get a "normal" Google search page,

 

If yours is Not set, how can it be redirected ??

 

If it is set, please give me the link (URL) so I can trace it

 

Here => http://i.imgur.com/AjfRlxk.png You mistyped Testing as "Test String" and you were just taken to all related Test String responses (as I would hope you do). Very normal and good.

 

As I can see no problems or infections, But yes I do see one Extended URL.

Would you like to up this to the Experts area?

Please post back with Home Page settings, or if you would prefer to upgrade the problem.

 

 

 

 Please Fully read and follow the instructions in the Preparation Guide starting at Step #6.

 

If you are unable to complete any step, please post the topic and leave a full description of your problems.

 

When you have done that, start a new topic and post the required logs to  Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts only.

 

 Please Use Copy / Paste for your responses, and Do Not Attach them unless your helper requests this.

 

 If Help Bot responds to your topic, please follow his Step #1 so the team will be notified.

 

 After doing this, please reply back in this thread with a link to the new topic so we can close this one.

 

EDIT - I left here and clicked on My Normal Home Google search URL - It reads as

https://www.google.com.au/?gfe_rd=ctrl&ei=etEkU-fKDubC8gfHpoHYCw&gws_rd=cr

The .au is just because I have it set as Australia, no other reason ..............


Edited by noknojon, 15 March 2014 - 05:24 PM.


#9 mds92124

mds92124

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:56 PM

Posted 06 October 2014 - 08:42 PM

I was having the google.com/webhp problem and discovered that it only happened when I invoked Google Chrome through iStart. If I went through Windows 7 Start and ran Google directly it did not intervene. I checked the iStart link definition and it was correct -- no reference to webhp. But if I clicked the button, I went to google.com/webhp. I deleted the Google Search button and recreated it. That solved the problem.





