I recently started getting these redirects using XP and Google Chrome, most often on links to YouTube pages but also to other web pages. I then found that my computer was badly infected with malware when I downloaded Spybot Search and Destroy. It found several infections that antivir had not found, but was unable to remove many of them. The problem seems to affect Google Chrome more than Firefox, which I started using after I began to get these redirects. When I tried to log into internet banking, Chrome wouldn't connect to the page, and instead displayed a message saying that it was unable to make a secure connection and that something might be interfering with my internet connection, although I was able to connect with Firefox.
So I (fully) formatted and partitioned my hard drive, installed XP on one partition, Ubuntu on another, with a fat32 swap area in-between.
(This is my first foray into Linux)
A few days later I began to get the same redirects in Firefox using Ubuntu, and downloaded ClamAV but it couldn't find anything wrong. I also downloaded NoScript, but subsequently enabled bbc.co.uk, and shortly after that got a fake redirect on Firefox when I tried to click on a link to a Google search result to a page on bbc.co.uk. Clearing my temporary internet files usually fixes the links, but the problem reappears again shortly after.
So I formatted that partition of the hard drive again, re-installed Ubuntu, and also rkhunter, and all seemed fine for a day. The following day I downloaded Google Chrome for Ubuntu, and just a few minutes later I began to get the same redirects again!
I purged Chrome from my PC, ran rkhunter again, and also downloaded and ran chkrootkit and Unhide. Neither chkrootkit nor Unhide seemed to find anything wrong, and the positives that rkhunter reports seem to be consistent with false positives that other people say it reports. I have also read through the system log, copied and pasted anything that looks (to me) to be suspicious into Google, and searched to see if anyone else has reported the same lines from their log as being suspicious. So far, I have been unable to find any trace of malware on my Ubuntu installation, but the problem remains.
The first thing I did after re-installing Ubuntu, was to enable the firewall with the following commands:
sudo ufw allow ssh/tcp
sudo ufw logging on
sudo ufw enable
sudo ufw status
...and everything seemed fine until I downloaded Chrome (from the official site) the next day.
After each time I change the software, I open a terminal and type:
sudo rkhunter --propupd
I also understand that I am supposed to add the line:
...after software updates, but I have been unable to locate the latter to add the former to it, so I'm not even sure if I am using rkhunter effectively.
I use the standard firewall on XP and the free version of antivir anti-virus. I haven't used XP much since re-installing it, but did get one such redirect on yet another link to YouTube when using Firefox, and when I tried to close the page, my anti-virus software caught TR/Crypt.ZPACK.Gen7 being downloaded. Fortunately it seems to have dealt with it successfully, but I haven't dared to install Chrome on XP again.
I have also noticed that every time I run Spybot Search and Destroy on XP after restarting my computer, it finds a few problems including changes to the Registry, although it reports them as minor, and is able to fix them. Perhaps I should post this in a separate topic in the XP section of the forum, but I thought I should mention it here in case it's relevant.
I am now wondering if there could be a nefarious rootkit hidden somewhere on my hardware, that somehow affects Chrome more than Firefox, and is able to affect Ubuntu to a greater extent than XP, possibly due to the lack of effective (and free) anti-malware software (or my lack of ability to use it effectively) available for Ubuntu.
Any advice would be much appreciated, as I am still very much a beginner with Linux. Please let me know if I should post any logs etc.