Closed Bug 730660 Opened 13 years ago Closed 13 years ago

Google search tab redirects to thewebtimes.net

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
10 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: billgisevil, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Build ID: 20120215223356 Steps to reproduce: Just downloaded product. No extre plug-ins or add-ons yet. Entered search term in tool bar location, used google default search engine. Resulting IRL links on google were redirected when clicked. Went to google directly, entered search term, resulting IRL links were redirected when clicked. Tried varying search terms/parameters no difference, always redirected. Next tried safari browser, used it in the same manner (from toolbar and directly from google), no problems, all links worked properly. This established that problem was neither with google site nor with computer. Problem was with firefox. Next conducted McAfee (updated today) full scan. No issues reported. Went back to firefox, selected yahoo option instead of google option to conduct search from toolbar location. Resulting links worked. Then went back to toolbar with google option. This time it worked, no more redirections of links. Also got same positive result from search in google itself. Links no longer redirected. Note: "Warn me when wesites try to redirect .." under "Options" , "General" was checked at all times. Actual results: After download and install 10.0.2, first time using default google option in search toolbar, all the resulting links returned from the search query, when clicked, were redirected to web site other than the one produced in the search results (not even close) [thewebtimes.net was the target site of the redirection]. Search terms and parameters were varied but same redirection result occurred. Visiting google site itself and conducting varied searches from within that site also produced the same redirection results. Expected results: Should have been able to use default google option in search toolbar and obtain resulting links in google that would not be redirected when clicked
Here's a relevant quote from http://www.techspot.com/vb/topic165915.html Topic: "Google search results being redirected in Firefox" "I got several viruses on my computer yesterday. McAfee found nothing, but MalwareBytes found 14 threats, which were promptly removed. Among them were Qhexia.exe and Qfc.exe. Can't remember the others.. However, in Firefox, Google and Yahoo search results are redirected to blank pages. E.g. I'll search for "blue", go to the Wiki entry on it and end up on a blank page with this address: ht tp://www.thewebtimes.net/?n=1306894928" So it appears this infection can evade McAfee Also see http://www.instructions.cleanallvirus.com/solved-how-to-remove-thewebtimes-net-thewebtimes-net-removal/
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Summary: misdirected IRL's from Google search tab → Google search tab redirects to thewebtimes.net
I followed up on the information provided and did some further detective work. The conclusion I reluctantly have reached is that your Mozilla Firefox software, downloaded directly from the Mozilla.org website, arrives pre-infected with the "thewebtimes.net" virus. In other words, the infection exists at the source. Here is what I have done. Keep in mind that the URL hijacking problem occurred ONLY in Firefix and NOT with either IE8 or Safari 5.1.2. First after reporting the bug, I uninstalled Firefox. I ran Mcfee VirusScan again and got nothing. I downloaded and ran "Stinger" (from McAfee) with full huristics and got nothing. I downloaded and ran "Malwarebytes" Anti-Malware. It found and reported the following: "Malwarebytes Anti-Malware 1.60.1.1000 www.malwarebytes.org Database version: v2012.02.29.02 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Surf Ghost :: GUESSWHO2 [administrator] 2/28/2012 23:57:45 PM mbam-log-2012-02-28 (23-57-45).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P Scan options disabled: Objects scanned: 291993 Time elapsed: 1 hour(s), 37 minute(s), 20 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 1 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Security Central (Rogue.SecurityCentral) -> Data: C:\Program Files\Security Central\Security Central.exe -> Quarantined and deleted successfully. Registry Data Items Detected: 2 HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully. Folders Detected: 0 (No malicious items detected) Files Detected: 2 C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully. C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully. (end)" To recap: The two files detected were identified as "Trojan.Downloader" The two Registry Data Items detected were identified as "PUM.Disabled.SecurityCenter"; and The one Registry Value detected was identified as: "Rogue.SecurityCentral" I reran Malwarebytes and this time got nothing. I reran VirusScan and again got nothing. I downloaded Firefox again from the Mozilla website. [NOTE: While attempting to enter my email address on the page where the download "button" is found (in order to opt in to be able to receive product info.) I noticed that any keyboard letter I pressed would be entered twice or three times in the dialogue box - - don't know what that means but I gave up trying to type my email address and just proceeded to download the software.] I downloaded and installed the software, launched the browser, typed "Confrontation Clause" in the search bar, used the "Google" default search engine, got the "Google" page return with various links. Tried the first link, it worked. Tried the next link, it got hijacked. Went back to the first link, hijacked this time. Same result for several more. I closed the browser. Tried IE and Safari and encountered NO problems. So I have uninstalled the software again. I conducted a VirusScan and a Malwarebytes scan again and got nothing. My conclusion is that the virus is already in the software stored on whatever Mozilla server I am accessing through my ISP. The Firefox software itself is infected and is conceivably and unwittingly spreading the infection to every machine that downloads from the server. It needs to be looked into. I would still like to try Firefox some day but not under these circumstances -- not until it is free of "thewebtimes.net" virus. So for now I bid you adieu.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
At this point we can't rule out that there is a rootkit that already had control of you computer before you installed Firefox, in which case any tools that you try to fight it with can be considered to be compromised by the rootkit and only a complete format and re-install of you OS will guarantee it's gone.
The downloads of Firefox from are clean of viruses, so you have something on your computer before the infection. Try running something like http://support.kaspersky.com/faq/?qid=208280684, or have a professional clean your pc.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago13 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.