firefox - google.com/search redirects to google.com/webhp but only sometimes

08
2014-07
  • ymar

    According to the internet when google.com/search redirects to google.com/webhp, it means Search Conduit has hijacked the browser. In my case, this is what happens:

    https://www.google.com/search?ie=utf-8&oe=utf-8&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official
    

    redirects to

    https://www.google.com/webhp?ie=utf-8&oe=utf-8&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official
    

    however

    https://www.google.com/search?q=scrubs
    

    and

    https://www.google.com/#q=scrubs
    

    do not.

    This doesn't seem to be a big problem really. The first URL is a manually modified URL that got generated when I entered "scrubs" in the address bar. The automatically generated URL did not redirect to a google.com/webhp address. However, I would prefer not to have any unsafe redirects being done by the browser since I'm not usually careful enough to notice them. I only noticed this one because I was actually playing with the URL. I was playing with it because I noticed something strange: the URL was

    https://www.google.com/search?q=google+.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official
    

    I deleted the strange "q=google+.com&" part, which gave the first URL, and that got redirected. For some reason I can't replicate the generation of the "q=google+.com&" part now. But I'm seeing it in my browsing history.

    Conduit Search was installed on my computer. I did my best to remove it, including a Malwarebytes Anti-Malware scan. I ran a scan again after noticing this just now, and with the new updates applied it found another registry key categorised PUP.Optional.Softonic.A, which seems to be associated with Conduit according to what I've found on Google. However after telling Malwarebytes Anti-Malware to quarantine that and restarting the computer, nothing changed -- the redirect is still on.

    My questions:

    • How does the google.com/webhp thing work? My reasoning is that the reason for it being unsafe shouldn't be DNS resolution. If some malware modified how my DNS queries are resolved it wouldn't have to resort to changing the URL, right? So I think it points to something called "webhp" that's really Google-made, and probably less secure than the other Google-made thing called "search" so someone or something can get a chance to eavesdrop or whatever. Am I right? And in general, again, what's the webhp thing? Is it dangerous at all?

    • What was the "google+.com" doing in the automatically generated URL if all I did enter in my query was "scrubs"? Why does removing this part make a redirect possible?

    • Finally, how can I put an end to this behavior?

    My browser is Firefox 28.0 on Windows 7.
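
An added example, not part of the original post: everything after `#` in a URL is a fragment, which the browser keeps to itself and does not send in the HTTP request. Splitting the four URLs from the question this way shows that only the edited one requests `/search` with no `q` in the query string, which matches the single redirect the question observed. The function names are made up for this illustration.

```javascript
// Added example: the four URLs below are copied from the question.
const URLS = {
  fromHistory: "https://www.google.com/search?q=google+.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official",
  edited: "https://www.google.com/search?ie=utf-8&oe=utf-8&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official",
  plainSearch: "https://www.google.com/search?q=scrubs",
  fragmentOnly: "https://www.google.com/#q=scrubs",
};

// Split a URL into what the server receives and what stays in the browser.
function serverView(rawUrl) {
  const u = new URL(rawUrl);
  // The fragment reuses key=value pairs, so parse it like a query string.
  const fragment = new URLSearchParams(u.hash.replace(/^#/, ""));
  return {
    path: u.pathname,
    sentToServer: u.pathname + u.search, // the fragment is never part of this
    serverQ: u.searchParams.get("q"),    // null: the server sees no search term
    fragmentQ: fragment.get("q"),        // only page script in the browser can read this
  };
}

// Labels of URLs that ask for /search without giving the server a term.
function searchRequestsWithoutTerm(urls) {
  return Object.entries(urls)
    .filter(([, raw]) => {
      const v = serverView(raw);
      return v.path === "/search" && v.serverQ === null;
    })
    .map(([label]) => label);
}

for (const [label, raw] of Object.entries(URLS)) {
  console.log(label, serverView(raw));
}
console.log("search requests with no term:", searchRequestsWithoutTerm(URLS));
```

In the URL from the browsing history the server-side term is `google .com` and `scrubs` exists only in the fragment; deleting `q=google+.com&` leaves the server with no term at all.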

  • Answers
  • Travis

    Google.com/webhp is a valid Google website. Just like Google.com/ncr or Google.com/jp it is something that Google uses to help with localization so you get to the correct Google server based on your locale.

    You are overthinking the redirects as being harmful. The redirects in themselves are not harmful, the Conduit redirects are though.

    Here is how to remove Conduit:

    Step 1 : Uninstall Conduit Search from Control Panel.

    Click on the Start button, then click on Control Panel, and then click on the “Uninstall a Program” or Add/Remove Programs option. You’ll get a list of all the installed programs. Now right-click on “Search Protected by Conduit” or “Conduit Engine” and then click on the uninstall option.

    Step 2 : To Remove Conduit Search from Mozilla Firefox.

    • Open Mozilla Firefox, click on the Tools menu (press the “Alt” key once to activate the menu bar), then go to Options. A configuration page will open; click on the General tab and look at the very first section, named Startup. Under Startup you will see a HOME PAGE edit box, and under this edit box you will see www.search.conduit.com. Replace it with www.google.com, then click on Apply and close.

    • Restart the Firefox browser.

    • Open Firefox and then go to the Tools menu (press the “F10” key once to activate the menu bar) and click on Add-ons. On the page that opens, click on Extensions in the left side pane. In the right side pane you’ll see all the installed add-ons listed. Disable or remove the search.conduit.com add-on, and also disable all the unknown / unwanted add-ons there.

    • Open Firefox and then go to the Help menu (press the “F10” key once to activate the menu bar).

    • Go to the Help menu, then click on “Troubleshooting information”. Note: you can also open this page another way: open Firefox, type “about:support” (without quotes) in the address bar, and then hit Enter or OK.

    • You will get the “Troubleshooting information” page, where you will find the “Reset Firefox” option on the right side of the page.

    • Click on the Reset Firefox option and follow the instructions to reset. Now your Mozilla Firefox has been restored to default settings.

    Step 3 : To Remove Conduit Search from Registry

    • Press “Windows key + R” (flag sign key + R) to get the Run box, then type “REGEDIT” into the Run box and click on OK. You’ll get a Registry Editor window. Back up the registry first using File / Export!

    • In the Registry Editor, click on the Edit menu and then click on the Find option. You’ll get an edit box to search for any string in the registry.

    • Type “search.conduit” into the find box and then click on Find Next.

    • The search result will highlight the key or value which contains the Conduit string.

    • Now delete the registry key/value/value data if any of them contains the “search.conduit.com” string. Note: do not delete the complete value data, just delete the search.conduit.com path only.

    • Use the F3 key to find the next result, and repeat the last step for all results.

    Step 4 : To Remove conduit from Startup

    • Press “Windows key + R” (flag sign key + R) to get the Run box, then type “MSCONFIG” into the Run box and click on OK. You’ll get an msconfig window.

    • In the msconfig window click on the Startup tab. Here you’ll get all the start-up entries, so look through the list and uncheck the entries which contain conduit. Also uncheck all the other entries which you find unwanted. Then click on OK to apply all the changes.

    • In the msconfig window click on the Services tab. Here you’ll get the list of all startup services. Click on “Hide Windows Services” and all the Windows-related services will be hidden, so that only the third-party installed services are displayed. Now look through the list and uncheck the service which contains the conduit string. Also uncheck all the unknown / unwanted services. Then click on OK to apply all the changes.

    Delete conduit related files from computer

    C:\Users\user22\Appdata\Local\Conduit\BackgroundContainer\BackgroundContainer.dll
    C:\Users\user22\Appdata\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W21JBUFV\TBUpdaterLogic[1].dll
    C:\program files\SearchProtect\Main\bin\CltMngSvc.exe
    C:\program files\SearchProtect\SearchProtect\bin\cltmng.exe
    C:\program files\SearchProtect\UI\bin\cltmngui.exe
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4T11GDL\DefaultTabSetup[1].exe
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XL68N412\SearchProtectGeneric2[1].exe
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2QWWNA9U\how-to-remove-conduit-search[1].htm
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\51YLL6DN\search_conduit_com[2].htm
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQ3R17KE\Conduit[1].htm
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQ3R17KE\Conduit[2].htm
    C:\Users\user22\Appdata\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RQ3R17KE\remove-conduit-search-1024×346[1].png
    

    Delete folders from computer

    C:\program files\Conduit
    C:\ProgramData\Conduit
    C:\Users\user\Appdata\Local\Conduit
    C:\Users\user\Appdata\Local\Conduit\BackgroundContainer
    C:\Users\user\Appdata\LocalLow\Conduit
    C:\program files\SearchProtect
    C:\program files\SearchProtect\SearchProtect
    C:\Users\user\Appdata\Local\SearchProtect
    C:\Users\user\Appdata\Local\SearchProtect\SearchProtect

    Delete conduit related registry keys

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\tree\BackgroundContainer Startup Task
    HKEY_LOCAL_MACHINE\SOFTWARE\Conduit
    HKEY_CURRENT_USER\SOFTWARE\Conduit
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\BackgroundContainer
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Conduit
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\ConduitSearchScopes
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\uTorrentControl_v6\toolbar\Repository\conduit_CT3289075
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\DefaultTab
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\SearchProtect

    Delete conduit related registry value

    HKEY_CURRENT_USER\SOFTWARE\microsoft\windows\Currentversion\run :: BackgroundContainer ::: “C:\Windows\system32\Rundll32.exe” “C:\Users\user\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll”,DllRun
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\IECT3289075 :: DisplayIcon ::: C:\ProgramData\Conduit\IE\CT3289075\SetupIcon.ico

    Delete conduit related registry value data

    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\SearchProtect :: Publisher ::: Conduit
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\SearchProtect :: DisplayName ::: Search Protect
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\SearchProtect :: DisplayIcon ::: C:\PROGRA~1\SearchProtect\SearchProtect\bin\cltmng.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\SearchProtect :: UninstallString ::: “C:\PROGRA~1\SearchProtect\Main\bin\uninstall.exe” /S
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\IECT3289075 :: UninstallString ::: C:\ProgramData\Conduit\IE\CT3289075\UninstallerUI.exe -ctid=CT3289075 -toolbarName=uTorrentControl_v6 -toolbarEnv=conduit -type=IE -origin=AddRemove -userMode=1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1} :: (Default) ::: Conduit Community Alerts
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}\InprocServer32 :: (Default) ::: C:\Program Files\Conduit\Community Alerts\Alert.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{40FA19B4-9006-41DA-BB11-F936BE177162} :: AppPath ::: C:\Users\user\AppData\Local\Conduit\CT3289075
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97192212-B1FB-4A85-90CD-7A8DF6BB0CEC} :: Path ::: \BackgroundContainer Startup Task
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\BackgroundContainer\LogicFileManager :: LogicFilePath ::: C:\Users\user\AppData\Local\Conduit\BackgroundContainer\TBUpdaterLogic_1.0.0.1.dll
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Conduit\Community Alerts\Settings :: ALPClientsServerName ::: http://alert.client.conduit.com
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Conduit\Community Alerts\Settings :: ALPServicesServerName ::: http://alert.services.conduit.com
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Conduit\RevertSettings :: ConduitLatestHomePage ::: http://search.conduit.com?SearchSource=10&CUI=UN39173047331940281&UM=1&ctid=CT3289075&SSPV=IE_No_DUM_G
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\uTorrentControl_v6\toolbar :: GroupingServerURL ::: http://grouping.services.conduit.com/
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\uTorrentControl_v6\toolbar :: SearchServerUrl ::: http://search.conduit.com
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\uTorrentControl_v6\toolbar :: Server ::: users.conduit.com
    HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\uTorrentControl_v6\toolbar :: UsageURL ::: http://usage.users.conduit.com/UsersWebService.asmx/UsersRequests
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\DefaultTab :: DisplayName ::: DefaultTab
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\DefaultTab :: InstallLocation ::: “C:\Users\user22\AppData\Roaming\DefaultTab\DefaultTab”
    HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows\Currentversion\Uninstall\DefaultTab :: UninstallString ::: “C:\Users\user22\AppData\Roaming\DefaultTab\DefaultTab\uninstalldt.exe”
    HKEY_CURRENT_USER\SOFTWARE\microsoft\windows\Currentversion\Uninstall\Save Sense :: DisplayName ::: Save Sense (remove only)
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01} :: (Default) ::: DefaultTab Browser Helper
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\InprocServer32 :: (Default) ::: C:\Users\user22\AppData\Roaming\DefaultTab\DefaultTab\DefaultTabBHO.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\ProgID :: (Default) ::: DefaultTabBHO.DefaultTabBrowser.1
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F6AFBF1-E065-4627-A2FD-810366367D01}\VersionIndependentProgID :: (Default) ::: DefaultTabBHO.DefaultTabBrowser
    

    Reboot


  • Related Question

    redirection - Stop Firefox from redirecting mistyped domains to ask.com
  • tenpn

    When I get a URL wrong at the top level (i.e. when DNS lookup returns NXDOMAIN), my Firefox browser redirects me to ask.com. How do I remove or customise this functionality? There's nothing obvious in the options dialogue and Google isn't being helpful—probably because I don't know the correct name for the error!

    I'm running Windows, Firefox 3.0.14. Not malware, I think I accidentally installed it with realplayer or something.


  • Related Answers
  • secureBadshah
    1. Type about:config in Firefox location bar and press Enter.
    2. Type keyword in Filter textbox and you will see only the preference keyword.URL.
    3. Click keyword.enabled to set it to false. This will disable the search functionality.
    4. If you want to keep the search functionality but use another search engine then double-click on keyword.URL and change the value to say "http://www.google.com/search?btnI=I%27m+Feeling+Lucky&q=" which is the Firefox default.
  • Richard

    If you're on Windows, check Add/Remove Programs (or its equivalent) for anything called something like Ask.com Search Assistant or URL Assistant and try uninstalling them if they're there.

  • AnonJr

    As mentioned earlier, there's probably a "helper" program that came with the Ask Toolbar that is still resident. If it's not in the Add/Remove programs, you may want to look at the list of services running as it may have placed itself there too.

    Check your Proxy/DNS settings to see if the Ask Toolbar didn't set Ask as the DNS service. It may have changed it in the Firefox settings and/or it may have changed the global Internet Options in Windows.

    In most cases, you can clean up a lot of junk left behind by applications by using tools like CCleaner.

  • fireflame

    This is a tricky one! In my case, the redirect occurred in the Firefox config file, but the clever toolbar people didn't redirect directly to Ask.com or yahoo.com; the browser is redirected to another site which redirects you. This is how I fixed it:

    In Firefox type

    about:config in the address bar. (Ignore the warning.)

    Search for keyword.URL

    and change it to Default.
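
An added example, not from any of the posts above: a read-only check of a Firefox `prefs.js` for the settings these answers edit by hand (`keyword.URL`, plus `browser.startup.homepage`, the preference behind the Home Page box). Because a hijacker may point at an intermediate site rather than the final search page, it compares hosts against an allowlist instead of searching for a known bad name. The sample file content, `redirector.example` and the allowlist are constructed assumptions.

```javascript
// Added example. Constructed prefs.js content; redirector.example is a placeholder host.
const SAMPLE_PREFS = [
  "// Mozilla User Preferences",
  'user_pref("browser.startup.homepage", "http://www.search.conduit.com/|about:home");',
  'user_pref("keyword.enabled", true);',
  'user_pref("keyword.URL", "http://redirector.example/go?q=");',
  'user_pref("browser.tabs.warnOnClose", false);',
].join("\n");

// Preferences that decide where typed text and the start page are sent.
const WATCHED = ["keyword.URL", "browser.startup.homepage"];
// Assumption: the hosts this user actually chose. Adjust per machine.
const ALLOWED_HOSTS = new Set(["www.google.com"]);

// Parse user_pref("name", value); lines into a Map, skipping everything else.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^user_pref\("([^"]+)",\s*(.+)\);\s*$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line.trim());
    if (!m) continue; // comments and blank lines
    try {
      prefs.set(m[1], JSON.parse(m[2])); // values are JSON-style literals
    } catch {
      // leave out values that are not plain strings, booleans or numbers
    }
  }
  return prefs;
}

// Report every watched preference whose URL host is not on the allowlist.
function auditPrefs(text) {
  const findings = [];
  const prefs = parsePrefs(text);
  for (const name of WATCHED) {
    const value = prefs.get(name);
    if (typeof value !== "string") continue;
    for (const part of value.split("|")) { // the homepage pref may hold several URLs
      let url;
      try { url = new URL(part); } catch { continue; }
      if (!/^https?:$/.test(url.protocol)) continue; // about:home and similar
      if (!ALLOWED_HOSTS.has(url.hostname)) findings.push({ name, host: url.hostname });
    }
  }
  return findings;
}

console.log(auditPrefs(SAMPLE_PREFS));
```

Run it against a copy of the profile's `prefs.js` while Firefox is closed; an empty result means both preferences are unset or point at allowed hosts.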