Chrome Google search URLs changed into a webhp redirect; no rootkit; Avast! and eggheadcafe seem involved; reproducible on one machine. What happened?
Posted by jpluimers on 2012/02/16
Sometime in the last couple of days, Google or Google Chrome changed the default search URL.
What happened was that some page I had open in Google Chrome (all other web browsers were fine) forced the redirect.
I can only reproduce this on one system (that has both Avast! Antivirus installed, and Chrome open with the page http://www.eggheadcafe.com/searchform.aspx?search=Cross+Join+Excel) but not on other machines.
So far, it has taken me about a day of work (quarantining the machine, investigating whether it was a virus, rootkit or otherwise, trying to verify this is a one-off), and I still feel I don’t have the complete answer yet.
I still wonder if others have seen similar issues.
This is how it redirected:
The defaults have a truckload of junk around them, but come down to the URLs below (lmgtfy is the search phrase):
It used to be of this form (which now works again, after I closed all Google Chrome pages):
The redirect made it into a longer webhp form:
The fun thing is that if you enter the form
then you will end at the Google Search home page with the search phrase pre-filled in.
Now that is a pretty nifty “let me Google that for you” :)