Address bar keyword search redirected

Discuss various technical topics not related to Mozilla.
TSAU956
Guest

Address bar keyword search redirected

Post by TSAU956 »

As most of you are probably aware, when you type something into Firefox's address bar without the prefix and suffix (I'm not sure what the technical term is) parts attached, by default you get redirected through Google, specifically http://www.google.com/search?ie=UTF-...ient&gfns=1&q=.

Recently, when I type something in, I get redirected instead to http://www.wsearch.net/?_inv. For instance, if I were to type in "techsupportforum", here's what happens (I recorded the status bar using Capture Me):

Connecting to techsupportforum...
Waiting for techsupportforum...
Connecting to www.wsearch.net...
Waiting for www.wsearch.net...
Connecting to searchportal.information.com...
Waiting for searchportal.information.com...
Connecting to ads1.revenue.net...
Transferring data from searchportal.information.com...
Connecting to adserving.cpxinteractive.com...
Waiting for adserving.cpxinteractive.com...
Connecting to ad.yieldmanager.com...
Connected to ad.yieldmanager.com...
Waiting for ad.yieldmanager.com...
Connecting to ad.yieldmanager.com...
Waiting for ad.yieldmanager.com...
Transferring data from ad.yieldmanager.com...
Connecting to ads1.revenue.net...
Waiting for ads1.revenue.net...
Done

This happens almost exactly the same way every time, no matter what I type into the address bar (as long as it doesn't have those html tags.)

I've checked my about:config, and the 'keyword.URL' preference is set to what it should be. I've also toggled 'keyword.enabled' on and off, to no avail. I've also deleted Firefox (the application as well as its Library/Application Support folder, losing all my add-ons and bookmarks, although I'm sure there's remnants elsewhere in the OS that I don't know about).

Any suggestions on what to do?

PS, I'm using
Firefox 2.0.0.14
Mac OS X Version 10.5.2

Also, this may be of interest (it may or may not be related): recently, about as long as the 'wsearch' thing has been happening, I'm getting these strange 503 Service Unavailable errors. I'll go to a page that's definitely not been hijacked, like CNN, and get redirected to 'www.cnn.com/?unknown', with the 503 message. This happens to webpages seemingly randomly, not always on their front page. It seems to come and go randomly. It happens in both Safari and Firefox.

Thanks
User avatar
Euchre
Posts: 2804
Joined: April 16th, 2006, 12:48 pm

Post by Euchre »

Well that's odd...
Looks like an LSP, but uh - you're on a Mac. I've heard that there are a very few spyware hijacks that work on Macs, but it's possible you've got one. I have also heard of an ISP (especially 'bargain' ISPs) using redirects which in effect become an 'external LSP' and effectively is 'external spyware'. The fact it happens in both your browsers tells me that your system level DNS or somewhere beyond that in your DNS is being changed to that hijacked state. More details about your network (if any) and ISP and such would help greatly.
Gecko
One Rendering Engine to rule them all.
TSAU956
Guest

Post by TSAU956 »

Euchre wrote:More details about your network (if any) and ISP and such would help greatly.
I'm happy to give you what I know - if there's some kind of HJT for network info or an in-depth internet monitoring tool, then point me to it and I'll copy whatever it is you might need, but tell me if there's anything I should delete that's sensitive.

But this is my understanding:

My ISP is Rogers Cable, in Ontario, so beyond heavy traffic shaping I don't think they're that shady. I use a wireless router, secured with WPA and a semi-strong password. However, there was a period of time (1 week or so, I'd say) after I bought the router that I didn't have encryption enabled, but still used the computer. I think I'm a fairly-savvy computer user, but I may have downloaded something along the way.

And although this is really just me ranting now, I've gotta say - the 503 error is just about the most annoying thing that's ever happened (maybe second to Compressor not working in Leopard). It pops up for seemingly no reason. One minute, CNN's not working, the next, hotmail - I really wish I was on a PC right now, so I could find more people with the same problem. Macs are great for spyware until you get some, and then you're the only one who has it.

Thanks for replying.
User avatar
Euchre
Posts: 2804
Joined: April 16th, 2006, 12:48 pm

Post by Euchre »

The only things I can find referring to a wsearch exploit are for Windows. Unless you are for some reason proxying through a Windows box for some reason, I can't find anything that explains the idea of Mac OS X having a hijack. I'm not so familiar with the way OS X maps it's DNS out, but I suppose I might try to learn! One thing I would say is that for Leopard to be hijacked at that level you should've been prompted for a password before installing whatever it would be. Unless your ISP uses Windows for it's servers (which is sadly quite possible) I can't find any reason other than intentional that they'd be routing through the wsearch domain. If you were experiencing these issues in Windows (even via Boot Camp or Parallels or VMWare Fusion or some form of virtualization) I'd understand, but at this point I don't.

Edit to add: Just for kicks, go into System Preferences, then Network, then click on the Airport item in the list at left. Next click the Advanced button which will bring down a property sheet. Click DNS and see what it lists under DNS Servers and Search Domains.
Gecko
One Rendering Engine to rule them all.
TSAU956
Guest

Post by TSAU956 »

Euchre wrote:Edit to add: Just for kicks, go into System Preferences, then Network, then click on the Airport item in the list at left. Next click the Advanced button which will bring down a property sheet. Click DNS and see what it lists under DNS Servers and Search Domains.


Hm, good call. Here's the window: http://i289.photobucket.com/albums/ll21 ... ure1-1.png

I went to mygateway.net, and found something interesting:
http://i289.photobucket.com/albums/ll21 ... cture4.png
Compare that to:
http://i289.photobucket.com/albums/ll21 ... cture3.png

So clearly it's not Firefox. I guess you probably figured this out already, but it seems to be the case that my router manufacturer (SMC) annoyingly decided to enter mygateway.net to hijack searches. Apparently this has been happening for some time - http://www.dslreports.com/forum/remark,16516734.

So I guess all I have to do now is find where I wrote down the password for accessing 192.whatever, or call Rogers. Hopefully this will fix the 503 error as well - at the very least I'll know to stay away from SMC in the future.

Thanks for your help Euchre.
User avatar
Euchre
Posts: 2804
Joined: April 16th, 2006, 12:48 pm

Post by Euchre »

Ah, indeed. So SMC is the one selling out to spyware. If you'll note from reading the thread you posted about, your login is almost certainly a 'user login' and you won't have the access to change the settings necessary to eliminate the problem. I'd suggest complaining to your ISP about their use of hardware that comes preloaded with a form of spyware. You might even want to do it publicly.

Meanwhile, you should be able to tell Mac OS X to use DNS and search domains of your own choosing. That should resolve your issue for now.
Gecko
One Rendering Engine to rule them all.
TSAU956
Guest

Post by TSAU956 »

Well I called Rogers, and their position was essentially "Have you cleared your cookies and cache? Well, are you on Internet Explorer 6, or 7? Oh, you're on a Mac? Hold on. (6 minute hold) Okay, reset your router please, and we recommend using Internet Explorer, we don't support Firefox."

The annoying thing is the guy told me I wasn't able to reset the Domain Name setting, when I actually am (just put it as 192.168.0.1, problem solved). And after I told him the router had come preloaded with a spam website preset, he basically glossed over it and said the 503 error and spyware hijack were probably my fault for using Firefox, and not to call back again if the problem reoccurs.

But you know, it must really suck to be one of those IT guys - stupid ISPs make crap moves like this and they end up having to defend it.
User avatar
Euchre
Posts: 2804
Joined: April 16th, 2006, 12:48 pm

Post by Euchre »

This should broadcast all over as serious stupidity on Rogers' part.
1. There is no more Internet Explorer for Mac. Microsoft no longer offers it, nor supports it. It has not issues any security updates for the last Mac version published 8 years ago.
2. Internet Explorer is vastly more likely to become hijacked than any other browser, period.
3. The denial is stupid. Never, ever have I heard of or seen an exploit for any OS that can change the DNS settings of a modem or router - much less one that would work on a Mac. I defy them to find any such thing, and better yet - demonstrate it.
Gecko
One Rendering Engine to rule them all.
Gandhi
Guest

Having the same problem

Post by Gandhi »

Hey Guys,

I am operating on Mac OSX too and having exactly the same problem with the SMC modem that I received from Rogers. I called up their Tech Support and the guy convinced me that was some kinda adware or spyware; but when I ran an anti-virus and MacScan it still didn't fix the problem. Please advice on any solution or I am thinking of returning the modem.

Thanks.
sdfs
Posts: 25
Joined: June 10th, 2008, 9:55 pm

Post by sdfs »

TSAU956 wrote:The annoying thing is the guy told me I wasn't able to reset the Domain Name setting, when I actually am (just put it as 192.168.0.1, problem solved).


Finally some other people are posting about this. I've had this problem for about 2 months now, ever since going to a wireless router from...you guessed it...Rogers. (There must be thousands of people out there with these things.) I too am on a Mac running Leopard and Firefox (I get the same problem in Safari, btw). Random 503 messages on totally viable site (ie Google). It makes my blood boil. And now the "wsearch.net/?unknown" redirect started in the last few days.

I'm not as tech savvy as you guys. TSAU956 (or someone) can you please explain the above procedure to correct the problem in non-techie terms? How do I change the Domain Name...is it in the advanced network settings?

Many thanks.
Guest
Guest

Post by Guest »

Hey guys,

I had the same problem and was able to solve it using your suggestions. I was being redirected to wsearch.net. Here's what you can do to solve your issue on Mac OS X (I have Leopard):

1. go to system preferences.
2. go to Network
3. select Air port on the left column
4. go to advanced options
5. pick the DNS tab
6. on the left column (under DNS servers), add 192.168.0.1

you should have 192.168.0.1 repeating twice now (one copy is grayed out and one is black and clickable)

hope this helps.
sdfs
Posts: 25
Joined: June 10th, 2008, 9:55 pm

Post by sdfs »

Have made the changes. Many thanks. Hopefully it stops. Rogers should be sued for this.
Guest
Guest

Post by Guest »

How does one correct this in a windows computer? My gf has same problem with her Dell.
User avatar
Euchre
Posts: 2804
Joined: April 16th, 2006, 12:48 pm

Post by Euchre »

Please note, this is based on the people using Rogers Cable. If you use an SMC device with the same issue through another ISP, your settings may vary.

What version of Windows?
If it's XP, this should work:
If the network connection icon (two little monitors that blink) is showing in your System Tray (the icons by the clock), right click it and choose Status. If it is not showing, open the Control Panel then open Network Connections, then right click the Local Area Connection (or whichever icon is showing as connected) and choose Status.
The Connection Status dialog will open to the General tab by default - if it does not, just click General at the top and you will be taken the correct tab. At the bottom of the General tab click Properties.
In the dialog that comes up you will see a list of items which includes Internet Protocol (TCP/IP). Click that item, then click Properties. At the bottom of the next dialog you will see a radio button (filled in dot) by "Obtain DNS server address automatically" Click the empty radio button below it to fill it, then by "Preferred DNS server" and "Alternate DNS server" enter 192.168.0.1 then click OK to close that dialog, and OK for the previous, and Close on the Local Area Connection Status dialog.

If you are having issues with searches after that, I am not aware of a special place to change the search domain(s) used by Windows as you see them on a Mac.
Gecko
One Rendering Engine to rule them all.
Slave2darkbeat
Guest

THANK YOU!

Post by Slave2darkbeat »

Thanks so much for your help Guest. I have never had any problems with my Mac before and have just started using Rogers. My Gmail AND the link for MacScan brought me to http://wsearch.net/?unknown.

If this is indeed a Rogers issue, then all I have to say is "hmph".

Cheers!


Anonymous wrote:Hey guys,

I had the same problem and was able to solve it using your suggestions. I was being redirected to wsearch.net. Here's what you can do to solve your issue on Mac OS X (I have Leopard):

1. go to system preferences.
2. go to Network
3. select Air port on the left column
4. go to advanced options
5. pick the DNS tab
6. on the left column (under DNS servers), add 192.168.0.1

you should have 192.168.0.1 repeating twice now (one copy is grayed out and one is black and clickable)

hope this helps.
Locked