2/26/10
Original Poster
copotay

Google redirect using /url?sa= not a virus or malware, but...


Ok, first of all I have traversed the internet looking for answers including using the experts at bleeping computer to go through numerous scans of my system to figure out why.
 
XP SP3
 
Situation: Firefox and IE8: When I search off of the main google page for instance "test", I get the results, and upon clicking a link in my browser for "http://www.test.com/" it redirects to this shown below for a split second but then goes to the correct page:

/url?sa=t&source=web&ct=res&cd=1&ved=0CAsQFjAA&url=http%3A%2F%2Fwww.test.com%2F&rct=j&q=test&ei=W1iBS_zZKqH2Mrax0IsK&usg=AFQjCNH21KLjC0CBkjon2DwD_CZ0HApLMw

This occurs from the main google page and when clicking a link in the results it gives a double mouse click sound, (a redirect), before going to the chosen page showing the correct url. If you hover over the link it will not show this redirect link in the status bar, it only appears in the status bar when you right click, left click and hold, or if you look at the properties of the link it will be displayed in the properties window. It appears to be something related to a mousedown event. I have deleted all cookies and temp files and it still does this.

I have two other computers connected wirelessly to the same IP, an XP SP3 desktop with IE8 and a Vista IE7, through a Linksys router. Neither of these two computers shows this problem in the browser. I have researched and found other people with the same problem and that it could be Google Analytics and Google randomly choosing me for testing, however I cannot figure out why it would be just this computer and not the other two if they were going off of IPs for testing. If it is google, my mac address to the net is the router's so it can't be them honing in on the Mac address of this computer. It must be something hidden on my system that I have been unable to find. This is also not occurring with everyone that I have talked to, but some are having the same issue.
 
As previously stated I have gone through extensive scanning with the experts at bleeping computer who were unable to find any threatening rootkits or signatures. I uninstalled IE8 which reverted back to IE6, it worked, no more redirects. I reinstalled IE8, it redirected again. My computer is clean of any infections and if it is something that google is instituting, a company like google should put out information to their users just informing them of what is going on and why users will see these redirects so no one thinks that they are browser hijackers and go through all kinds of tedious, time consuming, searching, wasting the valuable time of experts for something that is not malicious.

Google is free, I have used it for years and love it, but you can use other search engines which will not give you headaches. From a consumer standpoint, to keep people using your free search engine, tell us what we may be dealing with in your redirects and that our browsers are not hijacked. I am far from naive to believe google does not and never has click tracked to support their company. That does not bother me as much as why only this computer, not my other two at home, not my work computer, not several friends that I have asked, which in turn makes me believe google has done something to this one computer, and several other people's computers on the net that have complained, that scanners cannot find because it is not malware/virus signatured.
 
If anyone knows what is causing this and how to stop it, please post. And I have read posts, blogs, and articles already about how google is using Ajax and will be using it a lot more which is why this url is showing up on only some computers and not others, for enhanced tracking purposes.

2/26/10
myself404
Maybe atapi.sys (windows/system32/drivers) is corrupted.
Look here:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=2


If this rootkit has finished its installation, the only noticeable sign of it is a slight binary difference between your atapi.sys and a valid one - date, time and size are equal (beyond the google redirect). So it was on my system.

Repair:
Boot with Linux or a BartPE CD, change the file atapi.sys for a valid one (note: there are at least two of them in your system), reboot - the google redirect was gone on my system. No guarantee it will be the same on your system.
Greets and good luck.
2/26/10
Original Poster
copotay
Tks a lot for the heads up, anything is worth trying at this point. I will have to wait until I get home to try it but I will post the results.
2/27/10
Expert - Top Contributor (Alumni)
Kaleh
I don't think you have anything to worry about. My laptop is doing the same thing (but not the other computer on my home network which is connected through a common router.)  I think it is a cookie based Google tracking thing.

If I right click/copy link location, the URL for [www .test .com] is identical to yours except for the [W1iBS_zZKqH2Mrax0IsK&usg] part ... and that changes each time I do a search and check the link location again.
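
Added example, not part of any post in this thread: a JavaScript check that decodes the rewritten link quoted in the original post, confirms it stays on the search site's `/url` path and that its `url` parameter is the result that was clicked, and lists which parameters differ between two captures, as the reply above describes. The origin `http://www.google.com`, the function names, and the second and mismatching links are assumptions constructed for the illustration.

```javascript
// Added example: triage a search-result link that was rewritten on mousedown.
// ASSUMPTION: the relative link resolves against this origin (the thread omits the host).
const SEARCH_ORIGIN = 'http://www.google.com';

// Parse the rewritten href and compare its embedded destination with the
// URL the result displayed before the click.
function analyzeRedirect(href, visibleUrl, origin = SEARCH_ORIGIN) {
  const link = new URL(href, origin);          // resolves relative "/url?..." links
  const dest = link.searchParams.get('url');   // searchParams percent-decodes once
  const extras = {};
  for (const [k, v] of link.searchParams) {
    if (k !== 'url') extras[k] = v;            // everything except the destination
  }
  let sameTarget = false;
  try {
    sameTarget = dest !== null && new URL(dest).href === new URL(visibleUrl).href;
  } catch { /* destination missing or not an absolute URL: stays false */ }
  return {
    sameOrigin: link.origin === new URL(origin).origin,
    redirectorPath: link.pathname === '/url',
    destination: dest,
    sameTarget,
    extras,
  };
}

// Names of the parameters whose values differ between two rewritten links.
function changedParams(hrefA, hrefB, origin = SEARCH_ORIGIN) {
  const a = new URL(hrefA, origin).searchParams;
  const b = new URL(hrefB, origin).searchParams;
  const names = new Set([...a.keys(), ...b.keys()]);
  return [...names].filter((n) => a.get(n) !== b.get(n)).sort();
}

// Link quoted in the original post.
const POSTED = '/url?sa=t&source=web&ct=res&cd=1&ved=0CAsQFjAA&url=http%3A%2F%2Fwww.test.com%2F&rct=j&q=test&ei=W1iBS_zZKqH2Mrax0IsK&usg=AFQjCNH21KLjC0CBkjon2DwD_CZ0HApLMw';
// CONSTRUCTED second capture: same search, placeholder ei value.
const SECOND = POSTED.replace('ei=W1iBS_zZKqH2Mrax0IsK', 'ei=CONSTRUCTED_PLACEHOLDER');
// CONSTRUCTED counter-example: url parameter pointing somewhere else.
const MISMATCH = '/url?sa=t&url=http%3A%2F%2Fother.example%2F&q=test';

console.log(analyzeRedirect(POSTED, 'http://www.test.com/'));
console.log(changedParams(POSTED, SECOND));
console.log(analyzeRedirect(MISMATCH, 'http://www.test.com/').sameTarget);
```
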
2/27/10
myself404
additional info:
 
 
>depending on hardware configuration other drivers could be compromised
 
To avoid these in the future, install intelligent script blockers like the FF plugin NoScript.
Have it on my private systems and never ever any virus problems.
2/27/10
myself404
@kaleh
 
If it's the mentioned rootkit, it gathers your searches and "phones them home".
If this is ok for you - fine.
But maybe this is not all it does - look at the mentioned links - quite a dirty little bugger.
 
Take care.
 
 
 
12/29/10
Google user
I found my website
the google search with parameters google.com/?sa=xxx this month.
Do it this problem  benefit of my seo, could you help me answer this question. my power balance online shopping.
 
 