# Firefox - Address bar keyword search redirected/hijacked



## Guest (Jun 2, 2008)

As most of you are probably aware, when you type something into Firefox's address bar without the prefix and suffix (I'm not sure what the technical term is) parts attached, by default you get redirected through Google, specifically http://www.google.com/search?ie=UTF-...ient&gfns=1&q=.

Recently, when I type something in, I get redirected instead to http://www.wsearch.net/?_inv. For instance, if I were to type in "techsupportforum", here's what happens (I recorded the status bar using Capture Me):

Connecting to techsupportforum...
Waiting for techsupportforum...
Connecting to www.wsearch.net...
Waiting for www.wsearch.net...
Connecting to searchportal.information.com...
Waiting for searchportal.information.com...
Connecting to ads1.revenue.net...
Transferring data from searchportal.information.com...
Connecting to adserving.cpxinteractive.com...
Waiting for adserving.cpxinteractive.com...
Connecting to ad.yieldmanager.com...
Connected to ad.yieldmanager.com...
Waiting for ad.yieldmanager.com...
Connecting to ad.yieldmanager.com...
Waiting for ad.yieldmanager.com...
Transferring data from ad.yieldmanager.com...
Connecting to ads1.revenue.net...
Waiting for ads1.revenue.net...
Done

This happens almost exactly the same way every time, no matter what I type into the address bar (as long as it doesn't have those html tags.)

I've checked my about:config, and the 'keyword.URL' preference is set to what it should be. I've also toggled 'keyword.enabled' on and off, to no avail. I've also deleted Firefox (the application as well as its Library/Application Support folder, losing all my add-ons and bookmarks, although I'm sure there's remnants elsewhere in the OS that I don't know about).

Any suggestions on what to do?

PS, I'm using
Firefox 2.0.0.14
Mac OS X Version 10.5.2 Build 9C31

Also, this may be of interest (it may or may not be related): recently, about as long as the 'wsearch' thing has been happening, I'm getting these strange 503 Service Unavailable errors. I'll go to a page that's definitely not been hijacked, like CNN, and get redirected to 'www.cnn.com/?unknown', with the 503 message. This happens to webpages seemingly randomly, not always on their front page. It seems to come and go randomly. It happens in both Safari and Firefox.

Thanks


----------



## sdfs (Jun 17, 2008)

This issue being discussed in some depth on three other forums.
http://www.digitalhome.ca/forum/showthread.php?t=87844
http://www.dslreports.com/forum/r20650476-503-Errors-and-redirects-to-wsearch-on-Rogers-wireless
http://forums.mozillazine.org/viewtopic.php?p=3408902#3408902

We are trying to figure out what is causing it.

It is NOT a Firefox bug, as it also appears in Safari and IE.

It is not DNSchanger, as I have personally run a scan for that trojan on my Mac, with clean results, and besides, the redirects don't match the described activity of DNSchanger.

It is not isolated to Macs. It has been documented now on three Windows machines, in both XP and Vista, including one of my own.

It is not a Google hack, as some have suggested, because the wsearch.net redirects are also happening from embedded hyperlinks on web pages.

It always seems to be random.

The 503 errors and the wsearch.net appear to be caused by the same thing.

Are you on Rogers wireless? Some people are speculating that it has something to do with factory pre-set configurations on Rogers' wireless modems, made by SMC. So far, that is the only common denominator we can find.

Please have a look at the other threads. The more people we can get discussing this, the sooner we'll have a solution.


----------



## sdfs (Jun 17, 2008)

Here is a fix for this problem.

NOTE: This is not a fix for the trojan called DNSchanger, or its variant called zlob. (If you think you may have DNSchanger, you can download a scanning app here: »www.dnschanger.com/)

This is a problem that appears to be isolated to SMC wireless modems and has nothing to do with DNSchanger. It seems some SMC modems, on various ISPs, are configured to redirect searches to wsearch.net pages. (DNSchanger will redirect you to all sorts of other pages.)

SYMPTOMS:
1) Links in Google search results randomly redirect to wsearch.net pages or 503 Error pages.
2) Hyperlinks in non-google web pages randomly redirect to wsearch.net pages or 503 Error pages.
3) Single-word entries, or other non-HTML entries, in the URL address bar redirect to wsearch.net pages or 503 Error pages.

(We think all the 503 Errors may be a result of overload on the wesearch.net server due to all the redirects.)

If you have an SMC wireless modem and are experiencing some or all of these problems, here is the fix.

In a browser window, visit the SMC modem page: »192.168.0.1/login.asp

Login as follows
Username: cusadmin
Password: password

From the sidebar menu, choose LAN.

Notice on the screen that appears that the "Domain Name" field has been preset with mygateway.com. Change this to one of the following OpenDNS IPs: 208.67.222.222 or 208.67.222.220

Click "APPLY" and you will see a prompt warning that your modem will have to reboot. Click "OK" on the prompt to reboot the modem.

When your modem reboots (about 30 to 40 secs) all the problems *should* be gone.

(NOTE: If you reset you modem, this will restore the wsearch.net Domain Name default. Something you probably don't want to do.)


----------



## tomdkat (May 6, 2006)

sdfs said:


> This is a problem that appears to be isolated to SMC wireless modems and has nothing to do with DNSchanger. It seems some SMC modems, on various ISPs, are configured to redirect searches to wsearch.net pages. (DNSchanger will redirect you to all sorts of other pages.)


Weird. Thanks for the info! :up:

Peace...


----------



## sdfs (Jun 17, 2008)

Note, it's been brought to my attention that this isn't exactly a "fix" but more of a "work around". Semantics, but true. It still gets results.


----------

