According to the Internet, when google.com/search redirects to google.com/webhp, it means Search Conduit has hijacked the browser. In my case, this is what happens:
https://www.google.com/search?ie=utf-8&oe=utf-8&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official
redirects to
https://www.google.com/webhp?ie=utf-8&oe=utf-8&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official
however
https://www.google.com/search?q=scrubs
and
https://www.google.com/#q=scrubs
do not.
This doesn't seem to be a big problem really. The first URL is a manually modified URL that got generated when I entered "scrubs" in the address bar. The automatically generated URL did not redirect to a google.com/webhp address. However I would prefer not to have any unsafe redirects being done by browser since I'm not usually careful enough to notice them. I only noticed this one because I was actually playing with the URL. I was playing with it because I noticed something strange: the URL was
https://www.google.com/search?q=google+.com&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en:official&client=firefox-a&channel=fflb#channel=fflb&q=scrubs&rls=org.mozilla:en:official
I deleted the strange q=google+.com&
part, which gave the first URL, and that got redirected. For some reason I can't replicate the generation of the q=google+.com&
part now. But I'm seeing it in my browsing history.
Conduit Search was installed on my computer. I did my best to remove it, including a Malwarebytes Anti-Malware scan. I ran a scan again after noticing this just now, and with the new updates applied it found another registry key categorised PUP.Optional.Softonic.A, which seems to be associated with Conduit according to what I've found on Google. However after telling Malwarebytes Anti-Malware to quarantine that and restarting the computer, nothing changed -- the redirect is still on.
My questions:
How does the google.com/webhp thing work? My reasoning is that the reason for it being unsafe shouldn't be DNS resolution. If some malware modified how my DNS queries are resolved it wouldn't have to resort to changing the URL, right? So I think it points to something called "webhp" that's really Google-made, and probably less secure than the other Google-made thing called "search" so someone or something can get a chance to eavesdrop or whatever. Am I right? And in general, again, what's the webhp thing? Is it dangerous at all?
What was the
google+.com
doing in the automatically generated URL if all I did enter in my query was "scrubs"? Why does removing this part make a redirect possible?Finally, how can I put an end to this behavior?
My browser is Firefox 28.0 on Windows 7.