Jump to content

Incredibly perplexing browser redirect - God level expert needed

Recommended Posts

Since the end of April, I've been experiencing a browser redirect with decreasing frequency that ultimately leads me to a fake Time Warner survey, the source of which has me completely stumped. Originally it only happened when visiting one site I frequent, and I was beginning to think the problem was on that website, however tonight it happened when I was at Yahoo's main page. The redirect does not happen when I first open the browser. It usually happens after I've been sitting idle on a page for a minute or two. At first it would happen multiple times per week but now it seems to happen once every week, and the intervals seem to be getting longer.

I get redirect from whatever site I'm at in the following manner:

From the site I'm at, too....


(Note: yimg.com is a Yahoo related domain. domain=https... will point from whatever page I'm at at the time of the redirect)

From there, too...


From there too...


And finally from there, too...

http://www.kewsurvey.com/?sid=isp.opt.3a6x&ow=us.ao96ho9gbr467d49.2col.nojs&isp=Time Warner Cable Internet Llc&browser=Chrome&os=Windows&region=California&city=Los Angeles&ip= States&device=DESKTOP&brand=Desktop&model=Desktop&country=US&track=t.surveysance.com&tid=0ba6f51c-279d-4a68-82c0-dc5e8b9e9e67&caid=3fc624b7-4074-4b7f-aa2a-a68cbc6a0c97&head=ret.ss.asp.ncxw9c&did=5269&voluumdata=BASE64dmlkLi4wMDAwMDAwMi1hMThiLTQ5MDQtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLmZmYzAwODAwLTQ1YmQtMTFlNy04MDMzLTliMGFkZTM1Nzk2MF9fY2FpZC4uM2ZjNjI0YjctNDA3NC00YjdmLWFhMmEtYTY4Y2JjNmEwYzk3X19ydC4uSEpfX2xpZC4uZmZjYzhjYjYtZGFmNy00NGUzLThiYjItZjMzNzkzNWNhODRjX19vaWQxLi5mMjQyZmIwOC05OWY5LTRiOTUtYTY5Yi00ODA4ZmY4MTE2OTlfX29pZDIuLmNmOTIwMWRiLWYyZjEtNGExYS1hZDI4LWRlYmVlNWI2ZDYxMF9fb2lkMy4uMTliZThlOTMtYzZiYS00M2FhLTgzY2UtZDYxZjhhNzE3ZDBlX19vaWQ0Li5kMjg3Y2ZlZS1jZDkzLTRkNDctOTMyZS1iY2ViM2ZlYjJjNTVfX29pZDUuLjFiY2RlMTI0LTEwYWQtNGEwNC04YWE5LTUxNzk0N2YzYjNhZV9fb2lkNi4uMjVlYzUyMGItNjc2YS00Y2Q4LWE0ZGMtMjg3M2MwMzIyMjA5X19vaWQ3Li42NDIzMGVjYy1jMTRiLTQwMTItOTI3Mi0wNzYyNTgzZjVmZDBfX29pZDguLmU0NWIxNjMyLWM3MGUtNGVjYi04YzE0LWIwYmM1NjE4MzhhMV9fb2lkOS4uNzA2NjY2MTItMTc1ZC00ZjVjLWFlZDQtOTFiMzFlOWI3YTg4X19vaWQxMC4uNGFiNTk5MjctMmU5OC00MDIwLTk0OGItZTI3NGZhN2E2ZGM3X19vaWQxMS4uMTUyZTBkYjktNTNkMy00NTkwLThlMmItMmM0N2JkNTY3NjJkX19vaWQxMi4uZjgyZmQwYTktYzQzZi00ZjY5LTgwMzQtMjNmZGNkMjJlZjE5X19vaWQxMy4uMzhkMWY0MzktMGE0NC00MzBlLWI0NGQtZTZmNWZiMjM5NDZlX192YXIxLi41MjY5X192YXIyLi4xMzAzMV9fdmFyMy4uNDU0MTRfX3ZhcjQuLlVTX192YXI1Li5Mb3MgQW5nZWxlc19fdmFyNi4uQ2hyb21lX19yZC4uZW5naW5lXC5cc3BvdHNjZW5lcmVkXC5caW5mb19fYWlkLi5fX2FiLi5fX3NpZC4uX19jcmkuLl9fcHViLi5fX2RpZC4uX19kaXQuLl9fcGlkLi5fX2l0Li5fX3Z0Li4xNDk2MjA2OTc1MDgz&c1=5269&c2=13031&c3=45414&c4=US&c5=Los Angeles&c6=Chrome


Only the last one, the kewsurvey.com site with the fake Time Warner Survey actually displays in the browser window. The others show up in the browser history. 

OS/Browser details

Windows XP, Google Chrome Version 49.0.2623.112 with only Google Docs and Google Docs offline extensions.

Scanners and Cleaners etc I have tried

1. Malware Bytes, full scan.

2. TDSSKiller

3. RogueKiller


5. HijackThis

6. Chrome Cleanup Tool

7. ADwCleaner


9. Malware Bytes Junkware Removal Tool

10. Norton Power Eraser

11. AVG

The scanners found nothing.


Other things I have tried

1. Deleting cookies/cache.

2. Uninstalling and reinstalling Chrome.

3. Resetting hosts file.

4. Resetting router settings from an old save point from 2013.

5. Changing DNS from ISP's to Google's.

6. Searching for recently installed files or programs.

7. Searching for anything unusual in the startup services or running in the background.


None of this has found the problem or solved it. This is the first time in 20 years I've not been able to locate malicious software. 

If you look up "spotcenered redirect" you will find a few other mentioned by others of the problem, and see what they have done to attempt to fix it, however none of these things have worked for me and I doubt they have worked for the others as well. 














Link to post
Share on other sites

  • Root Admin

Hello @DS8 and :welcome:

Which browser is this happening in? Does it affect only one browser or all browsers?

Please run the following (which you may have already run but I'd like to see the results of new scans please) and post back the logs when ready.


Please restart the computer first and then run the following steps and post back the logs when ready.

Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus




adwcleaner_new.png Fix with AdwCleaner


Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Clean.
  • Your PC should reboot now.
  • After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

Download Sophos Free Virus Removal Tool and save it to your desktop.

  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View Log file (bottom left-hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found, please confirm that result.

Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
  • Please attach the Additions.txt log to your reply as well.



Link to post
Share on other sites


Thanks for your reply. This problem has happened on Google Chrome. I have just recently installed Firefox but cannot tell yet if it happens with Firefox as well due to the length of the intervals between the redirects and the short period of time I have had Firefox.

I ran the scans as you directed. The files are attached below except the FRST files, which are attached in my previous post.

The only thing that found anything was Sophos, but they may be false positives as those files are working files to their respective programs, and haven't been accessed or modified for years.







Link to post
Share on other sites

  • Root Admin

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.




Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Click on Help / Troubleshooting Information then click on the Reset Firefox button.


I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the reset sync button and click on the button
At the prompt click on Ok.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and restart it and check it out for me please

Link to post
Share on other sites

I've done all of the things you have directed. I will let you know if the problem re-occurs. If it does, it might take over a week for it to do so as it's occurrence is so sporadic.

Could this type of thing be caused by a script embedded in an ad, without a component on my system itself? 

Link to post
Share on other sites

New development.

When I opened up Chrome today, it appears that I was directed to http://www.nextlnk12.com/?tp=iw&cid=5963&v=27&gnum=6&clickid=00170296p049989804414&cachecode=3vwpM4eW0elg0b4mfZCHQA&preload=pre2&ctag=58952514 

Which directed me to 


Which advises me to click on their website to turn off tracking...

I happened to have Chrome's Developer Tool's Networking tab open at the time. Should I post anything from that? And should I still only run Malwarebytes again or any additional things?

Concerning the browsers, before this problem, I had only Google Chrome and MS Internet Explorer installed. Chrome is the only browser I have used for a number of years and the Internet Explorer is very old and I don't recall ever using it except to download Chrome years ago. I recently installed Firefox after this issue began and have unistalled and re-installed Chrome...though it appears Chrome didn't actually completely uninstall because when I reinstalled it, it was identical to the old setup.


Edited by DS8
Additional info
Link to post
Share on other sites

4 hours ago, Rajat said:

I'm having exact same problem since today. Not sporadic for me. here is my story: 

I have a bookmark for watsapp for web. when I click that, it opens as normal. 

when I type, web.watsapp...., it autofills and when enter is pressed, it redirects to. 

"http://private.njoyapps.com/wim/lp/lp27/ index_23. php"

happens everytime. 

I did whatever reset is intructed above for browser but did run any programs. Malwarebytes is unable to detect this. 

My question is: will reinstalling windows solve this? I recently build a new comp and installed windows 10, so I won't loose too much. 

Also, I know where this most likely came from. 

I downloaded MagicISO from a third party link and while installing I clicked a couple of 'accepts' where I shouldn't have. It installed webdiscover and chromium which I removed. ran Malwarebytes scan which remove another 30-40 registry entries and what not.  but nothing on this. 

I also used Ninite.com to install some softwares. 


screenshot attached.


 In my case, I haven't downloaded any 3rd party software, perhaps with the exception where the anti-malware programs listed above could only be obtained by 3rd parties. I hadn't downloaded anything except the occasional pdf before this problem began and what downloads automatically during the course of normal web browsing. On the latter point, my browsing is generally limited to commercial and academic oriented websites and if I come across a site which I think might be of questionable integrity, I use Google Cache to view it or view it through a VPN. 

Link to post
Share on other sites

I just experienced the original redirect again. 

This time I was idling on a Chicago Tribune news story. I was afk and when I came back, the second I moved the mouse without clicking anything, I received the following redirect...









http://www.grimsurveys.com/?sid=isp.opt.3a6x&ow=us.ao96ho9gbr467d49.2col.nojs.lux.fb&isp=Time Warner Cable Internet Llc&browser=Chrome&os=Windows&region=California&city=Los Angeles&ip= States&device=DESKTOP&brand=Desktop&model=Desktop&country=US&track=t.pinksurveys.com&tid=0ba6f51c-279d-4a68-82c0-dc5e8b9e9e67&caid=3fc624b7-4074-4b7f-aa2a-a68cbc6a0c97&did=5269&voluumdata=BASE64dmlkLi4wMDAwMDAwMC1kYmNmLTRmNDQtODAwMC0wMDAwMDAwMDAwMDBfX3ZwaWQuLmM1YWQ4ODAwLTQ5NjgtMTFlNy04MjkyLWM0ZjE3NGYwOTZjYV9fY2FpZC4uM2ZjNjI0YjctNDA3NC00YjdmLWFhMmEtYTY4Y2JjNmEwYzk3X19ydC4uSF9fbGlkLi4zMmU3NTA2OC0yY2IzLTQyMDgtYjAxZi1kMzUxMzllZTcyMjRfX29pZDEuLmYyNDJmYjA4LTk5ZjktNGI5NS1hNjliLTQ4MDhmZjgxMTY5OV9fb2lkMi4uY2Y5MjAxZGItZjJmMS00YTFhLWFkMjgtZGViZWU1YjZkNjEwX19vaWQzLi4xOWJlOGU5My1jNmJhLTQzYWEtODNjZS1kNjFmOGE3MTdkMGVfX29pZDQuLmQyODdjZmVlLWNkOTMtNGQ0Ny05MzJlLWJjZWIzZmViMmM1NV9fb2lkNS4uMWJjZGUxMjQtMTBhZC00YTA0LThhYTktNTE3OTQ3ZjNiM2FlX19vaWQ2Li4yNWVjNTIwYi02NzZhLTRjZDgtYTRkYy0yODczYzAzMjIyMDlfX29pZDcuLjY0MjMwZWNjLWMxNGItNDAxMi05MjcyLTA3NjI1ODNmNWZkMF9fb2lkOC4uZTQ1YjE2MzItYzcwZS00ZWNiLThjMTQtYjBiYzU2MTgzOGExX19vaWQ5Li43MDY2NjYxMi0xNzVkLTRmNWMtYWVkNC05MWIzMWU5YjdhODhfX29pZDEwLi40YWI1OTkyNy0yZTk4LTQwMjAtOTQ4Yi1lMjc0ZmE3YTZkYzdfX29pZDExLi4xNTJlMGRiOS01M2QzLTQ1OTAtOGUyYi0yYzQ3YmQ1Njc2MmRfX29pZDEyLi5mODJmZDBhOS1jNDNmLTRmNjktODAzNC0yM2ZkY2QyMmVmMTlfX29pZDEzLi4zOGQxZjQzOS0wYTQ0LTQzMGUtYjQ0ZC1lNmY1ZmIyMzk0NmVfX3ZhcjEuLjUyNjlfX3ZhcjIuLjEzMDMxX192YXIzLi40NTQxNF9fdmFyNC4uVVNfX3ZhcjUuLk1hcmluYSBkZWwgUmV5X192YXI2Li5DaHJvbWVfX3JkLi5lbmdpbmVcLlxzcG90c2NlbmVyZWRcLlxpbmZvX19haWQuLl9fYWIuLl9fc2lkLi5fX2NyaS4uX19wdWIuLl9fZGlkLi5fX2RpdC4uX19waWQuLl9faXQuLl9fdnQuLjE0OTY2MTM0Mzk4ODI&c1=5269&c2=13031&c3=45414&c4=US&c5=Marina del Rey&c6=Chrome


You can see the only real difference is I am now being sent to www.grimsurveys.com instead of www.kewsurveys.com






Edited by DS8
Link to post
Share on other sites

  • Root Admin

Please go ahead and run Malwarebytes 3 and do a Threat Scan and post back that log. More than likely it will be clean, but want to make sure it is.

Then also run FRST again and make sure you place a checkmark in the Additions.txt check box and post back all 3 new logs as an attachment.



Link to post
Share on other sites

  • Root Admin

They're not really FP. Those files use certain installers or techniques of installing that are often frowned upon and why they're labeled as PUP. They may have recently been added to our database and why you may not have seen them detected before. Not typically dangerous stuff, just often they try to install other stuff on the box that you may not want.

Just to confirm. This only happens in Chrome?

I know we reset Chrome and other browsers before. Let's do that again. You can try this link for possible additional information on the reset. Just ignore their ads on the page, it is a good technical resource.


If that removes the redirect, great. If not then we may need to do a full uninstall of Chrome after exporting your bookmarks, etc. Don't just uninstall Chrome on your own though as there will still be files and folders that will need removal in order to really remove all of Chrome.

Let me know how the reset goes please.


Link to post
Share on other sites

As of yet, it has only occurred in Google Chrome, however I used Google Chrome exclusively until a few days ago. After the last redirect while using it, I uninstalled it and have been using the new Mozilla Firefox which I just installed the other day, so I've not been using it long enough to determine if it happens with Firefox as well.

I uninstalled Google Chrome using the add/remove programs in the Windows console, but this does not seem to actually completely deleted it from my system, as the last time I uninstalled it and re-installed using the original install file I had on backup (my system does not support the most recent version of Chrome), I noticed it merely revived the previously uninstalled one. Is there an easy way to wipe all traces of Google Chrome from my system?


Link to post
Share on other sites

  • Root Admin

You're correct @DS8 that Chrome does not cleanly uninstall. It actually sort of digs in like a tick and for no good reason I can think of makes it sort of like malware and difficult to remove fully for the average user. We actually flag other programs as PUP for that type of behavior yet not for Chrome probably as no one thinks of it in that way, but I do.

Do you use Google Drive, or Google Earth, or anything like that from Google? If not then just reboot the computer one more time and then run FRST and make sure to place a check mark in the Additions.txt checkbox and attach both of those logs and I'll help you to manually remove the left over elements of Chrome.

Firefox being new should no be experiencing that issue unless, or until you happen to run the same sort of dropper or javascript file that altered Chrome in the first place.


As a side note, if you're using an Android phone you probably do have a Google account. Need to login to it and make sure all syncing is disabled if shared with the PC using the same account.




Edited by AdvancedSetup
Link to post
Share on other sites


I agree with you about Chrome being tick like...unfortunately I didn't discover this until trying to uninstall it. It does run better on my system than Firefox and IE though, so it was less hassle when in use.

I'm positive I don't have anything synced to my Google accounts. I have double checked this to be certain.

I do have Google Earth but I don't see any references to Chrome in the remaining Google folders. Just to Google Earth.

Link to post
Share on other sites

  • Root Admin

You're using Symantec AntiVirus 10.1 Corporate version. Is this still a business computer or it's now your own personal computer?

That antivirus has to be almost useless now days as Symantec does not support it.

AV 10 original Release Date: 2005-04-27
End of Engineering Support 2012-07-04  (Last date for patch releases)
End of Assisted Support 2012-07-04 (Last date to contact support)

I would recommend you uninstall that and find another antivirus that is up to date and fully supports Windows XP Professional Service Pack 3 (X86)


Please read the following article concerning the use of MSCONFIG
Msconfig Is Not A Startup Manager


Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.









Link to post
Share on other sites


Sorry for the delay. I've experienced the redirect again, this time with the newer version of Firefox, only it no longer ends at a fake time warner survey, but at...


Where I am being asked to click to disable tracking.


I don't use Norton. It's been disabled for a while because it caused me more problems than it solved.

I have an old version of Google Earth that doesn't force install Google Chrome. Given that, and being that this problem is also occurring with Firefox, and has been reported to occur with other browsers, should I still proceed to delete Google Earth and Picasa?


Link to post
Share on other sites

  • Root Admin

Yes, both browsers can be affected. We'll go ahead and clean both. Once you've removed all of everything Google and backed up your bookmarks or other data then reboot the computer one more time and run a new FRST scan and attach both new logs so I can review and write an updated script to fully remove left over elements of Chrome.

Then we'll get rid of Firefox next.

When done, we can put back one or both if you like.



Link to post
Share on other sites

  • 2 weeks later...
  • Root Admin
9 hours ago, DS8 said:

Hi @DS8

We already knew that Firefox got it. Up to you we can spend the time again to scan for other stuff but rarely is it anything but a setting on the browser. Once the browser has that setting it's stuck in like a tick and most people have trouble removing it on their own. It's not magic. There are basically only a few reasons for it.

rootkit - persistent and normally redirects all pages. Have not seen one of these infections in a long time now.

router - router has been attacked due to weak or factory password. Rare, but happens. Affects every single device connected to it including phones and tablets.

browser - the very most common and millions of users infected by this method.

threat infection installed non rootkit - possible but often easy to find and remove by almost all security software.


Up to you how you want to proceed, but killing all Sync data from browsers like Chrome and Firefox, full removal, and reinstall normally fixes it. But, it can come right back in a flash if you're not careful and don't install popup and ad-blockers to help stop it.

If you'd like to scan for rootkits and threats please let me know.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.