
Google webhp virus

  • 25 October 2012
  • 3 replies
  • 1002 views

I just read about the "webhp" virus for Chrome after noticing that phrase in my omnibox. I want to know if it is real, what type of threat it is to my browsing, and most importantly why my Secure Anywhere Complete didn't catch or remove it when I scan. It's pretty upsetting that a virus can exist on my computer after I bought this product. Can anyone help alleviate my concerns or tell me what I can do? Please. 

Best answer by Kit 1 November 2012, 22:55

Great news!  It's not an issue, despite lots of people screaming muddy blurder over it (clean blurders are not as bad as muddy ones).  google.com/webhp is Completely Normal.



If it's really going to https://google.com/webhp or https://www.google.com/webhp (The official Google server is the critical part), then you're fine. If it goes to something like google.com.webhp.com/stuffhere, that is bad.

 

Web Home Page

 

That URI (Uniform Resource Indicator; the part of a web address after the server) handles all sorts of data for Google.  For example, I typed in "squishy green" and then clicked on "green squishy baff" in the dropdown selector.  My URL was like this:

 

https://www.google.com/webhp#hl=en&sclient=psy-ab&q=green+squishy+baff&oq=squishy+green&gs_l=hp.1.2.0i30j0i8l2j0i8i30.264043.266355.4.274802.13.13.0.0.0.0.211.1260.9j3j1.13.0.les%3B..0.0...1c.1.IHoXvGgJsG0&pbx=1&bav=on.2,or.r_gc.r_pw.r_qf.&fp=525df9d0db58cfce&bpcl=37189454&biw=1680&bih=873

 

Parts of that that we can easily determine:

hl=en means the home language is English.

q=green+squishy+baff shows the final query that was looked up.

oq=squishy+green shows what I was typing before I clicked on the final query.

 

Everything else is Google Inner Workings. It helps Google figure out what you were typing, how you were typing it, and what it showed you as options, as well as what you clicked on. That way they can try to figure out what the most popular options are and what people are actually looking for. If they find out that most people who type "squishy green" will click on "green squishy baff", they will start trying to present it as an option when you have typed "squishy gree" and then "squishy gre" and "squishy gr" and so on, to figure out how to speed things up for people.

 

Simply put, google.com/webhp (or Google.ca or other Google international domains) is perfectly fine.

 

Tricky thing that a lot of people don't realize:

Chrome stores your data on their servers and synchronizes. If the master browser sets the home page to something, any time you log into another computer's Chrome with your Google account, it will go to that home page. That means that it's possible for a virus to steal your Chrome and Google credentials on a completely different computer, then set your server sync data to a fake home page. -NO- antivirus can prevent this because it's using Google's secure communication with your Chrome login to send it, but if the site is Really, REALLY Bad, then WSA will still block it. So if you get an infection on a computer that doesn't have WSA on it, it can take over your Chrome home page on every single computer that syncs to Google. It'll even take over your home page on Macs and iPhones and Android Phones running the page sync. It also affects Firefox and Opera and any other system that syncs to the network.
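Added example, not part of the answer above or of any Webroot tooling: the host check and the `hl`/`q`/`oq` breakdown described in the answer, written as a small JavaScript function. The function name `inspectHomePage`, the allow-list contents and the https requirement are assumptions made for illustration; the sample URLs are constructed from the ones quoted in the answer.

```javascript
// Added example. The allow-list holds only hosts named in the answer above
// (an assumption); extend it with the Google country domains you actually use.
const TRUSTED_HOSTS = new Set([
  "google.com", "www.google.com", "google.ca", "www.google.ca",
]);

function inspectHomePage(raw) {
  let url;
  try {
    url = new URL(raw); // throws on anything that is not an absolute URL
  } catch {
    return { trusted: false, reason: "not a parseable absolute URL" };
  }
  // The parser lowercases the host. Compare the whole hostname, never a
  // substring, so "google.com.webhp.com" is not mistaken for "google.com".
  const host = url.hostname;
  if (url.protocol !== "https:") {
    return { trusted: false, host, reason: "not https" };
  }
  if (!TRUSTED_HOSTS.has(host)) {
    return { trusted: false, host, reason: "host is not an official Google server" };
  }
  // The search state sits after '#', in key=value&key=value form.
  const params = new URLSearchParams(url.hash.slice(1));
  return {
    trusted: true,
    host,
    path: url.pathname,
    language: params.get("hl"), // interface language
    query: params.get("q"),     // final query that was looked up
    typed: params.get("oq"),    // what was typed before picking a suggestion
  };
}

// Constructed sample inputs, shortened from the URLs quoted in the answer.
const samples = [
  "https://www.google.com/webhp#hl=en&sclient=psy-ab&q=green+squishy+baff&oq=squishy+green",
  "https://google.com.webhp.com/stuffhere",
];
for (const s of samples) {
  console.log(s, "=>", JSON.stringify(inspectHomePage(s)));
}
```

The same check applies to a synced home page setting: read the stored URL and compare its hostname exactly, rather than looking for "google.com" somewhere in the string.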

 

 

3 replies

Hello msteve72 and Welcome to the Webroot Community Forums!
 
Can you please Submit a Support Ticket and they will be happy to look at your possible issue and they will be able to tell more info about your concerns and if you are infected they will help you remove it without issues and free of charge! ;)
 
TH