
Infected router - Google search redirects even on a clean system

rpggamergirl
If your system is showing symptoms of browser hijacks or 'Google search redirects', check out my other article first and run the tool TDSSKiller to get rid of the infection.

Once that is done, if the PC seems to be clean but the redirects have not stopped, or if you have just reformatted your system and it still shows the same symptoms, then this article is for you; read on.


Router infections:

This infection has been doing the rounds for a while now; many PCs were infected last year and it is still active today, as seen here. Since it only needs to infect one PC on the network to affect every system sharing the same router, it is not surprising that a freshly reformatted PC can show the same symptom.


How it gets into the system:

Much like the Smitfraud family of infections, the Zlob/DNS changer trojans often trick the user by masquerading as a video codec to download. Once in, these trojans check for a wired or wireless hardware router. Once they know a router is in use, they guess the router's password by consulting a built-in list of routers with their default usernames and passwords. Once they have access to the router, they change its DNS settings, hence the name DNS Changer trojans.

However, if the user has changed the router's default username and password, these trojans cannot change the DNS settings. That is why it is very important to set your own username and password when you use a router. Unlike the Wareout infection (mentioned in another article), this one does not show any entries in the HijackThis log.
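One way to confirm that the router, rather than the PC, is handing out the bad resolvers is to look at what DHCP gave the machine. The Python script below is an added example, not part of the original article: it parses a constructed sample of `ipconfig /all` output (the addresses are made up; 198.51.100.77 is a documentation-range address standing in for an unknown public resolver) and flags any DNS server that is neither the router itself nor on a trusted list you supply.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real PC).
# 198.51.100.77 stands in for a stray public resolver pushed into the router.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

GATEWAY_RE = re.compile(r"\s*Default Gateway[ .]*: (\S+)")
DNS_RE = re.compile(r"\s*DNS Servers[ .]*: (\S+)")
CONT_RE = re.compile(r"\s+(\S+)\s*$")  # indented line holding one more address


def parse_ipconfig(text):
    """Return (default gateway, list of DNS servers) from `ipconfig /all` text."""
    gateway, dns, in_dns = None, [], False
    for line in text.splitlines():
        if m := GATEWAY_RE.match(line):
            gateway, in_dns = m.group(1), False
        elif m := DNS_RE.match(line):
            dns.append(m.group(1))
            in_dns = True          # extra resolvers follow on indented lines
        elif in_dns and (m := CONT_RE.match(line)):
            dns.append(m.group(1))
        else:
            in_dns = False         # any other line ends the DNS list
    return gateway, dns


def suspicious_dns(gateway, dns, trusted=()):
    """Resolvers that are neither the router itself nor on the trusted list."""
    # On a typical home LAN the router hands out its own address as the DNS
    # server; an unexpected public address points at tampered router settings.
    gw = ipaddress.ip_address(gateway)
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    flagged = []
    for server in dns:
        ip = ipaddress.ip_address(server.split("%")[0])  # drop IPv6 scope id
        if ip != gw and ip not in trusted_ips:
            flagged.append(server)
    return flagged
```

Pass your ISP's or chosen public resolvers in `trusted` if the router is configured to hand those out directly; anything left flagged is worth checking against the router's DNS page.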


The Fix:

Scan the system with your favorite scanner; Malwarebytes, for example, will handle this infection nicely.
Once every PC has been cleaned, reset the router to its default configuration. To do this, insert the tip of a paper clip or a cake skewer into the small hole labeled “reset” on the back of the router, then press and hold for about ten to 15 seconds. The router’s lights should go off and come back on.
Note that if other Zlob-infected PCs share the same router, they need to be cleaned before the router is reset; otherwise the trojan will simply go back and change the DNS settings again.

If needed, you can find most routers’ default passwords at this link: http://www.phenoelit-us.org/dpl/dpl.html.

Also check out these video tutorials on how to configure your router’s security settings: http://www.onguardonline.gov/topics/wireless-security.aspx

A new variant of the TDL4 rootkit has recently appeared that TDSSKiller does not detect, so if the issue lingers it could be that the Master Boot Record has been modified, and you would need to run the “Fixmbr” command from the Recovery Console to fix it.
If you have scanned with TDSSKiller and reset the router but the redirects have not stopped, post a question in the Virus & Spyware zone and we will be there to give you some assistance.

Hope you find this article helpful.

Comments (17)


Commented:
Voted yes

Author

Commented:
Jsmply, Mbizup,

Thank you for voting Yes!

Commented:
You're welcome RPG, but actually we should be thanking you. =)

Author

Commented:
@ Jsmply,

Your feedbacks on questions and continued support to my articles are what motivate me, and I am very grateful. :)

Commented:
Glad to hear it, we have said many times that access to RPG alone is worth the price of EE!

