Infected router - Google search redirects even on a clean system
If your system is showing symptoms of browser hijacks or 'Google search redirects', check out my other article first and run the tool TDSSKiller to get rid of the infection.
Once that is done, if the PC seems to be clean but the redirect has not stopped, or if you have just reformatted your system and it still shows the symptoms, then this article is for you. Read on.
This infection has been doing the rounds for a while now: many PCs were infected last year and it is still going. It only needs to infect one PC on the network to affect every system that shares the same router, because the router, not the PC, is what holds the changed DNS settings and hands them to every client. So it is not surprising that a newly reformatted PC shows the same symptom.
How does it get into the system:
Much like the Smitfraud family of infections, the Zlob/DNS Changer trojans usually trick the user into downloading them by masquerading as a video codec. Once in, the trojan checks whether the PC sits behind a wired or wireless hardware router. If it finds one, it guesses the router's login by consulting a built-in list of router models and their factory-default usernames and passwords. Once it has access to the router it changes the router's DNS server settings, which is why these are called DNS Changer trojans.
If the user has changed the router's default password, however, the trojan cannot log in and so cannot change the DNS settings. That is why it is so important to set your own password (and your own username, where the router allows it) when you set one up.
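The quickest way to confirm that the redirect comes from the router rather than from the PC is to look at which DNS servers the PC was handed by DHCP. The script below is an added example for this article, not the article's own code: it parses `ipconfig /all` output and classifies each IPv4 DNS server as the router itself (a private LAN address, the normal case), a resolver you trust, one of the rogue resolver ranges the FBI published for the DNSChanger case, or an unexpected public address that deserves a closer look. The `ipconfig` sample embedded in it is constructed for the example, and the `TRUSTED` list in the usage section is an assumption you should replace with your own ISP's resolvers.

```python
"""Classify the DNS servers a Windows PC received from its router.

Added example for this article (not the article's own code). A constructed
`ipconfig /all` sample is embedded so the script runs offline; on a real PC
it runs `ipconfig /all` itself.
"""
import ipaddress
import re
import subprocess

# Private address ranges: a home router normally hands out its own LAN address
# as the DNS server and forwards queries to the ISP's resolvers.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Rogue resolver ranges published by the FBI for the DNSChanger (Rove Digital) case.
ROGUE_NETS = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20", "67.210.0.0/20", "93.188.160.0/21",
    "77.67.83.0/24", "213.109.64.0/20", "64.28.176.0/20",
)]

# Constructed sample of `ipconfig /all` output from a PC behind a router whose
# DNS settings were changed. Not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.45
                                       203.0.113.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

DNS_LINE = re.compile(r"\s*DNS Servers[ .]*:\s*(.*)$")


def _parse_ip(text):
    """Return an ip_address for `text` (ignoring an IPv6 scope id) or None."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None


def parse_dns_servers(ipconfig_text):
    """Return the IPv4 DNS servers listed in `ipconfig /all` output, in order.

    The first server follows the 'DNS Servers' label; additional servers are
    printed one per line, indented, until the next labelled field.
    """
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        match = DNS_LINE.match(line)
        if match:
            collecting, value = True, match.group(1)
        elif collecting and line[:1].isspace() and _parse_ip(line) is not None:
            value = line  # continuation line holding one more server
        else:
            collecting = False
            continue
        addr = _parse_ip(value)
        if addr is not None and addr.version == 4:
            servers.append(str(addr))
    return servers


def classify(server, trusted=(), rogue_nets=ROGUE_NETS):
    """Label one DNS server: ROGUE, LAN, TRUSTED or UNEXPECTED."""
    addr = ipaddress.ip_address(server)
    if any(addr in net for net in rogue_nets):
        return "ROGUE"
    if any(addr in net for net in LAN_NETS):
        return "LAN"
    if server in trusted:
        return "TRUSTED"
    return "UNEXPECTED"


def check_dns(ipconfig_text, trusted=()):
    """Return [(server, verdict), ...] for every IPv4 DNS server in the output."""
    return [(s, classify(s, trusted)) for s in parse_dns_servers(ipconfig_text)]


def router_looks_hijacked(ipconfig_text, trusted=()):
    """True when any configured DNS server is rogue or unexpected."""
    return any(v in ("ROGUE", "UNEXPECTED") for _, v in check_dns(ipconfig_text, trusted))


if __name__ == "__main__":
    TRUSTED = ("8.8.8.8", "8.8.4.4")  # assumed trusted resolvers; replace with your ISP's
    try:
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # not on Windows: fall back to the constructed sample
        text = SAMPLE_IPCONFIG
    for server, verdict in check_dns(text, TRUSTED):
        print(f"{server:<16} {verdict}")
    if router_looks_hijacked(text, TRUSTED):
        print("DNS servers are neither the router nor a trusted resolver: check the router.")
```

A LAN verdict is the healthy case for a home network. A ROGUE or UNEXPECTED verdict on a PC you have just cleaned or reformatted is the strongest sign that the router, not the PC, is what needs fixing. Logging in to the router's admin page and comparing its DNS fields against the same lists confirms it.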
Unlike the Wareout infection (mentioned in another article), this one does not show any entries in the HijackThis log, because the changed DNS settings live in the router rather than on the PC.
Scan the system with your favourite scanner; MalwareBytes, for example, will handle this infection nicely.
Once every PC has been cleaned, reset the router to its factory-default configuration. To do this, push the tip of a paper clip or a cake skewer into the small hole labelled "reset" on the back of the router and hold it for about ten to fifteen seconds. The router's lights should go off and come back on. Afterwards, log in and check that the DNS settings are set to automatic or to your ISP's servers.
Note that if other Zlob-infected PCs share the same router, they need to be cleaned before the router is reset; otherwise the trojan will simply log in again and change the DNS settings back. The reset also puts the router back on its factory-default password, which is exactly what the trojan looks for, so change the password immediately afterwards.
If needed, you can find most routers' default passwords at this link: http://www.phenoelit-us.org/dpl/dpl.html
Also check out these video tutorials on how to configure your router's security settings: http://www.onguardonline.gov/topics/wireless-security.aspx
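Since the trojan gets in by trying factory-default logins, it is worth testing your own router the same way after you have reset it and set a new password. The script below is an added example, not from the article: it sends HTTP GET requests with Basic authentication for a handful of common factory defaults and reports the first pair the router accepts. The credential list is a short illustrative sample rather than a complete default-password list, and the router address is an assumption. Run it only against a router you own. Many routers use a login form instead of HTTP Basic auth and return 200 for the login page whatever the header says, so on those a reported "hit" is a false positive and must be confirmed by hand.

```python
"""Test whether a router's web interface still accepts factory-default logins.

Added example for this article (not the article's own code). Run it only
against a router you own; the router address and the credential list are
illustrative assumptions.
"""
import base64
import urllib.error
import urllib.request

# Short illustrative sample of factory defaults; a real list is much longer.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("admin", "1234"),
    ("root", "admin"),
]


def basic_auth_header(username, password):
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, username, password, timeout=5):
    """GET `url` with Basic credentials and return the HTTP status code.

    A router protected by Basic auth answers 401 to a wrong password and
    200 (the admin page) to the right one.
    """
    request = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(username, password)}
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def find_accepted_default(url, credentials=DEFAULT_CREDENTIALS, status_for=http_status):
    """Return the first (username, password) pair the router accepts, else None.

    `status_for` is injectable so the logic can be exercised without a router.
    """
    for username, password in credentials:
        if status_for(url, username, password) == 200:
            return (username, password)
    return None


if __name__ == "__main__":
    ROUTER_URL = "http://192.168.1.1/"  # assumed router address
    hit = find_accepted_default(ROUTER_URL)
    if hit is None:
        print("Router rejected every default credential tried.")
    else:
        print(f"Router still accepts default login {hit[0]!r}/{hit[1]!r}: change it now.")
```

If the script reports a hit on a Basic-auth router, the router is in exactly the state the trojan needs; change the password before reconnecting any PC. Trying a long credential list against a router can also trigger lockouts or reboots on some models, so keep the list short and deliberate.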
There is a new variant of the TDL4 rootkit that TDSSKiller does not detect at the time of writing, so if the issue lingers it could be that the Master Boot Record has been modified. In that case you would need to run the "fixmbr" command from the Recovery Console to repair it (on Windows Vista and Windows 7 the equivalent is "bootrec /fixmbr" from the System Recovery Options command prompt).
If you have scanned with TDSSKiller and reset the router but the redirects have not stopped, post a question in the Virus & Spyware zone and we will be there to give you some assistance.
Hope you find this article helpful.