Infected router - Google search redirects even on a clean system

If your system is showing symptoms of browser hijacks or 'google search redirects', check out my other article first and run the tool TDSSKiller to get rid of the infection.

Once that is done, if the PC seems to be clean but the redirect has not stopped, or if you have just reformatted your system and it still shows the symptoms, then this article is for you. Read on.


Router infections:

This infection has been doing the rounds for a while now; many PCs were infected last year and it is still going, as seen here. Since it only needs to infect one PC in the network to affect every system that shares the same router, it is not surprising that a newly reformatted PC can show the same symptom.


How does it get into the system:

Much like the Smitfraud family of infections, the Zlob/DNS changer trojans often trick the user by masquerading as a video codec to download. Once in, these trojans check for a wired or wireless hardware router. Once they know a router is in use, they guess the router's password by consulting a built-in list of routers with their default usernames and passwords. Once they have access to the router they change its DNS settings, hence the name DNS Changer trojans.

However, if the user has changed the router's default username and password, these trojans will not be able to change the DNS settings. That is why it is very important to set your own username and password when using a router. Unlike the Wareout infection (mentioned in another article), this one does not show any entries in the HijackThis log.


The Fix:

Scan the system with your favorite scanner; e.g., MalwareBytes will handle this infection nicely.
Once every PC has been cleaned, reset the router to its default configuration. To do this, insert the tip of a paper clip or the tip of a cake skewer into the small hole labeled "reset" on the back of the router. Press and hold for about 10 to 15 seconds. The router's lights should go off and on again. Remember that the reset also restores the router's default username and password, so set your own again afterwards.
Note that if there are other Zlob-infected PCs sharing the same router, they need to be cleaned before resetting the router; otherwise the trojan will simply go back and change the DNS settings again.
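After the router reset, a quick way to confirm on each PC that the DNS settings are back to what you expect is to look at what ipconfig /all reports. The script below is an added example, not code from the original article: it parses ipconfig /all style output and flags any adapter whose DNS servers are neither on the LAN nor in a list of resolvers you trust. The sample output, the LAN range 192.168.1.0/24 and the trusted resolver addresses are constructed assumptions; substitute your own router and ISP addresses.

```python
import ipaddress
import re

# Constructed "ipconfig /all" output (not from the article); the resolver
# addresses are invented: one adapter uses the router, the other has been
# pointed at outside servers the way a DNS changer would leave it.
SAMPLE_IPCONFIG = """\
Windows IP Configuration
Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.45
                                       203.0.113.46

Wireless LAN adapter Wireless Network Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# Assumptions: the LAN is 192.168.1.0/24; expected resolvers are the router or the ISP.
LAN = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_DNS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}

def parse_dns_servers(text):
    """Return {adapter: [resolver, ...]} from ipconfig /all style output."""
    adapters, current, in_dns = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip(" :")            # adapter header line
            adapters[current] = []
            in_dns = False
        elif current and re.match(r"\s+DNS Servers[ .]*: \S+", line):
            adapters[current].append(line.split(": ", 1)[1].strip())
            in_dns = True
        elif in_dns and re.match(r"\s{20,}\S+$", line):
            adapters[current].append(line.strip())  # continuation of the DNS list
        else:
            in_dns = False
    return adapters

def suspicious_resolvers(adapters, lan=LAN, trusted=TRUSTED_DNS):
    """(adapter, resolver) pairs whose resolver is neither on the LAN nor trusted."""
    findings = []
    for adapter, servers in adapters.items():
        for dns in servers:
            if dns not in trusted and ipaddress.ip_address(dns) not in lan:
                findings.append((adapter, dns))
    return findings
```

Run suspicious_resolvers(parse_dns_servers(...)) on the real ipconfig /all output of each PC; an empty result means every adapter is using a resolver you recognise.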

If needed, you can find most routers' default passwords at this link: http://www.phenoelit-us.org/dpl/dpl.html.

Also check out these video tutorials on how to configure your router's security settings: http://www.onguardonline.gov/topics/wireless-security.aspx

There is a new variant of the TDL4 rootkit that is currently undetectable by TDSSKiller, so if the issue lingers it could be that the Master Boot Record has been modified; in that case you would need to run the "Fixmbr" command from the Recovery Console to fix it.
If you have scanned with TDSSKiller and reset the router but the redirects have not stopped, post a question in the Virus & Spyware zone and we will be there to give you some assistance.

Hope you find this article helpful.
17 Comments
 
LVL 38

Expert Comment

by:younghv
rpggamergirl,
Thank you for putting together this Article.
We have seen so much of this problem over the past few weeks and I think this will help a lot of our Members.

"Yes" vote above.

younghv
0
 
LVL 63

Expert Comment

by:☠ MASQ ☠
And from me - amazing how many people forget to take the simple precaution of adding a password to their router.   Perhaps now they know a virus can do this they may take more care about their security.

Thanks for this.
0
 
LVL 47

Author Comment

by:rpggamergirl
younghv, masqueraid,
Thanks for voting 'Yes' :)
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
@younghv,

Good article indeed.

Sudeep
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
Sorry, I meant "rpggamergirl" to thank, but I got the link from one of the posts from Younghv.

So thanks to both of you.
0
 
LVL 47

Author Comment

by:rpggamergirl
Thanks SSharma.... and thanks to you too younghv for pointing them here.
0
 

Expert Comment

by:Steve-Seese
I have been researching and struggling with this problem for over a month now and this has been the only thing that has helped. I downloaded the Zip, unzipped and ran the exe, then voila! Fixed the issue. Fantastic I tell ya, fantastic!
0
 
LVL 27

Expert Comment

by:Jonvee
This document nicely complements your "Google Hijack" article.   Thanks again.

Voted "Yes" above.
0
 
LVL 47

Author Comment

by:rpggamergirl
Steve-Seese,
Glad to know that this article has been helpful to you, thanks for the yes vote.

Jonvee,
Thanks for voting Yes.
Please use any of my article links in your posts when you see fit, thanks.
0
 
LVL 3

Expert Comment

by:Guillermin-go
Interesting article.

I'm not famous, but voted yes ^^
0
 
LVL 47

Author Comment

by:rpggamergirl
"I'm not famous,"

Neither am I, :)
Thanks for commenting and for voting Yes, I appreciate it :)
0
 

Expert Comment

by:Jsmply
As always, RPG's advice and article was very helpful and informative.  Thanks RPG!
0
 
LVL 61

Expert Comment

by:mbizup
Voted yes
0
 
LVL 47

Author Comment

by:rpggamergirl
Jsmply, Mbizup,

Thank you for voting Yes!
0
 

Expert Comment

by:Jsmply
You're welcome RPG, but actually we should be thanking you.  =)
0
 
LVL 47

Author Comment

by:rpggamergirl
@ Jsmply,

Your feedback on questions and continued support for my articles are what motivate me, and I am very grateful. :)
0
 

Expert Comment

by:Jsmply
Glad to hear it, we have said many times that access to RPG alone is worth the price of EE!
0