Infected router - Google search redirects even on a clean system

If your system is showing symptoms of browser hijacks or 'Google search redirects', check out my other article first and run the tool TDSSKiller to get rid of the infection.

Once that is done, if the PC seems to be clean but the redirect has not stopped, or if you have just reformatted your system and it is still showing the symptoms, then this article is for you. Read on.

Router infections:

This infection has been doing the rounds for a while now; many PCs were infected last year and it is still going, as seen here. Because it only needs to infect one PC on the network to affect every system that shares the same router, it's not surprising that a newly reformatted PC could also show the same symptom.

How does it get into the system:

Much like the Smitfraud family of infections, the Zlob/DNS changer trojans often trick the user by masquerading as a video codec to download. Once they are in, these trojans check for a wired or wireless hardware router. When they find that a router is in use, they try to guess the router's password by consulting a built-in list of routers with their default usernames and passwords. Once a trojan has access to the router, it changes the DNS settings, hence the name DNS Changer trojans.

However, if the user has changed the router's default username and password, these trojans will not be able to change the DNS settings. That is why it is very important to create your own username and password when using a router. Unlike the wareout infection (mentioned in another article), this one does not show any entries in the HijackThis log.

The Fix:

Scan the system with your favorite scanner; MalwareBytes, for example, will handle this infection nicely.
Once every PC has been cleaned, reset the router to its default configuration. To do this, insert the tip of a paper clip or the tip of a cake skewer into the small hole labeled "reset" on the back of the router. Press and hold for about ten to 15 seconds. The router's light should go off and on again.
Note that if there are other Zlob-infected PCs sharing the same router, they need to be cleaned before resetting the router; otherwise the trojan will simply go back and change the DNS settings again.
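After the reset, it helps to confirm which DNS servers each PC is actually being handed. The following is an added example, not part of the original article: it parses `ipconfig /all` output and flags any DNS server that is neither the adapter's own gateway nor on a list of resolvers you expect. The sample output and all addresses are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (documentation-range addresses).
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       198.51.100.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi:
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
FIELD = re.compile(r"^\s+(?P<key>.+?)[ .]+:(?: (?P<val>.*))?$")
WANTED = {"Default Gateway": "gateway", "DNS Servers": "dns"}


def parse_adapters(text):
    """Return {adapter: {"gateway": [...], "dns": [...]}} from ipconfig /all text."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):  # unindented "... adapter X:"
            current = adapters.setdefault(line.rstrip()[:-1], {"gateway": [], "dns": []})
            field = None
        elif current is not None and line.strip():
            m = FIELD.match(line)
            if m:  # a labelled line starts a new field; a bare value continues the last one
                field = WANTED.get(m.group("key").strip())
            val = (m.group("val") or "") if m else line
            val = re.split(r"[(%]", val.strip())[0]  # drop "(Preferred)" and IPv6 zone id
            if field and val:
                current[field].append(val)
    return adapters


def unexpected_dns(text, isp_resolvers):
    """Return (adapter, server) pairs not matching the gateway or the expected resolvers."""
    allowed = {ipaddress.ip_address(a) for a in isp_resolvers}
    findings = []
    for name, cfg in parse_adapters(text).items():
        ok = allowed | {ipaddress.ip_address(g) for g in cfg["gateway"]}
        findings += [(name, s) for s in cfg["dns"] if ipaddress.ip_address(s) not in ok]
    return findings


if __name__ == "__main__":
    print(unexpected_dns(SAMPLE, ["203.0.113.53"]))  # 203.0.113.53: assumed ISP resolver
```

If a PC lists only the router's address as its DNS server, the router is relaying queries, so the DNS servers shown on the router's own status page still need to be compared against what your ISP publishes.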

If needed, you can find most routers' default passwords at this link: http://www.phenoelit-us.org/dpl/dpl.html.

Also check out these video tutorials on how to configure your router's security settings: http://www.onguardonline.gov/topics/wireless-security.aspx

There is a recent new variant of the TDL4 rootkit that is undetectable by TDSSKiller, so if the issue lingers it could be that the Master Boot Record has been modified, and you would need to run the "Fixmbr" command from the Recovery Console to fix it.
If you have scanned with TDSSKiller and reset the router but the redirects have not stopped, then post a question in the Virus & Spyware zone and we will be there to give you some assistance.

Hope you find this article helpful.