jbaretta
asked on
Google Redirect Infection
At one of our clients, all workstations have contracted an infection that redirects all links on a search (Google, Yahoo) to webpages such as flurrysearch.com.
It has infected PCs with operating systems ranging from XP, Vista and Windows 7. All these workstations have different Antiviruses including AVG, Symantec Endpoint, and Norton 360.
We performed scans with the following programs:
Combofix, SDFix, Malwarebytes, Sophos AntiRootkit, TDSSKiller, Super AntiSpyware, McAffee Stinger, Hitman Pro, and Immunet. None of these scanners found anything on these systems.
However, when I cleared all temp files, and reset the Internet Explorer settings, the redirecting stopped temporarily. After a few minutes, I reopen Internet Explorer and it's redirecting again.
I have also done the following: delete the hosts file, flush the dns, restart the pc, and clear the Macromedia Shared Objects.
As an added sidenote, Bing does not redirect.
Outside of full reinstalls for all workstations which is not our first choice, we are at a loss. Any insight on the matter would be greatly appreciated.
Thank you.
It has infected PCs with operating systems ranging from XP, Vista and Windows 7. All these workstations have different Antiviruses including AVG, Symantec Endpoint, and Norton 360.
We performed scans with the following programs:
Combofix, SDFix, Malwarebytes, Sophos AntiRootkit, TDSSKiller, Super AntiSpyware, McAffee Stinger, Hitman Pro, and Immunet. None of these scanners found anything on these systems.
However, when I cleared all temp files, and reset the Internet Explorer settings, the redirecting stopped temporarily. After a few minutes, I reopen Internet Explorer and it's redirecting again.
I have also done the following: delete the hosts file, flush the dns, restart the pc, and clear the Macromedia Shared Objects.
As an added sidenote, Bing does not redirect.
Outside of full reinstalls for all workstations which is not our first choice, we are at a loss. Any insight on the matter would be greatly appreciated.
Thank you.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
@sjklein42 Wow viruses are now smart enough to infect routers and therefor cause issues on an entire network?? Scary thought. @jbaretta The website he gave seems to have your symptoms and might just be your problem. Based on the information there it does make sense as far as affecting everyone at the same time and doing everything in your power on multiple computers it continues to come back. I personally didn't know viruses had gotten that smart though. Good luck and nice find @sjklein42.
Yes. I did not believe it when I first heard about it a few months ago but have seen it more than a few times since.
Apparently the virus first infects a PC through some (any) vulnerability. It then probes the normal router gateway addresses like 192.168.1.1 and tries to log in using the default username and password.
Once logged into the router, the virus sets up redirect routing table entries for google and some other domains.
Even once the PC is disinfected, if the original vulnerability has not been patched, then the PC can be reinfected by a drive-by download caused by the router redirect
Other unpatched but clean PCs in the same LAN are also subject to the redirect and so the infection can easily spread through the LAN without the users doing anything wrong.
To clean up from this virus, the router needs to be reset (hard reset) and secured with a non-default password. Then all the PCs need to be cleaned and secured.
By the way, a good online scan that checks whether the software on your PC is up-do-date is here:
www.secunia.com
Pick "Scan Now" in the top right corner, then Start Scanner and Start.
Apparently the virus first infects a PC through some (any) vulnerability. It then probes the normal router gateway addresses like 192.168.1.1 and tries to log in using the default username and password.
Once logged into the router, the virus sets up redirect routing table entries for google and some other domains.
Even once the PC is disinfected, if the original vulnerability has not been patched, then the PC can be reinfected by a drive-by download caused by the router redirect
Other unpatched but clean PCs in the same LAN are also subject to the redirect and so the infection can easily spread through the LAN without the users doing anything wrong.
To clean up from this virus, the router needs to be reset (hard reset) and secured with a non-default password. Then all the PCs need to be cleaned and secured.
By the way, a good online scan that checks whether the software on your PC is up-do-date is here:
www.secunia.com
Pick "Scan Now" in the top right corner, then Start Scanner and Start.
Thank you for responding sjklein42 and scissors85,
Wow is correct.....We'll be back on site tomorrow at the clients location to review your suggestions.
If the Router is secure with a non-standard password and not "infected" based on what I'm hearing the next thing we'll look at is the possibility of the Server (Server 2003) being infected and setup as a DNS server on our network.
We will respond back tomorrow am with our findings.
We appreciated your time and expertise.
Wow is correct.....We'll be back on site tomorrow at the clients location to review your suggestions.
If the Router is secure with a non-standard password and not "infected" based on what I'm hearing the next thing we'll look at is the possibility of the Server (Server 2003) being infected and setup as a DNS server on our network.
We will respond back tomorrow am with our findings.
We appreciated your time and expertise.
@ sjklein42 and younghv:
Perhaps this isn't the proper forum to ask (if it isn't please let me know where it is appropriate), will doing a factory reset on the router, updating firmware (if applicable), and changing default credentials on the device stop this exploit? The machines on the network would have to be dealt with as a separate issue, I realize that.
Perhaps this isn't the proper forum to ask (if it isn't please let me know where it is appropriate), will doing a factory reset on the router, updating firmware (if applicable), and changing default credentials on the device stop this exploit? The machines on the network would have to be dealt with as a separate issue, I realize that.
lancecurwens…
Good question.
sjklein42 is the man on this one, but my reading at the link he posted is that compromising the "default" credentials is what initially allows the malware to invade the network.
Changing the account password on routers is always recommended by the manufacturer, but is one of those things that too often gets left out.
Good question.
sjklein42 is the man on this one, but my reading at the link he posted is that compromising the "default" credentials is what initially allows the malware to invade the network.
Changing the account password on routers is always recommended by the manufacturer, but is one of those things that too often gets left out.
younghv is right. To clear the virus from the router it is necessary to do a factory reset and then change the password. Firmware ln the router is not a factor as it is not a vulnerability on the router but a failure to change the default password that leaves the router open to attack.
@younghv & sjklein42
thanks for the clarification on this.
thanks for the clarification on this.
ASKER
Thank you all for responding.
The Router did have the default user name and Password courtesy of AT&T tech support who had our client perform a hard reset on their Linksys Router a while back.
Here is what we found configured for DNS in the Router:
213.109.66.189
213.109.77.61
1.1.1.1.
I have remotely re-configured the DNS within the Router and created a 8 character admin password until we can go onsite later today and perform a Router hard reset and re-scan all the PC's.
We will know for sure we have solved this virus issue once we perform the Router hard reset and re-scan / clean the machines for the last time.
Thank you all for your participating.
The Router did have the default user name and Password courtesy of AT&T tech support who had our client perform a hard reset on their Linksys Router a while back.
Here is what we found configured for DNS in the Router:
213.109.66.189
213.109.77.61
1.1.1.1.
I have remotely re-configured the DNS within the Router and created a 8 character admin password until we can go onsite later today and perform a Router hard reset and re-scan all the PC's.
We will know for sure we have solved this virus issue once we perform the Router hard reset and re-scan / clean the machines for the last time.
Thank you all for your participating.
ASKER
sjklein42,
We appreciate your time & knowledge.
Thank you!
We appreciate your time & knowledge.
Thank you!
jbaretta,
You must have some old-timers in your shop - I just noticed that you are still using "SDFix".
AndyManchesta hasn't updated that for about 3 years (he has just plain ol' left the building) and you should remove that from your inventory of tools.
It was sure one of the best tools back when and I wish Andy would return.
...
Good luck on your off-site work today.
You must have some old-timers in your shop - I just noticed that you are still using "SDFix".
AndyManchesta hasn't updated that for about 3 years (he has just plain ol' left the building) and you should remove that from your inventory of tools.
It was sure one of the best tools back when and I wish Andy would return.
...
Good luck on your off-site work today.
ASKER
3 years makes me an "old timer" :-)
Back in the day my only malware removal program was FDisk.
Spybot's malware database was only about 3,500 programs and took about 10 minutes to complete a scan!
Your right...we'll ditch the program...I think we were desperate enough to try it in this particular situation.
Thanks for your comments younghv.
Back in the day my only malware removal program was FDisk.
Spybot's malware database was only about 3,500 programs and took about 10 minutes to complete a scan!
Your right...we'll ditch the program...I think we were desperate enough to try it in this particular situation.
Thanks for your comments younghv.
I see no one thought of checking this EE article that has been posted early this year, eventhough not an in-depth article but still :(
"Infected Router - Google Search Redirects Even on a Clean System"
https://www.experts-exchange.com/A_5327.html
"Infected Router - Google Search Redirects Even on a Clean System"
https://www.experts-exchange.com/A_5327.html
rpggamergirl: No, we did not miss it. That article was posted after (and partly as a result of) this question.
If that doesn't work then there is definitely some kind of rootkit that is causing the redirect to be recreated. When you ran the programs did you run them in safe mode or normal mode as that is a factor as far as what it will find and can get rid of.
It does sound you have done quite a lot but I have yet to have to reformat a computer from a virus. There is practically always a way to fix it but sometimes it's a pain. Ok most of the time it's a pain.