

Google Redirect Infection

Posted on 2011-03-10
Medium Priority
Last Modified: 2013-11-22
At one of our clients, all workstations have contracted an infection that redirects all links on a search (Google, Yahoo) to webpages such as flurrysearch.com.

It has infected PCs with operating systems ranging from XP, Vista and Windows 7.  All these workstations have different Antiviruses including AVG, Symantec Endpoint, and Norton 360.

We performed scans with the following programs:

Combofix, SDFix, Malwarebytes, Sophos AntiRootkit, TDSSKiller, Super AntiSpyware, McAfee Stinger, Hitman Pro, and Immunet.  None of these scanners found anything on these systems.

However, when I cleared all temp files and reset the Internet Explorer settings, the redirecting stopped temporarily.  After a few minutes, I reopened Internet Explorer and it was redirecting again.

I have also done the following: delete the hosts file, flush the dns, restart the pc, and clear the Macromedia Shared Objects.

As an added sidenote, Bing does not redirect.

Outside of full reinstalls for all workstations which is not our first choice, we are at a loss.  Any insight on the matter would be greatly appreciated.

Thank you.
Question by:jbaretta

Expert Comment

by:Sean Scissors
ID: 35102874
You said it's only google. Now it looks like all you use is IE. If that is the case have you tried to completely uninstall IE and start it from scratch? It was fixed temporarily after removing all temp files but did you clean the cache and cookies as well? Before uninstalling it make sure you clean everything possible. To be honest just run CCleaner and that should remove your cookies and temp files and then through the internet options clear your cache.

If that doesn't work then there is definitely some kind of rootkit that is causing the redirect to be recreated. When you ran the programs did you run them in safe mode or normal mode as that is a factor as far as what it will find and can get rid of.

It does sound you have done quite a lot but I have yet to have to reformat a computer from a virus. There is practically always a way to fix it but sometimes it's a pain. Ok most of the time it's a pain.
LVL 16

Accepted Solution

sjklein42 earned 2000 total points
ID: 35102958
The google redirect virus infects the router!

Does the router still have its default password?

The first step in clearing it up is to reset and secure the router.

There is a great deal of discussion about this on the Web, for example:


Expert Comment

by:Sean Scissors
ID: 35103738
@sjklein42 Wow, viruses are now smart enough to infect routers and therefore cause issues on an entire network?? Scary thought. @jbaretta The website he gave seems to have your symptoms and might just be your problem. Based on the information there it does make sense as far as affecting everyone at the same time and, despite doing everything in your power on multiple computers, it continues to come back. I personally didn't know viruses had gotten that smart though.  Good luck and nice find @sjklein42.

LVL 16

Expert Comment

ID: 35104014
Yes.  I did not believe it when I first heard about it a few months ago but have seen it more than a few times since.

Apparently the virus first infects a PC through some (any) vulnerability.  It then probes the normal router gateway addresses like and tries to log in using the default username and password.

Once logged into the router, the virus sets up redirect routing table entries for google and some other domains.

Even once the PC is disinfected, if the original vulnerability has not been patched, then the PC can be reinfected by a drive-by download caused by the router redirect.

Other unpatched but clean PCs in the same LAN are also subject to the redirect and so the infection can easily spread through the LAN without the users doing anything wrong.

To clean up from this virus, the router needs to be reset (hard reset) and secured with a non-default password.  Then all the PCs need to be cleaned and secured.

By the way, a good online scan that checks whether the software on your PC is up-to-date is here:


Pick "Scan Now" in the top right corner, then Start Scanner and Start.
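The chain sjklein42 describes (PC compromised, router admin page opened with default credentials, resolver settings changed so every host on the LAN is redirected) leaves a symptom you can check for on each workstation without waiting for a scanner signature. The script below is an added example written for this page, not code from the thread or from any of the tools named in it. It parses `ipconfig /all` output and flags any DNS server an adapter was handed that is neither that adapter's own gateway/DHCP server nor on an explicit trusted list, and it compares answers for a few domains as seen through the configured resolver against answers from a resolver reached out-of-band. The `ipconfig` text, the addresses (documentation ranges), and the trusted resolver 192.168.1.5 (standing in for the client's Server 2003 DNS box) are all constructed assumptions.

```python
"""Added check for the router DNS hijack discussed in this thread.

1. parse `ipconfig /all` output and flag DNS servers an adapter was handed
   that are neither its own gateway/DHCP server nor on a trusted list;
2. compare answers for a few domains from the configured resolver against
   answers from a resolver reached out-of-band, flagging domains whose
   answer sets do not overlap at all (google/yahoo redirected, bing not).
"""
import re
from dataclasses import dataclass, field

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# "   DNS Servers . . . . : 203.0.113.7" -> key="DNS Servers", val="203.0.113.7"
KEY_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(?P<val>.*)$")

# Constructed sample output; not captured from the client's workstations.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-01

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.7
                                       203.0.113.8
"""

# Assumed: the client's internal DNS server (the Server 2003 box mentioned
# in the thread); anything else handed out by DHCP is flagged.
TRUSTED_RESOLVERS = {"192.168.1.5"}


@dataclass
class Adapter:
    name: str
    gateway: list = field(default_factory=list)
    dhcp_server: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)


def parse_ipconfig(text):
    """Return one Adapter per interface block in `ipconfig /all` output."""
    adapters, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Adapter headers start in column 0 and end with a colon.
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = Adapter(name=line.strip().rstrip(":"))
            adapters.append(current)
            last_key = None
            continue
        if current is None:
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key").lower()
            values = IPV4_RE.findall(m.group("val"))
        elif last_key:
            # Indented continuation line: a second DNS server, for example.
            values = IPV4_RE.findall(line)
        else:
            values = []
        if last_key == "default gateway":
            current.gateway.extend(values)
        elif last_key == "dhcp server":
            current.dhcp_server.extend(values)
        elif last_key == "dns servers":
            current.dns_servers.extend(values)
    return adapters


def find_rogue_dns(adapters, trusted_resolvers=()):
    """(adapter name, ip) for every DNS server that is not the adapter's own
    gateway or DHCP server and is not explicitly trusted."""
    findings = []
    for a in adapters:
        allowed = set(trusted_resolvers) | set(a.gateway) | set(a.dhcp_server)
        findings.extend((a.name, ip) for ip in a.dns_servers if ip not in allowed)
    return findings


def compare_resolutions(configured_answers, trusted_answers):
    """Domains whose answers from the configured resolver share no address
    with the answers from the trusted resolver. Partial overlap is tolerated
    because CDN-fronted names legitimately vary between resolvers."""
    divergent = []
    for domain in sorted(configured_answers):
        got = set(configured_answers[domain])
        expected = set(trusted_answers.get(domain, ()))
        if got and expected and not got & expected:
            divergent.append(domain)
    return divergent


# Constructed answers (documentation ranges), mirroring the thread's symptom:
# google and yahoo go to one attacker address, bing resolves normally.
SUSPECT_ANSWERS = {"google.com": {"198.51.100.10"}, "yahoo.com": {"198.51.100.10"},
                   "bing.com": {"192.0.2.30"}}
TRUSTED_ANSWERS = {"google.com": {"192.0.2.10", "192.0.2.11"}, "yahoo.com": {"192.0.2.20"},
                   "bing.com": {"192.0.2.30", "192.0.2.31"}}

if __name__ == "__main__":
    for name, ip in find_rogue_dns(parse_ipconfig(SAMPLE_IPCONFIG), TRUSTED_RESOLVERS):
        print(f"{name}: DNS server {ip} is not the gateway and not trusted")
    for domain in compare_resolutions(SUSPECT_ANSWERS, TRUSTED_ANSWERS):
        print(f"{domain}: configured resolver disagrees with trusted resolver")
```

To use it on a real workstation, save `ipconfig /all > ipconfig.txt` and feed that text to `parse_ipconfig`; for the second check, collect `nslookup google.com` answers once through the configured resolver and once against a resolver reached from outside the suspect LAN (a phone on mobile data, a VPN endpoint), and hand both sets to `compare_resolutions`. A hit on either check points at the router's DHCP/DNS configuration rather than at the PC, which is exactly the case where rescanning workstations keeps coming up empty; two different resolvers disagreeing on a CDN-hosted name is not by itself proof, so confirm a flagged address before acting on it.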

Expert Comment

ID: 35104497
Thank you for responding sjklein42 and scissors85,

Wow is correct.....We'll be back on site tomorrow at the clients location to review your suggestions.

If the router is secured with a non-standard password and not "infected", based on what I'm hearing, the next thing we'll look at is the possibility of the server (Server 2003) being infected and set up as a DNS server on our network.

We will respond back tomorrow am  with our findings.

We appreciated your time and expertise.

Expert Comment

ID: 35108256
@ sjklein42 and younghv:
Perhaps this isn't the proper forum to ask (if it isn't please let me know where it is appropriate), will doing a factory reset on the router, updating firmware (if applicable), and changing default credentials on the device stop this exploit?  The machines on the network would have to be dealt with as a separate issue, I realize that.  
LVL 38

Expert Comment

ID: 35108593

Good question.
sjklein42 is the man on this one, but my reading at the link he posted is that compromising the "default" credentials is what initially allows the malware to invade the network.

Changing the account password on routers is always recommended by the manufacturer, but is one of those things that too often gets left out.
LVL 16

Expert Comment

ID: 35109759
younghv is right.  To clear the virus from the router it is necessary to do a factory reset and then change the password.  Firmware in the router is not a factor, as it is not a vulnerability on the router but a failure to change the default password that leaves the router open to attack.

Expert Comment

ID: 35109803
@younghv & sjklein42

thanks for the clarification on this.

Author Comment

ID: 35110517
Thank you all for responding.

The Router did have the default user name and Password courtesy of AT&T tech support who had our client perform a hard reset on their Linksys Router a while back.

Here is what we found configured for DNS in the Router:

I have remotely re-configured the DNS within the router and created an 8-character admin password until we can go onsite later today and perform a router hard reset and re-scan all the PCs.

We will know for sure we have solved this virus issue once we perform the Router hard reset and re-scan / clean the machines for the last time.

Thank you all for participating.


Author Closing Comment

ID: 35110543
We appreciate your time & knowledge.
Thank you!
LVL 38

Expert Comment

ID: 35110610
You must have some old-timers in your shop - I just noticed that you are still using "SDFix".

AndyManchesta hasn't updated that for about 3 years (he has just plain ol' left the building) and you should remove that from your inventory of tools.

It was sure one of the best tools back when and I wish Andy would return.

Good luck on your off-site work today.

Author Comment

ID: 35110781
3 years makes me an "old timer"  :-)

Back in the day my only malware removal program was FDisk.
Spybot's malware database was only about 3,500 programs and took about 10 minutes to complete a scan!

You're right...we'll ditch the program...I think we were desperate enough to try it in this particular situation.

Thanks for your comments younghv.
LVL 47

Expert Comment

ID: 37206554
I see no one thought of checking this EE article that was posted earlier this year, even though it is not an in-depth article but still :(

"Infected Router - Google Search Redirects Even on a Clean System"
LVL 16

Expert Comment

ID: 37207760
rpggamergirl: No, we did not miss it.  That article was posted after (and partly as a result of) this question.
