Solved

Google Redirect Infection

Posted on 2011-03-10
Last Modified: 2013-11-22
At one of our clients, all workstations have contracted an infection that redirects all links on a search (Google, Yahoo) to webpages such as flurrysearch.com.

It has infected PCs running operating systems ranging from XP to Vista and Windows 7. All these workstations have different antivirus products, including AVG, Symantec Endpoint, and Norton 360.

We performed scans with the following programs:

Combofix, SDFix, Malwarebytes, Sophos AntiRootkit, TDSSKiller, Super AntiSpyware, McAfee Stinger, Hitman Pro, and Immunet. None of these scanners found anything on these systems.

However, when I cleared all temp files and reset the Internet Explorer settings, the redirecting stopped temporarily. After a few minutes, I reopened Internet Explorer and it was redirecting again.

I have also done the following: delete the hosts file, flush the dns, restart the pc, and clear the Macromedia Shared Objects.

As an added sidenote, Bing does not redirect.

Outside of full reinstalls for all workstations, which is not our first choice, we are at a loss. Any insight on the matter would be greatly appreciated.

Thank you.
Question by:jbaretta
16 Comments
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35102874
You said it's only Google. Now it looks like all you use is IE. If that is the case, have you tried to completely uninstall IE and start it from scratch? It was fixed temporarily after removing all temp files, but did you clean the cache and cookies as well? Before uninstalling it, make sure you clean everything possible. To be honest, just run CCleaner and that should remove your cookies and temp files, and then through the Internet Options clear your cache.

If that doesn't work then there is definitely some kind of rootkit that is causing the redirect to be recreated. When you ran the programs, did you run them in safe mode or normal mode? That is a factor as far as what they will find and can get rid of.

It does sound like you have done quite a lot, but I have yet to have to reformat a computer because of a virus. There is practically always a way to fix it, but sometimes it's a pain. OK, most of the time it's a pain.
 
LVL 16

Accepted Solution

by:
sjklein42 earned 500 total points
ID: 35102958
The Google redirect virus infects the router!

Does the router still have its default password?

The first step in clearing it up is to reset and secure the router.

There is a great deal of discussion about this on the Web, for example:

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/
 
LVL 8

Expert Comment

by:Sean Scissors
ID: 35103738
@sjklein42 Wow, viruses are now smart enough to infect routers and therefore cause issues on an entire network?? Scary thought. @jbaretta The website he gave seems to match your symptoms and might just be your problem. Based on the information there, it does make sense as far as affecting everyone at the same time and, after doing everything in your power on multiple computers, it continuing to come back. I personally didn't know viruses had gotten that smart though. Good luck, and nice find @sjklein42.
 
LVL 16

Expert Comment

by:sjklein42
ID: 35104014
Yes.  I did not believe it when I first heard about it a few months ago but have seen it more than a few times since.

Apparently the virus first infects a PC through some (any) vulnerability. It then probes the normal router gateway addresses like 192.168.1.1 and tries to log in using the default username and password.

Once logged into the router, the virus sets up redirect routing table entries for Google and some other domains.

Even once the PC is disinfected, if the original vulnerability has not been patched, then the PC can be reinfected by a drive-by download caused by the router redirect.

Other unpatched but clean PCs in the same LAN are also subject to the redirect and so the infection can easily spread through the LAN without the users doing anything wrong.

To clean up from this virus, the router needs to be reset (hard reset) and secured with a non-default password.  Then all the PCs need to be cleaned and secured.

By the way, a good online scan that checks whether the software on your PC is up-to-date is here:

www.secunia.com

Pick "Scan Now" in the top right corner, then Start Scanner and Start.
 

Expert Comment

by:COM1
ID: 35104497
Thank you for responding sjklein42 and scissors85,

Wow is correct... We'll be back on site tomorrow at the client's location to review your suggestions.

If the router is secured with a non-standard password and not "infected", based on what I'm hearing the next thing we'll look at is the possibility of the server (Server 2003) being infected and set up as a DNS server on our network.

We will respond back tomorrow AM with our findings.

We appreciate your time and expertise.
 
LVL 8

Expert Comment

by:lancecurwensville
ID: 35108256
@ sjklein42 and younghv:
Perhaps this isn't the proper forum to ask (if it isn't, please let me know where it is appropriate), but will doing a factory reset on the router, updating firmware (if applicable), and changing default credentials on the device stop this exploit? The machines on the network would have to be dealt with as a separate issue, I realize that.
 
LVL 38

Expert Comment

by:younghv
ID: 35108593
lancecurwens…

Good question.
sjklein42 is the man on this one, but my reading at the link he posted is that compromising the "default" credentials is what initially allows the malware to invade the network.

Changing the account password on routers is always recommended by the manufacturer, but is one of those things that too often gets left out.
 
LVL 16

Expert Comment

by:sjklein42
ID: 35109759
younghv is right. To clear the virus from the router it is necessary to do a factory reset and then change the password. Firmware in the router is not a factor, as it is not a vulnerability in the router but a failure to change the default password that leaves the router open to attack.
 
LVL 8

Expert Comment

by:lancecurwensville
ID: 35109803
@younghv & sjklein42

Thanks for the clarification on this.
 

Author Comment

by:jbaretta
ID: 35110517
Thank you all for responding.


The router did have the default username and password, courtesy of AT&T tech support, who had our client perform a hard reset on their Linksys router a while back.

Here is what we found configured for DNS in the Router:
213.109.66.189
213.109.77.61
1.1.1.1.

I have remotely reconfigured the DNS within the router and created an 8-character admin password until we can go onsite later today, perform a router hard reset, and re-scan all the PCs.

We will know for sure we have solved this virus issue once we perform the Router hard reset and re-scan / clean the machines for the last time.

Thank you all for participating.

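Putting sjklein42's description of the mechanism together with the resolver entries jbaretta found in the router, here is an added Python check (not code from anyone in this thread) that audits a router's DNS entries against an allowlist and flags names whose answers from the router-assigned resolver disagree with a trusted resolver. Only the three router entries come from the thread; the allowlist address 203.0.113.53 and the sample lookup answers are constructed placeholders.

```python
import ipaddress

# Resolvers this site legitimately uses: the LAN gateway plus the ISP's
# resolver (constructed placeholder; replace with your own).
EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53"}

def parse_resolver_entries(raw_entries):
    """Normalise entries as copied from a router UI (whitespace, a stray
    trailing dot) and set aside anything that is not an IP address."""
    valid, malformed = [], []
    for entry in raw_entries:
        try:
            valid.append(ipaddress.ip_address(entry.strip().rstrip(".")))
        except ValueError:
            malformed.append(entry)
    return valid, malformed

def audit_resolvers(raw_entries, expected=EXPECTED_RESOLVERS):
    """Bucket each resolver: 'ok' if it is the LAN itself (RFC 1918) or on
    the allowlist, otherwise 'rogue'. Any other public address configured
    on a SOHO router is the signature described in this thread."""
    valid, malformed = parse_resolver_entries(raw_entries)
    report = {"ok": [], "rogue": [], "malformed": malformed}
    for ip in valid:
        bucket = "ok" if ip.is_private or str(ip) in expected else "rogue"
        report[bucket].append(str(ip))
    return report

def find_hijacked_names(configured_answers, trusted_answers):
    """Names whose A-record answers from the router-assigned resolver share
    nothing with a trusted resolver's (queried directly, bypassing the
    router). A Google/Yahoo-only mismatch with Bing agreeing is the thread's
    symptom; CDN-backed names can differ legitimately, so verify hits."""
    return sorted(
        name for name in configured_answers
        if name in trusted_answers
        and configured_answers[name].isdisjoint(trusted_answers[name])
    )

# The three entries jbaretta found in the router, plus the gateway itself.
ROUTER_DNS_ENTRIES = ["213.109.66.189", "213.109.77.61", "1.1.1.1.", "192.168.1.1"]
# Constructed sample answers (documentation ranges, not real lookups).
CONFIGURED = {"www.google.com": {"198.51.100.7"}, "www.bing.com": {"192.0.2.20"}}
TRUSTED = {"www.google.com": {"203.0.113.80"}, "www.bing.com": {"192.0.2.20"}}

if __name__ == "__main__":
    print(audit_resolvers(ROUTER_DNS_ENTRIES))  # rogue: both 213.109.* and 1.1.1.1
    print(find_hijacked_names(CONFIGURED, TRUSTED))  # ['www.google.com']
```

Run it against the DNS entries copied from your router's admin page and, for the second check, against answers gathered with nslookup once pointed at the router and once at a resolver you trust.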
 

Author Closing Comment

by:jbaretta
ID: 35110543
sjklein42,
We appreciate your time & knowledge.
Thank you!
 
LVL 38

Expert Comment

by:younghv
ID: 35110610
jbaretta,
You must have some old-timers in your shop - I just noticed that you are still using "SDFix".

AndyManchesta hasn't updated that for about 3 years (he has just plain ol' left the building) and you should remove that from your inventory of tools.

It was sure one of the best tools back when and I wish Andy would return.
...

Good luck on your off-site work today.
 

Author Comment

by:jbaretta
ID: 35110781
3 years makes me an "old timer"  :-)

Back in the day my only malware removal program was FDisk.
Spybot's malware database was only about 3,500 programs and took about 10 minutes to complete a scan!

You're right... we'll ditch the program... I think we were desperate enough to try it in this particular situation.

Thanks for your comments younghv.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 37206554
I see no one thought of checking this EE article that was posted early this year; even though it is not an in-depth article, it still applies :(

"Infected Router - Google Search Redirects Even on a Clean System"
http://www.experts-exchange.com/A_5327.html
 
LVL 16

Expert Comment

by:sjklein42
ID: 37207760
rpggamergirl: No, we did not miss it.  That article was posted after (and partly as a result of) this question.
