Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1408
  • Last Modified:

Google Redirect Infection

At one of our clients, all workstations have contracted an infection that redirects all links on a search (Google, Yahoo) to webpages such as flurrysearch.com.

It has infected PCs with operating systems ranging from XP, Vista and Windows 7.  All these workstations have different Antiviruses including AVG, Symantec Endpoint, and Norton 360.

We performed scans with the following programs:

Combofix, SDFix, Malwarebytes, Sophos AntiRootkit, TDSSKiller, Super AntiSpyware, McAffee Stinger, Hitman Pro, and Immunet.  None of these scanners found anything on these systems.

However, when I cleared all temp files, and reset the Internet Explorer settings, the redirecting stopped temporarily.  After a few minutes, I reopen Internet Explorer and it's redirecting again.

I have also done the following: delete the hosts file, flush the dns, restart the pc, and clear the Macromedia Shared Objects.

As an added sidenote, Bing does not redirect.

Outside of full reinstalls for all workstations which is not our first choice, we are at a loss.  Any insight on the matter would be greatly appreciated.

Thank you.
0
jbaretta
Asked:
jbaretta
  • 4
  • 3
  • 2
  • +4
1 Solution
 
Sean ScissorsProgram Analyst IICommented:
You said it's only google. Now it looks like all you use is IE. If that is the case have you tried to completely uninstall IE and start it from scratch? It was fixed temporarily after removing all temp files but did you clean the cache and cookies as well? Before uninstalling it make sure you clean everything possible. To be honest just run CCleaner and that should remove your cookies and temp files and then through the internet options clear your cache.

If that doesn't work then there is definitely some kind of rootkit that is causing the redirect to be recreated. When you ran the programs did you run them in safe mode or normal mode as that is a factor as far as what it will find and can get rid of.

It does sound you have done quite a lot but I have yet to have to reformat a computer from a virus. There is practically always a way to fix it but sometimes it's a pain. Ok most of the time it's a pain.
0
 
sjklein42Commented:
The google redirect virus infects the router!

Does the router still have its default password?

The first step in clearing it up is to reset and secure the router.

There is a great deal of discussion about this on the Web, for example:

http://tidystorm.com/423/the-redirect-virus-was-in-my-router/ 
0
 
Sean ScissorsProgram Analyst IICommented:
@sjklein42 Wow viruses are now smart enough to infect routers and therefor cause issues on an entire network?? Scary thought. @jbaretta The website he gave seems to have your symptoms and might just be your problem. Based on the information there it does make sense as far as affecting everyone at the same time and doing everything in your power on multiple computers it continues to come back. I personally didn't know viruses had gotten that smart though.  Good luck and nice find @sjklein42.
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
sjklein42Commented:
Yes.  I did not believe it when I first heard about it a few months ago but have seen it more than a few times since.

Apparently the virus first infects a PC through some (any) vulnerability.  It then probes the normal router gateway addresses like 192.168.1.1 and tries to log in using the default username and password.

Once logged into the router, the virus sets up redirect routing table entries for google and some other domains.

Even once the PC is disinfected, if the original vulnerability has not been patched, then the PC can be reinfected by a drive-by download caused by the router redirect

Other unpatched but clean PCs in the same LAN are also subject to the redirect and so the infection can easily spread through the LAN without the users doing anything wrong.

To clean up from this virus, the router needs to be reset (hard reset) and secured with a non-default password.  Then all the PCs need to be cleaned and secured.

By the way, a good online scan that checks whether the software on your PC is up-do-date is here:

www.secunia.com

Pick "Scan Now" in the top right corner, then Start Scanner and Start.
0
 
COM1Commented:
Thank you for responding sjklein42 and scissors85,

Wow is correct.....We'll be back on site tomorrow at the clients location to review your suggestions.

If the Router is secure with a non-standard password and not "infected" based on what I'm hearing the next thing we'll look at is the possibility of the Server (Server 2003) being infected and setup as a DNS server on our network.

We will respond back tomorrow am  with our findings.

We appreciated your time and expertise.
0
 
lancecurwensvilleCommented:
@ sjklein42 and younghv:
Perhaps this isn't the proper forum to ask (if it isn't please let me know where it is appropriate), will doing a factory reset on the router, updating firmware (if applicable), and changing default credentials on the device stop this exploit?  The machines on the network would have to be dealt with as a separate issue, I realize that.  
0
 
younghvCommented:
lancecurwens…

Good question.
sjklein42 is the man on this one, but my reading at the link he posted is that compromising the "default" credentials is what initially allows the malware to invade the network.

Changing the account password on routers is always recommended by the manufacturer, but is one of those things that too often gets left out.
0
 
sjklein42Commented:
younghv is right.  To clear the virus from the router it is necessary to do a factory reset and then change the password.  Firmware ln the router is not a factor as it is not a vulnerability on the router but a failure to change the default password that leaves the router open to attack.
0
 
lancecurwensvilleCommented:
@younghv & sjklein42

thanks for the clarification on this.
0
 
jbarettaAuthor Commented:
Thank you all for responding.


The Router did have the default user name and Password courtesy of AT&T tech support who had our client perform a hard reset on their Linksys Router a while back.

Here is what we found configured for DNS in the Router:
213.109.66.189
213.109.77.61
1.1.1.1.

I have remotely re-configured the DNS within the Router and created a 8 character admin password until we can go onsite later today and perform a Router hard reset and re-scan all the PC's.

We will know for sure we have solved this virus issue once we perform the Router hard reset and re-scan / clean the machines for the last time.

Thank you all for your participating.

0
 
jbarettaAuthor Commented:
sjklein42,
We appreciate your time & knowledge.
Thank you!
0
 
younghvCommented:
jbaretta,
You must have some old-timers in your shop - I just noticed that you are still using "SDFix".

AndyManchesta hasn't updated that for about 3 years (he has just plain ol' left the building) and you should remove that from your inventory of tools.

It was sure one of the best tools back when and I wish Andy would return.
...

Good luck on your off-site work today.
0
 
jbarettaAuthor Commented:
3 years makes me an "old timer"  :-)

Back in the day my only malware removal program was FDisk.
Spybot's malware database was only about 3,500 programs and took about 10 minutes to complete a scan!

Your right...we'll ditch the program...I think we were desperate enough to try it in this particular situation.

Thanks for your comments younghv.
0
 
rpggamergirlCommented:
I see no one thought of checking this EE article that has been posted early this year, eventhough not an in-depth article but still :(

"Infected Router - Google Search Redirects Even on a Clean System"
http://www.experts-exchange.com/A_5327.html
0
 
sjklein42Commented:
rpggamergirl: No, we did not miss it.  That article was posted after (and partly as a result of) this question.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 3
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now