[VIRUS!] BEWARE of Having Your SEARCHES RATTLED

Very nice video Max.

Well done.

Will

Thanks for the share I will check out the video

Wow, I don't understand why people do this. I guess some people have too much time on their hands.

Thanks for the heads up Max.

Thanks Max. I haven't come across that one - yet. As the results it turns up are so at odds with the original search, I don't think it's an infection that most people would just ignore.

This sneaky little virus is known as "Google Redirect Virus"

Yeah online security is at risk today.
Most of the Anti viruses fail to detect latest viruses & trojans & malwares.
Hacking is also on the rise.

You can never be to careful, over time I have gotten both the redirect and the rootkit

oh the way rosetrees that video made my day

@Max/Everyone else,

I volunteer on Computing.net (a free computer tech support forum) and deal with the Google Redirect virus as it's more commonly known frequently on there. The more technical name for it is "Rootkit", (a piece of software/tools designed to evade your AV protection), there's also another piece of malware known as a Bootkit, (think of a Rootkit that infects your Master Boot Record), which can be just as, if not more destructive. Whenever you get one of these infections though (despite what Microsoft says) DO NOT reformat your computer. These types of infections can survive formatting.

I have to ask, do WSO's/special offers, have to be internet marketing related?. Having a background in IT, I've actually written a book on how to protect yourself from malware, and etc. It still kind of needs formatting and such, and, I have to get it published. But, could I offer this book on the forum?.. Once it's finished, I mean.


On a side note, you can also use a tool called "Rkill", which would allow you to shut down any malicious process that's currently running temporarily, and then you'd be free to scan with your AV software.

Two of four laptops in our house picked up the Google redirect virus. Normally I just pull out trusty Malwarebytes but that wasn't enough. I must have run 5 different AV programs trying to kill that thing and while the symptoms are gone from one computer I'm still not sure I got it all.

I do think TDSS Killer was the last thing I ran but now I can't remember. Going to run it first on the 2nd laptop (which I haven't tackled yet) instead of the other programs.

Fortunately my laptop did not get hit, only my husband's and my oldest son's. My son didn't even mention it until my husband started complaining about his laptop. Just figured he'd type in the direct address of websites he wanted and skip using search! Sigh.

So check your kids' computers/laptops, too. My understanding is this thing has some nasty side effects if not cleaned out correctly.

I actually had it three year ago before I even knew what it was (this was also before I volunteered and removed all types of viruses on a daily basis), and it took me about 4 days to clean out the entire infection. If TDSS doesn't do the job, your next step is to either A) reset your router to it's defaults, or B) Change your current DNS settings to those of either OpenDNS (which will also help protect you from these redirects, and phishing sites), or Google Public DNS.

This folks is why I use Linux.

There are plenty of free tools out there. The problem of course with Linux distros is you have to have a decent idea of what you are doing, but it is the best way to deal with an already infected computer since booting from a Linux CD will assure that the infection can't execute, then run clam and rootkitty on the hard drive and it will zap most things right off.

You don't necessarily want to rely on one avenue though. Being prepared is important too. If you have a clean computer, make yourself a copy of UBCD4Win (Ultimate Boot CD for Windows). You will then have access to a clean boot environment (when dealing with an MBR/rootkit virus, always coldboot) with several utilities including anti-virus which will be way more effective without the offending code residing in memory.

Prevention methods on clean computers are helpful as well. Use of the BIOS "anti-virus" key will prevent any writes to the boot sector. It has to be turned off only to upgrade the OS, but otherwise there's no reason to allow boot sector writes.

Also with advanced Linux and modern Windows OSes (XP SP2 +) in combination with a modern CPU you can activate a feature called "Data Execution Prevention." The Linux module is AppArmor, in Windows it's part of the advanced system settings\Performance. DEP is 100% effective in preventing data execution with a modern processor, but the effectiveness of software only DEP is limited on older processors that don't support it through hardware (still much better than nothing).

Data execution is a method some clever trojans use to get around antivirus programs to drop their payload; even if the anti-virus catches it, the damage has already been done. DEP is normally set to core Windows components only, but if you set it up to ALL programs, no code loaded into a data area of memory can be executed, thus snuffing that route before damage is caused, unless you specifically allow it. Exception profiles exist for poorly written programs that rely on data execution to function normally, but this should be avoided since it then becomes a potential attack vector; you should always find a newer version or alternative program that is properly written.

This folks is why I use Linux. (well, one of the big reasons anyway)

There are plenty of free tools out there. The problem of course with Linux distros is you have to have a decent idea of what you are doing, but it is the best way to deal with an already infected computer since booting from a Linux CD will assure that the infection can't execute, then run clam and rootkitty on the hard drive and it will zap most things right off.

You don't necessarily want to rely on one avenue though. Being prepared is important too. If you have a clean computer, make yourself a copy of UBCD4Win (Ultimate Boot CD for Windows). You will then have access to a clean boot environment (when dealing with an MBR/rootkit virus, always coldboot) with several utilities including anti-virus which will be way more effective without the offending code residing in memory.

Prevention methods on clean computers are helpful as well. Use of the BIOS "anti-virus" key will prevent any writes to the boot sector. It has to be turned off only to upgrade the OS, but otherwise there's no reason to allow boot sector writes.

Also with advanced Linux and modern Windows OSes (XP SP2 +) in combination with a modern CPU you can activate a feature called "Data Execution Prevention." The Linux module is AppArmor, in Windows it's part of the advanced system settings\Performance. DEP is 100% effective in preventing data execution with a modern processor, but the effectiveness of software only DEP is limited on older processors that don't support it through hardware (still much better than nothing).

Data execution is a method some clever trojans use to get around antivirus programs to drop their payload; even if the anti-virus catches it, the damage has already been done. DEP is normally set to core Windows components only, but if you set it up to ALL programs, no code loaded into a data area of memory can be executed, thus snuffing that route before damage is caused, unless you specifically allow it. Exception profiles exist for poorly written programs that rely on data execution to function normally, but this should be avoided since it then becomes a potential attack vector; you should always find a newer version or alternative program that is properly written.

My husband's computer had a Google redirect virus a while back. That thing was miserable, and we finally did reformat - good thing I had a good backup of what little mattered on that machine. These things aren't always easy to notice, and I only noticed it because something else was wrong with his computer too, which he wanted me to fix.

I had that virus for a while on my old laptop. Only way I could get what I was looking for in the search engines was by clicking on the cached results...never was able to fix it though the problem was only in Firefox and not Chrome.

Edit: If anyone has a clear-cut solution on how to get rid of The Redirect Virus let me know so I can post it on one of my blogs...

With a true rootkit or boot sector virus that you want to make sure is completely nuked, as noted, a format is not enough. I can give Linux instructions if need be, but I know most people want to use Windows so I suggest having a full rake UBCD4Win disc made and ready PRIOR to infection. It is a Windows preboot environment so it cannot be safely made from an infected computer. Also make sure you have a physical Windows install disc, since the steps will eliminate any recovery partition that OEM manufacturers seem so fond of in the last decade or so. If it's not an OEM disc for any reason, have also a separate disc with the hardware drivers; most critical is the network card driver (the others can be downloaded if necessary but you have to be able to get online first).

You can boot into the regular environment to do a data backup (NOT an image backup, a data backup archives just your files. An image backup can only back up and restore the current state of the whole hard drive, viruses and all), then reboot (cold) into DBAN and do a zero overwrite. This will ERASE your hard drive to factory condition. Note: that's hard drive factory, not OEM. There will be no recovery partition, no data, no OS, and no virus.

Next, boot the Windows install disc and reinstall Windows. You'll have to redo all the updates and reinstall your programs. For antivirus, I personally suggest Avast4Home but there's plenty of other good and free alternatives as well (AVG is popular). I tend to stay away from the corporate system hogs like Synaptic and McAffee.

Once your antivirus is installed and updated, you can do your data restore. Do not overwrite files when restoring, it can cause problems (especially off \WIN* directories). If your backup has infected code, the AV should catch it and safely quarantine it.

Enjoy your refreshed like-new virus free computer.

Thanks for sharing it here. I don't want my computer to be formatted and I had this for more than 3 years now. I don't have slave disk yet so I am terribly afraid of any viruses that can harm my pc. Great job pal!

^^^ That of course is the overkill method. In some cases, you can boot your install disc to the recovery console and type FIXMBR (NT version of FDISK /MBR) which will give a clean master boot record and boot sector. You'd still want to immediately boot UBCD4Win and do an "off-line" virus scan as well so you are not simply re-infected on reboot.

This only works if your AV hasn't been compromised and the rest of the system is in good working order; Confucius say, "don't use canon to kill mosquito." However if your system is trashed and otherwise irreparable, by all means, bring out the nuke (DBAN = Dan Boot And Nuke).

I had something very similar on my computer called the "Google redirect virus". This virus redirects all your searches to classifieds pages tricking the amateur user into thinking this might be the actual website for a while. This is one bitchass virus that I simply could not get rid of no matter what I did (I'm talking about manual registry editing, etc far more than just virus scans), so I decided to restore my computer to 6 days previous (I set a restore point every 2 weeks) and the virus was rid of.

This virus is like an ex-wife after your money, its a bitch that will NOT leave you alone.

My tip is to go to techspot forums (google it) and they have many threads with computer technicians that offer free solutions, you can create your own thread and have an expert deal with you for free

I had the Google redirect virus as well. I used Hitman Pro and it did the job fast.