[VIRUS!] BEWARE of Having Your SEARCHES RATTLED

by MacS09
30 replies
Last week, I had my searches rattled. My search engine results went all over the place.

By this I mean that whatever I searched for, the links produced by all three major SE went to totally random pages that had nothing to do with what I was looking for.

On closer inspection I noticed strange strings in the status bar. My root had been infected by rattlingsearches.com. I made a video about what this looks like and how to cure it:

Have the Search Engines Gone Mad?

If this spreads widely, consequences for IM would be dire: The logic of this and perhaps similar viruses dictates that we’d have to forget about SEO and perhaps even adwords. The SE could forget about existing. The main problem is that antivirus programs don’t seem to detect these infections as yet. So far, I have only found links to cures after your system has been infected.

Here is the link to the Kaspersky treatment promised in the video.

Anti-rootkit utility TDSSKiller

Has anyone else had any experience with this yet?

Max
#anti-rootkit scan #anti-rootkit treatment #beware #rattled #rattlingsearches.com #searches #virus
  • Will Edwards
    Very nice video Max.

    Well done.

    Will
  • simonbuzz
    Thanks for the share I will check out the video
  • Alonzo White
    Wow, I don't understand why people do this. I guess some people have too much time on their hands.

    Thanks for the heads up Max.
  • rosetrees
    Thanks Max. I haven't come across that one - yet. As the results it turns up are so at odds with the original search, I don't think it's an infection that most people would just ignore.
  • Praveen Kumar
    This sneaky little virus is known as "Google Redirect Virus"
    • jbento
      Hi Max

      Thanks a lot for the info and for the video. It amazes me we still have some good old warriors that share valuable information without the format of a WSO... meaning, for free.

      It's rare nowadays..

      Keep the good work

      Jorge
  • dsouravs
    Yeah, online security is at risk today.
    Most anti-viruses fail to detect the latest viruses, trojans & malware.
    Hacking is also on the rise.
  • sparrow
    You can never be too careful; over time I have gotten both the redirect and the rootkit.

    Oh, by the way rosetrees, that video made my day.
  • ry6782010
    @Max/Everyone else,

    I volunteer on Computing.net (a free computer tech support forum) and deal with the Google Redirect virus, as it's more commonly known, frequently on there. The more technical name for it is "Rootkit" (a piece of software/tools designed to evade your AV protection); there's also another piece of malware known as a Bootkit (think of a Rootkit that infects your Master Boot Record), which can be just as, if not more, destructive. Whenever you get one of these infections though (despite what Microsoft says) DO NOT reformat your computer. These types of infections can survive formatting.

    I have to ask, do WSOs/special offers have to be internet marketing related? Having a background in IT, I've actually written a book on how to protect yourself from malware, etc. It still kind of needs formatting and such, and I have to get it published. But could I offer this book on the forum? Once it's finished, I mean.

    On a side note, you can also use a tool called "Rkill", which would allow you to shut down any malicious process that's currently running temporarily, and then you'd be free to scan with your AV software.
    • Sojourn
      Originally Posted by ry6782010

      I have to ask, do WSOs/special offers have to be internet marketing related? Having a background in IT, I've actually written a book on how to protect yourself from malware, etc. It still kind of needs formatting and such, and I have to get it published. But could I offer this book on the forum? Once it's finished, I mean.
      You can check the WSO rules here: http://www.warriorforum.com/warrior-...29-2011-a.html

      Obviously, the audience on this forum will be heavily marketing-related, but that also means we're heavy computer users and often concerned with computer security. Even if the WSO platform turned out not to be the best place for your product, this forum holds a ton of information on producing and promoting your product in a number of other locations where it could do very well.

      Of course, you could also become a service provider and charge a fee for cleaning up infected computers. I have one sitting here waiting for you....
  • Sojourn
    Two of four laptops in our house picked up the Google redirect virus. Normally I just pull out trusty Malwarebytes but that wasn't enough. I must have run 5 different AV programs trying to kill that thing and while the symptoms are gone from one computer I'm still not sure I got it all.

    I do think TDSS Killer was the last thing I ran but now I can't remember. Going to run it first on the 2nd laptop (which I haven't tackled yet) instead of the other programs.

    Fortunately my laptop did not get hit, only my husband's and my oldest son's. My son didn't even mention it until my husband started complaining about his laptop. Just figured he'd type in the direct address of websites he wanted and skip using search! Sigh.

    So check your kids' computers/laptops, too. My understanding is this thing has some nasty side effects if not cleaned out correctly.
  • ry6782010
    I actually had it three years ago before I even knew what it was (this was also before I volunteered and removed all types of viruses on a daily basis), and it took me about 4 days to clean out the entire infection. If TDSS doesn't do the job, your next step is to either A) reset your router to its defaults, or B) change your current DNS settings to those of either OpenDNS (which will also help protect you from these redirects, and phishing sites), or Google Public DNS.
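Before resetting a router or switching resolvers, it helps to know where the redirect is actually configured. The script below is an added example, not code from the thread or from any of the tools it names: it reads, without changing anything, the three places a search redirect is commonly planted on a Windows machine (the hosts file, the DNS servers each adapter really uses, and the WinINET proxy/PAC setting, the last one included for completeness rather than because the thread mentions it). It assumes PowerShell 3.0 or later, and the $ExpectedDns allow-list is a placeholder holding the OpenDNS and Google Public DNS addresses; fill in whatever resolvers you expect on your network.

```powershell
# Added example, not from the thread: read-only triage of the places a search
# redirect is commonly configured on Windows. Assumptions: PowerShell 3.0+;
# $ExpectedDns is a placeholder allow-list (OpenDNS and Google Public DNS here).
$ExpectedDns   = @('208.67.222.222', '208.67.220.220', '8.8.8.8', '8.8.4.4')
$SearchPattern = 'google|bing|yahoo'    # names a redirect typically hijacks

# 1. hosts file: any active (non-comment) line mapping a search-engine name is suspect.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsHits = Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match $SearchPattern }
if ($hostsHits) {
    Write-Warning 'hosts file overrides search-engine names:'
    $hostsHits | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Output 'hosts file: no search-engine entries'
}

# 2. DNS servers in use, per IP-enabled adapter. A resolver that is not on the
#    allow-list is not proof of infection (DHCP often hands out the router's own
#    address), but it is exactly what a router or DNS hijack looks like.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $servers    = @($_.DNSServerSearchOrder)
        $unexpected = $servers | Where-Object { $_ -notin $ExpectedDns }
        if ($unexpected) {
            Write-Warning "$($_.Description): unexpected DNS server(s) $($unexpected -join ', ')"
        } else {
            Write-Output "$($_.Description): DNS = $($servers -join ', ')"
        }
    }

# 3. WinINET proxy or auto-config (PAC) script: another way every browser
#    request can be steered. Checked for completeness; not discussed in the thread.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning "proxy in use: server='$($inet.ProxyServer)' PAC='$($inet.AutoConfigURL)'"
} else {
    Write-Output 'proxy: none configured'
}
```

Run it as the user whose searches are being redirected. If the only DNS server flagged is your router's address, log into the router and check what it forwards to: the factory reset suggested above clears a resolver that was changed on the router rather than on the PC. A clean result from all three checks does not mean the machine is clean; a rootkit can redirect from inside the browser process or the network stack without touching any of these settings, so still run the anti-rootkit scan.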
  • Tek Scavenger
    This folks is why I use Linux.

    There are plenty of free tools out there. The problem of course with Linux distros is you have to have a decent idea of what you are doing, but it is the best way to deal with an already infected computer since booting from a Linux CD will assure that the infection can't execute, then run clam and rootkitty on the hard drive and it will zap most things right off.

    You don't necessarily want to rely on one avenue though. Being prepared is important too. If you have a clean computer, make yourself a copy of UBCD4Win (Ultimate Boot CD for Windows). You will then have access to a clean boot environment (when dealing with an MBR/rootkit virus, always coldboot) with several utilities including anti-virus which will be way more effective without the offending code residing in memory.

    Prevention methods on clean computers are helpful as well. Use of the BIOS "anti-virus" key will prevent any writes to the boot sector. It has to be turned off only to upgrade the OS, but otherwise there's no reason to allow boot sector writes.

    Also with advanced Linux and modern Windows OSes (XP SP2 +) in combination with a modern CPU you can activate a feature called "Data Execution Prevention." The Linux module is AppArmor, in Windows it's part of the advanced system settings\Performance. DEP is 100% effective in preventing data execution with a modern processor, but the effectiveness of software only DEP is limited on older processors that don't support it through hardware (still much better than nothing).

    Data execution is a method some clever trojans use to get around antivirus programs to drop their payload; even if the anti-virus catches it, the damage has already been done. DEP is normally set to core Windows components only, but if you set it up to ALL programs, no code loaded into a data area of memory can be executed, thus snuffing that route before damage is caused, unless you specifically allow it. Exception profiles exist for poorly written programs that rely on data execution to function normally, but this should be avoided since it then becomes a potential attack vector; you should always find a newer version or alternative program that is properly written.
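The DEP settings the post describes can be read and changed from an elevated PowerShell prompt rather than through the System Properties dialog. The following is an added example, not the poster's own code: it prints whether the CPU supports hardware DEP, which of the four Windows policies is active ("Windows components only" is OptIn, the dialog's "all programs except those I select" is OptOut, and AlwaysOn admits no exceptions at all), lists any per-program exceptions recorded by the dialog, and shows, commented out, the bcdedit command that switches the policy. It assumes PowerShell 3.0 or later for Get-CimInstance; the bcdedit change needs administrator rights and a reboot.

```powershell
# Added example, not from the post: show the Windows DEP policy and any
# per-program exceptions, then (commented out) the command that moves the
# policy to "all programs". Assumptions: PowerShell 3.0+; bcdedit needs an
# elevated prompt and the change takes effect after a reboot.
$os = Get-CimInstance Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn  - every process, no exceptions (bcdedit only)'
    2 = 'OptIn     - Windows components only (the default the post refers to)'
    3 = 'OptOut    - all programs except the listed exceptions'
}
"Hardware NX/XD support : $($os.DataExecutionPrevention_Available)"
"DEP policy             : $($policyNames[[int]$os.DataExecutionPrevention_SupportPolicy])"
"DEP applied to 32-bit  : $($os.DataExecutionPrevention_32BitApplications)"

# Exceptions added through System Properties are stored as AppCompat layers
# carrying DisableNXShowUI; each entry is a program running with DEP off.
foreach ($hive in 'HKCU', 'HKLM') {
    $layers = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"
    if (Test-Path $layers) {
        (Get-ItemProperty $layers).PSObject.Properties |
            Where-Object { "$($_.Value)" -match 'DisableNXShowUI' } |
            ForEach-Object { Write-Warning "DEP exception ($hive): $($_.Name)" }
    }
}

# To apply the post's "all programs" advice, uncomment one line and reboot.
# AlwaysOn admits no exceptions; OptOut keeps the exception list listed above.
# bcdedit /set '{current}' nx AlwaysOn
# bcdedit /set '{current}' nx OptOut
```

Treat each exception the script lists the way the post suggests: as a program to replace rather than a setting to keep, since an exception is a process an exploit can target freely. OptOut is the practical choice on a machine that still needs one or two such programs; AlwaysOn is the choice once none remain.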
    • CDarklock
      Originally Posted by Tek Scavenger

      This folks is why I use Linux.

      The problem of course with Linux distros is you have to have a decent idea of what you are doing...
      Yes, folks, rather than practicing generally safe computing principles and avoiding the various "bad neighbourhoods" of the web - you know, the places where most piracy and porn are found - you should spend several years becoming a competent and qualified Linux server administrator.

      Where you will, um, still need to practice generally safe computing principles and avoid the various "bad neighbourhoods" of the web. Except you'll do it using systems that are much harder to understand.

      Well, honestly, we just want all the stupid people to get off the damn internet so it can be like it was in the 1980s again. We liked it that way. :p
      • capitalalchemy
        It's the redirect virus. I had it a couple of times on several different computers. It's a rootkit trojan that sneaks onto your computer by tagging along alongside a generic printer process, so Windows does not even notice anything out of the ordinary.

        It cloaks itself and then creates a back door to download other adware and so forth. It can be severe. A few weeks later someone was trying to tap into my paypal account, and then I discovered that someone was actually tampering with my debit card, so I had to get a new one issued.

        Financial theft is a risk with this virus.
    • ry6782010
      Originally Posted by Tek Scavenger

      This folks is why I use Linux. (well, one of the big reasons anyway)

      There are plenty of free tools out there. The problem of course with Linux distros is you have to have a decent idea of what you are doing, but it is the best way to deal with an already infected computer since booting from a Linux CD will assure that the infection can't execute, then run clam and rootkitty on the hard drive and it will zap most things right off.

      You don't necessarily want to rely on one avenue though. Being prepared is important too. If you have a clean computer, make yourself a copy of UBCD4Win (Ultimate Boot CD for Windows). You will then have access to a clean boot environment (when dealing with an MBR/rootkit virus, always coldboot) with several utilities including anti-virus which will be way more effective without the offending code residing in memory.

      Prevention methods on clean computers are helpful as well. Use of the BIOS "anti-virus" key will prevent any writes to the boot sector. It has to be turned off only to upgrade the OS, but otherwise there's no reason to allow boot sector writes.

      Also with advanced Linux and modern Windows OSes (XP SP2 +) in combination with a modern CPU you can activate a feature called "Data Execution Prevention." The Linux module is AppArmor, in Windows it's part of the advanced system settings\Performance. DEP is 100% effective in preventing data execution with a modern processor, but the effectiveness of software only DEP is limited on older processors that don't support it through hardware (still much better than nothing).

      Data execution is a method some clever trojans use to get around antivirus programs to drop their payload; even if the anti-virus catches it, the damage has already been done. DEP is normally set to core Windows components only, but if you set it up to ALL programs, no code loaded into a data area of memory can be executed, thus snuffing that route before damage is caused, unless you specifically allow it. Exception profiles exist for poorly written programs that rely on data execution to function normally, but this should be avoided since it then becomes a potential attack vector; you should always find a newer version or alternative program that is properly written.

      Linux = <3. On a side note guys, you can also use an add-on for Firefox called "NoScript" which will block all scripts executed by sites; it also allows you to unblock only those sites you trust.
  • stephfoster
    My husband's computer had a Google redirect virus a while back. That thing was miserable, and we finally did reformat - good thing I had a good backup of what little mattered on that machine. These things aren't always easy to notice, and I only noticed it because something else was wrong with his computer too, which he wanted me to fix.
  • stingrays06
    I had that virus for a while on my old laptop. The only way I could get what I was looking for in the search engines was by clicking on the cached results... never was able to fix it, though the problem was only in Firefox and not Chrome.

    Edit: If anyone has a clear-cut solution on how to get rid of The Redirect Virus let me know so I can post it on one of my blogs...
  • Tek Scavenger
    With a true rootkit or boot sector virus that you want to make sure is completely nuked, as noted, a format is not enough. I can give Linux instructions if need be, but I know most people want to use Windows so I suggest having a full rake UBCD4Win disc made and ready PRIOR to infection. It is a Windows preboot environment so it cannot be safely made from an infected computer. Also make sure you have a physical Windows install disc, since the steps will eliminate any recovery partition that OEM manufacturers seem so fond of in the last decade or so. If it's not an OEM disc for any reason, have also a separate disc with the hardware drivers; most critical is the network card driver (the others can be downloaded if necessary but you have to be able to get online first).

    You can boot into the regular environment to do a data backup (NOT an image backup; a data backup archives just your files. An image backup can only back up and restore the current state of the whole hard drive, viruses and all), then reboot (cold) into DBAN and do a zero overwrite. This will ERASE your hard drive to factory condition. Note: that's hard drive factory, not OEM. There will be no recovery partition, no data, no OS, and no virus.

    Next, boot the Windows install disc and reinstall Windows. You'll have to redo all the updates and reinstall your programs. For antivirus, I personally suggest Avast4Home but there's plenty of other good and free alternatives as well (AVG is popular). I tend to stay away from the corporate system hogs like Symantec and McAfee.

    Once your antivirus is installed and updated, you can do your data restore. Do not overwrite files when restoring; it can cause problems (especially off \WIN* directories). If your backup has infected code, the AV should catch it and safely quarantine it.

    Enjoy your refreshed, like-new, virus-free computer.
  • Tommy Smith
    Thanks for sharing it here. I don't want my computer to be formatted and I had this for more than 3 years now. I don't have slave disk yet so I am terribly afraid of any viruses that can harm my pc. Great job pal!
  • Tek Scavenger
    ^^^ That of course is the overkill method. In some cases, you can boot your install disc to the recovery console and type FIXMBR (NT version of FDISK /MBR) which will give a clean master boot record and boot sector. You'd still want to immediately boot UBCD4Win and do an "off-line" virus scan as well so you are not simply re-infected on reboot.

    This only works if your AV hasn't been compromised and the rest of the system is in good working order; Confucius say, "don't use cannon to kill mosquito." However if your system is trashed and otherwise irreparable, by all means, bring out the nuke (DBAN = Darik's Boot and Nuke).
    • capitalalchemy
      I agree - I'm shocked that reformatting has worked for some folks. I reformatted about 2 times and it was still there on one of my computers.
  • HazeBlazer
    I had something very similar on my computer called the "Google redirect virus". This virus redirects all your searches to classifieds pages tricking the amateur user into thinking this might be the actual website for a while. This is one bitchass virus that I simply could not get rid of no matter what I did (I'm talking about manual registry editing, etc far more than just virus scans), so I decided to restore my computer to 6 days previous (I set a restore point every 2 weeks) and the virus was rid of.

    This virus is like an ex-wife after your money, its a bitch that will NOT leave you alone.

    My tip is to go to techspot forums (google it) and they have many threads with computer technicians that offer free solutions, you can create your own thread and have an expert deal with you for free
  • Lulu Chil
    I had the Google redirect virus as well. I used Hitman Pro and it did the job fast.