Battling the Google Redirect virus

January 2, 2013, 10:56 AM PST

Takeaway: Consultant Bob Eisenhardt recounts his frustrating experience trying to track down and get rid of a client's search-redirect virus. Here's how he finally ditched it.

Ever go to Reno, Nevada? Well, if you have not, there is a terrific little virus making its way around the net that instantly takes you there from your search engine. About a month ago, one of my accounts in Manhattan reported that something was re-directing searches to odd websites, one of them coming up as SEARCH RENO. I tested the search on-site and it was indeed true.

All of the standard defense protocols, such as a scan with MalwareBytes and ComboFix, came up clean. Although the bug is commonly referred to as TDSS, the dedicated fix that a co-consultant I work with trusts completely, TDSSKiller, came up equally clean. This was a surprise.

Sophos has a rootkit killer that also found no infections. ComboFix came up empty-handed, as did Gmer. Having thus exhausted the standard solutions, I was mightily frustrated.

Further research led me to a persistent link that indicated a services search for RANDOM.EXE running. It was not running on my client's system. The random.exe link also advertises a paid software product to remove the virus, with a live chat running alongside it, staffed by somebody (probably in India). I ignored that option instantly. (I have come to believe that some blogs pose questions and answers by the same user under different names, an ingenious way to get the uninitiated to download an infected product.)

So where does this one come from? The redirect URL takes users to the IP address 63.209.69.107. If you google that IP, you are off on a hunt of severe frustration. This virus has been around a while, but finding a solution remains confusing. Let's look at that IP address for a moment. It is related to SCOUR.COM as a redirect agent. This is either a real or a fake site, and the virus itself uses complex methods to hide from the traditional removal methods I undertook above. There seem to be two threats here - a search hijacker and Trojans hiding in the links on the redirect page. The former just slows down your system and makes life frustrating, which is common enough with Windows itself. The Trojan is an open door for someone far away to control your computer and steal information. In a worst-case scenario, malware of this type can steal your financial information and then wipe out your drive. This is precisely what happened to 30,000 systems in Saudi Arabia recently. Trojans must be removed quickly, and that is the devilish part to do.

I am heavily qualifying my certainties because this is such an odd entry into the virus and malware world; for instance, I do not know exactly where the infection comes from. We can be reasonably certain that some (not all) porn sites will infect your system as well as other compromised sites that include links to sketchy destinations.

If memory serves, there was also a quick redirect agent running when a Google search was initiated and before Reno arrived. It was hard to catch, maybe in the address bar for 2 seconds or so. I believe it was myfreesearch or similar. The category of MYFREE something has always been an annoyance, such as MY FREE WEBSEARCH, which is horrible. But this one came and went very quickly. I strongly urge security experts to use good eyesight to catch these momentary leads.
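Rather than relying on eyesight, the intermediate hop can be recorded by following the redirect chain one hop at a time and never letting the client auto-follow. The script below is an added example, not code from the original post: a local http.server stands in for the hijacked search page and its two-hop chain is constructed for the demo; the only value taken from the post is the 63.209.69.107 redirect IP, which is placed on a watch list so the tracer stops before ever connecting to it.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed watch list; 63.209.69.107 is the redirect IP named in the post.
WATCHLIST = {"63.209.69.107"}

# Constructed hop table for the fake search page: request path -> Location.
HOPS = {
    "/search?q=weather": "http://127.0.0.1:{port}/redir",  # momentary agent
    "/redir": "http://63.209.69.107/",                      # final hijack target
}

class _FakeSearch(BaseHTTPRequestHandler):
    def do_GET(self):
        target = HOPS.get(self.path)
        if target is None:
            self.send_response(200); self.end_headers(); return
        self.send_response(302)
        self.send_header("Location", target.format(port=self.server.server_port))
        self.end_headers()
    def log_message(self, *args):  # keep the demo quiet
        pass

def trace_redirects(url, max_hops=10):
    """Follow one hop at a time and return every host in the chain.
    Stops *without connecting* as soon as a watch-listed host appears."""
    chain = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        chain.append(parts.hostname)
        if parts.hostname in WATCHLIST:
            break                                  # never touch the suspect host
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=5)
        conn.request("GET", parts.path + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break                                  # chain ended at a real page
        url = location
    return chain

def demo():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _FakeSearch)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return trace_redirects(f"http://127.0.0.1:{srv.server_port}/search?q=weather")
    finally:
        srv.shutdown(); srv.server_close()

if __name__ == "__main__":
    print(demo())  # ['127.0.0.1', '127.0.0.1', '63.209.69.107']
```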

There is a variant of the redirect virus that attacks just Firefox. Mozilla Support lists a php script running on a different server (where, I know not) that kicks you over to realgamerz.net and similar shady sites. As above, traditional methods of elimination failed, and Mozilla really has no clear-cut answer. Nor does the voyage always take you to Reno; one user reported being directed to bargainmatch.com when trying to find the Weather Channel.

Read the rest here:
Battling the Google Redirect virus
