Consultant Bob Eisenhardt recounts his frustrating experience trying to track down and get rid of a client's search-redirect virus. Here's how he finally ditched it.
Ever go to Reno, Nevada? Well, if you have not, there is a terrific little virus making its way around the net that instantly takes you there from your search engine. About a month ago, one of my accounts in Manhattan reported that something was re-directing searches to odd websites, one of them coming up as SEARCH RENO. I tested the search on-site and it was indeed true.
All of the standard defense protocols such as a scan with MalwareBytes and ComboFix came up clean. Although the bug is commonly referred to as TDSS, the software fix that a co-consultant I work with totally trusted, TDSSKiller, came up equally clean. This was a surprise.
Sophos has a rootkit killer that also found no infections. ComboFix came up empty handed as did Gmer. Having thus exhausted the standard solutions, I was mightily frustrated.
Further research led me to a persistent link that indicated a services search for RANDOM.EXE running. It was not running on my client's system. The random.exe link also advertises a paid software product to remove the virus, with a live chat concurrent with somebody (probably in India). I ignored that option instantly. (I have come to believe that some blogs pose question and answers by the same user under different names, an ingenious idea for the uninitiated to download an infected product.)
So where does this one come from? The redirect URL takes users to the IP address 126.96.36.199. If you google that IP, you are off on a hunt of severe frustration. This virus has been around awhile, but finding a solution remains confusing. Let's look at that IP address for moment. It is related to SCOUR.COM as a redirect agent. This is either a real or a fake site and the virus itself uses complex methods to hide from traditional removal methods as I undertook above. There seem to be two threats here - a search hijacker and Trojans hiding in the links on the redirect page. The former just slows down your system and makes life frustrating, which is common enough with Windows itself. The Trojan is an open door for someone far away to control your computer and steal information. In a worst-case scenario, malware of this type can steal your financial information and then wipe out your drive. This is precisely what happened to 30,000 systems in Saudi Arabia recently. Trojans must be removed quickly and that is the devilish part to do.
I am heavily qualifying my certainties because this is such an odd entry into the virus and malware world; for instance, I do not know exactly where the infection comes from. We can be reasonably certain that some (not all) porn sites will infect your system as well as other compromised sites that include links to sketchy destinations.
If memory serves, there was also a quick re-direct agent running when a Google search was initiated and before "Reno" arrived. It was hard to catch, maybe on bar for 2 seconds or so. I believe it was "myfreesearch" or similar. The category of MYFREE something has always been an annoyance, such as MY FREE WEBSEARCH, which is horrible. But this one came and went very quickly. I strongly urge security experts to use good eyesight to catch these momentary leads.
There is a variant of the redirect virus that attacks just Firefox. Mozilla Support lists a php script running on a different server (where, I know not) that kicks you over to "realgamerz.net" and similar shady sites. As above, traditional methods of elimination failed and Mozilla really has no clear cut answer. Nor does the voyage always take you to Reno — one user reported being directed to bargainmatch.com when trying to find the Weather Channel.
All of which leads me to suspect that many variants abound of this virus, but I am almost beginning to think we are entering something beyond traditional virus and malware problems. This one, at least the one I hit, is very slick. We may be seeing a whole new breed of invasive tools come into play. A co-consultant was absolutely shocked that TDSSKiller did not find anything. Running HiJackthis produced a log that can be copied into an effective website, HIJACKTHIS.DE which will run an in-depth analysis and highlight potential issues. Even though several irregularities were spotted, again and again my client's system visited Reno.
Resolution was draconian but very simple - I gave up trying to remove the virus and used Revo uninstaller to remove Firefox entirely, trusting that I am confronted with a variant that infects just Firefox. After saving bookmarks, using Revo, a cold reboot, and then a reinstall, my client has confirmed that the problem has gone away. I am relieved of one more burden. (If I run into this virus again, I will try GOOREDFIX as some have suggested).
Hackers and thieves are, by now, well aware of the tools most professionals use to remove their products, and it would not be surprising at all to see them working their evil deeds around these tools. I generally believe that in the world of security I can stay ahead of the thieves by minus five minutes or so — that there is always somebody out there already ahead of the game by just that much.
Have you run into this virus or a similar search hijacker? How did you get rid of it? Let us know what you found out in the comments below.