Help, my Google search has strange results!

This is one of the more frequent things I hear from folks. You type a search request into your favorite search engine, but the results are all unrelated to the actual query. And there are lots of obviously bad sites showing up in the search results. Short and simple, you’ve got malware.

A while back I came across an article written by Rorschach112 called How To Fix Google Redirects – and all the steps/tools outlined in that post are very effective at resolving a lot of the Google redirect problems that I have had to deal with. So I thought I should post a link in case you’re the type of person who likes to fix-it-yourself.

How to fix Google Redirects, aka Win32/Olmarik, Rootkit.Win32.TDSS.u, Win32/Alureon.F, Backdoor.Tidserv!.inf

This infection hijacks your browsers to divert search engines to malware sites. Another symptom is getting the error message “DCOM server protocol launcher server terminated”. It is important that you do not try fix this infection manually, or to let your anti-virus program do it, as it can result in an unbootable machine if removed badly. This guide is designed to remove the infection easily and effectively, with no side-effects.

Rorschach112 goes on to describe step-by-step what you’ll need to do. He includes links to the specialized tools you’ll need and provides screenshots of what to expect along the way. It’s a simple straight-forward self-help document. So if you’re search results aren’t what you expect, give it a try.

So how did I get infected with this stuff?

I found the article above while researching the Backdoor.TidServ infection that Symantec found on someone’s computer. As it turns out this particular virus had originated back in 2008 and has morphed quite a few times and is still actively affecting machines. It uses various techniques to trick a user into installing the virus.

Some of the infection methods involve posting links in blog comments, or web forums that point to sites which have been hacked via SQL injection. By exploiting weaknesses in database security a malware author can insert code into a web form which can alter the contents of a website, often without the web site owner becoming aware until well after the damage has been done and the site visitors have been infected. This is sometimes referred to as a drive-by infection, because the visitor to the site may innocently stumble upon a site that has been hacked in such a manner and not be aware the they’ve picked up a virus until much later when they try to search for something.

Other methods of infection involve peer to peer file sharing services. The majority of traffic on these file sharing services is from people trying to obtain pirated/illegal software and keygens or cracks to unlock software for free. The malware authors often post their wares with names of popular search items and just sit back and wait for folks to download, install and infect themselves.

So why do virus writers do it?
Well, the answer is quite simple really. Money.

By redirecting your search results to sites of their choosing they can trick you into visiting sites which have a pay-per-click kickback to whomever referred the visitor to the site. If a virus writer could infect and refer 1,000,000 people it adds up quickly.

Even more profitable are the pay-per-install programs. There are companies which offer affiliates a small fee from sales of their software. Symantec studies found one software in their research that paid referrers $0.15 per install. That may not sound like much, but if a person controlled 200,000 machines with a backdoor trojan and told them all to install that piece of software it’s a quick $30,000.

Be safe out there, and as always, if you need anything I’m here to help!
-Erik

Leave a Comment