Wednesday, March 13, 2013

2013 Google Redirect Virus May Not Be On Your PC

I solved a recent 2013 Google redirect virus threat to our PCs, a problem on which there is sparse information and which came from an unexpected source. If the virus is not on your PC, then your antivirus software is obviously not going to be effective against it. I'm posting this solution in the hope that it can save someone else the hours of searching and trying things that I wasted on it.

Recently, on one of my desktop PCs, Avast Antivirus started popping up warnings about blocking a malware threat. Specifically, it was blocking a JavaScript redirect that it said had something to do with Google Analytics. Sometimes the URL was just an IP address (in this case, 91.236.116.158), other times it was google-analytics.com. Two scripts were being hijacked, ga.js and urchin.js, which are well-known Google scripts used for tailoring Adsense ads to your perceived preferences.

Avast malware popup warning (sorry for the blurry shot; it says www.google-analytics/ga.js (gzip))

After a short time, this "malware blocked" popup was happening on nearly any page I surfed, but especially anything related to Google, Analytics or not. Full scans, including boot-time scans, via Avast and later using the free Kaspersky Virus Removal Tool (among other tools) turned up some viruses on my PC. They were removed, and once in a while the behavior stopped for a short time, but soon "Malware Blocked" was again my web surfing buddy.

Searching high and low on the 'net didn't turn up a lot, and most of the relevant information was at least a year old, not exactly related to this 2013 redirect threat. Usually, the solutions tracked down a virus on the hard drive, or a hijacked hosts file in Windows. Neither of those solutions seemed to apply in my case. In any event, none of them worked.

Then I got a break, of sorts. My main PC, a Dell laptop, had been idling awaiting a new motherboard for a couple of months. At last, I received a new MB and got it up and running again in the shake of a rattlesnake's tail. Guess what? The same malware blocked popup started showing up on it, too. Since it had been out of commission for so long, and I transferred no files from the desktop PC to the laptop, this meant the problem was in the network.
nslookup showing google-analytics.com going to the correct IP: what a normal nslookup on www.google-analytics.com should look like

There is some talk about router infections related to this malware javascript problem on various forums, but a full reset of our router/modem had no effect. Finally, I read something about the DNS being hijacked. I ran an nslookup in the Windows command shell, and sure enough, google-analytics.com was going to that evil IP address above. Bingo!
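The nslookup check above can be made repeatable and independent of the Windows stub resolver. The following is an added example, not code from the original post: it sends a raw A query straight to a chosen resolver over UDP/53, parses the answer section, and reports when two resolvers disagree about the same name. Server addresses are passed in by the caller; the ISP resolver address is whatever your own connection uses.

```python
import random
import socket
import struct

A_RECORD, CLASS_IN = 1, 1   # QTYPE / QCLASS for an IPv4 address record

def encode_name(name):
    """'www.example.com' -> length-prefixed DNS labels ending in a zero byte."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(name, qid):
    """A/IN query in RFC 1035 wire format; flags 0x0100 = recursion desired."""
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", A_RECORD, CLASS_IN)

def _skip_name(buf, off):
    # Walk labels; a 0xC0 compression pointer is two bytes long and ends the name.
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp, qid):
    """Set of IPv4 strings in the answer section; rejects a reply whose id does not match."""
    rid, _flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("response id does not match query id")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    ips = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == A_RECORD and rclass == CLASS_IN and rdlen == 4:
            ips.add(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def resolve_a(name, server, timeout=3.0):
    """Ask one resolver directly on UDP/53, bypassing the OS stub resolver and its cache."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, qid)

def resolvers_disagree(answers):
    """True when the resolvers in answers (server -> set of IPs) returned different A record sets."""
    return len({frozenset(ips) for ips in answers.values()}) > 1
```

Call resolve_a("www.google-analytics.com", server) once with your ISP's resolver address and once with a reference such as 8.8.8.8, then pass both results to resolvers_disagree; a disagreement on a well-known name is the hijack signature described above. CDN-fronted names can legitimately answer differently by region, so compare against more than one reference before concluding the ISP resolver is poisoned.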

This problem wasn't mine after all, but the ISP's. One or more of their DNS servers had been infected by this Google redirect virus and the dopes hadn't noticed it for at least a week. I collected the relevant information, found their support site, and left them a detailed message, including the IPs of the DNS servers I was using.

Problem solved, let's hit the beach!
Though I never heard back from ICE, within a couple of hours the problem had vanished, never to return. It's a little disconcerting that this ISP, I.C.E., which pretty much has a monopoly on Internet access in Costa Rica, wasn't even aware of the problem, or that no one else had reported it to them. Such, sometimes, is life in the land of Pura Vida!

Anyway, everything is now puppies and sunshine again, and if this nasty 2013 Google redirect virus returns, it's one problem I'll know how to take care of.

If this solution happens to apply to your malware problem, it would be nice if you'd leave a comment below saying so. Good luck!


8 comments:

  1. You can always use Google DNS (8.8.8.8 and 8.8.4.4) or any other DNS hosting provider of your choice (like OpenDNS, etc.)

    1. Sure, you could. But, in my case, that's not optimal, since I'm located in Costa Rica and Google DNS is probably not going to use the nearest servers to me and thus slow down my connection in some cases. The point of the post, of course, is that you may not realize it's a DNS problem in the first place.

  2. I was getting redirects. It started very subtly. I thought I was crazy, until I got redirected to an X-rated site. Great Post

  3. I recently had this virus and I'm not sure if it's gone yet. I tried a bunch of manual fixes located on tech wikis but it either worked for a day or not at all. In the end I tried a solution that was mentioned by a few people who helped me out. Fix Redirect Virus worked pretty well. It felt like I was throwing chemo at my computer. We'll see in the next few weeks if it's gone for good. I've never had computer cancer before but I'd have to say this virus seems to fit the bill. If it failed then I'm just going to wipe my computer clean. I'll watch out for the out-of-personal-PC version. Thanks for the heads up.

    1. That's a great analogy, computer chemo! I hope your instance of PC cancer is gone, too. It can be very frustrating to kill the virus only to have it re-appear.

  4. So I'm somewhat unsure of who is behind this. Is this actually Google, or is it someone pretending to be Google? Also, is this a backdoor virus that sends my information to an undisclosed third party?

    Any answer would be helpful.

  5. Thank you, thank you, thank you for this post, changing the DNS servers fixed the problem. I think I'll wait a while for my ISP to eradicate the cause. This was my second redirection problem in 2 weeks.

