Follow Slashdot stories on Twitter


Forgot your password?
Google Security IT

Google Warns Users About Active Malware Infection 80

dinscott writes "Google has begun notifying its users that a particular piece of malware is installed on their computers by showing a big yellow notification above their search results. The warning begun popping up yesterday, and does so only for users whose computers have been infected by a particular strain of malware that hijacks search results in order to drive users towards websites that use pay-per-click schemes."
This discussion has been archived. No new comments can be posted.

Google Warns Users About Active Malware Infection

Comments Filter:
  • Proxy (Score:5, Insightful)

    by mwvdlee ( 775178 ) on Wednesday July 20, 2011 @09:00AM (#36822222) Homepage

    The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.

    • by Intron ( 870560 )

      I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.

      • Same here. As much as they don't want to "Do no evil", they're also pretty fond of their advertising revenue, which this malware is cutting them from. Somehow, I believe Googl-iath wins this one and David goes home with a sore head.

      • by macshit ( 157376 )

        I'm sure this will start an arms race with the malware writers, but I still wouldn't bet against Google.

        Indeed. Spam filtering of course started a similar arms race, but gmail spam filtering has become so good that spam long ago ceased to be an issue for me -- it's been months since I've seen a false negative or false positive (yes I do still check the spam folder sometimes, out of lingering habit), and my email address is all over the place.

        Malware is probably a stickier issue of course, but as you say, it's always risky to bet against Google...

    • by jamesh ( 87723 )

      The malware works by redirecting search queries through a proxy. It should be easy for the proxy to just remove the warning or reroute it so Google can't identify the malware.

      It's just another leap in the perpetual game of leapfrog...

      I do like the idea though.

    • Well it's not that easy, there is usually a virus/trojan that changes you back the proxy service once you disable it. So, you'll have to run some good antimalware scans.

      You also want to check your lmhost file, too, and do a full DNS flush on the infected PC.

      • Which is completely irrelevant to the guys running the malware itself updating their proxy to filter the warning message out.

    • Simply don't return any valid URLs in the results if Google detects a poison proxy.

      Even better, have all the URLs be [] or even better [] or to be slightly evil^H^H^H^H self-serving [] .

  • Nothing seemed to detect it or get rid of it, so she ended up reinstalling the whole OS. It doesn't sound like a particularly new idea, redirecting search, but the proxy aspect might be I suppose.

    • I haven't run into an infection yet that can't be gotten rid of with the Sysinternals suite. Usually takes me less than a half hour of work.
      • by Nursie ( 632944 )

        While that's useful information to me, that wouldn't have helped her, as she's not a geek and was receiving remote advice from people via facebook...

    • I've run into this type of malware/scareware with clients and friends, and I've had a lot of success with the program "Unhackme" by Greatis Software link []. It's been pretty effective on malware and root kits and is reasonably priced, not to mention quick. It also works to prevent further infections by protecting the boot sector area.

      Full disclosure - while I am a fan and recommend the program to others, I have no connection with the company or devs. Just trying to help.
    • 1. Boot to safe mode
      2. Purge all autoruns.
      3. Reboot to normal mode.

      Cleaning a windows PC without malware tools is usually really easy, except in the case of rootkits. This approach has the side effect of removing crap-ware installed by manufacturers.

      • That works on 80% of non-rootkit assisted virus, you still have to factor in the 20% that can, A. Launch in safe mode, B. attach itself to other programs you are inevitably going to open, rather then entirely relying on startup, and that isn't even factoring in the very much increased rate of rootkit based infections as of late.
        • True, for the rest you simply boot to Windows PE from a USB Key or DVD and mount the host machine's registry and remove the offending entries (typically in services or the typical "run" keys. You can also delete the executables from the file system. Obviously the more experience you have doing this the easier it is to identify what to remove. If the machine is running BitLocker you will need the recovery key to use this method, but as long as you have the key it works fine.
          • by Qzukk ( 229616 )

            Seems like I'm running across more and more stuff that hides in the Task Scheduler's "At log on" tasklist. Not many people seem to think to look there, and it doesn't appear to show up in a registry search (unless its one of those {21232f5a1-0b51-521... keys, instead of "task scheduler").

      • Some of my family manage to get infections regularly. I've stopped doing even this three step process as I'm tired of trying to educate them to be careful. First I'll try the built in "system restore" feature and if that doesn't work (either because the restore points don't go back far enough, or we'd need to go too far back to be useful anyway, because the malware has managed to infect the restore point data too, or because it is rootkit aided (or similar) and gets around system restore that way) it is a b
    • by Anonymous Coward

      The malware adds entries into your HOSTS file.
      You'll have to take ownership of the file.
      (properties / security / advanced / owner)
      Then edit it in notepad to remove the offending redirects.

      The hosts file works like a static DNS look up table.
      [hostname] [ip]

    • My husband's computer had a virus along these lines a year or two ago, hijacking Google results, and that thing was tough to get rid of. Not a single malware scanner found it. I simply noticed because he complained his computer wasn't working right, and the usual scanner wasn't fixing it for him. Neither was any other scanner I tried, and I tried a bunch. Not one so much as detected it, but the changed search results showed that something was going on. I had to do a reinstall on his computer too.

      Found it h
      • Found it his computer probably got infected because he kept going back to a site his scanner warned him was infected, and he'd ignored the warning. *headdesk*

        Hey, if it wasn't for people like that half of us wouldn't have jobs! ;)

        (I'm a strong advocate for user education and attempt to do so every time I fix someone's system but I also have no qualms about taking their money when they ignore my advice time and time again)

        • Too true. Especially if you don't learn after an infection or so, paying someone to fix it is just what you deserve. Malware's out there. Be ready to deal with it.
  • Awesome! (Score:5, Insightful)

    by abigsmurf ( 919188 ) on Wednesday July 20, 2011 @09:07AM (#36822288)
    I bet Malware authors are already copying these messages in order to trick people into installing scareware.
  • Same as before. (Score:5, Informative)

    by poofmeisterp ( 650750 ) on Wednesday July 20, 2011 @09:16AM (#36822382) Journal

    Flashback, man.

    This is almost 100% the same as the last piece of malware I was asked to remove from three peoples' machines over the course of a couple of months.

    It was such a pain in the butt because I spent an hour manually cleaning the registry while using a live CD, looking for the newest modified-time files on the machine, looking for installed "Oh-I'm-so-cool" applications, browser extensions, system libs, etc etc etc.....

    In the end, I find out that it was cleaned off after my first registry run key deletion session, but the damn proxy was set in both Mozilla and IE to a remote IP. Now, Proxy is one of the first things I check with there's ad-based or redirectional malware reported.

    What's next?

    • by Anonymous Coward

      I've cleaned the same proxy off machines myself.

      Then one of those machines got hit again, I figured it was the same thing - but all my fixes were still setup. Turned out it was a bogus firefox extension with a real-looking name that was doing all the redirection.

      Somewhere in there there is a human proxy/redirect joke ...

    • The proxy setting will show up - and can be removed with 2 clicks - in a HijackThis [] report. While Trend Micro bought it and supposedly has changed something (not sure what...) HJT remains a useful tool for anyone combating malware and ransomware.

      The Firefox extension AC replied about will show up in a log from ComboFix [] though CFX won't remove the proxy by itself at this point -- perusing a ComboFix log features loads of information about a system and its infections.

    • Manually? UMAD?!?! HiJackThis is woefully out of date, don't bother with it. Use one of these: 1. [] 2. ComboFix - You'll have to enroll in a school to get the in-depth guide 3. AVZ - Includes a really powerful scripting ability. Each of the
  • by Matt.Battey ( 1741550 ) on Wednesday July 20, 2011 @10:07AM (#36822962)

    I picked up that strain on my desktop PC Friday night. Weirdest thing. It started out by popping up a window (that I thought was Windows Defender) indicating I had a trojan. Might have even have been from Defender, it would close right away... Anyway, I started with safe-mode boot, Ad-Aware and Spybot, no dice. I ended up installing Norton Network Security, and it couldn't find it. I had to run Norton Power Eraser. Crazy. A commercial virus scanner that can't find viruses.

    It installs itself in the MBR as a root kit, the proxy may even be local on the pc, downloaded on start-up.

  • When I click on a Google search result I usually don't get there anymore, and my antivirus software (malware bytes) reports that it blocked an outgoing request to a website and gives the IP address. Sometimes I'm redirected without malwarebytes blocking the request and end up in another search engine. Once it was Bing!
    Malwarebytes can't seem to remove WTF is going on. Oh and I don't get a Google popup either.

  • A link to a tool or instructions on how to remove the darn thing! I have been hit by some form of google re-direct twice and the last time I just gave up an re-formatted the hard-drive (it was due for a clean Windowz install anyway).

To do two things at once is to do neither. -- Publilius Syrus