The Google Re-Direct Virus

Identify and Remove It

Tom Sanders
A little while back, the Brothersoft site wouldn't let me download any programs until I downloaded and installed its toolbar.

What the heck, I figured; I could always go into Add/Remove Programs and remove it. I have enough toolbars, and they work fine. Anyone who creates toolbars is re-inventing the wheel.

Remove it I did, at my first opportunity.

That same night, something happened to Google. Instead of going to the search result I clicked on, I ended up on any one of several search sites: Scour, ABCSearch, Infoseek, Bizzclick, Infomash, Gimmeanswers, ShopCompareUs.

The misdirection, I learned, was the work of a rootkit. Since I depend on Google as a research resource, it had to go.

Wikipedia defines a rootkit as "software that enables continued privileged access to a computer while actively hiding its presence from administrators by subverting standard operating system functionality or other applications." In other words, it is malware that compromises certain browser functions while hiding from removal programs, and I had it.

Rootkits take over a computer by changing how its Domain Name Service (DNS) process works. DNS converts the host names in Uniform Resource Locators (URLs) into Internet Protocol (IP) addresses. When you ask your computer to find www.nameofwebsite.com, for example, DNS converts that name into the series of numbers separated by periods that identifies the site's server and exact location on the Internet.

A rootkit may tell your computer to go to Scour's IP address, and not the one that leads to the resource you clicked on in Google's search results.
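One local place where a name-to-address mapping can be overridden is the hosts file. As an added example (not from the original article, which does not say where this infection made its change), this Python check scans hosts-file text for search-engine names pinned to a non-loopback address; the watch list and the sample entries are constructed.

```python
import ipaddress

# Assumed watch list: search sites a redirect infection would want to override.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com")

# Constructed sample hosts file; the addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com google.com   # constructed suspicious entry
0.0.0.0         ads.example.net
198.51.100.7    search.yahoo.com
not-an-ip       www.bing.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every well-formed mapping."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address: skip the line
        for name in fields[1:]:                 # one address may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def suspicious_overrides(text):
    """Return (line_no, hostname, ip) for watched names sent to a real address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        # Loopback or 0.0.0.0 merely blocks a name; any other address redirects it.
        if is_watched(name) and not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, name, str(ip)))
    return findings

if __name__ == "__main__":
    for line_no, name, ip in suspicious_overrides(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

On Windows the file to feed it is normally `%SystemRoot%\System32\drivers\etc\hosts`; a clean result only rules out this one override point, not changed DNS server settings or a browser add-on.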

Scour became my most frequently displayed rogue search engine.

Created in the late 90s by five UCLA computer science students, Scour started life as a search engine that also offered peer-to-peer file sharing. I remember them from the boom period of P2P, from roughly 1999-2003. They were a bottom-tier site, never having as many files as Napster or even IMesh. When file-sharing became too risky (illegal), Scour evolved into an interactive search engine.

Its web site states:

Scour's purpose is to bridge the gap between searchers and relevant results.

No; it's to take over computers and direct their users to Scour's limited, sponsored, search results instead of the unlimited, unsponsored results on Google. (Modifying the operation of someone's computer from a remote location ... if I did that, I could be busted for hacking.) Type "Scour" into Google, and one-third of the search suggestions that appear under the main window are terms related to browser hijacks and malware removal.

Continues the geekspeak:

By providing a platform for the user to vote and comment on relevancy, searchers connect with one another creating a true social search community, attained through innovative solutions to meet the needs of today's web searchers.

Users could vote for ("buzz up") their favorite search results, and collect rewards; two-fifths of a cent per click IF they were among Scour's favored demographics. I did the math: by the time I became eligible for a payout, I'd be ninety-six years old. They don't do this anymore anyway. Scour, as Wikipedia and computer tech forums note, is now a virus (rootkit) re-direct site. And, once you're on it, you can't return to Google by using your browser's Back buttons. You're trapped. All you can do is re-type Google's URL in the Search field, or re-launch and start over.

I typed "Abner Haynes" (Kansas City Chiefs' running back during their AFL years) into Google, and clicked on one of the 28,600 results. I landed, not on the desired web site, but on Scour which offered 24 results. Some of them may have been more relevant than the first 24 Google offered. Relevancy, or the lack of it, isn't the issue. I clicked on something and ended up someplace where I didn't want to be.

The issue is also users who don't know even the little I've learned about malware either becoming lost or thinking that Scour's surprise appearance on their screens is normal. I'm not a techie, but know how malware works and really wonder sometimes how newcomers to the Internet whose kids gave them laptops for Christmas so they could explore Google are dealing with all the misdirection.

ShopCompareUs.com is a search engine whose results are exclusively companies trying to sell products. On its web site is this "Important message to (its) users:"

Have you been redirected to this site by a virus or through other unintended means? This virus does not originate from shopcompareus.com.

I see this and think of the kid with crumbs on his face standing near the fragments of the shattered cookie jar. (It wasn't me!) No, it isn't us, we aren't the ones doing it; the companies whose URLs appear in our search results pay us per click they get from our links, but we're not the ones paying geeks to write and distribute rootkits that take over your computer and make you think we belong there.

Infomash is another rogue search engine whose mission statement explains how much worse off the world would be if it didn't exist:

We are a group of experienced web developers, researchers and writers looking to provide users with the best free unbiased information available on the web.

Actually, Infomash - like all pay-per-click search engines - is looking to provide users with only the information they get paid, per click, to provide. But they've got the Internet figured out:

The problem today is that the web is awash with useless information leaving users confused as to where and how to get the right information.

Right they are. Even Google is loaded with misinformation. Well-meaning stuff, but no good nonetheless. Infomash has things under control, though:

Here at Infomash we have done the leg work for you, strategically organizing the content for a better web experience.

No; they've strategically organized the content in a way that earns them the most cash. They must know that people are on to them, because then comes this, written in the clanky style of someone whose native language isn't English:

Recently we have been contacted by some users relating to malware installed on their PC. The users tried to perform a google search and were redirected to Infomash. Under no circumstances do Infomash condone or use malware, adware or any other browser hijacking techniques.

Give me a break. Another search engine pointing out to visitors that they landed on its home page by mistake. In the sellout culture that rules Internet commerce, traffic is traffic.

Another of my new search engine friends - I forget which, and it doesn't really matter - was based in Dubai. Michael Jackson's hideaway, where web developers live eight to a room, home of the world's tallest, half-empty, skyscraper.

None of the well-known malware removers worked, the objective of a rootkit being to hide from programs out to destroy it. Goored.exe (GOOgle REDirect), recommended by a fellow Yahoo Contributor, is the only program I tried that got rid of Scour and its companions. Google search the full file name, or "Goored download." That might require several tries if your Google functionality has been compromised. It's a quick download, and finds the rootkit just as fast. It found and removed four troublemaking files from my Mozilla folder in less than fifteen seconds. Back to normal. I can work again. And search for pics, hi.

The program I downloaded from Brothersoft wouldn't unzip. The only item I downloaded and installed was the toolbar, which isn't cited as a source of malware as are some of the programs Brothersoft hosts. The Google redirection, however, wasn't present before the visit and appeared immediately after. More significantly, it's gone. From my computer. Still out there, though, to trap the unsuspecting. Right now, seasoned web developers in Dubai are writing new redirect rootkits immune to the newest malware removal programs created specifically to find them.

Fortunately for them - as for the UCLA Five who turned Scour into a slithering, spreading evil - they don't live in China. In the country that holds more United States debt than any other, where people still eat cats and dogs, creators and distributors of malware are subject to the death penalty.

  • The Google re-direct virus is easy to acquire.
  • It effectively disables Google's searching capability.
  • The right tool will quickly remove it.
"Scour" is also the name of a program that removes "cruft" (unnecessary or duplicated code) from SVG (Scalable Vector Graphics) image files.

1 Comment

  • Drew Hoffman, 3/9/2011

    This bug can also be acquired via the Xilisoft YouTube download utility, which comes with a hidden Firefox add-on that installs the virus.
