How to fix Google Redirect Virus (browser hijacker) problem
Google redirect virus is a browser hijacker targeting google and other search engine search results and redirecting user to infected pages. These pages can be porn–related or full of advertising banners that make creators of this parasite money. Also, these pages might force you to pay something or give away your bank account details. Thus Google redirect virus is quite dangerous.
There are couple different streaks of Google Redirect viruses, and some of them might need heavy scanning with reputable Anti-malware solution like NOD32 Antivirus, Kaspersky, Malwarebytes. Sometimes Google results Redirect virus even blocks reputable sites and it is tough to download automatic software. However, there are couple easy steps to solve less complex problems.
Note, that before trying to fix other things, you are suggested to scan and check if anti-malware programs can identify more precise reason of Google redirect hijacker. We recommend spyhunter, Hitman Pro for this task. You should always scan after performing all these steps as well, as doing anti-rootkit scan might reveal trojans that were hidden due to other infections. In some cases, rootkits will be detected and removed by anti-malware programs.
Basically, there two types of Google redirect viruses:
a) Hijacking search engine settings aka choosing which search engine to use. Your default search engine is named not google, yahoo, or bing, but something else. The first suspect is a plugin – based hijacker, though other cases are possible.
b) Hijacking results of the search engine when you click on them. Your default search engine is the same, but you get different results when clicking on them. The main suspect would be malware infection ( Step 6), but malicious proxy, dns settings, infected router and even hosts file are possible.
Steps 1-6 deals with regular hijacking of search results that are due to malicious settings or plugins. Steps 7 and above deal with malware infections that result in Google redirect virus symptoms and are more difficult to detect and fix. However, If any of antivirus programs are stopped from execution this means malware infection and you will have to scan your PC with anti-virus and anti-malware programs.
Step 1. Check your hosts file for malicious entries.
Hosts file resides on C:/Windows/System32/Drivers/etc/hosts
Where Windows is your windows installation directory. Open the file with Notepad.
Note: On windows 7/vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so, On Win 7/vista do following:
- Press Start (or round button usually in bottom left corner and enter notepad. Do not press enter
- Right-click on the item in the list above
- Choose Run as administrator
- File->Open and browse to hosts file.
On Windows 8, enter notepad in search box or type right in the metro interface. Perform steps 2-4 like in Win 7.
Google Redirect virus symptoms might be result of malware adding malicious entries to this file and are removed easily as well.
Hosts file should look like this:
There might be line referencing ::1 as well. This is IPv6 local address and perfectly normal. If you see more lines of code and IPs, you should delete these, especially if they rewrite google or Microsoft subdomains. This is a sign, that you either had or have infection on your PC, as this file can not be accessed remotely usually.
Step 2. Check DNS (Domain Name Server) settings
Domain name servers are used to determine what server to access when opening website addresses. Hijacking these settings would allow hijacking various websites including search ones.
1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
3. A window will open, then select Internet Protocol (TCP/IP) and click Properties.
4. You will see a window like the one below – this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically”.
5. Click OK to save changes.
Step 3. Checking your proxy settings on Internet Explorer
Proxy server settings can be used to implement Google search result hijacking as well. This is simple to fix too:
1. Launch your internet explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings
3. Unselect everything or enter parameters that were given by system administrator.
4. Press OK.
Step 4. (Optional) Check your proxy settings on Mozilla Firefox
1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open Network tab. Then, press Settings button.
3. Select “No proxy” or enter parameters that were given by system administrator.
4. Press OK.
Step 5. Check your browser addons and reset your search settings in browsers
If your search engine changed to unknown one, you might have browser settings changer plugin or program. Typically, these programs will be detected in Step 6, but you will have to fix settings manually.
5.a. Check your IE add-ons and reset search settings
If your browser is hijacked in IE only, check IE browser add-ons. Note: there are malicious plugins that affect both IE and firefox and result in Google redirects in both of the pages. Before this step, make sure you clean your Control Panel from unknown, spammy looking programs.
- Launch your internet explorer.
- Tools->Manage Addons
- Disable all unverified addons (there might be some useful ones, but better re-install them later).
- Delete all add-ons that look spammy/unknown
- Click arrow on the right of search box
- Do following: On IE8-9 choose Manage Search providers, On ie7 click change search defaults
- Remove the unnecessary search engines from the list
- If settings revert after restart, you will have to do Step 6 and repeat step 5 again.
5.b. Check your Firefox extensions and reset search settings
- Press Firefox->Addons
- Go through list and disable all unknown or spamy addons.
- Repeat the same for Plugin list.
- Enter “about:config” in url bar. This will open settings page
- Type “Keyword.url” in the search box. Right click it & reset it.
- Type “browser.search.defaultengine” in the search box. Right click it & reset it.
- Type “browser.search.selectedengine” in the search box. Right click it & reset it.
- Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
- If the settings revert after browser restart, you will need to delete user.js from Firefox profile or/and perform Step 6 and repeat Step 5.
5.c. Check your Chrome extensions and reset search settings
- Click 3 horizontal lines icon on browser toolbar
- Click on Extensions. Review extensions there and disable ones you do not need.
- Select Settings
- Select Basics ->Manage Search engines
- Remove unnecessary search engines from list
- Go back to settings. On Startup choose open blank page ( you can remove undesired pages from the set pages link too).
Step 7. (Optional) Repair Winsock 2 settings with LSPFix
Step 8. If you are still have search engine redirection, it might be tdss or similar rootkit
Although step 6 should detect majority of google redirects of that kind, sometimes it is useful to use a more niche tool. TDSS and Zero Access rootkits both cause redirection symptoms in some cases.
For this specific rootkit a remover can be downloaded from here : support.kaspersky.com/downloads/utils/tdsskiller.exe. Together with TDSS, it might be a sign of rivaling, ZeroAccess infection. Both these rootkits require dedicated programs for removal, and might require alternate OS scanners in worst case.
Step 9. It might be Cycbot infection
Cycbot is one of the trojans that result in browser redirects.
Typically, many of antiviruses and anti-malware programs like Reimage, spyhunter detect Cycbot infection successfully. However, you might want to use our manual removal guide for Cycbot to identify and stop infection.