How to fix Google Redirect Virus (browser hijacker) problem

 

Google redirect virus is a browser hijacker targeting google and other search engine search results and redirecting user to infected pages. These pages can be porn–related or full of advertising banners that make creators of this parasite money. Also, these pages  might force you to pay something or give away your bank account details. Thus Google redirect virus is quite dangerous.

There are couple different streaks of Google Redirect viruses, and some of them might need heavy scanning with reputable Anti-malware solution like NOD32 Antivirus, Kaspersky, Malwarebytes. Sometimes Google results Redirect virus even blocks reputable sites and it is tough to download automatic software. However, there are couple easy steps to solve less complex problems.

Note, that before trying to fix other things, you are suggested to scan and check if anti-malware programs can identify more precise reason of Google redirect hijacker. We recommend spyhunter, Hitman Pro for this task. You should always scan after performing all these steps as well, as doing anti-rootkit scan might reveal trojans that were hidden due to other infections. In some cases, rootkits will be detected and removed by anti-malware programs.

Basically, there two types of Google redirect viruses:

a) Hijacking search engine settings aka choosing which search engine to use. Your default search engine is named not google, yahoo, or bing, but something else. The first suspect is a plugin – based hijacker, though other cases are possible.

b) Hijacking results of the search engine when you click on them. Your default search engine is the same, but you get different results when clicking on them. The main suspect would be malware infection ( Step 6), but malicious proxy, dns settings, infected router and even hosts file are possible.

Steps 1-6 deals with regular hijacking of search results that are due to malicious settings or plugins. Steps 7 and above deal with malware infections that result in Google redirect virus symptoms and are more difficult to detect and fix. However, If any of antivirus programs are stopped from execution this means malware infection and you will have to scan your PC with anti-virus and anti-malware programs.

Step 1. Check your hosts file for malicious entries.
Hosts file resides on C:\Windows\System32\Drivers\etc\hosts
Windows hosts file location
Where Windows is your windows installation directory. Open the file with Notepad.

Note: On windows 7/vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so, On Win 7/vista do following:

  1. Press Start (or round button usually in bottom left corner and enter notepad. Do not press enter
  2. Right-click on the item in the list above
  3. Choose Run as administrator
  4. File->Open and browse to hosts file.

 

On Windows 8, enter notepad in search box or type right in the metro interface. Perform steps 2-4 like in Win 7.

Google Redirect virus symptoms might be result of malware adding malicious entries to this file and are removed easily as well.

Hosts file should look like this:
Windows hosts file

There might be line referencing ::1 as well. This is IPv6 local address and perfectly normal.  If you see more lines of code and IPs, you should delete these, especially if they rewrite google or Microsoft subdomains. This is a sign, that you either had or have infection on your PC, as this file can not be accessed remotely usually.

Step 2. Check DNS (Domain Name Server) settings

Domain name servers are used to determine what server to access when opening website addresses. Hijacking these settings would allow hijacking various websites including search ones.

1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
Local Area Connection properties

3. A window will open, then select Internet Protocol (TCP/IP) and click Properties.
Internet Protocol properties

4. You will see a window like the one below – this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically”.
DNS Settings
5. Click OK to save changes.

Step 3. Checking your proxy settings on Internet Explorer
Proxy server settings can be used to implement Google search result hijacking as well. This is simple to fix too:

1. Launch your internet explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings
Internet Explorer local area network settings
3. Unselect everything or enter parameters that were given by system administrator.
4. Press OK.

Step 4. (Optional) Check your proxy settings on Mozilla Firefox
1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open Network tab. Then, press Settings button.
Mozilla Firefox network settings
3. Select “No proxy” or enter parameters that were given by system administrator.
4. Press OK.

Step 5. Check your browser addons and reset your search settings in browsers

If your search engine changed to unknown one, you might have browser settings changer plugin or program. Typically, these programs will be detected in Step 6, but you will have to fix settings manually.

5.a. Check your IE add-ons and reset search settings
If your browser is hijacked in IE only, check IE browser add-ons. Note: there are malicious plugins that affect both IE and firefox and result in Google redirects in both of the pages. Before this step, make sure you clean your Control Panel from unknown, spammy looking programs.

  1.  Launch your internet explorer.
  2. Tools->Manage Addons
  3. Disable all unverified addons (there might be some useful ones, but better re-install them later).
  4. Delete all add-ons that look spammy/unknown
  5. Click arrow on the right of search box
  6. Do following: On IE8-9 choose Manage Search providers,  On ie7 click change search defaults
  7. Remove the unnecessary search engines from the list
  8. If settings revert after restart, you will have to do Step 6 and repeat step 5 again.

5.b. Check your Firefox extensions and reset search settings

  1. Press Firefox->Addons
  2. Go through list and disable all unknown or spamy addons.
  3. Repeat the same for Plugin list.
  4. Enter “about:config” in url bar. This will open settings page
  5. Type “Keyword.url” in the search box. Right click it & reset it.
  6. Type “browser.search.defaultengine” in the search box. Right click it & reset it.
  7. Type “browser.search.selectedengine” in the search box. Right click it & reset it.
  8. Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
  9. If the settings revert after browser restart, you will need to delete user.js from Firefox profile or/and perform Step 6 and repeat Step 5.

5.c. Check your Chrome extensions and reset search settings

  1. Click 3 horizontal lines icon on browser toolbar
  2. Click on Extensions. Review extensions there and disable ones you do not need.
  3. Select Settings
  4. Select Basics ->Manage Search engines
  5. Remove unnecessary search engines from list
  6. Go back to settings. On Startup choose open blank page ( you can remove undesired pages from the set pages link too).

Step 6. Scan for malicious parasites with spyware/antivirus removers:
1. spyhunter
2. NOD32 free trial

Step 7. (Optional) Repair Winsock 2 settings with LSPFix
Download LSPFix

Step 8. If you are still have search engine redirection, it might be tdss or similar rootkit

Although step 6 should detect majority of google redirects of that kind, sometimes it is useful to use a more niche tool. TDSS and Zero Access rootkits both cause redirection symptoms in some cases.
For this specific rootkit a remover can be downloaded from here : support.kaspersky.com/downloads/utils/tdsskiller.exe. Together with TDSS, it might be a sign of rivaling, ZeroAccess infection. Both these rootkits require dedicated programs for removal, and might require alternate OS scanners in worst case.

Step 9. It might be Cycbot infection
Cycbot is one of the trojans that result in browser redirects.
Typically, many of antiviruses and anti-malware programs like spyhunter detect Cycbot infection successfully. However, you might want to use our manual removal guide for Cycbot to identify and stop infection.

 

 
 
 

755 thoughts on “How to fix Google Redirect Virus (browser hijacker) problem

  1. jim jones
     

    I am getting google redirects. Spyware Doctor and MbA-M caught nothing

    I tried to my hosts file, but it would not open in notepad.

    Also, your sample is 1k and mine is 289k. Is that excessive. Also, I have a hosts.20090204-121117.backup file Sounds suspicious.

    thanks for any information.

     
    1. admin
       
       
      Post author

      Typical host list is small! Try replacing it with ours! Or search for google in it and delete all the lines related to that.

       
  2. tooSavvy
     

    Hi

    I changed,(after show hidden files), the to read and closed 7 rebooted, returning to hide files again.
    From very slow & constant redirects >>> now none & supa fast, as usual. Either in SlimBrowser or IE ;<)

     
  3. Mark
     

    @admin
    I can open the file with notepad and see that there are several other lines of crap but how can I change the actual file “hosts” I can save it in etc as a notepad text document but how do I effect the actual file?
    Thanks for your help

     
    1. admin
       
       
      Post author

      hosts file is text one. You should be able to change it with notepad. However, on Vista you need to open it with administrator privileges, or you will not be able to save it .

       
  4. marianne
     

    Thank you so much for this, fixed the problem!

    Cheers!

    MArianne

     
  5. Jaycee
     

    THANK YOU! I’ve been trying for weeks to get rid of that stupid virus. Now my computer is working normally and I can access Safe mode again.

     
  6. johann
     

    my etc file isn’t in the drivers folder. Is it hidden?

     
    1. admin
       
       
      Post author

      It might be. What OS you have, Johann?

       
  7. Jin
     

    @admin
    Can you explain a little more about vista. Because I have Vista and I delete the extra lines and try to save it but it won’t let me. Please help. Thank you.

     
    1. admin
       
       
      Post author

      Jin: search for notepad and right-click on it. There will be a choice to start as administrator. Then open hosts file.

       
  8. Jin
     

    My notepad looks exactly like the one on here (after I edited it) but this keeps happening. I have tried 4 different softwares so far, it hasn’t fixed it. My last option would be to reset my whole computer. Is there anything else I can do before going to my last option?

     
    1. admin
       
       
      Post author

      Jin : do you edited as administrator? You need to RUN notepad as administrator, or it will not save.

       
  9. Chaz
     

    Was getting Facebook logon redirected to Pricegrabber.com…..removed entry below the 127.0.0.1 Local Host entry and all was well again! Well done!

     
  10. David
     

    My Host file is not in the folder. I am running XP pro. Can I repelace it with and Host file ?

     
  11. Abdul Karim
     

    My hosts file in 374kb large… (lots of lines).

    i have the default localhost & 127.0.0.1 entry

    And after that I have these comments.

    # Start of entries inserted by Spybot – Search & Destroy
    ……
    ….& thousands of others….
    # End of entries inserted by Spybot – Search & Destroy

    I think it’s legitimate, and it’s spybot’s “immunize feature”. I ran spybot search and destry last night and the redirects have gone down significantly, however I spotted one redirect today. Which is annoying.

     
    1. admin
       
       
      Post author

      Karim : Yeah you are correct. However, Spybots immunizer is crap : it focuses on adware sites mostly, some of them even legitimate advertising sites (that pays for free sites you are visiting). I can’t say they fight malware distributors successfully, as these use different tricks.
      You should check proxy server that is set in your browser. Maybe there is something fishy ?

       
  12. David
     

    @admin

    I am having the same problem with the redirects – how to you check th e proxy server?

     
  13. Dinesh
     

    Thank you very much. Some virus has overidden the host file in my computer. Deleting that solved the problem.
    Thank you again.

     
  14. Randoph
     

    great stuff thanks!

     
  15. M'Rell
     

    Hey thanks this helped a lot!

     
  16. hannah
     

    Please help me. This virus has taken over my computer and I cannot do anything. I’m not very good with computers and really need some help to get it off. If anyone can help, please get in touch

     
  17. Nobita
     

    holy, my computer is at risk.
    i tried all of this but nothing works.
    i need a little help here admin.

    also this thing is appearing in my screen.
    “application cannot be executed.the file wuauclt.exe is infected”

    now how can i fixed my computer??

     
  18. anja
     

    I cannot open “notepad”. The virus doesn’t let me do that!
    What should I do?

     
    1. admin
       
       
      Post author

      Anja : Start task manager and try creating new process. Type in notepad (you might need to enter full path to notepad application).

       
  19. Seth
     

    I am dumping all my pictures and other stuff into another drive and buying windows 7 will I still have these antispyware soft issues? I also may reimage the XP OS back onto the original hard drive after moving most things to another drive. This antivirusspyware soft thing locks me out of control panel program list and add/remove programs.

     
  20. Anna
     

    The virus doesn’t appear to be too severe, as it only affects my search engines; however, I would like to fix it. Nothing significant was caught when I ran Norton so I tried looking at the host list. The only line after
    # 127.0.0.1 localhost is

    # ::1 localhost
    10.254.254.253 AFS

    Should that be deleted? And how do I open it with “administrator privileges”? I am trying to avoid downloading more anti-spyware and anti-virus programs. Is there anything else I can do?

     
    1. admin
       
       
      Post author

      Anna : these lines look harmless for me. Check your DNS settings and proxy. If it fails, you might resort to scanning with anti-malware/antivirus tools

       
  21. Chris
     

    I have a friend w/a Dell PC (unsure of model). She (or tech support) acciedentally downloaded Live Security Suite, and now we can’t get anything to work right. How do I remove LSS w/o wiping out the system, or her taking it and spending her life savings on getting it fixed or a new computer?

     
  22. rayan
     

    i m currently doing everything also ran spyware doctor but my browser ie8 keeps shutting down within one minute of launch. how do i fix this? of course i have the google search results redirection problem as well. can this be fixed atall?

     
    1. admin
       
       
      Post author

      Rayan : check plugins first, disable everything you do not need. If this does not help, you have trojan process already, and need to get some scanner. Download them on uninfected PC and move using usb flash drive or network share.

       
  23. Chris
     

    I also have an Everex Stepnote Laptop that is very slow no matter what we do, and almost every time it is left alone, the screen saver “freezes,” and nothing works except to shut it down by the power button. Any suggestions?

     
    1. admin
       
       
      Post author

      Chris : its more like it is hardware/driver issue than virus.. But a scan with malwarebytes/spyware doctor would not hurt :)

       
  24. thewhodio
     

    Thanks! finally got this bloody redirect off my computer, I’ve been using bing for almost a year!

    Thanks again!

     
  25. x64-Vista
     

    … My Host File doesn’t have hardly any of the things in the ex:picture… ALL it has are things that the step says i should delete,,, it has google in the file and bing… With i.p’s

     
    1. admin
       
       
      Post author

      x64-Vista:
      Delete these lines mentioning google and bing in hosts file – these are fakes. Typical good hosts file should be empty with some exceptions.

       
  26. x64-Vista
     

    I’ll try that if it works thank you soo much… im not good with computerz

     
  27. x64-Vista
     

    Umm there is no option to run as admin and it wont let me save? Help plz

     
    1. admin
       
       
      Post author

      x64-Vista Search for notepad in program list and righ click on it. Tehere will be an option to run it as administrator. Then open hosts with it.

       
  28. jcd
     

    @admin
    Do you need to reboot after removing the lines from the hosts file?

     
  29. jcd
     

    What worked for me was to disable all of the unverified add-ons in IE. Thanks!

     
  30. Hi
     

    When i try to change the Hosts File it wont let me i even ran Notepad as admin…

     
    1. admin
       
       
      Post author

      Hi: Try launching task manager and stopping strangely named processes first. Maybe your virus is observing hosts file. You might try to modify it in safe mode as well.

       
  31. jay
     

    Hello,
    My problem is the google redirect virus.
    I have xp I found the host file mine is 400kb is that normal? I see a loot of google files is it safe to just delete these and will they come back?

     
  32. jay
     

    After i delete the google stuff do i reboot or what?

     
  33. madge
     

    so ive read through alot of this. my hosts file looks nothing like that and it has only yahoo and google urls and no localhost one so i tried to delete them and put that in but it says unable to find. its not saved as a txt document and it wont let me change it and when i open notepad as admin the hosts file is absent when i go to the same spot. i also tried everything else on here and none of it did anything. p.s. i have vista

     
    1. admin
       
       
      Post author

      Madge : choose Show all files (not only txt) when opening hosts file from administrator notepad. By default, notepad lists only files with .txt extension, but in hosts file case it is none.

       
  34. Laura
     

    I have the “live security suite” rogue malware. Won’t let me do anything. I have tried to run several removal mbam, spybot, etc Everytime I try to run the downloaded file I get the following message “Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.” I am in safe mode with networking and signed on as administrator. I have tried downloading to fly drive and accesing it that way same message, I have also tried changing file name same problem. Went through steps to open notebook and won’t let me do that either any suggestions?????

     
    1. admin
       
       
      Post author

      Laura: This is separate problem. You should kill live security suite processes before executing any of files, and (maybe) fix registry, that does not allow executing programs. To do so, start task manager right after being logged in. The Live security suite will load quite fast afterwards, so you have to hurry. Press CTRL + shift+ esc and wait. Go to processes tab, and look for processes that should not be there (typically, names are random letters). Stop them. Then go to File ->New task and enter full path to antivirus executable on hard disk. This should allow launching antivirus and removing everything. Later you might continue with removing redirects.

       
  35. Jesse
     

    Nothing is working for me. I have been reading posts for the past few hours, and have removed viruses in the past, but this one is givin me a run for my money. I manually deleted the virus files themselves, but still cannot get on the internet. I have done everything listed on this page regarding proxies and whatnot, but still nothing. I have searched for the registry files, but being that I never actually clicked the virus to run a scan, I don’t have any to delete. I am at a complete loss. Computer works fine, just cannot get online in any way.

     
    1. admin
       
       
      Post author

      Jesse: you might need to install antimalware tools using usb drive. There might be a cases where virus inserts itself in other locations, for example in drivers. Though it is very rare. The guide covers majority of common cases of broken internet connections due to infections.

       
  36. Ty
     

    Thank you so much. My host file was the problem. It was completely rewritten and had and IP that was no mines and it keep repeating itself on every search engine. I just delete the whole thing but hosts is still there but nothing is on the notepad. I can use the search engines now but I will restart my computer and see if the host file will return back to normal. But so far the hijack is gone. Thank you so much.

     
  37. jerry
     

    wow soooooo good its working again after so much stress .. tried 4 different malware programs not even norton picked it up .. thank you so much for your step by step procedure without it i would never of figured this one out … i wanna kiss you

     
  38. Alexander Mains
     

    Ok I got this after I got AV Security Suite
    I did all of that and scanned with AVG and IObit Scanners but the problem wont go away on Firefox
    No proxies on either and auto DNS
    WHAT DO I DO!
    And you guys can protect the hosts file by putting it to Read-Only
    Found that out not too long ago

     
    1. admin
       
       
      Post author

      Alexander: Check add-ons in firefox. These might be infected as well. Also, neither IOBIT or AVG are good: Iobit uses ripped off malwarebytes database ( at least partially), and AVG (free) lacks rootkit detection.
      I would recommend scanning with Spyware Doctor, Malwarebytes, Spybot S&D / AVAST or Avira

       
  39. Alexander Mains
     

    OKAY I will try…
    I looked at my Plugins and saw Pando…
    and I’m like “whats that” no info, no homepage, nothin… I disabled that (hopefully that works)
    I did have Spybot before and ill run it again as soon as I get it again…
    I’m also thinking about getting this Spyware Doctor cuz it seems useful

     
  40. Alexander Mains
     

    I did Spybot S&D and it found a ton of things(types were malware(c)and Security(c) and a couple hijackers from files in the registry) but somehow I’m still getting the hijacker in Firefox only(ugh). I really need to get rid of it
    and Yes I ran 1 scan,restarted and scanned again + my dad scanned on his account
    I’m going to try to scan and look over EVERYTHING
    Any suggestions…
    Links the thing is taking me to:(ADS SPREAD LIKE AIDS!)
    [We do not allow links to malicious sites to prevent infection of other readers]

     
    1. admin
       
       
      Post author

      Alexander: Save your firefox bookmarks. Close it. Go to firefox data folder C:\Documents & Settings\[Username]\Application Data\…. On vista/xp (on windows 7 use C:\users\… instead) and delete everything. Then reboot, start firefox anew.
      If this solves problem, this is the quickest fix.

       
  41. Alexander Mains
     

    Gah!!! I did all of that and I still have it!!! (and I have XP SP3 by the way)

     
    1. admin
       
       
      Post author

      Then you will have to scan with something else than Spybot. I would suggest Spyware Doctor, malwarebytes anti-malware, superantispyware. If only firefox is affected, and problem persists after deleting userdata, no problems in settings, then you have firefox-specific hijacker.

       
  42. Alexander Mains
     

    I got spyware doctor and it is scanning right now
    Thank you for the help so far
    threats so far
    Tracking cookies-7
    Spywere Known bad sites-1
    Adware.Advertizing-1
    Adware.searchit toolbar-9 (oh gosh lost my place Its done)
    Trojan-Downloader.small.CML-6 (sounds like it)
    Hijacker.dospop_toolbar-30
    yeah thank you again for your help
    ill see if it still happens

     
    1. admin
       
       
      Post author

      Alexander: I would guess it is Hijacker.dospop_toolbar-30 . Trojan.Downloader would be the one responsible of installing it ;)

       
  43. Alexander Mains
     

    … I lost all of that because my computer froze…
    I cant pay for it so I guess I just have to do another scan and remove manually…
    I didn’t know you had to pay for it… oh well atleast it got the location of it

     
    1. admin
       
       
      Post author

      Well, Spyware Doctor has about 4x bigger database of traces than spybot as far as I have checked, so I know it can find more. I am not so sure Spybot S&D is updated enough to make it good solution for windows XP or latter users.

       
  44. Alexander Mains
     

    Thanks for the help I got it off but I think there’s still more…
    I still get it but I don’t care not as many now AND! it just goes to google instead of the ads
    YEY!

     
    1. admin
       
       
      Post author

      No problem, Alexander.

       
  45. Don C
     

    Just got done resolving a redirection — and worse – problem which was caused by a problem with our router.

    The virus/Trojan had changed router setting to direct DNS searches to their web address. They returned bogus address.

    Look into your router settings to make sure you’re settings have not been messed with. We ended up Restting the router to factory settings and reinstalled the router.

     
  46. Mark
     

    I have windows 7 and just got the virus/trojan myself. However, I cannot open ANYTHING. Not even task manager. I can open programs in safe mode, but how do I remove it from there?

     
    1. admin
       
       
      Post author

      Mark : First you will have to remove viruses. Disable the proxy server, download Spyware Doctor or malwarebytes, do a scan, remove stuff it finds. Do it in safe mode. Then reboot, and try to finalize checking the connection.

       
  47. James
     

    The issue with facebook redirecting to say pricegrabber isn’t always a virus or malware.

    Linksys routers are sometimes the culprit…a fix that may help for some people (specifically using linksys wrt160n or any other linksys router).

    Network Connections > Right click your connection > Properties > Select TCP/IP > Properties > Set your DNS manually (see below for what DNS servers).

    To determine the DNS servers to input here: Get to CMD Prompt > IPCONFIG /ALL > You will see 2 IP’s under the DNS Servers section > Enter those 2 numbers in the TCP/IP DNS configuration.

    I use OPENDNS, which is configured on the router and now manually set in the tcp/ip, and have never once seen this facebook redirect occur again.

     
    1. admin
       
       
      Post author

      James: Completely true. People should change their router default password in all cases.

       
  48. anthony
     

    i have the google redirect problem (xp),have tried all the the advice,but still have the problem,in the host file its only has 127.0.0.1 local file, nothing else,could this be the problem?

     
    1. admin
       
       
      Post author

      anthony: your hosts file is clean. Check add-ons and proxies. Also you might want to try specifying different DNS servers in your internet settings, set them to google ones (8.8.8.8 and 8.8.4.4 ). Sometimes the router is corrupted instead of PC and this might help both in cases of malicious DNS or malicious router settings.

       
  49. Bhakti
     

    Hello.. Emmm I dont know when “Security Master AV” was downloaded in my PC.. After that at regular intervals i get pop up windows asking for healing the viruses and buying the software.. I want to delete the above program/software.. Its really annoying.. Can u pls help!
    Regards
    Bhakti

     
  50. JABAD
     

    Mine is only redirecting Google chrome, not IE. Will the same steps above work? Is there something else I should look at?

     
    1. admin
       
       
      Post author

      JABAD: You need to reset connection settings in chrome. This is done going to Tools->Options->UnderTheHood -> Network->Change proxy settings.
      Also you might need to disable chrome addons that are malicious.

       
  51. JABAD
     

    Reset to defaut? There is no proxy enabled, so that is OK.
    I checked add-ons and see nothing that looks too bad. I disabled three that looked unfamiliar and nothing changed. Should I disable all add-ons?

     
    1. admin
       
       
      Post author

      JABAD: This might be rootkit. do a scan with http://support.kaspersky.com/downloads/utils/tdsskiller.exe
      Also make sure your proxy settings do not use system defaults. it should be set to No proxy. There are 4 settings in chrome.

       
  52. Ramesh
     

    Google web redirection is due to virus infection. Especially Rootkit infections.
    Try to run TDSSKILLER from KASPERSKY LABS.

    http://support.kaspersky.com/downloads/utils/tdsskiller.exe

    For more information,
    Visit the site

    http://support.kaspersky.com/viruses/solutions?qid=208280684

     
  53. ecosseman
     

    Download “Dr Web” (free). ‘Quick Scan’ identifies System32 HOST file. Restore original …bingo!

     
    1. admin
       
       
      Post author

      Ecosseman : System Hosts file is only one of causes for this problem.

       
  54. leo
     

    ok when i open up my Hosts file i have right uder 127.0.0.1 Local Host a ::1 localhost do i have to delet that host or what and i have windows vista how do i get to my local network

     
    1. admin
       
       
      Post author

      Leo : No, it looks clean (an IPv6 address for localhost).

       
  55. Alexander Mains
     

    Hello again all :D
    I am back for help
    …Still have the virus redirect
    Has any way changed to get rid of except the Rootkit thing (which I am doing now)?

     
    1. admin
       
       
      Post author

      Alexander: Check your router settings as well, and try to enter DNS settings in your internet connection manually. SET them to 8.8.8.8 and 8.8.4.4. Sometimes routers are infected instead of PC.

       
  56. Alexander Mains
     

    okay I did rookit and no more google but I did get pop-ups and I cant access some sites

     
  57. Alexander Mains
     

    and erm how do I check my router settings (XP, service pack 3)???

     
    1. admin
       
       
      Post author

      Alexander: Update and do a scan with same tools again (Spyware Doctor, malwarebytes, etc). Rootkit might have hidden/downloaded other processes. I would say this time it is not router.
      For checking router, do a following: See what ip your PC got, and which gateway it uses. Then enter that gateway address in your browser.

       
  58. Alexander Mains
     

    I did rootkit and Spyware Doc and rootkit got 8 or 9 things out of it
    How can I check the IP and Gateway? :/

     
    1. admin
       
       
      Post author

      Look at the image in the step in 2.2 of this guide. There is a menu. Choose Status instead of properties. There you will see gateway server. usually the IP for it is 192.168.1.1 or something like that. If you are connected to the internet directly (no router), then this does not apply to you, and you have to look for virus in your PC.

       
  59. Rocki
     

    I got my laptop as secure as I can. Runs Win7, has kaspersky 2010 Internet security suite as well as malwarebytes. My browser redirect (facebook -> pricegrabber) problem was down to what James said. No viruses or spyware were reported, even checked hosts file. I did have ::1 Localhost which is also a valid entry.

    Have to thank James for his tip on DNS settings as that has done the trick. And the router I am using? WRT160N. Arrrgh!

    Admin: I think you should change your original post and point to what James has said if one does not find any of your suggested issues.

     
    1. admin
       
       
      Post author

      Rocki : We are working on it. We are planing on adding a guides how to restore infected routers back to original settings (as one could do some nasty things even when DNS settings are fixed in the PC). I would recommend restoring router firmware and changing password on the router.

       
  60. fran
     

    I have in my hosts/etc file:

    127.0.0.1 localhost
    ::1 localhost

    Should I delete the :: localhost?

     
    1. admin
       
       
      Post author

      Fran : No, it is IPv6 address of local host. Perfectly normal. Your problem is somewhere else. At this data (August 2010) , proxy server and tdss rootkit are dominating causes of redirects, followed by infected routers.

       
  61. Luigi12345851
     

    It happens to me no matter what search engine I use and the only add-ons installed in IE are 3 Java ones.

     
  62. Alexander Mains
     

    No redirects! :-)
    Thanks a ton

     
  63. Trenton
     

    Please help I did everything listed and it’s still redirecting me with every search engine and both firefox and IE. :(

     
    1. admin
       
       
      Post author

      Have you done full system scan with Spyware Doctor? Have you checked your router? Have you runned TDSS cleaner?

       
  64. Lucas
     

    Hi, my friend has a Dell laptop, running Vista. The virus is Security Suite and seems to have infected lots!
    Please could you explain the above (in a more dumbed down version) she can’t afford to send her laptop to be repaired.
    I was thinking of downloading the spyware to my hardrive and then installing it on her pc, but won’t the virus spread to my hardrive?
    Thanks for your help!

     
    1. admin
       
       
      Post author

      Lucas: we have a removal guide for security suite here : http://www.2-viruses.com/remove-security-suite

       
  65. Jim
     

    Thanks for the great article.I had the hijack virus.Not only that it was blocking my spybot S&D andother malware programs from even running.I went tru all the steps but have to say #8 was the one that found & fixed the problems..
    Thanks again..

     
  66. Freeforce
     

    Has anyone had to deal with this with Chrome yet?

     
    1. admin
       
       
      Post author

      Freeforce : it is quite straightforward. In most cases problem is not chrome specific, but you can check Customize and control->Options->Under the hood -> Change Proxy settings ( It uses IE settings)
      Also, you can check Customize and Control -> Tools->extensions and disable all unknown extensions.
      Everything else is NOT chrome specific, thus the guide should apply.

       
  67. Edintrouble
     

    I have downloaded AntiSpy Safeguard on my computer; I want to remove it but I have no clue. Can you please help me

     
  68. Edgar Manukyan
     

    I tried almost any available malware, spyware, rootcleaner, etc. software, but the only thing that helped me with this annoying Google search results redirects was editing the host file. One should enable file extensions from folder options, then copy the host file content (the desired clean content) into notepad, save it with “hosts.txt” file name, then delete the old hosts file with let’s say Unlocker and finally delete .txt extension from your created file and voilà you have new nice and clean hosts. Hopefully this will work for you.

     
  69. Edintrouble
     

    Please help me about that

     
    1. admin
       
       
      Post author

      Edintrouble: read our specific guide for AntiSpy Safeguard

       
  70. syn
     

    do i have to connect to internet when checking on the host file?

     
    1. admin
       
       
      Post author

      Syn: You can edit hosts file offline.

       
  71. syn
     

    the host file ending with

    ::1 local host

    it is alright then? if nothing wron with the host, how can i removed the antispy safeguard? im not good in safe mood.
    i did install tdsskiller.exe, but the scan doesnt detect anything. the spyware doctor detected some malicious file but i can removed those files unless i buy the full version. is there another way?

     
    1. admin
       
       
      Post author

      syn:
      ::1 : ok, it is for IPv6.
      You can delete these files by expanding the detection results, checking the file location. Then delete file. Just make sure to fix registry as well, as in some cases malicious files are referenced instead important system processes. It would be best first to start msconfig and disable the malicious files from starting up, then deleting them.

       
  72. need
     

    ok I did steps 1 and 2 but i cant do three! help!

     
    1. admin
       
       
      Post author

      What stops you from disabling proxy server? If it reappers, then skill to steps to download removal software, as that is sure sign of malicious processes on PC.

       
  73. JC
     

    I worked on three computers that had this same problem:
    Windows 7:
    I logged in as another (administrator user and ran MS Security Essentials, then logged back into the infected side and turned off the Proxy server setting:
    Internet Explorer -> Tools -> Internet Options -> Connections tab
    LAN settings button: clear all the check-boxes. (Do this even if you do not have another user login). The proxy server was checked only in one out of 3 machines I helped with.
    Find the AppData folder of this user (with infection) and delete two *.bat files and the *.exe file in the AppData folder.
    Windows Server 2003 (similar to Windows XP):
    Find the Application Data folder for the user (under Documents and Settings and delete any *.exe files there and the *.bat files.
    NOTE: You might find EXE files in the AppData or Application Data folders that belong to Google, Adobe etc. If you see any UNINSTALL programs there run them and then take out all remaining files. (I don’t think these are essential programs.

    Find the TEMP folder of the User’s folder and delete all the files there. The EXE file that generates new names is there. It is called by the BAT files o do this. The one I found is ‘e.exe’.

    Good Luck and let’s hope FBI catches those who gave so much misery to people are caught, fined and jailed for the rest of their lives. (It’s not hard to find them, FBI)

     
  74. Kristen
     

    Hey! I had this same problem and got tricked into getting the free version of AntispySafegaurd! But Just simple Compture Restore saved mine. Just set it back to a time before you used the spyware (I set mine to a month back even though I only had this problem for a week) Its very Simple and now my compture works fine.
    Good Luck!
    P.S. AntiSpySafe Gaurd WILL try to restrict this. But just click the “Continue UnProtected” until it allows you.

     
  75. Sara
     

    i need help, im very confused

     
  76. Ali
     

    Thank you so much! I tried everything. I searched everywhere. NOBODY helped me. All it took was the notepad trick. You’re awesome!

     
  77. Ali
     

    I lied. I thought it was fixed but after leaving you that comment I went to google search again and the same stupid redirect happened. Help?

     
    1. admin
       
       
      Post author

      Try disabling proxy server, do a scan with some anti-malware tools, and check if you got TDSS rootkit (run TDSS Killer). See your router settings as well. Generally, try doing the whole guide.

       
  78. Kaitlyn
     

    I have done the above steps. My host file has no other lines other than what you say should have.

    I am still getting fake microsoft alerts. My google search on this problem gets redirected, using firefox.

    I have followed the steps on this website http://www.2-viruses.com/remove-fake-microsoft-security-essentials-alert and found nothing. Also rebooted my pc with aoss scan http://www.pctools.com/aoss/ and scan with malware byte but it found nothing.

    After all these, I am still getting fake microsoft alerts :( what else can I try? I downloaded spyware doctor but I have to pay for it. Is there any other free software that I can use?

     
    1. admin
       
       
      Post author

      Kaitlyn : Try Malwarebytes or SuperAntiSpyware. Malware mutates, so no tool is 100%. If SD does not detect particular parasites, It will not remove it in full version probably till next update. Also, have you run TDSS Killer?

       
  79. Tim
     

    I love you guys, just thought I would tell you. TDSS killer and the Malwarebytes totally cleaned my computer and got rid of this and other problems. Thankyou for making my life so much easier.

     
  80. Brian
     

    After wasting time using many different anti-virus apps this was the one thing that worked! Thanks

     
  81. Pingback: What is Google Redirect Virus?

  82. Sebrina
     

    I have thinkpoint have no idea how it got on my computer. I have norton and it says nuthin at all is wrong. I’m runnin windows 7 & I need to know how to get it off it won’t let me online or on anything really I got the task manager to work and that’s the only way I can get online and I have to use my safari cuz it won’t work with explorer it got on my comp last nite somehow and I need help removin it before it gets too bad oh btw was on the phone with a lady from compaq for 3 hours she did nuthin to help she just tried to sell me a recovery disk for $30 :( plzz help me I know nuthin about these things

     
    1. admin
       
       
      Post author

      Sebrina: read Thickpoint removal guide. Disable proxy in your other browsers and try searching and deleting file hotfix.exe under your user folder (one level above my documents).

       
  83. Jon
     

    @admin
    This sounds exactly like the virus that I have on my other computer. Not sure if you are familiar with “youcansearch com” but I keep getting directed to that site whenever I try to use another search engine. I have used Malwarebytes Anti-Malware, but nothing seems to show up. In searching on how to get rid of it, I found a site that told me to delete all the files under the etc folder (… ). Here, you say to delete only specific lines from the host file. Can I do either?

     
    1. admin
       
       
      Post author

      I do not recommend deleting all the files from there. They are created by windows for a good reason :)
      Just delete additional lines if there are any. If not, virus is somewhere else.

       
  84. Jon
     

    Assuming that the virus is not in that location, what other locations do you recommend that I can check?

     
    1. admin
       
       
      Post author

      Go through full guide. If it is malware, any scanner will help significantly, as it could be anywhere. If its settings only, then it will be either DNS server settings (in router or on PC), proxy, or hosts file.

       
  85. Jon
     

    I will be sure to check everything. Thanks for your help!

     
  86. Tram
     

    Hi, so I know that you said that in order to save the host file you’re supposed to open it as the administrator. I know for a FACT that I am the administrator, but I still cannot save the host file. I always tells me to “contact the system administrator” and then it tells me to save it as a text file in my Documents. What should I do?

     
    1. admin
       
       
      Post author

      Tram:
      Are you on Vista / windows 7 ? If so, you are not running as full admin all the time, even if account is administrators one. That is called UAC window. If a program is launched without elevating the permissions, it will not be able to receive these permissions latter on. That is why it is important to open the file as administrator.
      Neverless, there are forms of malware that change file permissions. For that, you have to right-click on the file and change its attributes.

       
  87. Tram
     

    Yes I believe I am on Vista. But the thing is, when I right-click on the host file, the “open file as admin” is not available. It just goes straight to “open” and then asks me what format I want to open it as. Since I am not really computer savvy, how would I change this?

     
    1. admin
       
       
      Post author

      Tram: You can not open hosts file as admin. You can open Notepad first (as admin) and then from notepad open hosts file.

       
  88. randy burns
     

    Hi…I have read thru all your fixes…even tried kasperspy…I did a fresh install of windows and STILL have the redirect….i have tried all the programs….avg.malware.super.adaware…a list of em and they find nothing…any suggestions?….it is IE and firefox not just one…thanks so much

     
    1. admin
       
       
      Post author

      Randy: Check your router and DNS settings. Then again, it kinda depends when you get redirects: all programs or specific browsers.

       
  89. Jason
     

    Hi, I had the redirect virus and I did your fix steps and now i don’t get redirects anymore, which is great, thanks. (however, my hosts file was perfectly in tact.)

    The problem I am still having is that every time I open my internet browser (either IE or firefox), usually after restarting my computer or waking it from sleep mode, my proxies are changed and my internet becomes unusable.
    Something keeps changing my proxy settings to “Manual Proxy configuration:” (on firefox, for example) and I have to change it to “no proxy” every time if I want to use my internet. What would be causing this and how would I fix it?

    Thanks.

     
  90. Jason
     

    EDIT: It seems to be the act of opening the browser that re-sets the proxy settings to the setting that won’t let my internet work (Manual Proxy configuration)…. if that helps??

     
    1. admin
       
       
      Post author

      Jason: Your problems are due to some virus process. The usual suspects are TDSS Rootkit (Have you scanned with TDSS Killer? ) or similar. What I can recommend is doing some more anti-malware scans. I can recommend Malwarebytes, Spyware Doctor, and, in this case, Hitman Pro http://resellers.hitmanpro.com/9182137/HitmanPro35.exe .

       
  91. Jason
     

    I just scanned with TDSS Killer and there was no problems. Also I checked my Device Manager under Non-Plug and Play Drivers and there was no TDSS there. I have done approximately 20 scans, including scans with many different types of trusted scanners (including the ones you recommended) as well as boot scans and scanning in safe mode.

    However, every time I open my browser my proxies are changed. My hosts file is fine and unchanged, my DNS settings were originally changed, but since my fixing them they haven’t changed back (unlike my proxy settings). What could be causing this? It’s very annoying and it is slowing down my computer quite noticeably.

    Thanks again.

     
  92. Jason
     

    EDIT: I just reinstalled Firefox. Now whenever I open my browser (either IE or Firefox) my proxy settings are unchanged! So I guess the virus was affecting some sort of Firefox file itself? I don’t know… Does this mean the virus is gone? or..?

     
    1. admin
       
       
      Post author

      Jason: It might be a case. There might have been some sort of FF add-on, written for this purpose that is yet unknown for scanners.

       
  93. CPHelp
     

    @Seth
    Ok, to do this correctly, select sll the things you want to keep, and right click, and look for an option that says: Scan with [your virus protection if you have one] and scan, then move to disc.

     
  94. shashi
     

    I download but I dont know how to fix it help me.

     
  95. Rachel
     

    I downloaded spybot and ran a search. I am no longer redirected to spam sites from google searches but I still cannot open firefox. I opened the wordpad host document and there was nothing unusual. I went through all of the other steps as well, except changing firefox’s settings, because I cannot open it.

     
    1. admin
       
       
      Post author

      Rachel: Spybot in my opinion is severely slow at updating definitions. Your problem is due to infection, and not malicious configurations. Try using couple other scanners: Hitman Pro, Spyware Doctor, Malwarebytes, SuperAntispyware.

       
  96. Rachel
     

    Actually I am still being redirected.

     
  97. Rachel
     

    Malwarebytes caught nothing. Spyware Doctor found things but because it is the free trial, I cannot do anything about it. I will try Hitman Pro and Superantispyware. Could this infection also be disturbing the connection between my computer and printer or is that an unrelated problem?

     
    1. admin
       
       
      Post author

      Expand SD detected items. See the file location. In many cases it is safe to delete or rename detected files. In some cases you will have to modify registry keys.

       
  98. Rachel
     

    I used Hitman Pro and Superantispyware. Both of them found things and deleted them, but I am still being redirected. On the upside, firefox now opens. Its proxy settings look fine.

     
  99. anon
     

    I been reading through you article and avg and malwarebytes dont pick up the virus of rootkit. Whenver i visit a legit site to download himan pro or superantispyware my mozilla firefox freezes. i heard about it might be a router issue or i should use tdsskiller

     
    1. admin
       
       
      Post author

      Anon
      Yes, TDSS Killer is good approach. Try changing DNS servers though and check which DNS servers your router uses. It happens, that malware infect routers, especially ones with default password for that model.

       
  100. anon
     

    thanks tdss killer did it then i used malwarebytes to scan. =)So do recommend changing the password on my router and which anti virus/malware/spyware product that in the future can get rid of problems likes this.

     
    1. admin
       
       
      Post author

      If it was TDSS Killer, then your router is likely unaffected. However, it is bad to keep default router password, so if you do, change it (just not to aaaaaa, 123456 or password, the most popular and automatically attacked combos). I recommend getting internet security level of protection for every PC: Eset Smart Security, Kaspersky internet security or PC Tools spyware Doctor with antivirus, or any other from major makers. If not, get Spyware Doctor or Malwarebytes full running with real time protection together with decent antivirus. That should reduce risks of getting infected significantly.

       
  101. Marc
     

    I had this issue and it turned out the dns settings had been hijacked.

    I returned them to google’s dns servers (8.8.8.8, 8.8.4.4) and everything is happy now.

    I don’t think any malware removal tool will find this.

     
  102. anon
     

    ty admin for the help

     
  103. greg
     

    YOU are a god among men i love you you saved my computer experience thank you !!!!!!!!!!!!

     
  104. will
     

    the antivirus software alert wont let me open my host file. i found it but it wont let me open it. what do i do?

     
    1. admin
       
       
      Post author

      Will: This guide is more in cases of handling left-over damage of malware. If you have active malware attack, first scan with regular anti-malware and antivirus tools.

       
  105. Marshall
     

    i have the antivirus 2011 and i have followed instruction concerning the hosts site, etc. I have downloaded spydocter but unable to execute. What next

     
    1. admin
       
       
      Post author

      Marshall: In your case it is malware based infection, and not malicious settings. Thus I recommed 1. Update Spyware Doctor 2. Try other tools (malwarebytes, hitman pro, superantispyware are good) 3. Delete it manually 4. Ask questions under its own guide : http://www.2-viruses.com/remove-internet-antivirus-2011

       
  106. Laurens
     

    I just had the same problem. Malwarebytes and G-Data found that csrss.exe, dwm.exe and conhost.exe were all infected by a Cycbot.AC Trojan Horse. Gladly, NOD32 ESET just released an update TODAY where they counter this Trojan:
    http://www.eset.com/threat-center/threatsense-updates (see Virus Signature update 5698). So, I recommend using NOD32.

     
  107. PengSwen
     

    My computer had been redirecting me to infomation-seeking.com ..im using window XP pro.so is there any difrences in steps?

     
  108. codey
     

    I installed the program, but the system won’t let me launch it. What do i do?

     
    1. admin
       
       
      Post author

      Codey: read guide on how to disable processes or reboot into safe mode with networking.

       
  109. Jordy
     

    I have ”security shield” and i think thats a virus.
    How does it go away ?
    Caus e my whole comp doesnt do it, cause then a ”security shield” browser comes

     
  110. Shyenne
     

    I’m trying to follow this site, & in my eyes it’s complicated. i have no idea what i’m doing. i’ve never had a virus.

     
  111. Carl
     

    “Oh my god, no way” and “Congratulations, you won” audio will be heard along with re-directs when going thru Google links (especially this web site). The problems may not occur for 15-30 minutes, but they will return and are extremely random.

    Downloaded Malware did get rid of alot of problems and I did all of the other steps herein however…..no luck. By the way, this particular computer does not have a “hosts” file in the “etc” path. Strange.

    I’m gonna “bite the bullet” and re-install XP. Spending more than 2 hours trying to fix a goofy mal-ware problem is stupid. I’ll say one thing – whatever web-sites sponser these malware products should be shot.

     
  112. Carl
     

    No worries. I guess I didn’t do “everything”. I ran “tdsskiller” (as suggested). It found 1 problem and “cured” it and…….horrah. No more google re-directs, browser kills, and funny audio. Here’s hoping this problem has gone away forever.

    Thanx for the information – beats having to re-build.

     
    1. admin
       
       
      Post author

      Carl: It is advisable to scan with other tools after TDSS got removed.

       
  113. Carl
     

    Do you mean like “Malwarebytes”? Or are you referring to something else?

     
    1. admin
       
       
      Post author

      Carl: Hitman pro, Spyware Doctor, Malwarebytes. Hitman pro is always a good choice, as it scans against couple antivirus databases. SD has bigger database (in my opinion) as malwarebytes, and is a part of bigger security suite. Though it is commercial program. And Malwarebytes is quite popular for good reasons to scan.

       
  114. Carl
     

    I scanned with Malware and got nothing; SD still reports 5 items:
    Application.TrackingCookies
    Tracking.TrackingCookies!Rem
    Adware.Advertising
    Spyware.Known_Bad_Sites
    Spyware.TrusyHound!Rem

    Also, there are several processes that seem strange. They are:
    DLACTRLW.EXE
    PDVDDXSRV.exe
    ITMRTSVC.exe

    I believe the first one (DLACTRLW.EXE) is causing multiple processes (with the same name) to be born. When they occur, silly sound bytes (as previously mentioned) are heard. They seem to come up randomly.

    However the Google re-direct no longer occurs after TDSSKILLER was run.

    I suppose what I still don’t know is exactly which Malware is one the PC. Does any of the above info help you in making that determination? Also, to kill those Malware items, is there something that is free that will do it? I’m a little cheap and don’t feel like paying the $30 bucks.

     
    1. admin
       
       
      Post author

      Carl: These SD detections are of low importance. I would do a scan with Hitman Pro and thats it.
      Google the process names separately though.

       
  115. Carl
     

    Thanx for your help. It appears the “dlactrlw.exe”, which found its way into the “startup” registry key, was the culprit. After removing that entry, everything seems to be fine. The folks who own this pc will be checking to see if any re-occurrences continue.

     
  116. Amber
     

    I think i’m having the worst problem with my lap top I can’t access anything not my control panel the internet none of my antiviruses or anything….Basically all I can do is turn it off and on…..do you know how I can fix this???

     
    1. admin
       
       
      Post author

      Last known good configuration in boot menu after force shutdown would be an option. Also, try downloading and using scanners in safe mode with networking.

       
  117. Amber
     

    ok….what do you mean by good configuration in boot menu after force shutdown would be an option…Idk to much about computers….

     
    1. admin
       
       
      Post author

      Press power button and hold for ~3secs. The PC will shut down. Then power on, and there will be a menu.

       
  118. Nicco
     

    I has my system attacked by antivirus8… bought spyware doctor and antivirus. Ran the software and removed malicious items it notified me of. HOwever. I can not get my MOZILLA FIREFOX TO LAUNCH. When i go to lauch i get

    “About internet Explorer Emergency Mode” box to pop up and it tells me that malicious software has infected my PC and the browers can’t be launched. I have uninstalled and reinstalled both Internet explorer and Firefox and I still keep getting this error message.. HELP..

     
  119. Alex AAA
     

    unbelivable in the add ons…. thanx a ton

     
  120. Kebap
     

    I disabled IE7 addon “Research” and now I don’t seem to get redirected any more (have to test longer though, because it did’t happen each time anyway…) Thanks for the great guide! :)

     
  121. Billy
     

    I had “Security Shield”. Removed it with CCcleaner, RKill and Malwarebytesantimalware. Then Google’s been directed to Findgala. C.WINDOWS>System32>Drivers>etc> all files are there, except HOSTS file is missing. Used Spyware Doctor, found: RogueAntiSpyware.WindowsSecuritySuite(13 infections), Trackware.Tracking Cookies!rem (24 infections), Adware.Advertising (10 infections), Spyware.TrustyHound!rem (1 infection), Application.TrackinfCookies (15 infections). Spent 3 days trying to get rid of findgala to no avail. HELP..

     
    1. admin
       
       
      Post author

      Billy: Check other things in this guide. Run TDSS killer as well.

       
  122. Billy
     

    Ran TDSS killer as suggested. Took 22 seconds and result was no infections found. In-depth scanned with NOD32 Anti virus, no objects found infected. Did step 2 to 9, except step 7 (‘coz it’s optional) and step 1 (‘coz couldn’t HOSTS file). Still redirected to findgala. Am I missing something here? I start losing hope here…@admin

     
    1. admin
       
       
      Post author

      Stuff to try :
      1. Hitman pro ( http://www.surfright.nl/en/hitmanpro )
      2. EmsiSoft Anti-Malware ( http://www.emsisoft.com )
      Host file is at c:\(your windows folder)\ system32\drivers\etc . It has no extention.

      If it is clear, and no scanning detect anything then it is problem with your router (most likely), semi-whitelisted browser toolbar (failed to remove browser add-on in one of the steps, but unlikely) or very fresh infection (less likely if you use several tools and they come clean).

       
  123. Billy
     

    Ran everything again. Malwarebytes antimalware: no malicious objects found. Hitman Pro: caught IExplore.exe as a threat, contains a high amount of malware related properties and it’s a potentially malicious software. Should I delete or quarantine this? A friend told me to just change the google bar from the right-hand side drop down menu and choose “Find more providers”? Emisoft Anti-Malware is still scanning as I type now. Checked several times C>WINDOWS>System32>drivers>etc>…, the HOSTS file (with no extension) is not there. There are only 5 files in etc folder: HOSTS.bak, lmhosts.sam, networks, protocol, services. And the worst part is most of the times I turn on my laptop in normal mode, it always freezes and I can only use it if I switch to Safe mode with networking. How do I know there’s a problem with my router and what did you mean by semi-whitelisted browser toolbar? I’m very dumb when it comes to computer stuff..@admin

     
    1. admin
       
       
      Post author

      Billy: Iexplore.exe might be a fake iexplore, check the file location. See the content of hosts.bak file, and maybe try to create an empty hosts file. If you can’t create, the real hosts file is hidden and cause of your problems.

       
  124. Billy
     

    Located the file, it turns out to be Rkill program (the Icon says IExplore). Opened hosts.bak in Note pad:
    127.0.0.1 localhost
    ::1 localhost
    How do I create an empty hosts file? How can I find the hidden hosts file?

     
    1. admin
       
       
      Post author

      Just try renaming .bak file to one without extension or save same content using notepad to file without extension. IF you are stopped from doing that, it is likely that there is hidden file.

       
  125. Billy
     

    When I tried renaming .bak file to without extension, a message box poppe dup saying if I change the file extension, the file will be unusable, so I saved same content of hosts.bak as file without extension, and the file type is text document. What else needs to be done?

     
    1. admin
       
       
      Post author

      Just make sure it is without extension (as extensions of known file types might be hidden). If you save as .txt it might leave .txt extension hidden.

       
  126. Billy
     

    I copied hosts.bak and tried renaming it into hosts without extension, it asks me if I want to rename it to hosts(2), because there is already a file with the same name in the location. Does this mean the hosts file is already there, but it’s hidden?

     
    1. admin
       
       
      Post author

      Yes. Edit your settings to see hidden and system files.
      On windows 7 :
      Open Folder Options by clicking the Start button
      Select Control Panel
      Clicking Appearance and Personalization
      And then click Folder Options.
      Click the View tab.
      Under Advanced settings, click Show hidden files and folders, and then click OK.

       
  127. Billy
     

    Mine is Vista. Opened Control Panel>Folder Options>View tab>clicked on show hidden files and folders. Then checked the etc folder, still doesn’t show hosts file without extension.

     
    1. admin
       
       
      Post author

      Look for option to see system files as well.

       
  128. Billy
     
     
  129. Tawni
     

    so how to i get to ‘hosts’ because it won’t let me click on it without closing again and bringing another security shield warning…?

     
    1. admin
       
       
      Post author

      Tawni: use code for Security shield to disable it first. Read our guide on security shield.

       
  130. techmanDj
     

    combofix fixed mine.

     
  131. Chuck
     

    I have done everything found on this forum with very itte resuts. After the Windows Performance Manager downoaded itsef onto my computer I ceaned most of it up by searching for unusual programs. I found and deleted the files called cvfgtm.exe and bktgrk.exe. These files apeard to be AVI files. After deleting these files my computer was restored to mostly norma operation. I then used AVG free and IObit 360 to scan again and removed a few bad files. But I wanted to make sure I had all the virus removed so I searched and found this site. As I downoloaded the Spyware Doctor, AVG 2011 also downoaded. Both these files appeared to be maicious viruses and has completley destroyed my computer. I have worked my way back little by little and have just about cleaned up the mess.

    But I have one problem left that I can’t get fixed.When I try to open Notepad in Administrator, it refuses my pasword. Also, Internet Exporer opens only somekind of “Emergency Mode” and refuses to let me open any page except the microsoft.com page that contains the Windows Performance Manager and other viruses.

    Can you help me get my internet going again?
    Thank you

     
  132. joe
     

    is stopzilla any good?

     
    1. admin
       
       
      Post author

      Joe: There are mixed opinions about stopzilla. I would not use it myself, as in my experience it detects infections in files that are harmless ( aka false positives). However, these are not intentional, and the company is legitimate. There are better tools though.

       
  133. Sascha S
     

    i had this problem too,
    it was a self reinstalling local proxy.
    files(therms) to search in registry:

    Temp\csrss.exe (dont delete anything where path starts with %system… ususally with Temp\csrss.exe you would not even find something starts with %system…)

    data\dwm.exe (not renameable because running, so needs deleted in registry)

    data\wins.exe (rename you will find the path in registry)

    data\conhost.exe (Start > run > msconfig > systemstart > uncheck conhost)

    —- export registry first DONT delete keys just remove values —-

    After restart you will find out (because your internet works only for certain webpages ) that your system LAN-Settings where set to use Proxy for LAN…
    so go to

    Start > Control Panel > Internet > Tab Connections > Button Lan settings > uncheck use Proxy.

    that was it for me, hope it helps someone.

     
  134. Sascha S
     

    ah yes that was for win xp sp 3

     
  135. elena
     

    where can I find the add-ons in IE? and what is IE?
    Thanks

     
  136. tony
     

    ok ive read this page and it didnt help my google redirects my host files are fine i cant find a tdss thingy i cant download things either it just keeps asking what program would i like to choose to open file and when choose it just does it again my spywaredoctor didnt pick up anything but now i cant even open that my processes seem fine my proxy is disabled so im just going to save money and buy new com btw i using ie8 i believe

     
    1. admin
       
       
      Post author

      Tony: Your file associations are messed up, you will need to fix registry first.
      Check your browser addons and try doing scan in safe mode with networking (full system scan) with several tools

       
  137. phnatduppf
     

    Have trawled various forums, manually hacked away at the superfluous, used malwarebytes’ anti-malware, superanti-spyware, sophos anti-rootkit and unhack me, tried disabling javascript, checked dns, hosts, and proxy settings, and scoured the filesystem for dozens of the usual suspects. My search results still redirect me almost unswervingly towards a goingonearth version of whichever result i’ve clicked. Likely point of infection was mj1.exe and mj2.exe though not sure of where they originated. Close to initiating a total re-install but refuse to be beaten, now 8hrs in and need to sleep. D

     
    1. admin
       
       
      Post author

      phnatduppf:
      Have you checked add-ons in browsers? In some cases router needs checking as well, though that approach works through DNS servers usually and is fixed once you change it.

       
  138. phnatduppf
     

    Cheers for reply,
    all addons are those i installed and none of my anti-* scans flag them.
    Online through t-mobiles web’n’walk mobile broadband and a 3g huawei dongle only use firefox but checked and IE has same issue on my first use of the program.
    What is being referred to when i click a search result? How is it unique only to this action, not downloads or intra/inter-site links, also appears yahoo is unaffected whilst bing and google are. D

     
  139. phnatduppf
     

    Problem appears solved,
    first ran rkill.exe (found grpconv.exe),
    then kaspersky’s tdss killer (found sptd.sys),
    then mbam,
    then hitmanpro (found sapi0.dll).
    So far (>20 searches) no redirects. D

     
    1. admin
       
       
      Post author

      phnatduppf
      Yeah, TDSS Killer quite often a solution for these problems… In fact TDSS is in my usual suspect list :)

       
  140. James
     

    Am stuck at step 1 – how do I save the corrected host file (I don’t see where to “open with admin priveleges on my home PC).

     
    1. admin
       
       
      Post author

      James: For older versions of windows (like XP) just open it.

       
  141. Tim
     

    Step #8 cleared up my computer. Thank you so much!

     
  142. Marg
     

    Hi,

    My google direct virus means that all the web browser open up in Chinese – and it appears to be a porn site. This happens for both IE and Mozilla and also appears in Yahoo if I try to search. I have read all the following information and no-one has mentioned Chinese characters. How can I fix this problem?

    Many thanks

    Marg

     
    1. admin
       
       
      Post author

      Marg: read sections about DNS, Proxy, add-ons. Also, scan with anti-malware tools

       
  143. Moon
     

    I’m stuck on step 1. I opened the host file in notepad and it’s empty. what does that mean?

     
    1. admin
       
       
      Post author

      Moon: Empty hosts file is ok. Just make sure you opened right file.

       
  144. Moon
     

    I’ve run rkill and malwarebytes. I deleted a bunch of trojans. Now I can’t seem to get my wireless router to find my wireless network. what can I do?? please help!

     
  145. Moon
     

    One last question – is zitui.exe a virus? i don’t know what it is and I’ve never seen it before.

     
    1. admin
       
       
      Post author

      zitui.exe sounds like virus.

       
  146. I’m having trouble opening my file as a note pad. It won’t open at all, I did everything I can, including “Running as Administrator,” nothing seems to work. Please E-Mail me and help me out. I really wish to get this program out of my computer.

     
  147. ethan
     

    I cant open my host files it wont let me and ive tried moving malware anti malware by a usb drive but it still wont let me open it

     
  148. drew
     

    This goes out to the maker of this virus im trackn you and i will get you its nice in CALIFORIA cant wait to see you

     
  149. robin kinsella
     

    it keeps poping up i can not do nothing on my cumputer

     
  150. Ben
     

    I Can’t find my host file and it won’t let me run notepad as Administrator doesn’t work either, im running Windows 7 64bit Please Help.

     
    1. admin
       
       
      Post author

      Ben: It might be invisible. Try editing it in safe mode, not in regular mode.

       
  151. jonlee
     

    this is my host what should i remove.
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to computernames
    # (NetBIOS) names. Each entry should be kept on an individual line.
    # The IP address should be placed in the first column followed by the
    # corresponding computername. The address and the computername
    # should be separated by at least one space or tab. The “#” character
    # is generally used to denote the start of a comment (see the exceptions
    # below).
    #
    # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
    # files and offers the following extensions:
    #
    # #PRE
    # #DOM:
    # #INCLUDE
    # #BEGIN_ALTERNATE
    # #END_ALTERNATE
    # xnn (non-printing character support)
    #
    # Following any entry in the file with the characters “#PRE” will cause
    # the entry to be preloaded into the name cache. By default, entries are
    # not preloaded, but are parsed only after dynamic name resolution fails.
    #
    # Following an entry with the “#DOM:” tag will associate the
    # entry with the domain specified by . This affects how the
    # browser and logon services behave in TCP/IP environments. To preload
    # the host name associated with #DOM entry, it is necessary to also add a
    # #PRE to the line. The is always preloaded although it will not
    # be shown when the name cache is viewed.
    #
    # Specifying “#INCLUDE ” will force the RFC NetBIOS (NBT)
    # software to seek the specified and parse it as if it were
    # local. is generally a UNC-based name, allowing a
    # centralized lmhosts file to be maintained on a server.
    # It is ALWAYS necessary to provide a mapping for the IP address of the
    # server prior to the #INCLUDE. This mapping must use the #PRE directive.
    # In addtion the share “public” in the example below must be in the
    # LanManServer list of “NullSessionShares” in order for client machines to
    # be able to read the lmhosts file successfully. This key is under
    # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
    # in the registry. Simply add “public” to the list found there.
    #
    # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
    # statements to be grouped together. Any single successful include
    # will cause the group to succeed.
    #
    # Finally, non-printing characters can be embedded in mappings by
    # first surrounding the NetBIOS name in quotations, then using the
    # xnn notation to specify a hex value for a non-printing character.
    #
    # The following example illustrates all of these extensions:
    #
    # 102.54.94.97 rhino #PRE #DOM:networking #net group’s DC
    # 102.54.94.102 “appname x14″ #special app server
    # 102.54.94.123 popular #PRE #source server
    # 102.54.94.117 localsrv #PRE #needed for the include
    #
    # #BEGIN_ALTERNATE
    # #INCLUDE \\localsrv\public\lmhosts
    # #INCLUDE \\rhino\public\lmhosts
    # #END_ALTERNATE
    #
    # In the above example, the “appname” server contains a special
    # character in its name, the “popular” and “localsrv” server names are
    # preloaded, and the “rhino” server name is specified so it can be used
    # to later #INCLUDE a centrally maintained lmhosts file if the “localsrv”
    # system is unavailable.
    #
    # Note that the whole file is parsed including comments on each lookup,
    # so keeping the number of comments to a minimum will improve performance.
    # Therefore it is not advisable to simply add lmhosts file entries onto the
    # end of this file.

     
    1. admin
       
       
      Post author

      Your hosts file is clean.

       
  152. Julius
     

    You are the best! I have been working on this damn thing all week. The rootkit tdsskiller did the trick! Symantec and Malwarebytes didn’t pick it up.

     
  153. Esthefany
     

    I am so confused! I can’t get this to work for me at all. :(

     
  154. NakedGuy69
     

    This worked for me.

    Just make sure guys that when you’re about to edit the host file, “read only” is UNCHECKED in the files properties.

    And if you are having problems with overwriting the file, double click it when you are saving.

     
  155. bidita
     

    the xpantispyware 2012 has blocked all d important files including dis file nd i can,t open it neither can i make it run dus ne1 has d idea hw 2 fix ds problem????????????

     
    1. admin
       
       
      Post author

      Bidita: In your case, read the guide on XP antispyware 2012. You need to kill its processes, this guide is not that applicable (except you might have to remove proxy as well) http://www.2-viruses.com/remove-xp-antispyware-2012

       
  156. Ed
     

    Hosts files are fine and DNS setting and Proxy too – downloaded all (Malwarebytes, Spyware doc, even the special remove antispyware) in safe mode with networking but every time I want to run them, Vista Spyware message appears and blocks them. Can someone help?

     
    1. admin
       
       
      Post author

      ED: If the file is blocked after download, try renaming them to .com instead of .exe Or you might have to kill malware processes manually.

       
  157. BigL
     

    @Julius

    Thank you from RDU (Raleigh-Durham NC)! The rootkit tdsskiller did the trick!

    With 12 years computer/network experience — this Malware got me good! Wasted 4 hours of my life!!!

     
  158. JustME
     

    Old hacker trick—mark the hosts files to read only…and if you use WinPatrol
    (the free version is fine) it will show you the hosts file within the application and also everthing running.
    AND it warns you if something writes to the startup
    http://www.winpatrol.com/

     
  159. Dale Anderson
     

    Thanks for this information. This virus was causing me all sorts of headaches.

    Now if I could get my hands on the person who put the virus on my computer in the first place, that would be a nice feeling to have. :)

    Cheers, Dale

     
  160. Denny
     

    I beat Vista Fix It and Google Redirect

     
  161. David B
     

    My hosts shows a ::1 under the ip addy. Should this get deleted? When I try and save it says cannot create to C:\Windows\system32\drivers\etc\hosts, Make sure path and filename are correct. I am pretty sure I am logged in as admin… Ran AVG antivirus which found nothing. Just would rather exhaust all options before i go downloading and installing 14 different malware products. Thanks.

     
    1. admin
       
       
      Post author

      David: You got Vista/Win 7. ::1 is harmless, it is an IP6 address. If this is single additional line, your file does not need editing.
      If hosts file is clean, I would look for problems in other sections (either trojan is active on system, Rootkit, or malicious proxy, etc. )

       
  162. Michael
     

    When I open my hosts file on windows 7 with notepad, the document that opens is blank. Why is that?

     
    1. admin
       
       
      Post author

      Michael: if this is correct location, than everything is fine. Hosts file is not necessarily in most cases, though there is a placeholder file in most of the systems with some commented lines and 2 lines referencing localhost.

       
  163. Tyler
     

    Thank you this guide. all the responses to questions really helped my knowledge on this subject. i checked my addons in Firefox and found “XUL cache.” i removed it and the redirects seem to have stopped. I read somewhere that this addon can somehow get back onto my browser. Is there something that i can do to make sure that i’m in the clear?

     
    1. admin
       
       
      Post author

      Tyler: best advice is to keep decent internet security suite on PC. Malware still has to get in on one’s PC to modify settings and cause redirects (except in case of hijacked router). For the router, nothing beats changing password from default one.

       
  164. Melisa
     

    Just wanna say thank you. The instructions totally solved my problem! Really saved me a lot me trouble. Thanks a lot!

     
  165. Shokc
     

    @Hi
    To save host file as admin, windows 7, even if you are the admin right click on host file go to properties, under security tab, select user and edit – Select all boxes under Allow. This will grant permission to save the file.

     
  166. Shokc
     

    Will let you save the host file.

     
  167. Raj
     

    Just removing the following entry from my hosts file did the trick.
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Thank you very much!!!!

     
  168. Jackie
     

    @Shokc
    I can’t update the hosts file it won’t let me open it or change the user properties so all users can edit. I can’t download the spyware (*any of them) from the internet as the virus has blocked access to them. I can’t even access the internet settings to change proxy settings…it just says can’t access contact your system administrator. Please help I can’t do anything on my PC and this virus is so fr*king annoying!

     
  169. SamieJ72
     

    Reboot your computer in safe mode and delete the following file in the following folder. Fixed my redirect problem like a champ!!

    File: api-ms-win-core-memory-l1-1-032.dll
    Folder: C:\Windows\SysWOW64

     
  170. CDA Rescue
     

    Unhack me is a great program for removing most of the malware. Been doing the virus removal since 1991 and have to say this program has made life so easy.

    http://www.greatis.com/unhackme/download.htm

    Just fixed some malware entries in my host file.

    Also combofix works well, just be careful with it.

    http://www.bleepingcomputer.com/download/anti-virus/combofix

    Worried about the fake viruses? try WOT for your browser to let you know of potentially dangerous sites.

    http://www.mywot.com/en/download

     
    1. admin
       
       
      Post author

      CDA Rescue :
      Thank you for suggestions.
      WOT is useless against fake antiviruses. Its ratings are based on opinion on domains, and these change on daily basis. It is useful against poor programs though or scams. Both Combofix And Unhack me are computer repair programs that are of interest for people that repair PCs for living rather than regular user that desires less problems with one’s PC on long run :)

       
  171. itguy
     

    The TDSKiller program did the trick for me…thank you!

     
  172. Justanotherdude
     

    tdsskiller.exe is the one. I think that should be bumped up to Step 1. :)

    Thanks for the help.. just glad that I finally got rid of it.

     
  173. SubZerQQ
     

    for those of you that are having problems editing host file. I highly recommend HostsXpert v4.4. A free program for managing your host file. get it here:
    http://www.funkytoad.com/index.php?option=com_content&view=article&id=13&Itemid=31&28d444df85eb4f435055ed9d39c02f03=d315773113eab5e724959c494ea17358

     
  174. Pingback: Is malware payment gateway shutdown the end of Fake AVs?

  175. frozo
     

    I edited my host file but to no avail and tdsskiller.exe resolved my issue. Thank you.

     
  176. Zoey38
     

    my host file doesn’t look like that it looks faded and it won’t let me save it i have also tried running as administrator

     
  177. Wendy
     

    I’m trying to do step one, and my computer wouldn’t let me ‘access’ or save my changes. I noticed extra line that ‘i think’ should be removed, ::1 localhost. How can I let the hosts file save my deletion>

     
  178. Wendy
     

    BTW, I’m on Window’s Vista – how can I open the ‘host’ file with admin. privelages?

     
  179. Wendy
     

    Got it. Figured it out!

     
  180. Chris
     

    The hosts file suggestion solved the problem that Lavesoft and Ad-Aware didn’t catch this one. Thanks for being awesome.

     
  181. Xinci
     

    Thank you thank you! I had to do quite a bit of research for an important paper I’m working on and the problem was hidering me greatly. I followed your instructions and it worked! It was some trojan programs that were quarantined in my virus protection but they were still causing problems. I’m very grateful :)

     
  182. gsly
     

    Thank you very much this worked very well. I appreciate your assistance

     
  183. Pingback: Dedicated 2-viruses » Fake BBC videos are used to trick PC users on Facebook

  184. Dave
     

    Just wanted to say thanks for the information. My IE has had the same problem as most people have had lately. I had tried about 10 Spyware tools and none found the problem, so I downloaded and ran tdsskiller.exe from Kaspersky. I ran it and the program found 2 files BMLOAD and tcpipBM which it removed and now IE works as it should when I select something from a google search.

    Now to find a fix for why my active window deselects itself after about 25 seconds and I have to click on the window to continue doing whatever.

     
    1. admin
       
       
      Post author

      Dave: Rescan with full kaspersky version or other 10 tools :). This kind of infection might have hidden some other processes from anti-malware tools while active. Also, it might be useful to do a test run with some registry optimizer like CCleaner.

       
  185. Dave
     

    Hi ya Admin.

    I just found what was causing the active window deselection. I recently installed Kies for my Samsung phone. I went through and ended the windows processes that weren’t directly related to windows 1 at a time until it stopped. It was KiesPDLR that was somehow causing the problem. Thanks again for your help.

     
    1. admin
       
       
      Post author
       
  186. Jen
     

    Great info, unfortunately I’m still having issues.
    Step 1: I modified the hosts file to match yours
    Steps 2 & 3: settings were fine
    Step 4: N/A
    Step 5: I disabled all non-Microsoft addons
    Step 6: I ran Spyware Doctor. It found a high threat and a medium threat. I was surprised that I had to pay $30 to fix these, but I decided that the $30 would be well worth the fix. This didn’t do the trick though.

    When we go to Google & Bing the bottom bar says “waiting for Google.com” and the page just never loads. Yahoo loads, but we can’t search, the searches don’t load. The control key isn’t working properly, I can’t copy and paste using control commands.

    I didn’t continue with steps 7, 8 or 9 because this computer belongs to my parents and I ran out of time. Any advice??

     
  187. Marc
     

    Step #1 was the fix for me. It worked. But before that, I’ve scanned my laptop running Vista Basic Edition with Adaware (free edition) from Lavasoft. I’ve been using Adaware since 2001. I’ve used also CCleaner (free edition) to scan/fix registry entries + stop suspected processes. Both are excellent tools for free. Finally, I’ve uninstalled several “suspectful” third party software using another free tool: Revo Uninstaller. This utility isn’t just uninstalling the software but also offer to clean the registry table of ANY occurrence of the software you’re uninstalling. Then apply the fix proposed here otherwise the malware if not remove previously will keep re-installing itself.

    I can now enjoy ALL the Google / Yahoo searches again.

     
  188. Helen Wood
     

    Thanks! I have been having a nervous breakdown over this and your advice is the first that actually got me anywhere.

     
  189. Whitley G
     

    I have tried everything. It keeps bringing up Data restore with every error message possible. Please help me I’m not very computer savy and I really need this to work for school…Thank you

     
  190. train42
     

    Step 4 worked for me, but as I understand it, the automatic setting of proxies still has fake information somewhere, right? How do I fix this to get rid of the problem completely?

     
    1. admin
       
       
      Post author

      Train42: in some cases the original infection is already gone (removed by antivirus), but proxy settings remain. However, I would recommend scanning PC with decent antivirus. If you have no other symptoms, I would recommend scanning with Hitman Pro, as it is fast and scans with multiple antivirus engines http://www.2-viruses.com/reviews/hitman-pro .

       
  191. Lisa
     

    I have followed your instructions but I still get redirects to stuff like blendersearch. What can I do?? There is nothing in my hosts file that is abnormal. I ran the tdsskiller and it doesn’t detect anything.

     
    1. admin
       
       
      Post author

      Lisa: Have you checked browser add-ons and DNS server settings? It might be some plugin that hijacks search. Disable all add-ons. If this continues, I would recommend scanning with Hitman Pro or Mbam first. TDSS killer detects several families of rootkits, but not everything.
      Post back about your progress.

       
  192. Pingback: ZeroAccess Rootkit - how to remove

  193. Lisa
     

    @ admin:

    I have disabled browser addons. As for the DNS server settings, I have both IPv6 and IPv4, and they are both set to “Obtain an IP address automatically”. I have uesd Malwarebyte and it did not detect anything of the sort.

     
    1. admin
       
       
      Post author

      Lisa: are there other PCs in the network and everything works fine?
      Also, scan with hitman pro instead of Malwarebytes. It uses several antivirus engines,but tests less places than regular antivirus. This is to reduce chances that there is malware to the minimum. As long as there is no malware, I would suspect router hijacking, but the chances are poor. Maybe the site is infected, though, or some weird user script…

       
  194. Cody
     

    Well I troubleshot all these steps and noticed that all my settings are like that suggested. My internet regarding the proxy settings, however, does not have a proxy port. The only browser I have is Google Chrome. I have a redirect virus that when i click on a trusted site, it stops at a blank screen, pauses, loads then stops and changes the website. It takes me to sites like dictionary sites with “Suggestions” I use an entirely outdated 2005 Media center edition PC so everything isn’t far from Win98.

     
  195. Lisa
     

    @ admin:

    Yes there are others but they use Macs. I read on this page that Hitman Pro would require payment in order to remove/clean anything? Malwarebytes detected stuff a couple days ago. I followed your steps and tried the Malwarebytes again, and nothing shows up. I have just checked with Hitman Pro and Tracking Cookies as well several Malware/Trojans showed up. What should I do?

     
    1. admin
       
       
      Post author

      Lisa: Hitman pro is free to scan, and free for the first 30 days to remove (you need to press activate, but no payment is required). Additionally, it will help to determine if there is really something wrong on your PC during the scan itself.
      If other PCs / Macs in the same network are ok, then it is not hijacked router (if they use automatical DNS as well),
      You could also try super anti-spyware.

       
  196. Lisa
     

    @ admin:

    Sorry, I did not see that there was a trial. :) What should I do if the redirect problem happens again and I don’t have the trial option for Hitman Pro anymore? I don’t have the funds to purchase a decent antivirus program or anything in that category for that matter. :( Will let you know of my computer progress after reboot.

     
    1. admin
       
       
      Post author

      Lisa: The correct answer is using decent, commercial (preferably) antivirus like Kaspersky or Eset. In worser case – Microsoft Security Essentials, in worst cases – other free antiviruses. Prevention is the best cure for some of the redirects.

       
  197. Lisa
     

    @ admin:

    Hitman Pro did the trick for me, so I believe. :) I have not been redirected after reboot. Thank you so much for your help and guidance for future prevention! :D

     
  198. Tim Milligan
     

    Here is what I have found with my laptop and google redirects. There is a copy of MS Internet Explorer running in the background. This appears to be related to the redirects. When I rename my IE folders so it will not run and kill the running copy the redirects stop. When I put the folder name back. The IE background process will reappear and the redirects will start again.

     
  199. Tim Milligan
     

    I should also say, since IE is disabled I use Firefox or Chrome. Both of which also had the redirects.

     
    1. admin
       
       
      Post author

      Tim: It might be a malicious IE plugin, that creates a process and hijacks all internet access. Have you scanned your PC with multiple tools?

       
  200. jimmy
     

    Your the best whomever listed the things to do to get rid of the redirct virus….thanks

     
  201. Ryan Critchett
     

    Hate this. I’ve had this problem multiple times, did all of the above fixes, and it changed nothing. Something was still delivering both the fake antivirus program and the redirects in Google, to the machine. Even went as far as to reformat the machine. Then, upon entering dns and static ip info, the machine got infected again. BUT, the server machine (which was really just another computer acting as a server) was not infected. We scanned that thing thoroughly. ODD and extremely stealth, these things are.

     
    1. admin
       
       
      Post author

      Ryan: this guide is for cases when there is no obvious trojan in the system. In your case, I would first do tdss killer scan (and see if it detects), and if not, do a scan with Alternate OS scanners, and then repeat all the steps here.

       
  202. jose rey
     

    browser is redirecting lines in google searches

     
  203. jose rey
     

    how can i eliminate google redirect

     
  204. amit
     

    i have a problem with the cursor it is not stable may be it is due to some virus, pse suggest me how to repair it.

     
  205. Pingback: Dedicated 2-viruses » Keygenguru and other crack websites should not be trusted

  206. Pingback: Trojan.DNSChanger - how to remove

  207. Pingback: TDSS rootkit - how to remove

  208. pedro
     

    thanks a lot i erased the whole host file cause it gave me no option to modify whwt was on it in fact there were two extra lines one for google and the other for bing after delection the hidden virus cant redirectme anymore. i tried everything before unsuscesfully:system restore,antivirus scanning resseting internet explorer, windows search. etc etc, even listing the page risksearch net on the restricted sites button dint work completely cause even it tried to connect unsuscesfully but redirectme from the right results. i was about to switch the hd, but i found your help online and it worked, thanks

     
  209. Al
     

    I have something called searchqu that got in my computer with a music download today. How do I get rid of it. It has taken over as my home page and search engine! Thanks

     
    1. admin
       
       
      Post author

      Al : read guide, everything applies. Uninstall browser ad-ons, scan with both Spyware Doctor and TDSS killer, check hosts file.

       
  210. ada
     

    I changed hos file but wont save it saiys it is read only please help

     
  211. ada
     

    host file is invisible unless I open I copy an dpaste address C:\Windows\System32\Drivers\etc\hosts. When I paste it to search box it asks me what program to use I dobn’t have an option to run as admin
    If I open notepad file I can right click and run as admin, BUT when I open host file and delete bottom section I can not save bcs it is read only.
    I hope that makes sense to someone :(

     
    1. admin
       
       
      Post author

      right-click on it and go to its properties. Remove System And read only attribute.

       
  212. ada
     

    @pedro
    How do you delete host file . I can not find it unless I copy and paste C:\Windows\System32\Drivers\etc\hosts to search box and then access is denied . Is there any other way of deleting it.

     
  213. mcryan
     

    I have located the HOSTS page & opened in notepad, however, after the 127.0.0.1 localhost I have loads of others all with the same number but different name. Do I delete all of them?

     
    1. admin
       
       
      Post author

      mcryan
      yes, you should. Thats DNS address hijacking.

       
  214. trail
     

    I can’t seem to run KasperSky. Google redirects me to cc search sometimes(I’m on google chrome). When downloading, my internet connection gets cut off and I had to restart the computer. Any idea what I should do? I tried opening host, nothing suspicious. Checked proxies and DNS settings also nothing.

     
    1. admin
       
       
      Post author

      Trail : check router settings, although I would suspect active malware on your PC. Download TDSS Killer and some anti-malware program on another pc and use Flash drive .

       
  215. Unknown
     

    If you cant remove Malware on your own, stop being cheap and take it to a pro. Nuff said!

     
    1. admin
       
       
      Post author

      Unknown
      I would say first get a decent antivirus or anti-malware. There would be far less infections if people would actually use antivirus :)
      Professional repair is required for fresh or very aggressive malware or when PC is beyond automatic repair.

       
  216. Mike
     

    I have been getting the Google redirect since yesterday. I scanned with Malwarebytes and found nothing, I cannot even open Norton 360, not even with Task Manager, and running TDSSkiller twice found nothing. I have gone through my host file, found no extra info there, and I checked my proxy settings; one thing was checked and I unchecked it. I went back to the proxy settings later and it was still unchecked. What can I do to remove this virus?

     
    1. admin
       
       
      Post author

      Mike: Scan with different anti-malware programs, like Spyware doctor or Hitman Pro first. If it is clean, check your DNS Servers (should be set on automatic in most of cases). If it is on automatic, then set it to google DNS (this would mean your router’s DNS settings were hijacked). However, if you can’t launch norton 360, it is malware infection.

       
  217. Mike
     

    Spyware Doctor found some low-risk stuff, mostly tracking cookies and a couple of different advertising adware. I’m not in a position to purchase the full version, though, so I couldn’t remove it. I still can’t open Norton but I did check my DNS settings, everything was set on automatic and I didn’t know what the Google DNS settings were so I left them alone. Hitman Pro spent five minutes looking for an internet connection before aborting the scan. I do not know why it did this, as I was able to access the internet fine during the search.

     
    1. admin
       
       
      Post author

      Mike: Run GMER first, then Stopzilla. Try setting dns servers to 8.8.8.8 and 8.8.4.4 (listed in this guide).

       
  218. Mike
     

    I ran SuperAntiSpyware as well, removed several tracking cookies but I did not resolve the redirecting problem. I also retried the TDSSkiller and it still found nothing. Is there another antivirus or antirootkit program that might help remove this?

     
  219. Greg
     

    Ummm… Hi every time i click on a link in google or any other search site it redirects me to a ramdon Porn Site. i can avoid this by coping the direct link into the serch bar but its a pain doing that all the time.Ive use spyware doctor
    And it only found cookies and one medium RogueAntiSpyware.Antivirus360 and that has nothing to do with my browser or somthing like that But please help me!!

     
  220. Lulu
     

    I’m so frustrated with this redirect virus in firefox. I run winxp and have TrendMicro who, surprise surprise, didn’t stop yet another virus from taking hold. I ran malaware bytes and it found 2 reg key trojans and one infected folder. I deleted all 3 then when back in and double checked everything over again. Still i’m getting redirected. Any other suggestions or if someone finds a solution please let me know. Thanx

     
  221. Lulu
     

    Oh update. I think I know what the culprit is. It’s this babylon search engine I caught it’s name in the “jump” when it was redirecting me. Now if I can find out how to get rid of this I may be ok. Any help appreciated since this is one of the only sites that acctually gets past the redirect. :D

     
  222. Lulu
     

    @Lulu
    Great news!!! I went to Microsoft’s website and D/L the microsoft emergency response cleaning tool. After many failed attempts by malaware, spybot, trend, and even Hitman nothing removed it. I then called microsoft and they directed me to this. It is a free d/l for windows users. Ran one scan took about 4 hours restarted pc and viola. redirect gone. Hopefully this will work for some one else :D

     
  223. Matt
     

    Hi,
    I have been having this redirect problem for a few days now and could really use some help. I don’t get redirected every time I click a google link, but occasionally I do and will have to try many times before I actually get through to the requested site…I followed all the steps (all of my settings and folders were already how this guide says they should be) and have done full computer scans with AVG, Malawarebytes, Microsoft Malware Removal tool, and the Microsoft Security Scanner, and the TDSS killer suggested on this page and found nothing. (AVG and Malaware found 2-3 Trojans the first time I scanned, but they all seemed to be unimportant crap that didn’t effect my redirect problem when I removed them). Any Suggestions or Ideas? Please help me out!
    Thanks in Advance.

     
    1. admin
       
       
      Post author

      Matt : Several things.
      1. Are other PCs in the same network experiencing same problem ? If so, router infection is more than likely. It will not be detected by any tools, though DNS change to 8.8.8.8 and 8.8.4.4 (like in guide) might fix the problems. In such case, one should restore router firmware.
      2. Scan with hitman PRO, SuperAntiSpyware, Stopzilla and Spyware Doctor. While majority of microsoft tools are ok, not everything is detected, and personally I do not trust AVG too much. TDSS Killer is against one (nasty) family of infections.
      3. Double check that correct hosts file is empty.
      4. Worst cases? Scan with GMER for unknown rootkits, scan with AVIRA boot cd or PC Tech support time.

       
  224. Elliott Bettman
     

    two (and a half) words..

    Get..A..MAC. I have Minor trojan problems but as long as I don’t execute and delete it’s all good. Linux is BOMB proof but user unfriendly

     
    1. admin
       
       
      Post author

      Elliott Bettman: Wrong.
      Some of things listed in this guide are possible in Mac as well. For example, HOST file, DNS hijacking, infected router or malicious browser add-on. In fact, they are possible in Linux as well. A mac owner should get an antivirus, and (likely) Linux box owner as well. Everything else is down to market share.

       
  225. Sarah Thompson
     

    Hey admin, I tried everything you said on this page and everything’s fine. The only problem is that i still have this annoying redirect virus going…. any help please?

     
    1. admin
       
       
      Post author

      Sarah : Double check addons, change DNS servers and scan with hitman pro and Spyware Doctor.

       
  226. Rebecca Ldj
     

    My computer took a turn for the worse today. After much digging and grueling trying to find out what it was – my two biggest clues of my search engine searches being redirected and music/radio/ads playing in background and the help of my secondary computer – it came down to a virus. I bought norton, ran malwarebytes and ran spybot S&D as well as TDSSKILLER….and then ran all the checks you listed here. I am still having issues. Any ideas?

     
    1. admin
       
       
      Post author

      Rebecca Ldj:
      2 issues are most likely :
      First one is yet unknown trojan /adware. For this, try hitman pro, Spyware Doctor, SuperAntiSpyware.
      Second one is malicious browser add-on (if the music plays only after browser is launched) or proxy.

       
  227. Joe
     

    My hosts file seems to be hidden, all I can find in the etc folder is lmhosts.sam, which looks exactly like one hosts file posted by a reader that you said was clean. Do I need to find the actualy hosts file and check it? How do I find it if it’s hidden?

     
  228. Joe
     

    Update: The first thing I ran was ad-aware in safe mode+networking, which found several items, including trojans. I still had the redirect problem and ran kaspersky tdsskiller, which found something and removed it. Then I ran malwarebytes which found one infected file that looked like a really old keygen for some app. The problem seems to be resolved but I am still curious about my hosts file, why I cannot find it even when I select “show hidden.” I would like to check my hosts file just to be sure, as I said I can only find lmhosts.sam which looks clean.

     
    1. admin
       
       
      Post author

      Joe: PCs can function without hosts file in most of the cases, thats one option. Another option is hosts file with attribute System, which would be hidden as long as an option to list system files is unchecked (thats default). Some malware programs use this trick to hide documents or files.

       
  229. Tom
     

    I was having this issue but only in IE. Ran MalwareBytes, Hitman Pro, Spybot, TDSS Killer etc etc. Nothing was finding or fixing anything. I tried using Dr. Web (free version) and it found a Trojan. Once deleted the problem seems to have been fixed :)

     
    1. admin
       
       
      Post author

      Tom : was it an executable or in settings ?

       
  230. Tom
     

    I deleted Dr. Web but from what I recall it was not an exe file. It was a .dll file in C:\Windows\SysWow64 folder

     
  231. Tom
     

    I found the log file.

    C:\Windows\SysWOW64\msimmsg.dll infected with Trojan.MulDrop3.19698

     
  232. Doug
     

    I tried to delete the extra IPs and files in the hosts file, but when I’m done and go to close the window I’m not able to save it – I’m not actually deleting the multiple lines of IPs permanently. The file is in read only mode. How do you save the new host file once all the junk has been deleted? thanks

     
    1. admin
       
       
      Post author

      Doug: are you on Win 7/Vista? If so, search in menu for notepad, rightclick on it and choose run as administrator.
      If this does not work or you are on XP, run cmd, then run
      attrb -r c:\windows\system32\drivers\etc\hosts

       
  233. Doug
     

    @admin
    I’m on XP. What is cmd & attrb -r? I’m definitely not as technicallogically advanced as you!

     
    1. admin
       
       
      Post author

      Doug -> Start->run , then cmd and enter. A window would appear. Then attrib -R c:\windows\system32\drivers\etc\hosts

       
  234. Sher
     

    Spybot Search & Destroy found Security Defender and says it fixed the problem, but it didn’t. It keeps coming up. Should I have an extra line in hosts – localhost name resolution is handled within DNS itself?

     
    1. admin
       
       
      Post author

      lines referencing localhost is ok, all other lines should be deleted. If malware is comming up, scan with Malwarebytes, Spyware Doctor or Stopzilla.This is not settings problem, this is malware problem in your case. I do not trust Spybots update frequency that much.

       
  235. colin
     

    i hope you guys get paid to run this sight thank you so much all this help was absolutely wonderfull u guys are heroes

     
  236. Will
     

    Thanks. Kaspersky TDSSKiller did the job for me. Btw. there are a couple of other little diagnostics that were useful to me & may be useful to others. Trying to get to http://www.google.com or other search sites with low-level utilities like ping & nslookup also did not work for me, though they had no problems with non-search sites. That told my problem was way down in dns resolution. That and the fact that utilities like malwarebytes & Hitman turned up nothing (or rather turned up a bunch of extraneous false positives), made it likelier that what I was dealing with was rootkit based & very well hidden, as it in fact turned out to be.

     
  237. Steven
     

    TDSSKiller did the trick! Thank you so much for this…you are a life saver!

     
  238. Matt
     

    Problem:
    Was experiencing the redirect problem, so I used lspfix on my Win7 machine. And now I am apparently connected to the iinternet but no web pages load at all. Is there a fix? I’ve used the net command to reset my connection but received errors.

     
    1. admin
       
       
      Post author

      Matt: what error message do you get? Check if there is proxy error (disable proxy server completely).

       
  239. sky
     

    @admin

    i’m using win7 andi only can open with notepad, i cant open as admin. i have right clicked but it doesnt appear run as admin, what should i do to solve the problem? i’m using mcafee and now the antivirus is not functioning well as the firewall keeping turning off even though i have tried many times to turn it on

     
    1. admin
       
       
      Post author

      Sky: Try creating another, admin user account on PC

       
  240. sky
     

    how to create another admin user account?i seem saw like got extra unknown user account but i am unable to delete it.is it possible to delete user account? can you please show me the steps? Thank you so much for your help

     
    1. admin
       
       
      Post author

      Sky: If you are in limited user account, you need help of someone that has access to administrative account. The good thing is that malware is likely to have infected your user account only.

       
  241. graham
     

    First of all, thanks admin, for putting so much work in helping people. Now, for my question: When i open hosts file, it asks me with what i want to open it, there’s a list of programs there including notepad, but i can’t right-click it to open as administrator. When i right-click it pretends nothing happened.
    Please reply.

    ps. I’m not that good with computers so you will have to explain it like i’m a three year old.

     
  242. Mike Lockey
     

    So I’ve done everything on here and the redirect still appears in Google. Incidentally, I don’t have any problems with IE 64 bit. But
    I can’t turn on Security Essentials and my services are altered to disabled.
    Hrrmmph – so what do I do now?

     
  243. Azalea W.
     

    My problem is I don’t even have a host file. I can open the etc folder but the host file isn’t in there at all. Everything is unhidden. Any help?

     
    1. admin
       
       
      Post author

      Azalea W.
      Typically, it should be here, it might be hidden as system file (make sure you see system files too). However, if there is no host file, then there is no problem related to it as well, so check other things too.

       
  244. Robero
     

    i was freaking out for a whole day!!!!!! thank you it fixed the problem i am so greatful, now i can do my research on google again. thanks again.

     
  245. Robero
     

    it worked then went back wont let me save it?

     
  246. Leisa
     

    I am having the same issue and have tried every step (scanned with multiple programs, edited host file, ran gooredfix, tdsskiller, etc) still being redirected, in all browsers, IE9, firefox, chrome. I am running Norton and it found nothing. I have used kapersky and it found nothing. I have cleaned with ccleaner, spybot, etc. Please help!

     
  247. J
     

    I have # ::1 localhost underneath mine – I am the only user on the computer and I can open the file. I delete it and it says I dont have permission to save it…. any ideas? Thanks

     
  248. J
     

    @J
    Sorry – its says access denied – not that I dont have permission

     
    1. admin
       
       
      Post author

      J: your hosts file is fine. This is for IPv6 protocol. Check other things in this guide and scan for malware.

       
  249. MMC
     

    I’m having major issues with my computer – and even though I’ve deleted the extra host files, it hasn’t solved anything. Done all the scans as suggested and yet I still keep getting redirected to the likes of Facebook Apps (Are YOU Interested, Gogobot, CityVille, etc) and my computer is running so slowly. Any suggestions? I’m running Chrome.

     
    1. admin
       
       
      Post author

      MMC: First, check and disable chrome extensions. Next, change DNS servers to google ones (read the guide). Also, scan with Hitman Pro, Spyware Doctor and Spybot S&D. For me, it looks like some sort of Adware, either toolbar or not.

       
  250. Melissa
     

    Thanks for all your detailed information. I have followed your steps up to step 8 (checked the proxy stettings, changed DNS servers to google ones (I think), checked the host file, disabled addons in firefox and ie, downloaded and ran Malwarebytes and Hitman Pro)… so far no luck. I have downloaded TDSSKiller but can’t get it to run. As per your other post, I’ve tried renaming it to xxxx.com also, but it still won’t run. Do you have any suggestions? Thanks for your help!

     
    1. admin
       
       
      Post author

      Melissa
      Weird. I would recommend Scanning with Alternate OS Scanner, like Aviras Boot CD. What error do you get while launching TDSS ?

       
  251. Melissa
     

    Ta. No error message, just the usual Vista permission thing (obviously I press continue) then nothing happens. I also scan with AVG (free version) each day. What is Aviras Boot CD? My computer knowledge is very minimal. Malwarebytes has a Windows popup type message about every 1 minute saying it’s bloked a malicious site, even when I don’t have a browser open (it does mention firefox.exe, which I’ve noticed sometimes runs in the background as a process even when it’s closed – I am always connected to the net though.) Thanks so much for you help – very, very appreciated!

     
    1. admin
       
       
      Post author

      Melissa : Aviras Boot CD is a software that has to be burned on CD. You instert CD in your disk drive and reboot, choose to boot from that CD. It might detect parasites that prevent detection while their run.

       
  252. Karen
     

    My desktop is fine by my laptop has this on it. I went on my desktop to research was this XP Home Security 2012 thing is and found this download but I cannot connect to the internet thru my laptop so how can I go on and download this to run?

     
    1. admin
       
       
      Post author

      Karen : XP Home Security 2012 is not google redirect virus per se. It allows executable downloads, and you should download and run first process explorer, then anti-malware program like spyware doctor to remove it. Or fake register it. Read more here : http://www.2-viruses.com/remove-xp-home-security-2012 and watch this movie : http://www.youtube.com/watch?v=15QrZkhGKB8

       
  253. Emily
     

    Hi,

    Thanks for this information.

    I realised I had this virus this morning and instantly download malwarebytes and ran a full scan. It picked up a huge number of bits and pieces (hadn’t scanned my PC in quite a while) but the problem persisted.

    I then found this thread and did everything you suggested. I had one extra line in my hosts file, the same as another poster that you said was harmless, which I deleted. I ran google again but the problem persists – except this time, with Malwarebytes installed, every time I click the link it returns me back to the search page and notifies me with “Successfully blocked access to a potentially malicious website 206.161.121.5 – Type: outgoing – Port: 52442 – Process: boom.exe (boom.exe is what I’ve had to rename Google Chrome, the browser I’m using, as when it’s called chrome.exe Windows refuses to load it and this was the fix I found on the net!)

    So does any of that mean anything to you?! What should I do next? I’m currently running another scan on malwarebytes but should I download another scanner too?
    I tried downloading and installing AVG but halfway through the install it said something about changes to Microsoft Office Professional needing to be undone before the install could complete. I recently installed a new version of MS Office so assumed I didn’t want changes to be undone so I clicked no and the install for AVG terminated. Help!

    Thanks.

     
    1. admin
       
       
      Post author

      Emily. This looks like malware infection, either plugin in chrome, or proxy, or attached to network connection or even in router.
      Scan first with TDSS killer (it requires no network).
      Then Hitman Pro. If this finds nothing, scan with Spyware Doctor or try Kaspersky trial.

       
  254. Emily
     

    A little extra info, don’t know if it will be helpful: it’s literally only clicking on the search results that is the problem. If I right click on the search results and copy the link and paste into the URL bar the real page loads no problem, with no redirection or notification from Malware Bytes.

     
  255. Emily
     

    Thanks for the mega quick response. Just ran Kapersky’sTDSS killer, found nothing. Will try Hitman – but I need to run into university for a practical now so won’t be able to update with results for a couple of hours! Sorry! Thanks so much though. If it was in router is it likely that my other housemates, using the same router and connection, would be affected too?

     
    1. admin
       
       
      Post author

      If they are not affected, it is not router. Look under plugins/extensions, also, download process explorer from microsoft and see what processes run (kill all except chrome’s from %application data%).

       
  256. Emily
     

    Quick update before uni: Ran HitmanPro. No change, problem persists. Will try the other measures you suggested when I get home. Thanks for your helps so far.

     
  257. Emily
     

    So I came back from uni and ran a couple of scans based on my boyfriend’s advice (computer guru).
    First ran Norton Power Eraser. Found some threats and deleted them for me. Miraculously I realised the redirecting had stopped. I assumed the virus had gone and carried on as usual. However between running NPE and realising the redirection had stopped I ran the Norton Online Scan and I suddenly remembered I hadn’t checked the results. Unfortunately this found 91 infected files. And I was finally informed of the name of the virus: ramnit.B.

    Google searches suggest the prognosis isn’t good! What do I do now?!

     
    1. admin
       
       
      Post author

      Emily: Get some decent antivirus, that detects the files as well. For example, get kaspersky trial (30 days free) and scan. Online scanners do not fix system and files.

       
  258. Lindsey
     

    I have this gnarly redirecting virus. Everytime I type “google.com” in Chrome, it pops up with Oops! Google.com cannot be found. I have tried SuperAntiSpyware, Malwarebytes, Microsoft Security Essentials, PC doctor, McAfee Home Security AND Hitman Pro. I did everything in your manual from checking my host files to checking add-ons and proxy settings.
    I am getting very very very frustrated for I cannot seem to get rid of this thing.
    I have ran everything in Safe Mode and normal mode…
    Any help would be appreciated.

     
    1. admin
       
       
      Post author

      Lindsey : This is not redirect problem, it is related to name resolving. What is your default search provider in browser? If it is something else than google or bing, then it is browser add-on/toolbar problem. Or this might be some sort of DNS problems (change your DNS to 8.8.8.8 and 8.8.4.4 ) /

       
  259. Jaime C
     

    I have used Combofix and it removed some stuff…I cant get on teh internet now.
    I am going to try your suggestions and get back here and post my comments/results.

     
  260. Laura
     

    Thanks – deleting the extra lines in the hosts file cured my problem. Unbelievably simple fix. two lines – one redirecting google, the other redirecting bing

     
  261. Matt L.
     

    Oh, I have problem. I was deleted the extra lines (my host file looks like your example), but the problem isn’t fixed. What can I do more? I use google chrome, and have windows 7 x64

     
    1. admin
       
       
      Post author

      Matt: Ensure that you saved hosts file in the right place, there are no parasites on PC by scanning with several tools (including TDSS killer), Then try to disable add-ons in browsers and proxy server.

       
  262. Matt L.
     

    Host file in right place, TDSS killer and others can’t find anything, but when I disable proxy server it helps. But my question is: disabling proxy server is safe? I’m asking because I don’t know much about computer science ;)

     
    1. admin
       
       
      Post author

      Matt: Disabling malicious proxy server is highly desired. Proxy servers are used for legitimate purposes sometime, but if you get redirected during search, then something was wrong there.

       
  263. Craig
     

    Thanks, sort-of. Host file fix easy but things stayed bad. Step 8 solved my problem with the root virus, guess I had tdss. The Malwarebytes download seemed to help. However I also tried Spyware Doctor (cost me $29.95) and while it started fine and after the initial scan said it had eliminated some additional issues, very soon it slowed my system down horribly. It also said AVG Free was in its way so I eliminated that. I next did the update it suggested, and then things went fast downhill. No matter how I tried its settings it slowed me to zero, caused hard crashes, etc. I finally after a day’s effort managed to remove it from the machine (I use XP) and I’m now fine (but being very careful). Any advice you can offer re why what you recommended locked me up so hard?

     
    1. admin
       
       
      Post author

      Craig: Use one antivirus only. SD works well with some antiviruses, not so good with others.

       
  264. Victor
     

    My daughter’s laptop was having an intermittent problem when searching with Google. She would complain that it would “redirect” to other websites. The thing is, it wouldn’t do it all the time. Again, it was an intermittent problem. Usually, whenever I’ve experienced a virus/malware on any computer, it would always take over completely. Those are easy to identify because it’s obvious to see what the problem is. This intrusion, however, is sneaky and does not show itself as boldly as other viruses or malware do. After finally experiencing the problem firsthand, I searched for “google redirect” and ended up at your site. I want to thank you for your detailed explanation of how to remove this nuisance!!! As per your recommendation, I began my removal process at Step #7, but it was Step #8 that did the trick. My daughter and I are thankful for your efforts! Please keep up the great work!!!

     
  265. gustavo
     

    Please i need help. The virus i have seems to be a little less severe. I can use the internet and everything is fine except when i use google and it sends me to weird websites. I have tried everything in this page. After conducting the kaspersky scan it said it had removed some threats, but the redirect still occurs. I dont know what to do. Also when i tried to find the host file i went to ect and everything, but i had no hosts file. . Pease help

     
  266. Joe C
     

    AWESOME.. TDSS Killer is my hero! so are you, Admin. Redirect Virus cured.

     
  267. leo
     

    mr/mrs admin… YOU ARE DA MAN/WOMAN. Thank you verry much. keep up the awsome work. With people like you we can overcome the stupidity that is/are hackers. Thanks again…

     
  268. Allison
     

    I did the steps, and now my computer connects to the LAN connection, but I no longer have internet access. So, I have no idea if it fixed the Google redirects, but now there’s a whole other problem. Is there any way to fix this.

     
    1. admin
       
       
      Post author

      Allison : make sure you have correct DNS servers and no proxy set up.

       
  269. Rick
     

    Had serious issues with hijacker, which started with the loss of my personalized google home page before expanding to constant hijacking. While researching the problem I found your site. I had already scanned with Webroot and Malwarebytes, and though both found and removed threats, I still had both problems. Since you recently seemed to recommend TDSS Killer most often, I downloaded and used it. TDSS Killer found and removed one threat, which totally fixed my problems. Thanks very much to you and TDSS Killer.

     
  270. Kat
     

    So I was using Google Image search yesterday, and the redirects started after that. It’s only happened twice so far (when I manually type in an address, it sends me to www youcansearch com). I’ve followed all the first five steps above, but everything was already set up as instructed; I had no changes to make (except my hosts file has all those Spybot entries, which I understand is O.K.?). My Malwarebytes scan didn’t turn up anything. I can’t find anything fishy in my registry editor (though I admit I don’t know too much about what I’m looking for).

    I’m afraid if I don’t nip it in the bud now, it’ll eat up my computer later. Is there another step I’m missing?

     
    1. admin
       
       
      Post author

      Kat : run tDSS killer, also check browser addons. Then scan with more anti-malware programs – it might be fresh parasite which is not in Spybot or MBAM db.

       
  271. Joe
     

    I am trying to track down why this one site (i built) does not go to the actual web address URL from any browser when clicking on the google search results. My host file is fine, proxies, etc look good. Any ideas. The site shows up first if you type mcgonigles as the google search term. Thanks.

     
    1. admin
       
       
      Post author

      Joe : your site is infected. It shows infected pages only if you click on search results. This is due malicious plugin in WP or other CMS you use. OR the server itself is infected. If you need help, ask admin. To reduce the risk, your url was removed from post.

       
  272. Joe
     

    Okay, thanks. It is odd though because I have a number of sites on that same server and none of them are behaving this way. Any thoughts?

     
    1. admin
       
       
      Post author

      Joe : which CMS you use for the site?

       
  273. Kat
     

    Thanks for the suggestion, admin! I ran tDSS killer, and everything came out clean. I ran Spybot, and it was clean. All my add-ons have been unchecked for some time except McAfee. The only other scan I have is McAfee, which is the suckiest of all sucky anti-virus. Is there anything else I should be doing?

     
    1. admin
       
       
      Post author

      KAT: Set DNS Servers to google or opendns ones. Scan with other tools than Spybot (for example, SuperAntiSpyware, Stopzilla (quite aggressive this one), Spyware Doctor). If there is an unknown trojan, these should identify its presence.

       
  274. chris
     

    @admin
    No matter if I use IE, Chrome or Firefox anytime I do a goggle search I get a message that says Oops! Google.com cannot be found. I can get to Bing or yahoo

     
    1. admin
       
       
      Post author

      Chris : this is problem in DNS chain. It can be either problem with hosts file, or bad dns servers or router/ISP issues.

       
  275. chris
     

    @admin
    So what do you reccommend I do?

     
  276. j
     

    I’ve right clicked on notepad but nothing happens. Is there another way I can run as administrator

     
  277. Mary
     

    For the past 3 days, I have been unable to access my credit union website. I’m receiving Error 7 (net::ERR_TIMED_OUT): The operation timed out. I can get to other websites without any issue. I’ve tried Firefox and IE as well….times out. I’m not very savvy with removal of anything. I have Norton Antivirus 360 v.06 and I’ve run it and it’s come out clean.

     
    1. admin
       
       
      Post author

      If one website is not working, then it is likely website issue and not a virus or malware. I would check proxy server and DNS Settings.

       
  278. Hugh
     

    Thank you very much for this article.

    My redirect problem was fixed after doing the following:

    - I have Windows XP.
    - Run Malware Bytes (completely free downloaded software) and removed 7 malware virusses on my computer.
    - Run Avast Full System Scan (completely free downloaded software)and removed 5 more virusses in registry files.
    - Right Clicked on the Hosts file and disabed “Read Only”
    - Then Right Click on the Hosts file again and open with Notepad.
    - Deleted any extra lines in the file that are not included in the screenshot above. I had to delete 2 lines containing Google and Bing with ip addresses.
    - Opened the TCP/IP properties and choose “Obtain IP address” and “Obtain DNS settings” automatically.

    Problems are gone and I can now access the internet again without the frustration of being redirected to spam sites.

    My wish is that the hackers / idiots / oxygen wasters who created these viruses are punished properly in some way or another during their lifetime!

     
  279. Mark Kucia
     

    I hav got the redirection rule from unknown source.Please help me to destroy it.

     
  280. schnookum cakes
     

    @Ramesh
    Dude! This root-kit link that you put on the thread saved my computer from all the cancers that were in it. I tried doing every single piece of advice I found. But this cleared the root-kit that had put a choke hold on my anti=virus software, preventing it from detecting the bulk of viruses that were embedded. Hugs*. Kaspersky

     
  281. Daniel
     

    I tried every steps mentioned, including all the virus/malware programs.

    But nothing changed.

    Then I go to the extreme, using ComboFix.exe. It manages to fix it.

    But the malware is coming back after a while.

    Please help.

    What should I do now(I d not want to format and reinstall my Windows)?

     
    1. admin
       
       
      Post author

      Daniel: Scan with anti-malware programs and get one with real time protection

       
  282. Daniel
     

    I’ve done that with various anti-malware programs.

    You just name it and I’ve tried them all.

    Nothing!

    Previously my search results will be redirect.

    But after using the ComboFix.exe, currently the redirect will show when I type wrongly an URL.

    What should I do now?

    I am almost giving up and going for the formatting and reinstalling.

     
    1. admin
       
       
      Post author

      Daniel : This is malicious setup in your browser (to use a bad engine for auto-repair wrongly entered urls)

       
  283. Daniel
     

    So what should I do? What is the solution?

    Please help.

     
    1. admin
       
       
      Post author

      Which browser do you use?

       
  284. Daniel
     

    I’ve 4 browsers,, I tried all of them. They have the same symptom.

    IE, FireFox, Chrome and Safari

     
    1. admin
       
       
      Post author

      If it affects multiple browsers, check your DNS settings too. And hosts file again.
      Then check http://www.technipages.com/firefox-change-address-bar-search-provider.html this guide for firefox.

       
  285. Daniel
     

    Done everything as instructed.

    Still no luck.

    Still getting redirected when typing an invalid url.

     
  286. Eric Schooling
     

    Read most of this site I have windows xp pro sp3. No file named “hosts” in windows\system32\drivers\etc folder. Show hidden files is checked and hide …file and ext is unchecked as well as hide operating systems files is unchecked Can I just create the file or do I realy need it Also there is nothing in Control Panel\Network Connections Norton keep coming up with Trojan..Zeroaccess!kmem\inf

     
    1. admin
       
       
      Post author

      Eric : The file is unnecessary in most of the cases and CAN be deleted. However, typically it exists on the systems (except if it is deleted in the past). Make sure you see system files as well. For double checking, try saving fresh, empty hosts file in the folder. If there are some sort of hosts file hijack, you will be warned that the file exists.

       
  287. Afterwalker
     

    I am not sure how to open the ‘hosts’ file in step 1 of your solution, as it has no file extension. Its icon appears to be a sheet of paper with the upper right corner slightly folded. I am using a Windows 7.

     
  288. Afterwalker
     

    I’ve figured out how to open the ‘hosts’ file in wordpad. (What an idiot I am)
    But I am unable to save my changes, and receive the following message:

    “You don’t have permission to save in this location.
    Contact the administrator to obtain permission.

    Would you like to save in the My Documents folder instead?”

    I am certain that my account is an administrator account; I even went to the control panel and checked.
    I suspect that a virus or some other kind of malicious software is somehow preventing me from making changes to my ‘hosts’ file.
    Any ideas what’s going on, or what I should do?

     
    1. admin
       
       
      Post author

      Afterwalker
      Press start button
      enter Wordpad, but do not press enter. Right click on it and choose open as administrator.
      Then in it open hosts file.

       
  289. Pam
     

    Suddenly google has been taken over! Can you explain the process for getting rid of this virus for Windows 7. It’s so new to me and I can’t even find the folders or the C drive in this unfamiliar control panel and other such stuff. Never realized how user friendly XP was until this came out. it seems my browswer has been highjacked and searches take me to these strange places. Your screen shots were great, but not the same for Windows 7. Any help you can give would be great. I have already run a few scans and it did not fix it. Thanks!

     
  290. Billy
     

    I’ve opened up the hosts file, but it looks nothing like the picture you have. It only has the IP address and “local host” on a single line. I’ve run multiple malware scans and found nothing. Any ideas? Thanks.

     
    1. admin
       
       
      Post author

      Billy: check other things too. redirects might be caused by any of these.

       
  291. Billy
     

    I have gone through pretty much all the steps you have listed and even tried to remove it manually (though I could not find a file that looked suspicious in the bootlog). What would happen if I deleted the “host” file and/or lmhosts SAM file completely? I am at a loss.

     
    1. admin
       
       
      Post author

      Billy: double scan with anti-malware programs. if hosts file is empty, make sure you are not infected. Or describe the symptoms more precisely.

       
  292. Aaron
     

    Thanks. I also did steps 2-5 and all of those settings were normal. I’ll work through the rest of the steps tonight to see if I can figure it out.

    I’ve already run Malwarebytes and SpyBot Search and Destroy with no luck. SpyBot was rather annoying and kept giving me windows saying something about a change to the regisrty key and asking if i should deny or allow the change.

    So far the search results are being redirected to other random crappy search sites.

     
  293. raigo
     

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a ‘#’ symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Ihave this , its ok ore not , tanx for help

     
  294. BeenThere
     

    Be careful looking at the hosts file. I have seen cases where everything looks normal in notepad, but the redirects are at the end of the file, preceded by a lot of blank lines so you do not see them unless you scroll down,

     
  295. w--smith
     

    This worked for me.
    Used all the various scanners listed in this site.
    Malwarebytes full scan found it as c:/windows/system32/tskillf.dll
    It was being launched by the task scheduler as a rundll32.exe program so hijackthis didn’t see it. The task scheduler is not checked by hijackthis or malwarebytes. it can be found in control panel. I removed the launch in scheduler by hand.
    I also ran cclean to wipe out my browers temp files , cookies , etc.
    It got in through firefox as a quicktime update messed up explorer7 , firefox and opera searches. Seamonkey was OK. I’m running windows xp pro.
    Thanks for pointing me in the right direction.

     
  296. margaretanderson
     

    i cannot get rid of AVG Resident Shield A lert please help me to solve this problem

     
  297. brianna81
     

    HELP!!! Started noticing redirects about 2 weeks ago but it was off and on, FB redirects to price grabber every time now.I have gone through as many steps as I can with my limited knowledge of computers. I do have a linksys router that was set up a long time ago when I used to have roommate. I no longer need this so I want to take it out and go back to using my local area connection. If I uninstall the program and plug the internet directly back into my pc will this take care of the problem?

     
  298. brianna81
     

    OK so I have successfully done all steps except for 7 and 8. I don’t even know what those two are about so I am going to wait for help before I try those ones, thank you in advance for helping me out:)

     
    1. admin
       
       
      Post author

      Brianna81: make sure you disable proxy in FF and disable plugins there as well.

       
  299. brianna81
     

    now I can access Facebook through internet explorer but not mozilla firefox, is that where the problem is? I’m so confused!!!

     
  300. brianna81
     

    chose “no proxys” for FF, but no change. I have disabled all add-ons on FF and internet explorer. Is this from using the Linksys? I can still access on internet explorer so far.

     
  301. brianna81
     

    why does this effect only Facebook?? or is it effecting other things and I just don’t know it? Is this something from a porn site??? if so I’m gonna kill my husband.

     
  302. brianna81
     

    thinking that linksys is the problem I’m trying to uninstall cisco home network/linksys and cannot. I can see cisco in my programs and features but when I select it I’m not given the option to uninstall, what do I do? I know i sound like an idiot, I just need help

     
  303. Eddiejiovanni
     

    @admin

    I now have the google redirect virus. In addition to it redirecting me to various web sites it also has disabled or removed my adobe flash. When I am able to go to website I constantly get an error message saying I need to download adobe flash. I just bought my computer a few months ago and adobe flash was already installed. I went ahead and redownloaded the flash twice and I still get the error message. Is there a way of fixing both problems? I did read what you previously posted above but the options still did not work. I am running windows 7 and it has attached/ attacked my Internet explorer 7. In addition whenever I put http://www.google.com in the address line it’ll will stall for about two minutes then say a page would appear saying I am not connected to the Internet. Even though I am. Pleaseeeeee help me out! I’m not very computer savvy but I will figure it out if you could give me some direction. Thank you very much …

     
    1. admin
       
       
      Post author

      Eddiejiovanni Do a full system scan with couple of anti-malware programs. In your case I would suspect trojan.

       
  304. Eddiejiovanni
     

    I’m sorry I am running Internet Explorer 9.

     
  305. saint_danielz
     

    Admin please help me :(
    I have done step 1. but I can’t find my host and host.bak
    There’s only lmhost.sam , networks, protocol, and services
    I’m a windows 7 user. please help meeee :(

     
    1. admin
       
       
      Post author

      saint_danielz
      Make sure you see hidden and system files. If the file does not exist (it is not there if you enabled seeing hidden and system files), then the problem is elsewhere. System can operate without hosts file, though there is one typically.

       
  306. saint_danielz
     

    I did show my hidden files and folders, but still there’s no host file.
    So where is the problem? what else should i check?
    thanks before

     
    1. admin
       
       
      Post author

      Go with other points too. Dont forget to scan with anti-malware program.

       
  307. Alyssa
     

    For the version I had, that infects Firefox, Malwarebytes found nothing, but Hitman fixed it.

     
    1. admin
       
       
      Post author

      Alyssa: MBAM works poorly with rootkit – based malwares, but works ok against some common trojans that cause similar problems. For some rootkits, we have good results with Spyhunter atm ( http://www.2-viruses.com/reviews/spyhunter )

       
  308. David McC
     

    I have also been hit with a Google Re-direct.

    It is only showing up in a user account and not in the Admin account.

    Host file is clean, the settings are as per the instructions above.

    I have run Kapersky’sTDSS killer and Malwarebytes.

    Suggestions?