How to fix Google Redirect Virus (browser hijacker) problem

 

Google redirect virus is a browser hijacker targeting google and other search engine search results and redirecting user to infected pages. These pages can be porn–related or full of advertising banners that make creators of this parasite money. Also, these pages  might force you to pay something or give away your bank account details. Thus Google redirect virus is quite dangerous.

There are couple different streaks of Google Redirect viruses, and some of them might need heavy scanning with reputable Anti-malware solution like NOD32 Antivirus, Kaspersky, Malwarebytes. Sometimes Google results Redirect virus even blocks reputable sites and it is tough to download automatic software. However, there are couple easy steps to solve less complex problems.

Note, that before trying to fix other things, you are suggested to scan and check if anti-malware programs can identify more precise reason of Google redirect hijacker. We recommend spyhunter, Hitman Pro for this task. You should always scan after performing all these steps as well, as doing anti-rootkit scan might reveal trojans that were hidden due to other infections. In some cases, rootkits will be detected and removed by anti-malware programs.

Basically, there two types of Google redirect viruses:

a) Hijacking search engine settings aka choosing which search engine to use. Your default search engine is named not google, yahoo, or bing, but something else. The first suspect is a plugin – based hijacker, though other cases are possible.

b) Hijacking results of the search engine when you click on them. Your default search engine is the same, but you get different results when clicking on them. The main suspect would be malware infection ( Step 6), but malicious proxy, dns settings, infected router and even hosts file are possible.

Steps 1-6 deals with regular hijacking of search results that are due to malicious settings or plugins. Steps 7 and above deal with malware infections that result in Google redirect virus symptoms and are more difficult to detect and fix. However, If any of antivirus programs are stopped from execution this means malware infection and you will have to scan your PC with anti-virus and anti-malware programs.

Step 1. Check your hosts file for malicious entries.
Hosts file resides on C:\Windows\System32\Drivers\etc\hosts
Windows hosts file location
Where Windows is your windows installation directory. Open the file with Notepad.

Note: On windows 7/vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so, On Win 7/vista do following:

  1. Press Start (or round button usually in bottom left corner and enter notepad. Do not press enter
  2. Right-click on the item in the list above
  3. Choose Run as administrator
  4. File->Open and browse to hosts file.

 

On Windows 8, enter notepad in search box or type right in the metro interface. Perform steps 2-4 like in Win 7.

Google Redirect virus symptoms might be result of malware adding malicious entries to this file and are removed easily as well.

Hosts file should look like this:
Windows hosts file

There might be line referencing ::1 as well. This is IPv6 local address and perfectly normal.  If you see more lines of code and IPs, you should delete these, especially if they rewrite google or Microsoft subdomains. This is a sign, that you either had or have infection on your PC, as this file can not be accessed remotely usually.

Step 2. Check DNS (Domain Name Server) settings

Domain name servers are used to determine what server to access when opening website addresses. Hijacking these settings would allow hijacking various websites including search ones.

1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
Local Area Connection properties

3. A window will open, then select Internet Protocol (TCP/IP) and click Properties.
Internet Protocol properties

4. You will see a window like the one below – this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically”.
DNS Settings
5. Click OK to save changes.

Step 3. Checking your proxy settings on Internet Explorer
Proxy server settings can be used to implement Google search result hijacking as well. This is simple to fix too:

1. Launch your internet explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings
Internet Explorer local area network settings
3. Unselect everything or enter parameters that were given by system administrator.
4. Press OK.

Step 4. (Optional) Check your proxy settings on Mozilla Firefox
1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open Network tab. Then, press Settings button.
Mozilla Firefox network settings
3. Select “No proxy” or enter parameters that were given by system administrator.
4. Press OK.

Step 5. Check your browser addons and reset your search settings in browsers

If your search engine changed to unknown one, you might have browser settings changer plugin or program. Typically, these programs will be detected in Step 6, but you will have to fix settings manually.

5.a. Check your IE add-ons and reset search settings
If your browser is hijacked in IE only, check IE browser add-ons. Note: there are malicious plugins that affect both IE and firefox and result in Google redirects in both of the pages. Before this step, make sure you clean your Control Panel from unknown, spammy looking programs.

  1.  Launch your internet explorer.
  2. Tools->Manage Addons
  3. Disable all unverified addons (there might be some useful ones, but better re-install them later).
  4. Delete all add-ons that look spammy/unknown
  5. Click arrow on the right of search box
  6. Do following: On IE8-9 choose Manage Search providers,  On ie7 click change search defaults
  7. Remove the unnecessary search engines from the list
  8. If settings revert after restart, you will have to do Step 6 and repeat step 5 again.

5.b. Check your Firefox extensions and reset search settings

  1. Press Firefox->Addons
  2. Go through list and disable all unknown or spamy addons.
  3. Repeat the same for Plugin list.
  4. Enter “about:config” in url bar. This will open settings page
  5. Type “Keyword.url” in the search box. Right click it & reset it.
  6. Type “browser.search.defaultengine” in the search box. Right click it & reset it.
  7. Type “browser.search.selectedengine” in the search box. Right click it & reset it.
  8. Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
  9. If the settings revert after browser restart, you will need to delete user.js from Firefox profile or/and perform Step 6 and repeat Step 5.

5.c. Check your Chrome extensions and reset search settings

  1. Click 3 horizontal lines icon on browser toolbar
  2. Click on Extensions. Review extensions there and disable ones you do not need.
  3. Select Settings
  4. Select Basics ->Manage Search engines
  5. Remove unnecessary search engines from list
  6. Go back to settings. On Startup choose open blank page ( you can remove undesired pages from the set pages link too).

Step 6. Scan for malicious parasites with spyware/antivirus removers:
1. spyhunter
2. NOD32 free trial

Step 7. (Optional) Repair Winsock 2 settings with LSPFix
Download LSPFix

Step 8. If you are still have search engine redirection, it might be tdss or similar rootkit

Although step 6 should detect majority of google redirects of that kind, sometimes it is useful to use a more niche tool. TDSS and Zero Access rootkits both cause redirection symptoms in some cases.
For this specific rootkit a remover can be downloaded from here : support.kaspersky.com/downloads/utils/tdsskiller.exe. Together with TDSS, it might be a sign of rivaling, ZeroAccess infection. Both these rootkits require dedicated programs for removal, and might require alternate OS scanners in worst case.

Step 9. It might be Cycbot infection
Cycbot is one of the trojans that result in browser redirects.
Typically, many of antiviruses and anti-malware programs like spyhunter detect Cycbot infection successfully. However, you might want to use our manual removal guide for Cycbot to identify and stop infection.

 

 
 
 

757 thoughts on “How to fix Google Redirect Virus (browser hijacker) problem

  1. jim jones
     

    I am getting google redirects. Spyware Doctor and MbA-M caught nothing

    I tried to my hosts file, but it would not open in notepad.

    Also, your sample is 1k and mine is 289k. Is that excessive. Also, I have a hosts.20090204-121117.backup file Sounds suspicious.

    thanks for any information.

     
  2. tooSavvy
     

    Hi

    I changed,(after show hidden files), the to read and closed 7 rebooted, returning to hide files again.
    From very slow & constant redirects >>> now none & supa fast, as usual. Either in SlimBrowser or IE ;<)

     
  3. Mark
     

    @admin
    I can open the file with notepad and see that there are several other lines of crap but how can I change the actual file “hosts” I can save it in etc as a notepad text document but how do I effect the actual file?
    Thanks for your help

     
  4. marianne
     

    Thank you so much for this, fixed the problem!

    Cheers!

    MArianne

     
  5. Jaycee
     

    THANK YOU! I’ve been trying for weeks to get rid of that stupid virus. Now my computer is working normally and I can access Safe mode again.

     
  6. johann
     

    my etc file isn’t in the drivers folder. Is it hidden?

     
  7. Jin
     

    @admin
    Can you explain a little more about vista. Because I have Vista and I delete the extra lines and try to save it but it won’t let me. Please help. Thank you.

     
  8. Jin
     

    My notepad looks exactly like the one on here (after I edited it) but this keeps happening. I have tried 4 different softwares so far, it hasn’t fixed it. My last option would be to reset my whole computer. Is there anything else I can do before going to my last option?

     
  9. Chaz
     

    Was getting Facebook logon redirected to Pricegrabber.com…..removed entry below the 127.0.0.1 Local Host entry and all was well again! Well done!

     
  10. David
     

    My Host file is not in the folder. I am running XP pro. Can I repelace it with and Host file ?

     
  11. Abdul Karim
     

    My hosts file in 374kb large… (lots of lines).

    i have the default localhost & 127.0.0.1 entry

    And after that I have these comments.

    # Start of entries inserted by Spybot – Search & Destroy
    ……
    ….& thousands of others….
    # End of entries inserted by Spybot – Search & Destroy

    I think it’s legitimate, and it’s spybot’s “immunize feature”. I ran spybot search and destry last night and the redirects have gone down significantly, however I spotted one redirect today. Which is annoying.

     
  12. David
     

    @admin

    I am having the same problem with the redirects – how to you check th e proxy server?

     
  13. Dinesh
     

    Thank you very much. Some virus has overidden the host file in my computer. Deleting that solved the problem.
    Thank you again.

     
  14. Randoph
     

    great stuff thanks!

     
  15. M'Rell
     

    Hey thanks this helped a lot!

     
  16. hannah
     

    Please help me. This virus has taken over my computer and I cannot do anything. I’m not very good with computers and really need some help to get it off. If anyone can help, please get in touch

     
  17. Nobita
     

    holy, my computer is at risk.
    i tried all of this but nothing works.
    i need a little help here admin.

    also this thing is appearing in my screen.
    “application cannot be executed.the file wuauclt.exe is infected”

    now how can i fixed my computer??

     
  18. anja
     

    I cannot open “notepad”. The virus doesn’t let me do that!
    What should I do?

     
  19. Seth
     

    I am dumping all my pictures and other stuff into another drive and buying windows 7 will I still have these antispyware soft issues? I also may reimage the XP OS back onto the original hard drive after moving most things to another drive. This antivirusspyware soft thing locks me out of control panel program list and add/remove programs.

     
  20. Anna
     

    The virus doesn’t appear to be too severe, as it only affects my search engines; however, I would like to fix it. Nothing significant was caught when I ran Norton so I tried looking at the host list. The only line after
    # 127.0.0.1 localhost is

    # ::1 localhost
    10.254.254.253 AFS

    Should that be deleted? And how do I open it with “administrator privileges”? I am trying to avoid downloading more anti-spyware and anti-virus programs. Is there anything else I can do?

     
  21. Chris
     

    I have a friend w/a Dell PC (unsure of model). She (or tech support) acciedentally downloaded Live Security Suite, and now we can’t get anything to work right. How do I remove LSS w/o wiping out the system, or her taking it and spending her life savings on getting it fixed or a new computer?

     
  22. rayan
     

    i m currently doing everything also ran spyware doctor but my browser ie8 keeps shutting down within one minute of launch. how do i fix this? of course i have the google search results redirection problem as well. can this be fixed atall?

     
  23. Chris
     

    I also have an Everex Stepnote Laptop that is very slow no matter what we do, and almost every time it is left alone, the screen saver “freezes,” and nothing works except to shut it down by the power button. Any suggestions?

     
  24. thewhodio
     

    Thanks! finally got this bloody redirect off my computer, I’ve been using bing for almost a year!

    Thanks again!

     
  25. x64-Vista
     

    … My Host File doesn’t have hardly any of the things in the ex:picture… ALL it has are things that the step says i should delete,,, it has google in the file and bing… With i.p’s

     
  26. x64-Vista
     

    I’ll try that if it works thank you soo much… im not good with computerz

     
  27. x64-Vista
     

    Umm there is no option to run as admin and it wont let me save? Help plz

     
  28. jcd
     

    @admin
    Do you need to reboot after removing the lines from the hosts file?

     
  29. jcd
     

    What worked for me was to disable all of the unverified add-ons in IE. Thanks!

     
  30. Hi
     

    When i try to change the Hosts File it wont let me i even ran Notepad as admin…

     
  31. jay
     

    Hello,
    My problem is the google redirect virus.
    I have xp I found the host file mine is 400kb is that normal? I see a loot of google files is it safe to just delete these and will they come back?

     
  32. jay
     

    After i delete the google stuff do i reboot or what?

     
  33. madge
     

    so ive read through alot of this. my hosts file looks nothing like that and it has only yahoo and google urls and no localhost one so i tried to delete them and put that in but it says unable to find. its not saved as a txt document and it wont let me change it and when i open notepad as admin the hosts file is absent when i go to the same spot. i also tried everything else on here and none of it did anything. p.s. i have vista

     
  34. Laura
     

    I have the “live security suite” rogue malware. Won’t let me do anything. I have tried to run several removal mbam, spybot, etc Everytime I try to run the downloaded file I get the following message “Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.” I am in safe mode with networking and signed on as administrator. I have tried downloading to fly drive and accesing it that way same message, I have also tried changing file name same problem. Went through steps to open notebook and won’t let me do that either any suggestions?????

     
  35. Jesse
     

    Nothing is working for me. I have been reading posts for the past few hours, and have removed viruses in the past, but this one is givin me a run for my money. I manually deleted the virus files themselves, but still cannot get on the internet. I have done everything listed on this page regarding proxies and whatnot, but still nothing. I have searched for the registry files, but being that I never actually clicked the virus to run a scan, I don’t have any to delete. I am at a complete loss. Computer works fine, just cannot get online in any way.

     
  36. Ty
     

    Thank you so much. My host file was the problem. It was completely rewritten and had and IP that was no mines and it keep repeating itself on every search engine. I just delete the whole thing but hosts is still there but nothing is on the notepad. I can use the search engines now but I will restart my computer and see if the host file will return back to normal. But so far the hijack is gone. Thank you so much.

     
  37. jerry
     

    wow soooooo good its working again after so much stress .. tried 4 different malware programs not even norton picked it up .. thank you so much for your step by step procedure without it i would never of figured this one out … i wanna kiss you

     
  38. Alexander Mains
     

    Ok I got this after I got AV Security Suite
    I did all of that and scanned with AVG and IObit Scanners but the problem wont go away on Firefox
    No proxies on either and auto DNS
    WHAT DO I DO!
    And you guys can protect the hosts file by putting it to Read-Only
    Found that out not too long ago

     
  39. Alexander Mains
     

    OKAY I will try…
    I looked at my Plugins and saw Pando…
    and I’m like “whats that” no info, no homepage, nothin… I disabled that (hopefully that works)
    I did have Spybot before and ill run it again as soon as I get it again…
    I’m also thinking about getting this Spyware Doctor cuz it seems useful

     
  40. Alexander Mains
     

    I did Spybot S&D and it found a ton of things(types were malware(c)and Security(c) and a couple hijackers from files in the registry) but somehow I’m still getting the hijacker in Firefox only(ugh). I really need to get rid of it
    and Yes I ran 1 scan,restarted and scanned again + my dad scanned on his account
    I’m going to try to scan and look over EVERYTHING
    Any suggestions…
    Links the thing is taking me to:(ADS SPREAD LIKE AIDS!)
    [We do not allow links to malicious sites to prevent infection of other readers]

     
  41. Alexander Mains
     

    Gah!!! I did all of that and I still have it!!! (and I have XP SP3 by the way)

     
  42. Alexander Mains
     

    I got spyware doctor and it is scanning right now
    Thank you for the help so far
    threats so far
    Tracking cookies-7
    Spywere Known bad sites-1
    Adware.Advertizing-1
    Adware.searchit toolbar-9 (oh gosh lost my place Its done)
    Trojan-Downloader.small.CML-6 (sounds like it)
    Hijacker.dospop_toolbar-30
    yeah thank you again for your help
    ill see if it still happens

     
  43. Alexander Mains
     

    … I lost all of that because my computer froze…
    I cant pay for it so I guess I just have to do another scan and remove manually…
    I didn’t know you had to pay for it… oh well atleast it got the location of it

     
  44. Alexander Mains
     

    Thanks for the help I got it off but I think there’s still more…
    I still get it but I don’t care not as many now AND! it just goes to google instead of the ads
    YEY!

     
  45. Don C
     

    Just got done resolving a redirection — and worse – problem which was caused by a problem with our router.

    The virus/Trojan had changed router setting to direct DNS searches to their web address. They returned bogus address.

    Look into your router settings to make sure you’re settings have not been messed with. We ended up Restting the router to factory settings and reinstalled the router.

     
  46. Mark
     

    I have windows 7 and just got the virus/trojan myself. However, I cannot open ANYTHING. Not even task manager. I can open programs in safe mode, but how do I remove it from there?

     
  47. James
     

    The issue with facebook redirecting to say pricegrabber isn’t always a virus or malware.

    Linksys routers are sometimes the culprit…a fix that may help for some people (specifically using linksys wrt160n or any other linksys router).

    Network Connections > Right click your connection > Properties > Select TCP/IP > Properties > Set your DNS manually (see below for what DNS servers).

    To determine the DNS servers to input here: Get to CMD Prompt > IPCONFIG /ALL > You will see 2 IP’s under the DNS Servers section > Enter those 2 numbers in the TCP/IP DNS configuration.

    I use OPENDNS, which is configured on the router and now manually set in the tcp/ip, and have never once seen this facebook redirect occur again.

     
  48. anthony
     

    i have the google redirect problem (xp),have tried all the the advice,but still have the problem,in the host file its only has 127.0.0.1 local file, nothing else,could this be the problem?

     
  49. Bhakti
     

    Hello.. Emmm I dont know when “Security Master AV” was downloaded in my PC.. After that at regular intervals i get pop up windows asking for healing the viruses and buying the software.. I want to delete the above program/software.. Its really annoying.. Can u pls help!
    Regards
    Bhakti

     
  50. JABAD
     

    Mine is only redirecting Google chrome, not IE. Will the same steps above work? Is there something else I should look at?

     
  51. JABAD
     

    Reset to defaut? There is no proxy enabled, so that is OK.
    I checked add-ons and see nothing that looks too bad. I disabled three that looked unfamiliar and nothing changed. Should I disable all add-ons?

     
  52. Ramesh
     

    Google web redirection is due to virus infection. Especially Rootkit infections.
    Try to run TDSSKILLER from KASPERSKY LABS.

    http://support.kaspersky.com/downloads/utils/tdsskiller.exe

    For more information,
    Visit the site

    http://support.kaspersky.com/viruses/solutions?qid=208280684

     
  53. ecosseman
     

    Download “Dr Web” (free). ‘Quick Scan’ identifies System32 HOST file. Restore original …bingo!

     
  54. leo
     

    ok when i open up my Hosts file i have right uder 127.0.0.1 Local Host a ::1 localhost do i have to delet that host or what and i have windows vista how do i get to my local network

     
  55. Alexander Mains
     

    Hello again all 😀
    I am back for help
    …Still have the virus redirect
    Has any way changed to get rid of except the Rootkit thing (which I am doing now)?

     
  56. Alexander Mains
     

    okay I did rookit and no more google but I did get pop-ups and I cant access some sites

     
  57. Alexander Mains
     

    and erm how do I check my router settings (XP, service pack 3)???

     
  58. Alexander Mains
     

    I did rootkit and Spyware Doc and rootkit got 8 or 9 things out of it
    How can I check the IP and Gateway? :/

     
  59. Rocki
     

    I got my laptop as secure as I can. Runs Win7, has kaspersky 2010 Internet security suite as well as malwarebytes. My browser redirect (facebook -> pricegrabber) problem was down to what James said. No viruses or spyware were reported, even checked hosts file. I did have ::1 Localhost which is also a valid entry.

    Have to thank James for his tip on DNS settings as that has done the trick. And the router I am using? WRT160N. Arrrgh!

    Admin: I think you should change your original post and point to what James has said if one does not find any of your suggested issues.

     
  60. fran
     

    I have in my hosts/etc file:

    127.0.0.1 localhost
    ::1 localhost

    Should I delete the :: localhost?

     
  61. Luigi12345851
     

    It happens to me no matter what search engine I use and the only add-ons installed in IE are 3 Java ones.

     
  62. Alexander Mains
     

    No redirects! :-)
    Thanks a ton

     
  63. Trenton
     

    Please help I did everything listed and it’s still redirecting me with every search engine and both firefox and IE. :(

     
  64. Lucas
     

    Hi, my friend has a Dell laptop, running Vista. The virus is Security Suite and seems to have infected lots!
    Please could you explain the above (in a more dumbed down version) she can’t afford to send her laptop to be repaired.
    I was thinking of downloading the spyware to my hardrive and then installing it on her pc, but won’t the virus spread to my hardrive?
    Thanks for your help!

     
  65. Jim
     

    Thanks for the great article.I had the hijack virus.Not only that it was blocking my spybot S&D andother malware programs from even running.I went tru all the steps but have to say #8 was the one that found & fixed the problems..
    Thanks again..

     
  66. Freeforce
     

    Has anyone had to deal with this with Chrome yet?

     
  67. Edintrouble
     

    I have downloaded AntiSpy Safeguard on my computer; I want to remove it but I have no clue. Can you please help me

     
  68. Edgar Manukyan
     

    I tried almost any available malware, spyware, rootcleaner, etc. software, but the only thing that helped me with this annoying Google search results redirects was editing the host file. One should enable file extensions from folder options, then copy the host file content (the desired clean content) into notepad, save it with “hosts.txt” file name, then delete the old hosts file with let’s say Unlocker and finally delete .txt extension from your created file and voilà you have new nice and clean hosts. Hopefully this will work for you.

     
  69. Edintrouble
     

    Please help me about that

     
  70. syn
     

    do i have to connect to internet when checking on the host file?

     
  71. syn
     

    the host file ending with

    ::1 local host

    it is alright then? if nothing wron with the host, how can i removed the antispy safeguard? im not good in safe mood.
    i did install tdsskiller.exe, but the scan doesnt detect anything. the spyware doctor detected some malicious file but i can removed those files unless i buy the full version. is there another way?

     
  72. need
     

    ok I did steps 1 and 2 but i cant do three! help!

     
  73. JC
     

    I worked on three computers that had this same problem:
    Windows 7:
    I logged in as another (administrator user and ran MS Security Essentials, then logged back into the infected side and turned off the Proxy server setting:
    Internet Explorer -> Tools -> Internet Options -> Connections tab
    LAN settings button: clear all the check-boxes. (Do this even if you do not have another user login). The proxy server was checked only in one out of 3 machines I helped with.
    Find the AppData folder of this user (with infection) and delete two *.bat files and the *.exe file in the AppData folder.
    Windows Server 2003 (similar to Windows XP):
    Find the Application Data folder for the user (under Documents and Settings and delete any *.exe files there and the *.bat files.
    NOTE: You might find EXE files in the AppData or Application Data folders that belong to Google, Adobe etc. If you see any UNINSTALL programs there run them and then take out all remaining files. (I don’t think these are essential programs.

    Find the TEMP folder of the User’s folder and delete all the files there. The EXE file that generates new names is there. It is called by the BAT files o do this. The one I found is ‘e.exe’.

    Good Luck and let’s hope FBI catches those who gave so much misery to people are caught, fined and jailed for the rest of their lives. (It’s not hard to find them, FBI)

     
  74. Kristen
     

    Hey! I had this same problem and got tricked into getting the free version of AntispySafegaurd! But Just simple Compture Restore saved mine. Just set it back to a time before you used the spyware (I set mine to a month back even though I only had this problem for a week) Its very Simple and now my compture works fine.
    Good Luck!
    P.S. AntiSpySafe Gaurd WILL try to restrict this. But just click the “Continue UnProtected” until it allows you.

     
  75. Sara
     

    i need help, im very confused

     
  76. Ali
     

    Thank you so much! I tried everything. I searched everywhere. NOBODY helped me. All it took was the notepad trick. You’re awesome!

     
  77. Ali
     

    I lied. I thought it was fixed but after leaving you that comment I went to google search again and the same stupid redirect happened. Help?

     
  78. Kaitlyn
     

    I have done the above steps. My host file has no other lines other than what you say should have.

    I am still getting fake microsoft alerts. My google search on this problem gets redirected, using firefox.

    I have followed the steps on this website http://www.2-viruses.com/remove-fake-microsoft-security-essentials-alert and found nothing. Also rebooted my pc with aoss scan http://www.pctools.com/aoss/ and scan with malware byte but it found nothing.

    After all these, I am still getting fake microsoft alerts :( what else can I try? I downloaded spyware doctor but I have to pay for it. Is there any other free software that I can use?

     
  79. Tim
     

    I love you guys, just thought I would tell you. TDSS killer and the Malwarebytes totally cleaned my computer and got rid of this and other problems. Thankyou for making my life so much easier.

     
  80. Brian
     

    After wasting time using many different anti-virus apps this was the one thing that worked! Thanks

     
  81. Pingback: What is Google Redirect Virus?

  82. Sebrina
     

    I have thinkpoint have no idea how it got on my computer. I have norton and it says nuthin at all is wrong. I’m runnin windows 7 & I need to know how to get it off it won’t let me online or on anything really I got the task manager to work and that’s the only way I can get online and I have to use my safari cuz it won’t work with explorer it got on my comp last nite somehow and I need help removin it before it gets too bad oh btw was on the phone with a lady from compaq for 3 hours she did nuthin to help she just tried to sell me a recovery disk for $30 :( plzz help me I know nuthin about these things

     
  83. Jon
     

    @admin
    This sounds exactly like the virus that I have on my other computer. Not sure if you are familiar with “youcansearch com” but I keep getting directed to that site whenever I try to use another search engine. I have used Malwarebytes Anti-Malware, but nothing seems to show up. In searching on how to get rid of it, I found a site that told me to delete all the files under the etc folder (… ). Here, you say to delete only specific lines from the host file. Can I do either?

     
  84. Jon
     

    Assuming that the virus is not in that location, what other locations do you recommend that I can check?

     
  85. Jon
     

    I will be sure to check everything. Thanks for your help!

     
  86. Tram
     

    Hi, so I know that you said that in order to save the host file you’re supposed to open it as the administrator. I know for a FACT that I am the administrator, but I still cannot save the host file. I always tells me to “contact the system administrator” and then it tells me to save it as a text file in my Documents. What should I do?

     
  87. Tram
     

    Yes I believe I am on Vista. But the thing is, when I right-click on the host file, the “open file as admin” is not available. It just goes straight to “open” and then asks me what format I want to open it as. Since I am not really computer savvy, how would I change this?

     
  88. randy burns
     

    Hi…I have read thru all your fixes…even tried kasperspy…I did a fresh install of windows and STILL have the redirect….i have tried all the programs….avg.malware.super.adaware…a list of em and they find nothing…any suggestions?….it is IE and firefox not just one…thanks so much

     
  89. Jason
     

    Hi, I had the redirect virus and I did your fix steps and now i don’t get redirects anymore, which is great, thanks. (however, my hosts file was perfectly in tact.)

    The problem I am still having is that every time I open my internet browser (either IE or firefox), usually after restarting my computer or waking it from sleep mode, my proxies are changed and my internet becomes unusable.
    Something keeps changing my proxy settings to “Manual Proxy configuration:” (on firefox, for example) and I have to change it to “no proxy” every time if I want to use my internet. What would be causing this and how would I fix it?

    Thanks.

     
  90. Jason
     

    EDIT: It seems to be the act of opening the browser that re-sets the proxy settings to the setting that won’t let my internet work (Manual Proxy configuration)…. if that helps??

     
  91. Jason
     

    I just scanned with TDSS Killer and there was no problems. Also I checked my Device Manager under Non-Plug and Play Drivers and there was no TDSS there. I have done approximately 20 scans, including scans with many different types of trusted scanners (including the ones you recommended) as well as boot scans and scanning in safe mode.

    However, every time I open my browser my proxies are changed. My hosts file is fine and unchanged, my DNS settings were originally changed, but since my fixing them they haven’t changed back (unlike my proxy settings). What could be causing this? It’s very annoying and it is slowing down my computer quite noticeably.

    Thanks again.

     
  92. Jason
     

    EDIT: I just reinstalled Firefox. Now whenever I open my browser (either IE or Firefox) my proxy settings are unchanged! So I guess the virus was affecting some sort of Firefox file itself? I don’t know… Does this mean the virus is gone? or..?

     
  93. CPHelp
     

    @Seth
    Ok, to do this correctly, select sll the things you want to keep, and right click, and look for an option that says: Scan with [your virus protection if you have one] and scan, then move to disc.

     
  94. shashi
     

    I download but I dont know how to fix it help me.

     
  95. Rachel
     

    I downloaded spybot and ran a search. I am no longer redirected to spam sites from google searches but I still cannot open firefox. I opened the wordpad host document and there was nothing unusual. I went through all of the other steps as well, except changing firefox’s settings, because I cannot open it.

     
  96. Rachel
     

    Actually I am still being redirected.

     
  97. Rachel
     

    Malwarebytes caught nothing. Spyware Doctor found things but because it is the free trial, I cannot do anything about it. I will try Hitman Pro and Superantispyware. Could this infection also be disturbing the connection between my computer and printer or is that an unrelated problem?

     
  98. Rachel
     

    I used Hitman Pro and Superantispyware. Both of them found things and deleted them, but I am still being redirected. On the upside, firefox now opens. Its proxy settings look fine.

     
  99. anon
     

    I been reading through you article and avg and malwarebytes dont pick up the virus of rootkit. Whenver i visit a legit site to download himan pro or superantispyware my mozilla firefox freezes. i heard about it might be a router issue or i should use tdsskiller

     
  100. anon
     

    thanks tdss killer did it then i used malwarebytes to scan. =)So do recommend changing the password on my router and which anti virus/malware/spyware product that in the future can get rid of problems likes this.

     
  101. Marc
     

    I had this issue and it turned out the dns settings had been hijacked.

    I returned them to google’s dns servers (8.8.8.8, 8.8.4.4) and everything is happy now.

    I don’t think any malware removal tool will find this.

     
  102. anon
     

    ty admin for the help

     
  103. greg
     

    YOU are a god among men i love you you saved my computer experience thank you !!!!!!!!!!!!

     
  104. will
     

    the antivirus software alert wont let me open my host file. i found it but it wont let me open it. what do i do?

     
  105. Marshall
     

    i have the antivirus 2011 and i have followed instruction concerning the hosts site, etc. I have downloaded spydocter but unable to execute. What next

     
  106. Laurens
     

    I just had the same problem. Malwarebytes and G-Data found that csrss.exe, dwm.exe and conhost.exe were all infected by a Cycbot.AC Trojan Horse. Gladly, NOD32 ESET just released an update TODAY where they counter this Trojan:
    http://www.eset.com/threat-center/threatsense-updates (see Virus Signature update 5698). So, I recommend using NOD32.

     
  107. PengSwen
     

    My computer had been redirecting me to infomation-seeking.com ..im using window XP pro.so is there any difrences in steps?

     
  108. codey
     

    I installed the program, but the system won’t let me launch it. What do i do?

     
  109. Jordy
     

    I have ”security shield” and i think thats a virus.
    How does it go away ?
    Caus e my whole comp doesnt do it, cause then a ”security shield” browser comes

     
  110. Shyenne
     

    I’m trying to follow this site, & in my eyes it’s complicated. i have no idea what i’m doing. i’ve never had a virus.

     
  111. Carl
     

    “Oh my god, no way” and “Congratulations, you won” audio will be heard along with re-directs when going thru Google links (especially this web site). The problems may not occur for 15-30 minutes, but they will return and are extremely random.

    Downloaded Malware did get rid of alot of problems and I did all of the other steps herein however…..no luck. By the way, this particular computer does not have a “hosts” file in the “etc” path. Strange.

    I’m gonna “bite the bullet” and re-install XP. Spending more than 2 hours trying to fix a goofy mal-ware problem is stupid. I’ll say one thing – whatever web-sites sponser these malware products should be shot.

     
  112. Carl
     

    No worries. I guess I didn’t do “everything”. I ran “tdsskiller” (as suggested). It found 1 problem and “cured” it and…….horrah. No more google re-directs, browser kills, and funny audio. Here’s hoping this problem has gone away forever.

    Thanx for the information – beats having to re-build.

     
  113. Carl
     

    Do you mean like “Malwarebytes”? Or are you referring to something else?

     
  114. Carl
     

    I scanned with Malware and got nothing; SD still reports 5 items:
    Application.TrackingCookies
    Tracking.TrackingCookies!Rem
    Adware.Advertising
    Spyware.Known_Bad_Sites
    Spyware.TrusyHound!Rem

    Also, there are several processes that seem strange. They are:
    DLACTRLW.EXE
    PDVDDXSRV.exe
    ITMRTSVC.exe

    I believe the first one (DLACTRLW.EXE) is causing multiple processes (with the same name) to be born. When they occur, silly sound bytes (as previously mentioned) are heard. They seem to come up randomly.

    However the Google re-direct no longer occurs after TDSSKILLER was run.

    I suppose what I still don’t know is exactly which Malware is one the PC. Does any of the above info help you in making that determination? Also, to kill those Malware items, is there something that is free that will do it? I’m a little cheap and don’t feel like paying the $30 bucks.

     
  115. Carl
     

    Thanx for your help. It appears the “dlactrlw.exe”, which found its way into the “startup” registry key, was the culprit. After removing that entry, everything seems to be fine. The folks who own this pc will be checking to see if any re-occurrences continue.

     
  116. Amber
     

    I think i’m having the worst problem with my lap top I can’t access anything not my control panel the internet none of my antiviruses or anything….Basically all I can do is turn it off and on…..do you know how I can fix this???

     
  117. Amber
     

    ok….what do you mean by good configuration in boot menu after force shutdown would be an option…Idk to much about computers….

     
  118. Nicco
     

    I has my system attacked by antivirus8… bought spyware doctor and antivirus. Ran the software and removed malicious items it notified me of. HOwever. I can not get my MOZILLA FIREFOX TO LAUNCH. When i go to lauch i get

    “About internet Explorer Emergency Mode” box to pop up and it tells me that malicious software has infected my PC and the browers can’t be launched. I have uninstalled and reinstalled both Internet explorer and Firefox and I still keep getting this error message.. HELP..

     
  119. Alex AAA
     

    unbelivable in the add ons…. thanx a ton

     
  120. Kebap
     

    I disabled IE7 addon “Research” and now I don’t seem to get redirected any more (have to test longer though, because it did’t happen each time anyway…) Thanks for the great guide! :)

     
  121. Billy
     

    I had “Security Shield”. Removed it with CCcleaner, RKill and Malwarebytesantimalware. Then Google’s been directed to Findgala. C.WINDOWS>System32>Drivers>etc> all files are there, except HOSTS file is missing. Used Spyware Doctor, found: RogueAntiSpyware.WindowsSecuritySuite(13 infections), Trackware.Tracking Cookies!rem (24 infections), Adware.Advertising (10 infections), Spyware.TrustyHound!rem (1 infection), Application.TrackinfCookies (15 infections). Spent 3 days trying to get rid of findgala to no avail. HELP..

     
  122. Billy
     

    Ran TDSS killer as suggested. Took 22 seconds and result was no infections found. In-depth scanned with NOD32 Anti virus, no objects found infected. Did step 2 to 9, except step 7 (‘coz it’s optional) and step 1 (‘coz couldn’t HOSTS file). Still redirected to findgala. Am I missing something here? I start losing hope here…@admin

     
  123. Billy
     

    Ran everything again. Malwarebytes antimalware: no malicious objects found. Hitman Pro: caught IExplore.exe as a threat, contains a high amount of malware related properties and it’s a potentially malicious software. Should I delete or quarantine this? A friend told me to just change the google bar from the right-hand side drop down menu and choose “Find more providers”? Emisoft Anti-Malware is still scanning as I type now. Checked several times C>WINDOWS>System32>drivers>etc>…, the HOSTS file (with no extension) is not there. There are only 5 files in etc folder: HOSTS.bak, lmhosts.sam, networks, protocol, services. And the worst part is most of the times I turn on my laptop in normal mode, it always freezes and I can only use it if I switch to Safe mode with networking. How do I know there’s a problem with my router and what did you mean by semi-whitelisted browser toolbar? I’m very dumb when it comes to computer stuff..@admin

     
  124. Billy
     

    Located the file, it turns out to be Rkill program (the Icon says IExplore). Opened hosts.bak in Note pad:
    127.0.0.1 localhost
    ::1 localhost
    How do I create an empty hosts file? How can I find the hidden hosts file?

     
  125. Billy
     

    When I tried renaming .bak file to without extension, a message box poppe dup saying if I change the file extension, the file will be unusable, so I saved same content of hosts.bak as file without extension, and the file type is text document. What else needs to be done?

     
  126. Billy
     

    I copied hosts.bak and tried renaming it into hosts without extension, it asks me if I want to rename it to hosts(2), because there is already a file with the same name in the location. Does this mean the hosts file is already there, but it’s hidden?

     
  127. Billy
     

    Mine is Vista. Opened Control Panel>Folder Options>View tab>clicked on show hidden files and folders. Then checked the etc folder, still doesn’t show hosts file without extension.

     
  128. Billy
     
     
  129. Tawni
     

    so how to i get to ‘hosts’ because it won’t let me click on it without closing again and bringing another security shield warning…?

     
  130. techmanDj
     

    combofix fixed mine.

     
  131. Chuck
     

    I have done everything found on this forum with very itte resuts. After the Windows Performance Manager downoaded itsef onto my computer I ceaned most of it up by searching for unusual programs. I found and deleted the files called cvfgtm.exe and bktgrk.exe. These files apeard to be AVI files. After deleting these files my computer was restored to mostly norma operation. I then used AVG free and IObit 360 to scan again and removed a few bad files. But I wanted to make sure I had all the virus removed so I searched and found this site. As I downoloaded the Spyware Doctor, AVG 2011 also downoaded. Both these files appeared to be maicious viruses and has completley destroyed my computer. I have worked my way back little by little and have just about cleaned up the mess.

    But I have one problem left that I can’t get fixed.When I try to open Notepad in Administrator, it refuses my pasword. Also, Internet Exporer opens only somekind of “Emergency Mode” and refuses to let me open any page except the microsoft.com page that contains the Windows Performance Manager and other viruses.

    Can you help me get my internet going again?
    Thank you

     
  132. joe
     

    is stopzilla any good?

     
  133. Sascha S
     

    i had this problem too,
    it was a self reinstalling local proxy.
    files(therms) to search in registry:

    Temp\csrss.exe (dont delete anything where path starts with %system… ususally with Temp\csrss.exe you would not even find something starts with %system…)

    data\dwm.exe (not renameable because running, so needs deleted in registry)

    data\wins.exe (rename you will find the path in registry)

    data\conhost.exe (Start > run > msconfig > systemstart > uncheck conhost)

    —- export registry first DONT delete keys just remove values —-

    After restart you will find out (because your internet works only for certain webpages ) that your system LAN-Settings where set to use Proxy for LAN…
    so go to

    Start > Control Panel > Internet > Tab Connections > Button Lan settings > uncheck use Proxy.

    that was it for me, hope it helps someone.

     
  134. Sascha S
     

    ah yes that was for win xp sp 3

     
  135. elena
     

    where can I find the add-ons in IE? and what is IE?
    Thanks

     
  136. tony
     

    ok ive read this page and it didnt help my google redirects my host files are fine i cant find a tdss thingy i cant download things either it just keeps asking what program would i like to choose to open file and when choose it just does it again my spywaredoctor didnt pick up anything but now i cant even open that my processes seem fine my proxy is disabled so im just going to save money and buy new com btw i using ie8 i believe

     
  137. phnatduppf
     

    Have trawled various forums, manually hacked away at the superfluous, used malwarebytes’ anti-malware, superanti-spyware, sophos anti-rootkit and unhack me, tried disabling javascript, checked dns, hosts, and proxy settings, and scoured the filesystem for dozens of the usual suspects. My search results still redirect me almost unswervingly towards a goingonearth version of whichever result i’ve clicked. Likely point of infection was mj1.exe and mj2.exe though not sure of where they originated. Close to initiating a total re-install but refuse to be beaten, now 8hrs in and need to sleep. D

     
  138. phnatduppf
     

    Cheers for reply,
    all addons are those i installed and none of my anti-* scans flag them.
    Online through t-mobiles web’n’walk mobile broadband and a 3g huawei dongle only use firefox but checked and IE has same issue on my first use of the program.
    What is being referred to when i click a search result? How is it unique only to this action, not downloads or intra/inter-site links, also appears yahoo is unaffected whilst bing and google are. D

     
  139. phnatduppf
     

    Problem appears solved,
    first ran rkill.exe (found grpconv.exe),
    then kaspersky’s tdss killer (found sptd.sys),
    then mbam,
    then hitmanpro (found sapi0.dll).
    So far (>20 searches) no redirects. D

     
  140. James
     

    Am stuck at step 1 – how do I save the corrected host file (I don’t see where to “open with admin priveleges on my home PC).

     
  141. Tim
     

    Step #8 cleared up my computer. Thank you so much!

     
  142. Marg
     

    Hi,

    My google direct virus means that all the web browser open up in Chinese – and it appears to be a porn site. This happens for both IE and Mozilla and also appears in Yahoo if I try to search. I have read all the following information and no-one has mentioned Chinese characters. How can I fix this problem?

    Many thanks

    Marg

     
  143. Moon
     

    I’m stuck on step 1. I opened the host file in notepad and it’s empty. what does that mean?

     
  144. Moon
     

    I’ve run rkill and malwarebytes. I deleted a bunch of trojans. Now I can’t seem to get my wireless router to find my wireless network. what can I do?? please help!

     
  145. Moon
     

    One last question – is zitui.exe a virus? i don’t know what it is and I’ve never seen it before.

     
  146. I’m having trouble opening my file as a note pad. It won’t open at all, I did everything I can, including “Running as Administrator,” nothing seems to work. Please E-Mail me and help me out. I really wish to get this program out of my computer.

     
  147. ethan
     

    I cant open my host files it wont let me and ive tried moving malware anti malware by a usb drive but it still wont let me open it

     
  148. drew
     

    This goes out to the maker of this virus im trackn you and i will get you its nice in CALIFORIA cant wait to see you

     
  149. robin kinsella
     

    it keeps poping up i can not do nothing on my cumputer

     
  150. Ben
     

    I Can’t find my host file and it won’t let me run notepad as Administrator doesn’t work either, im running Windows 7 64bit Please Help.

     
  151. jonlee
     

    this is my host what should i remove.
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to computernames
    # (NetBIOS) names. Each entry should be kept on an individual line.
    # The IP address should be placed in the first column followed by the
    # corresponding computername. The address and the computername
    # should be separated by at least one space or tab. The “#” character
    # is generally used to denote the start of a comment (see the exceptions
    # below).
    #
    # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
    # files and offers the following extensions:
    #
    # #PRE
    # #DOM:
    # #INCLUDE
    # #BEGIN_ALTERNATE
    # #END_ALTERNATE
    # xnn (non-printing character support)
    #
    # Following any entry in the file with the characters “#PRE” will cause
    # the entry to be preloaded into the name cache. By default, entries are
    # not preloaded, but are parsed only after dynamic name resolution fails.
    #
    # Following an entry with the “#DOM:” tag will associate the
    # entry with the domain specified by . This affects how the
    # browser and logon services behave in TCP/IP environments. To preload
    # the host name associated with #DOM entry, it is necessary to also add a
    # #PRE to the line. The is always preloaded although it will not
    # be shown when the name cache is viewed.
    #
    # Specifying “#INCLUDE ” will force the RFC NetBIOS (NBT)
    # software to seek the specified and parse it as if it were
    # local. is generally a UNC-based name, allowing a
    # centralized lmhosts file to be maintained on a server.
    # It is ALWAYS necessary to provide a mapping for the IP address of the
    # server prior to the #INCLUDE. This mapping must use the #PRE directive.
    # In addtion the share “public” in the example below must be in the
    # LanManServer list of “NullSessionShares” in order for client machines to
    # be able to read the lmhosts file successfully. This key is under
    # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
    # in the registry. Simply add “public” to the list found there.
    #
    # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
    # statements to be grouped together. Any single successful include
    # will cause the group to succeed.
    #
    # Finally, non-printing characters can be embedded in mappings by
    # first surrounding the NetBIOS name in quotations, then using the
    # xnn notation to specify a hex value for a non-printing character.
    #
    # The following example illustrates all of these extensions:
    #
    # 102.54.94.97 rhino #PRE #DOM:networking #net group’s DC
    # 102.54.94.102 “appname x14” #special app server
    # 102.54.94.123 popular #PRE #source server
    # 102.54.94.117 localsrv #PRE #needed for the include
    #
    # #BEGIN_ALTERNATE
    # #INCLUDE \\localsrv\public\lmhosts
    # #INCLUDE \\rhino\public\lmhosts
    # #END_ALTERNATE
    #
    # In the above example, the “appname” server contains a special
    # character in its name, the “popular” and “localsrv” server names are
    # preloaded, and the “rhino” server name is specified so it can be used
    # to later #INCLUDE a centrally maintained lmhosts file if the “localsrv”
    # system is unavailable.
    #
    # Note that the whole file is parsed including comments on each lookup,
    # so keeping the number of comments to a minimum will improve performance.
    # Therefore it is not advisable to simply add lmhosts file entries onto the
    # end of this file.

     
  152. Julius
     

    You are the best! I have been working on this damn thing all week. The rootkit tdsskiller did the trick! Symantec and Malwarebytes didn’t pick it up.

     
  153. Esthefany
     

    I am so confused! I can’t get this to work for me at all. :(

     
  154. NakedGuy69
     

    This worked for me.

    Just make sure guys that when you’re about to edit the host file, “read only” is UNCHECKED in the files properties.

    And if you are having problems with overwriting the file, double click it when you are saving.

     
  155. bidita
     

    the xpantispyware 2012 has blocked all d important files including dis file nd i can,t open it neither can i make it run dus ne1 has d idea hw 2 fix ds problem????????????

     
  156. Ed
     

    Hosts files are fine and DNS setting and Proxy too – downloaded all (Malwarebytes, Spyware doc, even the special remove antispyware) in safe mode with networking but every time I want to run them, Vista Spyware message appears and blocks them. Can someone help?

     
  157. BigL
     

    @Julius

    Thank you from RDU (Raleigh-Durham NC)! The rootkit tdsskiller did the trick!

    With 12 years computer/network experience — this Malware got me good! Wasted 4 hours of my life!!!

     
  158. JustME
     

    Old hacker trick—mark the hosts files to read only…and if you use WinPatrol
    (the free version is fine) it will show you the hosts file within the application and also everthing running.
    AND it warns you if something writes to the startup
    http://www.winpatrol.com/

     
  159. Dale Anderson
     

    Thanks for this information. This virus was causing me all sorts of headaches.

    Now if I could get my hands on the person who put the virus on my computer in the first place, that would be a nice feeling to have. :)

    Cheers, Dale

     
  160. Denny
     

    I beat Vista Fix It and Google Redirect

     
  161. David B
     

    My hosts shows a ::1 under the ip addy. Should this get deleted? When I try and save it says cannot create to C:\Windows\system32\drivers\etc\hosts, Make sure path and filename are correct. I am pretty sure I am logged in as admin… Ran AVG antivirus which found nothing. Just would rather exhaust all options before i go downloading and installing 14 different malware products. Thanks.

     
  162. Michael
     

    When I open my hosts file on windows 7 with notepad, the document that opens is blank. Why is that?

     
  163. Tyler
     

    Thank you this guide. all the responses to questions really helped my knowledge on this subject. i checked my addons in Firefox and found “XUL cache.” i removed it and the redirects seem to have stopped. I read somewhere that this addon can somehow get back onto my browser. Is there something that i can do to make sure that i’m in the clear?

     
  164. Melisa
     

    Just wanna say thank you. The instructions totally solved my problem! Really saved me a lot me trouble. Thanks a lot!

     
  165. Shokc
     

    @Hi
    To save host file as admin, windows 7, even if you are the admin right click on host file go to properties, under security tab, select user and edit – Select all boxes under Allow. This will grant permission to save the file.

     
  166. Shokc
     

    Will let you save the host file.

     
  167. Raj
     

    Just removing the following entry from my hosts file did the trick.
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Thank you very much!!!!

     
  168. Jackie
     

    @Shokc
    I can’t update the hosts file it won’t let me open it or change the user properties so all users can edit. I can’t download the spyware (*any of them) from the internet as the virus has blocked access to them. I can’t even access the internet settings to change proxy settings…it just says can’t access contact your system administrator. Please help I can’t do anything on my PC and this virus is so fr*king annoying!

     
  169. SamieJ72
     

    Reboot your computer in safe mode and delete the following file in the following folder. Fixed my redirect problem like a champ!!

    File: api-ms-win-core-memory-l1-1-032.dll
    Folder: C:\Windows\SysWOW64

     
  170. CDA Rescue
     

    Unhack me is a great program for removing most of the malware. Been doing the virus removal since 1991 and have to say this program has made life so easy.

    http://www.greatis.com/unhackme/download.htm

    Just fixed some malware entries in my host file.

    Also combofix works well, just be careful with it.

    http://www.bleepingcomputer.com/download/anti-virus/combofix

    Worried about the fake viruses? try WOT for your browser to let you know of potentially dangerous sites.

    http://www.mywot.com/en/download

     
  171. itguy
     

    The TDSKiller program did the trick for me…thank you!

     
  172. Justanotherdude
     

    tdsskiller.exe is the one. I think that should be bumped up to Step 1. :)

    Thanks for the help.. just glad that I finally got rid of it.

     
  173. SubZerQQ
     

    for those of you that are having problems editing host file. I highly recommend HostsXpert v4.4. A free program for managing your host file. get it here:
    http://www.funkytoad.com/index.php?option=com_content&view=article&id=13&Itemid=31&28d444df85eb4f435055ed9d39c02f03=d315773113eab5e724959c494ea17358

     
  174. Pingback: Is malware payment gateway shutdown the end of Fake AVs?

  175. frozo
     

    I edited my host file but to no avail and tdsskiller.exe resolved my issue. Thank you.

     
  176. Zoey38
     

    my host file doesn’t look like that it looks faded and it won’t let me save it i have also tried running as administrator

     
  177. Wendy
     

    I’m trying to do step one, and my computer wouldn’t let me ‘access’ or save my changes. I noticed extra line that ‘i think’ should be removed, ::1 localhost. How can I let the hosts file save my deletion>

     
  178. Wendy
     

    BTW, I’m on Window’s Vista – how can I open the ‘host’ file with admin. privelages?

     
  179. Wendy
     

    Got it. Figured it out!

     
  180. Chris
     

    The hosts file suggestion solved the problem that Lavesoft and Ad-Aware didn’t catch this one. Thanks for being awesome.

     
  181. Xinci
     

    Thank you thank you! I had to do quite a bit of research for an important paper I’m working on and the problem was hidering me greatly. I followed your instructions and it worked! It was some trojan programs that were quarantined in my virus protection but they were still causing problems. I’m very grateful :)

     
  182. gsly
     

    Thank you very much this worked very well. I appreciate your assistance

     
  183. Pingback: Dedicated 2-viruses » Fake BBC videos are used to trick PC users on Facebook

  184. Dave
     

    Just wanted to say thanks for the information. My IE has had the same problem as most people have had lately. I had tried about 10 Spyware tools and none found the problem, so I downloaded and ran tdsskiller.exe from Kaspersky. I ran it and the program found 2 files BMLOAD and tcpipBM which it removed and now IE works as it should when I select something from a google search.

    Now to find a fix for why my active window deselects itself after about 25 seconds and I have to click on the window to continue doing whatever.

     
  185. Dave
     

    Hi ya Admin.

    I just found what was causing the active window deselection. I recently installed Kies for my Samsung phone. I went through and ended the windows processes that weren’t directly related to windows 1 at a time until it stopped. It was KiesPDLR that was somehow causing the problem. Thanks again for your help.

     
  186. Jen
     

    Great info, unfortunately I’m still having issues.
    Step 1: I modified the hosts file to match yours
    Steps 2 & 3: settings were fine
    Step 4: N/A
    Step 5: I disabled all non-Microsoft addons
    Step 6: I ran Spyware Doctor. It found a high threat and a medium threat. I was surprised that I had to pay $30 to fix these, but I decided that the $30 would be well worth the fix. This didn’t do the trick though.

    When we go to Google & Bing the bottom bar says “waiting for Google.com” and the page just never loads. Yahoo loads, but we can’t search, the searches don’t load. The control key isn’t working properly, I can’t copy and paste using control commands.

    I didn’t continue with steps 7, 8 or 9 because this computer belongs to my parents and I ran out of time. Any advice??

     
  187. Marc
     

    Step #1 was the fix for me. It worked. But before that, I’ve scanned my laptop running Vista Basic Edition with Adaware (free edition) from Lavasoft. I’ve been using Adaware since 2001. I’ve used also CCleaner (free edition) to scan/fix registry entries + stop suspected processes. Both are excellent tools for free. Finally, I’ve uninstalled several “suspectful” third party software using another free tool: Revo Uninstaller. This utility isn’t just uninstalling the software but also offer to clean the registry table of ANY occurrence of the software you’re uninstalling. Then apply the fix proposed here otherwise the malware if not remove previously will keep re-installing itself.

    I can now enjoy ALL the Google / Yahoo searches again.

     
  188. Helen Wood
     

    Thanks! I have been having a nervous breakdown over this and your advice is the first that actually got me anywhere.

     
  189. Whitley G
     

    I have tried everything. It keeps bringing up Data restore with every error message possible. Please help me I’m not very computer savy and I really need this to work for school…Thank you

     
  190. train42
     

    Step 4 worked for me, but as I understand it, the automatic setting of proxies still has fake information somewhere, right? How do I fix this to get rid of the problem completely?

     
  191. Lisa
     

    I have followed your instructions but I still get redirects to stuff like blendersearch. What can I do?? There is nothing in my hosts file that is abnormal. I ran the tdsskiller and it doesn’t detect anything.

     
  192. Pingback: ZeroAccess Rootkit - how to remove

  193. Lisa
     

    @ admin:

    I have disabled browser addons. As for the DNS server settings, I have both IPv6 and IPv4, and they are both set to “Obtain an IP address automatically”. I have uesd Malwarebyte and it did not detect anything of the sort.

     
  194. Cody
     

    Well I troubleshot all these steps and noticed that all my settings are like that suggested. My internet regarding the proxy settings, however, does not have a proxy port. The only browser I have is Google Chrome. I have a redirect virus that when i click on a trusted site, it stops at a blank screen, pauses, loads then stops and changes the website. It takes me to sites like dictionary sites with “Suggestions” I use an entirely outdated 2005 Media center edition PC so everything isn’t far from Win98.

     
  195. Lisa
     

    @ admin:

    Yes there are others but they use Macs. I read on this page that Hitman Pro would require payment in order to remove/clean anything? Malwarebytes detected stuff a couple days ago. I followed your steps and tried the Malwarebytes again, and nothing shows up. I have just checked with Hitman Pro and Tracking Cookies as well several Malware/Trojans showed up. What should I do?

     
  196. Lisa
     

    @ admin:

    Sorry, I did not see that there was a trial. :) What should I do if the redirect problem happens again and I don’t have the trial option for Hitman Pro anymore? I don’t have the funds to purchase a decent antivirus program or anything in that category for that matter. :( Will let you know of my computer progress after reboot.

     
  197. Lisa
     

    @ admin:

    Hitman Pro did the trick for me, so I believe. :) I have not been redirected after reboot. Thank you so much for your help and guidance for future prevention! 😀

     
  198. Tim Milligan
     

    Here is what I have found with my laptop and google redirects. There is a copy of MS Internet Explorer running in the background. This appears to be related to the redirects. When I rename my IE folders so it will not run and kill the running copy the redirects stop. When I put the folder name back. The IE background process will reappear and the redirects will start again.

     
  199. Tim Milligan
     

    I should also say, since IE is disabled I use Firefox or Chrome. Both of which also had the redirects.

     
  200. jimmy
     

    Your the best whomever listed the things to do to get rid of the redirct virus….thanks

     
  201. Ryan Critchett
     

    Hate this. I’ve had this problem multiple times, did all of the above fixes, and it changed nothing. Something was still delivering both the fake antivirus program and the redirects in Google, to the machine. Even went as far as to reformat the machine. Then, upon entering dns and static ip info, the machine got infected again. BUT, the server machine (which was really just another computer acting as a server) was not infected. We scanned that thing thoroughly. ODD and extremely stealth, these things are.

     
  202. jose rey
     

    browser is redirecting lines in google searches

     
  203. jose rey
     

    how can i eliminate google redirect

     
  204. amit
     

    i have a problem with the cursor it is not stable may be it is due to some virus, pse suggest me how to repair it.

     
  205. Pingback: Dedicated 2-viruses » Keygenguru and other crack websites should not be trusted

  206. Pingback: Trojan.DNSChanger - how to remove

  207. Pingback: TDSS rootkit - how to remove

  208. pedro
     

    thanks a lot i erased the whole host file cause it gave me no option to modify whwt was on it in fact there were two extra lines one for google and the other for bing after delection the hidden virus cant redirectme anymore. i tried everything before unsuscesfully:system restore,antivirus scanning resseting internet explorer, windows search. etc etc, even listing the page risksearch net on the restricted sites button dint work completely cause even it tried to connect unsuscesfully but redirectme from the right results. i was about to switch the hd, but i found your help online and it worked, thanks

     
  209. Al
     

    I have something called searchqu that got in my computer with a music download today. How do I get rid of it. It has taken over as my home page and search engine! Thanks

     
  210. ada
     

    I changed hos file but wont save it saiys it is read only please help

     
  211. ada
     

    host file is invisible unless I open I copy an dpaste address C:\Windows\System32\Drivers\etc\hosts. When I paste it to search box it asks me what program to use I dobn’t have an option to run as admin
    If I open notepad file I can right click and run as admin, BUT when I open host file and delete bottom section I can not save bcs it is read only.
    I hope that makes sense to someone :(

     
  212. ada
     

    @pedro
    How do you delete host file . I can not find it unless I copy and paste C:\Windows\System32\Drivers\etc\hosts to search box and then access is denied . Is there any other way of deleting it.

     
  213. mcryan
     

    I have located the HOSTS page & opened in notepad, however, after the 127.0.0.1 localhost I have loads of others all with the same number but different name. Do I delete all of them?

     
  214. trail
     

    I can’t seem to run KasperSky. Google redirects me to cc search sometimes(I’m on google chrome). When downloading, my internet connection gets cut off and I had to restart the computer. Any idea what I should do? I tried opening host, nothing suspicious. Checked proxies and DNS settings also nothing.

     
  215. Unknown
     

    If you cant remove Malware on your own, stop being cheap and take it to a pro. Nuff said!

     
  216. Mike
     

    I have been getting the Google redirect since yesterday. I scanned with Malwarebytes and found nothing, I cannot even open Norton 360, not even with Task Manager, and running TDSSkiller twice found nothing. I have gone through my host file, found no extra info there, and I checked my proxy settings; one thing was checked and I unchecked it. I went back to the proxy settings later and it was still unchecked. What can I do to remove this virus?

     
  217. Mike
     

    Spyware Doctor found some low-risk stuff, mostly tracking cookies and a couple of different advertising adware. I’m not in a position to purchase the full version, though, so I couldn’t remove it. I still can’t open Norton but I did check my DNS settings, everything was set on automatic and I didn’t know what the Google DNS settings were so I left them alone. Hitman Pro spent five minutes looking for an internet connection before aborting the scan. I do not know why it did this, as I was able to access the internet fine during the search.

     
  218. Mike
     

    I ran SuperAntiSpyware as well, removed several tracking cookies but I did not resolve the redirecting problem. I also retried the TDSSkiller and it still found nothing. Is there another antivirus or antirootkit program that might help remove this?

     
  219. Greg
     

    Ummm… Hi every time i click on a link in google or any other search site it redirects me to a ramdon Porn Site. i can avoid this by coping the direct link into the serch bar but its a pain doing that all the time.Ive use spyware doctor
    And it only found cookies and one medium RogueAntiSpyware.Antivirus360 and that has nothing to do with my browser or somthing like that But please help me!!

     
  220. Lulu
     

    I’m so frustrated with this redirect virus in firefox. I run winxp and have TrendMicro who, surprise surprise, didn’t stop yet another virus from taking hold. I ran malaware bytes and it found 2 reg key trojans and one infected folder. I deleted all 3 then when back in and double checked everything over again. Still i’m getting redirected. Any other suggestions or if someone finds a solution please let me know. Thanx

     
  221. Lulu
     

    Oh update. I think I know what the culprit is. It’s this babylon search engine I caught it’s name in the “jump” when it was redirecting me. Now if I can find out how to get rid of this I may be ok. Any help appreciated since this is one of the only sites that acctually gets past the redirect. 😀

     
  222. Lulu
     

    @Lulu
    Great news!!! I went to Microsoft’s website and D/L the microsoft emergency response cleaning tool. After many failed attempts by malaware, spybot, trend, and even Hitman nothing removed it. I then called microsoft and they directed me to this. It is a free d/l for windows users. Ran one scan took about 4 hours restarted pc and viola. redirect gone. Hopefully this will work for some one else 😀

     
  223. Matt
     

    Hi,
    I have been having this redirect problem for a few days now and could really use some help. I don’t get redirected every time I click a google link, but occasionally I do and will have to try many times before I actually get through to the requested site…I followed all the steps (all of my settings and folders were already how this guide says they should be) and have done full computer scans with AVG, Malawarebytes, Microsoft Malware Removal tool, and the Microsoft Security Scanner, and the TDSS killer suggested on this page and found nothing. (AVG and Malaware found 2-3 Trojans the first time I scanned, but they all seemed to be unimportant crap that didn’t effect my redirect problem when I removed them). Any Suggestions or Ideas? Please help me out!
    Thanks in Advance.

     
  224. Elliott Bettman
     

    two (and a half) words..

    Get..A..MAC. I have Minor trojan problems but as long as I don’t execute and delete it’s all good. Linux is BOMB proof but user unfriendly

     
  225. Sarah Thompson
     

    Hey admin, I tried everything you said on this page and everything’s fine. The only problem is that i still have this annoying redirect virus going…. any help please?

     
  226. Rebecca Ldj
     

    My computer took a turn for the worse today. After much digging and grueling trying to find out what it was – my two biggest clues of my search engine searches being redirected and music/radio/ads playing in background and the help of my secondary computer – it came down to a virus. I bought norton, ran malwarebytes and ran spybot S&D as well as TDSSKILLER….and then ran all the checks you listed here. I am still having issues. Any ideas?

     
  227. Joe
     

    My hosts file seems to be hidden, all I can find in the etc folder is lmhosts.sam, which looks exactly like one hosts file posted by a reader that you said was clean. Do I need to find the actualy hosts file and check it? How do I find it if it’s hidden?

     
  228. Joe
     

    Update: The first thing I ran was ad-aware in safe mode+networking, which found several items, including trojans. I still had the redirect problem and ran kaspersky tdsskiller, which found something and removed it. Then I ran malwarebytes which found one infected file that looked like a really old keygen for some app. The problem seems to be resolved but I am still curious about my hosts file, why I cannot find it even when I select “show hidden.” I would like to check my hosts file just to be sure, as I said I can only find lmhosts.sam which looks clean.

     
  229. Tom
     

    I was having this issue but only in IE. Ran MalwareBytes, Hitman Pro, Spybot, TDSS Killer etc etc. Nothing was finding or fixing anything. I tried using Dr. Web (free version) and it found a Trojan. Once deleted the problem seems to have been fixed :)

     
  230. Tom
     

    I deleted Dr. Web but from what I recall it was not an exe file. It was a .dll file in C:\Windows\SysWow64 folder

     
  231. Tom
     

    I found the log file.

    C:\Windows\SysWOW64\msimmsg.dll infected with Trojan.MulDrop3.19698

     
  232. Doug
     

    I tried to delete the extra IPs and files in the hosts file, but when I’m done and go to close the window I’m not able to save it – I’m not actually deleting the multiple lines of IPs permanently. The file is in read only mode. How do you save the new host file once all the junk has been deleted? thanks

     
  233. Doug
     

    @admin
    I’m on XP. What is cmd & attrb -r? I’m definitely not as technicallogically advanced as you!

     
  234. Sher
     

    Spybot Search & Destroy found Security Defender and says it fixed the problem, but it didn’t. It keeps coming up. Should I have an extra line in hosts – localhost name resolution is handled within DNS itself?

     
  235. colin
     

    i hope you guys get paid to run this sight thank you so much all this help was absolutely wonderfull u guys are heroes

     
  236. Will
     

    Thanks. Kaspersky TDSSKiller did the job for me. Btw. there are a couple of other little diagnostics that were useful to me & may be useful to others. Trying to get to http://www.google.com or other search sites with low-level utilities like ping & nslookup also did not work for me, though they had no problems with non-search sites. That told my problem was way down in dns resolution. That and the fact that utilities like malwarebytes & Hitman turned up nothing (or rather turned up a bunch of extraneous false positives), made it likelier that what I was dealing with was rootkit based & very well hidden, as it in fact turned out to be.

     
  237. Steven
     

    TDSSKiller did the trick! Thank you so much for this…you are a life saver!

     
  238. Matt
     

    Problem:
    Was experiencing the redirect problem, so I used lspfix on my Win7 machine. And now I am apparently connected to the iinternet but no web pages load at all. Is there a fix? I’ve used the net command to reset my connection but received errors.

     
  239. sky
     

    @admin

    i’m using win7 andi only can open with notepad, i cant open as admin. i have right clicked but it doesnt appear run as admin, what should i do to solve the problem? i’m using mcafee and now the antivirus is not functioning well as the firewall keeping turning off even though i have tried many times to turn it on

     
  240. sky
     

    how to create another admin user account?i seem saw like got extra unknown user account but i am unable to delete it.is it possible to delete user account? can you please show me the steps? Thank you so much for your help

     
  241. graham
     

    First of all, thanks admin, for putting so much work in helping people. Now, for my question: When i open hosts file, it asks me with what i want to open it, there’s a list of programs there including notepad, but i can’t right-click it to open as administrator. When i right-click it pretends nothing happened.
    Please reply.

    ps. I’m not that good with computers so you will have to explain it like i’m a three year old.

     
  242. Mike Lockey
     

    So I’ve done everything on here and the redirect still appears in Google. Incidentally, I don’t have any problems with IE 64 bit. But
    I can’t turn on Security Essentials and my services are altered to disabled.
    Hrrmmph – so what do I do now?

     
  243. Azalea W.
     

    My problem is I don’t even have a host file. I can open the etc folder but the host file isn’t in there at all. Everything is unhidden. Any help?

     
  244. Robero
     

    i was freaking out for a whole day!!!!!! thank you it fixed the problem i am so greatful, now i can do my research on google again. thanks again.

     
  245. Robero
     

    it worked then went back wont let me save it?

     
  246. Leisa
     

    I am having the same issue and have tried every step (scanned with multiple programs, edited host file, ran gooredfix, tdsskiller, etc) still being redirected, in all browsers, IE9, firefox, chrome. I am running Norton and it found nothing. I have used kapersky and it found nothing. I have cleaned with ccleaner, spybot, etc. Please help!

     
  247. J
     

    I have # ::1 localhost underneath mine – I am the only user on the computer and I can open the file. I delete it and it says I dont have permission to save it…. any ideas? Thanks

     
  248. J
     

    @J
    Sorry – its says access denied – not that I dont have permission

     
  249. MMC
     

    I’m having major issues with my computer – and even though I’ve deleted the extra host files, it hasn’t solved anything. Done all the scans as suggested and yet I still keep getting redirected to the likes of Facebook Apps (Are YOU Interested, Gogobot, CityVille, etc) and my computer is running so slowly. Any suggestions? I’m running Chrome.

     
  250. Melissa
     

    Thanks for all your detailed information. I have followed your steps up to step 8 (checked the proxy stettings, changed DNS servers to google ones (I think), checked the host file, disabled addons in firefox and ie, downloaded and ran Malwarebytes and Hitman Pro)… so far no luck. I have downloaded TDSSKiller but can’t get it to run. As per your other post, I’ve tried renaming it to xxxx.com also, but it still won’t run. Do you have any suggestions? Thanks for your help!

     
  251. Melissa
     

    Ta. No error message, just the usual Vista permission thing (obviously I press continue) then nothing happens. I also scan with AVG (free version) each day. What is Aviras Boot CD? My computer knowledge is very minimal. Malwarebytes has a Windows popup type message about every 1 minute saying it’s bloked a malicious site, even when I don’t have a browser open (it does mention firefox.exe, which I’ve noticed sometimes runs in the background as a process even when it’s closed – I am always connected to the net though.) Thanks so much for you help – very, very appreciated!

     
  252. Karen
     

    My desktop is fine by my laptop has this on it. I went on my desktop to research was this XP Home Security 2012 thing is and found this download but I cannot connect to the internet thru my laptop so how can I go on and download this to run?

     
  253. Emily
     

    Hi,

    Thanks for this information.

    I realised I had this virus this morning and instantly download malwarebytes and ran a full scan. It picked up a huge number of bits and pieces (hadn’t scanned my PC in quite a while) but the problem persisted.

    I then found this thread and did everything you suggested. I had one extra line in my hosts file, the same as another poster that you said was harmless, which I deleted. I ran google again but the problem persists – except this time, with Malwarebytes installed, every time I click the link it returns me back to the search page and notifies me with “Successfully blocked access to a potentially malicious website 206.161.121.5 – Type: outgoing – Port: 52442 – Process: boom.exe (boom.exe is what I’ve had to rename Google Chrome, the browser I’m using, as when it’s called chrome.exe Windows refuses to load it and this was the fix I found on the net!)

    So does any of that mean anything to you?! What should I do next? I’m currently running another scan on malwarebytes but should I download another scanner too?
    I tried downloading and installing AVG but halfway through the install it said something about changes to Microsoft Office Professional needing to be undone before the install could complete. I recently installed a new version of MS Office so assumed I didn’t want changes to be undone so I clicked no and the install for AVG terminated. Help!

    Thanks.

     
  254. Emily
     

    A little extra info, don’t know if it will be helpful: it’s literally only clicking on the search results that is the problem. If I right click on the search results and copy the link and paste into the URL bar the real page loads no problem, with no redirection or notification from Malware Bytes.

     
  255. Emily
     

    Thanks for the mega quick response. Just ran Kapersky’sTDSS killer, found nothing. Will try Hitman – but I need to run into university for a practical now so won’t be able to update with results for a couple of hours! Sorry! Thanks so much though. If it was in router is it likely that my other housemates, using the same router and connection, would be affected too?

     
  256. Emily
     

    Quick update before uni: Ran HitmanPro. No change, problem persists. Will try the other measures you suggested when I get home. Thanks for your helps so far.

     
  257. Emily
     

    So I came back from uni and ran a couple of scans based on my boyfriend’s advice (computer guru).
    First ran Norton Power Eraser. Found some threats and deleted them for me. Miraculously I realised the redirecting had stopped. I assumed the virus had gone and carried on as usual. However between running NPE and realising the redirection had stopped I ran the Norton Online Scan and I suddenly remembered I hadn’t checked the results. Unfortunately this found 91 infected files. And I was finally informed of the name of the virus: ramnit.B.

    Google searches suggest the prognosis isn’t good! What do I do now?!

     
  258. Lindsey
     

    I have this gnarly redirecting virus. Everytime I type “google.com” in Chrome, it pops up with Oops! Google.com cannot be found. I have tried SuperAntiSpyware, Malwarebytes, Microsoft Security Essentials, PC doctor, McAfee Home Security AND Hitman Pro. I did everything in your manual from checking my host files to checking add-ons and proxy settings.
    I am getting very very very frustrated for I cannot seem to get rid of this thing.
    I have ran everything in Safe Mode and normal mode…
    Any help would be appreciated.

     
  259. Jaime C
     

    I have used Combofix and it removed some stuff…I cant get on teh internet now.
    I am going to try your suggestions and get back here and post my comments/results.

     
  260. Laura
     

    Thanks – deleting the extra lines in the hosts file cured my problem. Unbelievably simple fix. two lines – one redirecting google, the other redirecting bing

     
  261. Matt L.
     

    Oh, I have problem. I was deleted the extra lines (my host file looks like your example), but the problem isn’t fixed. What can I do more? I use google chrome, and have windows 7 x64

     
  262. Matt L.
     

    Host file in right place, TDSS killer and others can’t find anything, but when I disable proxy server it helps. But my question is: disabling proxy server is safe? I’m asking because I don’t know much about computer science 😉

     
  263. Craig
     

    Thanks, sort-of. Host file fix easy but things stayed bad. Step 8 solved my problem with the root virus, guess I had tdss. The Malwarebytes download seemed to help. However I also tried Spyware Doctor (cost me $29.95) and while it started fine and after the initial scan said it had eliminated some additional issues, very soon it slowed my system down horribly. It also said AVG Free was in its way so I eliminated that. I next did the update it suggested, and then things went fast downhill. No matter how I tried its settings it slowed me to zero, caused hard crashes, etc. I finally after a day’s effort managed to remove it from the machine (I use XP) and I’m now fine (but being very careful). Any advice you can offer re why what you recommended locked me up so hard?

     
  264. Victor
     

    My daughter’s laptop was having an intermittent problem when searching with Google. She would complain that it would “redirect” to other websites. The thing is, it wouldn’t do it all the time. Again, it was an intermittent problem. Usually, whenever I’ve experienced a virus/malware on any computer, it would always take over completely. Those are easy to identify because it’s obvious to see what the problem is. This intrusion, however, is sneaky and does not show itself as boldly as other viruses or malware do. After finally experiencing the problem firsthand, I searched for “google redirect” and ended up at your site. I want to thank you for your detailed explanation of how to remove this nuisance!!! As per your recommendation, I began my removal process at Step #7, but it was Step #8 that did the trick. My daughter and I are thankful for your efforts! Please keep up the great work!!!

     
  265. gustavo
     

    Please i need help. The virus i have seems to be a little less severe. I can use the internet and everything is fine except when i use google and it sends me to weird websites. I have tried everything in this page. After conducting the kaspersky scan it said it had removed some threats, but the redirect still occurs. I dont know what to do. Also when i tried to find the host file i went to ect and everything, but i had no hosts file. . Pease help

     
  266. Joe C
     

    AWESOME.. TDSS Killer is my hero! so are you, Admin. Redirect Virus cured.

     
  267. leo
     

    mr/mrs admin… YOU ARE DA MAN/WOMAN. Thank you verry much. keep up the awsome work. With people like you we can overcome the stupidity that is/are hackers. Thanks again…

     
  268. Allison
     

    I did the steps, and now my computer connects to the LAN connection, but I no longer have internet access. So, I have no idea if it fixed the Google redirects, but now there’s a whole other problem. Is there any way to fix this.

     
  269. Rick
     

    Had serious issues with hijacker, which started with the loss of my personalized google home page before expanding to constant hijacking. While researching the problem I found your site. I had already scanned with Webroot and Malwarebytes, and though both found and removed threats, I still had both problems. Since you recently seemed to recommend TDSS Killer most often, I downloaded and used it. TDSS Killer found and removed one threat, which totally fixed my problems. Thanks very much to you and TDSS Killer.

     
  270. Kat
     

    So I was using Google Image search yesterday, and the redirects started after that. It’s only happened twice so far (when I manually type in an address, it sends me to www youcansearch com). I’ve followed all the first five steps above, but everything was already set up as instructed; I had no changes to make (except my hosts file has all those Spybot entries, which I understand is O.K.?). My Malwarebytes scan didn’t turn up anything. I can’t find anything fishy in my registry editor (though I admit I don’t know too much about what I’m looking for).

    I’m afraid if I don’t nip it in the bud now, it’ll eat up my computer later. Is there another step I’m missing?

     
  271. Joe
     

    I am trying to track down why this one site (i built) does not go to the actual web address URL from any browser when clicking on the google search results. My host file is fine, proxies, etc look good. Any ideas. The site shows up first if you type mcgonigles as the google search term. Thanks.

     
  272. Joe
     

    Okay, thanks. It is odd though because I have a number of sites on that same server and none of them are behaving this way. Any thoughts?

     
  273. Kat
     

    Thanks for the suggestion, admin! I ran tDSS killer, and everything came out clean. I ran Spybot, and it was clean. All my add-ons have been unchecked for some time except McAfee. The only other scan I have is McAfee, which is the suckiest of all sucky anti-virus. Is there anything else I should be doing?

     
  274. chris
     

    @admin
    No matter if I use IE, Chrome or Firefox anytime I do a goggle search I get a message that says Oops! Google.com cannot be found. I can get to Bing or yahoo

     
  275. chris
     

    @admin
    So what do you reccommend I do?

     
  276. j
     

    I’ve right clicked on notepad but nothing happens. Is there another way I can run as administrator

     
  277. Mary
     

    For the past 3 days, I have been unable to access my credit union website. I’m receiving Error 7 (net::ERR_TIMED_OUT): The operation timed out. I can get to other websites without any issue. I’ve tried Firefox and IE as well….times out. I’m not very savvy with removal of anything. I have Norton Antivirus 360 v.06 and I’ve run it and it’s come out clean.

     
  278. Hugh
     

    Thank you very much for this article.

    My redirect problem was fixed after doing the following:

    – I have Windows XP.
    – Run Malware Bytes (completely free downloaded software) and removed 7 malware virusses on my computer.
    – Run Avast Full System Scan (completely free downloaded software)and removed 5 more virusses in registry files.
    – Right Clicked on the Hosts file and disabed “Read Only”
    – Then Right Click on the Hosts file again and open with Notepad.
    – Deleted any extra lines in the file that are not included in the screenshot above. I had to delete 2 lines containing Google and Bing with ip addresses.
    – Opened the TCP/IP properties and choose “Obtain IP address” and “Obtain DNS settings” automatically.

    Problems are gone and I can now access the internet again without the frustration of being redirected to spam sites.

    My wish is that the hackers / idiots / oxygen wasters who created these viruses are punished properly in some way or another during their lifetime!

     
  279. Mark Kucia
     

    I hav got the redirection rule from unknown source.Please help me to destroy it.

     
  280. schnookum cakes
     

    @Ramesh
    Dude! This root-kit link that you put on the thread saved my computer from all the cancers that were in it. I tried doing every single piece of advice I found. But this cleared the root-kit that had put a choke hold on my anti=virus software, preventing it from detecting the bulk of viruses that were embedded. Hugs*. Kaspersky

     
  281. Daniel
     

    I tried every steps mentioned, including all the virus/malware programs.

    But nothing changed.

    Then I go to the extreme, using ComboFix.exe. It manages to fix it.

    But the malware is coming back after a while.

    Please help.

    What should I do now(I d not want to format and reinstall my Windows)?

     
  282. Daniel
     

    I’ve done that with various anti-malware programs.

    You just name it and I’ve tried them all.

    Nothing!

    Previously my search results will be redirect.

    But after using the ComboFix.exe, currently the redirect will show when I type wrongly an URL.

    What should I do now?

    I am almost giving up and going for the formatting and reinstalling.

     
  283. Daniel
     

    So what should I do? What is the solution?

    Please help.

     
  284. Daniel
     

    I’ve 4 browsers,, I tried all of them. They have the same symptom.

    IE, FireFox, Chrome and Safari

     
  285. Daniel
     

    Done everything as instructed.

    Still no luck.

    Still getting redirected when typing an invalid url.

     
  286. Eric Schooling
     

    Read most of this site I have windows xp pro sp3. No file named “hosts” in windows\system32\drivers\etc folder. Show hidden files is checked and hide …file and ext is unchecked as well as hide operating systems files is unchecked Can I just create the file or do I realy need it Also there is nothing in Control Panel\Network Connections Norton keep coming up with Trojan..Zeroaccess!kmem\inf

     
  287. Afterwalker
     

    I am not sure how to open the ‘hosts’ file in step 1 of your solution, as it has no file extension. Its icon appears to be a sheet of paper with the upper right corner slightly folded. I am using a Windows 7.

     
  288. Afterwalker
     

    I’ve figured out how to open the ‘hosts’ file in wordpad. (What an idiot I am)
    But I am unable to save my changes, and receive the following message:

    “You don’t have permission to save in this location.
    Contact the administrator to obtain permission.

    Would you like to save in the My Documents folder instead?”

    I am certain that my account is an administrator account; I even went to the control panel and checked.
    I suspect that a virus or some other kind of malicious software is somehow preventing me from making changes to my ‘hosts’ file.
    Any ideas what’s going on, or what I should do?

     
  289. Pam
     

    Suddenly google has been taken over! Can you explain the process for getting rid of this virus for Windows 7. It’s so new to me and I can’t even find the folders or the C drive in this unfamiliar control panel and other such stuff. Never realized how user friendly XP was until this came out. it seems my browswer has been highjacked and searches take me to these strange places. Your screen shots were great, but not the same for Windows 7. Any help you can give would be great. I have already run a few scans and it did not fix it. Thanks!

     
  290. Billy
     

    I’ve opened up the hosts file, but it looks nothing like the picture you have. It only has the IP address and “local host” on a single line. I’ve run multiple malware scans and found nothing. Any ideas? Thanks.

     
  291. Billy
     

    I have gone through pretty much all the steps you have listed and even tried to remove it manually (though I could not find a file that looked suspicious in the bootlog). What would happen if I deleted the “host” file and/or lmhosts SAM file completely? I am at a loss.

     
  292. Aaron
     

    Thanks. I also did steps 2-5 and all of those settings were normal. I’ll work through the rest of the steps tonight to see if I can figure it out.

    I’ve already run Malwarebytes and SpyBot Search and Destroy with no luck. SpyBot was rather annoying and kept giving me windows saying something about a change to the regisrty key and asking if i should deny or allow the change.

    So far the search results are being redirected to other random crappy search sites.

     
  293. raigo
     

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a ‘#’ symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Ihave this , its ok ore not , tanx for help

     
  294. BeenThere
     

    Be careful looking at the hosts file. I have seen cases where everything looks normal in notepad, but the redirects are at the end of the file, preceded by a lot of blank lines so you do not see them unless you scroll down,

     
  295. w--smith
     

    This worked for me.
    Used all the various scanners listed in this site.
    Malwarebytes full scan found it as c:/windows/system32/tskillf.dll
    It was being launched by the task scheduler as a rundll32.exe program so hijackthis didn’t see it. The task scheduler is not checked by hijackthis or malwarebytes. it can be found in control panel. I removed the launch in scheduler by hand.
    I also ran cclean to wipe out my browers temp files , cookies , etc.
    It got in through firefox as a quicktime update messed up explorer7 , firefox and opera searches. Seamonkey was OK. I’m running windows xp pro.
    Thanks for pointing me in the right direction.

     
  296. margaretanderson
     

    i cannot get rid of AVG Resident Shield A lert please help me to solve this problem

     
  297. brianna81
     

    HELP!!! Started noticing redirects about 2 weeks ago but it was off and on, FB redirects to price grabber every time now.I have gone through as many steps as I can with my limited knowledge of computers. I do have a linksys router that was set up a long time ago when I used to have roommate. I no longer need this so I want to take it out and go back to using my local area connection. If I uninstall the program and plug the internet directly back into my pc will this take care of the problem?

     
  298. brianna81
     

    OK so I have successfully done all steps except for 7 and 8. I don’t even know what those two are about so I am going to wait for help before I try those ones, thank you in advance for helping me out:)

     
  299. brianna81
     

    now I can access Facebook through internet explorer but not mozilla firefox, is that where the problem is? I’m so confused!!!

     
  300. brianna81
     

    chose “no proxys” for FF, but no change. I have disabled all add-ons on FF and internet explorer. Is this from using the Linksys? I can still access on internet explorer so far.

     
  301. brianna81
     

    why does this effect only Facebook?? or is it effecting other things and I just don’t know it? Is this something from a porn site??? if so I’m gonna kill my husband.

     
  302. brianna81
     

    thinking that linksys is the problem I’m trying to uninstall cisco home network/linksys and cannot. I can see cisco in my programs and features but when I select it I’m not given the option to uninstall, what do I do? I know i sound like an idiot, I just need help

     
  303. Eddiejiovanni
     

    @admin

    I now have the google redirect virus. In addition to it redirecting me to various web sites it also has disabled or removed my adobe flash. When I am able to go to website I constantly get an error message saying I need to download adobe flash. I just bought my computer a few months ago and adobe flash was already installed. I went ahead and redownloaded the flash twice and I still get the error message. Is there a way of fixing both problems? I did read what you previously posted above but the options still did not work. I am running windows 7 and it has attached/ attacked my Internet explorer 7. In addition whenever I put http://www.google.com in the address line it’ll will stall for about two minutes then say a page would appear saying I am not connected to the Internet. Even though I am. Pleaseeeeee help me out! I’m not very computer savvy but I will figure it out if you could give me some direction. Thank you very much …

     
  304. Eddiejiovanni
     

    I’m sorry I am running Internet Explorer 9.

     
  305. saint_danielz
     

    Admin please help me :(
    I have done step 1. but I can’t find my host and host.bak
    There’s only lmhost.sam , networks, protocol, and services
    I’m a windows 7 user. please help meeee :(

     
  306. saint_danielz
     

    I did show my hidden files and folders, but still there’s no host file.
    So where is the problem? what else should i check?
    thanks before

     
  307. Alyssa
     

    For the version I had, that infects Firefox, Malwarebytes found nothing, but Hitman fixed it.

     
  308. David McC
     

    I have also been hit with a Google Re-direct.

    It is only showing up in a user account and not in the Admin account.

    Host file is clean, the settings are as per the instructions above.

    I have run Kapersky’sTDSS killer and Malwarebytes.

    Suggestions?

     
  309. John Tea
     

    First of all, many thanks to those who asked and responded above.
    Had trojan tracur detected and removed a couple of days ago, only symptom leftover was a chrome redirect from google.com results. Tried 3 (malm, superantispyware, and hitmanpro, all trials, in that order :) ) Malwarebytes detected 2 registry entries:

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (……….Malicious url removed …..) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.

    the others subsequently scanned clean, yet the search redirect persisted. proxy, DNS, and other settings normal. Looked into the above comment #462, searched for chrome browser user data, found this:
    http://support.google.com/chrome/bin/answer.py?hl=en&answer=142059
    renamed the default file described and voila, no more redirects in Chrome.
    I am running Norton business suite AV, and given the 3 recent scans (and active mbam) can I be relatively certain no further infections exist?

     
  310. lindsey
     

    I have Vista, and have followed steps 1-6 and still have the redirect bug. I did notice, however, that there is a Microsoft Visual C++ prog added on my programs list that I did not approve/add. When viewing it on notepad, it appears to state there is a threat. I try to uninstall, but as it is from an unverified pub, my options are “allow:if you are fam with the prog” or “cancel: if not”. I am afraid to allow thinking it might get worse. What should I do? And is this even related to the redirect virus?

     
  311. JT
     

    My hosts file in 424kb

    I have the default localhost & 127.0.0.1 entry

    And after that I have these comments.

    # Start of entries inserted by Spybot – Search & Destroy
    ……
    ….& thousands of others….
    # End of entries inserted by Spybot – Search & Destroy

    What do I do with the “hosts” file? It will not let me change or delete anything even as ADMIN. I made a notepad copy of the file and can delete all non esential entries and have saved it in this location. Do I just delete the original host file? Also, the hosts.20110509-120215 (backup) is clean but when I tried to open it I had to chose a program to do so, I picked notepad and now it stays as a note pad file, is that OK? Thank you.

     
  312. Liz
     

    If super antispyware stopped during first scan, does that mean it will not work and should not be trusted? I have used all kinds of things, tdss, av programs, nothing is working… Will try these tips after current scan

     
  313. Richard M. Renneboog
     

    Just got verification of my previous post. Certificate info from Google address bar (the red lock icon) said “IopFailZeroAccessCreate”.

     
  314. TMAC
     

    i am having an issue getting to google and all google related sites,if i put ip address of google it goes ran everything combofix malwarebytes… didnt find anything

     
  315. JARNKM
     

    Have the problems with S.M.A.R.T. data recovery program and cannot remove.

    I tried downloading the three programs in “safe mode with networking” (the only mode booting, at present), but when it comes to “Installation”, I get the Yellow Exclamation point and it says: “System Administrator has set policies to prevent this installation”. This, I definitely have not done.

    What now! ………………….. THANKS!

     
  316. Renuka
     

    I’m getting a pop up window asking for my card details,pin,DOB,etc every time i log in to my netbanking account or even in amazon. I have checked everything i’m aware of but no success yet.
    Yesterday i saw some one else’s email id (something like ‘smartmind@gmail.com’) in the username field of amazon uk site when i was trying to log on, which is quite unexpected as this is my personal laptop and I’m the only user.
    Plz help :(

     
  317. RaghuMitra
     

    Excellent… editing the hosts file and removing entry for 127.0.0.1 did the trick. Just got curious, how the host entry for 127.0.0.1 impacted my search results?

     
  318. Jay
     

    Thanks guys. I just deleted all entries in the host file and it is working ok. Thanks a lot, this was a pain in my a**. Good job.

     
  319. mehlicious
     

    man… all i ended up having to do was clear my cache to stop my google redirect problem

     
  320. Nicole
     

    Ran the Microsoft Safety Scanner which found a trojan virus and fixed the Google redirect problem and made the browsing speed much faster!

     
  321. ech1zen
     

    TTTHHHAAANNNKKK“`SSS FOR ALL YOUR GUIDES…..
    SUCCESS…..

     
  322. stan
     
     
  323. Mulan
     

    OMG, THANK YOU!!!! I tried everything to get rid of a nasty google redirect virus and nothing worked. Then I found your site, followed your (very clear and simple) instructions, and presto! Now my computer is working again! All I had to do was change the host file by deleting two extra lines with google and bing IP addresses. At first, I had trouble saving the changes even though I had administrator rights, but then I had the bright idea of going to the document’s properties page and un-clicking “Read Only.” Thank you so much!

     
  324. Ryan
     

    I got the Google re-direct virus and none of the steps worked for me. I have Norton Internet Security 2012 and paid them $99 to have a tech fix my computer with remote access. Here is what they found:

    There was a virus associated with some rundll32.exe file. They found it in:

    c:\documents and settings\owner\local settings\application data\apple computer\apple\qisvdmrmz.dll

    They removed it from the registry and now everything seems fine. I would have no clue how to do that. Also, Norton Internet Security did not find/block it because it was in the Apple folder… weird. Maybe this helps someone else.

     
  325. Zathu
     

    Okay, I already went through several steps from different websites. Use TDSSKiller, etc I checked my hosts file and there’s nothing wrong. add-ons etcetera, still nothing unusual. And I still got those problems, in my case though there’s more problem, I can’t login on all sites, can’t open google mail. and browser show error when opening https:// I use personal wifi network with my family, but problems only exist in my notebook, then it’s not possible if the router is infected, right? Or is it possible?

     
  326. maygen
     

    I am also having the problem of saving changes to the notepad. I have right clicked to change to administrator, nothing happens, I am also on my administrator account. There is one extra line after 127.1 etc local host. But I cannot save changes after deleting it?

     
  327. Isaac
     

    I checked the host files and my services file was a 17KB so I wanted to ask if my google redirect virus was in here


    directplaysrvr 47624/tcp #Direct Play Server
    directplaysrvr 47624/udp #Direct Play Server

    Any help you can give me would be great!

     
  328. Isaac
     

    Okay so I tried your spyware doctor and it found this

    6/6/2012 8:39:01 AM:445
    IntelliGuard: System Event Blocked
    Threat Name – Trojan.Malscript
    Details – Spyware Doctor has blocked an application attempting to access a file.
    Risk Level – Medium
    Infection – C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TGGUTABW\CELEBRITYBABYCRAZE_COM[1].HTM

    Could this be the cause of all my missory. If so how do I get rid of it permitly

     
  329. Isaac
     

    Okay I will and get back to you.

     
  330. Isaac
     

    Properties
    Name i8042prt.sys
    Location C:\Windows\system32\DRIVERS
    Size 53.5 KB
    Time 357.0 days ago (2011-06-15 07:54:22)
    Entropy 5.8
    Service i8042prt
    SHA-256 30A52512421963F548423A0A2D4FE3FB4431C434E1A7E147BA0C23B7AB68C66C

    Detection Names
    G Data Gen:Variant.Sirefef.22 (Engine A)
    Ikarus Trojan-Dropper.Win32.Sirefef!IK

    Scoring (153.0)
    One or more antivirus vendors have indicated that the file is malicious.
    The file is hidden from Windows API. This is typical to malware.
    The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
    Starts automatically as a service during system bootup.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical to most programs.
    Program starts automatically without user intervention.
    The file is located in a folder that contains core operating system files from Windows. This is not typical to most programs and is only common to system tools, drivers and hacking utilities.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.
    The file is protected by Windows File Protection (WFP). This is typical to critical Windows system files.

    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\

    This is the only major thing it found

     
  331. Isaac
     

    @Giedrius Majauskas (admin)
    Thank you. I’ve been fighting my redirects and scanning with my anti-virus for a week now.

     
  332. John C
     

    I have approx. 217 host files that are backups going back a few years.
    The latest modified file is from 2/28/11. Is this the one I need to modify (delete all the extra entries)?
    Also, should I delete the other 216 backup files, is this safe?
    I use XP Home edition

     
  333. Bryan
     

    I have not tried these solutions but was searching for something on another computer, trying to fix this problem. My Google was not working properly and whenever I searched a term, the first page had weird links. Also, if I typed, “Why are” normally Google shows a list of frequent phrases. It wasn’t doing this and when typing in the same search from 2 separate computers, one was working as it should and what I’m used too, and one was clearly working wrong. Anyways, I found this online and tried it. While I was waiting for the comp to reboot I ran across this site still looking for other solutions in case it didn’t work. Well it worked. So if you’re having this problem, try this out….

    1.) Exit out of all programs
    2.)goto run enter
    C:\WINDOWS\system32
    3.) then scroll to the bottom of the page and find wdmaud.sys just rename it to BAD_wdmaud.sys
    4.) Immediately reboot the system
    5.) Test the results

    it is important that you do not just search for wdmaud.sys because there is a valid file on your computer named that… but any file in the C:\WINDOWS\system32 folder with that name can be deleted/renamed to fix the problem.

     
  334. Dan
     

    I have a redirect virus which changes sites on every sub search in Firefox. I have ran Malware bytes, Microsoft Scanner, TDDS Rootkit by Kaspersky and Viper with no success. Host file looks normal, and all the setting is in networking. Could use help on this one

     
  335. Dan
     

    Thanks for the reply, both IE and FF are going to the same bogus sites. Proxy servers are disabled in tools, networking. My DNS is greyed out and maybe that way since I use a static IP.

     
  336. Dan
     

    I changed my network setting to auto IP and DNS and it still redirects.

     
  337. wis
     

    Do this: you may need to login with a different profile
    -scan with Hitman Pro, malwarebytes, TDSS killer by Kaspersky
    -use “Autoruns” and “process explorer” to identify running malwares and delete them manually
    -Reset IE setting
    -clear all termporary files using ccleaner
    -check DNS settings in LAN/Wifi Adapters
    -Important: run “sfc /scannow” and Restart

    good luck

     
  338. Bill Everitt
     

    Thanks, this helped.

     
  339. Whitney
     

    This has happened to me before but it pisses me off so much. First of all I NEVER go to porn sites and the main sites I go to are facebook, youtube, hotmail, and my work website. When I type in http://www.facebook.com this is what the browser goes to: < malicious url removed >. WTF???? It’s so annoying, I can’t get to facebook via my laptop, any of the other computers in this house, on my ipod touch, or even on my android. My brother fixed it once but I don’t know how. Apparently it’s our whole network or something and I need to know how I can avoid this in the future and how to fix this because I’m really annoyed. >:(

     
  340. kröper
     

    it is very unfortunate that in this very good description concerning google redirect solutions -it is not mentioned -before making a very long total scan, as suggested with spy hunter- that removal of found problems can not be undertaken without buying the full version of the program!!!!
    I think it would have been only fair to include this in the description especially as by linkbugs redirekt it is indicated that a scan and remove of found problems is possible for free!!

     
  341. Jessica
     

    I spent the last 2-3 days working on removing this virus and finally got there. I’m using a laptop running Windows 7 Ultimate and Internet Explorer 9. This virus caused Google, Yahoo and Bing all to re-direct, but ASK and DuckDuckGo and Google’s Advanced Search was not affected. I am more willing than others to go into various questionable sites and try new things, mostly because I back-up weekly and have multiple PC’s. Some without any modem so they’re completely clean from the Internet (aka Big Brother).

    1. scanned with Norton Internet Security – scan came back clean, re-direct still exists same search engines
    2. de-installed NIS and installed Microsoft Security Essentials – scan in Safe Mode came back clean, re-direct still exists
    3. restored defaults on IE9 and defaults for manage network connections, for windows 7, c:\windwos\system32\ncpa.cpl
    3. found out that the hosts file in C:\windows\system32\drivers\etc has been corrupted. Note the file does not have an extension. I created a new Hosts file with the ip address 127.0.0.1 and ::1 properly defined – re-direct still exists
    4. found a site suggesting a registry edit for the TDSS system file on my PC, nothing found was abnormal, also searched for specific registry variables associated with TDSS nothing there either. Also never change the registry unless you’re absolutely confident or you can restore you PC without stress
    5. decided to try TDSSKiller by Kaspersky, again re-direct still exists.
    6. searched on rootkit viruses and read all sorts of pages but nothing new
    7. ran Norton Power Eraser and found a DLL file that it cleaned up. I am resetting some registry variables because NPE will delete specific user variables.

     
  342. Tony
     

    When I Go to facebook.com I’m redirected to Linkbucks website… http://63ce2138.qqc.co/ I tried to reformat hd and added windows 7 ultimate and Norton 360 and still same Problem. Norton isn’t picking it up! Any tips???

     
  343. Gary
     

    I am so frustrated with this virus, i downloaded prevx and used the scan hoping it would get rid of the background audio ads and google redirect, but it didn’t, so i started here, but ran into a small problem with step 1…. when i go to C:\Windows\System32\Drivers\etc\hosts, my comp does NOT HAVE A HOSTS FILE!!! ADMIN PLESE HELP! Thanks

     
  344. Michael
     

    Hitman Pro from SurfRight will fix – permanently – the Google redirect virus, and may work for other redirect problems as well. There’s a full version 30-day free trial.

     
  345. olleymae
     

    Okay my hosts file looked fine, I have run my normal AVG free scan (said threat detected but then when scan finished said no threats found) so then I downloaded Hitman Pro it found a few things and took care of them, but I was still having the redirect issue, so I downloaded Malwarebytes and it found a few more things and cleaned them up but I’m still having this issue. I use Firefox, and I changed my proxy settings to No Proxy. I am completely at a loss here. Any more tips??

     
  346. Tony
     

    @Jessica
    A very good account of what you’ve done.. and then spoil it by not giving the name of the DLL that had been affected :(

     
  347. Bob
     

    What the heck…I have tried all the steps mentioned above and no luck. Have ran hitman pro, tdss, looked in the hosts file and nothing there. Something is not right. Is it the so involved that i need to wipe the os clean? what can i do?

     
  348. Bob
     

    I have scanned with Hitman Pro, Spyhunter(Have to pay???), Microsoft Security, Avast, TDSSkiller…some have found a trojan and claim to remove it but its still there redirecting pages. It is happening on Google and Yahoo the only browsers I use and its happens on the results. Have been through all the steps and nothing has worked so far. Using verizon wireless to connect to internet and checked the TCP\IP settings. Will it be somewhere on there? Can I change router info for a verizon wireless set-up? Any more help will be greatly apperciated.

     
  349. Bob
     

    I neglected to write down the exact name but the Microsoft Security scan the last one I did last night found two trojans that had Java in both their names and said it wiped them out. All others also acknowledged something was there but not a list of the trojans. After i ran that tool and restarted the computer and tested a few searches the redirect came back and I just gave up last night. Worked all day trying to figure something out. Seems that the programs find something but that the trojan just gets re-born. Know thinking I don’t remember if i ever got the tdsskiller to work properly maybe I can try and download for another computer and use a usb to the infected computer. What extensions are you talikng about? the add-ons?

     
  350. Bob
     

    I’m at a total lost now Admin. I have ran through all steps on your site re-ran TDSSkiller and nothing found. I found another blog that details looking at all the system files that run at startup that are located in the driver folder. He is recommending doing a manual removal if you can find the virus source. Here is the ntbtlog file can you spot anything that shouldn’t be there. Any more help will be greatly apperciated
    [content snipped]

     
  351. TJ
     

    I finally found something that removed the redirect virus on my pc. I just got this viruns within the last 30 days. I have a Norton account and went there to see what they had to clean this up. I downloaded their “Power Eraser” software and ran it. It found a file titled dqzev.dll in my c:\users\[user]\appdata\local\ folder. The software removed the file and rebooted my pc. I no longer am redirected when I click on a link in search results.

     
  352. RB
     

    @TJ
    Bingo TJ. Thank you. You saved my sanity.
    I have Norton2012 and several full scans over the past week could not find anything but usual tracking cookies.
    When I saw your post today I downloaded and ran Norton Power Eraser and it found the very same dqzev.dll file and removed it. Problem solved!!!

     
  353. RB
     

    @RB
    Forgot to mention that while I too have a Norton account, Norton Power Eraser is a FREE download, so I did not even have to login to get it.

     
  354. Thom
     

    Got this redirect virus, Was not being detected by my anti virus. Tried Malwarebytes which stopped the redirects but still did not remove it. Kept telling me it was stopping redirects from rundll32. So I went to Start entered msconfig and under the startup tab found ATRBBEV unclicked it, rebooted and redirect virus was stopped. Whatever it is, it is still on the computer, just not running. The source column said rundll32″C as the source. Hope this helps the next victim.

     
  355. mike
     

    All this info is good but what i found to be the best is to edit c:/windows/system32/drivers/ect/host. Delete anything below last line ie 127.0.0.1.
    Also edit c:/windows/system32/drivers/ect/imhosts. Delete anything below last line.

    This will remove any chances of rediredting. If you feel unconfortable with this just save document on desktop.

     
  356. turbanator21
     

    Hi, I need your help to get rid of linkbucks which always redirects whenever i open facebook address on browser. all other sites are working fine. I did chk host file n only thing suspicious to me was some calendar host file which i m not sure about. I see some process names crss.exe is working in taskbar menu which i cant stop. plz help

     
  357. Bob
     

    Interestingly for me, when I tried to install Spyware Doctor it caused my system to blue screen and each subsequent reboot brought the blue screen. I had to do a system restore back one day to get my system to boot up.

     
  358. B Vacher
     

    How do you open notepad as the administrator? I cannot delete the files placed in my “hosts” file by the virus unless I open it as an administrator.

     
  359. Hayden
     

    Please help me! I have located the hosts file, and I opened it with notepad (as administrator), and there are lines of text that need to be deleted, but when I delete them and try to save the file, it says that the file is set to “read only”, and when I try to disable the “read only” option from the file, it says that access is denied. What do I do?

     
  360. Hayden
     

    Also, when I open cmd and type in attrib -r c:\windows\system32\drivers\etc\hosts it says “Not resetting hidden file”.

     
  361. Lance
     

    I was clearing a redirect problem for a Client (I own That Bytes! Computer Repair in Austin TX). McAfee, Avira, TDSSKiller, Spybot nor MBAM corrected the problem. I ran HiJackThis and noted an unusual entry, but it looked pretty legitimate, so I left it and continued the hunt for the problem. After a while, I went back to HJT, removed the registry entry, and Voila! The redirects ceased. In this case, the entry was in User_Bob_AppData_Local_Deployment_Dell_QHIXW.DLL. The files and folders were created just 2 days prior. A direct scan of the file with McAfee and MBAM still didn’t identify it as a problem. I removed the file and folders permanently.

    I hope this helps some of you having problems with redirects.

     
  362. Hayden
     

    I tried that, too, and it said “Not resetting system file”, so I typed in attrib -s -h -r c:\windows\system32\drivers\etc\hosts and it said “access is denied”. Am I screwed?

     
  363. Hayden
     

    I even opened cmd as an administrator.

     
  364. Cement
     

    I know why I got traffic from this search engine, seems it is infected.

     
  365. Ben
     

    Had the redirect virus. It was awful. Followed your recommendations steps 1 through 7, still had issues. Downloaded Hitman Pro from CNET, and redirect is gone. The one step I did differently than above, was start the computer in safe mode with networking, and ran the anti spyware software from there. I used AVG first, nothing detected. Then ran Malwarebytes, which found 1 infection, and 45 traking cookies. After Malwarebytes, used Hitman Pro which found the infection. Thanks for operating this site!! Life saver.

     
  366. nate
     

    Annoying as hell, yes…..infecting my computer,probably……but how exactly is a redirect going to force a person to share bank or CC details lol

     
  367. Edward
     

    I appreciate this thread (and amazing dedication from Giedrius, thank you). I recently caught the Google redirect virus.

    AVG Free, Malwarebytes Free, TDSSKiller, Kaspersky Free Virus Scan, MS Safety Scanner did not find anything.

    My host file was large and I used the following to reset it http://support.microsoft.com/kb/972034. It reduced the frequency (I think) but still had the redirect.

    I just used Norton’s Power Eraser and it found xckor.dll which it removed. Interestingly, there is not alot of info on xckor.dll when searched with google.

    Too soon to tell if it fixed my problem but wanted to provide another data point to this group.

     
  368. Edward
     

    @Giedrius Majauskas (admin)
    Its looking good. I’ve not had a redirect incident since running the Power Eraser. Thanks again for all the info in this thread.

     
  369. Samsung PC Technician
     

    The sure way to eliminate bad malware, viruses, adware, spyware, dials, keystroke loggers, backdoor, trojans, worms,etc is to nuke your computer by installing a new windows operating system. Save your data and make sure you have the original user programs of course. Worse comes to worse that is what you do.

    However in the tech field. Which may be something that every day user may want do is to back up their computer. Not just data or system. Everything!!! We in the tech field like using images. Images are basically an exact 1.1 copy of your data files, system files and program files you have in your computer.

    Without going to the hassle of buying/installing a new operating system, loading programs and user data back into your computer that was recovered to factory settings…..That’s were images come in.

    If you make an image of your hard drive at a known good state. And you have all the programs you probably ever going to use. Would be good to back up the whole hard drive with norton ghost and store on an external hard drive. If your computer ever gets messed up beyond repair. Load the image and your computer is back to a known good state with all of your programs and user data at the time of back up. You can back up as often as you like of course. Takes the hasstle of searching the web for quick fixes, which are good to know. Although can’t be sure you got all threats out your system. Images are guaranteed!! (granted you installed windows, programs, and user data independently and remotely from any internet sourse. Updating system utilities and diagnostic programs is ok and safe of course from the internet. Once done, run norton from another computer and create image with hard drive adaptor cables. You’ll need to remove your hard drive from the computer you want backedup). And that’s pretty much it.

    Michael T.
    Samsung PC Tech

     
  370. amar
     

    keeps opening up every time i launch google chrome even when i open a new tab it opens up and i have to click back on the toolbar to return to the speed dial page.any suggestions on what to do.

     
  371. amar
     

    same problem Giedrius

     
  372. Owen
     

    google is redirecting me to other locations ads mainly. I have reformated my drive and reinstalled windows 7. i am not recieving any issues with any other search engins but with every browser i use chrome mozilla or E9(guarbage) i still get redirected when trying to make a selection of a web page to go to.
    at this time i dont understand why this is still happening.

     
  373. Owen
     

    seems to be fixed. i restarted my router router after doing a OS install and it cleared out the dir in the router no more issues thus far. will repost if issues come back thank you for the page it was helpfull never knew about this virus before first time dealing with it or knowing anyone who has.

     
  374. Owen
     

    never mind sorry issues still continue

     
  375. owen
     

    problem has been fixed used malware antivirus found only 1 virus a rootkit. i did do a full format i did not copy over when i did the OS install. also another thing i did do was reset my router to factory default.

     
  376. Bob R
     

    Lots of tech talk lots of downloads and scans not to mention time and money but it still redirects my browser-I have a hard time believing that the merchants that these sites recommend are not somehow involved in this-where is the profit to be made by redirecting someone’s browser?

     
  377. Bob R
     

    Spyware doctor claims to have found it but of course for only $29.95 it will remove it!

     
  378. Bob R
     

    That will be the third anti-virus program used today.

     
  379. Les
     

    I went through the list methodically, and it is fixed. Step 4 seemed to fix it for me. I am little confused, because it seemed to fix it in Chrome and IE also. But I am just grateful it is fixed.

     
  380. Cody
     

    I do not have a host file. Running Windows 7 as administrator and hidden files shown. Is it somewhere else on windows 7?

     
  381. Markus
     

    Thanks i remove the host site and it got rid of redirect thanks again.

     
  382. Ashok
     

    Hi admin,
    my redirecting problem is solved. But if i open any website witout https:// some advertisement is displaying rather than actual content in place of images or vidoes. Which is happening oly in chrome which is my default browser. this working fine with firefox. any suggestions,

     
  383. Jet
     

    Giedrius (Admin)…first of all thank you! for the great article and more importantly all of the assistance that you’ve been providing for everyone in this forum. I think it is awesome! So thank you!!!

    It looks like I’ve got some flavor of the IE Google Mail redirection problem. Although I never actually redirected to anther site I can get on to GMail from IE. When I try to get to GMail (e.g., click on Google Mail on Google website or type in mail.google.com) I can see IE tries to get me google mail but then before it can get me there the browser then tries to send me to (https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?tab%3Dwm&scc=1&ltmpl=default&ltmplcache=2) to be specific. The browser never makes it to this URL either.It quickly tried to load mail.google.com again..and this loop continues endlessly until I kill the browser. I seem to get to other Google locations (e.g., maps) from IE but not Gmail. Not sure if this re-direct problem that others are seeing or not.

    If it is I’ve done ALL the steps you described in your article except #4 (FireFox is installed on my system but I don’t use it at all). The only things that remain to be done from your article are:

    Run Nod32 and Spy Doctor.

    However I have run: Hitman, MalwareBytes and SpyHunter (2.5 hrs to complete);
    None of these came up with any problems other that a few tracking cookies. No serious threats.

    I just downloaded Kaspersky Internet Security (Trial) and I’m running a scan with it. It tells me I have 2 hours left to complete the complete scan (argh).

    By the way this problem started Friday at my home. I stayed at friends house on Saturday and Sunday and it’s happening here as well…so I don’t think it’s a problem with the router.

    Where do I go from here? Thoughts?

    Thanks,
    Jet

     
  384. Jet
     

    @Jet
    One quick update I downloaded PC Tools Spyware Doctor (~300MB!!!!) and ran it. It identified a could low risk threats (Tracking Cookies) and two high risk threats (Threat.Info-Stealer.Mem). As it turns out this so called high risk threat was actually a mis-identification of Kapersky’s main AV executable and one of their files. I guess this is a known issue with Spyware Doctor as it’s been reported by other people but Symantec hasn’t done anything to fix the problem!!! Between the size of this stupid application and the false identifications I’d say Spyware Doctor SUCKS!! Maybe they just want to scare you into purchasing their product by falsely identifying something that isn’t a problem at all. What a waste of bandwidth and time!!!

     
  385. Jet
     

    Giedrius, thanks for the reply. In response to your comments:

    1) I cleared the cache CTRL F5 and rechecked the Proxy settings (Step #3) and it looks fine.
    2) I’m using IE9
    3) Yes I could use Chrome or FF but I don’t give up easily and want to fix this issue.

    Other suggestions? (Of your recommendations in your article the only thing I haven’t done is run Nod32….although i must say I’m getting weary of downloading tools and running scans.)

     
  386. jade
     

    I’ve been having this problem for awhile now. I’ve tried everything in your tutorial except for last step because I am not very computer savvy and I’m afraid I’ll screw something up. I even tried tdsskiller and the fix for tdsskiller with no luck. What else can I do?

     
  387. Jet
     

    Giedrius, thanks for the feedback. I do plan to switch to Chrome but I didn’t want to surrender to some potential Hijacker. Too much fight in me for that. You may be right that this may not be a Hijacker issue. I deleted all the browser history (and I mean all items on the Delete Browser History Option) and it seems to have at least temporarily stopped the problem from occuring. I’m fairly certain I did this before but perhaps I didn’t delete all things in the Browser history. Anyway it is gone for now. If it comes back I may use the HijackThis to scan my system. Do you read HijackThis log files? Or do you suggest going to one of the security forums like BleepingComputer?
    Thanks again for you help…crossing my fingers and hoping the problem won’t reoccur.

     
  388. Cody Nason
     

    @admin how do I remove the trojan.zeroaccess infections that the spyware doctor found?? I DESPERATELY need your help. please respond with utmost urgency. thank you for your time.

     
  389. Cody Nason
     

    Giedrius (admin): spyware doctor inormed me that the virus was located in C:\WINDOWS\system32\drivers\redbook.sys is there any way to remove it without having to download any programs? (in case those links don’t work for me) I apologize for any inconveniences.

     
  390. Cody Nason
     

    Giedrius : You are a genius, good sir. I thank you for your time and effort put in to helping each and every one of us who were having trouble with our searches. thank you very much. it worked swell.

     
  391. jade
     

    Are spyhunter and hitman pro the same as malware bytes? because I already have that program and did a scan with that

     
  392. Bill
     

    Malwarebytes fixed the problem on my computer. TDSS Killer did NOT work, and I could not find TDSS in my registry, hard drive, or system devices.

     
  393. Vernon Siler
     
     
  394. Tom Westfall
     

    I have the same problem on a Windows 7 Ultimate 64 Bit, IE 8 system. I’ve run MalWareBytes, Spy Doctor, Norton Power Eraser, Spyware Hunter, and Hitman and while many of them found somehting they didn’t like none of them have solved my problem. I’ve checked DNS, and the hosts file and I can’t seem to fix this. I thought it must be a BHO because it only happens when I use IE, Safari works fine. Anything else I can try?

     
  395. Tom Westfall
     

    My first scan with MalWareBytes found nothing at all. The others found a few cookies and items I would regard as basically harmless. I did run TDSS Killer as well and it found nothing. I ran the Hijackthis and don’t see anything in there that looks like a problem.

     
  396. Nameita
     

    Hello,

    My host file contains only one line :/ It’s the last line of yours! Also I use google chrome as a browser any advice here?

     
  397. Nameita
     

    Also every time I perform a scan with Malwarebyte or Kasperspy, my Symantec Antivirus starts automatically and detect a whole bunch of suspicious file! Should I deactivite symantec first and let Kasperspy work? @Nameita

     
  398. Susan
     

    @Giedrius Majauskas (admin)
    Great Posts! Had the same redirect problem. Looked at several of the suggestions. Cleaned up hosts file and ran tdsskiller (still had redirect issue). Kept reading posts and tried Power Eraser from Norton…. problem fixed! Thanks SO much for posting all this information – super help!

     
  399. Gakuno
     

    I just used Combofix.
    1. Download Combofix (FREE)
    2. Open up a txt file
    3. Copy paste this into it:

    File::
    c:\windows\system32\winupdate.exe
    c:\windows\system32\winhelper.dll
    c:\windows\system32\AVR09.exe
    c:\Program Files\AdvancedVirusRemover\PAVRM.exe

    4. Name it CFScript.txt
    5. Close all apps.
    6. Drag file into Combofix (DRAG THE TEXT FILE INTO THE APP)
    7. Let it do it’s thing.

     
  400. Bill
     

    @Giedrius Majauskas (admin)

    Thank you very much for your quick response, hitman pro took care of it.

     
  401. AmITheOnlyGuyWithAMacAroundHere
     

    I’m on Mac, any tips about the google redirect stuff?

     
  402. Leah
     

    Thank goodness for geniuses like you to help tech-challenged people like me!

    I think I have the google redirect virus. My problems started when my daughter was attempting to download a free game (Disney’s pirates of the caribbean). Next thing I know, google.com just doesn’t look right. The ads that are normally to the right of the results are absent, and the “results” do not really make sense (wikipedia or product based only), and if I click on a link, it takes me to an obvious ad. So, I immediately closed my browser, ran disk cleanup, deleted temp files, uninstalled everything that had been installed from the last few days, and ran a full scan with Norton 360. I still had a problem, and it got worse…the computer shut down and went to the blue screen of death (crash dump or whatever). It was only able to come up in safe modes. I brought it up with safe mode plus networking, and tried the next recommended step: Norton Power Eraser. Upon reboot, it went back to blue screen and would only come up in safe mode still. I ran Norton’s Reboot/recovery tool, as instructed, and still got the blue screen/safe mode cycle. So I tried going to Control Panel–>Recover–system restore and chose a back up source from over a month ago. Upon reboot, I was able to come back in normal mode, but the redirecting is still happening. I contacted Norton’s Tech support and initiated the remote resource with their tech. I explained everything that has happened, but she kept asking me to repeat parts of my story and her first reaction was that my Norton must be out of date. I assured her that I always kept it up to date, as I have a 3 year subscription with auto detect of updates and scans. She then asked if I contacted Microsoft to address the blue screen issue. I asked why would I, when clearly the problems started because of a virus that I thought Norton was supposed to protect me from. When I suggested that I thought I had a redirect virus (which I deduced based on info from sites like yours), she seemed to have no clue what I was talking about and chukled when I brought up the possibility of it being a rootkit infection. After making me feel like an idiot for a few mintues, the tech finally took over my computer and worked through the night. She is apparently off for the weekend, and sent me a message that she would resume work on my system on Monday. I am beyond frustrated. Any insights or suggestions?

     
  403. Leah
     

    @Giedrius Majauskas (admin)
    Ran through your list (which I really didn’t trust myself to do). And….believe it or not, the virus is gone.I believe the Kaspersky TDSSKiller is what did the trick. I am just flabbergasted that Norton’s tech wasn’t more helpful. It amazes me that I was able to find your site, download a solution, and have it fixed in a matter of minutes! Thanks for the info, it was easier than I would have believed. :)

     
  404. pavan ravi teja
     

    first of all thanks a lot for the people who put up a discussion here which helped me.
    I GOT RID OF GOOGLE REDIRECT VIRUS,JUST FOLLOW THESE SIMPLE STEPS:
    1.install spyware hunter,scan the system completly.
    2.after scanning ,it identifies the location of spyware and other virus
    3.for me it identified spyware virus+ sumthing lyk virus genre dd!
    4.i cud get rid of spyware virus by manually removing the items indicated.but i cud not remove other kind of virus,showed error message wen i tried to do so.
    5.finally restart ur system in safemode as u have removed some of cookies(spyware virus) in windows,dont worry if bluescreen comes up.just open it in a safe mode later on it will be okay,
    6.now,ur browser will be safe.
    hope u too can get rid of this maddening virus!!!

     
  405. jeff
     

    NOTHING is working for me. Everything i’ve tried all the way through to TDSSKiller says that my computer is clean. But, all my google search results redirect to advertisements. I tried Bing, and it affects Bing search results as well. Also affects multiple browsers (tried IE8 and Chrome). I’ve tried all the software recommended on this page and it’s not detecting this. I’m so frustrated.

     
  406. Lex
     

    I have run through the steps and none of this is working for me. I don’t know what to do anymore, I thought I had solved the problem but then I went back and googled something and BAM redirected.

     
  407. ronnie J
     

    Firefox updated and the dang add on needed to be disabled.Worked.Simple.Very annoying.

     
  408. Michael
     

    Thank you very much. The first step really works wonder. I had like 7KB host file, and after decreasing it to 1 KB the problem has been solved. I’m glad I found this site. ^^

     
  409. Michael
     

    Btw, I’m using windows 7.

     
  410. Murali
     

    Thank you very much for this very very useful info.

    Deleted that 1 extra line exactly after the last line of the given page.

    Started with ::1….

    Once again thanks for the ultimate information.

     
  411. Dave J
     

    Need some input. I am running in circles trying to get rid of this redirect virus. The symtoms are: most of the time my redirect is through [malicious url removed]. My internet explorer is all fouled up as is my task manager. I have had many blue screens.
    My virus scans have been:Norton,Malwarebyte,spybotsdAdware,adwarecleaner,saphros,and hitman. Only hit man said I had something. Two rootkits with a replace option. Have tried TDSSkiller, but refuses to run after the windows run window is checked.
    I am running XP sp2.
    Any suggestion would be helpful and appreciated.

     
  412. Andrew
     

    Hello G.M(Admin), I have one PC (XP), one laptop(XP), one android ph and one android tablet. All has google redirect virus (but only when I click one website, it redirect). Why my android ph and tablet has GRV? Is my Router infected GRV?

     
  413. Daniel T
     

    Possible Solution/fix:
    Google browser hijacked and redirected to 7search, search qandas com, and other advertising sites.
    I fought the Google browser redirect issue for 2 weeks, only Google searches in IE8 were affected, using Bing in IE8 worked OK. I reset to IE8 default settings, tried blocking with IE8 security settings, disabled browser add-ons, and followed many other tech articles/solutions with no luck.

    Listed first below is the SOLUTION I finally found to the Google browser redirect problem:

    HitMan Pro 64 bit found a variant of TDL rootkit/bootkit infecting the Master Boot Record, cleaned and fixed on first scan and reboot. I installed the Free version good for thirty days and will be buying the full license. Marked some Punkbuster files from my games as suspicious but left them alone.

    I installed many antivirus, security, and antimalware programs: both retail versions and freeware.
    Following is a list of programs that missed the TDL Rootkit.

    Norton Internet Security which is my primary and favorite security suite which was installed and up to date but never found the TDL Rootkit.

    Webroot Secure Anywhere Trial was installed but never found the TDL Rootkit. This is my second favorite security suite but tends to interfere more with online games.

    AVG Free 2013 installed but never found the TDL Rootkit.

    SuperAntiSpyware retail version purchased but never found the TDL Rootkit. Seems to be an OK program, but I was disappointed in overall results. Install free version and wait a day or two, and following a scan the program will offer a discounted 1 PC license for 9.95 or 2 PC license for 14.95.

    Spybot Search and Destroy free version installed but missed the TDL Rootkit.

    Malwarebytes free version installed but never found the TDL Rootkit.

    Xoftspy SE trial version installed but missed the TDL Rootkit.

    Windows Malicious Software Removal Tool ran but never found the TDL Rootkit.

    I did not use any McAfee security products because I had a very bad experience with a poor version of McAfee software many years ago and do not use McAfee software.

     
  414. Naveen Kumar
     

    I was getting google redirects. Eset caught the virus n removed it

    thanks for any information.

     
  415. kingck
     

    so here is what ive done
    1.got spy hunter
    2. ran TDSSkiller with loaded modules
    3.check the drivers in the device manger
    4.checked host file
    5.checked TCP/IP
    6.checked proxy settings
    7.cleared browsing data

    and im still having this damn virus its highly annoying

     
  416. kingck
     

    i ran it no good there wasnt anything out of the ordinary just some basic tracking cookies in IE and Firefox chrome was clean and my DNS servers are set to automatic
    also i tryed runing firefox in safemode still redirect along with chrome in safemode

     
  417. jon m
     

    Mine was called Snap.do, it was an add on in internet explorer. I used crap cleaner (CC) that I got on download.com to uninstall it.

    Took 5 seconds, and now good as new, hope it helps.
    Sucked for a couple days till I figured it out.

     
  418. Ashley
     

    Please help! This morning I searched a topic on Google (using Internet Explorer, Windows 7), but when I clicked the link it took me to a different site than I thought I was going to. I read a few tutorials about redirect virus removal and have completed the following:

    -Ran McAfee full scan (nothing detected)
    -Confirm HOST file (it was correct)
    -Confirm LAN proxy and DNS settings (they were OK)
    -Deleted internet files, cookies, etc via Internet Options
    -Downloaded and ran Spyware Doctor (nothing detected)
    -Downloaded and ran Hitman Pro (nothing detected)
    -Downloaded and ran TDSS Killer (nothing detected)
    -Downloaded and ran Spyhunter

    Spyhunter originally detected 29 threatening cookies from such sources as 2o7, 7search, Doubleclick, Tribal Fusion, etc. I reopened IE and deleted files again then searched for the “infected files” in the proper directory (reported by Spyhunter) and they were nowhere to be seen. What’s more, when I reperformed the Spyhunter scan, nothing was detected.

    HOWEVER…when I try to click on a Google search result I am STILL being redirected (most often to a site “selling” Norton anti-virus).

    Any suggestions? My next thought was a complete system reload, but I’m not even sure that will get rid of the problem!

     
  419. Ashley
     

    I forgot, I’ve also disabled all of my add-ons.

    SOS!

     
  420. Ashley
     

    Hello again and thanks for your response.

    Update- Last night I downloaded and ran CCleaner…it helped and I wasn’t redirected! BUT, this morning I tried to click on a Google search result and I was redirected. I tried a number of different searches and any link redirects me. Crap.

    When I pull up Google it looks normal (http://www.google.com) and when I search it still looks fairly normal (google.com/string of #s and letters).

    I just downloaded and ran both Malwarebytes and Superantispyware, but nothing was detected. What did you mean by an aftereffect of toolbar? How would I cange the search provider?

    Lastly, what is a hijackthis log?

    Thanks again!

    PS- If I restore or reload my computer, will that get rid of the problem? I’m at my wit’s end!

     
  421. Queena
     

    @Mulan
    this worked magnificently to me!! same problem now im virus free

     
  422. Pete
     

    After trying everything I could find on the net to get rid of the Google redirect virus (nothing worked), I discovered that if I turned off Gmail, it went away. Really !!

     
  423. Watson
     

    I have clicked on the three-lined icon several times and have been unable to locate the Options menu. It has simply disappeared. Also, my Chrome browser is now working very slowly, and this morning when I opened it, a dialog box appeared that read “Your profile could not be opened correctly. Some features may be unavailable. Please check that the profile exists and that you have permission to read and write its contents.” What can I do?

     
  424. Zumbul
     

    By cleaning hosts file my firefox started to work well. However, issues with internet explorer continued.
    I downloaded demo version of HitmanPro 3 from http://www.surfright.nl/en/hitmanpro/
    It was able to locate and delete fontviewt.dll file in C:\Users\%username%\AppData\Roaming folder.
    Afterwards everything worked just fine.

     
  425. Mike
     

    I had the redirect problem only in Google Chrome – Firefox and IE were fine. I tried everything, uninstall and reinstall, msn security essentials, malwarebytes, combofix, etc. Nothing worked until…

    I downloaded Revo Uninstaller (free), performed the most advanced/deepest uninstall, deleted all found files, selected to delete related registry items, basically just did everything Revo asked. Now, after a reinstall of Google Chrome, everything is fine.

     
  426. Danny
     

    Still on XP (I know…) and there is no hosts file in the specified folder. Assistance?

     
  427. Tim
     

    I looked at the host file as suggested and am seeing entries like this
    127.0.0.1 http://www.hgoogle.it
    127.0.0.1 hgoogle.it
    Are these types of entries causing the redirects?

     
  428. Danny
     

    There are definitely no files here that are hidden…

     
  429. Alex
     

    Changed the hosts file. Worked great. Thanks!

     
  430. Rebecca
     

    My “hosts” file can’t be changed without Administrative permission, even though I’ve tried both accounts on this laptop.

    The file looks like this:
    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a ‘#’ symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    ::1 localhost
    #74.208.10.249 gs.apple.com

    Is there anything wrong with the last two lines?

     
  431. James
     

    Thank you for the post. It is very informative

     
  432. Paul
     

    I seem to have the redirect problem as well. I have tried many things to no avail I have done virus scans with malwarebytes, avg, avast, hitman pro, spyhunter, spybot and ran TDSSKiller and combo fix (tried what I can in safe mode as well). Checked the host file and the router, but can’t find anything. I ran hijackthis and it looked ok as well. The problem started with firefox, so I deleted that in tried chrome. It doesn’t seem to happen in IE, but my IE seems to be missing pictures (the google logo doesn’t show, various icons and things on assorted pages, etc). I also seem to get “you’re about to leave a secure connection” message an excessive amount of time.

    Any help or suggestions would be greatly appreciated. (I’m pretty technical, so can handle most manual tasks).

    Paul.

     
  433. Peter Rosenberg
     

    Thank you. This worked. http://www.google.com was being redirected to a Microsoft website. Norton Antivirus found nothing. I folowed your steps and in the end it was an IE add-on.

     
  434. Rock ON Society
     

    Download COMBOFIX.EXE its the only way to fix the google redirect virus.

     
  435. Heero
     

    Oh wow! You’ve helped so many people, it’s actually kind of mindblowing! The sheer effort into responding to these people’s requests for help in diagnosing the problem. Kudos! Kudos! Kudos!

     
  436. AFITgrad86
     

    This is a FYI. I am having many of the symptoms described by Paul above. After significant trial and error over a 2 day period we (my IT Person and me) determined this behavior was associated with a rootkit virus. The actual detection was very tricky. We finally identified it using a renamed copy TDSSkiller from a USB drive. The problem software was identified as Rootkit.Boot.SST.b – one very bad hombre.

    Unfortunately the clean option did not work. The next step was to create a boot disk with GPARTed on it to locate and delete the infected partition. The jury is still out on this fix as it takes quite a long time to run.

    The fix is discussed here: http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/td-p/588858

    Hope this helps shed some light on Paul’s issue.

     
  437. tidy car
     

    So i’m having the same issues. Not sure if it was answered already but i have vista and there isn’t a host file only an imhosts.sam. Is it the Same? Do i create a host file? Also i turned on show hidden files just in case and still, there wasn’t a simple host file.
    Thanks in advance

     
  438. Tom
     

    Hi, I have the redirect problems. Ran through all the steps, scanned with MS security essentials, TDSS killer, est nod32, hit man pro. Nod 32 detected “operating memory >>rundll32.exe(3508) – probably a variant of win32/ponmocup.AA Trojan – unable to clean” any ideas of next steps?? Many thanks.

     
  439. Shante
     

    I’ve had the redirect issue with google chrome, uninstalled, and tried internet explorer and same issues with google search. My host looks like this…should i delete last line or is it fine? also, when i try to login to gmail, it keeps saying my cookies are disabled, but they are enabled. any relation?

    # localhost name resolution is handle within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

     
  440. Shante
     

    The date settings are fine. All my websites that require cookies are not working. I cannot log into twitter on my laptop, it says theres a technical issue, I can’t log into gmail, it says the cookies are disabled but in my settings they are enabled. Also, I keep getting redirected to other sites when I google and click the links. Alot of times i will see redirect-ads.com i believe that is the website that pops up before it sents me to another unrelated site. Is there a way to delete this virus? I’ve dont system scans with Malware Bytes Antimalware and deleted the viruses it has found…However the cookies issue still occurs and I still get redirected.

     
  441. Jeff
     

    I am having redirect issues in both Google and IE0 on Windows 7 64 bit OS. I deleted the #::1 localhost line within the hosts folder (as an administrator in notepad), but it did not make a difference. Should I reinsert it (based on your recent response to Shante)? Also, I found no viruses using my installed McAfee virus scan.

     
  442. Jeff
     

    Can I use the trial version or do I need to purchase the full version?

     
  443. Patricia Prewett
     

    PLEASE REMOVE BLEKKO, IT BLOCKS MY GOOGLE. I NEVER WANT IT ON MY COMPUTER AGAIN!!!!!!!

     
  444. Darius
     

    Everytime I go to google to search for something, it always redirects me to Bing and I can’t search for anything from that point on. I use Prevx for my anti-virus, and it’s always popping up showing that I have some type of malware to remove…….Can you help me to solve this problem?

     
  445. Darius
     

    Where do I go to check browser extensions. Also, I use IE for my browser.

     
  446. Jeff
     

    Giedrius

    I ran hitman pro and it quaranteed a couple files and that fixed my problems. Neither Google nor IE9 are being subjected to hijacking now. Thanks very much!

    Jeff

     
  447. ally
     

    @admin
    im having trouble opening lspfix it says im missing a file but i manually went to the file and its there is there something i can do myself or can i fix the lspfix i dont know how to run under admin win7 im not sure what the lspfix is suppose to do

     
  448. Sherri D
     

    Combo fix worked while all the other solution options didn’t. It took about a half hour from start to finish and well worth every minute!

     
  449. Amy
     

    THANK YOU THANK YOU THANK YOU!! I opened the fedex virus this week and malwarebytes and ccleaner did not do the trick. It was not popping up windows in ff but my browser was VERY sluggish so I opened task manager and saw it was popping up various random application websites one after the other contained there. Killing processes did not work. What finally did was going through your steps and when I got to the add-ons in ie and disabled those disguised as microsoft, it finally stopped. I will FOREVER love you. I just started school and also work two jobs and the computer was my livelihood. You have saved my life.

     
  450. Kalpana
     

    Thanks a lot this helped me to solve my problem

     
  451. Brian
     

    I have the redirect virus where the web server, be it chrome, explorer, or whatever that is the default continues to open unprompted going to google. Obviously google does not work and just refreshes when you try to type anything. I just ran hitman pro 64 bit and it found one threat but it did not fix the problem. I have tried spy hunter, malware, tdskiller and a few others but they do not detect anything. Even when I open in safe mode the web browser continues to open to google unprompted. Any help would be appreciated

     
  452. Brian
     

    I ran adwcleaner and it seemed to work for a little while but now it is back to constantly opening browsers again. Any other suggestions?

     
  453. Rog
     

    @Giedrius Majauskas (admin)
    Don’t know whether this will help others or not. As admin suggested I checked host file and it looked ok. Then noticed in the etc folder a file called lmhost which looked similar in wordpad but with alot of other stuff in it. I moved it to wastebin and have not experienced any redirecting in Chrome since. Been ok for 2 hours now Fingers crossed.

     
  454. James Krstich
     

    You would think Google would go out of there way to protect the way they make money. Or those that pay google, would get really out of sorts when there page is never brought up. Why pay some one when they don’t provide the service.
    unless, it’s part of the marketing. lead them to pages,us,that are not there search, lets say ten times, the just might hit on something. Time number eleven, Oh my the page you have been clicking on.