How to fix Google Redirect Virus (browser hijacker) problem
Google redirect virus is a browser hijacker targeting google and other search engine search results and redirecting user to infected pages. These pages can be porn–related or full of advertising banners that make creators of this parasite money. Also, these pages might force you to pay something or give away your bank account details. Thus Google redirect virus is quite dangerous.
There are couple different streaks of Google Redirect viruses, and some of them might require heavy scanning with reputable Anti-malware solution like NOD32 Antivirus, Kaspersky, Spyware Doctor, Malwarebytes. Sometimes Google results Redirect virus even blocks reputable sites and it is tough to download automatic software. However, there are couple easy steps to solve less complex problems.
Note, that before trying to fix other things, you are suggested to scan and check if anti-malware programs can identify more precise reason of Google redirect hijacker. We recommend Spyware Doctor, Malwarebytes Anti-Malware Hitman Pro for this task. You should always scan after performing all these steps as well, as doing anti-rootkit scan might reveal trojans that were hidden due to other infections.
Steps 1-6 deals with regular hijacking of search results that are due to malicious settings or plugins. Steps 7 and above deal with malware infections that result in Google redirect virus symptoms and are more difficult to detect and fix. However, If any of antivirus programs are stopped from execution this means malware infection and you will have to scan your PC with anti-virus and anti-malware programs.
Step 1. Check your hosts file for malicious entries.
Hosts file resides on C:\Windows\System32\Drivers\etc\hosts
Where Windows is your windows installation directory. On windows 7/vista, you should open your hosts file with administrative privileges. Google Redirect virus symptoms might be result of malware adding malicious entries to this file and are removed easily as well.
Hosts file should look like this: (open the file with Notepad)
If you see more lines of code and IPs, you should delete these, especially if they rewrite google or Microsoft subdomains. This is a sign, that you either had or have infection on your PC, as this file can not be accessed remotely usually.
Step 2. Check DNS (Domain Name Server) settings
Domain name servers are used to determine what server to access when opening website addresses. Hijacking these settings would allow hijacking various websites including search ones.
1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
3. A window will open, then select Internet Protocol (TCP/IP) and click Properties.
4. You will see a window like the one below – this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically”.
5. Click OK to save changes.
Step 3. Checking your proxy settings on Internet Explorer
Proxy server settings can be used to implement Google search result hijacking as well. This is simple to fix too:
1. Launch your internet explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings
3. Unselect everything or enter parameters that were given by system administrator.
4. Press OK.
Step 4. (Optional) Check your proxy settings on Mozilla Firefox
1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open Network tab. Then, press Settings button.
3. Select “No proxy” or enter parameters that were given by system administrator.
4. Press OK.
Step 5. Check your IE add-ons
If your browser is hijacked in IE only, check IE browser ad-ons. Note: there are malicious plugins that affect both IE and firefox and result in Google redirects in both of the pages.
1. Launch your internet explorer.
2. Tools->Manage Addons
3. Disable all unverified addons (there might be some useful ones, but better re-install them later).
Delete all ad-ons that look spammy/unknown
Step 6. Scan for malicious parasites with spyware/antivirus removers:
1. Spyware Doctor
2. Malwarebytes Anti-Malware
3. NOD32 free trial
Step 7. (Optional) Repair Winsock 2 settings with LSPFix
Download LSPFix
Step 8. If you are still have search engine redirection, it might be tdss or similar rootkit
Although step 6 should detect majority of google redirects of that kind, sometimes it is useful to use a more niche tool. TDSS and Zero Access rootkits both cause redirection symptoms in some cases.
For this specific rootkit a remover can be downloaded from here : support.kaspersky.com/downloads/utils/tdsskiller.exe. Together with TDSS, it might be a sign of rivaling, ZeroAccess infection. Both these rootkits require dedicated programs for removal, and might require alternate OS scanners in worst case.
Step 9. It might be Cycbot infection
Cycbot is one of the trojans that result in browser redirects.
Typically, many of antiviruses detect Cycbot infection successfully. However, you might want to use our manual removal guide for Cycbot to identify and stop infection.
I am getting google redirects. Spyware Doctor and MbA-M caught nothing
I tried to my hosts file, but it would not open in notepad.
Also, your sample is 1k and mine is 289k. Is that excessive. Also, I have a hosts.20090204-121117.backup file Sounds suspicious.
thanks for any information.
Typical host list is small! Try replacing it with ours! Or search for google in it and delete all the lines related to that.
Hi
I changed,(after show hidden files), the to read and closed 7 rebooted, returning to hide files again.
From very slow & constant redirects >>> now none & supa fast, as usual. Either in SlimBrowser or IE ;<)
@admin
I can open the file with notepad and see that there are several other lines of crap but how can I change the actual file “hosts” I can save it in etc as a notepad text document but how do I effect the actual file?
Thanks for your help
hosts file is text one. You should be able to change it with notepad. However, on Vista you need to open it with administrator privileges, or you will not be able to save it .
Thank you so much for this, fixed the problem!
Cheers!
MArianne
THANK YOU! I’ve been trying for weeks to get rid of that stupid virus. Now my computer is working normally and I can access Safe mode again.
my etc file isn’t in the drivers folder. Is it hidden?
It might be. What OS you have, Johann?
@admin
Can you explain a little more about vista. Because I have Vista and I delete the extra lines and try to save it but it won’t let me. Please help. Thank you.
Jin: search for notepad and right-click on it. There will be a choice to start as administrator. Then open hosts file.
My notepad looks exactly like the one on here (after I edited it) but this keeps happening. I have tried 4 different softwares so far, it hasn’t fixed it. My last option would be to reset my whole computer. Is there anything else I can do before going to my last option?
Jin : do you edited as administrator? You need to RUN notepad as administrator, or it will not save.
Was getting Facebook logon redirected to Pricegrabber.com…..removed entry below the 127.0.0.1 Local Host entry and all was well again! Well done!
My Host file is not in the folder. I am running XP pro. Can I repelace it with and Host file ?
My hosts file in 374kb large… (lots of lines).
i have the default localhost & 127.0.0.1 entry
And after that I have these comments.
# Start of entries inserted by Spybot – Search & Destroy
……
….& thousands of others….
# End of entries inserted by Spybot – Search & Destroy
I think it’s legitimate, and it’s spybot’s “immunize feature”. I ran spybot search and destry last night and the redirects have gone down significantly, however I spotted one redirect today. Which is annoying.
Karim : Yeah you are correct. However, Spybots immunizer is crap : it focuses on adware sites mostly, some of them even legitimate advertising sites (that pays for free sites you are visiting). I can’t say they fight malware distributors successfully, as these use different tricks.
You should check proxy server that is set in your browser. Maybe there is something fishy ?
@admin
I am having the same problem with the redirects – how to you check th e proxy server?
Thank you very much. Some virus has overidden the host file in my computer. Deleting that solved the problem.
Thank you again.
great stuff thanks!
Hey thanks this helped a lot!
Please help me. This virus has taken over my computer and I cannot do anything. I’m not very good with computers and really need some help to get it off. If anyone can help, please get in touch
holy, my computer is at risk.
i tried all of this but nothing works.
i need a little help here admin.
also this thing is appearing in my screen.
“application cannot be executed.the file wuauclt.exe is infected”
now how can i fixed my computer??
I cannot open “notepad”. The virus doesn’t let me do that!
What should I do?
Anja : Start task manager and try creating new process. Type in notepad (you might need to enter full path to notepad application).
I am dumping all my pictures and other stuff into another drive and buying windows 7 will I still have these antispyware soft issues? I also may reimage the XP OS back onto the original hard drive after moving most things to another drive. This antivirusspyware soft thing locks me out of control panel program list and add/remove programs.
The virus doesn’t appear to be too severe, as it only affects my search engines; however, I would like to fix it. Nothing significant was caught when I ran Norton so I tried looking at the host list. The only line after
# 127.0.0.1 localhost is
# ::1 localhost
10.254.254.253 AFS
Should that be deleted? And how do I open it with “administrator privileges”? I am trying to avoid downloading more anti-spyware and anti-virus programs. Is there anything else I can do?
Anna : these lines look harmless for me. Check your DNS settings and proxy. If it fails, you might resort to scanning with anti-malware/antivirus tools
I have a friend w/a Dell PC (unsure of model). She (or tech support) acciedentally downloaded Live Security Suite, and now we can’t get anything to work right. How do I remove LSS w/o wiping out the system, or her taking it and spending her life savings on getting it fixed or a new computer?
i m currently doing everything also ran spyware doctor but my browser ie8 keeps shutting down within one minute of launch. how do i fix this? of course i have the google search results redirection problem as well. can this be fixed atall?
Rayan : check plugins first, disable everything you do not need. If this does not help, you have trojan process already, and need to get some scanner. Download them on uninfected PC and move using usb flash drive or network share.
I also have an Everex Stepnote Laptop that is very slow no matter what we do, and almost every time it is left alone, the screen saver “freezes,” and nothing works except to shut it down by the power button. Any suggestions?
Chris : its more like it is hardware/driver issue than virus.. But a scan with malwarebytes/spyware doctor would not hurt
Thanks! finally got this bloody redirect off my computer, I’ve been using bing for almost a year!
Thanks again!
… My Host File doesn’t have hardly any of the things in the ex:picture… ALL it has are things that the step says i should delete,,, it has google in the file and bing… With i.p’s
x64-Vista:
Delete these lines mentioning google and bing in hosts file – these are fakes. Typical good hosts file should be empty with some exceptions.
I’ll try that if it works thank you soo much… im not good with computerz
Umm there is no option to run as admin and it wont let me save? Help plz
x64-Vista Search for notepad in program list and righ click on it. Tehere will be an option to run it as administrator. Then open hosts with it.
@admin
Do you need to reboot after removing the lines from the hosts file?
What worked for me was to disable all of the unverified add-ons in IE. Thanks!
When i try to change the Hosts File it wont let me i even ran Notepad as admin…
Hi: Try launching task manager and stopping strangely named processes first. Maybe your virus is observing hosts file. You might try to modify it in safe mode as well.
Hello,
My problem is the google redirect virus.
I have xp I found the host file mine is 400kb is that normal? I see a loot of google files is it safe to just delete these and will they come back?
After i delete the google stuff do i reboot or what?
so ive read through alot of this. my hosts file looks nothing like that and it has only yahoo and google urls and no localhost one so i tried to delete them and put that in but it says unable to find. its not saved as a txt document and it wont let me change it and when i open notepad as admin the hosts file is absent when i go to the same spot. i also tried everything else on here and none of it did anything. p.s. i have vista
Madge : choose Show all files (not only txt) when opening hosts file from administrator notepad. By default, notepad lists only files with .txt extension, but in hosts file case it is none.
I have the “live security suite” rogue malware. Won’t let me do anything. I have tried to run several removal mbam, spybot, etc Everytime I try to run the downloaded file I get the following message “Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.” I am in safe mode with networking and signed on as administrator. I have tried downloading to fly drive and accesing it that way same message, I have also tried changing file name same problem. Went through steps to open notebook and won’t let me do that either any suggestions?????
Laura: This is separate problem. You should kill live security suite processes before executing any of files, and (maybe) fix registry, that does not allow executing programs. To do so, start task manager right after being logged in. The Live security suite will load quite fast afterwards, so you have to hurry. Press CTRL + shift+ esc and wait. Go to processes tab, and look for processes that should not be there (typically, names are random letters). Stop them. Then go to File ->New task and enter full path to antivirus executable on hard disk. This should allow launching antivirus and removing everything. Later you might continue with removing redirects.
Nothing is working for me. I have been reading posts for the past few hours, and have removed viruses in the past, but this one is givin me a run for my money. I manually deleted the virus files themselves, but still cannot get on the internet. I have done everything listed on this page regarding proxies and whatnot, but still nothing. I have searched for the registry files, but being that I never actually clicked the virus to run a scan, I don’t have any to delete. I am at a complete loss. Computer works fine, just cannot get online in any way.
Jesse: you might need to install antimalware tools using usb drive. There might be a cases where virus inserts itself in other locations, for example in drivers. Though it is very rare. The guide covers majority of common cases of broken internet connections due to infections.
Thank you so much. My host file was the problem. It was completely rewritten and had and IP that was no mines and it keep repeating itself on every search engine. I just delete the whole thing but hosts is still there but nothing is on the notepad. I can use the search engines now but I will restart my computer and see if the host file will return back to normal. But so far the hijack is gone. Thank you so much.
wow soooooo good its working again after so much stress .. tried 4 different malware programs not even norton picked it up .. thank you so much for your step by step procedure without it i would never of figured this one out … i wanna kiss you
Ok I got this after I got AV Security Suite
I did all of that and scanned with AVG and IObit Scanners but the problem wont go away on Firefox
No proxies on either and auto DNS
WHAT DO I DO!
And you guys can protect the hosts file by putting it to Read-Only
Found that out not too long ago
Alexander: Check add-ons in firefox. These might be infected as well. Also, neither IOBIT or AVG are good: Iobit uses ripped off malwarebytes database ( at least partially), and AVG (free) lacks rootkit detection.
I would recommend scanning with Spyware Doctor, Malwarebytes, Spybot S&D / AVAST or Avira
OKAY I will try…
I looked at my Plugins and saw Pando…
and I’m like “whats that” no info, no homepage, nothin… I disabled that (hopefully that works)
I did have Spybot before and ill run it again as soon as I get it again…
I’m also thinking about getting this Spyware Doctor cuz it seems useful
I did Spybot S&D and it found a ton of things(types were malware(c)and Security(c) and a couple hijackers from files in the registry) but somehow I’m still getting the hijacker in Firefox only(ugh). I really need to get rid of it
and Yes I ran 1 scan,restarted and scanned again + my dad scanned on his account
I’m going to try to scan and look over EVERYTHING
Any suggestions…
Links the thing is taking me to:(ADS SPREAD LIKE AIDS!)
[We do not allow links to malicious sites to prevent infection of other readers]
Alexander: Save your firefox bookmarks. Close it. Go to firefox data folder C:\Documents & Settings\[Username]\Application Data\…. On vista/xp (on windows 7 use C:\users\… instead) and delete everything. Then reboot, start firefox anew.
If this solves problem, this is the quickest fix.
Gah!!! I did all of that and I still have it!!! (and I have XP SP3 by the way)
Then you will have to scan with something else than Spybot. I would suggest Spyware Doctor, malwarebytes anti-malware, superantispyware. If only firefox is affected, and problem persists after deleting userdata, no problems in settings, then you have firefox-specific hijacker.
I got spyware doctor and it is scanning right now
Thank you for the help so far
threats so far
Tracking cookies-7
Spywere Known bad sites-1
Adware.Advertizing-1
Adware.searchit toolbar-9 (oh gosh lost my place Its done)
Trojan-Downloader.small.CML-6 (sounds like it)
Hijacker.dospop_toolbar-30
yeah thank you again for your help
ill see if it still happens
Alexander: I would guess it is Hijacker.dospop_toolbar-30 . Trojan.Downloader would be the one responsible of installing it
… I lost all of that because my computer froze…
I cant pay for it so I guess I just have to do another scan and remove manually…
I didn’t know you had to pay for it… oh well atleast it got the location of it
Well, Spyware Doctor has about 4x bigger database of traces than spybot as far as I have checked, so I know it can find more. I am not so sure Spybot S&D is updated enough to make it good solution for windows XP or latter users.
Thanks for the help I got it off but I think there’s still more…
I still get it but I don’t care not as many now AND! it just goes to google instead of the ads
YEY!
No problem, Alexander.
Just got done resolving a redirection — and worse – problem which was caused by a problem with our router.
The virus/Trojan had changed router setting to direct DNS searches to their web address. They returned bogus address.
Look into your router settings to make sure you’re settings have not been messed with. We ended up Restting the router to factory settings and reinstalled the router.
I have windows 7 and just got the virus/trojan myself. However, I cannot open ANYTHING. Not even task manager. I can open programs in safe mode, but how do I remove it from there?
Mark : First you will have to remove viruses. Disable the proxy server, download Spyware Doctor or malwarebytes, do a scan, remove stuff it finds. Do it in safe mode. Then reboot, and try to finalize checking the connection.
The issue with facebook redirecting to say pricegrabber isn’t always a virus or malware.
Linksys routers are sometimes the culprit…a fix that may help for some people (specifically using linksys wrt160n or any other linksys router).
Network Connections > Right click your connection > Properties > Select TCP/IP > Properties > Set your DNS manually (see below for what DNS servers).
To determine the DNS servers to input here: Get to CMD Prompt > IPCONFIG /ALL > You will see 2 IP’s under the DNS Servers section > Enter those 2 numbers in the TCP/IP DNS configuration.
I use OPENDNS, which is configured on the router and now manually set in the tcp/ip, and have never once seen this facebook redirect occur again.
James: Completely true. People should change their router default password in all cases.
i have the google redirect problem (xp),have tried all the the advice,but still have the problem,in the host file its only has 127.0.0.1 local file, nothing else,could this be the problem?
anthony: your hosts file is clean. Check add-ons and proxies. Also you might want to try specifying different DNS servers in your internet settings, set them to google ones (8.8.8.8 and 8.8.4.4 ). Sometimes the router is corrupted instead of PC and this might help both in cases of malicious DNS or malicious router settings.
Hello.. Emmm I dont know when “Security Master AV” was downloaded in my PC.. After that at regular intervals i get pop up windows asking for healing the viruses and buying the software.. I want to delete the above program/software.. Its really annoying.. Can u pls help!
Regards
Bhakti
Mine is only redirecting Google chrome, not IE. Will the same steps above work? Is there something else I should look at?
JABAD: You need to reset connection settings in chrome. This is done going to Tools->Options->UnderTheHood -> Network->Change proxy settings.
Also you might need to disable chrome addons that are malicious.
Reset to defaut? There is no proxy enabled, so that is OK.
I checked add-ons and see nothing that looks too bad. I disabled three that looked unfamiliar and nothing changed. Should I disable all add-ons?
JABAD: This might be rootkit. do a scan with http://support.kaspersky.com/downloads/utils/tdsskiller.exe
Also make sure your proxy settings do not use system defaults. it should be set to No proxy. There are 4 settings in chrome.
Google web redirection is due to virus infection. Especially Rootkit infections.
Try to run TDSSKILLER from KASPERSKY LABS.
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
For more information,
Visit the site
http://support.kaspersky.com/viruses/solutions?qid=208280684
Download “Dr Web” (free). ‘Quick Scan’ identifies System32 HOST file. Restore original …bingo!
Ecosseman : System Hosts file is only one of causes for this problem.
ok when i open up my Hosts file i have right uder 127.0.0.1 Local Host a ::1 localhost do i have to delet that host or what and i have windows vista how do i get to my local network
Leo : No, it looks clean (an IPv6 address for localhost).
Hello again all
I am back for help
…Still have the virus redirect
Has any way changed to get rid of except the Rootkit thing (which I am doing now)?
Alexander: Check your router settings as well, and try to enter DNS settings in your internet connection manually. SET them to 8.8.8.8 and 8.8.4.4. Sometimes routers are infected instead of PC.
okay I did rookit and no more google but I did get pop-ups and I cant access some sites
and erm how do I check my router settings (XP, service pack 3)???
Alexander: Update and do a scan with same tools again (Spyware Doctor, malwarebytes, etc). Rootkit might have hidden/downloaded other processes. I would say this time it is not router.
For checking router, do a following: See what ip your PC got, and which gateway it uses. Then enter that gateway address in your browser.
I did rootkit and Spyware Doc and rootkit got 8 or 9 things out of it
How can I check the IP and Gateway? :/
Look at the image in the step in 2.2 of this guide. There is a menu. Choose Status instead of properties. There you will see gateway server. usually the IP for it is 192.168.1.1 or something like that. If you are connected to the internet directly (no router), then this does not apply to you, and you have to look for virus in your PC.
I got my laptop as secure as I can. Runs Win7, has kaspersky 2010 Internet security suite as well as malwarebytes. My browser redirect (facebook -> pricegrabber) problem was down to what James said. No viruses or spyware were reported, even checked hosts file. I did have ::1 Localhost which is also a valid entry.
Have to thank James for his tip on DNS settings as that has done the trick. And the router I am using? WRT160N. Arrrgh!
Admin: I think you should change your original post and point to what James has said if one does not find any of your suggested issues.
Rocki : We are working on it. We are planing on adding a guides how to restore infected routers back to original settings (as one could do some nasty things even when DNS settings are fixed in the PC). I would recommend restoring router firmware and changing password on the router.
I have in my hosts/etc file:
127.0.0.1 localhost
::1 localhost
Should I delete the :: localhost?
Fran : No, it is IPv6 address of local host. Perfectly normal. Your problem is somewhere else. At this data (August 2010) , proxy server and tdss rootkit are dominating causes of redirects, followed by infected routers.
It happens to me no matter what search engine I use and the only add-ons installed in IE are 3 Java ones.
No redirects!
Thanks a ton
Please help I did everything listed and it’s still redirecting me with every search engine and both firefox and IE.
Have you done full system scan with Spyware Doctor? Have you checked your router? Have you runned TDSS cleaner?
Hi, my friend has a Dell laptop, running Vista. The virus is Security Suite and seems to have infected lots!
Please could you explain the above (in a more dumbed down version) she can’t afford to send her laptop to be repaired.
I was thinking of downloading the spyware to my hardrive and then installing it on her pc, but won’t the virus spread to my hardrive?
Thanks for your help!
Lucas: we have a removal guide for security suite here : http://www.2-viruses.com/remove-security-suite
Thanks for the great article.I had the hijack virus.Not only that it was blocking my spybot S&D andother malware programs from even running.I went tru all the steps but have to say #8 was the one that found & fixed the problems..
Thanks again..
Has anyone had to deal with this with Chrome yet?
Freeforce : it is quite straightforward. In most cases problem is not chrome specific, but you can check Customize and control->Options->Under the hood -> Change Proxy settings ( It uses IE settings)
Also, you can check Customize and Control -> Tools->extensions and disable all unknown extensions.
Everything else is NOT chrome specific, thus the guide should apply.
I have downloaded AntiSpy Safeguard on my computer; I want to remove it but I have no clue. Can you please help me
I tried almost any available malware, spyware, rootcleaner, etc. software, but the only thing that helped me with this annoying Google search results redirects was editing the host file. One should enable file extensions from folder options, then copy the host file content (the desired clean content) into notepad, save it with “hosts.txt” file name, then delete the old hosts file with let’s say Unlocker and finally delete .txt extension from your created file and voilà you have new nice and clean hosts. Hopefully this will work for you.
Please help me about that
Edintrouble: read our specific guide for AntiSpy Safeguard
do i have to connect to internet when checking on the host file?
Syn: You can edit hosts file offline.
the host file ending with
::1 local host
it is alright then? if nothing wron with the host, how can i removed the antispy safeguard? im not good in safe mood.
i did install tdsskiller.exe, but the scan doesnt detect anything. the spyware doctor detected some malicious file but i can removed those files unless i buy the full version. is there another way?
syn:
::1 : ok, it is for IPv6.
You can delete these files by expanding the detection results, checking the file location. Then delete file. Just make sure to fix registry as well, as in some cases malicious files are referenced instead important system processes. It would be best first to start msconfig and disable the malicious files from starting up, then deleting them.
ok I did steps 1 and 2 but i cant do three! help!
What stops you from disabling proxy server? If it reappers, then skill to steps to download removal software, as that is sure sign of malicious processes on PC.
I worked on three computers that had this same problem:
Windows 7:
I logged in as another (administrator user and ran MS Security Essentials, then logged back into the infected side and turned off the Proxy server setting:
Internet Explorer -> Tools -> Internet Options -> Connections tab
LAN settings button: clear all the check-boxes. (Do this even if you do not have another user login). The proxy server was checked only in one out of 3 machines I helped with.
Find the AppData folder of this user (with infection) and delete two *.bat files and the *.exe file in the AppData folder.
Windows Server 2003 (similar to Windows XP):
Find the Application Data folder for the user (under Documents and Settings and delete any *.exe files there and the *.bat files.
NOTE: You might find EXE files in the AppData or Application Data folders that belong to Google, Adobe etc. If you see any UNINSTALL programs there run them and then take out all remaining files. (I don’t think these are essential programs.
Find the TEMP folder of the User’s folder and delete all the files there. The EXE file that generates new names is there. It is called by the BAT files o do this. The one I found is ‘e.exe’.
Good Luck and let’s hope FBI catches those who gave so much misery to people are caught, fined and jailed for the rest of their lives. (It’s not hard to find them, FBI)
Hey! I had this same problem and got tricked into getting the free version of AntispySafegaurd! But Just simple Compture Restore saved mine. Just set it back to a time before you used the spyware (I set mine to a month back even though I only had this problem for a week) Its very Simple and now my compture works fine.
Good Luck!
P.S. AntiSpySafe Gaurd WILL try to restrict this. But just click the “Continue UnProtected” until it allows you.
i need help, im very confused
Thank you so much! I tried everything. I searched everywhere. NOBODY helped me. All it took was the notepad trick. You’re awesome!
I lied. I thought it was fixed but after leaving you that comment I went to google search again and the same stupid redirect happened. Help?
Try disabling proxy server, do a scan with some anti-malware tools, and check if you got TDSS rootkit (run TDSS Killer). See your router settings as well. Generally, try doing the whole guide.
I have done the above steps. My host file has no other lines other than what you say should have.
I am still getting fake microsoft alerts. My google search on this problem gets redirected, using firefox.
I have followed the steps on this website http://www.2-viruses.com/remove-fake-microsoft-security-essentials-alert and found nothing. Also rebooted my pc with aoss scan http://www.pctools.com/aoss/ and scan with malware byte but it found nothing.
After all these, I am still getting fake microsoft alerts
what else can I try? I downloaded spyware doctor but I have to pay for it. Is there any other free software that I can use?
Kaitlyn : Try Malwarebytes or SuperAntiSpyware. Malware mutates, so no tool is 100%. If SD does not detect particular parasites, It will not remove it in full version probably till next update. Also, have you run TDSS Killer?
I love you guys, just thought I would tell you. TDSS killer and the Malwarebytes totally cleaned my computer and got rid of this and other problems. Thankyou for making my life so much easier.
After wasting time using many different anti-virus apps this was the one thing that worked! Thanks
I have thinkpoint have no idea how it got on my computer. I have norton and it says nuthin at all is wrong. I’m runnin windows 7 & I need to know how to get it off it won’t let me online or on anything really I got the task manager to work and that’s the only way I can get online and I have to use my safari cuz it won’t work with explorer it got on my comp last nite somehow and I need help removin it before it gets too bad oh btw was on the phone with a lady from compaq for 3 hours she did nuthin to help she just tried to sell me a recovery disk for $30
plzz help me I know nuthin about these things
Sebrina: read Thickpoint removal guide. Disable proxy in your other browsers and try searching and deleting file hotfix.exe under your user folder (one level above my documents).
@admin
This sounds exactly like the virus that I have on my other computer. Not sure if you are familiar with “youcansearch com” but I keep getting directed to that site whenever I try to use another search engine. I have used Malwarebytes Anti-Malware, but nothing seems to show up. In searching on how to get rid of it, I found a site that told me to delete all the files under the etc folder (… ). Here, you say to delete only specific lines from the host file. Can I do either?
I do not recommend deleting all the files from there. They are created by windows for a good reason
Just delete additional lines if there are any. If not, virus is somewhere else.
Assuming that the virus is not in that location, what other locations do you recommend that I can check?
Go through full guide. If it is malware, any scanner will help significantly, as it could be anywhere. If its settings only, then it will be either DNS server settings (in router or on PC), proxy, or hosts file.
I will be sure to check everything. Thanks for your help!
Hi, so I know that you said that in order to save the host file you’re supposed to open it as the administrator. I know for a FACT that I am the administrator, but I still cannot save the host file. I always tells me to “contact the system administrator” and then it tells me to save it as a text file in my Documents. What should I do?
Tram:
Are you on Vista / windows 7 ? If so, you are not running as full admin all the time, even if account is administrators one. That is called UAC window. If a program is launched without elevating the permissions, it will not be able to receive these permissions latter on. That is why it is important to open the file as administrator.
Neverless, there are forms of malware that change file permissions. For that, you have to right-click on the file and change its attributes.
Yes I believe I am on Vista. But the thing is, when I right-click on the host file, the “open file as admin” is not available. It just goes straight to “open” and then asks me what format I want to open it as. Since I am not really computer savvy, how would I change this?
Tram: You can not open hosts file as admin. You can open Notepad first (as admin) and then from notepad open hosts file.
Hi…I have read thru all your fixes…even tried kasperspy…I did a fresh install of windows and STILL have the redirect….i have tried all the programs….avg.malware.super.adaware…a list of em and they find nothing…any suggestions?….it is IE and firefox not just one…thanks so much
Randy: Check your router and DNS settings. Then again, it kinda depends when you get redirects: all programs or specific browsers.
Hi, I had the redirect virus and I did your fix steps and now i don’t get redirects anymore, which is great, thanks. (however, my hosts file was perfectly in tact.)
The problem I am still having is that every time I open my internet browser (either IE or firefox), usually after restarting my computer or waking it from sleep mode, my proxies are changed and my internet becomes unusable.
Something keeps changing my proxy settings to “Manual Proxy configuration:” (on firefox, for example) and I have to change it to “no proxy” every time if I want to use my internet. What would be causing this and how would I fix it?
Thanks.
EDIT: It seems to be the act of opening the browser that re-sets the proxy settings to the setting that won’t let my internet work (Manual Proxy configuration)…. if that helps??
Jason: Your problems are due to some virus process. The usual suspects are TDSS Rootkit (Have you scanned with TDSS Killer? ) or similar. What I can recommend is doing some more anti-malware scans. I can recommend Malwarebytes, Spyware Doctor, and, in this case, Hitman Pro http://resellers.hitmanpro.com/9182137/HitmanPro35.exe .
I just scanned with TDSS Killer and there was no problems. Also I checked my Device Manager under Non-Plug and Play Drivers and there was no TDSS there. I have done approximately 20 scans, including scans with many different types of trusted scanners (including the ones you recommended) as well as boot scans and scanning in safe mode.
However, every time I open my browser my proxies are changed. My hosts file is fine and unchanged, my DNS settings were originally changed, but since my fixing them they haven’t changed back (unlike my proxy settings). What could be causing this? It’s very annoying and it is slowing down my computer quite noticeably.
Thanks again.
EDIT: I just reinstalled Firefox. Now whenever I open my browser (either IE or Firefox) my proxy settings are unchanged! So I guess the virus was affecting some sort of Firefox file itself? I don’t know… Does this mean the virus is gone? or..?
Jason: It might be a case. There might have been some sort of FF add-on, written for this purpose that is yet unknown for scanners.
@Seth
Ok, to do this correctly, select sll the things you want to keep, and right click, and look for an option that says: Scan with [your virus protection if you have one] and scan, then move to disc.
I download but I dont know how to fix it help me.
I downloaded spybot and ran a search. I am no longer redirected to spam sites from google searches but I still cannot open firefox. I opened the wordpad host document and there was nothing unusual. I went through all of the other steps as well, except changing firefox’s settings, because I cannot open it.
Rachel: Spybot in my opinion is severely slow at updating definitions. Your problem is due to infection, and not malicious configurations. Try using couple other scanners: Hitman Pro, Spyware Doctor, Malwarebytes, SuperAntispyware.
Actually I am still being redirected.
Malwarebytes caught nothing. Spyware Doctor found things but because it is the free trial, I cannot do anything about it. I will try Hitman Pro and Superantispyware. Could this infection also be disturbing the connection between my computer and printer or is that an unrelated problem?
Expand SD detected items. See the file location. In many cases it is safe to delete or rename detected files. In some cases you will have to modify registry keys.
I used Hitman Pro and Superantispyware. Both of them found things and deleted them, but I am still being redirected. On the upside, firefox now opens. Its proxy settings look fine.
I been reading through you article and avg and malwarebytes dont pick up the virus of rootkit. Whenver i visit a legit site to download himan pro or superantispyware my mozilla firefox freezes. i heard about it might be a router issue or i should use tdsskiller
Anon
Yes, TDSS Killer is good approach. Try changing DNS servers though and check which DNS servers your router uses. It happens, that malware infect routers, especially ones with default password for that model.
thanks tdss killer did it then i used malwarebytes to scan. =)So do recommend changing the password on my router and which anti virus/malware/spyware product that in the future can get rid of problems likes this.
If it was TDSS Killer, then your router is likely unaffected. However, it is bad to keep default router password, so if you do, change it (just not to aaaaaa, 123456 or password, the most popular and automatically attacked combos). I recommend getting internet security level of protection for every PC: Eset Smart Security, Kaspersky internet security or PC Tools spyware Doctor with antivirus, or any other from major makers. If not, get Spyware Doctor or Malwarebytes full running with real time protection together with decent antivirus. That should reduce risks of getting infected significantly.
I had this issue and it turned out the dns settings had been hijacked.
I returned them to google’s dns servers (8.8.8.8, 8.8.4.4) and everything is happy now.
I don’t think any malware removal tool will find this.
ty admin for the help
YOU are a god among men i love you you saved my computer experience thank you !!!!!!!!!!!!
the antivirus software alert wont let me open my host file. i found it but it wont let me open it. what do i do?
Will: This guide is more in cases of handling left-over damage of malware. If you have active malware attack, first scan with regular anti-malware and antivirus tools.
i have the antivirus 2011 and i have followed instruction concerning the hosts site, etc. I have downloaded spydocter but unable to execute. What next
Marshall: In your case it is malware based infection, and not malicious settings. Thus I recommed 1. Update Spyware Doctor 2. Try other tools (malwarebytes, hitman pro, superantispyware are good) 3. Delete it manually 4. Ask questions under its own guide : http://www.2-viruses.com/remove-internet-antivirus-2011
I just had the same problem. Malwarebytes and G-Data found that csrss.exe, dwm.exe and conhost.exe were all infected by a Cycbot.AC Trojan Horse. Gladly, NOD32 ESET just released an update TODAY where they counter this Trojan:
http://www.eset.com/threat-center/threatsense-updates (see Virus Signature update 5698). So, I recommend using NOD32.
My computer had been redirecting me to infomation-seeking.com ..im using window XP pro.so is there any difrences in steps?
I installed the program, but the system won’t let me launch it. What do i do?
Codey: read guide on how to disable processes or reboot into safe mode with networking.
I have ”security shield” and i think thats a virus.
How does it go away ?
Caus e my whole comp doesnt do it, cause then a ”security shield” browser comes
Jordy: read specific guide : http://www.2-viruses.com/remove-security-shield
I’m trying to follow this site, & in my eyes it’s complicated. i have no idea what i’m doing. i’ve never had a virus.
“Oh my god, no way” and “Congratulations, you won” audio will be heard along with re-directs when going thru Google links (especially this web site). The problems may not occur for 15-30 minutes, but they will return and are extremely random.
Downloaded Malware did get rid of alot of problems and I did all of the other steps herein however…..no luck. By the way, this particular computer does not have a “hosts” file in the “etc” path. Strange.
I’m gonna “bite the bullet” and re-install XP. Spending more than 2 hours trying to fix a goofy mal-ware problem is stupid. I’ll say one thing – whatever web-sites sponser these malware products should be shot.
No worries. I guess I didn’t do “everything”. I ran “tdsskiller” (as suggested). It found 1 problem and “cured” it and…….horrah. No more google re-directs, browser kills, and funny audio. Here’s hoping this problem has gone away forever.
Thanx for the information – beats having to re-build.
Carl: It is advisable to scan with other tools after TDSS got removed.
Do you mean like “Malwarebytes”? Or are you referring to something else?
Carl: Hitman pro, Spyware Doctor, Malwarebytes. Hitman pro is always a good choice, as it scans against couple antivirus databases. SD has bigger database (in my opinion) as malwarebytes, and is a part of bigger security suite. Though it is commercial program. And Malwarebytes is quite popular for good reasons to scan.
I scanned with Malware and got nothing; SD still reports 5 items:
Application.TrackingCookies
Tracking.TrackingCookies!Rem
Adware.Advertising
Spyware.Known_Bad_Sites
Spyware.TrusyHound!Rem
Also, there are several processes that seem strange. They are:
DLACTRLW.EXE
PDVDDXSRV.exe
ITMRTSVC.exe
I believe the first one (DLACTRLW.EXE) is causing multiple processes (with the same name) to be born. When they occur, silly sound bytes (as previously mentioned) are heard. They seem to come up randomly.
However the Google re-direct no longer occurs after TDSSKILLER was run.
I suppose what I still don’t know is exactly which Malware is one the PC. Does any of the above info help you in making that determination? Also, to kill those Malware items, is there something that is free that will do it? I’m a little cheap and don’t feel like paying the $30 bucks.
Carl: These SD detections are of low importance. I would do a scan with Hitman Pro and thats it.
Google the process names separately though.
Thanx for your help. It appears the “dlactrlw.exe”, which found its way into the “startup” registry key, was the culprit. After removing that entry, everything seems to be fine. The folks who own this pc will be checking to see if any re-occurrences continue.
I think i’m having the worst problem with my lap top I can’t access anything not my control panel the internet none of my antiviruses or anything….Basically all I can do is turn it off and on…..do you know how I can fix this???
Last known good configuration in boot menu after force shutdown would be an option. Also, try downloading and using scanners in safe mode with networking.
ok….what do you mean by good configuration in boot menu after force shutdown would be an option…Idk to much about computers….
Press power button and hold for ~3secs. The PC will shut down. Then power on, and there will be a menu.
I has my system attacked by antivirus8… bought spyware doctor and antivirus. Ran the software and removed malicious items it notified me of. HOwever. I can not get my MOZILLA FIREFOX TO LAUNCH. When i go to lauch i get
“About internet Explorer Emergency Mode” box to pop up and it tells me that malicious software has infected my PC and the browers can’t be launched. I have uninstalled and reinstalled both Internet explorer and Firefox and I still keep getting this error message.. HELP..
unbelivable in the add ons…. thanx a ton
I disabled IE7 addon “Research” and now I don’t seem to get redirected any more (have to test longer though, because it did’t happen each time anyway…) Thanks for the great guide!
I had “Security Shield”. Removed it with CCcleaner, RKill and Malwarebytesantimalware. Then Google’s been directed to Findgala. C.WINDOWS>System32>Drivers>etc> all files are there, except HOSTS file is missing. Used Spyware Doctor, found: RogueAntiSpyware.WindowsSecuritySuite(13 infections), Trackware.Tracking Cookies!rem (24 infections), Adware.Advertising (10 infections), Spyware.TrustyHound!rem (1 infection), Application.TrackinfCookies (15 infections). Spent 3 days trying to get rid of findgala to no avail. HELP..
Billy: Check other things in this guide. Run TDSS killer as well.
Ran TDSS killer as suggested. Took 22 seconds and result was no infections found. In-depth scanned with NOD32 Anti virus, no objects found infected. Did step 2 to 9, except step 7 (‘coz it’s optional) and step 1 (‘coz couldn’t HOSTS file). Still redirected to findgala. Am I missing something here? I start losing hope here…@admin
Stuff to try :
1. Hitman pro ( http://www.surfright.nl/en/hitmanpro )
2. EmsiSoft Anti-Malware ( http://www.emsisoft.com )
Host file is at c:\(your windows folder)\ system32\drivers\etc . It has no extention.
If it is clear, and no scanning detect anything then it is problem with your router (most likely), semi-whitelisted browser toolbar (failed to remove browser add-on in one of the steps, but unlikely) or very fresh infection (less likely if you use several tools and they come clean).
Ran everything again. Malwarebytes antimalware: no malicious objects found. Hitman Pro: caught IExplore.exe as a threat, contains a high amount of malware related properties and it’s a potentially malicious software. Should I delete or quarantine this? A friend told me to just change the google bar from the right-hand side drop down menu and choose “Find more providers”? Emisoft Anti-Malware is still scanning as I type now. Checked several times C>WINDOWS>System32>drivers>etc>…, the HOSTS file (with no extension) is not there. There are only 5 files in etc folder: HOSTS.bak, lmhosts.sam, networks, protocol, services. And the worst part is most of the times I turn on my laptop in normal mode, it always freezes and I can only use it if I switch to Safe mode with networking. How do I know there’s a problem with my router and what did you mean by semi-whitelisted browser toolbar? I’m very dumb when it comes to computer stuff..@admin
Billy: Iexplore.exe might be a fake iexplore, check the file location. See the content of hosts.bak file, and maybe try to create an empty hosts file. If you can’t create, the real hosts file is hidden and cause of your problems.
Located the file, it turns out to be Rkill program (the Icon says IExplore). Opened hosts.bak in Note pad:
127.0.0.1 localhost
::1 localhost
How do I create an empty hosts file? How can I find the hidden hosts file?
Just try renaming .bak file to one without extension or save same content using notepad to file without extension. IF you are stopped from doing that, it is likely that there is hidden file.
When I tried renaming .bak file to without extension, a message box poppe dup saying if I change the file extension, the file will be unusable, so I saved same content of hosts.bak as file without extension, and the file type is text document. What else needs to be done?
Just make sure it is without extension (as extensions of known file types might be hidden). If you save as .txt it might leave .txt extension hidden.
I copied hosts.bak and tried renaming it into hosts without extension, it asks me if I want to rename it to hosts(2), because there is already a file with the same name in the location. Does this mean the hosts file is already there, but it’s hidden?
Yes. Edit your settings to see hidden and system files.
On windows 7 :
Open Folder Options by clicking the Start button
Select Control Panel
Clicking Appearance and Personalization
And then click Folder Options.
Click the View tab.
Under Advanced settings, click Show hidden files and folders, and then click OK.
Mine is Vista. Opened Control Panel>Folder Options>View tab>clicked on show hidden files and folders. Then checked the etc folder, still doesn’t show hosts file without extension.
Look for option to see system files as well.
Where is the option?
so how to i get to ‘hosts’ because it won’t let me click on it without closing again and bringing another security shield warning…?
Tawni: use code for Security shield to disable it first. Read our guide on security shield.
combofix fixed mine.
I have done everything found on this forum with very itte resuts. After the Windows Performance Manager downoaded itsef onto my computer I ceaned most of it up by searching for unusual programs. I found and deleted the files called cvfgtm.exe and bktgrk.exe. These files apeard to be AVI files. After deleting these files my computer was restored to mostly norma operation. I then used AVG free and IObit 360 to scan again and removed a few bad files. But I wanted to make sure I had all the virus removed so I searched and found this site. As I downoloaded the Spyware Doctor, AVG 2011 also downoaded. Both these files appeared to be maicious viruses and has completley destroyed my computer. I have worked my way back little by little and have just about cleaned up the mess.
But I have one problem left that I can’t get fixed.When I try to open Notepad in Administrator, it refuses my pasword. Also, Internet Exporer opens only somekind of “Emergency Mode” and refuses to let me open any page except the microsoft.com page that contains the Windows Performance Manager and other viruses.
Can you help me get my internet going again?
Thank you
is stopzilla any good?
Joe: There are mixed opinions about stopzilla. I would not use it myself, as in my experience it detects infections in files that are harmless ( aka false positives). However, these are not intentional, and the company is legitimate. There are better tools though.
i had this problem too,
it was a self reinstalling local proxy.
files(therms) to search in registry:
Temp\csrss.exe (dont delete anything where path starts with %system… ususally with Temp\csrss.exe you would not even find something starts with %system…)
data\dwm.exe (not renameable because running, so needs deleted in registry)
data\wins.exe (rename you will find the path in registry)
data\conhost.exe (Start > run > msconfig > systemstart > uncheck conhost)
—- export registry first DONT delete keys just remove values —-
After restart you will find out (because your internet works only for certain webpages ) that your system LAN-Settings where set to use Proxy for LAN…
so go to
Start > Control Panel > Internet > Tab Connections > Button Lan settings > uncheck use Proxy.
that was it for me, hope it helps someone.
ah yes that was for win xp sp 3
where can I find the add-ons in IE? and what is IE?
Thanks
ok ive read this page and it didnt help my google redirects my host files are fine i cant find a tdss thingy i cant download things either it just keeps asking what program would i like to choose to open file and when choose it just does it again my spywaredoctor didnt pick up anything but now i cant even open that my processes seem fine my proxy is disabled so im just going to save money and buy new com btw i using ie8 i believe
Tony: Your file associations are messed up, you will need to fix registry first.
Check your browser addons and try doing scan in safe mode with networking (full system scan) with several tools
Have trawled various forums, manually hacked away at the superfluous, used malwarebytes’ anti-malware, superanti-spyware, sophos anti-rootkit and unhack me, tried disabling javascript, checked dns, hosts, and proxy settings, and scoured the filesystem for dozens of the usual suspects. My search results still redirect me almost unswervingly towards a goingonearth version of whichever result i’ve clicked. Likely point of infection was mj1.exe and mj2.exe though not sure of where they originated. Close to initiating a total re-install but refuse to be beaten, now 8hrs in and need to sleep. D
phnatduppf:
Have you checked add-ons in browsers? In some cases router needs checking as well, though that approach works through DNS servers usually and is fixed once you change it.
Cheers for reply,
all addons are those i installed and none of my anti-* scans flag them.
Online through t-mobiles web’n'walk mobile broadband and a 3g huawei dongle only use firefox but checked and IE has same issue on my first use of the program.
What is being referred to when i click a search result? How is it unique only to this action, not downloads or intra/inter-site links, also appears yahoo is unaffected whilst bing and google are. D
Problem appears solved,
first ran rkill.exe (found grpconv.exe),
then kaspersky’s tdss killer (found sptd.sys),
then mbam,
then hitmanpro (found sapi0.dll).
So far (>20 searches) no redirects. D
phnatduppf
Yeah, TDSS Killer quite often a solution for these problems… In fact TDSS is in my usual suspect list
Am stuck at step 1 – how do I save the corrected host file (I don’t see where to “open with admin priveleges on my home PC).
James: For older versions of windows (like XP) just open it.
Step #8 cleared up my computer. Thank you so much!
Hi,
My google direct virus means that all the web browser open up in Chinese – and it appears to be a porn site. This happens for both IE and Mozilla and also appears in Yahoo if I try to search. I have read all the following information and no-one has mentioned Chinese characters. How can I fix this problem?
Many thanks
Marg
Marg: read sections about DNS, Proxy, add-ons. Also, scan with anti-malware tools
I’m stuck on step 1. I opened the host file in notepad and it’s empty. what does that mean?
Moon: Empty hosts file is ok. Just make sure you opened right file.
I’ve run rkill and malwarebytes. I deleted a bunch of trojans. Now I can’t seem to get my wireless router to find my wireless network. what can I do?? please help!
One last question – is zitui.exe a virus? i don’t know what it is and I’ve never seen it before.
zitui.exe sounds like virus.
I’m having trouble opening my file as a note pad. It won’t open at all, I did everything I can, including “Running as Administrator,” nothing seems to work. Please E-Mail me and help me out. I really wish to get this program out of my computer.
I cant open my host files it wont let me and ive tried moving malware anti malware by a usb drive but it still wont let me open it
This goes out to the maker of this virus im trackn you and i will get you its nice in CALIFORIA cant wait to see you
it keeps poping up i can not do nothing on my cumputer
I Can’t find my host file and it won’t let me run notepad as Administrator doesn’t work either, im running Windows 7 64bit Please Help.
Ben: It might be invisible. Try editing it in safe mode, not in regular mode.
this is my host what should i remove.
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to computernames
# (NetBIOS) names. Each entry should be kept on an individual line.
# The IP address should be placed in the first column followed by the
# corresponding computername. The address and the computername
# should be separated by at least one space or tab. The “#” character
# is generally used to denote the start of a comment (see the exceptions
# below).
#
# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:
# #INCLUDE
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# xnn (non-printing character support)
#
# Following any entry in the file with the characters “#PRE” will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the “#DOM:” tag will associate the
# entry with the domain specified by . This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying “#INCLUDE ” will force the RFC NetBIOS (NBT)
# software to seek the specified and parse it as if it were
# local. is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share “public” in the example below must be in the
# LanManServer list of “NullSessionShares” in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add “public” to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# xnn notation to specify a hex value for a non-printing character.
#
# The following example illustrates all of these extensions:
#
# 102.54.94.97 rhino #PRE #DOM:networking #net group’s DC
# 102.54.94.102 “appname x14″ #special app server
# 102.54.94.123 popular #PRE #source server
# 102.54.94.117 localsrv #PRE #needed for the include
#
# #BEGIN_ALTERNATE
# #INCLUDE \\localsrv\public\lmhosts
# #INCLUDE \\rhino\public\lmhosts
# #END_ALTERNATE
#
# In the above example, the “appname” server contains a special
# character in its name, the “popular” and “localsrv” server names are
# preloaded, and the “rhino” server name is specified so it can be used
# to later #INCLUDE a centrally maintained lmhosts file if the “localsrv”
# system is unavailable.
#
# Note that the whole file is parsed including comments on each lookup,
# so keeping the number of comments to a minimum will improve performance.
# Therefore it is not advisable to simply add lmhosts file entries onto the
# end of this file.
Your hosts file is clean.
You are the best! I have been working on this damn thing all week. The rootkit tdsskiller did the trick! Symantec and Malwarebytes didn’t pick it up.
I am so confused! I can’t get this to work for me at all.
This worked for me.
Just make sure guys that when you’re about to edit the host file, “read only” is UNCHECKED in the files properties.
And if you are having problems with overwriting the file, double click it when you are saving.
the xpantispyware 2012 has blocked all d important files including dis file nd i can,t open it neither can i make it run dus ne1 has d idea hw 2 fix ds problem????????????
Bidita: In your case, read the guide on XP antispyware 2012. You need to kill its processes, this guide is not that applicable (except you might have to remove proxy as well) http://www.2-viruses.com/remove-xp-antispyware-2012
Hosts files are fine and DNS setting and Proxy too – downloaded all (Malwarebytes, Spyware doc, even the special remove antispyware) in safe mode with networking but every time I want to run them, Vista Spyware message appears and blocks them. Can someone help?
ED: If the file is blocked after download, try renaming them to .com instead of .exe Or you might have to kill malware processes manually.
@Julius
Thank you from RDU (Raleigh-Durham NC)! The rootkit tdsskiller did the trick!
With 12 years computer/network experience — this Malware got me good! Wasted 4 hours of my life!!!
Old hacker trick—mark the hosts files to read only…and if you use WinPatrol
(the free version is fine) it will show you the hosts file within the application and also everthing running.
AND it warns you if something writes to the startup
http://www.winpatrol.com/
Thanks for this information. This virus was causing me all sorts of headaches.
Now if I could get my hands on the person who put the virus on my computer in the first place, that would be a nice feeling to have.
Cheers, Dale
I beat Vista Fix It and Google Redirect
My hosts shows a ::1 under the ip addy. Should this get deleted? When I try and save it says cannot create to C:\Windows\system32\drivers\etc\hosts, Make sure path and filename are correct. I am pretty sure I am logged in as admin… Ran AVG antivirus which found nothing. Just would rather exhaust all options before i go downloading and installing 14 different malware products. Thanks.
David: You got Vista/Win 7. ::1 is harmless, it is an IP6 address. If this is single additional line, your file does not need editing.
If hosts file is clean, I would look for problems in other sections (either trojan is active on system, Rootkit, or malicious proxy, etc. )
When I open my hosts file on windows 7 with notepad, the document that opens is blank. Why is that?
Michael: if this is correct location, than everything is fine. Hosts file is not necessarily in most cases, though there is a placeholder file in most of the systems with some commented lines and 2 lines referencing localhost.
Thank you this guide. all the responses to questions really helped my knowledge on this subject. i checked my addons in Firefox and found “XUL cache.” i removed it and the redirects seem to have stopped. I read somewhere that this addon can somehow get back onto my browser. Is there something that i can do to make sure that i’m in the clear?
Tyler: best advice is to keep decent internet security suite on PC. Malware still has to get in on one’s PC to modify settings and cause redirects (except in case of hijacked router). For the router, nothing beats changing password from default one.
Just wanna say thank you. The instructions totally solved my problem! Really saved me a lot me trouble. Thanks a lot!
@Hi
To save host file as admin, windows 7, even if you are the admin right click on host file go to properties, under security tab, select user and edit – Select all boxes under Allow. This will grant permission to save the file.
Will let you save the host file.
Just removing the following entry from my hosts file did the trick.
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
Thank you very much!!!!
@Shokc
I can’t update the hosts file it won’t let me open it or change the user properties so all users can edit. I can’t download the spyware (*any of them) from the internet as the virus has blocked access to them. I can’t even access the internet settings to change proxy settings…it just says can’t access contact your system administrator. Please help I can’t do anything on my PC and this virus is so fr*king annoying!
Reboot your computer in safe mode and delete the following file in the following folder. Fixed my redirect problem like a champ!!
File: api-ms-win-core-memory-l1-1-032.dll
Folder: C:\Windows\SysWOW64
Unhack me is a great program for removing most of the malware. Been doing the virus removal since 1991 and have to say this program has made life so easy.
http://www.greatis.com/unhackme/download.htm
Just fixed some malware entries in my host file.
Also combofix works well, just be careful with it.
http://www.bleepingcomputer.com/download/anti-virus/combofix
Worried about the fake viruses? try WOT for your browser to let you know of potentially dangerous sites.
http://www.mywot.com/en/download
CDA Rescue :
Thank you for suggestions.
WOT is useless against fake antiviruses. Its ratings are based on opinion on domains, and these change on daily basis. It is useful against poor programs though or scams. Both Combofix And Unhack me are computer repair programs that are of interest for people that repair PCs for living rather than regular user that desires less problems with one’s PC on long run
The TDSKiller program did the trick for me…thank you!
tdsskiller.exe is the one. I think that should be bumped up to Step 1.
Thanks for the help.. just glad that I finally got rid of it.
for those of you that are having problems editing host file. I highly recommend HostsXpert v4.4. A free program for managing your host file. get it here:
http://www.funkytoad.com/index.php?option=com_content&view=article&id=13&Itemid=31&28d444df85eb4f435055ed9d39c02f03=d315773113eab5e724959c494ea17358
I edited my host file but to no avail and tdsskiller.exe resolved my issue. Thank you.
my host file doesn’t look like that it looks faded and it won’t let me save it i have also tried running as administrator
I’m trying to do step one, and my computer wouldn’t let me ‘access’ or save my changes. I noticed extra line that ‘i think’ should be removed, ::1 localhost. How can I let the hosts file save my deletion>
BTW, I’m on Window’s Vista – how can I open the ‘host’ file with admin. privelages?
Got it. Figured it out!
The hosts file suggestion solved the problem that Lavesoft and Ad-Aware didn’t catch this one. Thanks for being awesome.
Thank you thank you! I had to do quite a bit of research for an important paper I’m working on and the problem was hidering me greatly. I followed your instructions and it worked! It was some trojan programs that were quarantined in my virus protection but they were still causing problems. I’m very grateful
Thank you very much this worked very well. I appreciate your assistance
Just wanted to say thanks for the information. My IE has had the same problem as most people have had lately. I had tried about 10 Spyware tools and none found the problem, so I downloaded and ran tdsskiller.exe from Kaspersky. I ran it and the program found 2 files BMLOAD and tcpipBM which it removed and now IE works as it should when I select something from a google search.
Now to find a fix for why my active window deselects itself after about 25 seconds and I have to click on the window to continue doing whatever.
Dave: Rescan with full kaspersky version or other 10 tools
. This kind of infection might have hidden some other processes from anti-malware tools while active. Also, it might be useful to do a test run with some registry optimizer like CCleaner.
Hi ya Admin.
I just found what was causing the active window deselection. I recently installed Kies for my Samsung phone. I went through and ended the windows processes that weren’t directly related to windows 1 at a time until it stopped. It was KiesPDLR that was somehow causing the problem. Thanks again for your help.
Glad it helped.
Great info, unfortunately I’m still having issues.
Step 1: I modified the hosts file to match yours
Steps 2 & 3: settings were fine
Step 4: N/A
Step 5: I disabled all non-Microsoft addons
Step 6: I ran Spyware Doctor. It found a high threat and a medium threat. I was surprised that I had to pay $30 to fix these, but I decided that the $30 would be well worth the fix. This didn’t do the trick though.
When we go to Google & Bing the bottom bar says “waiting for Google.com” and the page just never loads. Yahoo loads, but we can’t search, the searches don’t load. The control key isn’t working properly, I can’t copy and paste using control commands.
I didn’t continue with steps 7, 8 or 9 because this computer belongs to my parents and I ran out of time. Any advice??
Step #1 was the fix for me. It worked. But before that, I’ve scanned my laptop running Vista Basic Edition with Adaware (free edition) from Lavasoft. I’ve been using Adaware since 2001. I’ve used also CCleaner (free edition) to scan/fix registry entries + stop suspected processes. Both are excellent tools for free. Finally, I’ve uninstalled several “suspectful” third party software using another free tool: Revo Uninstaller. This utility isn’t just uninstalling the software but also offer to clean the registry table of ANY occurrence of the software you’re uninstalling. Then apply the fix proposed here otherwise the malware if not remove previously will keep re-installing itself.
I can now enjoy ALL the Google / Yahoo searches again.
Thanks! I have been having a nervous breakdown over this and your advice is the first that actually got me anywhere.
I have tried everything. It keeps bringing up Data restore with every error message possible. Please help me I’m not very computer savy and I really need this to work for school…Thank you
Step 4 worked for me, but as I understand it, the automatic setting of proxies still has fake information somewhere, right? How do I fix this to get rid of the problem completely?
Train42: in some cases the original infection is already gone (removed by antivirus), but proxy settings remain. However, I would recommend scanning PC with decent antivirus. If you have no other symptoms, I would recommend scanning with Hitman Pro, as it is fast and scans with multiple antivirus engines http://www.2-viruses.com/reviews/hitman-pro .
I have followed your instructions but I still get redirects to stuff like blendersearch. What can I do?? There is nothing in my hosts file that is abnormal. I ran the tdsskiller and it doesn’t detect anything.
Lisa: Have you checked browser add-ons and DNS server settings? It might be some plugin that hijacks search. Disable all add-ons. If this continues, I would recommend scanning with Hitman Pro or Mbam first. TDSS killer detects several families of rootkits, but not everything.
Post back about your progress.
@ admin:
I have disabled browser addons. As for the DNS server settings, I have both IPv6 and IPv4, and they are both set to “Obtain an IP address automatically”. I have uesd Malwarebyte and it did not detect anything of the sort.
Lisa: are there other PCs in the network and everything works fine?
Also, scan with hitman pro instead of Malwarebytes. It uses several antivirus engines,but tests less places than regular antivirus. This is to reduce chances that there is malware to the minimum. As long as there is no malware, I would suspect router hijacking, but the chances are poor. Maybe the site is infected, though, or some weird user script…
Well I troubleshot all these steps and noticed that all my settings are like that suggested. My internet regarding the proxy settings, however, does not have a proxy port. The only browser I have is Google Chrome. I have a redirect virus that when i click on a trusted site, it stops at a blank screen, pauses, loads then stops and changes the website. It takes me to sites like dictionary sites with “Suggestions” I use an entirely outdated 2005 Media center edition PC so everything isn’t far from Win98.
@ admin:
Yes there are others but they use Macs. I read on this page that Hitman Pro would require payment in order to remove/clean anything? Malwarebytes detected stuff a couple days ago. I followed your steps and tried the Malwarebytes again, and nothing shows up. I have just checked with Hitman Pro and Tracking Cookies as well several Malware/Trojans showed up. What should I do?
Lisa: Hitman pro is free to scan, and free for the first 30 days to remove (you need to press activate, but no payment is required). Additionally, it will help to determine if there is really something wrong on your PC during the scan itself.
If other PCs / Macs in the same network are ok, then it is not hijacked router (if they use automatical DNS as well),
You could also try super anti-spyware.
@ admin:
Sorry, I did not see that there was a trial.
What should I do if the redirect problem happens again and I don’t have the trial option for Hitman Pro anymore? I don’t have the funds to purchase a decent antivirus program or anything in that category for that matter. 
Will let you know of my computer progress after reboot.
Lisa: The correct answer is using decent, commercial (preferably) antivirus like Kaspersky or Eset. In worser case – Microsoft Security Essentials, in worst cases – other free antiviruses. Prevention is the best cure for some of the redirects.
@ admin:
Hitman Pro did the trick for me, so I believe.
I have not been redirected after reboot. Thank you so much for your help and guidance for future prevention! 
Here is what I have found with my laptop and google redirects. There is a copy of MS Internet Explorer running in the background. This appears to be related to the redirects. When I rename my IE folders so it will not run and kill the running copy the redirects stop. When I put the folder name back. The IE background process will reappear and the redirects will start again.
I should also say, since IE is disabled I use Firefox or Chrome. Both of which also had the redirects.
Tim: It might be a malicious IE plugin, that creates a process and hijacks all internet access. Have you scanned your PC with multiple tools?
Your the best whomever listed the things to do to get rid of the redirct virus….thanks
Hate this. I’ve had this problem multiple times, did all of the above fixes, and it changed nothing. Something was still delivering both the fake antivirus program and the redirects in Google, to the machine. Even went as far as to reformat the machine. Then, upon entering dns and static ip info, the machine got infected again. BUT, the server machine (which was really just another computer acting as a server) was not infected. We scanned that thing thoroughly. ODD and extremely stealth, these things are.
Ryan: this guide is for cases when there is no obvious trojan in the system. In your case, I would first do tdss killer scan (and see if it detects), and if not, do a scan with Alternate OS scanners, and then repeat all the steps here.
browser is redirecting lines in google searches
how can i eliminate google redirect
i have a problem with the cursor it is not stable may be it is due to some virus, pse suggest me how to repair it.
thanks a lot i erased the whole host file cause it gave me no option to modify whwt was on it in fact there were two extra lines one for google and the other for bing after delection the hidden virus cant redirectme anymore. i tried everything before unsuscesfully:system restore,antivirus scanning resseting internet explorer, windows search. etc etc, even listing the page risksearch net on the restricted sites button dint work completely cause even it tried to connect unsuscesfully but redirectme from the right results. i was about to switch the hd, but i found your help online and it worked, thanks
I have something called searchqu that got in my computer with a music download today. How do I get rid of it. It has taken over as my home page and search engine! Thanks
Al : read guide, everything applies. Uninstall browser ad-ons, scan with both Spyware Doctor and TDSS killer, check hosts file.
I changed hos file but wont save it saiys it is read only please help
host file is invisible unless I open I copy an dpaste address C:\Windows\System32\Drivers\etc\hosts. When I paste it to search box it asks me what program to use I dobn’t have an option to run as admin
If I open notepad file I can right click and run as admin, BUT when I open host file and delete bottom section I can not save bcs it is read only.
I hope that makes sense to someone
right-click on it and go to its properties. Remove System And read only attribute.
@pedro
How do you delete host file . I can not find it unless I copy and paste C:\Windows\System32\Drivers\etc\hosts to search box and then access is denied . Is there any other way of deleting it.
I have located the HOSTS page & opened in notepad, however, after the 127.0.0.1 localhost I have loads of others all with the same number but different name. Do I delete all of them?
mcryan
yes, you should. Thats DNS address hijacking.
I can’t seem to run KasperSky. Google redirects me to cc search sometimes(I’m on google chrome). When downloading, my internet connection gets cut off and I had to restart the computer. Any idea what I should do? I tried opening host, nothing suspicious. Checked proxies and DNS settings also nothing.
Trail : check router settings, although I would suspect active malware on your PC. Download TDSS Killer and some anti-malware program on another pc and use Flash drive .
If you cant remove Malware on your own, stop being cheap and take it to a pro. Nuff said!
Unknown
I would say first get a decent antivirus or anti-malware. There would be far less infections if people would actually use antivirus
Professional repair is required for fresh or very aggressive malware or when PC is beyond automatic repair.
I have been getting the Google redirect since yesterday. I scanned with Malwarebytes and found nothing, I cannot even open Norton 360, not even with Task Manager, and running TDSSkiller twice found nothing. I have gone through my host file, found no extra info there, and I checked my proxy settings; one thing was checked and I unchecked it. I went back to the proxy settings later and it was still unchecked. What can I do to remove this virus?
Mike: Scan with different anti-malware programs, like Spyware doctor or Hitman Pro first. If it is clean, check your DNS Servers (should be set on automatic in most of cases). If it is on automatic, then set it to google DNS (this would mean your router’s DNS settings were hijacked). However, if you can’t launch norton 360, it is malware infection.
Spyware Doctor found some low-risk stuff, mostly tracking cookies and a couple of different advertising adware. I’m not in a position to purchase the full version, though, so I couldn’t remove it. I still can’t open Norton but I did check my DNS settings, everything was set on automatic and I didn’t know what the Google DNS settings were so I left them alone. Hitman Pro spent five minutes looking for an internet connection before aborting the scan. I do not know why it did this, as I was able to access the internet fine during the search.
Mike: Run GMER first, then Stopzilla. Try setting dns servers to 8.8.8.8 and 8.8.4.4 (listed in this guide).
I ran SuperAntiSpyware as well, removed several tracking cookies but I did not resolve the redirecting problem. I also retried the TDSSkiller and it still found nothing. Is there another antivirus or antirootkit program that might help remove this?
Ummm… Hi every time i click on a link in google or any other search site it redirects me to a ramdon Porn Site. i can avoid this by coping the direct link into the serch bar but its a pain doing that all the time.Ive use spyware doctor
And it only found cookies and one medium RogueAntiSpyware.Antivirus360 and that has nothing to do with my browser or somthing like that But please help me!!
I’m so frustrated with this redirect virus in firefox. I run winxp and have TrendMicro who, surprise surprise, didn’t stop yet another virus from taking hold. I ran malaware bytes and it found 2 reg key trojans and one infected folder. I deleted all 3 then when back in and double checked everything over again. Still i’m getting redirected. Any other suggestions or if someone finds a solution please let me know. Thanx
Oh update. I think I know what the culprit is. It’s this babylon search engine I caught it’s name in the “jump” when it was redirecting me. Now if I can find out how to get rid of this I may be ok. Any help appreciated since this is one of the only sites that acctually gets past the redirect.
@Lulu
Great news!!! I went to Microsoft’s website and D/L the microsoft emergency response cleaning tool. After many failed attempts by malaware, spybot, trend, and even Hitman nothing removed it. I then called microsoft and they directed me to this. It is a free d/l for windows users. Ran one scan took about 4 hours restarted pc and viola. redirect gone. Hopefully this will work for some one else
Hi,
I have been having this redirect problem for a few days now and could really use some help. I don’t get redirected every time I click a google link, but occasionally I do and will have to try many times before I actually get through to the requested site…I followed all the steps (all of my settings and folders were already how this guide says they should be) and have done full computer scans with AVG, Malawarebytes, Microsoft Malware Removal tool, and the Microsoft Security Scanner, and the TDSS killer suggested on this page and found nothing. (AVG and Malaware found 2-3 Trojans the first time I scanned, but they all seemed to be unimportant crap that didn’t effect my redirect problem when I removed them). Any Suggestions or Ideas? Please help me out!
Thanks in Advance.
Matt : Several things.
1. Are other PCs in the same network experiencing same problem ? If so, router infection is more than likely. It will not be detected by any tools, though DNS change to 8.8.8.8 and 8.8.4.4 (like in guide) might fix the problems. In such case, one should restore router firmware.
2. Scan with hitman PRO, SuperAntiSpyware, Stopzilla and Spyware Doctor. While majority of microsoft tools are ok, not everything is detected, and personally I do not trust AVG too much. TDSS Killer is against one (nasty) family of infections.
3. Double check that correct hosts file is empty.
4. Worst cases? Scan with GMER for unknown rootkits, scan with AVIRA boot cd or PC Tech support time.
two (and a half) words..
Get..A..MAC. I have Minor trojan problems but as long as I don’t execute and delete it’s all good. Linux is BOMB proof but user unfriendly
Elliott Bettman: Wrong.
Some of things listed in this guide are possible in Mac as well. For example, HOST file, DNS hijacking, infected router or malicious browser add-on. In fact, they are possible in Linux as well. A mac owner should get an antivirus, and (likely) Linux box owner as well. Everything else is down to market share.
Hey admin, I tried everything you said on this page and everything’s fine. The only problem is that i still have this annoying redirect virus going…. any help please?
Sarah : Double check addons, change DNS servers and scan with hitman pro and Spyware Doctor.
My computer took a turn for the worse today. After much digging and grueling trying to find out what it was – my two biggest clues of my search engine searches being redirected and music/radio/ads playing in background and the help of my secondary computer – it came down to a virus. I bought norton, ran malwarebytes and ran spybot S&D as well as TDSSKILLER….and then ran all the checks you listed here. I am still having issues. Any ideas?
Rebecca Ldj:
2 issues are most likely :
First one is yet unknown trojan /adware. For this, try hitman pro, Spyware Doctor, SuperAntiSpyware.
Second one is malicious browser add-on (if the music plays only after browser is launched) or proxy.
My hosts file seems to be hidden, all I can find in the etc folder is lmhosts.sam, which looks exactly like one hosts file posted by a reader that you said was clean. Do I need to find the actualy hosts file and check it? How do I find it if it’s hidden?
Update: The first thing I ran was ad-aware in safe mode+networking, which found several items, including trojans. I still had the redirect problem and ran kaspersky tdsskiller, which found something and removed it. Then I ran malwarebytes which found one infected file that looked like a really old keygen for some app. The problem seems to be resolved but I am still curious about my hosts file, why I cannot find it even when I select “show hidden.” I would like to check my hosts file just to be sure, as I said I can only find lmhosts.sam which looks clean.
Joe: PCs can function without hosts file in most of the cases, thats one option. Another option is hosts file with attribute System, which would be hidden as long as an option to list system files is unchecked (thats default). Some malware programs use this trick to hide documents or files.
I was having this issue but only in IE. Ran MalwareBytes, Hitman Pro, Spybot, TDSS Killer etc etc. Nothing was finding or fixing anything. I tried using Dr. Web (free version) and it found a Trojan. Once deleted the problem seems to have been fixed
Tom : was it an executable or in settings ?
I deleted Dr. Web but from what I recall it was not an exe file. It was a .dll file in C:\Windows\SysWow64 folder
I found the log file.
C:\Windows\SysWOW64\msimmsg.dll infected with Trojan.MulDrop3.19698
I tried to delete the extra IPs and files in the hosts file, but when I’m done and go to close the window I’m not able to save it – I’m not actually deleting the multiple lines of IPs permanently. The file is in read only mode. How do you save the new host file once all the junk has been deleted? thanks
Doug: are you on Win 7/Vista? If so, search in menu for notepad, rightclick on it and choose run as administrator.
If this does not work or you are on XP, run cmd, then run
attrb -r c:\windows\system32\drivers\etc\hosts
@admin
I’m on XP. What is cmd & attrb -r? I’m definitely not as technicallogically advanced as you!
Doug -> Start->run , then cmd and enter. A window would appear. Then attrib -R c:\windows\system32\drivers\etc\hosts
Spybot Search & Destroy found Security Defender and says it fixed the problem, but it didn’t. It keeps coming up. Should I have an extra line in hosts – localhost name resolution is handled within DNS itself?
lines referencing localhost is ok, all other lines should be deleted. If malware is comming up, scan with Malwarebytes, Spyware Doctor or Stopzilla.This is not settings problem, this is malware problem in your case. I do not trust Spybots update frequency that much.
i hope you guys get paid to run this sight thank you so much all this help was absolutely wonderfull u guys are heroes
Thanks. Kaspersky TDSSKiller did the job for me. Btw. there are a couple of other little diagnostics that were useful to me & may be useful to others. Trying to get to http://www.google.com or other search sites with low-level utilities like ping & nslookup also did not work for me, though they had no problems with non-search sites. That told my problem was way down in dns resolution. That and the fact that utilities like malwarebytes & Hitman turned up nothing (or rather turned up a bunch of extraneous false positives), made it likelier that what I was dealing with was rootkit based & very well hidden, as it in fact turned out to be.
TDSSKiller did the trick! Thank you so much for this…you are a life saver!
Problem:
Was experiencing the redirect problem, so I used lspfix on my Win7 machine. And now I am apparently connected to the iinternet but no web pages load at all. Is there a fix? I’ve used the net command to reset my connection but received errors.
Matt: what error message do you get? Check if there is proxy error (disable proxy server completely).
@admin
i’m using win7 andi only can open with notepad, i cant open as admin. i have right clicked but it doesnt appear run as admin, what should i do to solve the problem? i’m using mcafee and now the antivirus is not functioning well as the firewall keeping turning off even though i have tried many times to turn it on
Sky: Try creating another, admin user account on PC
how to create another admin user account?i seem saw like got extra unknown user account but i am unable to delete it.is it possible to delete user account? can you please show me the steps? Thank you so much for your help
Sky: If you are in limited user account, you need help of someone that has access to administrative account. The good thing is that malware is likely to have infected your user account only.
First of all, thanks admin, for putting so much work in helping people. Now, for my question: When i open hosts file, it asks me with what i want to open it, there’s a list of programs there including notepad, but i can’t right-click it to open as administrator. When i right-click it pretends nothing happened.
Please reply.
ps. I’m not that good with computers so you will have to explain it like i’m a three year old.
So I’ve done everything on here and the redirect still appears in Google. Incidentally, I don’t have any problems with IE 64 bit. But
I can’t turn on Security Essentials and my services are altered to disabled.
Hrrmmph – so what do I do now?
My problem is I don’t even have a host file. I can open the etc folder but the host file isn’t in there at all. Everything is unhidden. Any help?
Azalea W.
Typically, it should be here, it might be hidden as system file (make sure you see system files too). However, if there is no host file, then there is no problem related to it as well, so check other things too.
i was freaking out for a whole day!!!!!! thank you it fixed the problem i am so greatful, now i can do my research on google again. thanks again.
it worked then went back wont let me save it?
I am having the same issue and have tried every step (scanned with multiple programs, edited host file, ran gooredfix, tdsskiller, etc) still being redirected, in all browsers, IE9, firefox, chrome. I am running Norton and it found nothing. I have used kapersky and it found nothing. I have cleaned with ccleaner, spybot, etc. Please help!
I have # ::1 localhost underneath mine – I am the only user on the computer and I can open the file. I delete it and it says I dont have permission to save it…. any ideas? Thanks
@J
Sorry – its says access denied – not that I dont have permission
J: your hosts file is fine. This is for IPv6 protocol. Check other things in this guide and scan for malware.
I’m having major issues with my computer – and even though I’ve deleted the extra host files, it hasn’t solved anything. Done all the scans as suggested and yet I still keep getting redirected to the likes of Facebook Apps (Are YOU Interested, Gogobot, CityVille, etc) and my computer is running so slowly. Any suggestions? I’m running Chrome.
MMC: First, check and disable chrome extensions. Next, change DNS servers to google ones (read the guide). Also, scan with Hitman Pro, Spyware Doctor and Spybot S&D. For me, it looks like some sort of Adware, either toolbar or not.
Thanks for all your detailed information. I have followed your steps up to step 8 (checked the proxy stettings, changed DNS servers to google ones (I think), checked the host file, disabled addons in firefox and ie, downloaded and ran Malwarebytes and Hitman Pro)… so far no luck. I have downloaded TDSSKiller but can’t get it to run. As per your other post, I’ve tried renaming it to xxxx.com also, but it still won’t run. Do you have any suggestions? Thanks for your help!
Melissa
Weird. I would recommend Scanning with Alternate OS Scanner, like Aviras Boot CD. What error do you get while launching TDSS ?
Ta. No error message, just the usual Vista permission thing (obviously I press continue) then nothing happens. I also scan with AVG (free version) each day. What is Aviras Boot CD? My computer knowledge is very minimal. Malwarebytes has a Windows popup type message about every 1 minute saying it’s bloked a malicious site, even when I don’t have a browser open (it does mention firefox.exe, which I’ve noticed sometimes runs in the background as a process even when it’s closed – I am always connected to the net though.) Thanks so much for you help – very, very appreciated!
Melissa : Aviras Boot CD is a software that has to be burned on CD. You instert CD in your disk drive and reboot, choose to boot from that CD. It might detect parasites that prevent detection while their run.
My desktop is fine by my laptop has this on it. I went on my desktop to research was this XP Home Security 2012 thing is and found this download but I cannot connect to the internet thru my laptop so how can I go on and download this to run?
Karen : XP Home Security 2012 is not google redirect virus per se. It allows executable downloads, and you should download and run first process explorer, then anti-malware program like spyware doctor to remove it. Or fake register it. Read more here : http://www.2-viruses.com/remove-xp-home-security-2012 and watch this movie : http://www.youtube.com/watch?v=15QrZkhGKB8
Hi,
Thanks for this information.
I realised I had this virus this morning and instantly download malwarebytes and ran a full scan. It picked up a huge number of bits and pieces (hadn’t scanned my PC in quite a while) but the problem persisted.
I then found this thread and did everything you suggested. I had one extra line in my hosts file, the same as another poster that you said was harmless, which I deleted. I ran google again but the problem persists – except this time, with Malwarebytes installed, every time I click the link it returns me back to the search page and notifies me with “Successfully blocked access to a potentially malicious website 206.161.121.5 – Type: outgoing – Port: 52442 – Process: boom.exe (boom.exe is what I’ve had to rename Google Chrome, the browser I’m using, as when it’s called chrome.exe Windows refuses to load it and this was the fix I found on the net!)
So does any of that mean anything to you?! What should I do next? I’m currently running another scan on malwarebytes but should I download another scanner too?
I tried downloading and installing AVG but halfway through the install it said something about changes to Microsoft Office Professional needing to be undone before the install could complete. I recently installed a new version of MS Office so assumed I didn’t want changes to be undone so I clicked no and the install for AVG terminated. Help!
Thanks.
Emily. This looks like malware infection, either plugin in chrome, or proxy, or attached to network connection or even in router.
Scan first with TDSS killer (it requires no network).
Then Hitman Pro. If this finds nothing, scan with Spyware Doctor or try Kaspersky trial.
A little extra info, don’t know if it will be helpful: it’s literally only clicking on the search results that is the problem. If I right click on the search results and copy the link and paste into the URL bar the real page loads no problem, with no redirection or notification from Malware Bytes.
Thanks for the mega quick response. Just ran Kapersky’sTDSS killer, found nothing. Will try Hitman – but I need to run into university for a practical now so won’t be able to update with results for a couple of hours! Sorry! Thanks so much though. If it was in router is it likely that my other housemates, using the same router and connection, would be affected too?
If they are not affected, it is not router. Look under plugins/extensions, also, download process explorer from microsoft and see what processes run (kill all except chrome’s from %application data%).
Quick update before uni: Ran HitmanPro. No change, problem persists. Will try the other measures you suggested when I get home. Thanks for your helps so far.
So I came back from uni and ran a couple of scans based on my boyfriend’s advice (computer guru).
First ran Norton Power Eraser. Found some threats and deleted them for me. Miraculously I realised the redirecting had stopped. I assumed the virus had gone and carried on as usual. However between running NPE and realising the redirection had stopped I ran the Norton Online Scan and I suddenly remembered I hadn’t checked the results. Unfortunately this found 91 infected files. And I was finally informed of the name of the virus: ramnit.B.
Google searches suggest the prognosis isn’t good! What do I do now?!
Emily: Get some decent antivirus, that detects the files as well. For example, get kaspersky trial (30 days free) and scan. Online scanners do not fix system and files.
I have this gnarly redirecting virus. Everytime I type “google.com” in Chrome, it pops up with Oops! Google.com cannot be found. I have tried SuperAntiSpyware, Malwarebytes, Microsoft Security Essentials, PC doctor, McAfee Home Security AND Hitman Pro. I did everything in your manual from checking my host files to checking add-ons and proxy settings.
I am getting very very very frustrated for I cannot seem to get rid of this thing.
I have ran everything in Safe Mode and normal mode…
Any help would be appreciated.
Lindsey : This is not redirect problem, it is related to name resolving. What is your default search provider in browser? If it is something else than google or bing, then it is browser add-on/toolbar problem. Or this might be some sort of DNS problems (change your DNS to 8.8.8.8 and 8.8.4.4 ) /
i trey to fix the host file but it tells me i need to be an administrator to save it but i am already the administrator (the only user profile on my computer). is there another way to enter as administrator?
phil : You are on windows 7 or Vista. So you are running with limited permissions usually, and you have to elevate your privileges temporally to make changes to system settings.
start, run. Then enter notepad, and once it appears in the menu, right-click on it and choose “run as administrator”. Reopen the hosts file with this notepad. You will be able to save the changes.
I have used Combofix and it removed some stuff…I cant get on teh internet now.
I am going to try your suggestions and get back here and post my comments/results.
I am having the google redirect issue. There is a line in my host file that I am trying to delete. If I use the path c:>windows>system32>drivers>etc>hosts, I am asked which program I want to open the host file in, and I choose Notepad and the host file is displayed. When I try to save my changes, I get an error that “Cannot create the c:>windows>system32>drivers>etc>hosts file. Make sure that the file name and path are correct.” If I right-click on Notepad and select “Run as Administrator”, there is no host file at all…when I open etc, there are no files. I am on Vista. How can I edit my host file?
Vickie: You need to run notepad as administrator.
@ Vickie: Right click on the hosts file. Under the General Tab, uncheck Read-Only. Then you can save the file.
Thanks – deleting the extra lines in the hosts file cured my problem. Unbelievably simple fix. two lines – one redirecting google, the other redirecting bing
Oh, I have problem. I was deleted the extra lines (my host file looks like your example), but the problem isn’t fixed. What can I do more? I use google chrome, and have windows 7 x64
Matt: Ensure that you saved hosts file in the right place, there are no parasites on PC by scanning with several tools (including TDSS killer), Then try to disable add-ons in browsers and proxy server.
Host file in right place, TDSS killer and others can’t find anything, but when I disable proxy server it helps. But my question is: disabling proxy server is safe? I’m asking because I don’t know much about computer science
Matt: Disabling malicious proxy server is highly desired. Proxy servers are used for legitimate purposes sometime, but if you get redirected during search, then something was wrong there.
Thanks, sort-of. Host file fix easy but things stayed bad. Step 8 solved my problem with the root virus, guess I had tdss. The Malwarebytes download seemed to help. However I also tried Spyware Doctor (cost me $29.95) and while it started fine and after the initial scan said it had eliminated some additional issues, very soon it slowed my system down horribly. It also said AVG Free was in its way so I eliminated that. I next did the update it suggested, and then things went fast downhill. No matter how I tried its settings it slowed me to zero, caused hard crashes, etc. I finally after a day’s effort managed to remove it from the machine (I use XP) and I’m now fine (but being very careful). Any advice you can offer re why what you recommended locked me up so hard?
Craig: Use one antivirus only. SD works well with some antiviruses, not so good with others.
My daughter’s laptop was having an intermittent problem when searching with Google. She would complain that it would “redirect” to other websites. The thing is, it wouldn’t do it all the time. Again, it was an intermittent problem. Usually, whenever I’ve experienced a virus/malware on any computer, it would always take over completely. Those are easy to identify because it’s obvious to see what the problem is. This intrusion, however, is sneaky and does not show itself as boldly as other viruses or malware do. After finally experiencing the problem firsthand, I searched for “google redirect” and ended up at your site. I want to thank you for your detailed explanation of how to remove this nuisance!!! As per your recommendation, I began my removal process at Step #7, but it was Step #8 that did the trick. My daughter and I are thankful for your efforts! Please keep up the great work!!!