How to fix Google Redirect Virus (browser hijacker) problem

 

Google redirect virus is a browser hijacker targeting google and other search engine search results and redirecting user to infected pages. These pages can be porn–related or full of advertising banners that make creators of this parasite money. Also, these pages  might force you to pay something or give away your bank account details. Thus Google redirect virus is quite dangerous.

There are couple different streaks of Google Redirect viruses, and some of them might need heavy scanning with reputable Anti-malware solution like NOD32 Antivirus, Kaspersky, Malwarebytes. Sometimes Google results Redirect virus even blocks reputable sites and it is tough to download automatic software. However, there are couple easy steps to solve less complex problems.

Note, that before trying to fix other things, you are suggested to scan and check if anti-malware programs can identify more precise reason of Google redirect hijacker. We recommend spyhunter, Hitman Pro for this task. You should always scan after performing all these steps as well, as doing anti-rootkit scan might reveal trojans that were hidden due to other infections. In some cases, rootkits will be detected and removed by anti-malware programs.

Basically, there two types of Google redirect viruses:

a) Hijacking search engine settings aka choosing which search engine to use. Your default search engine is named not google, yahoo, or bing, but something else. The first suspect is a plugin – based hijacker, though other cases are possible.

b) Hijacking results of the search engine when you click on them. Your default search engine is the same, but you get different results when clicking on them. The main suspect would be malware infection ( Step 6), but malicious proxy, dns settings, infected router and even hosts file are possible.

Steps 1-6 deals with regular hijacking of search results that are due to malicious settings or plugins. Steps 7 and above deal with malware infections that result in Google redirect virus symptoms and are more difficult to detect and fix. However, If any of antivirus programs are stopped from execution this means malware infection and you will have to scan your PC with anti-virus and anti-malware programs.

Step 1. Check your hosts file for malicious entries.
Hosts file resides on C:\Windows\System32\Drivers\etc\hosts
Windows hosts file location
Where Windows is your windows installation directory. Open the file with Notepad.

Note: On windows 7/vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so, On Win 7/vista do following:

  1. Press Start (or round button usually in bottom left corner and enter notepad. Do not press enter
  2. Right-click on the item in the list above
  3. Choose Run as administrator
  4. File->Open and browse to hosts file.

 

On Windows 8, enter notepad in search box or type right in the metro interface. Perform steps 2-4 like in Win 7.

Google Redirect virus symptoms might be result of malware adding malicious entries to this file and are removed easily as well.

Hosts file should look like this:
Windows hosts file

There might be line referencing ::1 as well. This is IPv6 local address and perfectly normal.  If you see more lines of code and IPs, you should delete these, especially if they rewrite google or Microsoft subdomains. This is a sign, that you either had or have infection on your PC, as this file can not be accessed remotely usually.

Step 2. Check DNS (Domain Name Server) settings

Domain name servers are used to determine what server to access when opening website addresses. Hijacking these settings would allow hijacking various websites including search ones.

1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
Local Area Connection properties

3. A window will open, then select Internet Protocol (TCP/IP) and click Properties.
Internet Protocol properties

4. You will see a window like the one below – this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically”.
DNS Settings
5. Click OK to save changes.

Step 3. Checking your proxy settings on Internet Explorer
Proxy server settings can be used to implement Google search result hijacking as well. This is simple to fix too:

1. Launch your internet explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings
Internet Explorer local area network settings
3. Unselect everything or enter parameters that were given by system administrator.
4. Press OK.

Step 4. (Optional) Check your proxy settings on Mozilla Firefox
1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open Network tab. Then, press Settings button.
Mozilla Firefox network settings
3. Select “No proxy” or enter parameters that were given by system administrator.
4. Press OK.

Step 5. Check your browser addons and reset your search settings in browsers

If your search engine changed to unknown one, you might have browser settings changer plugin or program. Typically, these programs will be detected in Step 6, but you will have to fix settings manually.

5.a. Check your IE add-ons and reset search settings
If your browser is hijacked in IE only, check IE browser add-ons. Note: there are malicious plugins that affect both IE and firefox and result in Google redirects in both of the pages. Before this step, make sure you clean your Control Panel from unknown, spammy looking programs.

  1.  Launch your internet explorer.
  2. Tools->Manage Addons
  3. Disable all unverified addons (there might be some useful ones, but better re-install them later).
  4. Delete all add-ons that look spammy/unknown
  5. Click arrow on the right of search box
  6. Do following: On IE8-9 choose Manage Search providers,  On ie7 click change search defaults
  7. Remove the unnecessary search engines from the list
  8. If settings revert after restart, you will have to do Step 6 and repeat step 5 again.

5.b. Check your Firefox extensions and reset search settings

  1. Press Firefox->Addons
  2. Go through list and disable all unknown or spamy addons.
  3. Repeat the same for Plugin list.
  4. Enter “about:config” in url bar. This will open settings page
  5. Type “Keyword.url” in the search box. Right click it & reset it.
  6. Type “browser.search.defaultengine” in the search box. Right click it & reset it.
  7. Type “browser.search.selectedengine” in the search box. Right click it & reset it.
  8. Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
  9. If the settings revert after browser restart, you will need to delete user.js from Firefox profile or/and perform Step 6 and repeat Step 5.

5.c. Check your Chrome extensions and reset search settings

  1. Click 3 horizontal lines icon on browser toolbar
  2. Click on Extensions. Review extensions there and disable ones you do not need.
  3. Select Settings
  4. Select Basics ->Manage Search engines
  5. Remove unnecessary search engines from list
  6. Go back to settings. On Startup choose open blank page ( you can remove undesired pages from the set pages link too).

Step 6. Scan for malicious parasites with spyware/antivirus removers:
1. spyhunter
2. NOD32 free trial

Step 7. (Optional) Repair Winsock 2 settings with LSPFix
Download LSPFix

Step 8. If you are still have search engine redirection, it might be tdss or similar rootkit

Although step 6 should detect majority of google redirects of that kind, sometimes it is useful to use a more niche tool. TDSS and Zero Access rootkits both cause redirection symptoms in some cases.
For this specific rootkit a remover can be downloaded from here : support.kaspersky.com/downloads/utils/tdsskiller.exe. Together with TDSS, it might be a sign of rivaling, ZeroAccess infection. Both these rootkits require dedicated programs for removal, and might require alternate OS scanners in worst case.

Step 9. It might be Cycbot infection
Cycbot is one of the trojans that result in browser redirects.
Typically, many of antiviruses and anti-malware programs like spyhunter detect Cycbot infection successfully. However, you might want to use our manual removal guide for Cycbot to identify and stop infection.

 

 
 
 

755 thoughts on “How to fix Google Redirect Virus (browser hijacker) problem

  1. jim jones
     

    I am getting google redirects. Spyware Doctor and MbA-M caught nothing

    I tried to my hosts file, but it would not open in notepad.

    Also, your sample is 1k and mine is 289k. Is that excessive. Also, I have a hosts.20090204-121117.backup file Sounds suspicious.

    thanks for any information.

     
    1. admin
       
       
      Post author

      Typical host list is small! Try replacing it with ours! Or search for google in it and delete all the lines related to that.

       
  2. tooSavvy
     

    Hi

    I changed,(after show hidden files), the to read and closed 7 rebooted, returning to hide files again.
    From very slow & constant redirects >>> now none & supa fast, as usual. Either in SlimBrowser or IE ;<)

     
  3. Mark
     

    @admin
    I can open the file with notepad and see that there are several other lines of crap but how can I change the actual file “hosts” I can save it in etc as a notepad text document but how do I effect the actual file?
    Thanks for your help

     
    1. admin
       
       
      Post author

      hosts file is text one. You should be able to change it with notepad. However, on Vista you need to open it with administrator privileges, or you will not be able to save it .

       
  4. marianne
     

    Thank you so much for this, fixed the problem!

    Cheers!

    MArianne

     
  5. Jaycee
     

    THANK YOU! I’ve been trying for weeks to get rid of that stupid virus. Now my computer is working normally and I can access Safe mode again.

     
  6. johann
     

    my etc file isn’t in the drivers folder. Is it hidden?

     
    1. admin
       
       
      Post author

      It might be. What OS you have, Johann?

       
  7. Jin
     

    @admin
    Can you explain a little more about vista. Because I have Vista and I delete the extra lines and try to save it but it won’t let me. Please help. Thank you.

     
    1. admin
       
       
      Post author

      Jin: search for notepad and right-click on it. There will be a choice to start as administrator. Then open hosts file.

       
  8. Jin
     

    My notepad looks exactly like the one on here (after I edited it) but this keeps happening. I have tried 4 different softwares so far, it hasn’t fixed it. My last option would be to reset my whole computer. Is there anything else I can do before going to my last option?

     
    1. admin
       
       
      Post author

      Jin : do you edited as administrator? You need to RUN notepad as administrator, or it will not save.

       
  9. Chaz
     

    Was getting Facebook logon redirected to Pricegrabber.com…..removed entry below the 127.0.0.1 Local Host entry and all was well again! Well done!

     
  10. David
     

    My Host file is not in the folder. I am running XP pro. Can I repelace it with and Host file ?

     
  11. Abdul Karim
     

    My hosts file in 374kb large… (lots of lines).

    i have the default localhost & 127.0.0.1 entry

    And after that I have these comments.

    # Start of entries inserted by Spybot – Search & Destroy
    ……
    ….& thousands of others….
    # End of entries inserted by Spybot – Search & Destroy

    I think it’s legitimate, and it’s spybot’s “immunize feature”. I ran spybot search and destry last night and the redirects have gone down significantly, however I spotted one redirect today. Which is annoying.

     
    1. admin
       
       
      Post author

      Karim : Yeah you are correct. However, Spybots immunizer is crap : it focuses on adware sites mostly, some of them even legitimate advertising sites (that pays for free sites you are visiting). I can’t say they fight malware distributors successfully, as these use different tricks.
      You should check proxy server that is set in your browser. Maybe there is something fishy ?

       
  12. David
     

    @admin

    I am having the same problem with the redirects – how to you check th e proxy server?

     
  13. Dinesh
     

    Thank you very much. Some virus has overidden the host file in my computer. Deleting that solved the problem.
    Thank you again.

     
  14. Randoph
     

    great stuff thanks!

     
  15. M'Rell
     

    Hey thanks this helped a lot!

     
  16. hannah
     

    Please help me. This virus has taken over my computer and I cannot do anything. I’m not very good with computers and really need some help to get it off. If anyone can help, please get in touch

     
  17. Nobita
     

    holy, my computer is at risk.
    i tried all of this but nothing works.
    i need a little help here admin.

    also this thing is appearing in my screen.
    “application cannot be executed.the file wuauclt.exe is infected”

    now how can i fixed my computer??

     
  18. anja
     

    I cannot open “notepad”. The virus doesn’t let me do that!
    What should I do?

     
    1. admin
       
       
      Post author

      Anja : Start task manager and try creating new process. Type in notepad (you might need to enter full path to notepad application).

       
  19. Seth
     

    I am dumping all my pictures and other stuff into another drive and buying windows 7 will I still have these antispyware soft issues? I also may reimage the XP OS back onto the original hard drive after moving most things to another drive. This antivirusspyware soft thing locks me out of control panel program list and add/remove programs.

     
  20. Anna
     

    The virus doesn’t appear to be too severe, as it only affects my search engines; however, I would like to fix it. Nothing significant was caught when I ran Norton so I tried looking at the host list. The only line after
    # 127.0.0.1 localhost is

    # ::1 localhost
    10.254.254.253 AFS

    Should that be deleted? And how do I open it with “administrator privileges”? I am trying to avoid downloading more anti-spyware and anti-virus programs. Is there anything else I can do?

     
    1. admin
       
       
      Post author

      Anna : these lines look harmless for me. Check your DNS settings and proxy. If it fails, you might resort to scanning with anti-malware/antivirus tools

       
  21. Chris
     

    I have a friend w/a Dell PC (unsure of model). She (or tech support) acciedentally downloaded Live Security Suite, and now we can’t get anything to work right. How do I remove LSS w/o wiping out the system, or her taking it and spending her life savings on getting it fixed or a new computer?

     
  22. rayan
     

    i m currently doing everything also ran spyware doctor but my browser ie8 keeps shutting down within one minute of launch. how do i fix this? of course i have the google search results redirection problem as well. can this be fixed atall?

     
    1. admin
       
       
      Post author

      Rayan : check plugins first, disable everything you do not need. If this does not help, you have trojan process already, and need to get some scanner. Download them on uninfected PC and move using usb flash drive or network share.

       
  23. Chris
     

    I also have an Everex Stepnote Laptop that is very slow no matter what we do, and almost every time it is left alone, the screen saver “freezes,” and nothing works except to shut it down by the power button. Any suggestions?

     
    1. admin
       
       
      Post author

      Chris : its more like it is hardware/driver issue than virus.. But a scan with malwarebytes/spyware doctor would not hurt :)

       
  24. thewhodio
     

    Thanks! finally got this bloody redirect off my computer, I’ve been using bing for almost a year!

    Thanks again!

     
  25. x64-Vista
     

    … My Host File doesn’t have hardly any of the things in the ex:picture… ALL it has are things that the step says i should delete,,, it has google in the file and bing… With i.p’s

     
    1. admin
       
       
      Post author

      x64-Vista:
      Delete these lines mentioning google and bing in hosts file – these are fakes. Typical good hosts file should be empty with some exceptions.

       
  26. x64-Vista
     

    I’ll try that if it works thank you soo much… im not good with computerz

     
  27. x64-Vista
     

    Umm there is no option to run as admin and it wont let me save? Help plz

     
    1. admin
       
       
      Post author

      x64-Vista Search for notepad in program list and righ click on it. Tehere will be an option to run it as administrator. Then open hosts with it.

       
  28. jcd
     

    @admin
    Do you need to reboot after removing the lines from the hosts file?

     
  29. jcd
     

    What worked for me was to disable all of the unverified add-ons in IE. Thanks!

     
  30. Hi
     

    When i try to change the Hosts File it wont let me i even ran Notepad as admin…

     
    1. admin
       
       
      Post author

      Hi: Try launching task manager and stopping strangely named processes first. Maybe your virus is observing hosts file. You might try to modify it in safe mode as well.

       
  31. jay
     

    Hello,
    My problem is the google redirect virus.
    I have xp I found the host file mine is 400kb is that normal? I see a loot of google files is it safe to just delete these and will they come back?

     
  32. jay
     

    After i delete the google stuff do i reboot or what?

     
  33. madge
     

    so ive read through alot of this. my hosts file looks nothing like that and it has only yahoo and google urls and no localhost one so i tried to delete them and put that in but it says unable to find. its not saved as a txt document and it wont let me change it and when i open notepad as admin the hosts file is absent when i go to the same spot. i also tried everything else on here and none of it did anything. p.s. i have vista

     
    1. admin
       
       
      Post author

      Madge : choose Show all files (not only txt) when opening hosts file from administrator notepad. By default, notepad lists only files with .txt extension, but in hosts file case it is none.

       
  34. Laura
     

    I have the “live security suite” rogue malware. Won’t let me do anything. I have tried to run several removal mbam, spybot, etc Everytime I try to run the downloaded file I get the following message “Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.” I am in safe mode with networking and signed on as administrator. I have tried downloading to fly drive and accesing it that way same message, I have also tried changing file name same problem. Went through steps to open notebook and won’t let me do that either any suggestions?????

     
    1. admin
       
       
      Post author

      Laura: This is separate problem. You should kill live security suite processes before executing any of files, and (maybe) fix registry, that does not allow executing programs. To do so, start task manager right after being logged in. The Live security suite will load quite fast afterwards, so you have to hurry. Press CTRL + shift+ esc and wait. Go to processes tab, and look for processes that should not be there (typically, names are random letters). Stop them. Then go to File ->New task and enter full path to antivirus executable on hard disk. This should allow launching antivirus and removing everything. Later you might continue with removing redirects.

       
  35. Jesse
     

    Nothing is working for me. I have been reading posts for the past few hours, and have removed viruses in the past, but this one is givin me a run for my money. I manually deleted the virus files themselves, but still cannot get on the internet. I have done everything listed on this page regarding proxies and whatnot, but still nothing. I have searched for the registry files, but being that I never actually clicked the virus to run a scan, I don’t have any to delete. I am at a complete loss. Computer works fine, just cannot get online in any way.

     
    1. admin
       
       
      Post author

      Jesse: you might need to install antimalware tools using usb drive. There might be a cases where virus inserts itself in other locations, for example in drivers. Though it is very rare. The guide covers majority of common cases of broken internet connections due to infections.

       
  36. Ty
     

    Thank you so much. My host file was the problem. It was completely rewritten and had and IP that was no mines and it keep repeating itself on every search engine. I just delete the whole thing but hosts is still there but nothing is on the notepad. I can use the search engines now but I will restart my computer and see if the host file will return back to normal. But so far the hijack is gone. Thank you so much.

     
  37. jerry
     

    wow soooooo good its working again after so much stress .. tried 4 different malware programs not even norton picked it up .. thank you so much for your step by step procedure without it i would never of figured this one out … i wanna kiss you

     
  38. Alexander Mains
     

    Ok I got this after I got AV Security Suite
    I did all of that and scanned with AVG and IObit Scanners but the problem wont go away on Firefox
    No proxies on either and auto DNS
    WHAT DO I DO!
    And you guys can protect the hosts file by putting it to Read-Only
    Found that out not too long ago

     
    1. admin
       
       
      Post author

      Alexander: Check add-ons in firefox. These might be infected as well. Also, neither IOBIT or AVG are good: Iobit uses ripped off malwarebytes database ( at least partially), and AVG (free) lacks rootkit detection.
      I would recommend scanning with Spyware Doctor, Malwarebytes, Spybot S&D / AVAST or Avira

       
  39. Alexander Mains
     

    OKAY I will try…
    I looked at my Plugins and saw Pando…
    and I’m like “whats that” no info, no homepage, nothin… I disabled that (hopefully that works)
    I did have Spybot before and ill run it again as soon as I get it again…
    I’m also thinking about getting this Spyware Doctor cuz it seems useful

     
  40. Alexander Mains
     

    I did Spybot S&D and it found a ton of things(types were malware(c)and Security(c) and a couple hijackers from files in the registry) but somehow I’m still getting the hijacker in Firefox only(ugh). I really need to get rid of it
    and Yes I ran 1 scan,restarted and scanned again + my dad scanned on his account
    I’m going to try to scan and look over EVERYTHING
    Any suggestions…
    Links the thing is taking me to:(ADS SPREAD LIKE AIDS!)
    [We do not allow links to malicious sites to prevent infection of other readers]

     
    1. admin
       
       
      Post author

      Alexander: Save your firefox bookmarks. Close it. Go to firefox data folder C:\Documents & Settings\[Username]\Application Data\…. On vista/xp (on windows 7 use C:\users\… instead) and delete everything. Then reboot, start firefox anew.
      If this solves problem, this is the quickest fix.

       
  41. Alexander Mains
     

    Gah!!! I did all of that and I still have it!!! (and I have XP SP3 by the way)

     
    1. admin
       
       
      Post author

      Then you will have to scan with something else than Spybot. I would suggest Spyware Doctor, malwarebytes anti-malware, superantispyware. If only firefox is affected, and problem persists after deleting userdata, no problems in settings, then you have firefox-specific hijacker.

       
  42. Alexander Mains
     

    I got spyware doctor and it is scanning right now
    Thank you for the help so far
    threats so far
    Tracking cookies-7
    Spywere Known bad sites-1
    Adware.Advertizing-1
    Adware.searchit toolbar-9 (oh gosh lost my place Its done)
    Trojan-Downloader.small.CML-6 (sounds like it)
    Hijacker.dospop_toolbar-30
    yeah thank you again for your help
    ill see if it still happens

     
    1. admin
       
       
      Post author

      Alexander: I would guess it is Hijacker.dospop_toolbar-30 . Trojan.Downloader would be the one responsible of installing it ;)

       
  43. Alexander Mains
     

    … I lost all of that because my computer froze…
    I cant pay for it so I guess I just have to do another scan and remove manually…
    I didn’t know you had to pay for it… oh well atleast it got the location of it

     
    1. admin
       
       
      Post author

      Well, Spyware Doctor has about 4x bigger database of traces than spybot as far as I have checked, so I know it can find more. I am not so sure Spybot S&D is updated enough to make it good solution for windows XP or latter users.

       
  44. Alexander Mains
     

    Thanks for the help I got it off but I think there’s still more…
    I still get it but I don’t care not as many now AND! it just goes to google instead of the ads
    YEY!

     
    1. admin
       
       
      Post author

      No problem, Alexander.

       
  45. Don C
     

    Just got done resolving a redirection — and worse – problem which was caused by a problem with our router.

    The virus/Trojan had changed router setting to direct DNS searches to their web address. They returned bogus address.

    Look into your router settings to make sure you’re settings have not been messed with. We ended up Restting the router to factory settings and reinstalled the router.

     
  46. Mark
     

    I have windows 7 and just got the virus/trojan myself. However, I cannot open ANYTHING. Not even task manager. I can open programs in safe mode, but how do I remove it from there?

     
    1. admin
       
       
      Post author

      Mark : First you will have to remove viruses. Disable the proxy server, download Spyware Doctor or malwarebytes, do a scan, remove stuff it finds. Do it in safe mode. Then reboot, and try to finalize checking the connection.

       
  47. James
     

    The issue with facebook redirecting to say pricegrabber isn’t always a virus or malware.

    Linksys routers are sometimes the culprit…a fix that may help for some people (specifically using linksys wrt160n or any other linksys router).

    Network Connections > Right click your connection > Properties > Select TCP/IP > Properties > Set your DNS manually (see below for what DNS servers).

    To determine the DNS servers to input here: Get to CMD Prompt > IPCONFIG /ALL > You will see 2 IP’s under the DNS Servers section > Enter those 2 numbers in the TCP/IP DNS configuration.

    I use OPENDNS, which is configured on the router and now manually set in the tcp/ip, and have never once seen this facebook redirect occur again.

     
    1. admin
       
       
      Post author

      James: Completely true. People should change their router default password in all cases.

       
  48. anthony
     

    i have the google redirect problem (xp),have tried all the the advice,but still have the problem,in the host file its only has 127.0.0.1 local file, nothing else,could this be the problem?

     
    1. admin
       
       
      Post author

      anthony: your hosts file is clean. Check add-ons and proxies. Also you might want to try specifying different DNS servers in your internet settings, set them to google ones (8.8.8.8 and 8.8.4.4 ). Sometimes the router is corrupted instead of PC and this might help both in cases of malicious DNS or malicious router settings.

       
  49. Bhakti
     

    Hello.. Emmm I dont know when “Security Master AV” was downloaded in my PC.. After that at regular intervals i get pop up windows asking for healing the viruses and buying the software.. I want to delete the above program/software.. Its really annoying.. Can u pls help!
    Regards
    Bhakti

     
  50. JABAD
     

    Mine is only redirecting Google chrome, not IE. Will the same steps above work? Is there something else I should look at?

     
    1. admin
       
       
      Post author

      JABAD: You need to reset connection settings in chrome. This is done going to Tools->Options->UnderTheHood -> Network->Change proxy settings.
      Also you might need to disable chrome addons that are malicious.

       
  51. JABAD
     

    Reset to defaut? There is no proxy enabled, so that is OK.
    I checked add-ons and see nothing that looks too bad. I disabled three that looked unfamiliar and nothing changed. Should I disable all add-ons?

     
    1. admin
       
       
      Post author

      JABAD: This might be rootkit. do a scan with http://support.kaspersky.com/downloads/utils/tdsskiller.exe
      Also make sure your proxy settings do not use system defaults. it should be set to No proxy. There are 4 settings in chrome.

       
  52. Google web redirection is due to virus infection. Especially Rootkit infections.
    Try to run TDSSKILLER from KASPERSKY LABS.

    http://support.kaspersky.com/downloads/utils/tdsskiller.exe

    For more information,
    Visit the site

    http://support.kaspersky.com/viruses/solutions?qid=208280684

     
  53. ecosseman
     

    Download “Dr Web” (free). ‘Quick Scan’ identifies System32 HOST file. Restore original …bingo!

     
    1. admin
       
       
      Post author

      Ecosseman : System Hosts file is only one of causes for this problem.

       
  54. leo
     

    ok when i open up my Hosts file i have right uder 127.0.0.1 Local Host a ::1 localhost do i have to delet that host or what and i have windows vista how do i get to my local network

     
    1. admin
       
       
      Post author

      Leo : No, it looks clean (an IPv6 address for localhost).

       
  55. Alexander Mains
     

    Hello again all :D
    I am back for help
    …Still have the virus redirect
    Has any way changed to get rid of except the Rootkit thing (which I am doing now)?

     
    1. admin
       
       
      Post author

      Alexander: Check your router settings as well, and try to enter DNS settings in your internet connection manually. SET them to 8.8.8.8 and 8.8.4.4. Sometimes routers are infected instead of PC.

       
  56. Alexander Mains
     

    okay I did rookit and no more google but I did get pop-ups and I cant access some sites

     
  57. Alexander Mains
     

    and erm how do I check my router settings (XP, service pack 3)???

     
    1. admin
       
       
      Post author

      Alexander: Update and do a scan with same tools again (Spyware Doctor, malwarebytes, etc). Rootkit might have hidden/downloaded other processes. I would say this time it is not router.
      For checking router, do a following: See what ip your PC got, and which gateway it uses. Then enter that gateway address in your browser.

       
  58. Alexander Mains
     

    I did rootkit and Spyware Doc and rootkit got 8 or 9 things out of it
    How can I check the IP and Gateway? :/

     
    1. admin
       
       
      Post author

      Look at the image in the step in 2.2 of this guide. There is a menu. Choose Status instead of properties. There you will see gateway server. usually the IP for it is 192.168.1.1 or something like that. If you are connected to the internet directly (no router), then this does not apply to you, and you have to look for virus in your PC.

       
  59. Rocki
     

    I got my laptop as secure as I can. Runs Win7, has kaspersky 2010 Internet security suite as well as malwarebytes. My browser redirect (facebook -> pricegrabber) problem was down to what James said. No viruses or spyware were reported, even checked hosts file. I did have ::1 Localhost which is also a valid entry.

    Have to thank James for his tip on DNS settings as that has done the trick. And the router I am using? WRT160N. Arrrgh!

    Admin: I think you should change your original post and point to what James has said if one does not find any of your suggested issues.

     
    1. admin
       
       
      Post author

      Rocki : We are working on it. We are planing on adding a guides how to restore infected routers back to original settings (as one could do some nasty things even when DNS settings are fixed in the PC). I would recommend restoring router firmware and changing password on the router.

       
  60. fran
     

    I have in my hosts/etc file:

    127.0.0.1 localhost
    ::1 localhost

    Should I delete the :: localhost?

     
    1. admin
       
       
      Post author

      Fran : No, it is IPv6 address of local host. Perfectly normal. Your problem is somewhere else. At this data (August 2010) , proxy server and tdss rootkit are dominating causes of redirects, followed by infected routers.

       
  61. Luigi12345851
     

    It happens to me no matter what search engine I use and the only add-ons installed in IE are 3 Java ones.

     
  62. Alexander Mains
     

    No redirects! :-)
    Thanks a ton

     
  63. Trenton
     

    Please help I did everything listed and it’s still redirecting me with every search engine and both firefox and IE. :(

     
    1. admin
       
       
      Post author

      Have you done full system scan with Spyware Doctor? Have you checked your router? Have you runned TDSS cleaner?

       
  64. Lucas
     

    Hi, my friend has a Dell laptop, running Vista. The virus is Security Suite and seems to have infected lots!
    Please could you explain the above (in a more dumbed down version) she can’t afford to send her laptop to be repaired.
    I was thinking of downloading the spyware to my hardrive and then installing it on her pc, but won’t the virus spread to my hardrive?
    Thanks for your help!

     
    1. admin
       
       
      Post author

      Lucas: we have a removal guide for security suite here : http://www.2-viruses.com/remove-security-suite

       
  65. Jim
     

    Thanks for the great article.I had the hijack virus.Not only that it was blocking my spybot S&D andother malware programs from even running.I went tru all the steps but have to say #8 was the one that found & fixed the problems..
    Thanks again..

     
  66. Freeforce
     

    Has anyone had to deal with this with Chrome yet?

     
    1. admin
       
       
      Post author

      Freeforce : it is quite straightforward. In most cases problem is not chrome specific, but you can check Customize and control->Options->Under the hood -> Change Proxy settings ( It uses IE settings)
      Also, you can check Customize and Control -> Tools->extensions and disable all unknown extensions.
      Everything else is NOT chrome specific, thus the guide should apply.

       
  67. Edintrouble
     

    I have downloaded AntiSpy Safeguard on my computer; I want to remove it but I have no clue. Can you please help me

     
  68. Edgar Manukyan
     

    I tried almost any available malware, spyware, rootcleaner, etc. software, but the only thing that helped me with this annoying Google search results redirects was editing the host file. One should enable file extensions from folder options, then copy the host file content (the desired clean content) into notepad, save it with “hosts.txt” file name, then delete the old hosts file with let’s say Unlocker and finally delete .txt extension from your created file and voilà you have new nice and clean hosts. Hopefully this will work for you.

     
  69. Edintrouble
     

    Please help me about that

     
    1. admin
       
       
      Post author

      Edintrouble: read our specific guide for AntiSpy Safeguard

       
  70. syn
     

    do i have to connect to internet when checking on the host file?

     
    1. admin
       
       
      Post author

      Syn: You can edit hosts file offline.

       
  71. syn
     

    the host file ending with

    ::1 local host

    it is alright then? if nothing wron with the host, how can i removed the antispy safeguard? im not good in safe mood.
    i did install tdsskiller.exe, but the scan doesnt detect anything. the spyware doctor detected some malicious file but i can removed those files unless i buy the full version. is there another way?

     
    1. admin
       
       
      Post author

      syn:
      ::1 : ok, it is for IPv6.
      You can delete these files by expanding the detection results, checking the file location. Then delete file. Just make sure to fix registry as well, as in some cases malicious files are referenced instead important system processes. It would be best first to start msconfig and disable the malicious files from starting up, then deleting them.

       
  72. need
     

    ok I did steps 1 and 2 but i cant do three! help!

     
    1. admin
       
       
      Post author

      What stops you from disabling proxy server? If it reappers, then skill to steps to download removal software, as that is sure sign of malicious processes on PC.

       
  73. JC
     

    I worked on three computers that had this same problem:
    Windows 7:
    I logged in as another (administrator user and ran MS Security Essentials, then logged back into the infected side and turned off the Proxy server setting:
    Internet Explorer -> Tools -> Internet Options -> Connections tab
    LAN settings button: clear all the check-boxes. (Do this even if you do not have another user login). The proxy server was checked only in one out of 3 machines I helped with.
    Find the AppData folder of this user (with infection) and delete two *.bat files and the *.exe file in the AppData folder.
    Windows Server 2003 (similar to Windows XP):
    Find the Application Data folder for the user (under Documents and Settings and delete any *.exe files there and the *.bat files.
    NOTE: You might find EXE files in the AppData or Application Data folders that belong to Google, Adobe etc. If you see any UNINSTALL programs there run them and then take out all remaining files. (I don’t think these are essential programs.

    Find the TEMP folder of the User’s folder and delete all the files there. The EXE file that generates new names is there. It is called by the BAT files o do this. The one I found is ‘e.exe’.

    Good Luck and let’s hope FBI catches those who gave so much misery to people are caught, fined and jailed for the rest of their lives. (It’s not hard to find them, FBI)

     
  74. Kristen
     

    Hey! I had this same problem and got tricked into getting the free version of AntispySafegaurd! But Just simple Compture Restore saved mine. Just set it back to a time before you used the spyware (I set mine to a month back even though I only had this problem for a week) Its very Simple and now my compture works fine.
    Good Luck!
    P.S. AntiSpySafe Gaurd WILL try to restrict this. But just click the “Continue UnProtected” until it allows you.

     
  75. Sara
     

    i need help, im very confused

     
  76. Ali
     

    Thank you so much! I tried everything. I searched everywhere. NOBODY helped me. All it took was the notepad trick. You’re awesome!

     
  77. Ali
     

    I lied. I thought it was fixed but after leaving you that comment I went to google search again and the same stupid redirect happened. Help?

     
    1. admin
       
       
      Post author

      Try disabling proxy server, do a scan with some anti-malware tools, and check if you got TDSS rootkit (run TDSS Killer). See your router settings as well. Generally, try doing the whole guide.

       
  78. Kaitlyn
     

    I have done the above steps. My host file has no other lines other than what you say should have.

    I am still getting fake microsoft alerts. My google search on this problem gets redirected, using firefox.

    I have followed the steps on this website http://www.2-viruses.com/remove-fake-microsoft-security-essentials-alert and found nothing. Also rebooted my pc with aoss scan http://www.pctools.com/aoss/ and scan with malware byte but it found nothing.

    After all these, I am still getting fake microsoft alerts :( what else can I try? I downloaded spyware doctor but I have to pay for it. Is there any other free software that I can use?

     
    1. admin
       
       
      Post author

      Kaitlyn : Try Malwarebytes or SuperAntiSpyware. Malware mutates, so no tool is 100%. If SD does not detect particular parasites, It will not remove it in full version probably till next update. Also, have you run TDSS Killer?

       
  79. Tim
     

    I love you guys, just thought I would tell you. TDSS killer and the Malwarebytes totally cleaned my computer and got rid of this and other problems. Thankyou for making my life so much easier.

     
  80. Brian
     

    After wasting time using many different anti-virus apps this was the one thing that worked! Thanks

     
  81. Pingback: What is Google Redirect Virus?

  82. Sebrina
     

    I have thinkpoint have no idea how it got on my computer. I have norton and it says nuthin at all is wrong. I’m runnin windows 7 & I need to know how to get it off it won’t let me online or on anything really I got the task manager to work and that’s the only way I can get online and I have to use my safari cuz it won’t work with explorer it got on my comp last nite somehow and I need help removin it before it gets too bad oh btw was on the phone with a lady from compaq for 3 hours she did nuthin to help she just tried to sell me a recovery disk for $30 :( plzz help me I know nuthin about these things

     
    1. admin
       
       
      Post author

      Sebrina: read Thickpoint removal guide. Disable proxy in your other browsers and try searching and deleting file hotfix.exe under your user folder (one level above my documents).

       
  83. Jon
     

    @admin
    This sounds exactly like the virus that I have on my other computer. Not sure if you are familiar with “youcansearch com” but I keep getting directed to that site whenever I try to use another search engine. I have used Malwarebytes Anti-Malware, but nothing seems to show up. In searching on how to get rid of it, I found a site that told me to delete all the files under the etc folder (… ). Here, you say to delete only specific lines from the host file. Can I do either?

     
    1. admin
       
       
      Post author

      I do not recommend deleting all the files from there. They are created by windows for a good reason :)
      Just delete additional lines if there are any. If not, virus is somewhere else.

       
  84. Jon
     

    Assuming that the virus is not in that location, what other locations do you recommend that I can check?

     
    1. admin
       
       
      Post author

      Go through full guide. If it is malware, any scanner will help significantly, as it could be anywhere. If its settings only, then it will be either DNS server settings (in router or on PC), proxy, or hosts file.

       
  85. Jon
     

    I will be sure to check everything. Thanks for your help!

     
  86. Tram
     

    Hi, so I know that you said that in order to save the host file you’re supposed to open it as the administrator. I know for a FACT that I am the administrator, but I still cannot save the host file. I always tells me to “contact the system administrator” and then it tells me to save it as a text file in my Documents. What should I do?

     
    1. admin
       
       
      Post author

      Tram:
      Are you on Vista / windows 7 ? If so, you are not running as full admin all the time, even if account is administrators one. That is called UAC window. If a program is launched without elevating the permissions, it will not be able to receive these permissions latter on. That is why it is important to open the file as administrator.
      Neverless, there are forms of malware that change file permissions. For that, you have to right-click on the file and change its attributes.

       
  87. Tram
     

    Yes I believe I am on Vista. But the thing is, when I right-click on the host file, the “open file as admin” is not available. It just goes straight to “open” and then asks me what format I want to open it as. Since I am not really computer savvy, how would I change this?

     
    1. admin
       
       
      Post author

      Tram: You can not open hosts file as admin. You can open Notepad first (as admin) and then from notepad open hosts file.

       
  88. randy burns
     

    Hi…I have read thru all your fixes…even tried kasperspy…I did a fresh install of windows and STILL have the redirect….i have tried all the programs….avg.malware.super.adaware…a list of em and they find nothing…any suggestions?….it is IE and firefox not just one…thanks so much

     
    1. admin
       
       
      Post author

      Randy: Check your router and DNS settings. Then again, it kinda depends when you get redirects: all programs or specific browsers.

       
  89. Jason
     

    Hi, I had the redirect virus and I did your fix steps and now i don’t get redirects anymore, which is great, thanks. (however, my hosts file was perfectly in tact.)

    The problem I am still having is that every time I open my internet browser (either IE or firefox), usually after restarting my computer or waking it from sleep mode, my proxies are changed and my internet becomes unusable.
    Something keeps changing my proxy settings to “Manual Proxy configuration:” (on firefox, for example) and I have to change it to “no proxy” every time if I want to use my internet. What would be causing this and how would I fix it?

    Thanks.

     
  90. Jason
     

    EDIT: It seems to be the act of opening the browser that re-sets the proxy settings to the setting that won’t let my internet work (Manual Proxy configuration)…. if that helps??

     
    1. admin
       
       
      Post author

      Jason: Your problems are due to some virus process. The usual suspects are TDSS Rootkit (Have you scanned with TDSS Killer? ) or similar. What I can recommend is doing some more anti-malware scans. I can recommend Malwarebytes, Spyware Doctor, and, in this case, Hitman Pro http://resellers.hitmanpro.com/9182137/HitmanPro35.exe .

       
  91. Jason
     

    I just scanned with TDSS Killer and there was no problems. Also I checked my Device Manager under Non-Plug and Play Drivers and there was no TDSS there. I have done approximately 20 scans, including scans with many different types of trusted scanners (including the ones you recommended) as well as boot scans and scanning in safe mode.

    However, every time I open my browser my proxies are changed. My hosts file is fine and unchanged, my DNS settings were originally changed, but since my fixing them they haven’t changed back (unlike my proxy settings). What could be causing this? It’s very annoying and it is slowing down my computer quite noticeably.

    Thanks again.

     
  92. Jason
     

    EDIT: I just reinstalled Firefox. Now whenever I open my browser (either IE or Firefox) my proxy settings are unchanged! So I guess the virus was affecting some sort of Firefox file itself? I don’t know… Does this mean the virus is gone? or..?

     
    1. admin
       
       
      Post author

      Jason: It might be a case. There might have been some sort of FF add-on, written for this purpose that is yet unknown for scanners.

       
  93. CPHelp
     

    @Seth
    Ok, to do this correctly, select sll the things you want to keep, and right click, and look for an option that says: Scan with [your virus protection if you have one] and scan, then move to disc.

     
  94. shashi
     

    I download but I dont know how to fix it help me.

     
  95. Rachel
     

    I downloaded spybot and ran a search. I am no longer redirected to spam sites from google searches but I still cannot open firefox. I opened the wordpad host document and there was nothing unusual. I went through all of the other steps as well, except changing firefox’s settings, because I cannot open it.

     
    1. admin
       
       
      Post author

      Rachel: Spybot in my opinion is severely slow at updating definitions. Your problem is due to infection, and not malicious configurations. Try using couple other scanners: Hitman Pro, Spyware Doctor, Malwarebytes, SuperAntispyware.

       
  96. Rachel
     

    Actually I am still being redirected.

     
  97. Rachel
     

    Malwarebytes caught nothing. Spyware Doctor found things but because it is the free trial, I cannot do anything about it. I will try Hitman Pro and Superantispyware. Could this infection also be disturbing the connection between my computer and printer or is that an unrelated problem?

     
    1. admin
       
       
      Post author

      Expand SD detected items. See the file location. In many cases it is safe to delete or rename detected files. In some cases you will have to modify registry keys.

       
  98. Rachel
     

    I used Hitman Pro and Superantispyware. Both of them found things and deleted them, but I am still being redirected. On the upside, firefox now opens. Its proxy settings look fine.

     
  99. anon
     

    I been reading through you article and avg and malwarebytes dont pick up the virus of rootkit. Whenver i visit a legit site to download himan pro or superantispyware my mozilla firefox freezes. i heard about it might be a router issue or i should use tdsskiller

     
    1. admin
       
       
      Post author

      Anon
      Yes, TDSS Killer is good approach. Try changing DNS servers though and check which DNS servers your router uses. It happens, that malware infect routers, especially ones with default password for that model.

       
  100. anon
     

    thanks tdss killer did it then i used malwarebytes to scan. =)So do recommend changing the password on my router and which anti virus/malware/spyware product that in the future can get rid of problems likes this.

     
    1. admin
       
       
      Post author

      If it was TDSS Killer, then your router is likely unaffected. However, it is bad to keep default router password, so if you do, change it (just not to aaaaaa, 123456 or password, the most popular and automatically attacked combos). I recommend getting internet security level of protection for every PC: Eset Smart Security, Kaspersky internet security or PC Tools spyware Doctor with antivirus, or any other from major makers. If not, get Spyware Doctor or Malwarebytes full running with real time protection together with decent antivirus. That should reduce risks of getting infected significantly.

       
  101. Marc
     

    I had this issue and it turned out the dns settings had been hijacked.

    I returned them to google’s dns servers (8.8.8.8, 8.8.4.4) and everything is happy now.

    I don’t think any malware removal tool will find this.

     
  102. anon
     
     
  103. greg
     

    YOU are a god among men i love you you saved my computer experience thank you !!!!!!!!!!!!

     
  104. will
     

    the antivirus software alert wont let me open my host file. i found it but it wont let me open it. what do i do?

     
    1. admin
       
       
      Post author

      Will: This guide is more in cases of handling left-over damage of malware. If you have active malware attack, first scan with regular anti-malware and antivirus tools.

       
  105. Marshall
     

    i have the antivirus 2011 and i have followed instruction concerning the hosts site, etc. I have downloaded spydocter but unable to execute. What next

     
    1. admin
       
       
      Post author

      Marshall: In your case it is malware based infection, and not malicious settings. Thus I recommed 1. Update Spyware Doctor 2. Try other tools (malwarebytes, hitman pro, superantispyware are good) 3. Delete it manually 4. Ask questions under its own guide : http://www.2-viruses.com/remove-internet-antivirus-2011

       
  106. Laurens
     

    I just had the same problem. Malwarebytes and G-Data found that csrss.exe, dwm.exe and conhost.exe were all infected by a Cycbot.AC Trojan Horse. Gladly, NOD32 ESET just released an update TODAY where they counter this Trojan:
    http://www.eset.com/threat-center/threatsense-updates (see Virus Signature update 5698). So, I recommend using NOD32.

     
  107. PengSwen
     

    My computer had been redirecting me to infomation-seeking.com ..im using window XP pro.so is there any difrences in steps?

     
  108. codey
     

    I installed the program, but the system won’t let me launch it. What do i do?

     
    1. admin
       
       
      Post author

      Codey: read guide on how to disable processes or reboot into safe mode with networking.

       
  109. Jordy
     

    I have ”security shield” and i think thats a virus.
    How does it go away ?
    Caus e my whole comp doesnt do it, cause then a ”security shield” browser comes

     
  110. Shyenne
     

    I’m trying to follow this site, & in my eyes it’s complicated. i have no idea what i’m doing. i’ve never had a virus.

     
  111. Carl
     

    “Oh my god, no way” and “Congratulations, you won” audio will be heard along with re-directs when going thru Google links (especially this web site). The problems may not occur for 15-30 minutes, but they will return and are extremely random.

    Downloaded Malware did get rid of alot of problems and I did all of the other steps herein however…..no luck. By the way, this particular computer does not have a “hosts” file in the “etc” path. Strange.

    I’m gonna “bite the bullet” and re-install XP. Spending more than 2 hours trying to fix a goofy mal-ware problem is stupid. I’ll say one thing – whatever web-sites sponser these malware products should be shot.

     
  112. Carl
     

    No worries. I guess I didn’t do “everything”. I ran “tdsskiller” (as suggested). It found 1 problem and “cured” it and…….horrah. No more google re-directs, browser kills, and funny audio. Here’s hoping this problem has gone away forever.

    Thanx for the information – beats having to re-build.

     
    1. admin
       
       
      Post author

      Carl: It is advisable to scan with other tools after TDSS got removed.

       
  113. Carl
     

    Do you mean like “Malwarebytes”? Or are you referring to something else?

     
    1. admin
       
       
      Post author

      Carl: Hitman pro, Spyware Doctor, Malwarebytes. Hitman pro is always a good choice, as it scans against couple antivirus databases. SD has bigger database (in my opinion) as malwarebytes, and is a part of bigger security suite. Though it is commercial program. And Malwarebytes is quite popular for good reasons to scan.

       
  114. Carl
     

    I scanned with Malware and got nothing; SD still reports 5 items:
    Application.TrackingCookies
    Tracking.TrackingCookies!Rem
    Adware.Advertising
    Spyware.Known_Bad_Sites
    Spyware.TrusyHound!Rem

    Also, there are several processes that seem strange. They are:
    DLACTRLW.EXE
    PDVDDXSRV.exe
    ITMRTSVC.exe

    I believe the first one (DLACTRLW.EXE) is causing multiple processes (with the same name) to be born. When they occur, silly sound bytes (as previously mentioned) are heard. They seem to come up randomly.

    However the Google re-direct no longer occurs after TDSSKILLER was run.

    I suppose what I still don’t know is exactly which Malware is one the PC. Does any of the above info help you in making that determination? Also, to kill those Malware items, is there something that is free that will do it? I’m a little cheap and don’t feel like paying the $30 bucks.

     
    1. admin
       
       
      Post author

      Carl: These SD detections are of low importance. I would do a scan with Hitman Pro and thats it.
      Google the process names separately though.

       
  115. Carl
     

    Thanx for your help. It appears the “dlactrlw.exe”, which found its way into the “startup” registry key, was the culprit. After removing that entry, everything seems to be fine. The folks who own this pc will be checking to see if any re-occurrences continue.

     
  116. Amber
     

    I think i’m having the worst problem with my lap top I can’t access anything not my control panel the internet none of my antiviruses or anything….Basically all I can do is turn it off and on…..do you know how I can fix this???

     
    1. admin
       
       
      Post author

      Last known good configuration in boot menu after force shutdown would be an option. Also, try downloading and using scanners in safe mode with networking.

       
  117. Amber
     

    ok….what do you mean by good configuration in boot menu after force shutdown would be an option…Idk to much about computers….

     
    1. admin
       
       
      Post author

      Press power button and hold for ~3secs. The PC will shut down. Then power on, and there will be a menu.

       
  118. Nicco
     

    I has my system attacked by antivirus8… bought spyware doctor and antivirus. Ran the software and removed malicious items it notified me of. HOwever. I can not get my MOZILLA FIREFOX TO LAUNCH. When i go to lauch i get

    “About internet Explorer Emergency Mode” box to pop up and it tells me that malicious software has infected my PC and the browers can’t be launched. I have uninstalled and reinstalled both Internet explorer and Firefox and I still keep getting this error message.. HELP..

     
  119. Alex AAA
     

    unbelivable in the add ons…. thanx a ton

     
  120. Kebap
     

    I disabled IE7 addon “Research” and now I don’t seem to get redirected any more (have to test longer though, because it did’t happen each time anyway…) Thanks for the great guide! :)

     
  121. Billy
     

    I had “Security Shield”. Removed it with CCcleaner, RKill and Malwarebytesantimalware. Then Google’s been directed to Findgala. C.WINDOWS>System32>Drivers>etc> all files are there, except HOSTS file is missing. Used Spyware Doctor, found: RogueAntiSpyware.WindowsSecuritySuite(13 infections), Trackware.Tracking Cookies!rem (24 infections), Adware.Advertising (10 infections), Spyware.TrustyHound!rem (1 infection), Application.TrackinfCookies (15 infections). Spent 3 days trying to get rid of findgala to no avail. HELP..

     
    1. admin
       
       
      Post author

      Billy: Check other things in this guide. Run TDSS killer as well.

       
  122. Billy
     

    Ran TDSS killer as suggested. Took 22 seconds and result was no infections found. In-depth scanned with NOD32 Anti virus, no objects found infected. Did step 2 to 9, except step 7 (‘coz it’s optional) and step 1 (‘coz couldn’t HOSTS file). Still redirected to findgala. Am I missing something here? I start losing hope here…@admin

     
    1. admin
       
       
      Post author

      Stuff to try :
      1. Hitman pro ( http://www.surfright.nl/en/hitmanpro )
      2. EmsiSoft Anti-Malware ( http://www.emsisoft.com )
      Host file is at c:\(your windows folder)\ system32\drivers\etc . It has no extention.

      If it is clear, and no scanning detect anything then it is problem with your router (most likely), semi-whitelisted browser toolbar (failed to remove browser add-on in one of the steps, but unlikely) or very fresh infection (less likely if you use several tools and they come clean).

       
  123. Billy
     

    Ran everything again. Malwarebytes antimalware: no malicious objects found. Hitman Pro: caught IExplore.exe as a threat, contains a high amount of malware related properties and it’s a potentially malicious software. Should I delete or quarantine this? A friend told me to just change the google bar from the right-hand side drop down menu and choose “Find more providers”? Emisoft Anti-Malware is still scanning as I type now. Checked several times C>WINDOWS>System32>drivers>etc>…, the HOSTS file (with no extension) is not there. There are only 5 files in etc folder: HOSTS.bak, lmhosts.sam, networks, protocol, services. And the worst part is most of the times I turn on my laptop in normal mode, it always freezes and I can only use it if I switch to Safe mode with networking. How do I know there’s a problem with my router and what did you mean by semi-whitelisted browser toolbar? I’m very dumb when it comes to computer stuff..@admin

     
    1. admin
       
       
      Post author

      Billy: Iexplore.exe might be a fake iexplore, check the file location. See the content of hosts.bak file, and maybe try to create an empty hosts file. If you can’t create, the real hosts file is hidden and cause of your problems.

       
  124. Billy
     

    Located the file, it turns out to be Rkill program (the Icon says IExplore). Opened hosts.bak in Note pad:
    127.0.0.1 localhost
    ::1 localhost
    How do I create an empty hosts file? How can I find the hidden hosts file?

     
    1. admin
       
       
      Post author

      Just try renaming .bak file to one without extension or save same content using notepad to file without extension. IF you are stopped from doing that, it is likely that there is hidden file.

       
  125. Billy
     

    When I tried renaming .bak file to without extension, a message box poppe dup saying if I change the file extension, the file will be unusable, so I saved same content of hosts.bak as file without extension, and the file type is text document. What else needs to be done?

     
    1. admin
       
       
      Post author

      Just make sure it is without extension (as extensions of known file types might be hidden). If you save as .txt it might leave .txt extension hidden.

       
  126. Billy
     

    I copied hosts.bak and tried renaming it into hosts without extension, it asks me if I want to rename it to hosts(2), because there is already a file with the same name in the location. Does this mean the hosts file is already there, but it’s hidden?

     
    1. admin
       
       
      Post author

      Yes. Edit your settings to see hidden and system files.
      On windows 7 :
      Open Folder Options by clicking the Start button
      Select Control Panel
      Clicking Appearance and Personalization
      And then click Folder Options.
      Click the View tab.
      Under Advanced settings, click Show hidden files and folders, and then click OK.

       
  127. Billy
     

    Mine is Vista. Opened Control Panel>Folder Options>View tab>clicked on show hidden files and folders. Then checked the etc folder, still doesn’t show hosts file without extension.

     
    1. admin
       
       
      Post author

      Look for option to see system files as well.

       
  128. Billy
     
     
  129. Tawni
     

    so how to i get to ‘hosts’ because it won’t let me click on it without closing again and bringing another security shield warning…?

     
    1. admin
       
       
      Post author

      Tawni: use code for Security shield to disable it first. Read our guide on security shield.

       
  130. techmanDj
     
     
  131. Chuck
     

    I have done everything found on this forum with very itte resuts. After the Windows Performance Manager downoaded itsef onto my computer I ceaned most of it up by searching for unusual programs. I found and deleted the files called cvfgtm.exe and bktgrk.exe. These files apeard to be AVI files. After deleting these files my computer was restored to mostly norma operation. I then used AVG free and IObit 360 to scan again and removed a few bad files. But I wanted to make sure I had all the virus removed so I searched and found this site. As I downoloaded the Spyware Doctor, AVG 2011 also downoaded. Both these files appeared to be maicious viruses and has completley destroyed my computer. I have worked my way back little by little and have just about cleaned up the mess.

    But I have one problem left that I can’t get fixed.When I try to open Notepad in Administrator, it refuses my pasword. Also, Internet Exporer opens only somekind of “Emergency Mode” and refuses to let me open any page except the microsoft.com page that contains the Windows Performance Manager and other viruses.

    Can you help me get my internet going again?
    Thank you

     
  132. joe
     

    is stopzilla any good?

     
    1. admin
       
       
      Post author

      Joe: There are mixed opinions about stopzilla. I would not use it myself, as in my experience it detects infections in files that are harmless ( aka false positives). However, these are not intentional, and the company is legitimate. There are better tools though.

       
  133. Sascha S
     

    i had this problem too,
    it was a self reinstalling local proxy.
    files(therms) to search in registry:

    Temp\csrss.exe (dont delete anything where path starts with %system… ususally with Temp\csrss.exe you would not even find something starts with %system…)

    data\dwm.exe (not renameable because running, so needs deleted in registry)

    data\wins.exe (rename you will find the path in registry)

    data\conhost.exe (Start > run > msconfig > systemstart > uncheck conhost)

    —- export registry first DONT delete keys just remove values —-

    After restart you will find out (because your internet works only for certain webpages ) that your system LAN-Settings where set to use Proxy for LAN…
    so go to

    Start > Control Panel > Internet > Tab Connections > Button Lan settings > uncheck use Proxy.

    that was it for me, hope it helps someone.

     
  134. Sascha S
     

    ah yes that was for win xp sp 3

     
  135. elena
     

    where can I find the add-ons in IE? and what is IE?
    Thanks

     
  136. tony
     

    ok ive read this page and it didnt help my google redirects my host files are fine i cant find a tdss thingy i cant download things either it just keeps asking what program would i like to choose to open file and when choose it just does it again my spywaredoctor didnt pick up anything but now i cant even open that my processes seem fine my proxy is disabled so im just going to save money and buy new com btw i using ie8 i believe

     
    1. admin
       
       
      Post author

      Tony: Your file associations are messed up, you will need to fix registry first.
      Check your browser addons and try doing scan in safe mode with networking (full system scan) with several tools

       
  137. phnatduppf
     

    Have trawled various forums, manually hacked away at the superfluous, used malwarebytes’ anti-malware, superanti-spyware, sophos anti-rootkit and unhack me, tried disabling javascript, checked dns, hosts, and proxy settings, and scoured the filesystem for dozens of the usual suspects. My search results still redirect me almost unswervingly towards a goingonearth version of whichever result i’ve clicked. Likely point of infection was mj1.exe and mj2.exe though not sure of where they originated. Close to initiating a total re-install but refuse to be beaten, now 8hrs in and need to sleep. D

     
    1. admin
       
       
      Post author

      phnatduppf:
      Have you checked add-ons in browsers? In some cases router needs checking as well, though that approach works through DNS servers usually and is fixed once you change it.

       
  138. phnatduppf
     

    Cheers for reply,
    all addons are those i installed and none of my anti-* scans flag them.
    Online through t-mobiles web’n’walk mobile broadband and a 3g huawei dongle only use firefox but checked and IE has same issue on my first use of the program.
    What is being referred to when i click a search result? How is it unique only to this action, not downloads or intra/inter-site links, also appears yahoo is unaffected whilst bing and google are. D

     
  139. phnatduppf
     

    Problem appears solved,
    first ran rkill.exe (found grpconv.exe),
    then kaspersky’s tdss killer (found sptd.sys),
    then mbam,
    then hitmanpro (found sapi0.dll).
    So far (>20 searches) no redirects. D

     
    1. admin
       
       
      Post author

      phnatduppf
      Yeah, TDSS Killer quite often a solution for these problems… In fact TDSS is in my usual suspect list :)

       
  140. James
     

    Am stuck at step 1 – how do I save the corrected host file (I don’t see where to “open with admin priveleges on my home PC).

     
    1. admin
       
       
      Post author

      James: For older versions of windows (like XP) just open it.

       
  141. Tim
     

    Step #8 cleared up my computer. Thank you so much!

     
  142. Marg
     

    Hi,

    My google direct virus means that all the web browser open up in Chinese – and it appears to be a porn site. This happens for both IE and Mozilla and also appears in Yahoo if I try to search. I have read all the following information and no-one has mentioned Chinese characters. How can I fix this problem?

    Many thanks

    Marg

     
    1. admin
       
       
      Post author

      Marg: read sections about DNS, Proxy, add-ons. Also, scan with anti-malware tools

       
  143. Moon
     

    I’m stuck on step 1. I opened the host file in notepad and it’s empty. what does that mean?

     
    1. admin
       
       
      Post author

      Moon: Empty hosts file is ok. Just make sure you opened right file.

       
  144. Moon
     

    I’ve run rkill and malwarebytes. I deleted a bunch of trojans. Now I can’t seem to get my wireless router to find my wireless network. what can I do?? please help!

     
  145. Moon
     

    One last question – is zitui.exe a virus? i don’t know what it is and I’ve never seen it before.

     
    1. admin
       
       
      Post author

      zitui.exe sounds like virus.

       
  146. I’m having trouble opening my file as a note pad. It won’t open at all, I did everything I can, including “Running as Administrator,” nothing seems to work. Please E-Mail me and help me out. I really wish to get this program out of my computer.

     
  147. ethan
     

    I cant open my host files it wont let me and ive tried moving malware anti malware by a usb drive but it still wont let me open it

     
  148. drew
     

    This goes out to the maker of this virus im trackn you and i will get you its nice in CALIFORIA cant wait to see you

     
  149. robin kinsella
     

    it keeps poping up i can not do nothing on my cumputer

     
  150. Ben
     

    I Can’t find my host file and it won’t let me run notepad as Administrator doesn’t work either, im running Windows 7 64bit Please Help.

     
    1. admin
       
       
      Post author

      Ben: It might be invisible. Try editing it in safe mode, not in regular mode.

       
  151. jonlee
     

    this is my host what should i remove.
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample LMHOSTS file used by the Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to computernames
    # (NetBIOS) names. Each entry should be kept on an individual line.
    # The IP address should be placed in the first column followed by the
    # corresponding computername. The address and the computername
    # should be separated by at least one space or tab. The “#” character
    # is generally used to denote the start of a comment (see the exceptions
    # below).
    #
    # This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
    # files and offers the following extensions:
    #
    # #PRE
    # #DOM:
    # #INCLUDE
    # #BEGIN_ALTERNATE
    # #END_ALTERNATE
    # xnn (non-printing character support)
    #
    # Following any entry in the file with the characters “#PRE” will cause
    # the entry to be preloaded into the name cache. By default, entries are
    # not preloaded, but are parsed only after dynamic name resolution fails.
    #
    # Following an entry with the “#DOM:” tag will associate the
    # entry with the domain specified by . This affects how the
    # browser and logon services behave in TCP/IP environments. To preload
    # the host name associated with #DOM entry, it is necessary to also add a
    # #PRE to the line. The is always preloaded although it will not
    # be shown when the name cache is viewed.
    #
    # Specifying “#INCLUDE ” will force the RFC NetBIOS (NBT)
    # software to seek the specified and parse it as if it were
    # local. is generally a UNC-based name, allowing a
    # centralized lmhosts file to be maintained on a server.
    # It is ALWAYS necessary to provide a mapping for the IP address of the
    # server prior to the #INCLUDE. This mapping must use the #PRE directive.
    # In addtion the share “public” in the example below must be in the
    # LanManServer list of “NullSessionShares” in order for client machines to
    # be able to read the lmhosts file successfully. This key is under
    # \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
    # in the registry. Simply add “public” to the list found there.
    #
    # The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
    # statements to be grouped together. Any single successful include
    # will cause the group to succeed.
    #
    # Finally, non-printing characters can be embedded in mappings by
    # first surrounding the NetBIOS name in quotations, then using the
    # xnn notation to specify a hex value for a non-printing character.
    #
    # The following example illustrates all of these extensions:
    #
    # 102.54.94.97 rhino #PRE #DOM:networking #net group’s DC
    # 102.54.94.102 “appname x14″ #special app server
    # 102.54.94.123 popular #PRE #source server
    # 102.54.94.117 localsrv #PRE #needed for the include
    #
    # #BEGIN_ALTERNATE
    # #INCLUDE \\localsrv\public\lmhosts
    # #INCLUDE \\rhino\public\lmhosts
    # #END_ALTERNATE
    #
    # In the above example, the “appname” server contains a special
    # character in its name, the “popular” and “localsrv” server names are
    # preloaded, and the “rhino” server name is specified so it can be used
    # to later #INCLUDE a centrally maintained lmhosts file if the “localsrv”
    # system is unavailable.
    #
    # Note that the whole file is parsed including comments on each lookup,
    # so keeping the number of comments to a minimum will improve performance.
    # Therefore it is not advisable to simply add lmhosts file entries onto the
    # end of this file.

     
    1. admin
       
       
      Post author

      Your hosts file is clean.

       
  152. Julius
     

    You are the best! I have been working on this damn thing all week. The rootkit tdsskiller did the trick! Symantec and Malwarebytes didn’t pick it up.

     
  153. Esthefany
     

    I am so confused! I can’t get this to work for me at all. :(

     
  154. NakedGuy69
     

    This worked for me.

    Just make sure guys that when you’re about to edit the host file, “read only” is UNCHECKED in the files properties.

    And if you are having problems with overwriting the file, double click it when you are saving.

     
  155. bidita
     

    the xpantispyware 2012 has blocked all d important files including dis file nd i can,t open it neither can i make it run dus ne1 has d idea hw 2 fix ds problem????????????

     
    1. admin
       
       
      Post author

      Bidita: In your case, read the guide on XP antispyware 2012. You need to kill its processes, this guide is not that applicable (except you might have to remove proxy as well) http://www.2-viruses.com/remove-xp-antispyware-2012

       
  156. Ed
     

    Hosts files are fine and DNS setting and Proxy too – downloaded all (Malwarebytes, Spyware doc, even the special remove antispyware) in safe mode with networking but every time I want to run them, Vista Spyware message appears and blocks them. Can someone help?

     
    1. admin
       
       
      Post author

      ED: If the file is blocked after download, try renaming them to .com instead of .exe Or you might have to kill malware processes manually.

       
  157. BigL
     

    @Julius

    Thank you from RDU (Raleigh-Durham NC)! The rootkit tdsskiller did the trick!

    With 12 years computer/network experience — this Malware got me good! Wasted 4 hours of my life!!!

     
  158. JustME
     

    Old hacker trick—mark the hosts files to read only…and if you use WinPatrol
    (the free version is fine) it will show you the hosts file within the application and also everthing running.
    AND it warns you if something writes to the startup
    http://www.winpatrol.com/

     
  159. Dale Anderson
     

    Thanks for this information. This virus was causing me all sorts of headaches.

    Now if I could get my hands on the person who put the virus on my computer in the first place, that would be a nice feeling to have. :)

    Cheers, Dale

     
  160. Denny
     

    I beat Vista Fix It and Google Redirect

     
  161. David B
     

    My hosts shows a ::1 under the ip addy. Should this get deleted? When I try and save it says cannot create to C:\Windows\system32\drivers\etc\hosts, Make sure path and filename are correct. I am pretty sure I am logged in as admin… Ran AVG antivirus which found nothing. Just would rather exhaust all options before i go downloading and installing 14 different malware products. Thanks.

     
    1. admin
       
       
      Post author

      David: You got Vista/Win 7. ::1 is harmless, it is an IP6 address. If this is single additional line, your file does not need editing.
      If hosts file is clean, I would look for problems in other sections (either trojan is active on system, Rootkit, or malicious proxy, etc. )

       
  162. Michael
     

    When I open my hosts file on windows 7 with notepad, the document that opens is blank. Why is that?

     
    1. admin
       
       
      Post author

      Michael: if this is correct location, than everything is fine. Hosts file is not necessarily in most cases, though there is a placeholder file in most of the systems with some commented lines and 2 lines referencing localhost.

       
  163. Tyler
     

    Thank you this guide. all the responses to questions really helped my knowledge on this subject. i checked my addons in Firefox and found “XUL cache.” i removed it and the redirects seem to have stopped. I read somewhere that this addon can somehow get back onto my browser. Is there something that i can do to make sure that i’m in the clear?

     
    1. admin
       
       
      Post author

      Tyler: best advice is to keep decent internet security suite on PC. Malware still has to get in on one’s PC to modify settings and cause redirects (except in case of hijacked router). For the router, nothing beats changing password from default one.

       
  164. Melisa
     

    Just wanna say thank you. The instructions totally solved my problem! Really saved me a lot me trouble. Thanks a lot!

     
  165. Shokc
     

    @Hi
    To save host file as admin, windows 7, even if you are the admin right click on host file go to properties, under security tab, select user and edit – Select all boxes under Allow. This will grant permission to save the file.

     
  166. Shokc
     

    Will let you save the host file.

     
  167. Raj
     

    Just removing the following entry from my hosts file did the trick.
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Thank you very much!!!!

     
  168. Jackie
     

    @Shokc
    I can’t update the hosts file it won’t let me open it or change the user properties so all users can edit. I can’t download the spyware (*any of them) from the internet as the virus has blocked access to them. I can’t even access the internet settings to change proxy settings…it just says can’t access contact your system administrator. Please help I can’t do anything on my PC and this virus is so fr*king annoying!

     
  169. SamieJ72
     

    Reboot your computer in safe mode and delete the following file in the following folder. Fixed my redirect problem like a champ!!

    File: api-ms-win-core-memory-l1-1-032.dll
    Folder: C:\Windows\SysWOW64

     
  170. CDA Rescue
     

    Unhack me is a great program for removing most of the malware. Been doing the virus removal since 1991 and have to say this program has made life so easy.

    http://www.greatis.com/unhackme/download.htm

    Just fixed some malware entries in my host file.

    Also combofix works well, just be careful with it.

    http://www.bleepingcomputer.com/download/anti-virus/combofix

    Worried about the fake viruses? try WOT for your browser to let you know of potentially dangerous sites.

    http://www.mywot.com/en/download

     
    1. admin
       
       
      Post author

      CDA Rescue :
      Thank you for suggestions.
      WOT is useless against fake antiviruses. Its ratings are based on opinion on domains, and these change on daily basis. It is useful against poor programs though or scams. Both Combofix And Unhack me are computer repair programs that are of interest for people that repair PCs for living rather than regular user that desires less problems with one’s PC on long run :)

       
  171. itguy
     

    The TDSKiller program did the trick for me…thank you!

     
  172. Justanotherdude
     

    tdsskiller.exe is the one. I think that should be bumped up to Step 1. :)

    Thanks for the help.. just glad that I finally got rid of it.

     
  173. SubZerQQ
     

    for those of you that are having problems editing host file. I highly recommend HostsXpert v4.4. A free program for managing your host file. get it here:
    http://www.funkytoad.com/index.php?option=com_content&view=article&id=13&Itemid=31&28d444df85eb4f435055ed9d39c02f03=d315773113eab5e724959c494ea17358

     
  174. Pingback: Is malware payment gateway shutdown the end of Fake AVs?

  175. frozo
     

    I edited my host file but to no avail and tdsskiller.exe resolved my issue. Thank you.

     
  176. Zoey38
     

    my host file doesn’t look like that it looks faded and it won’t let me save it i have also tried running as administrator

     
  177. Wendy
     

    I’m trying to do step one, and my computer wouldn’t let me ‘access’ or save my changes. I noticed extra line that ‘i think’ should be removed, ::1 localhost. How can I let the hosts file save my deletion>

     
  178. Wendy
     

    BTW, I’m on Window’s Vista – how can I open the ‘host’ file with admin. privelages?

     
  179. Wendy
     

    Got it. Figured it out!

     
  180. Chris
     

    The hosts file suggestion solved the problem that Lavesoft and Ad-Aware didn’t catch this one. Thanks for being awesome.

     
  181. Xinci
     

    Thank you thank you! I had to do quite a bit of research for an important paper I’m working on and the problem was hidering me greatly. I followed your instructions and it worked! It was some trojan programs that were quarantined in my virus protection but they were still causing problems. I’m very grateful :)

     
  182. gsly
     

    Thank you very much this worked very well. I appreciate your assistance

     
  183. Pingback: Dedicated 2-viruses » Fake BBC videos are used to trick PC users on Facebook

  184. Dave
     

    Just wanted to say thanks for the information. My IE has had the same problem as most people have had lately. I had tried about 10 Spyware tools and none found the problem, so I downloaded and ran tdsskiller.exe from Kaspersky. I ran it and the program found 2 files BMLOAD and tcpipBM which it removed and now IE works as it should when I select something from a google search.

    Now to find a fix for why my active window deselects itself after about 25 seconds and I have to click on the window to continue doing whatever.

     
    1. admin
       
       
      Post author

      Dave: Rescan with full kaspersky version or other 10 tools :). This kind of infection might have hidden some other processes from anti-malware tools while active. Also, it might be useful to do a test run with some registry optimizer like CCleaner.

       
  185. Dave
     

    Hi ya Admin.

    I just found what was causing the active window deselection. I recently installed Kies for my Samsung phone. I went through and ended the windows processes that weren’t directly related to windows 1 at a time until it stopped. It was KiesPDLR that was somehow causing the problem. Thanks again for your help.

     
    1. admin
       
       
      Post author
       
  186. Jen
     

    Great info, unfortunately I’m still having issues.
    Step 1: I modified the hosts file to match yours
    Steps 2 & 3: settings were fine
    Step 4: N/A
    Step 5: I disabled all non-Microsoft addons
    Step 6: I ran Spyware Doctor. It found a high threat and a medium threat. I was surprised that I had to pay $30 to fix these, but I decided that the $30 would be well worth the fix. This didn’t do the trick though.

    When we go to Google & Bing the bottom bar says “waiting for Google.com” and the page just never loads. Yahoo loads, but we can’t search, the searches don’t load. The control key isn’t working properly, I can’t copy and paste using control commands.

    I didn’t continue with steps 7, 8 or 9 because this computer belongs to my parents and I ran out of time. Any advice??

     
  187. Marc
     

    Step #1 was the fix for me. It worked. But before that, I’ve scanned my laptop running Vista Basic Edition with Adaware (free edition) from Lavasoft. I’ve been using Adaware since 2001. I’ve used also CCleaner (free edition) to scan/fix registry entries + stop suspected processes. Both are excellent tools for free. Finally, I’ve uninstalled several “suspectful” third party software using another free tool: Revo Uninstaller. This utility isn’t just uninstalling the software but also offer to clean the registry table of ANY occurrence of the software you’re uninstalling. Then apply the fix proposed here otherwise the malware if not remove previously will keep re-installing itself.

    I can now enjoy ALL the Google / Yahoo searches again.

     
  188. Helen Wood
     

    Thanks! I have been having a nervous breakdown over this and your advice is the first that actually got me anywhere.

     
  189. Whitley G
     

    I have tried everything. It keeps bringing up Data restore with every error message possible. Please help me I’m not very computer savy and I really need this to work for school…Thank you

     
  190. train42
     

    Step 4 worked for me, but as I understand it, the automatic setting of proxies still has fake information somewhere, right? How do I fix this to get rid of the problem completely?

     
    1. admin
       
       
      Post author

      Train42: in some cases the original infection is already gone (removed by antivirus), but proxy settings remain. However, I would recommend scanning PC with decent antivirus. If you have no other symptoms, I would recommend scanning with Hitman Pro, as it is fast and scans with multiple antivirus engines http://www.2-viruses.com/reviews/hitman-pro .

       
  191. Lisa
     

    I have followed your instructions but I still get redirects to stuff like blendersearch. What can I do?? There is nothing in my hosts file that is abnormal. I ran the tdsskiller and it doesn’t detect anything.

     
    1. admin
       
       
      Post author

      Lisa: Have you checked browser add-ons and DNS server settings? It might be some plugin that hijacks search. Disable all add-ons. If this continues, I would recommend scanning with Hitman Pro or Mbam first. TDSS killer detects several families of rootkits, but not everything.
      Post back about your progress.

       
  192. Pingback: ZeroAccess Rootkit - how to remove

  193. Lisa
     

    @ admin:

    I have disabled browser addons. As for the DNS server settings, I have both IPv6 and IPv4, and they are both set to “Obtain an IP address automatically”. I have uesd Malwarebyte and it did not detect anything of the sort.

     
    1. admin
       
       
      Post author

      Lisa: are there other PCs in the network and everything works fine?
      Also, scan with hitman pro instead of Malwarebytes. It uses several antivirus engines,but tests less places than regular antivirus. This is to reduce chances that there is malware to the minimum. As long as there is no malware, I would suspect router hijacking, but the chances are poor. Maybe the site is infected, though, or some weird user script…

       
  194. Cody
     

    Well I troubleshot all these steps and noticed that all my settings are like that suggested. My internet regarding the proxy settings, however, does not have a proxy port. The only browser I have is Google Chrome. I have a redirect virus that when i click on a trusted site, it stops at a blank screen, pauses, loads then stops and changes the website. It takes me to sites like dictionary sites with “Suggestions” I use an entirely outdated 2005 Media center edition PC so everything isn’t far from Win98.

     
  195. Lisa
     

    @ admin:

    Yes there are others but they use Macs. I read on this page that Hitman Pro would require payment in order to remove/clean anything? Malwarebytes detected stuff a couple days ago. I followed your steps and tried the Malwarebytes again, and nothing shows up. I have just checked with Hitman Pro and Tracking Cookies as well several Malware/Trojans showed up. What should I do?

     
    1. admin
       
       
      Post author

      Lisa: Hitman pro is free to scan, and free for the first 30 days to remove (you need to press activate, but no payment is required). Additionally, it will help to determine if there is really something wrong on your PC during the scan itself.
      If other PCs / Macs in the same network are ok, then it is not hijacked router (if they use automatical DNS as well),
      You could also try super anti-spyware.

       
  196. Lisa
     

    @ admin:

    Sorry, I did not see that there was a trial. :) What should I do if the redirect problem happens again and I don’t have the trial option for Hitman Pro anymore? I don’t have the funds to purchase a decent antivirus program or anything in that category for that matter. :( Will let you know of my computer progress after reboot.

     
    1. admin
       
       
      Post author

      Lisa: The correct answer is using decent, commercial (preferably) antivirus like Kaspersky or Eset. In worser case – Microsoft Security Essentials, in worst cases – other free antiviruses. Prevention is the best cure for some of the redirects.

       
  197. Lisa
     

    @ admin:

    Hitman Pro did the trick for me, so I believe. :) I have not been redirected after reboot. Thank you so much for your help and guidance for future prevention! :D

     
  198. Tim Milligan
     

    Here is what I have found with my laptop and google redirects. There is a copy of MS Internet Explorer running in the background. This appears to be related to the redirects. When I rename my IE folders so it will not run and kill the running copy the redirects stop. When I put the folder name back. The IE background process will reappear and the redirects will start again.

     
  199. Tim Milligan
     

    I should also say, since IE is disabled I use Firefox or Chrome. Both of which also had the redirects.

     
    1. admin
       
       
      Post author

      Tim: It might be a malicious IE plugin, that creates a process and hijacks all internet access. Have you scanned your PC with multiple tools?

       
  200. jimmy
     

    Your the best whomever listed the things to do to get rid of the redirct virus….thanks

     
  201. Ryan Critchett
     

    Hate this. I’ve had this problem multiple times, did all of the above fixes, and it changed nothing. Something was still delivering both the fake antivirus program and the redirects in Google, to the machine. Even went as far as to reformat the machine. Then, upon entering dns and static ip info, the machine got infected again. BUT, the server machine (which was really just another computer acting as a server) was not infected. We scanned that thing thoroughly. ODD and extremely stealth, these things are.

     
    1. admin
       
       
      Post author

      Ryan: this guide is for cases when there is no obvious trojan in the system. In your case, I would first do tdss killer scan (and see if it detects), and if not, do a scan with Alternate OS scanners, and then repeat all the steps here.

       
  202. jose rey
     

    browser is redirecting lines in google searches

     
  203. jose rey
     

    how can i eliminate google redirect

     
  204. amit
     

    i have a problem with the cursor it is not stable may be it is due to some virus, pse suggest me how to repair it.

     
  205. Pingback: Dedicated 2-viruses » Keygenguru and other crack websites should not be trusted

  206. Pingback: Trojan.DNSChanger - how to remove

  207. Pingback: TDSS rootkit - how to remove

  208. pedro
     

    thanks a lot i erased the whole host file cause it gave me no option to modify whwt was on it in fact there were two extra lines one for google and the other for bing after delection the hidden virus cant redirectme anymore. i tried everything before unsuscesfully:system restore,antivirus scanning resseting internet explorer, windows search. etc etc, even listing the page risksearch net on the restricted sites button dint work completely cause even it tried to connect unsuscesfully but redirectme from the right results. i was about to switch the hd, but i found your help online and it worked, thanks

     
  209. Al
     

    I have something called searchqu that got in my computer with a music download today. How do I get rid of it. It has taken over as my home page and search engine! Thanks

     
    1. admin
       
       
      Post author

      Al : read guide, everything applies. Uninstall browser ad-ons, scan with both Spyware Doctor and TDSS killer, check hosts file.

       
  210. ada
     

    I changed hos file but wont save it saiys it is read only please help

     
  211. ada
     

    host file is invisible unless I open I copy an dpaste address C:\Windows\System32\Drivers\etc\hosts. When I paste it to search box it asks me what program to use I dobn’t have an option to run as admin
    If I open notepad file I can right click and run as admin, BUT when I open host file and delete bottom section I can not save bcs it is read only.
    I hope that makes sense to someone :(

     
    1. admin
       
       
      Post author

      right-click on it and go to its properties. Remove System And read only attribute.

       
  212. ada
     

    @pedro
    How do you delete host file . I can not find it unless I copy and paste C:\Windows\System32\Drivers\etc\hosts to search box and then access is denied . Is there any other way of deleting it.

     
  213. mcryan
     

    I have located the HOSTS page & opened in notepad, however, after the 127.0.0.1 localhost I have loads of others all with the same number but different name. Do I delete all of them?

     
    1. admin
       
       
      Post author

      mcryan
      yes, you should. Thats DNS address hijacking.

       
  214. trail
     

    I can’t seem to run KasperSky. Google redirects me to cc search sometimes(I’m on google chrome). When downloading, my internet connection gets cut off and I had to restart the computer. Any idea what I should do? I tried opening host, nothing suspicious. Checked proxies and DNS settings also nothing.

     
    1. admin
       
       
      Post author

      Trail : check router settings, although I would suspect active malware on your PC. Download TDSS Killer and some anti-malware program on another pc and use Flash drive .

       
  215. Unknown
     

    If you cant remove Malware on your own, stop being cheap and take it to a pro. Nuff said!

     
    1. admin
       
       
      Post author

      Unknown
      I would say first get a decent antivirus or anti-malware. There would be far less infections if people would actually use antivirus :)
      Professional repair is required for fresh or very aggressive malware or when PC is beyond automatic repair.

       
  216. Mike
     

    I have been getting the Google redirect since yesterday. I scanned with Malwarebytes and found nothing, I cannot even open Norton 360, not even with Task Manager, and running TDSSkiller twice found nothing. I have gone through my host file, found no extra info there, and I checked my proxy settings; one thing was checked and I unchecked it. I went back to the proxy settings later and it was still unchecked. What can I do to remove this virus?

     
    1. admin
       
       
      Post author

      Mike: Scan with different anti-malware programs, like Spyware doctor or Hitman Pro first. If it is clean, check your DNS Servers (should be set on automatic in most of cases). If it is on automatic, then set it to google DNS (this would mean your router’s DNS settings were hijacked). However, if you can’t launch norton 360, it is malware infection.

       
  217. Mike
     

    Spyware Doctor found some low-risk stuff, mostly tracking cookies and a couple of different advertising adware. I’m not in a position to purchase the full version, though, so I couldn’t remove it. I still can’t open Norton but I did check my DNS settings, everything was set on automatic and I didn’t know what the Google DNS settings were so I left them alone. Hitman Pro spent five minutes looking for an internet connection before aborting the scan. I do not know why it did this, as I was able to access the internet fine during the search.

     
    1. admin
       
       
      Post author

      Mike: Run GMER first, then Stopzilla. Try setting dns servers to 8.8.8.8 and 8.8.4.4 (listed in this guide).

       
  218. Mike
     

    I ran SuperAntiSpyware as well, removed several tracking cookies but I did not resolve the redirecting problem. I also retried the TDSSkiller and it still found nothing. Is there another antivirus or antirootkit program that might help remove this?

     
  219. Greg
     

    Ummm… Hi every time i click on a link in google or any other search site it redirects me to a ramdon Porn Site. i can avoid this by coping the direct link into the serch bar but its a pain doing that all the time.Ive use spyware doctor
    And it only found cookies and one medium RogueAntiSpyware.Antivirus360 and that has nothing to do with my browser or somthing like that But please help me!!

     
  220. Lulu
     

    I’m so frustrated with this redirect virus in firefox. I run winxp and have TrendMicro who, surprise surprise, didn’t stop yet another virus from taking hold. I ran malaware bytes and it found 2 reg key trojans and one infected folder. I deleted all 3 then when back in and double checked everything over again. Still i’m getting redirected. Any other suggestions or if someone finds a solution please let me know. Thanx

     
  221. Lulu
     

    Oh update. I think I know what the culprit is. It’s this babylon search engine I caught it’s name in the “jump” when it was redirecting me. Now if I can find out how to get rid of this I may be ok. Any help appreciated since this is one of the only sites that acctually gets past the redirect. :D

     
  222. Lulu
     

    @Lulu
    Great news!!! I went to Microsoft’s website and D/L the microsoft emergency response cleaning tool. After many failed attempts by malaware, spybot, trend, and even Hitman nothing removed it. I then called microsoft and they directed me to this. It is a free d/l for windows users. Ran one scan took about 4 hours restarted pc and viola. redirect gone. Hopefully this will work for some one else :D

     
  223. Matt
     

    Hi,
    I have been having this redirect problem for a few days now and could really use some help. I don’t get redirected every time I click a google link, but occasionally I do and will have to try many times before I actually get through to the requested site…I followed all the steps (all of my settings and folders were already how this guide says they should be) and have done full computer scans with AVG, Malawarebytes, Microsoft Malware Removal tool, and the Microsoft Security Scanner, and the TDSS killer suggested on this page and found nothing. (AVG and Malaware found 2-3 Trojans the first time I scanned, but they all seemed to be unimportant crap that didn’t effect my redirect problem when I removed them). Any Suggestions or Ideas? Please help me out!
    Thanks in Advance.

     
    1. admin
       
       
      Post author

      Matt : Several things.
      1. Are other PCs in the same network experiencing same problem ? If so, router infection is more than likely. It will not be detected by any tools, though DNS change to 8.8.8.8 and 8.8.4.4 (like in guide) might fix the problems. In such case, one should restore router firmware.
      2. Scan with hitman PRO, SuperAntiSpyware, Stopzilla and Spyware Doctor. While majority of microsoft tools are ok, not everything is detected, and personally I do not trust AVG too much. TDSS Killer is against one (nasty) family of infections.
      3. Double check that correct hosts file is empty.
      4. Worst cases? Scan with GMER for unknown rootkits, scan with AVIRA boot cd or PC Tech support time.

       
  224. Elliott Bettman
     

    two (and a half) words..

    Get..A..MAC. I have Minor trojan problems but as long as I don’t execute and delete it’s all good. Linux is BOMB proof but user unfriendly

     
    1. admin
       
       
      Post author

      Elliott Bettman: Wrong.
      Some of things listed in this guide are possible in Mac as well. For example, HOST file, DNS hijacking, infected router or malicious browser add-on. In fact, they are possible in Linux as well. A mac owner should get an antivirus, and (likely) Linux box owner as well. Everything else is down to market share.

       
  225. Sarah Thompson
     

    Hey admin, I tried everything you said on this page and everything’s fine. The only problem is that i still have this annoying redirect virus going…. any help please?

     
    1. admin
       
       
      Post author

      Sarah : Double check addons, change DNS servers and scan with hitman pro and Spyware Doctor.

       
  226. Rebecca Ldj
     

    My computer took a turn for the worse today. After much digging and grueling trying to find out what it was – my two biggest clues of my search engine searches being redirected and music/radio/ads playing in background and the help of my secondary computer – it came down to a virus. I bought norton, ran malwarebytes and ran spybot S&D as well as TDSSKILLER….and then ran all the checks you listed here. I am still having issues. Any ideas?

     
    1. admin
       
       
      Post author

      Rebecca Ldj:
      2 issues are most likely :
      First one is yet unknown trojan /adware. For this, try hitman pro, Spyware Doctor, SuperAntiSpyware.
      Second one is malicious browser add-on (if the music plays only after browser is launched) or proxy.

       
  227. Joe
     

    My hosts file seems to be hidden, all I can find in the etc folder is lmhosts.sam, which looks exactly like one hosts file posted by a reader that you said was clean. Do I need to find the actualy hosts file and check it? How do I find it if it’s hidden?

     
  228. Joe
     

    Update: The first thing I ran was ad-aware in safe mode+networking, which found several items, including trojans. I still had the redirect problem and ran kaspersky tdsskiller, which found something and removed it. Then I ran malwarebytes which found one infected file that looked like a really old keygen for some app. The problem seems to be resolved but I am still curious about my hosts file, why I cannot find it even when I select “show hidden.” I would like to check my hosts file just to be sure, as I said I can only find lmhosts.sam which looks clean.

     
    1. admin
       
       
      Post author

      Joe: PCs can function without hosts file in most of the cases, thats one option. Another option is hosts file with attribute System, which would be hidden as long as an option to list system files is unchecked (thats default). Some malware programs use this trick to hide documents or files.

       
  229. Tom
     

    I was having this issue but only in IE. Ran MalwareBytes, Hitman Pro, Spybot, TDSS Killer etc etc. Nothing was finding or fixing anything. I tried using Dr. Web (free version) and it found a Trojan. Once deleted the problem seems to have been fixed :)

     
    1. admin
       
       
      Post author

      Tom : was it an executable or in settings ?

       
  230. Tom
     

    I deleted Dr. Web but from what I recall it was not an exe file. It was a .dll file in C:\Windows\SysWow64 folder

     
  231. Tom
     

    I found the log file.

    C:\Windows\SysWOW64\msimmsg.dll infected with Trojan.MulDrop3.19698

     
  232. Doug
     

    I tried to delete the extra IPs and files in the hosts file, but when I’m done and go to close the window I’m not able to save it – I’m not actually deleting the multiple lines of IPs permanently. The file is in read only mode. How do you save the new host file once all the junk has been deleted? thanks

     
    1. admin
       
       
      Post author

      Doug: are you on Win 7/Vista? If so, search in menu for notepad, rightclick on it and choose run as administrator.
      If this does not work or you are on XP, run cmd, then run
      attrb -r c:\windows\system32\drivers\etc\hosts

       
  233. Doug
     

    @admin
    I’m on XP. What is cmd & attrb -r? I’m definitely not as technicallogically advanced as you!

     
    1. admin
       
       
      Post author

      Doug -> Start->run , then cmd and enter. A window would appear. Then attrib -R c:\windows\system32\drivers\etc\hosts

       
  234. Sher
     

    Spybot Search & Destroy found Security Defender and says it fixed the problem, but it didn’t. It keeps coming up. Should I have an extra line in hosts – localhost name resolution is handled within DNS itself?

     
    1. admin
       
       
      Post author

      lines referencing localhost is ok, all other lines should be deleted. If malware is comming up, scan with Malwarebytes, Spyware Doctor or Stopzilla.This is not settings problem, this is malware problem in your case. I do not trust Spybots update frequency that much.

       
  235. colin
     

    i hope you guys get paid to run this sight thank you so much all this help was absolutely wonderfull u guys are heroes

     
  236. Will
     

    Thanks. Kaspersky TDSSKiller did the job for me. Btw. there are a couple of other little diagnostics that were useful to me & may be useful to others. Trying to get to http://www.google.com or other search sites with low-level utilities like ping & nslookup also did not work for me, though they had no problems with non-search sites. That told my problem was way down in dns resolution. That and the fact that utilities like malwarebytes & Hitman turned up nothing (or rather turned up a bunch of extraneous false positives), made it likelier that what I was dealing with was rootkit based & very well hidden, as it in fact turned out to be.

     
  237. Steven
     

    TDSSKiller did the trick! Thank you so much for this…you are a life saver!

     
  238. Matt
     

    Problem:
    Was experiencing the redirect problem, so I used lspfix on my Win7 machine. And now I am apparently connected to the iinternet but no web pages load at all. Is there a fix? I’ve used the net command to reset my connection but received errors.

     
    1. admin
       
       
      Post author

      Matt: what error message do you get? Check if there is proxy error (disable proxy server completely).

       
  239. sky
     

    @admin

    i’m using win7 andi only can open with notepad, i cant open as admin. i have right clicked but it doesnt appear run as admin, what should i do to solve the problem? i’m using mcafee and now the antivirus is not functioning well as the firewall keeping turning off even though i have tried many times to turn it on

     
    1. admin
       
       
      Post author

      Sky: Try creating another, admin user account on PC

       
  240. sky
     

    how to create another admin user account?i seem saw like got extra unknown user account but i am unable to delete it.is it possible to delete user account? can you please show me the steps? Thank you so much for your help

     
    1. admin
       
       
      Post author

      Sky: If you are in limited user account, you need help of someone that has access to administrative account. The good thing is that malware is likely to have infected your user account only.

       
  241. graham
     

    First of all, thanks admin, for putting so much work in helping people. Now, for my question: When i open hosts file, it asks me with what i want to open it, there’s a list of programs there including notepad, but i can’t right-click it to open as administrator. When i right-click it pretends nothing happened.
    Please reply.

    ps. I’m not that good with computers so you will have to explain it like i’m a three year old.

     
  242. Mike Lockey
     

    So I’ve done everything on here and the redirect still appears in Google. Incidentally, I don’t have any problems with IE 64 bit. But
    I can’t turn on Security Essentials and my services are altered to disabled.
    Hrrmmph – so what do I do now?

     
  243. Azalea W.
     

    My problem is I don’t even have a host file. I can open the etc folder but the host file isn’t in there at all. Everything is unhidden. Any help?

     
    1. admin
       
       
      Post author

      Azalea W.
      Typically, it should be here, it might be hidden as system file (make sure you see system files too). However, if there is no host file, then there is no problem related to it as well, so check other things too.

       
  244. Robero
     

    i was freaking out for a whole day!!!!!! thank you it fixed the problem i am so greatful, now i can do my research on google again. thanks again.

     
  245. Robero
     

    it worked then went back wont let me save it?

     
  246. Leisa
     

    I am having the same issue and have tried every step (scanned with multiple programs, edited host file, ran gooredfix, tdsskiller, etc) still being redirected, in all browsers, IE9, firefox, chrome. I am running Norton and it found nothing. I have used kapersky and it found nothing. I have cleaned with ccleaner, spybot, etc. Please help!

     
  247. J
     

    I have # ::1 localhost underneath mine – I am the only user on the computer and I can open the file. I delete it and it says I dont have permission to save it…. any ideas? Thanks

     
  248. J
     

    @J
    Sorry – its says access denied – not that I dont have permission

     
    1. admin
       
       
      Post author

      J: your hosts file is fine. This is for IPv6 protocol. Check other things in this guide and scan for malware.

       
  249. MMC
     

    I’m having major issues with my computer – and even though I’ve deleted the extra host files, it hasn’t solved anything. Done all the scans as suggested and yet I still keep getting redirected to the likes of Facebook Apps (Are YOU Interested, Gogobot, CityVille, etc) and my computer is running so slowly. Any suggestions? I’m running Chrome.

     
    1. admin
       
       
      Post author

      MMC: First, check and disable chrome extensions. Next, change DNS servers to google ones (read the guide). Also, scan with Hitman Pro, Spyware Doctor and Spybot S&D. For me, it looks like some sort of Adware, either toolbar or not.

       
  250. Melissa
     

    Thanks for all your detailed information. I have followed your steps up to step 8 (checked the proxy stettings, changed DNS servers to google ones (I think), checked the host file, disabled addons in firefox and ie, downloaded and ran Malwarebytes and Hitman Pro)… so far no luck. I have downloaded TDSSKiller but can’t get it to run. As per your other post, I’ve tried renaming it to xxxx.com also, but it still won’t run. Do you have any suggestions? Thanks for your help!

     
    1. admin
       
       
      Post author

      Melissa
      Weird. I would recommend Scanning with Alternate OS Scanner, like Aviras Boot CD. What error do you get while launching TDSS ?

       
  251. Melissa
     

    Ta. No error message, just the usual Vista permission thing (obviously I press continue) then nothing happens. I also scan with AVG (free version) each day. What is Aviras Boot CD? My computer knowledge is very minimal. Malwarebytes has a Windows popup type message about every 1 minute saying it’s bloked a malicious site, even when I don’t have a browser open (it does mention firefox.exe, which I’ve noticed sometimes runs in the background as a process even when it’s closed – I am always connected to the net though.) Thanks so much for you help – very, very appreciated!

     
    1. admin
       
       
      Post author

      Melissa : Aviras Boot CD is a software that has to be burned on CD. You instert CD in your disk drive and reboot, choose to boot from that CD. It might detect parasites that prevent detection while their run.

       
  252. Karen
     

    My desktop is fine by my laptop has this on it. I went on my desktop to research was this XP Home Security 2012 thing is and found this download but I cannot connect to the internet thru my laptop so how can I go on and download this to run?

     
    1. admin
       
       
      Post author

      Karen : XP Home Security 2012 is not google redirect virus per se. It allows executable downloads, and you should download and run first process explorer, then anti-malware program like spyware doctor to remove it. Or fake register it. Read more here : http://www.2-viruses.com/remove-xp-home-security-2012 and watch this movie : http://www.youtube.com/watch?v=15QrZkhGKB8

       
  253. Emily
     

    Hi,

    Thanks for this information.

    I realised I had this virus this morning and instantly download malwarebytes and ran a full scan. It picked up a huge number of bits and pieces (hadn’t scanned my PC in quite a while) but the problem persisted.

    I then found this thread and did everything you suggested. I had one extra line in my hosts file, the same as another poster that you said was harmless, which I deleted. I ran google again but the problem persists – except this time, with Malwarebytes installed, every time I click the link it returns me back to the search page and notifies me with “Successfully blocked access to a potentially malicious website 206.161.121.5 – Type: outgoing – Port: 52442 – Process: boom.exe (boom.exe is what I’ve had to rename Google Chrome, the browser I’m using, as when it’s called chrome.exe Windows refuses to load it and this was the fix I found on the net!)

    So does any of that mean anything to you?! What should I do next? I’m currently running another scan on malwarebytes but should I download another scanner too?
    I tried downloading and installing AVG but halfway through the install it said something about changes to Microsoft Office Professional needing to be undone before the install could complete. I recently installed a new version of MS Office so assumed I didn’t want changes to be undone so I clicked no and the install for AVG terminated. Help!

    Thanks.

     
    1. admin
       
       
      Post author

      Emily. This looks like malware infection, either plugin in chrome, or proxy, or attached to network connection or even in router.
      Scan first with TDSS killer (it requires no network).
      Then Hitman Pro. If this finds nothing, scan with Spyware Doctor or try Kaspersky trial.

       
  254. Emily
     

    A little extra info, don’t know if it will be helpful: it’s literally only clicking on the search results that is the problem. If I right click on the search results and copy the link and paste into the URL bar the real page loads no problem, with no redirection or notification from Malware Bytes.

     
  255. Emily
     

    Thanks for the mega quick response. Just ran Kapersky’sTDSS killer, found nothing. Will try Hitman – but I need to run into university for a practical now so won’t be able to update with results for a couple of hours! Sorry! Thanks so much though. If it was in router is it likely that my other housemates, using the same router and connection, would be affected too?

     
    1. admin
       
       
      Post author

      If they are not affected, it is not router. Look under plugins/extensions, also, download process explorer from microsoft and see what processes run (kill all except chrome’s from %application data%).

       
  256. Emily
     

    Quick update before uni: Ran HitmanPro. No change, problem persists. Will try the other measures you suggested when I get home. Thanks for your helps so far.

     
  257. Emily
     

    So I came back from uni and ran a couple of scans based on my boyfriend’s advice (computer guru).
    First ran Norton Power Eraser. Found some threats and deleted them for me. Miraculously I realised the redirecting had stopped. I assumed the virus had gone and carried on as usual. However between running NPE and realising the redirection had stopped I ran the Norton Online Scan and I suddenly remembered I hadn’t checked the results. Unfortunately this found 91 infected files. And I was finally informed of the name of the virus: ramnit.B.

    Google searches suggest the prognosis isn’t good! What do I do now?!

     
    1. admin
       
       
      Post author

      Emily: Get some decent antivirus, that detects the files as well. For example, get kaspersky trial (30 days free) and scan. Online scanners do not fix system and files.

       
  258. Lindsey
     

    I have this gnarly redirecting virus. Everytime I type “google.com” in Chrome, it pops up with Oops! Google.com cannot be found. I have tried SuperAntiSpyware, Malwarebytes, Microsoft Security Essentials, PC doctor, McAfee Home Security AND Hitman Pro. I did everything in your manual from checking my host files to checking add-ons and proxy settings.
    I am getting very very very frustrated for I cannot seem to get rid of this thing.
    I have ran everything in Safe Mode and normal mode…
    Any help would be appreciated.

     
    1. admin
       
       
      Post author

      Lindsey : This is not redirect problem, it is related to name resolving. What is your default search provider in browser? If it is something else than google or bing, then it is browser add-on/toolbar problem. Or this might be some sort of DNS problems (change your DNS to 8.8.8.8 and 8.8.4.4 ) /

       
  259. Jaime C
     

    I have used Combofix and it removed some stuff…I cant get on teh internet now.
    I am going to try your suggestions and get back here and post my comments/results.

     
  260. Laura
     

    Thanks – deleting the extra lines in the hosts file cured my problem. Unbelievably simple fix. two lines – one redirecting google, the other redirecting bing

     
  261. Matt L.
     

    Oh, I have problem. I was deleted the extra lines (my host file looks like your example), but the problem isn’t fixed. What can I do more? I use google chrome, and have windows 7 x64

     
    1. admin
       
       
      Post author

      Matt: Ensure that you saved hosts file in the right place, there are no parasites on PC by scanning with several tools (including TDSS killer), Then try to disable add-ons in browsers and proxy server.

       
  262. Matt L.
     

    Host file in right place, TDSS killer and others can’t find anything, but when I disable proxy server it helps. But my question is: disabling proxy server is safe? I’m asking because I don’t know much about computer science ;)

     
    1. admin
       
       
      Post author

      Matt: Disabling malicious proxy server is highly desired. Proxy servers are used for legitimate purposes sometime, but if you get redirected during search, then something was wrong there.

       
  263. Craig
     

    Thanks, sort-of. Host file fix easy but things stayed bad. Step 8 solved my problem with the root virus, guess I had tdss. The Malwarebytes download seemed to help. However I also tried Spyware Doctor (cost me $29.95) and while it started fine and after the initial scan said it had eliminated some additional issues, very soon it slowed my system down horribly. It also said AVG Free was in its way so I eliminated that. I next did the update it suggested, and then things went fast downhill. No matter how I tried its settings it slowed me to zero, caused hard crashes, etc. I finally after a day’s effort managed to remove it from the machine (I use XP) and I’m now fine (but being very careful). Any advice you can offer re why what you recommended locked me up so hard?

     
    1. admin
       
       
      Post author

      Craig: Use one antivirus only. SD works well with some antiviruses, not so good with others.

       
  264. Victor
     

    My daughter’s laptop was having an intermittent problem when searching with Google. She would complain that it would “redirect” to other websites. The thing is, it wouldn’t do it all the time. Again, it was an intermittent problem. Usually, whenever I’ve experienced a virus/malware on any computer, it would always take over completely. Those are easy to identify because it’s obvious to see what the problem is. This intrusion, however, is sneaky and does not show itself as boldly as other viruses or malware do. After finally experiencing the problem firsthand, I searched for “google redirect” and ended up at your site. I want to thank you for your detailed explanation of how to remove this nuisance!!! As per your recommendation, I began my removal process at Step #7, but it was Step #8 that did the trick. My daughter and I are thankful for your efforts! Please keep up the great work!!!

     
  265. gustavo
     

    Please i need help. The virus i have seems to be a little less severe. I can use the internet and everything is fine except when i use google and it sends me to weird websites. I have tried everything in this page. After conducting the kaspersky scan it said it had removed some threats, but the redirect still occurs. I dont know what to do. Also when i tried to find the host file i went to ect and everything, but i had no hosts file. . Pease help

     
  266. Joe C
     

    AWESOME.. TDSS Killer is my hero! so are you, Admin. Redirect Virus cured.

     
  267. leo
     

    mr/mrs admin… YOU ARE DA MAN/WOMAN. Thank you verry much. keep up the awsome work. With people like you we can overcome the stupidity that is/are hackers. Thanks again…

     
  268. Allison
     

    I did the steps, and now my computer connects to the LAN connection, but I no longer have internet access. So, I have no idea if it fixed the Google redirects, but now there’s a whole other problem. Is there any way to fix this.

     
    1. admin
       
       
      Post author

      Allison : make sure you have correct DNS servers and no proxy set up.

       
  269. Rick
     

    Had serious issues with hijacker, which started with the loss of my personalized google home page before expanding to constant hijacking. While researching the problem I found your site. I had already scanned with Webroot and Malwarebytes, and though both found and removed threats, I still had both problems. Since you recently seemed to recommend TDSS Killer most often, I downloaded and used it. TDSS Killer found and removed one threat, which totally fixed my problems. Thanks very much to you and TDSS Killer.

     
  270. Kat
     

    So I was using Google Image search yesterday, and the redirects started after that. It’s only happened twice so far (when I manually type in an address, it sends me to www youcansearch com). I’ve followed all the first five steps above, but everything was already set up as instructed; I had no changes to make (except my hosts file has all those Spybot entries, which I understand is O.K.?). My Malwarebytes scan didn’t turn up anything. I can’t find anything fishy in my registry editor (though I admit I don’t know too much about what I’m looking for).

    I’m afraid if I don’t nip it in the bud now, it’ll eat up my computer later. Is there another step I’m missing?

     
    1. admin
       
       
      Post author

      Kat : run tDSS killer, also check browser addons. Then scan with more anti-malware programs – it might be fresh parasite which is not in Spybot or MBAM db.

       
  271. Joe
     

    I am trying to track down why this one site (i built) does not go to the actual web address URL from any browser when clicking on the google search results. My host file is fine, proxies, etc look good. Any ideas. The site shows up first if you type mcgonigles as the google search term. Thanks.

     
    1. admin
       
       
      Post author

      Joe : your site is infected. It shows infected pages only if you click on search results. This is due malicious plugin in WP or other CMS you use. OR the server itself is infected. If you need help, ask admin. To reduce the risk, your url was removed from post.

       
  272. Joe
     

    Okay, thanks. It is odd though because I have a number of sites on that same server and none of them are behaving this way. Any thoughts?

     
    1. admin
       
       
      Post author

      Joe : which CMS you use for the site?

       
  273. Kat
     

    Thanks for the suggestion, admin! I ran tDSS killer, and everything came out clean. I ran Spybot, and it was clean. All my add-ons have been unchecked for some time except McAfee. The only other scan I have is McAfee, which is the suckiest of all sucky anti-virus. Is there anything else I should be doing?

     
    1. admin
       
       
      Post author

      KAT: Set DNS Servers to google or opendns ones. Scan with other tools than Spybot (for example, SuperAntiSpyware, Stopzilla (quite aggressive this one), Spyware Doctor). If there is an unknown trojan, these should identify its presence.

       
  274. chris
     

    @admin
    No matter if I use IE, Chrome or Firefox anytime I do a goggle search I get a message that says Oops! Google.com cannot be found. I can get to Bing or yahoo

     
    1. admin
       
       
      Post author

      Chris : this is problem in DNS chain. It can be either problem with hosts file, or bad dns servers or router/ISP issues.

       
  275. chris
     

    @admin
    So what do you reccommend I do?

     
  276. j
     

    I’ve right clicked on notepad but nothing happens. Is there another way I can run as administrator

     
  277. Mary
     

    For the past 3 days, I have been unable to access my credit union website. I’m receiving Error 7 (net::ERR_TIMED_OUT): The operation timed out. I can get to other websites without any issue. I’ve tried Firefox and IE as well….times out. I’m not very savvy with removal of anything. I have Norton Antivirus 360 v.06 and I’ve run it and it’s come out clean.

     
    1. admin
       
       
      Post author

      If one website is not working, then it is likely website issue and not a virus or malware. I would check proxy server and DNS Settings.

       
  278. Hugh
     

    Thank you very much for this article.

    My redirect problem was fixed after doing the following:

    - I have Windows XP.
    - Run Malware Bytes (completely free downloaded software) and removed 7 malware virusses on my computer.
    - Run Avast Full System Scan (completely free downloaded software)and removed 5 more virusses in registry files.
    - Right Clicked on the Hosts file and disabed “Read Only”
    - Then Right Click on the Hosts file again and open with Notepad.
    - Deleted any extra lines in the file that are not included in the screenshot above. I had to delete 2 lines containing Google and Bing with ip addresses.
    - Opened the TCP/IP properties and choose “Obtain IP address” and “Obtain DNS settings” automatically.

    Problems are gone and I can now access the internet again without the frustration of being redirected to spam sites.

    My wish is that the hackers / idiots / oxygen wasters who created these viruses are punished properly in some way or another during their lifetime!

     
  279. Mark Kucia
     

    I hav got the redirection rule from unknown source.Please help me to destroy it.

     
  280. schnookum cakes
     

    @Ramesh
    Dude! This root-kit link that you put on the thread saved my computer from all the cancers that were in it. I tried doing every single piece of advice I found. But this cleared the root-kit that had put a choke hold on my anti=virus software, preventing it from detecting the bulk of viruses that were embedded. Hugs*. Kaspersky

     
  281. Daniel
     

    I tried every steps mentioned, including all the virus/malware programs.

    But nothing changed.

    Then I go to the extreme, using ComboFix.exe. It manages to fix it.

    But the malware is coming back after a while.

    Please help.

    What should I do now(I d not want to format and reinstall my Windows)?

     
    1. admin
       
       
      Post author

      Daniel: Scan with anti-malware programs and get one with real time protection

       
  282. Daniel
     

    I’ve done that with various anti-malware programs.

    You just name it and I’ve tried them all.

    Nothing!

    Previously my search results will be redirect.

    But after using the ComboFix.exe, currently the redirect will show when I type wrongly an URL.

    What should I do now?

    I am almost giving up and going for the formatting and reinstalling.

     
    1. admin
       
       
      Post author

      Daniel : This is malicious setup in your browser (to use a bad engine for auto-repair wrongly entered urls)

       
  283. Daniel
     

    So what should I do? What is the solution?

    Please help.

     
    1. admin
       
       
      Post author

      Which browser do you use?

       
  284. Daniel
     

    I’ve 4 browsers,, I tried all of them. They have the same symptom.

    IE, FireFox, Chrome and Safari

     
    1. admin
       
       
      Post author

      If it affects multiple browsers, check your DNS settings too. And hosts file again.
      Then check http://www.technipages.com/firefox-change-address-bar-search-provider.html this guide for firefox.

       
  285. Daniel
     

    Done everything as instructed.

    Still no luck.

    Still getting redirected when typing an invalid url.

     
  286. Eric Schooling
     

    Read most of this site I have windows xp pro sp3. No file named “hosts” in windows\system32\drivers\etc folder. Show hidden files is checked and hide …file and ext is unchecked as well as hide operating systems files is unchecked Can I just create the file or do I realy need it Also there is nothing in Control Panel\Network Connections Norton keep coming up with Trojan..Zeroaccess!kmem\inf

     
    1. admin
       
       
      Post author

      Eric : The file is unnecessary in most of the cases and CAN be deleted. However, typically it exists on the systems (except if it is deleted in the past). Make sure you see system files as well. For double checking, try saving fresh, empty hosts file in the folder. If there are some sort of hosts file hijack, you will be warned that the file exists.

       
  287. Afterwalker
     

    I am not sure how to open the ‘hosts’ file in step 1 of your solution, as it has no file extension. Its icon appears to be a sheet of paper with the upper right corner slightly folded. I am using a Windows 7.

     
  288. Afterwalker
     

    I’ve figured out how to open the ‘hosts’ file in wordpad. (What an idiot I am)
    But I am unable to save my changes, and receive the following message:

    “You don’t have permission to save in this location.
    Contact the administrator to obtain permission.

    Would you like to save in the My Documents folder instead?”

    I am certain that my account is an administrator account; I even went to the control panel and checked.
    I suspect that a virus or some other kind of malicious software is somehow preventing me from making changes to my ‘hosts’ file.
    Any ideas what’s going on, or what I should do?

     
    1. admin
       
       
      Post author

      Afterwalker
      Press start button
      enter Wordpad, but do not press enter. Right click on it and choose open as administrator.
      Then in it open hosts file.

       
  289. Pam
     

    Suddenly google has been taken over! Can you explain the process for getting rid of this virus for Windows 7. It’s so new to me and I can’t even find the folders or the C drive in this unfamiliar control panel and other such stuff. Never realized how user friendly XP was until this came out. it seems my browswer has been highjacked and searches take me to these strange places. Your screen shots were great, but not the same for Windows 7. Any help you can give would be great. I have already run a few scans and it did not fix it. Thanks!

     
  290. Billy
     

    I’ve opened up the hosts file, but it looks nothing like the picture you have. It only has the IP address and “local host” on a single line. I’ve run multiple malware scans and found nothing. Any ideas? Thanks.

     
    1. admin
       
       
      Post author

      Billy: check other things too. redirects might be caused by any of these.

       
  291. Billy
     

    I have gone through pretty much all the steps you have listed and even tried to remove it manually (though I could not find a file that looked suspicious in the bootlog). What would happen if I deleted the “host” file and/or lmhosts SAM file completely? I am at a loss.

     
    1. admin
       
       
      Post author

      Billy: double scan with anti-malware programs. if hosts file is empty, make sure you are not infected. Or describe the symptoms more precisely.

       
  292. Aaron
     

    Thanks. I also did steps 2-5 and all of those settings were normal. I’ll work through the rest of the steps tonight to see if I can figure it out.

    I’ve already run Malwarebytes and SpyBot Search and Destroy with no luck. SpyBot was rather annoying and kept giving me windows saying something about a change to the regisrty key and asking if i should deny or allow the change.

    So far the search results are being redirected to other random crappy search sites.

     
  293. raigo
     

    # Copyright (c) 1993-2009 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a ‘#’ symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Ihave this , its ok ore not , tanx for help

     
  294. BeenThere
     

    Be careful looking at the hosts file. I have seen cases where everything looks normal in notepad, but the redirects are at the end of the file, preceded by a lot of blank lines so you do not see them unless you scroll down,

     
  295. w--smith
     

    This worked for me.
    Used all the various scanners listed in this site.
    Malwarebytes full scan found it as c:/windows/system32/tskillf.dll
    It was being launched by the task scheduler as a rundll32.exe program so hijackthis didn’t see it. The task scheduler is not checked by hijackthis or malwarebytes. it can be found in control panel. I removed the launch in scheduler by hand.
    I also ran cclean to wipe out my browers temp files , cookies , etc.
    It got in through firefox as a quicktime update messed up explorer7 , firefox and opera searches. Seamonkey was OK. I’m running windows xp pro.
    Thanks for pointing me in the right direction.

     
  296. margaretanderson
     

    i cannot get rid of AVG Resident Shield A lert please help me to solve this problem

     
  297. brianna81
     

    HELP!!! Started noticing redirects about 2 weeks ago but it was off and on, FB redirects to price grabber every time now.I have gone through as many steps as I can with my limited knowledge of computers. I do have a linksys router that was set up a long time ago when I used to have roommate. I no longer need this so I want to take it out and go back to using my local area connection. If I uninstall the program and plug the internet directly back into my pc will this take care of the problem?

     
  298. brianna81
     

    OK so I have successfully done all steps except for 7 and 8. I don’t even know what those two are about so I am going to wait for help before I try those ones, thank you in advance for helping me out:)

     
    1. admin
       
       
      Post author

      Brianna81: make sure you disable proxy in FF and disable plugins there as well.

       
  299. brianna81
     

    now I can access Facebook through internet explorer but not mozilla firefox, is that where the problem is? I’m so confused!!!

     
  300. brianna81
     

    chose “no proxys” for FF, but no change. I have disabled all add-ons on FF and internet explorer. Is this from using the Linksys? I can still access on internet explorer so far.

     
  301. brianna81
     

    why does this effect only Facebook?? or is it effecting other things and I just don’t know it? Is this something from a porn site??? if so I’m gonna kill my husband.

     
  302. brianna81
     

    thinking that linksys is the problem I’m trying to uninstall cisco home network/linksys and cannot. I can see cisco in my programs and features but when I select it I’m not given the option to uninstall, what do I do? I know i sound like an idiot, I just need help

     
  303. Eddiejiovanni
     

    @admin

    I now have the google redirect virus. In addition to it redirecting me to various web sites it also has disabled or removed my adobe flash. When I am able to go to website I constantly get an error message saying I need to download adobe flash. I just bought my computer a few months ago and adobe flash was already installed. I went ahead and redownloaded the flash twice and I still get the error message. Is there a way of fixing both problems? I did read what you previously posted above but the options still did not work. I am running windows 7 and it has attached/ attacked my Internet explorer 7. In addition whenever I put http://www.google.com in the address line it’ll will stall for about two minutes then say a page would appear saying I am not connected to the Internet. Even though I am. Pleaseeeeee help me out! I’m not very computer savvy but I will figure it out if you could give me some direction. Thank you very much …

     
    1. admin
       
       
      Post author

      Eddiejiovanni Do a full system scan with couple of anti-malware programs. In your case I would suspect trojan.

       
  304. Eddiejiovanni
     

    I’m sorry I am running Internet Explorer 9.

     
  305. saint_danielz
     

    Admin please help me :(
    I have done step 1. but I can’t find my host and host.bak
    There’s only lmhost.sam , networks, protocol, and services
    I’m a windows 7 user. please help meeee :(

     
    1. admin
       
       
      Post author

      saint_danielz
      Make sure you see hidden and system files. If the file does not exist (it is not there if you enabled seeing hidden and system files), then the problem is elsewhere. System can operate without hosts file, though there is one typically.

       
  306. saint_danielz
     

    I did show my hidden files and folders, but still there’s no host file.
    So where is the problem? what else should i check?
    thanks before

     
    1. admin
       
       
      Post author

      Go with other points too. Dont forget to scan with anti-malware program.

       
  307. Alyssa
     

    For the version I had, that infects Firefox, Malwarebytes found nothing, but Hitman fixed it.

     
    1. admin
       
       
      Post author

      Alyssa: MBAM works poorly with rootkit – based malwares, but works ok against some common trojans that cause similar problems. For some rootkits, we have good results with Spyhunter atm ( http://www.2-viruses.com/reviews/spyhunter )

       
  308. David McC
     

    I have also been hit with a Google Re-direct.

    It is only showing up in a user account and not in the Admin account.

    Host file is clean, the settings are as per the instructions above.

    I have run Kapersky’sTDSS killer and Malwarebytes.

    Suggestions?

     
    1. admin
       
       
      Post author

      David : Browser settings might be stored in user account. Check plugins, proxies, etc.
      Malware infection is still possible. TDSS is very narrow-focused tool and mbam might not be 100%. Superantispyware, Spyhunter, Spybot S&D scan would eliminate possibility of malware.
      Worst case scenario: Go to the users application data, and delete browser data folder.

       
  309. John Tea
     

    First of all, many thanks to those who asked and responded above.
    Had trojan tracur detected and removed a couple of days ago, only symptom leftover was a chrome redirect from google.com results. Tried 3 (malm, superantispyware, and hitmanpro, all trials, in that order :) ) Malwarebytes detected 2 registry entries:

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (……….Malicious url removed …..) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.

    the others subsequently scanned clean, yet the search redirect persisted. proxy, DNS, and other settings normal. Looked into the above comment #462, searched for chrome browser user data, found this:
    http://support.google.com/chrome/bin/answer.py?hl=en&answer=142059
    renamed the default file described and voila, no more redirects in Chrome.
    I am running Norton business suite AV, and given the 3 recent scans (and active mbam) can I be relatively certain no further infections exist?

     
    1. admin
       
       
      Post author
       
  310. lindsey
     

    I have Vista, and have followed steps 1-6 and still have the redirect bug. I did notice, however, that there is a Microsoft Visual C++ prog added on my programs list that I did not approve/add. When viewing it on notepad, it appears to state there is a threat. I try to uninstall, but as it is from an unverified pub, my options are “allow:if you are fam with the prog” or “cancel: if not”. I am afraid to allow thinking it might get worse. What should I do? And is this even related to the redirect virus?

     
    1. Giedrius Majauskas
       
       
      Post author

      Lindsey: It might be some malicious browser add-on. Generally, it should bet detected by one of the anti-malware programs. Viewing it on notepad would show nothing. I recommend first scanning with anti-malware programs, and second, trying to uninstall it with revo uninstaller.

       
  311. JT
     

    My hosts file in 424kb

    I have the default localhost & 127.0.0.1 entry

    And after that I have these comments.

    # Start of entries inserted by Spybot – Search & Destroy
    ……
    ….& thousands of others….
    # End of entries inserted by Spybot – Search & Destroy

    What do I do with the “hosts” file? It will not let me change or delete anything even as ADMIN. I made a notepad copy of the file and can delete all non esential entries and have saved it in this location. Do I just delete the original host file? Also, the hosts.20110509-120215 (backup) is clean but when I tried to open it I had to chose a program to do so, I picked notepad and now it stays as a note pad file, is that OK? Thank you.

     
    1. Giedrius Majauskas
       
       
      Post author

      JT: You need to check if these are really legitimate entries. Generally, Spybot is ok program and its insertions should be harmless. Though its name can be misused by scammers. Check if there is anything google or sites you are seeing redirects related. If not, go to other steps.

       
  312. Liz
     

    If super antispyware stopped during first scan, does that mean it will not work and should not be trusted? I have used all kinds of things, tdss, av programs, nothing is working… Will try these tips after current scan

     
    1. Liz : if SAS got stopped, then it means that it is likely to be a parasite infection which is aware of superantispyware. Try running spyhunter : http://www.2-viruses.com/reviews/spyhunter or stopzilla : http://www.2-viruses.com/reviews/stopzilla . These programs include active process killer against new threats, so have better chances to find parasites.

       
  313. Richard M. Renneboog
     

    Just got verification of my previous post. Certificate info from Google address bar (the red lock icon) said “IopFailZeroAccessCreate”.

     
  314. TMAC
     

    i am having an issue getting to google and all google related sites,if i put ip address of google it goes ran everything combofix malwarebytes… didnt find anything

     
    1. TMAC: The issue is related to DNS servers. Check your DNS server settings and hosts file. This is covered in this guide.

       
  315. JARNKM
     

    Have the problems with S.M.A.R.T. data recovery program and cannot remove.

    I tried downloading the three programs in “safe mode with networking” (the only mode booting, at present), but when it comes to “Installation”, I get the Yellow Exclamation point and it says: “System Administrator has set policies to prevent this installation”. This, I definitely have not done.

    What now! ………………….. THANKS!

     
    1. JARNKM: You should read guide on specific parasite. For example, you could try fake-register the malware. Also, it is possible to fix the registry so that instalations would be allowed again. http://www.2-viruses.com/remove-smart-data-recovery

       
  316. Renuka
     

    I’m getting a pop up window asking for my card details,pin,DOB,etc every time i log in to my netbanking account or even in amazon. I have checked everything i’m aware of but no success yet.
    Yesterday i saw some one else’s email id (something like ‘smartmind@gmail.com’) in the username field of amazon uk site when i was trying to log on, which is quite unexpected as this is my personal laptop and I’m the only user.
    Plz help :(

     
    1. Renuka
      You might have some sort of carding trojan or some weird password manager. It is not redirection problem, and with high certainty it is caused by software on the PC (it could be caused by something filtering network traffic, but it is not likely). My first step would be scanning with couple anti-malware programs, including http://www.2-viruses.com/reviews/spyhunter, http://www.2-viruses.com/reviews/spyware-doctor, SuperAntiSpyware… this is likely to cover majority of parasites. If this won’t help I would look for information about the messages in the popups.

       
  317. RaghuMitra
     

    Excellent… editing the hosts file and removing entry for 127.0.0.1 did the trick. Just got curious, how the host entry for 127.0.0.1 impacted my search results?

     
    1. RaghurMitra: Depends. If the entry for some site is 127.0.0.1 it allows some process at local PC handle that request to specific website.

       
  318. Jay
     

    Thanks guys. I just deleted all entries in the host file and it is working ok. Thanks a lot, this was a pain in my a**. Good job.

     
  319. mehlicious
     

    man… all i ended up having to do was clear my cache to stop my google redirect problem

     
  320. Nicole
     

    Ran the Microsoft Safety Scanner which found a trojan virus and fixed the Google redirect problem and made the browsing speed much faster!

     
  321. ech1zen
     

    TTTHHHAAANNNKKK“`SSS FOR ALL YOUR GUIDES…..
    SUCCESS…..

     
  322. stan
     
     
  323. Mulan
     

    OMG, THANK YOU!!!! I tried everything to get rid of a nasty google redirect virus and nothing worked. Then I found your site, followed your (very clear and simple) instructions, and presto! Now my computer is working again! All I had to do was change the host file by deleting two extra lines with google and bing IP addresses. At first, I had trouble saving the changes even though I had administrator rights, but then I had the bright idea of going to the document’s properties page and un-clicking “Read Only.” Thank you so much!

     
  324. Ryan
     

    I got the Google re-direct virus and none of the steps worked for me. I have Norton Internet Security 2012 and paid them $99 to have a tech fix my computer with remote access. Here is what they found:

    There was a virus associated with some rundll32.exe file. They found it in:

    c:\documents and settings\owner\local settings\application data\apple computer\apple\qisvdmrmz.dll

    They removed it from the registry and now everything seems fine. I would have no clue how to do that. Also, Norton Internet Security did not find/block it because it was in the Apple folder… weird. Maybe this helps someone else.

     
    1. Ryan:
      I think that full system scan with anti-malware program would helped in your case. Might have worked with Norton as well. There are quite many PC parasites that cause these problems, but AV/antimalware programs can handle these usually.

       
  325. Zathu
     

    Okay, I already went through several steps from different websites. Use TDSSKiller, etc I checked my hosts file and there’s nothing wrong. add-ons etcetera, still nothing unusual. And I still got those problems, in my case though there’s more problem, I can’t login on all sites, can’t open google mail. and browser show error when opening https:// I use personal wifi network with my family, but problems only exist in my notebook, then it’s not possible if the router is infected, right? Or is it possible?

     
    1. Zathu: In your case it is likely to be malware. Scan with anti-malware programs (TDSS killer is against a small subset of them). It might be proxy too, though unlikely – https would work in most of such cases.

       
  326. maygen
     

    I am also having the problem of saving changes to the notepad. I have right clicked to change to administrator, nothing happens, I am also on my administrator account. There is one extra line after 127.1 etc local host. But I cannot save changes after deleting it?

     
    1. maygen make sure you open file as administrator.

       
  327. Isaac
     

    I checked the host files and my services file was a 17KB so I wanted to ask if my google redirect virus was in here


    directplaysrvr 47624/tcp #Direct Play Server
    directplaysrvr 47624/udp #Direct Play Server

    Any help you can give me would be great!

     
    1. This is not hosts file. Make sure you are opening right one :)

       
  328. Isaac
     

    Okay so I tried your spyware doctor and it found this

    6/6/2012 8:39:01 AM:445
    IntelliGuard: System Event Blocked
    Threat Name – Trojan.Malscript
    Details – Spyware Doctor has blocked an application attempting to access a file.
    Risk Level – Medium
    Infection – C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\TGGUTABW\CELEBRITYBABYCRAZE_COM[1].HTM

    Could this be the cause of all my missory. If so how do I get rid of it permitly

     
    1. This alone ? probably not, this is how you might get infected. Scan with hitman pro too.

       
  329. Isaac
     

    Okay I will and get back to you.

     
  330. Isaac
     

    Properties
    Name i8042prt.sys
    Location C:\Windows\system32\DRIVERS
    Size 53.5 KB
    Time 357.0 days ago (2011-06-15 07:54:22)
    Entropy 5.8
    Service i8042prt
    SHA-256 30A52512421963F548423A0A2D4FE3FB4431C434E1A7E147BA0C23B7AB68C66C

    Detection Names
    G Data Gen:Variant.Sirefef.22 (Engine A)
    Ikarus Trojan-Dropper.Win32.Sirefef!IK

    Scoring (153.0)
    One or more antivirus vendors have indicated that the file is malicious.
    The file is hidden from Windows API. This is typical to malware.
    The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
    Starts automatically as a service during system bootup.
    Authors name is missing in version info. This is not common to most programs.
    Version control is missing. This file is probably created by an individual. This is not typical to most programs.
    Program starts automatically without user intervention.
    The file is located in a folder that contains core operating system files from Windows. This is not typical to most programs and is only common to system tools, drivers and hacking utilities.
    The file is a device driver. Device drivers run as trusted (highly privileged) code.
    The file is protected by Windows File Protection (WFP). This is typical to critical Windows system files.

    Startup
    HKLM\SYSTEM\CurrentControlSet\Services\i8042prt\

    This is the only major thing it found

     
    1. Isaac : run TDSS Killer or Spyhunter. You got this infection : http://www.2-viruses.com/remove-sirefef

       
  331. Isaac
     

    @Giedrius Majauskas (admin)
    Thank you. I’ve been fighting my redirects and scanning with my anti-virus for a week now.

     
  332. John C
     

    I have approx. 217 host files that are backups going back a few years.
    The latest modified file is from 2/28/11. Is this the one I need to modify (delete all the extra entries)?
    Also, should I delete the other 216 backup files, is this safe?
    I use XP Home edition

     
    1. John C: Typically, if your hosts file is backuped, you have some sort of software that modifies it (I think some game launchers do that, maybe some hijack protection software does that too). Yes, you can delete old ones, that is not the problem. I would check what is in it first, and then I would decide if it needs modification or not.

       
  333. Bryan
     

    I have not tried these solutions but was searching for something on another computer, trying to fix this problem. My Google was not working properly and whenever I searched a term, the first page had weird links. Also, if I typed, “Why are” normally Google shows a list of frequent phrases. It wasn’t doing this and when typing in the same search from 2 separate computers, one was working as it should and what I’m used too, and one was clearly working wrong. Anyways, I found this online and tried it. While I was waiting for the comp to reboot I ran across this site still looking for other solutions in case it didn’t work. Well it worked. So if you’re having this problem, try this out….

    1.) Exit out of all programs
    2.)goto run enter
    C:\WINDOWS\system32
    3.) then scroll to the bottom of the page and find wdmaud.sys just rename it to BAD_wdmaud.sys
    4.) Immediately reboot the system
    5.) Test the results

    it is important that you do not just search for wdmaud.sys because there is a valid file on your computer named that… but any file in the C:\WINDOWS\system32 folder with that name can be deleted/renamed to fix the problem.

     
    1. Bryan: This should be detected by anti-malware or anti-rootkit program scan. There might be couple other fake .sys file names used,always scan with anti-malware programs.

       
  334. Dan
     

    I have a redirect virus which changes sites on every sub search in Firefox. I have ran Malware bytes, Microsoft Scanner, TDDS Rootkit by Kaspersky and Viper with no success. Host file looks normal, and all the setting is in networking. Could use help on this one

     
    1. Dan:
      Do IE redirects too, or is it firefox only? If it is FF, check extensions first.
      Also check Proxy server (always disable) and DNS server (just in case, unlikely).
      Next, if this is a dll injection, scan with more anti-malware : Hitman pro & maybe Spyhunter.

       
  335. Dan
     

    Thanks for the reply, both IE and FF are going to the same bogus sites. Proxy servers are disabled in tools, networking. My DNS is greyed out and maybe that way since I use a static IP.

     
    1. Dan:
      Scan with abovementioned program, as in your case I Suspect plugin or malware. Write down list of plugins in both explorer and firefox.

       
  336. Dan
     

    I changed my network setting to auto IP and DNS and it still redirects.

     
  337. wis
     

    Do this: you may need to login with a different profile
    -scan with Hitman Pro, malwarebytes, TDSS killer by Kaspersky
    -use “Autoruns” and “process explorer” to identify running malwares and delete them manually
    -Reset IE setting
    -clear all termporary files using ccleaner
    -check DNS settings in LAN/Wifi Adapters
    -Important: run “sfc /scannow” and Restart

    good luck

     
  338. Bill Everitt
     
     
  339. Whitney
     

    This has happened to me before but it pisses me off so much. First of all I NEVER go to porn sites and the main sites I go to are facebook, youtube, hotmail, and my work website. When I type in http://www.facebook.com this is what the browser goes to: < malicious url removed >. WTF???? It’s so annoying, I can’t get to facebook via my laptop, any of the other computers in this house, on my ipod touch, or even on my android. My brother fixed it once but I don’t know how. Apparently it’s our whole network or something and I need to know how I can avoid this in the future and how to fix this because I’m really annoyed. >:(

     
    1. Whitney: If all your PC and phones show the same result, your PC is not infected, but your router is or DNS server changed. Ask someone to reset your router to network defaults. This might be some sort of ISP problem too.
      There is no chance that Android would be infected with PC malware.

       
  340. kröper
     

    it is very unfortunate that in this very good description concerning google redirect solutions -it is not mentioned -before making a very long total scan, as suggested with spy hunter- that removal of found problems can not be undertaken without buying the full version of the program!!!!
    I think it would have been only fair to include this in the description especially as by linkbugs redirekt it is indicated that a scan and remove of found problems is possible for free!!

     
    1. kröper: actually, SH offers one of the best malware scans. If there is malware, and you would search for configuration issues, it would take much longer to solve your problem.
      What I like about SH (and doctor ) – these programs display full path to issues thus you can fix them yourself.

       
  341. Jessica
     

    I spent the last 2-3 days working on removing this virus and finally got there. I’m using a laptop running Windows 7 Ultimate and Internet Explorer 9. This virus caused Google, Yahoo and Bing all to re-direct, but ASK and DuckDuckGo and Google’s Advanced Search was not affected. I am more willing than others to go into various questionable sites and try new things, mostly because I back-up weekly and have multiple PC’s. Some without any modem so they’re completely clean from the Internet (aka Big Brother).

    1. scanned with Norton Internet Security – scan came back clean, re-direct still exists same search engines
    2. de-installed NIS and installed Microsoft Security Essentials – scan in Safe Mode came back clean, re-direct still exists
    3. restored defaults on IE9 and defaults for manage network connections, for windows 7, c:\windwos\system32\ncpa.cpl
    3. found out that the hosts file in C:\windows\system32\drivers\etc has been corrupted. Note the file does not have an extension. I created a new Hosts file with the ip address 127.0.0.1 and ::1 properly defined – re-direct still exists
    4. found a site suggesting a registry edit for the TDSS system file on my PC, nothing found was abnormal, also searched for specific registry variables associated with TDSS nothing there either. Also never change the registry unless you’re absolutely confident or you can restore you PC without stress
    5. decided to try TDSSKiller by Kaspersky, again re-direct still exists.
    6. searched on rootkit viruses and read all sorts of pages but nothing new
    7. ran Norton Power Eraser and found a DLL file that it cleaned up. I am resetting some registry variables because NPE will delete specific user variables.

     
    1. Jessica : In your case it was malware (malicious DLL injection) and maybe some other problems. I recommend running scans with Hitman Pro (and spyhunter ) besides antivirus. Hitman checks files/processes against 5 antivirus engines instead of one. Spyhunter has good detection ratio for rootkits and other malware. Only then I would look through DNSes, as these changes are less popular now when DNS Changer malware is no longer distributed.

       
  342. Tony
     

    When I Go to facebook.com I’m redirected to Linkbucks website… http://63ce2138.qqc.co/ I tried to reformat hd and added windows 7 ultimate and Norton 360 and still same Problem. Norton isn’t picking it up! Any tips???

     
    1. Tony: You got hijacking malware. Scan with anti-malware program or read more : http://www.2-viruses.com/remove-linkbucks-redirect

       
  343. Gary
     

    I am so frustrated with this virus, i downloaded prevx and used the scan hoping it would get rid of the background audio ads and google redirect, but it didn’t, so i started here, but ran into a small problem with step 1…. when i go to C:\Windows\System32\Drivers\etc\hosts, my comp does NOT HAVE A HOSTS FILE!!! ADMIN PLESE HELP! Thanks

     
    1. Gary: You can skip any step from the list, though I would recommend scanning with anti-malware programs in any case.
      Make sure hosts file is not hidden / system. In such case you won’t see it in the list.

       
  344. Michael
     

    Hitman Pro from SurfRight will fix – permanently – the Google redirect virus, and may work for other redirect problems as well. There’s a full version 30-day free trial.

     
    1. Michael : Hitman works for some malware versions really well. However, it is not an ultimate fix for all redirect problems, only some of malware related. Though glad it helped in your case.

       
  345. olleymae
     

    Okay my hosts file looked fine, I have run my normal AVG free scan (said threat detected but then when scan finished said no threats found) so then I downloaded Hitman Pro it found a few things and took care of them, but I was still having the redirect issue, so I downloaded Malwarebytes and it found a few more things and cleaned them up but I’m still having this issue. I use Firefox, and I changed my proxy settings to No Proxy. I am completely at a loss here. Any more tips??

     
    1. Olleymae : Check your DNS server, disable all extensions in firefox that you aren’t sure of. Restart firefox. Run Spyhunter scan for more malware.

       
  346. Tony
     

    @Jessica
    A very good account of what you’ve done.. and then spoil it by not giving the name of the DLL that had been affected :(

     
  347. Bob
     

    What the heck…I have tried all the steps mentioned above and no luck. Have ran hitman pro, tdss, looked in the hosts file and nothing there. Something is not right. Is it the so involved that i need to wipe the os clean? what can i do?

     
    1. Bob : run scan with different anti-malware program and check extensions / DNS server. Which browser is redirected? Does the search engine itself is hijacked or results only ?

       
  348. Bob
     

    I have scanned with Hitman Pro, Spyhunter(Have to pay???), Microsoft Security, Avast, TDSSkiller…some have found a trojan and claim to remove it but its still there redirecting pages. It is happening on Google and Yahoo the only browsers I use and its happens on the results. Have been through all the steps and nothing has worked so far. Using verizon wireless to connect to internet and checked the TCP\IP settings. Will it be somewhere on there? Can I change router info for a verizon wireless set-up? Any more help will be greatly apperciated.

     
    1. Bob:
      if there was trojan detected, would be helpful if you provide the name of the trojan. Also, which tools detected it? Do they detect it now?
      If malware exists on your system, then it is likely effect of running malware, not TCP/IP settings. However, you should disable extensions in your browser. You might want to run HijackThis and disable all browser helper objects that you do not need.

       
  349. Bob
     

    I neglected to write down the exact name but the Microsoft Security scan the last one I did last night found two trojans that had Java in both their names and said it wiped them out. All others also acknowledged something was there but not a list of the trojans. After i ran that tool and restarted the computer and tested a few searches the redirect came back and I just gave up last night. Worked all day trying to figure something out. Seems that the programs find something but that the trojan just gets re-born. Know thinking I don’t remember if i ever got the tdsskiller to work properly maybe I can try and download for another computer and use a usb to the infected computer. What extensions are you talikng about? the add-ons?

     
    1. Bob:
      Yeah, browser addons are possible. Though first you have to eliminate possibility of rootkits. For this, use TDSS Killer and Combofix. Spyhunter is likely to detect them as well (it is good all-around tool). Hitman pro might detect or not them depending on their version.
      Speaking about addons, they are usually missed by many anti-malware / anti-virus tools, thus they can not be eliminated.
      Another possibility is some other malware process, which should be detected by at least one of the programs during full scan.

       
  350. Bob
     

    I’m at a total lost now Admin. I have ran through all steps on your site re-ran TDSSkiller and nothing found. I found another blog that details looking at all the system files that run at startup that are located in the driver folder. He is recommending doing a manual removal if you can find the virus source. Here is the ntbtlog file can you spot anything that shouldn’t be there. Any more help will be greatly apperciated
    [content snipped]

     
    1. Bob. Scan with GMER (have you scanned with ComboFix?), SuperAntiSpyware and Spybot S&D. For me, it looks that it is not the drivers. Use FULL scan with SuperAntiSpyware.

       
  351. TJ
     

    I finally found something that removed the redirect virus on my pc. I just got this viruns within the last 30 days. I have a Norton account and went there to see what they had to clean this up. I downloaded their “Power Eraser” software and ran it. It found a file titled dqzev.dll in my c:\users\[user]\appdata\local\ folder. The software removed the file and rebooted my pc. I no longer am redirected when I click on a link in search results.

     
  352. RB
     

    @TJ
    Bingo TJ. Thank you. You saved my sanity.
    I have Norton2012 and several full scans over the past week could not find anything but usual tracking cookies.
    When I saw your post today I downloaded and ran Norton Power Eraser and it found the very same dqzev.dll file and removed it. Problem solved!!!

     
  353. RB
     

    @RB
    Forgot to mention that while I too have a Norton account, Norton Power Eraser is a FREE download, so I did not even have to login to get it.

     
  354. Thom
     

    Got this redirect virus, Was not being detected by my anti virus. Tried Malwarebytes which stopped the redirects but still did not remove it. Kept telling me it was stopping redirects from rundll32. So I went to Start entered msconfig and under the startup tab found ATRBBEV unclicked it, rebooted and redirect virus was stopped. Whatever it is, it is still on the computer, just not running. The source column said rundll32″C as the source. Hope this helps the next victim.

     
  355. mike
     

    All this info is good but what i found to be the best is to edit c:/windows/system32/drivers/ect/host. Delete anything below last line ie 127.0.0.1.
    Also edit c:/windows/system32/drivers/ect/imhosts. Delete anything below last line.

    This will remove any chances of rediredting. If you feel unconfortable with this just save document on desktop.

     
    1. mike : It depends on way redirects are implemented. Any way of the listed above are possible + malware attack. So, Hosts files might be clean for somebody.

       
  356. turbanator21
     

    Hi, I need your help to get rid of linkbucks which always redirects whenever i open facebook address on browser. all other sites are working fine. I did chk host file n only thing suspicious to me was some calendar host file which i m not sure about. I see some process names crss.exe is working in taskbar menu which i cant stop. plz help

     
    1. turbanator21 : run anti-malware scan first (TDSS Killer / Spyhunter / Hitman Pro ). Redirect on facebook.com would point either to hosts file or malicious extension.

       
  357. Bob
     

    Interestingly for me, when I tried to install Spyware Doctor it caused my system to blue screen and each subsequent reboot brought the blue screen. I had to do a system restore back one day to get my system to boot up.

     
    1. Bob : Spyware Doctor works poorly with some antiviruses, thats the main problem I have with it now. But it is way good against trojans. Instead of Spyware Doctor in such cases I recommend Hitman Pro (5 AV engines ) Spyhunter (good malware database) or Malwarebytes.

       
  358. B Vacher
     

    How do you open notepad as the administrator? I cannot delete the files placed in my “hosts” file by the virus unless I open it as an administrator.

     
    1. B Vacher : Start -> Run -> enter notepad till it finds it in program list, right-click on icon and choose run as administrator.

       
  359. Hayden
     

    Please help me! I have located the hosts file, and I opened it with notepad (as administrator), and there are lines of text that need to be deleted, but when I delete them and try to save the file, it says that the file is set to “read only”, and when I try to disable the “read only” option from the file, it says that access is denied. What do I do?

     
  360. Hayden
     

    Also, when I open cmd and type in attrib -r c:\windows\system32\drivers\etc\hosts it says “Not resetting hidden file”.

     
    1. Hayden : you have to reset Hidden attribute first. ( -h)

       
  361. Lance
     

    I was clearing a redirect problem for a Client (I own That Bytes! Computer Repair in Austin TX). McAfee, Avira, TDSSKiller, Spybot nor MBAM corrected the problem. I ran HiJackThis and noted an unusual entry, but it looked pretty legitimate, so I left it and continued the hunt for the problem. After a while, I went back to HJT, removed the registry entry, and Voila! The redirects ceased. In this case, the entry was in User_Bob_AppData_Local_Deployment_Dell_QHIXW.DLL. The files and folders were created just 2 days prior. A direct scan of the file with McAfee and MBAM still didn’t identify it as a problem. I removed the file and folders permanently.

    I hope this helps some of you having problems with redirects.

     
  362. Hayden
     

    I tried that, too, and it said “Not resetting system file”, so I typed in attrib -s -h -r c:\windows\system32\drivers\etc\hosts and it said “access is denied”. Am I screwed?

     
  363. Hayden
     

    I even opened cmd as an administrator.

     
    1. Hayden: Try scanning with MBAM and Spyhunter. There might be a group policy that disables hosts file editing, and it might be picked up by anti-malware programs. If not, there is a registry fix you will have to run.

       
  364. Cement
     

    I know why I got traffic from this search engine, seems it is infected.

     
  365. Ben
     

    Had the redirect virus. It was awful. Followed your recommendations steps 1 through 7, still had issues. Downloaded Hitman Pro from CNET, and redirect is gone. The one step I did differently than above, was start the computer in safe mode with networking, and ran the anti spyware software from there. I used AVG first, nothing detected. Then ran Malwarebytes, which found 1 infection, and 45 traking cookies. After Malwarebytes, used Hitman Pro which found the infection. Thanks for operating this site!! Life saver.

     
  366. nate
     

    Annoying as hell, yes…..infecting my computer,probably……but how exactly is a redirect going to force a person to share bank or CC details lol

     
    1. Nate: One of possibilities : redirect and mask unsafe page as reputable site.

       
  367. Edward
     

    I appreciate this thread (and amazing dedication from Giedrius, thank you). I recently caught the Google redirect virus.

    AVG Free, Malwarebytes Free, TDSSKiller, Kaspersky Free Virus Scan, MS Safety Scanner did not find anything.

    My host file was large and I used the following to reset it http://support.microsoft.com/kb/972034. It reduced the frequency (I think) but still had the redirect.

    I just used Norton’s Power Eraser and it found xckor.dll which it removed. Interestingly, there is not alot of info on xckor.dll when searched with google.

    Too soon to tell if it fixed my problem but wanted to provide another data point to this group.

     
    1. Edward : Most malware uses random DLL and exe names.

       
  368. Edward
     

    @Giedrius Majauskas (admin)
    Its looking good. I’ve not had a redirect incident since running the Power Eraser. Thanks again for all the info in this thread.

     
  369. Samsung PC Technician
     

    The sure way to eliminate bad malware, viruses, adware, spyware, dials, keystroke loggers, backdoor, trojans, worms,etc is to nuke your computer by installing a new windows operating system. Save your data and make sure you have the original user programs of course. Worse comes to worse that is what you do.

    However in the tech field. Which may be something that every day user may want do is to back up their computer. Not just data or system. Everything!!! We in the tech field like using images. Images are basically an exact 1.1 copy of your data files, system files and program files you have in your computer.

    Without going to the hassle of buying/installing a new operating system, loading programs and user data back into your computer that was recovered to factory settings…..That’s were images come in.

    If you make an image of your hard drive at a known good state. And you have all the programs you probably ever going to use. Would be good to back up the whole hard drive with norton ghost and store on an external hard drive. If your computer ever gets messed up beyond repair. Load the image and your computer is back to a known good state with all of your programs and user data at the time of back up. You can back up as often as you like of course. Takes the hasstle of searching the web for quick fixes, which are good to know. Although can’t be sure you got all threats out your system. Images are guaranteed!! (granted you installed windows, programs, and user data independently and remotely from any internet sourse. Updating system utilities and diagnostic programs is ok and safe of course from the internet. Once done, run norton from another computer and create image with hard drive adaptor cables. You’ll need to remove your hard drive from the computer you want backedup). And that’s pretty much it.

    Michael T.
    Samsung PC Tech

     
    1. Michael : There are 3 issues with your approach :
      1. System is already infected, so this is for future reference only.
      2. Redirections might survive backup/restore if the router firmware is infected and not the PC.
      3. The better way is to make System install image (which you call backup) and then document backup separately. Images might be done after installing important software, and backups should be made each week at the rarest.

       
  370. amar
     

    keeps opening up every time i launch google chrome even when i open a new tab it opens up and i have to click back on the toolbar to return to the speed dial page.any suggestions on what to do.

     
    1. amar : You should open chrome settings, go to start up section, there will be a setting that launches couple pages at the same time. Remove undesired sites from list.

       
  371. amar
     

    same problem Giedrius

     
    1. amar : Scan with hitman pro and other anti-malware programs. Check if there are no extensions in chrome.

       
  372. Owen
     

    google is redirecting me to other locations ads mainly. I have reformated my drive and reinstalled windows 7. i am not recieving any issues with any other search engins but with every browser i use chrome mozilla or E9(guarbage) i still get redirected when trying to make a selection of a web page to go to.
    at this time i dont understand why this is still happening.

     
  373. Owen
     

    seems to be fixed. i restarted my router router after doing a OS install and it cleared out the dir in the router no more issues thus far. will repost if issues come back thank you for the page it was helpfull never knew about this virus before first time dealing with it or knowing anyone who has.

     
  374. Owen
     

    never mind sorry issues still continue

     
    1. Owen : if you formated the drive and haven’t installed on top, then there is possibility that you are using proxy or your router provides you with wrong DNS. Make sure your browser uses direct connection. Make sure your DNS servers are 8.8.8.8 and 8.8.4.4. Make sure you have good password on router and router uses either automatic DNS settings or well-known and secure ones (like 8.8.8.8 and 8.8.4.4). Yeah, router infections happen too. Almost everything else (except couple rootkits that should be detected with anti-malware scan ) would not survive format. Reinfection is possible too.
      Also, if you have copied whole user dir (or if you would reinstal on top), there are more settings that could have survived. In such case I would create another user account and check if the problems are with other account as well. If not, then your user account settings are hijacked.

       
  375. owen
     

    problem has been fixed used malware antivirus found only 1 virus a rootkit. i did do a full format i did not copy over when i did the OS install. also another thing i did do was reset my router to factory default.

     
    1. owen : run scan with TDSS Killer and If you have time, boot from norton power eraser CD. Some MBR rootkits can survive format in rare cases.

       
  376. Bob R
     

    Lots of tech talk lots of downloads and scans not to mention time and money but it still redirects my browser-I have a hard time believing that the merchants that these sites recommend are not somehow involved in this-where is the profit to be made by redirecting someone’s browser?

     
    1. Bob R: typically, malware makers earn money different way from redirects. Some site owners pay (though various advertising networks) for a traffic. Sometimes they do not know that they pay for malware-generated and thus useless traffic, sometimes even advertising network does not know.

       
  377. Bob R
     

    Spyware doctor claims to have found it but of course for only $29.95 it will remove it!

     
  378. Bob R
     

    That will be the third anti-virus program used today.

     
  379. Les
     

    I went through the list methodically, and it is fixed. Step 4 seemed to fix it for me. I am little confused, because it seemed to fix it in Chrome and IE also. But I am just grateful it is fixed.

     
  380. Cody
     

    I do not have a host file. Running Windows 7 as administrator and hidden files shown. Is it somewhere else on windows 7?

     
    1. Cody: it should be there. Make sure you see system files too.

       
  381. Markus
     

    Thanks i remove the host site and it got rid of redirect thanks again.

     
  382. Ashok
     

    Hi admin,
    my redirecting problem is solved. But if i open any website witout https:// some advertisement is displaying rather than actual content in place of images or vidoes. Which is happening oly in chrome which is my default browser. this working fine with firefox. any suggestions,

     
    1. Ashok : Check out proxy server, you should disable it in chrome. Also, this might be an extensions.

       
  383. Jet
     

    Giedrius (Admin)…first of all thank you! for the great article and more importantly all of the assistance that you’ve been providing for everyone in this forum. I think it is awesome! So thank you!!!

    It looks like I’ve got some flavor of the IE Google Mail redirection problem. Although I never actually redirected to anther site I can get on to GMail from IE. When I try to get to GMail (e.g., click on Google Mail on Google website or type in mail.google.com) I can see IE tries to get me google mail but then before it can get me there the browser then tries to send me to (https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?tab%3Dwm&scc=1&ltmpl=default&ltmplcache=2) to be specific. The browser never makes it to this URL either.It quickly tried to load mail.google.com again..and this loop continues endlessly until I kill the browser. I seem to get to other Google locations (e.g., maps) from IE but not Gmail. Not sure if this re-direct problem that others are seeing or not.

    If it is I’ve done ALL the steps you described in your article except #4 (FireFox is installed on my system but I don’t use it at all). The only things that remain to be done from your article are:

    Run Nod32 and Spy Doctor.

    However I have run: Hitman, MalwareBytes and SpyHunter (2.5 hrs to complete);
    None of these came up with any problems other that a few tracking cookies. No serious threats.

    I just downloaded Kaspersky Internet Security (Trial) and I’m running a scan with it. It tells me I have 2 hours left to complete the complete scan (argh).

    By the way this problem started Friday at my home. I stayed at friends house on Saturday and Sunday and it’s happening here as well…so I don’t think it’s a problem with the router.

    Where do I go from here? Thoughts?

    Thanks,
    Jet

     
  384. Jet
     

    @Jet
    One quick update I downloaded PC Tools Spyware Doctor (~300MB!!!!) and ran it. It identified a could low risk threats (Tracking Cookies) and two high risk threats (Threat.Info-Stealer.Mem). As it turns out this so called high risk threat was actually a mis-identification of Kapersky’s main AV executable and one of their files. I guess this is a known issue with Spyware Doctor as it’s been reported by other people but Symantec hasn’t done anything to fix the problem!!! Between the size of this stupid application and the false identifications I’d say Spyware Doctor SUCKS!! Maybe they just want to scare you into purchasing their product by falsely identifying something that isn’t a problem at all. What a waste of bandwidth and time!!!

     
    1. Jet: Your problem is not spyware related most likely. Your problem is browser proxy related or cache issues. Clean up browser cache first, and disable all proxy server. Also, which version of IE are you using? Older versios of IE are not supported by Google anymore. You could try using google chrome (which is faster and more secure) or Firefox. It might be toolbar issue, though, but most likely not.

       
  385. Jet
     

    Giedrius, thanks for the reply. In response to your comments:

    1) I cleared the cache CTRL F5 and rechecked the Proxy settings (Step #3) and it looks fine.
    2) I’m using IE9
    3) Yes I could use Chrome or FF but I don’t give up easily and want to fix this issue.

    Other suggestions? (Of your recommendations in your article the only thing I haven’t done is run Nod32….although i must say I’m getting weary of downloading tools and running scans.)

     
    1. Jet : Using chrome would help eliminate some possible causes of the problems. Also, an option would be running Hijackthis and checking if there are unknown DLLs or BHOs. For me, such redirection looks not malware related, but rather something wrong with google cookie management or similar.

       
  386. jade
     

    I’ve been having this problem for awhile now. I’ve tried everything in your tutorial except for last step because I am not very computer savvy and I’m afraid I’ll screw something up. I even tried tdsskiller and the fix for tdsskiller with no luck. What else can I do?

     
    1. Jade : run a system scan. Hitman pro ( http://www.2-viruses.com/reviews/hitman-pro ) and Spyhunter ( http://www.2-viruses.com/reviews/spyhunter ). Also, spybot S&D might catch some weird toolbars others can’t.

       
  387. Jet
     

    Giedrius, thanks for the feedback. I do plan to switch to Chrome but I didn’t want to surrender to some potential Hijacker. Too much fight in me for that. You may be right that this may not be a Hijacker issue. I deleted all the browser history (and I mean all items on the Delete Browser History Option) and it seems to have at least temporarily stopped the problem from occuring. I’m fairly certain I did this before but perhaps I didn’t delete all things in the Browser history. Anyway it is gone for now. If it comes back I may use the HijackThis to scan my system. Do you read HijackThis log files? Or do you suggest going to one of the security forums like BleepingComputer?
    Thanks again for you help…crossing my fingers and hoping the problem won’t reoccur.

     
    1. Jet : what I mean is that if the problem occurs using chrome, then it is system wide problem. If it is IE specific, then you have modified browser settings or there is some sort of weirdo toolbar. If you are not sure yourself, and HijackThis does not show anything weird (like unknown toobars or programs from %TEMP%, %AppData% that would bring us back to malware issues) then I would suggest going to some sort of remote support (eg crossloop.com )
      Also, this problem is covered in http://boardreader.com/thread/I_use_IE9_when_I_open_my_GMail_it_contin_d4v3t__9a5f99f8-9560-4d70-b0cd-df0d2e02500a.html . It looks like it can be caused by software conflict of some sort, as you have cleaned the cache couple times.
      And you should check your PC date settings too. Is the date/time correct? This could cause problems with cookies that would result in redirect loop.

       
  388. Cody Nason
     

    @admin how do I remove the trojan.zeroaccess infections that the spyware doctor found?? I DESPERATELY need your help. please respond with utmost urgency. thank you for your time.

     
    1. Cody Nason : Read here : http://www.2-viruses.com/remove-zeroaccess-rootkit . Manually, it is nearly impossible. I would recommend using TDSS Killer from kaspersky ( http://support.kaspersky.com/viruses/solutions?qid=208280684 )

       
  389. Cody Nason
     

    Giedrius (admin): spyware doctor inormed me that the virus was located in C:\WINDOWS\system32\drivers\redbook.sys is there any way to remove it without having to download any programs? (in case those links don’t work for me) I apologize for any inconveniences.

     
    1. Cody : In worst case: try rebooting into safe mode with command prompt. rename the file detected. Then reinstal your audio driver. I would go with automated removal using TDSS Killer. It is much safer.

       
  390. Cody Nason
     

    Giedrius : You are a genius, good sir. I thank you for your time and effort put in to helping each and every one of us who were having trouble with our searches. thank you very much. it worked swell.

     
  391. jade
     

    Are spyhunter and hitman pro the same as malware bytes? because I already have that program and did a scan with that

     
    1. Jade : each of anti-malware programs have separate databases. Hitman Pro uses 5 antivirus databases, but checks less files and requires network, it has more limited curing capabilities and no protection. Spyhunter is commercial program competing with mbam, it has better anti-rootkit detection/removal (in my opinion) and different databases. As both programs provide free scan (and remove rootkits on install for free), it is a good shot to confirm if you are infected or not.

       
  392. Bill
     

    Malwarebytes fixed the problem on my computer. TDSS Killer did NOT work, and I could not find TDSS in my registry, hard drive, or system devices.

     
  393. Vernon Siler
     
     
  394. Tom Westfall
     

    I have the same problem on a Windows 7 Ultimate 64 Bit, IE 8 system. I’ve run MalWareBytes, Spy Doctor, Norton Power Eraser, Spyware Hunter, and Hitman and while many of them found somehting they didn’t like none of them have solved my problem. I’ve checked DNS, and the hosts file and I can’t seem to fix this. I thought it must be a BHO because it only happens when I use IE, Safari works fine. Anything else I can try?

     
    1. Tom Westfall:
      It depends if any of the programs detected trojan or only harmless cookies. If it was trojan, then update and scan again, maybe with TDSS Killer too. If not, then run Hijackthis and doublecheck all BHOS it detects

       
  395. Tom Westfall
     

    My first scan with MalWareBytes found nothing at all. The others found a few cookies and items I would regard as basically harmless. I did run TDSS Killer as well and it found nothing. I ran the Hijackthis and don’t see anything in there that looks like a problem.

     
    1. Tom: it might be a proxy server or some add-on. Also, some sort of unknown malware.

       
  396. Nameita
     

    Hello,

    My host file contains only one line :/ It’s the last line of yours! Also I use google chrome as a browser any advice here?

     
  397. Nameita
     

    Also every time I perform a scan with Malwarebyte or Kasperspy, my Symantec Antivirus starts automatically and detect a whole bunch of suspicious file! Should I deactivite symantec first and let Kasperspy work? @Nameita

     
    1. I would recommend doing scan with Kaspersky with disabled Symantec. Suspicious files can be detected for 2 reasons: they are opened for reading and thus checked by 2 antiviruses at the same time, or just these 2 antiviruses do not work together.

       
  398. Susan
     

    @Giedrius Majauskas (admin)
    Great Posts! Had the same redirect problem. Looked at several of the suggestions. Cleaned up hosts file and ran tdsskiller (still had redirect issue). Kept reading posts and tried Power Eraser from Norton…. problem fixed! Thanks SO much for posting all this information – super help!

     
  399. Gakuno
     

    I just used Combofix.
    1. Download Combofix (FREE)
    2. Open up a txt file
    3. Copy paste this into it:

    File::
    c:\windows\system32\winupdate.exe
    c:\windows\system32\winhelper.dll
    c:\windows\system32\AVR09.exe
    c:\Program Files\AdvancedVirusRemover\PAVRM.exe

    4. Name it CFScript.txt
    5. Close all apps.
    6. Drag file into Combofix (DRAG THE TEXT FILE INTO THE APP)
    7. Let it do it’s thing.

     
  400. Bill
     

    @Giedrius Majauskas (admin)

    Thank you very much for your quick response, hitman pro took care of it.

     
  401. AmITheOnlyGuyWithAMacAroundHere
     

    I’m on Mac, any tips about the google redirect stuff?

     
    1. AmITheOnlyGuyWithAMacAroundHere: Plugin/Extension / DNS server information, even proxy and hosts file exist on mac as well. The particular actions might differ somewhat. I recommend running Sophos antivirus to scan for malware too.

       
  402. Leah
     

    Thank goodness for geniuses like you to help tech-challenged people like me!

    I think I have the google redirect virus. My problems started when my daughter was attempting to download a free game (Disney’s pirates of the caribbean). Next thing I know, google.com just doesn’t look right. The ads that are normally to the right of the results are absent, and the “results” do not really make sense (wikipedia or product based only), and if I click on a link, it takes me to an obvious ad. So, I immediately closed my browser, ran disk cleanup, deleted temp files, uninstalled everything that had been installed from the last few days, and ran a full scan with Norton 360. I still had a problem, and it got worse…the computer shut down and went to the blue screen of death (crash dump or whatever). It was only able to come up in safe modes. I brought it up with safe mode plus networking, and tried the next recommended step: Norton Power Eraser. Upon reboot, it went back to blue screen and would only come up in safe mode still. I ran Norton’s Reboot/recovery tool, as instructed, and still got the blue screen/safe mode cycle. So I tried going to Control Panel–>Recover–system restore and chose a back up source from over a month ago. Upon reboot, I was able to come back in normal mode, but the redirecting is still happening. I contacted Norton’s Tech support and initiated the remote resource with their tech. I explained everything that has happened, but she kept asking me to repeat parts of my story and her first reaction was that my Norton must be out of date. I assured her that I always kept it up to date, as I have a 3 year subscription with auto detect of updates and scans. She then asked if I contacted Microsoft to address the blue screen issue. I asked why would I, when clearly the problems started because of a virus that I thought Norton was supposed to protect me from. When I suggested that I thought I had a redirect virus (which I deduced based on info from sites like yours), she seemed to have no clue what I was talking about and chukled when I brought up the possibility of it being a rootkit infection. After making me feel like an idiot for a few mintues, the tech finally took over my computer and worked through the night. She is apparently off for the weekend, and sent me a message that she would resume work on my system on Monday. I am beyond frustrated. Any insights or suggestions?

     
    1. Leah: Does url on the search page show that it is google or not? If it is google, then you have parasite (most likely) and you should scan with this : http://www.2-viruses.com/reviews/hitman-pro or spyhunter. If it is not google, then you got some sort of toolbar and you should remove it instead and reset search providers. In most cases going through this list won’t hurt. We can’t do this for you :)

       
  403. Leah
     

    @Giedrius Majauskas (admin)
    Ran through your list (which I really didn’t trust myself to do). And….believe it or not, the virus is gone.I believe the Kaspersky TDSSKiller is what did the trick. I am just flabbergasted that Norton’s tech wasn’t more helpful. It amazes me that I was able to find your site, download a solution, and have it fixed in a matter of minutes! Thanks for the info, it was easier than I would have believed. :)

     
  404. pavan ravi teja
     

    first of all thanks a lot for the people who put up a discussion here which helped me.
    I GOT RID OF GOOGLE REDIRECT VIRUS,JUST FOLLOW THESE SIMPLE STEPS:
    1.install spyware hunter,scan the system completly.
    2.after scanning ,it identifies the location of spyware and other virus
    3.for me it identified spyware virus+ sumthing lyk virus genre dd!
    4.i cud get rid of spyware virus by manually removing the items indicated.but i cud not remove other kind of virus,showed error message wen i tried to do so.
    5.finally restart ur system in safemode as u have removed some of cookies(spyware virus) in windows,dont worry if bluescreen comes up.just open it in a safe mode later on it will be okay,
    6.now,ur browser will be safe.
    hope u too can get rid of this maddening virus!!!

     
  405. jeff
     

    NOTHING is working for me. Everything i’ve tried all the way through to TDSSKiller says that my computer is clean. But, all my google search results redirect to advertisements. I tried Bing, and it affects Bing search results as well. Also affects multiple browsers (tried IE8 and Chrome). I’ve tried all the software recommended on this page and it’s not detecting this. I’m so frustrated.

     
    1. jeff : Software will not detect all configuration changes. Go through the list manually. Though scanning with hitman pro and spyhunter is recommended.

       
  406. Lex
     

    I have run through the steps and none of this is working for me. I don’t know what to do anymore, I thought I had solved the problem but then I went back and googled something and BAM redirected.

     
    1. Lex: scan with Hitman pro: http://www.2-viruses.com/reviews/hitman-pro If the steps does not work, it is malware, probably non-rootkit one.

       
  407. ronnie J
     

    Firefox updated and the dang add on needed to be disabled.Worked.Simple.Very annoying.

     
  408. Michael
     

    Thank you very much. The first step really works wonder. I had like 7KB host file, and after decreasing it to 1 KB the problem has been solved. I’m glad I found this site. ^^

     
  409. Michael
     

    Btw, I’m using windows 7.

     
  410. Murali
     

    Thank you very much for this very very useful info.

    Deleted that 1 extra line exactly after the last line of the given page.

    Started with ::1….

    Once again thanks for the ultimate information.

     
  411. Dave J
     

    Need some input. I am running in circles trying to get rid of this redirect virus. The symtoms are: most of the time my redirect is through [malicious url removed]. My internet explorer is all fouled up as is my task manager. I have had many blue screens.
    My virus scans have been:Norton,Malwarebyte,spybotsdAdware,adwarecleaner,saphros,and hitman. Only hit man said I had something. Two rootkits with a replace option. Have tried TDSSkiller, but refuses to run after the windows run window is checked.
    I am running XP sp2.
    Any suggestion would be helpful and appreciated.

     
    1. Dave J. Malware infection – let Hitman try cleaning it. Another option would be running some alternate OS scanner CD, Kaspersky antivirus. If TDSS Killer cant’t launch, try Webroot anti-rootkit too.

       
  412. Andrew
     

    Hello G.M(Admin), I have one PC (XP), one laptop(XP), one android ph and one android tablet. All has google redirect virus (but only when I click one website, it redirect). Why my android ph and tablet has GRV? Is my Router infected GRV?

     
    1. Andrew : If it is single website, the website itself might be faulty. Yes, there is a possibility of router infection too, or all devices use same proxy server.

       
  413. Daniel T
     

    Possible Solution/fix:
    Google browser hijacked and redirected to 7search, search qandas com, and other advertising sites.
    I fought the Google browser redirect issue for 2 weeks, only Google searches in IE8 were affected, using Bing in IE8 worked OK. I reset to IE8 default settings, tried blocking with IE8 security settings, disabled browser add-ons, and followed many other tech articles/solutions with no luck.

    Listed first below is the SOLUTION I finally found to the Google browser redirect problem:

    HitMan Pro 64 bit found a variant of TDL rootkit/bootkit infecting the Master Boot Record, cleaned and fixed on first scan and reboot. I installed the Free version good for thirty days and will be buying the full license. Marked some Punkbuster files from my games as suspicious but left them alone.

    I installed many antivirus, security, and antimalware programs: both retail versions and freeware.
    Following is a list of programs that missed the TDL Rootkit.

    Norton Internet Security which is my primary and favorite security suite which was installed and up to date but never found the TDL Rootkit.

    Webroot Secure Anywhere Trial was installed but never found the TDL Rootkit. This is my second favorite security suite but tends to interfere more with online games.

    AVG Free 2013 installed but never found the TDL Rootkit.

    SuperAntiSpyware retail version purchased but never found the TDL Rootkit. Seems to be an OK program, but I was disappointed in overall results. Install free version and wait a day or two, and following a scan the program will offer a discounted 1 PC license for 9.95 or 2 PC license for 14.95.

    Spybot Search and Destroy free version installed but missed the TDL Rootkit.

    Malwarebytes free version installed but never found the TDL Rootkit.

    Xoftspy SE trial version installed but missed the TDL Rootkit.

    Windows Malicious Software Removal Tool ran but never found the TDL Rootkit.

    I did not use any McAfee security products because I had a very bad experience with a poor version of McAfee software many years ago and do not use McAfee software.

     
    1. Daniel. For 64bit system I would use Tess killer instead of Hitman if root kit gets detected. But if everything got cleared that’s ok. Hitman is great as second opinion scanner.

       
  414. Naveen Kumar
     

    I was getting google redirects. Eset caught the virus n removed it

    thanks for any information.

     
  415. kingck
     

    so here is what ive done
    1.got spy hunter
    2. ran TDSSkiller with loaded modules
    3.check the drivers in the device manger
    4.checked host file
    5.checked TCP/IP
    6.checked proxy settings
    7.cleared browsing data

    and im still having this damn virus its highly annoying

     
    1. Kingck : run hitman pro ( http://www.2-viruses.com/reviews/hitman-pro ) and check your DNS Servers. Also, check your browser addons, there are plenty of addons that can cause redirection or hijacked search.

       
  416. kingck
     

    i ran it no good there wasnt anything out of the ordinary just some basic tracking cookies in IE and Firefox chrome was clean and my DNS servers are set to automatic
    also i tryed runing firefox in safemode still redirect along with chrome in safemode

     
  417. jon m
     

    Mine was called Snap.do, it was an add on in internet explorer. I used crap cleaner (CC) that I got on download.com to uninstall it.

    Took 5 seconds, and now good as new, hope it helps.
    Sucked for a couple days till I figured it out.

     
  418. Ashley
     

    Please help! This morning I searched a topic on Google (using Internet Explorer, Windows 7), but when I clicked the link it took me to a different site than I thought I was going to. I read a few tutorials about redirect virus removal and have completed the following:

    -Ran McAfee full scan (nothing detected)
    -Confirm HOST file (it was correct)
    -Confirm LAN proxy and DNS settings (they were OK)
    -Deleted internet files, cookies, etc via Internet Options
    -Downloaded and ran Spyware Doctor (nothing detected)
    -Downloaded and ran Hitman Pro (nothing detected)
    -Downloaded and ran TDSS Killer (nothing detected)
    -Downloaded and ran Spyhunter

    Spyhunter originally detected 29 threatening cookies from such sources as 2o7, 7search, Doubleclick, Tribal Fusion, etc. I reopened IE and deleted files again then searched for the “infected files” in the proper directory (reported by Spyhunter) and they were nowhere to be seen. What’s more, when I reperformed the Spyhunter scan, nothing was detected.

    HOWEVER…when I try to click on a Google search result I am STILL being redirected (most often to a site “selling” Norton anti-virus).

    Any suggestions? My next thought was a complete system reload, but I’m not even sure that will get rid of the problem!

     
  419. Ashley
     

    I forgot, I’ve also disabled all of my add-ons.

    SOS!

     
    1. Ashley: 3 possible causes.
      Do you get redirect when clicking on ANY search results and website in url bar (before clicking) is google (.com , .uk , etc is ok?)
      . If yes and yes – malware issues, and you will have to use more anti-malware programs ( superantispyware, malwarebytes ), one should have added the particular virus in databases.
      if Yes and No – it is browser hijack and might be aftereffect of toolbar. You will have to change search provider back to google.com.
      If you get such result only if clicking on single site, then the site is infected and not your PC.
      if it is one of the 2 first things, you could post hijackthis logs either here or any computer support forum.

       
  420. Ashley
     

    Hello again and thanks for your response.

    Update- Last night I downloaded and ran CCleaner…it helped and I wasn’t redirected! BUT, this morning I tried to click on a Google search result and I was redirected. I tried a number of different searches and any link redirects me. Crap.

    When I pull up Google it looks normal (http://www.google.com) and when I search it still looks fairly normal (google.com/string of #s and letters).

    I just downloaded and ran both Malwarebytes and Superantispyware, but nothing was detected. What did you mean by an aftereffect of toolbar? How would I cange the search provider?

    Lastly, what is a hijackthis log?

    Thanks again!

    PS- If I restore or reload my computer, will that get rid of the problem? I’m at my wit’s end!

     
    1. Ashley : http://www.filehippo.com/download_hijackthis/. Download and run. Look for BHO entries, also for startups from %TEMP%, %AppData% and similar folders.

       
  421. Queena
     

    @Mulan
    this worked magnificently to me!! same problem now im virus free

     
  422. Pete
     

    After trying everything I could find on the net to get rid of the Google redirect virus (nothing worked), I discovered that if I turned off Gmail, it went away. Really !!

     
  423. Watson
     

    I have clicked on the three-lined icon several times and have been unable to locate the Options menu. It has simply disappeared. Also, my Chrome browser is now working very slowly, and this morning when I opened it, a dialog box appeared that read “Your profile could not be opened correctly. Some features may be unavailable. Please check that the profile exists and that you have permission to read and write its contents.” What can I do?

     
    1. Watson: if your profile data is unaccessible, then it might be that your crhome instalation is corrupted and you should delete your settings and reinstall chrome. This might be caused by some viruses too, though usually this is due bad settings.

       
  424. Zumbul
     

    By cleaning hosts file my firefox started to work well. However, issues with internet explorer continued.
    I downloaded demo version of HitmanPro 3 from http://www.surfright.nl/en/hitmanpro/
    It was able to locate and delete fontviewt.dll file in C:\Users\%username%\AppData\Roaming folder.
    Afterwards everything worked just fine.

     
  425. Mike
     

    I had the redirect problem only in Google Chrome – Firefox and IE were fine. I tried everything, uninstall and reinstall, msn security essentials, malwarebytes, combofix, etc. Nothing worked until…

    I downloaded Revo Uninstaller (free), performed the most advanced/deepest uninstall, deleted all found files, selected to delete related registry items, basically just did everything Revo asked. Now, after a reinstall of Google Chrome, everything is fine.

     
  426. Danny
     

    Still on XP (I know…) and there is no hosts file in the specified folder. Assistance?

     
    1. Danny : Hosts file should be there, it might be hidden though.

       
  427. Tim
     

    I looked at the host file as suggested and am seeing entries like this
    127.0.0.1 http://www.hgoogle.it
    127.0.0.1 hgoogle.it
    Are these types of entries causing the redirects?

     
    1. Tim: These look like blocking lines to me (blocking hgoogle.it ), though it can be used by malware in some cases. I would look for other types of problem first.

       
  428. Danny
     

    There are definitely no files here that are hidden…

     
  429. Alex
     

    Changed the hosts file. Worked great. Thanks!

     
  430. Rebecca
     

    My “hosts” file can’t be changed without Administrative permission, even though I’ve tried both accounts on this laptop.

    The file looks like this:
    # Copyright (c) 1993-2006 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a ‘#’ symbol.
    #
    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host

    127.0.0.1 localhost
    ::1 localhost
    #74.208.10.249 gs.apple.com

    Is there anything wrong with the last two lines?

     
  431. James
     

    Thank you for the post. It is very informative

     
  432. Paul
     

    I seem to have the redirect problem as well. I have tried many things to no avail I have done virus scans with malwarebytes, avg, avast, hitman pro, spyhunter, spybot and ran TDSSKiller and combo fix (tried what I can in safe mode as well). Checked the host file and the router, but can’t find anything. I ran hijackthis and it looked ok as well. The problem started with firefox, so I deleted that in tried chrome. It doesn’t seem to happen in IE, but my IE seems to be missing pictures (the google logo doesn’t show, various icons and things on assorted pages, etc). I also seem to get “you’re about to leave a secure connection” message an excessive amount of time.

    Any help or suggestions would be greatly appreciated. (I’m pretty technical, so can handle most manual tasks).

    Paul.

     
    1. Paul : Check proxy and disable it in browsers. 2. Check toolbars and security settings. For me, lacking of images in IE would indicated to registry messed up or proxy, so you might wish to clean with registry cleaner as well.
      Another possible issue for redirects are toolbars/BHO’s, which are not picked up by anti-virus programs (often), but would be visible in hijackthis log.
      If the redirects continue, check if they are to the same page (toolbar more likely, or registry messed up) or random pages (unknown trojan or proxy or router attack). In the random page case, I would recommend clean windows install if noone detects the parasite.

       
  433. Peter Rosenberg
     

    Thank you. This worked. http://www.google.com was being redirected to a Microsoft website. Norton Antivirus found nothing. I folowed your steps and in the end it was an IE add-on.

     
  434. Rock ON Society
     

    Download COMBOFIX.EXE its the only way to fix the google redirect virus.

     
    1. Rock ON Society:
      Actually, Combofix does not work against all redirects. At least some covered in guide can not be fixed by automated methods.

       
  435. Heero
     

    Oh wow! You’ve helped so many people, it’s actually kind of mindblowing! The sheer effort into responding to these people’s requests for help in diagnosing the problem. Kudos! Kudos! Kudos!

     
  436. AFITgrad86
     

    This is a FYI. I am having many of the symptoms described by Paul above. After significant trial and error over a 2 day period we (my IT Person and me) determined this behavior was associated with a rootkit virus. The actual detection was very tricky. We finally identified it using a renamed copy TDSSkiller from a USB drive. The problem software was identified as Rootkit.Boot.SST.b – one very bad hombre.

    Unfortunately the clean option did not work. The next step was to create a boot disk with GPARTed on it to locate and delete the infected partition. The jury is still out on this fix as it takes quite a long time to run.

    The fix is discussed here: http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/td-p/588858

    Hope this helps shed some light on Paul’s issue.

     
    1. AFITgrad86 : Some of the symptoms Paul and you have are not directly caused by rootkit, but by the mess-up of registry due to the infection. In very difficult cases, I recommend using Norton Power Eraser or Kaspersky boot CD instead of modifying infected PCs hard disk.

       
  437. tidy car
     

    So i’m having the same issues. Not sure if it was answered already but i have vista and there isn’t a host file only an imhosts.sam. Is it the Same? Do i create a host file? Also i turned on show hidden files just in case and still, there wasn’t a simple host file.
    Thanks in advance

     
    1. Tidy car: In many cases it might have “system” attribute instead of hidden, which would make it invisible even if you see hidden files. Make sure you see system files as well.
      If there is no hosts file, then look for redirection cause elsewhere. Missing hosts file will not cause problems.

       
  438. Tom
     

    Hi, I have the redirect problems. Ran through all the steps, scanned with MS security essentials, TDSS killer, est nod32, hit man pro. Nod 32 detected “operating memory >>rundll32.exe(3508) – probably a variant of win32/ponmocup.AA Trojan – unable to clean” any ideas of next steps?? Many thanks.

     
    1. Tom: re-scan with hitman pro (ESET detected trojan in memory but can’t identify the file it came from). If this fails, you will have to scan from alternate OS scanner like Norton Power eraser or Kaspersky bootable scanner.

       
  439. Shante
     

    I’ve had the redirect issue with google chrome, uninstalled, and tried internet explorer and same issues with google search. My host looks like this…should i delete last line or is it fine? also, when i try to login to gmail, it keeps saying my cookies are disabled, but they are enabled. any relation?

    # localhost name resolution is handle within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

     
    1. shante the hosts file is fine. Check the date settings on your PC. This is likely cause for your problems in gmail.

       
  440. Shante
     

    The date settings are fine. All my websites that require cookies are not working. I cannot log into twitter on my laptop, it says theres a technical issue, I can’t log into gmail, it says the cookies are disabled but in my settings they are enabled. Also, I keep getting redirected to other sites when I google and click the links. Alot of times i will see redirect-ads.com i believe that is the website that pops up before it sents me to another unrelated site. Is there a way to delete this virus? I’ve dont system scans with Malware Bytes Antimalware and deleted the viruses it has found…However the cookies issue still occurs and I still get redirected.

     
    1. Shante: Scan with hitman pro and spyhunter. Looks like a trojan that uses advertising network (ad-feeds )

       
  441. Jeff
     

    I am having redirect issues in both Google and IE0 on Windows 7 64 bit OS. I deleted the #::1 localhost line within the hosts folder (as an administrator in notepad), but it did not make a difference. Should I reinsert it (based on your recent response to Shante)? Also, I found no viruses using my installed McAfee virus scan.

     
    1. Jeff:
      1. These are default values of little effect.
      2. Scan with hitman pro ( http://www.2-viruses.com/reviews/hitman-pro ). If no parasites detected, describe the problem in more detail (clicks on results redirect to other website than intended -> malware / bad prox ; different search engine -> toolbar /malware issue, etc)

       
  442. Jeff
     

    Can I use the trial version or do I need to purchase the full version?

     
    1. Jeff: Hitman has 30-day fully functional trial.

       
  443. Patricia Prewett
     

    PLEASE REMOVE BLEKKO, IT BLOCKS MY GOOGLE. I NEVER WANT IT ON MY COMPUTER AGAIN!!!!!!!

     
  444. Darius
     

    Everytime I go to google to search for something, it always redirects me to Bing and I can’t search for anything from that point on. I use Prevx for my anti-virus, and it’s always popping up showing that I have some type of malware to remove…….Can you help me to solve this problem?

     
    1. Darius: scan with hitman pro. Check your browser extensions. Which browser do you use?

       
  445. Darius
     

    Where do I go to check browser extensions. Also, I use IE for my browser.

     
    1. Go to tools ->manage addons. Also, Hijackthis log might provide some insights about ones hidding from you (look for BHO entries)

       
  446. Jeff
     

    Giedrius

    I ran hitman pro and it quaranteed a couple files and that fixed my problems. Neither Google nor IE9 are being subjected to hijacking now. Thanks very much!

    Jeff

     
  447. ally
     

    @admin
    im having trouble opening lspfix it says im missing a file but i manually went to the file and its there is there something i can do myself or can i fix the lspfix i dont know how to run under admin win7 im not sure what the lspfix is suppose to do

     
  448. Sherri D
     

    Combo fix worked while all the other solution options didn’t. It took about a half hour from start to finish and well worth every minute!

     
    1. Sherri – it was malware issue in your case, not just the after-effects

       
  449. Amy
     

    THANK YOU THANK YOU THANK YOU!! I opened the fedex virus this week and malwarebytes and ccleaner did not do the trick. It was not popping up windows in ff but my browser was VERY sluggish so I opened task manager and saw it was popping up various random application websites one after the other contained there. Killing processes did not work. What finally did was going through your steps and when I got to the add-ons in ie and disabled those disguised as microsoft, it finally stopped. I will FOREVER love you. I just started school and also work two jobs and the computer was my livelihood. You have saved my life.

     
  450. Kalpana
     

    Thanks a lot this helped me to solve my problem

     
  451. Brian
     

    I have the redirect virus where the web server, be it chrome, explorer, or whatever that is the default continues to open unprompted going to google. Obviously google does not work and just refreshes when you try to type anything. I just ran hitman pro 64 bit and it found one threat but it did not fix the problem. I have tried spy hunter, malware, tdskiller and a few others but they do not detect anything. Even when I open in safe mode the web browser continues to open to google unprompted. Any help would be appreciated

     
    1. Brian: What Hitman pro removed? If it was trojan, then it might be that there is another one still lurked or hidden in the system. Double check your settings as well. You might want to try running adwcleaner as well.

       
  452. Brian
     

    I ran adwcleaner and it seemed to work for a little while but now it is back to constantly opening browsers again. Any other suggestions?

     
    1. Brian : Either you
      1. Reinstalled it again by mistake
      2. Got trojan, that reinstalls it.
      3. Got program, that reverts settings back.
      Scan with anti-malware program like spyhunter http://www.2-viruses.com/reviews/spyhunter or Hitman pro to confirm trojan version. if not, remove last installed programs from control panel (that you do not know) and try cleaning again. Use program with real time protection (AV, Spyhunter, full version of Malwarebytes, etc) to protect you from such infections.

       
  453. Rog
     

    @Giedrius Majauskas (admin)
    Don’t know whether this will help others or not. As admin suggested I checked host file and it looked ok. Then noticed in the etc folder a file called lmhost which looked similar in wordpad but with alot of other stuff in it. I moved it to wastebin and have not experienced any redirecting in Chrome since. Been ok for 2 hours now Fingers crossed.

     
  454. James Krstich
     

    You would think Google would go out of there way to protect the way they make money. Or those that pay google, would get really out of sorts when there page is never brought up. Why pay some one when they don’t provide the service.
    unless, it’s part of the marketing. lead them to pages,us,that are not there search, lets say ten times, the just might hit on something. Time number eleven, Oh my the page you have been clicking on.

     
  455. David
     

    Alright, I’ve been fighting this thing for an hour and don’t know what else to do. I went through the steps, but it still redirects me from google to a page that says “It works! =) ” at IP: http://91.219.237.56/
    I’ve tried everything and am in the process of doing a full computer sweep with avast! any advice?

     
    1. Doublecheck your dns settings and scan with hitman pro too

       
  456. Jim Stafford
     

    Thank you! I tried these suggestions and it worked. Before, the search engine Icon looked like a Levis Jeans logo with a red rectangle to its left. Thanks again. Jim in Nashville

     
  457. Rick
     

    Thank you I was getting the redirection of Google. Both Spyhunter and MalareByte did find the problem. Hitman Pro 3 fixed my issue

     
  458. Maria
     

    Ok so I have a trial of Norton, Malwarebyte, and SUPERantispyware Free edition and I have scanned with it all and it said my laptop is secure.
    However my Windows Security Center keeps turning off whenever I turn it on and Google always redirects me to anti-virus websites
    How do I stop it and keep my Security Center on?

     
    1. Maria : Scan with Hitman pro and TDSS Killer first, This might be trojan related. If security center is turned off, then Norton does not help, And other programs (free versions) are not real time protectors.

       
  459. Maria
     

    @Giedrius Majauskas (admin)
    Ahh it works now, thank you so so much :)

     
  460. Meg Gabrielle
     

    @HiI had to drag the hosts file to the fesktop. Right click, run as administrator, then save, then drag back to the file location. It works. I also have Spybot, and those are the ONLY entries except the ones I add myself. My headache is a file called HARDDISKVOLUME3, and it is in the devices file. I cannot delete it. I placed it on my desktop and completely renamed the files. I still cannot delete any of it. I have a IP for it [ip removed], and from [link removed] I got it in YouTube while watching a animation tutorial for a class I am taking. This is pretty deep into my computer, the first real challenge I have ever had. I just bought this computer and had not gotten a chance to bog it down with protection yet. I fear it is a lost cause and not worth the issues. Might just reset it and be done with all of it. I have all the programs I need. Will a system reset fix it?

     
    1. Meg: Run TDSS killer and anti-malware programs.

       
  461. rose
     

    hi i was doing good untill i got to local area connecton properties i have two internet protocol version 6 TCP/lPv6 one say internet protocol version 4 TCP/lPv4 what do i do with them please help me

     
    1. Leave them as they are.

       
  462. Abhijeet Ashok Muneshwar
     

    Hi All,

    I want to get the setup or files of “Google Redirect Virus”. I have to perform experiments on redirect virus. I tried searching on Google. But I didn’t get meaningful results. Can you please help.

    Thank you in advance.

     
    1. Google redirect virus stands for group of parasites, so you won’t find any “setup files”. Depends on the type you want.

       
  463. David
     

    Been trying to get rid of this for months and Hitman Pro 3 finally done it!! Thanks for this post.

     
  464. Abhijeet Ashok Muneshwar
     

    @Giedrius Majauskas (admin)

    Thank you for your reply.
    As you said, Google redirect virus stands for group of parasites, can you please send me those parasites, if possible?

     
    1. Abhijeet: We do not distribute samples. You should look for browser hijacker samples (easy downloadable from e.g. Conduit website who makes some of them), versions of TDSS rootkit (their servers might be inactive so they might not work ), DNS changer malware ,etc.

       
  465. sara
     

    I have done all of the above to try to recover the use of my search engine and it is no longer redirecting me to an ad site but it doesn’t take me to the site I am looking for just goes back to the google home page any other suggestions

     
    1. Sara: If it goes back to search results, double-scan with anti-malware programs. There might be an issue with trojans.

       
  466. SHEVAK
     

    My Google searches very slowly. Script appears at top of search screen once Google page opens. Bing won’t search either. But Ask.com is very fast. What’s up???

     
    1. SHEVAK : Check your hosts file, proxy settings and plugins. Any of these might cause such symptoms, also, scan with hitman pro and adwcleaner

       
  467. rachel
     

    Had a google redirect virus last December and malwarebytes got rid of it. Didn’t work this time. I’m running Vista and IE Explorer.
    I’ve completed steps 1-3 in your list and everything is ok. Don’t have firefox so skipped step 4. Step 5 showed me only one suspicious looking add-on: google gears helper. Publisher is listed as google(unverified). Am afraid to remove w/o checking.
    Could this be the problem? Or do I need to move on to a stronger malware detection progam?

    Thnks.

     
  468. rachel
     

    I should probably add that my redirect problem is intermitent. Google brings up a list of sites properly, but I’m (sometimes – usually but not always) redirected when I click on one of them. And I’ve cleared the cache repeatedly also.

     
    1. Rachel : Your problem is likely malware based. Google Gears plugin sounds old and obsolete, in most cases it can be disabled (Gears is discontinued). Scan with http://www.2-viruses.com/reviews/hitman-pro and