How to fix Google Redirect Virus (browser hijacker) problem


The Google redirect virus is a browser hijacker that targets the search results of Google and other search engines and redirects the user to infected pages. These pages can be porn-related or full of advertising banners that make money for the creators of this parasite. They might also push you to pay for something or give away your bank account details. Thus the Google redirect virus is quite dangerous.

There are a couple of different strains of Google Redirect viruses, and some of them might need heavy scanning with a reputable anti-malware solution like NOD32 Antivirus, Kaspersky or Malwarebytes. Sometimes the Google results Redirect virus even blocks reputable sites, which makes it tough to download automatic removal software. However, there are a couple of easy steps that solve the less complex problems.


Note that before trying to fix other things, you should scan and check whether anti-malware programs can identify a more precise cause of the Google redirect hijacker. We recommend Spyhunter or Hitman Pro for this task. You should always scan after performing all these steps as well, as an anti-rootkit scan might reveal trojans that were hidden by other infections. In some cases, rootkits will be detected and removed by anti-malware programs.

Basically, there are two types of Google redirect viruses:

a) Hijacking of search engine settings, i.e. of the choice of which search engine to use. Your default search engine is no longer Google, Yahoo or Bing, but something else. The first suspect is a plugin-based hijacker, though other causes are possible.

b) Hijacking of search engine results when you click on them. Your default search engine is the same, but you get different pages when clicking on the results. The main suspect is a malware infection, but a malicious proxy, DNS settings, an infected router and even the hosts file are possible.

Some of the most common infections are:

Mybestvideosearch.com virus, Guard-search.com virus, Search.yourpackagetrackernow.com virus, Searchonlineusa.com virus, Incosic.com virus, Search.mediatab.tv virus, SearchPrivacy.co virus, Search.supermediatabsearch.com virus, Funcionapage.com virus, Search.internetspeedpilot.com virus, Search.greatsocialtab.com virus, Search.funsocialtabsearch.com virus, Search.searcheeh.com virus, Search.yourtelevisioncenter.com virus, Search.searchgmf.com virus, Search.yourspeedtestcenter.com virus, Search.searchpat.com virus, Search.searchtnl.com virus, SportsScore virus, Tw105.com virus, Search.searcheasyw.com virus, Search.searchhdrp.com virus

Steps 1-5 deal with regular hijacking of search results caused by malicious settings or plugins. Steps 6 and above deal with malware infections that produce Google redirect virus symptoms and are more difficult to detect and fix. However, if any antivirus program is stopped from executing, this means a malware infection, and you will have to scan your PC with anti-virus and anti-malware programs.


Step 1. Check your hosts file for Google redirect virus malicious entries


The hosts file resides at C:\Windows\System32\Drivers\etc\hosts on Windows systems and at /etc/hosts on OS X and Linux-based systems, where C:\Windows is your Windows installation directory. Open the file with Notepad.

Note: On Windows 7/Vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so on Win 7/Vista, do the following:

  1. Press Start (or the round button, usually in the bottom left corner) and enter notepad. Do not press Enter.
  2. Right-click on the item in the list above.
  3. Choose Run as administrator.
  4. File->Open and browse to the hosts file.

On Windows 8, enter notepad in the search box or type it right in the Metro interface. Perform steps 2-4 as on Win 7.

Google Redirect virus symptoms might be the result of malware adding malicious entries to this file; such entries are easily removed as well.

The hosts file should look like this:
[Screenshot: Hosts file]

There might be a line referencing ::1 as well. This is the IPv6 local address and is perfectly normal. If you see more lines with IP addresses, you should delete them, especially if they rewrite Google or Microsoft subdomains. Such lines are a sign that you either had or have an infection on your PC, as this file usually cannot be accessed remotely.

My hosts file is very long, should I be concerned?

You should check the sections commented with #. If the entries were written by Spybot S&D or Hosts-file (HP-Host) and there are thousands of them, they are legitimate and prevent your PC from opening suspected websites. Personally, I do not use them.

Note that for a Google redirect to be caused by the hosts file, the file has to contain a line mentioning Google. A typical malicious hosts file is of short or medium length (up to several hundred lines), not longer.
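The manual review described above can be scripted. The following is an added example, not part of the original guide: it sorts every hosts entry into the stock localhost lines, blocklist-style entries (loopback or 0.0.0.0, as written by tools like Spybot S&D), watched names pointed at a foreign address, and everything else. The watched names, the verdict labels and the sample file are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter

# Assumption: the names this guide worries about (search engines and Microsoft).
WATCHED_LABELS = {"google", "bing", "yahoo", "microsoft"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample; 203.0.113.10 is a documentation address, not a real indicator.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
# blocklist-style entries of the kind Spybot S&D writes
127.0.0.1       ads.tracker.example
0.0.0.0         banner.tracker.example   # trailing comment
203.0.113.10    www.google.com google.co.uk
203.0.113.10    www.bing.com
127.0.0.1       update.microsoft.com
10.254.254.253  AFS
not-an-ip       www.yahoo.com
"""


def classify(addr, name):
    """Return a verdict for one address/hostname pair."""
    sinkhole = addr.is_loopback or addr.is_unspecified  # 127.x, ::1, 0.0.0.0, ::
    watched = bool(WATCHED_LABELS & set(name.split(".")))
    if sinkhole and name in LOCAL_NAMES:
        return "default"      # the stock localhost lines
    if watched and not sinkhole:
        return "redirect"     # watched name sent to a foreign server
    if watched:
        return "blocked"      # watched name made unreachable
    if sinkhole:
        return "blocklist"    # blocking entry that points nowhere
    return "review"           # anything else: confirm you added it yourself


def audit_hosts(text):
    """Return (line_no, verdict, address, hostname) for every mapping."""
    findings = []
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on blanks
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((line_no, "malformed", entry[0], " ".join(entry[1:])))
            continue
        if len(entry) == 1:                    # address without any hostname
            findings.append((line_no, "malformed", entry[0], ""))
            continue
        for host in entry[1:]:                 # one line may map several names
            name = host.lower().rstrip(".")
            findings.append((line_no, classify(addr, name), entry[0], name))
    return findings


def summarize(findings):
    """Count findings per verdict."""
    return Counter(verdict for _, verdict, _, _ in findings)


if __name__ == "__main__":
    for line_no, verdict, address, name in audit_hosts(SAMPLE_HOSTS):
        if verdict not in ("default", "blocklist"):
            print(f"line {line_no}: {verdict:9} {address} -> {name}")
```

To check a real machine, pass the contents of the hosts file at the location given in Step 1 to `audit_hosts` instead of the sample.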

I am in the correct folder, but can’t see the hosts file. Am I infected?

The hosts file might be hidden by either the hidden or the system attribute. Make sure you can see such files. It is also possible to create a regular, empty file named hosts on the desktop and move it to the correct location. If the system asks to overwrite, then the file is hidden. If not, there was no hosts file.

Note that in most cases the system (a Windows one) will work without any problems with no hosts file.

I can’t edit hosts file even as Administrator

The hosts file can sometimes be protected by the system and read-only attributes. To reset these, follow these steps:

  1. Press Start (or the circular icon in the bottom left).
  2. Enter CMD in the field. DON’T press Enter.
  3. Right-click on it and select Run as administrator. Accept the prompt to elevate its permissions.
  4. In the black window, enter the following command: attrib -H -R -S C:\Windows\System32\Drivers\etc\hosts  where C:\Windows is your Windows install folder.
  5. If it fails, try using file unlockers.

Step 2. Check DNS (Domain Name Server) settings

Domain name servers are used to determine what server to access when opening website addresses. Hijacking these settings would allow hijacking various websites including search ones.

1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
[Screenshot: Network properties]
3. A window will open. Select Internet Protocol (TCP/IP) and click Properties.
[Screenshot: Network settings]
4. You will see a window like the one below – this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically” OR enter known good DNS servers (8.8.8.8 and 8.8.4.4 are a good choice – public DNS servers offered by Google). Both options have their own pros and cons: using static DNS IPs might be a bit slower on some networks, but it prevents some ISP- and router-caused hijacks.
[Screenshot: IPv4 settings]
5. Click OK to save changes.

Step 3. Checking your proxy settings for Google redirect virus


Proxy server settings can be used to implement Google search result hijacking as well. Most internet programs use the system proxy settings, which are accessed from the Internet Explorer and Edge browsers or from Control Panel. This is simple to fix too:

1. Launch Internet Explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings.
3. Unselect everything or enter the parameters that were given by your system administrator.
4. Press OK.

Step 4. (Optional) Check your proxy settings on Mozilla Firefox


1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open the Network tab. Then press the Settings button.
3. Select “No proxy” or enter the parameters that were given by your system administrator.
4. Press OK.

Step 5. Check your browser addons and reset your search settings in browsers

If your search engine has changed to an unknown one, you might have a plugin or program that changes browser settings. Typically, these programs will be detected in Step 6, but you will have to fix the settings manually.

5.a. Check your IE add-ons and reset search settings


If your browser is hijacked in IE only, check the IE browser add-ons. Note: there are malicious plugins that affect both IE and Firefox and result in Google redirects in both browsers. Before this step, make sure you remove unknown, spammy-looking programs through Control Panel.

  1. Launch Internet Explorer.
  2. Tools->Manage Addons.
  3. Disable all unverified addons (there might be some useful ones, but it is better to re-install them later).
  4. Delete all add-ons that look spammy/unknown.
  5. Click the arrow on the right of the search box.
  6. Do the following: on IE8-9 choose Manage Search providers; on IE7 click Change search defaults.
  7. Remove the unnecessary search engines from the list.
  8. If the settings revert after a restart, you will have to do Step 6 and repeat Step 5 again.

5.b. Check your Firefox extensions and reset search settings

  1. Press Firefox->Addons.
  2. Go through the list and disable all unknown or spammy addons.
  3. Repeat the same for the Plugin list.
  4. Enter “about:config” in the URL bar. This will open the settings page.
  5. Type “Keyword.url” in the search box. Right-click it and reset it.
  6. Type “browser.search.defaultengine” in the search box. Right-click it and reset it.
  7. Type “browser.search.selectedengine” in the search box. Right-click it and reset it.
  8. Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
  9. If the settings revert after a browser restart, you will need to delete user.js from the Firefox profile and/or perform Step 6 and repeat Step 5.
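Item 9 above has a simple cause: Firefox re-applies every `user_pref` line in the profile's user.js at each start, so a hijacked value placed there overrides whatever was reset in about:config. The following added example (not part of the original guide) reads the text of prefs.js and user.js, finds the preferences named in items 5-8, and reports which need a plain reset and which will come back until user.js is cleaned. The expected search hosts and engine names, the action labels and the sample profile contents are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Preference names as written in the steps above, matched case-insensitively as prefixes.
WATCHED_PREFS = ("keyword.url", "browser.search.defaultengine",
                 "browser.search.selectedengine", "browser.newtab.url")
# Assumption: the search providers this user actually expects to see.
EXPECTED_HOSTS = ("google.com", "bing.com", "yahoo.com")
EXPECTED_ENGINES = ("google", "bing", "yahoo")

PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*)\)\s*;\s*$', re.M)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

# Constructed profile contents; hijack.example is a placeholder domain.
SAMPLE_PREFS_JS = '''\
// constructed prefs.js excerpt
user_pref("browser.newtab.url", "http://search.hijack.example/newtab");
user_pref("browser.search.defaultenginename", "Hijack Search");
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.startup.page", 3);
user_pref("keyword.URL", "http://search.hijack.example/?q=");
'''
SAMPLE_USER_JS = '''\
user_pref("keyword.URL", "http://search.hijack.example/?q=");
user_pref("browser.search.defaultenginename", "Hijack Search");
'''


def read_prefs(text):
    """Parse user_pref("name", value); lines into a dict."""
    prefs = {}
    for name, token in PREF_RE.findall(BLOCK_COMMENT_RE.sub("", text)):
        token = token.strip()
        if len(token) >= 2 and token[0] == token[-1] == '"':
            value = token[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif token in ("true", "false"):
            value = token == "true"
        else:
            try:
                value = int(token)
            except ValueError:
                value = token
        prefs[name] = value
    return prefs


def is_expected(value):
    """True for browser defaults and for the providers listed as expected."""
    if not isinstance(value, str):
        return False
    if value == "" or value.startswith("about:"):
        return True                            # empty or browser-internal page
    host = urlsplit(value).hostname
    if host is None:                           # an engine name, not a URL
        return value.strip().lower() in EXPECTED_ENGINES
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)


def audit_profile(prefs_js, user_js=""):
    """Return (pref, value, source file, action) for every watched preference."""
    stored, forced = read_prefs(prefs_js), read_prefs(user_js)
    report = []
    for name in sorted(set(stored) | set(forced)):
        if not name.lower().startswith(WATCHED_PREFS):
            continue
        in_user_js = name in forced            # user.js wins at every start
        value = forced[name] if in_user_js else stored[name]
        if is_expected(value):
            action = "ok"
        elif in_user_js:
            action = "remove from user.js, then reset"
        else:
            action = "reset in about:config"
        report.append((name, value, "user.js" if in_user_js else "prefs.js", action))
    return report


if __name__ == "__main__":
    for row in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(row)
```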

5.c. Check your Chrome extensions and reset search settings

  1. Click the icon with 3 horizontal lines on the browser toolbar.
  2. Click on Extensions. Review the extensions there and disable the ones you do not need.
  3. Select Settings.
  4. Select Basics ->Manage Search engines.
  5. Remove unnecessary search engines from the list.
  6. Go back to Settings. Under On Startup, choose to open a blank page (you can remove undesired pages via the set pages link too).

Step 6. Scan for malicious parasites with spyware/antivirus removers:

Symptoms: No setting changes are found and all other options are exhausted. Other devices behave normally. OR clicks on search results open completely different pages than expected.

  1. Reimage. It is one of very few tools that both detect malware and can restore completely corrupted files from cloud backups. This helps in cases when a Trojan replaces a system file completely, which happens with the Google Redirect virus.
  2. Spyhunter has a very good anti-malware database and quite a strong focus on both browser hijackers and Trojans. Review for Spyhunter can be found here.
  3. Hitman. It's a second-opinion scanner that uses multiple antivirus databases in the cloud.

These removers should detect the majority of Google redirects of that kind, though sometimes it is useful to use a more niche tool.

Symptoms: The anti-malware tools detected some parasites as trojans/adware but failed to fix them and symptoms persist. OR you can’t launch anti-malware programs.

TDSS and Zero Access rootkits both cause Google redirection symptoms in some cases. Both of these rootkits require dedicated programs for removal, and might require alternate OS scanners in the worst case. For the TDSS rootkit, a remover can be downloaded from here: support.kaspersky.com/downloads/utils/tdsskiller.exe. Another option is to scan your PC from safe mode or with alternate OS scanners.

Symptoms: The internet is not working after the malware was removed, or Google redirects/clickjacking are still present.

Sometimes the internet connection chain gets corrupted and requires a specific fix. These cases are extremely rare today. You might have to fix your Winsock 2 settings with the LSPFix utility.
Download LSPFix. This is a dangerous program, as you have to investigate each item it lists. Some are allowed and legitimate, others are not.

Malware – based Google redirect virus FAQ

Why don’t you recommend “insert name” tool?

These anti-malware programs are not random picks, but cover a wide range of possible causes of redirection. While other specific tools might be needed or useful, these tools have the best chance of identifying the cause. Some of the other applications (namely LSPFix, Combofix, etc.) might be somewhat dangerous, as they are professional repair tools more than malware removal ones. E.g., I would recommend starting with TDSS Killer when rootkit infections are more likely, while for Google redirects caused by browser plugins Spyhunter or Adwcleaner might be the best option.

I also cannot recommend tools that don’t work well with the ones I recommend. This would cause you more problems rather than help.

I can’t launch anti-malware programs. What to do?

In most cases this is caused by either a false positive in the antivirus or malware. Try renaming the anti-malware executable's extension from .exe to .com and launch it again. Another approach would be alternate OS scanners – bootable CDs that can scan your hard drive as long as it is not encrypted. The third option would be Hitman Kickstart.

Step 7. Investigate other possibilities

Symptoms: All devices in the network behave the same, especially if they have different operating systems.

One more possibility is an infected router, or an ISP hijacking both DNS and HTTP requests. Such Google redirect virus problems are hard to debug, but a common sign is the same hijacking happening on several devices while they are in the same network, e.g. at home, and not while at work or somewhere else.

Router Google redirect viruses are caused by poor router passwords or well-known vulnerabilities in popular router brands. While the exact fix will differ, you will have to download an updated image and flash your router with it.

For router infections you will need to download a router image and reset your router with it. This depends on the particular type of device, and we can’t provide instructions for all of them in this guide. Afterwards, make sure your router has a strong admin password.

 

Update 2017.08 

I have decided to add a quick answers section to particular steps and to remove questions/answers that are about common problems or not relevant to this guide. This is done for usability: most of the comments ask repeated questions, and quick answers add more value.

 
 

About the author

 - Main Editor

I started 2-viruses.com in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.


566 Comments
  1. Hi

    I changed,(after show hidden files), the to read and closed 7 rebooted, returning to hide files again.
    From very slow & constant redirects >>> now none & supa fast, as usual. Either in SlimBrowser or IE ;<)

  2. THANK YOU! I’ve been trying for weeks to get rid of that stupid virus. Now my computer is working normally and I can access Safe mode again.

  3. Was getting Facebook logon redirected to Pricegrabber.com…..removed entry below the 127.0.0.1 Local Host entry and all was well again! Well done!

  4. My Host file is not in the folder. I am running XP pro. Can I replace it with any Host file?

  5. Thank you very much. Some virus has overridden the host file in my computer. Deleting that solved the problem.
    Thank you again.

  6. holy, my computer is at risk.
    i tried all of this but nothing works.
    i need a little help here admin.

    also this thing is appearing in my screen.
    “application cannot be executed.the file wuauclt.exe is infected”

    now how can i fix my computer??

  7. Anja : Start task manager and try creating new process. Type in notepad (you might need to enter full path to notepad application).

  8. I am dumping all my pictures and other stuff into another drive and buying windows 7 will I still have these antispyware soft issues? I also may reimage the XP OS back onto the original hard drive after moving most things to another drive. This antivirusspyware soft thing locks me out of control panel program list and add/remove programs.

  9. The virus doesn’t appear to be too severe, as it only affects my search engines; however, I would like to fix it. Nothing significant was caught when I ran Norton so I tried looking at the host list. The only line after
    # 127.0.0.1 localhost is

    # ::1 localhost
    10.254.254.253 AFS

    Should that be deleted? And how do I open it with “administrator privileges”? I am trying to avoid downloading more anti-spyware and anti-virus programs. Is there anything else I can do?

  10. Anna : these lines look harmless for me. Check your DNS settings and proxy. If it fails, you might resort to scanning with anti-malware/antivirus tools

  11. I have a friend w/a Dell PC (unsure of model). She (or tech support) accidentally downloaded Live Security Suite, and now we can’t get anything to work right. How do I remove LSS w/o wiping out the system, or her taking it and spending her life savings on getting it fixed or a new computer?

  12. I also have an Everex Stepnote Laptop that is very slow no matter what we do, and almost every time it is left alone, the screen saver “freezes,” and nothing works except to shut it down by the power button. Any suggestions?

  13. Chris : it's more like a hardware/driver issue than a virus.. But a scan with malwarebytes/spyware doctor would not hurt 🙂

  14. Thanks! finally got this bloody redirect off my computer, I’ve been using bing for almost a year!

    Thanks again!

  15. Hello,
    My problem is the google redirect virus.
    I have xp I found the host file mine is 400kb is that normal? I see a lot of google files is it safe to just delete these and will they come back?

  16. I have the “live security suite” rogue malware. Won’t let me do anything. I have tried to run several removal mbam, spybot, etc Every time I try to run the downloaded file I get the following message “Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item.” I am in safe mode with networking and signed on as administrator. I have tried downloading to fly drive and accessing it that way same message, I have also tried changing file name same problem. Went through steps to open notebook and won’t let me do that either any suggestions?????

  17. Laura: This is separate problem. You should kill live security suite processes before executing any of files, and (maybe) fix registry, that does not allow executing programs. To do so, start task manager right after being logged in. The Live security suite will load quite fast afterwards, so you have to hurry. Press CTRL + shift+ esc and wait. Go to processes tab, and look for processes that should not be there (typically, names are random letters). Stop them. Then go to File ->New task and enter full path to antivirus executable on hard disk. This should allow launching antivirus and removing everything. Later you might continue with removing redirects.

  18. Nothing is working for me. I have been reading posts for the past few hours, and have removed viruses in the past, but this one is givin me a run for my money. I manually deleted the virus files themselves, but still cannot get on the internet. I have done everything listed on this page regarding proxies and whatnot, but still nothing. I have searched for the registry files, but being that I never actually clicked the virus to run a scan, I don’t have any to delete. I am at a complete loss. Computer works fine, just cannot get online in any way.

  19. Jesse: you might need to install antimalware tools using a usb drive. There might be cases where the virus inserts itself in other locations, for example in drivers. Though it is very rare. The guide covers the majority of common cases of broken internet connections due to infections.

  20. Thank you so much. My host file was the problem. It was completely rewritten and had an IP that was not mine and it kept repeating itself on every search engine. I just deleted the whole thing but hosts is still there but nothing is on the notepad. I can use the search engines now but I will restart my computer and see if the host file will return back to normal. But so far the hijack is gone. Thank you so much.

  21. wow soooooo good its working again after so much stress .. tried 4 different malware programs not even norton picked it up .. thank you so much for your step by step procedure without it i would never of figured this one out … i wanna kiss you

  22. Ok I got this after I got AV Security Suite
    I did all of that and scanned with AVG and IObit Scanners but the problem wont go away on Firefox
    No proxies on either and auto DNS
    WHAT DO I DO!
    And you guys can protect the hosts file by putting it to Read-Only
    Found that out not too long ago

  23. Alexander: Check add-ons in firefox. These might be infected as well. Also, neither IOBIT or AVG are good: Iobit uses ripped off malwarebytes database ( at least partially), and AVG (free) lacks rootkit detection.
    I would recommend scanning with Spyware Doctor, Malwarebytes, Spybot S&D / AVAST or Avira

  24. OKAY I will try…
    I looked at my Plugins and saw Pando…
    and I’m like “whats that” no info, no homepage, nothin… I disabled that (hopefully that works)
    I did have Spybot before and ill run it again as soon as I get it again…
    I’m also thinking about getting this Spyware Doctor cuz it seems useful

  25. I did Spybot S&D and it found a ton of things(types were malware(c)and Security(c) and a couple hijackers from files in the registry) but somehow I’m still getting the hijacker in Firefox only(ugh). I really need to get rid of it
    and Yes I ran 1 scan,restarted and scanned again + my dad scanned on his account
    I’m going to try to scan and look over EVERYTHING
    Any suggestions…
    Links the thing is taking me to:(ADS SPREAD LIKE AIDS!)
    [We do not allow links to malicious sites to prevent infection of other readers]

  26. Alexander: Save your firefox bookmarks. Close it. Go to firefox data folder C:\Documents & Settings\[Username]\Application Data\…. On vista/xp (on windows 7 use C:\users\… instead) and delete everything. Then reboot, start firefox anew.
    If this solves problem, this is the quickest fix.

  27. Then you will have to scan with something else than Spybot. I would suggest Spyware Doctor, malwarebytes anti-malware, superantispyware. If only firefox is affected, and problem persists after deleting userdata, no problems in settings, then you have firefox-specific hijacker.

  28. I got spyware doctor and it is scanning right now
    Thank you for the help so far
    threats so far
    Tracking cookies-7
    Spywere Known bad sites-1
    Adware.Advertizing-1
    Adware.searchit toolbar-9 (oh gosh lost my place Its done)
    Trojan-Downloader.small.CML-6 (sounds like it)
    Hijacker.dospop_toolbar-30
    yeah thank you again for your help
    ill see if it still happens

  29. Alexander: I would guess it is Hijacker.dospop_toolbar-30 . Trojan.Downloader would be the one responsible of installing it 😉

  30. … I lost all of that because my computer froze…
    I cant pay for it so I guess I just have to do another scan and remove manually…
    I didn’t know you had to pay for it… oh well atleast it got the location of it

  31. Well, Spyware Doctor has about 4x bigger database of traces than spybot as far as I have checked, so I know it can find more. I am not so sure Spybot S&D is updated enough to make it a good solution for windows XP or later users.

  32. Thanks for the help I got it off but I think there’s still more…
    I still get it but I don’t care not as many now AND! it just goes to google instead of the ads
    YEY!

  33. Just got done resolving a redirection — and worse – problem which was caused by a problem with our router.

    The virus/Trojan had changed router setting to direct DNS searches to their web address. They returned bogus address.

    Look into your router settings to make sure your settings have not been messed with. We ended up Resetting the router to factory settings and reinstalled the router.

  34. I have windows 7 and just got the virus/trojan myself. However, I cannot open ANYTHING. Not even task manager. I can open programs in safe mode, but how do I remove it from there?

  35. Mark : First you will have to remove viruses. Disable the proxy server, download Spyware Doctor or malwarebytes, do a scan, remove stuff it finds. Do it in safe mode. Then reboot, and try to finalize checking the connection.

  36. The issue with facebook redirecting to say pricegrabber isn’t always a virus or malware.

    Linksys routers are sometimes the culprit…a fix that may help for some people (specifically using linksys wrt160n or any other linksys router).

    Network Connections > Right click your connection > Properties > Select TCP/IP > Properties > Set your DNS manually (see below for what DNS servers).

    To determine the DNS servers to input here: Get to CMD Prompt > IPCONFIG /ALL > You will see 2 IP’s under the DNS Servers section > Enter those 2 numbers in the TCP/IP DNS configuration.

    I use OPENDNS, which is configured on the router and now manually set in the tcp/ip, and have never once seen this facebook redirect occur again.

  37. Hello.. Emmm I dont know when “Security Master AV” was downloaded in my PC.. After that at regular intervals i get pop up windows asking for healing the viruses and buying the software.. I want to delete the above program/software.. Its really annoying.. Can u pls help!
    Regards
    Bhakti

  38. Mine is only redirecting Google chrome, not IE. Will the same steps above work? Is there something else I should look at?

  39. JABAD: You need to reset connection settings in chrome. This is done going to Tools->Options->UnderTheHood -> Network->Change proxy settings.
    Also you might need to disable chrome addons that are malicious.

  40. Reset to default? There is no proxy enabled, so that is OK.
    I checked add-ons and see nothing that looks too bad. I disabled three that looked unfamiliar and nothing changed. Should I disable all add-ons?

  41. ok when i open up my Hosts file i have right under 127.0.0.1 Local Host a ::1 localhost do i have to delete that host or what and i have windows vista how do i get to my local network

  42. Hello again all 😀
    I am back for help
    …Still have the virus redirect
    Has any way changed to get rid of except the Rootkit thing (which I am doing now)?

  43. Alexander: Check your router settings as well, and try to enter DNS settings in your internet connection manually. SET them to 8.8.8.8 and 8.8.4.4. Sometimes routers are infected instead of PC.

  44. Alexander: Update and do a scan with same tools again (Spyware Doctor, malwarebytes, etc). Rootkit might have hidden/downloaded other processes. I would say this time it is not router.
    For checking the router, do the following: See what ip your PC got, and which gateway it uses. Then enter that gateway address in your browser.

  45. I did rootkit and Spyware Doc and rootkit got 8 or 9 things out of it
    How can I check the IP and Gateway? :/

  46. Look at the image in the step in 2.2 of this guide. There is a menu. Choose Status instead of properties. There you will see gateway server. usually the IP for it is 192.168.1.1 or something like that. If you are connected to the internet directly (no router), then this does not apply to you, and you have to look for virus in your PC.

  47. It happens to me no matter what search engine I use and the only add-ons installed in IE are 3 Java ones.

  48. Please help I did everything listed and it’s still redirecting me with every search engine and both firefox and IE. 🙁

  49. Hi, my friend has a Dell laptop, running Vista. The virus is Security Suite and seems to have infected lots!
    Please could you explain the above (in a more dumbed down version) she can’t afford to send her laptop to be repaired.
    I was thinking of downloading the spyware to my hardrive and then installing it on her pc, but won’t the virus spread to my hardrive?
    Thanks for your help!

  50. Thanks for the great article.I had the hijack virus.Not only that it was blocking my spybot S&D andother malware programs from even running.I went tru all the steps but have to say #8 was the one that found & fixed the problems..
    Thanks again..

  51. Freeforce : it is quite straightforward. In most cases problem is not chrome specific, but you can check Customize and control->Options->Under the hood -> Change Proxy settings ( It uses IE settings)
    Also, you can check Customize and Control -> Tools->extensions and disable all unknown extensions.
    Everything else is NOT chrome specific, thus the guide should apply.

  52. I have downloaded AntiSpy Safeguard on my computer; I want to remove it but I have no clue. Can you please help me

  53. the host file ending with

    ::1 local host

    it is alright then? if nothing wron with the host, how can i removed the antispy safeguard? im not good in safe mood.
    i did install tdsskiller.exe, but the scan doesnt detect anything. the spyware doctor detected some malicious file but i can removed those files unless i buy the full version. is there another way?

  54. syn:
    ::1 : ok, it is for IPv6.
    You can delete these files by expanding the detection results, checking the file location. Then delete the file. Just make sure to fix the registry as well, as in some cases malicious files are referenced instead of important system processes. It would be best first to start msconfig and disable the malicious files from starting up, then delete them.

  55. What stops you from disabling the proxy server? If it reappears, then skip to the steps to download removal software, as that is a sure sign of malicious processes on the PC.

  56. I worked on three computers that had this same problem:
    Windows 7:
    I logged in as another (administrator) user and ran MS Security Essentials, then logged back into the infected side and turned off the Proxy server setting:
    Internet Explorer -> Tools -> Internet Options -> Connections tab
    LAN settings button: clear all the check-boxes. (Do this even if you do not have another user login). The proxy server was checked only in one out of 3 machines I helped with.
    Find the AppData folder of this user (with infection) and delete two *.bat files and the *.exe file in the AppData folder.
    Windows Server 2003 (similar to Windows XP):
    Find the Application Data folder for the user (under Documents and Settings) and delete any *.exe files there and the *.bat files.
    NOTE: You might find EXE files in the AppData or Application Data folders that belong to Google, Adobe etc. If you see any UNINSTALL programs there run them and then take out all remaining files. (I don’t think these are essential programs.)

    Find the TEMP folder of the User’s folder and delete all the files there. The EXE file that generates new names is there. It is called by the BAT files to do this. The one I found is ‘e.exe’.

    Good Luck and let’s hope FBI catches those who gave so much misery to people are caught, fined and jailed for the rest of their lives. (It’s not hard to find them, FBI)

  57. Hey! I had this same problem and got tricked into getting the free version of AntispySafeguard! But Just simple Computer Restore saved mine. Just set it back to a time before you used the spyware (I set mine to a month back even though I only had this problem for a week) It's very Simple and now my computer works fine.
    Good Luck!
    P.S. AntiSpySafe Gaurd WILL try to restrict this. But just click the “Continue UnProtected” until it allows you.

  58. Thank you so much! I tried everything. I searched everywhere. NOBODY helped me. All it took was the notepad trick. You’re awesome!

  59. I lied. I thought it was fixed but after leaving you that comment I went to google search again and the same stupid redirect happened. Help?

  60. Try disabling proxy server, do a scan with some anti-malware tools, and check if you got TDSS rootkit (run TDSS Killer). See your router settings as well. Generally, try doing the whole guide.

  61. I have done the above steps. My host file has no other lines other than what you say should have.

    I am still getting fake microsoft alerts. My google search on this problem gets redirected, using firefox.

    I have followed the steps on this website http://www.2-viruses.com/remove-fake-microsoft-security-essentials-alert and found nothing. Also rebooted my pc with aoss scan http://www.pctools.com/aoss/ and scanned with Malwarebytes but it found nothing.

    After all these, I am still getting fake microsoft alerts 🙁 what else can I try? I downloaded spyware doctor but I have to pay for it. Is there any other free software that I can use?

  62. Kaitlyn: Try Malwarebytes or SuperAntiSpyware. Malware mutates, so no tool is 100%. If SD does not detect particular parasites, it will not remove them in the full version, probably till the next update. Also, have you run TDSS Killer?

  63. […] Google redirect virus is a group of trojans and rootkits that redirect user searches to undesired websites. Such behavior can be noticed during rogue antivirus attacks as well, when search is hijacked and no legitimate malware remover companies are displayed or accessed in results. Thus Google redirects are quite dangerous. These redirects might affect other websites (or search engines) as well. […]

  64. I have thinkpoint have no idea how it got on my computer. I have norton and it says nuthin at all is wrong. I’m runnin windows 7 & I need to know how to get it off it won’t let me online or on anything really I got the task manager to work and that’s the only way I can get online and I have to use my safari cuz it won’t work with explorer it got on my comp last nite somehow and I need help removin it before it gets too bad oh btw was on the phone with a lady from compaq for 3 hours she did nuthin to help she just tried to sell me a recovery disk for $30 🙁 plzz help me I know nuthin about these things

  65. Sebrina: read the ThinkPoint removal guide. Disable proxy in your other browsers and try searching for and deleting the file hotfix.exe under your user folder (one level above my documents).

  66. @admin
    This sounds exactly like the virus that I have on my other computer. Not sure if you are familiar with “youcansearch com” but I keep getting directed to that site whenever I try to use another search engine. I have used Malwarebytes Anti-Malware, but nothing seems to show up. In searching on how to get rid of it, I found a site that told me to delete all the files under the etc folder (… ). Here, you say to delete only specific lines from the host file. Can I do either?

  67. I do not recommend deleting all the files from there. They are created by windows for a good reason 🙂
    Just delete additional lines if there are any. If not, virus is somewhere else.

  68. Go through the full guide. If it is malware, any scanner will help significantly, as it could be anywhere. If it’s settings only, then it will be either DNS server settings (in router or on PC), proxy, or hosts file.

  69. Hi, so I know that you said that in order to save the host file you’re supposed to open it as the administrator. I know for a FACT that I am the administrator, but I still cannot save the host file. I always tells me to “contact the system administrator” and then it tells me to save it as a text file in my Documents. What should I do?

  70. Tram:
    Are you on Vista / Windows 7? If so, you are not running as full admin all the time, even if the account is an administrator’s one. That is called the UAC window. If a program is launched without elevating the permissions, it will not be able to receive these permissions later on. That is why it is important to open the file as administrator.
    Nevertheless, there are forms of malware that change file permissions. For that, you have to right-click on the file and change its attributes.

  71. Yes I believe I am on Vista. But the thing is, when I right-click on the host file, the “open file as admin” is not available. It just goes straight to “open” and then asks me what format I want to open it as. Since I am not really computer savvy, how would I change this?

  72. Hi…I have read thru all your fixes…even tried Kaspersky…I did a fresh install of windows and STILL have the redirect….i have tried all the programs….avg.malware.super.adaware…a list of em and they find nothing…any suggestions?….it is IE and firefox not just one…thanks so much

  73. Hi, I had the redirect virus and I did your fix steps and now I don’t get redirects anymore, which is great, thanks. (However, my hosts file was perfectly intact.)

    The problem I am still having is that every time I open my internet browser (either IE or firefox), usually after restarting my computer or waking it from sleep mode, my proxies are changed and my internet becomes unusable.
    Something keeps changing my proxy settings to “Manual Proxy configuration:” (on firefox, for example) and I have to change it to “no proxy” every time if I want to use my internet. What would be causing this and how would I fix it?

    Thanks.

  74. EDIT: It seems to be the act of opening the browser that re-sets the proxy settings to the setting that won’t let my internet work (Manual Proxy configuration)…. if that helps??

  75. I just scanned with TDSS Killer and there was no problems. Also I checked my Device Manager under Non-Plug and Play Drivers and there was no TDSS there. I have done approximately 20 scans, including scans with many different types of trusted scanners (including the ones you recommended) as well as boot scans and scanning in safe mode.

    However, every time I open my browser my proxies are changed. My hosts file is fine and unchanged, my DNS settings were originally changed, but since my fixing them they haven’t changed back (unlike my proxy settings). What could be causing this? It’s very annoying and it is slowing down my computer quite noticeably.

    Thanks again.

  76. EDIT: I just reinstalled Firefox. Now whenever I open my browser (either IE or Firefox) my proxy settings are unchanged! So I guess the virus was affecting some sort of Firefox file itself? I don’t know… Does this mean the virus is gone? or..?

  77. @Seth
    Ok, to do this correctly, select all the things you want to keep, and right click, and look for an option that says: Scan with [your virus protection if you have one] and scan, then move to disc.

  78. I downloaded spybot and ran a search. I am no longer redirected to spam sites from google searches but I still cannot open firefox. I opened the wordpad host document and there was nothing unusual. I went through all of the other steps as well, except changing firefox’s settings, because I cannot open it.

  79. Rachel: Spybot in my opinion is severely slow at updating definitions. Your problem is due to infection, and not malicious configurations. Try using a couple of other scanners: Hitman Pro, Spyware Doctor, Malwarebytes, SuperAntispyware.

  80. Malwarebytes caught nothing. Spyware Doctor found things but because it is the free trial, I cannot do anything about it. I will try Hitman Pro and Superantispyware. Could this infection also be disturbing the connection between my computer and printer or is that an unrelated problem?

  81. I used Hitman Pro and Superantispyware. Both of them found things and deleted them, but I am still being redirected. On the upside, firefox now opens. Its proxy settings look fine.

  82. Expand SD detected items. See the file location. In many cases it is safe to delete or rename detected files. In some cases you will have to modify registry keys.

  83. I’ve been reading through your article, and AVG and Malwarebytes don’t pick up the virus or rootkit. Whenever I visit a legit site to download Hitman Pro or SuperAntiSpyware, my Mozilla Firefox freezes. I heard it might be a router issue or that I should use TDSSKiller.

  84. Anon
    Yes, TDSS Killer is a good approach. Try changing DNS servers though, and check which DNS servers your router uses. It happens that malware infects routers, especially ones with the default password for that model.

  85. Thanks, TDSS Killer did it, then I used Malwarebytes to scan. =) So do you recommend changing the password on my router, and which anti virus/malware/spyware product can get rid of problems like this in the future?

  86. If it was TDSS Killer, then your router is likely unaffected. However, it is bad to keep default router password, so if you do, change it (just not to aaaaaa, 123456 or password, the most popular and automatically attacked combos). I recommend getting internet security level of protection for every PC: Eset Smart Security, Kaspersky internet security or PC Tools spyware Doctor with antivirus, or any other from major makers. If not, get Spyware Doctor or Malwarebytes full running with real time protection together with decent antivirus. That should reduce risks of getting infected significantly.

  87. I had this issue and it turned out the dns settings had been hijacked.

    I returned them to google’s dns servers (8.8.8.8, 8.8.4.4) and everything is happy now.

    I don’t think any malware removal tool will find this.

  88. the antivirus software alert wont let me open my host file. i found it but it wont let me open it. what do i do?

  89. Will: This guide is more in cases of handling left-over damage of malware. If you have active malware attack, first scan with regular anti-malware and antivirus tools.

  90. My computer had been redirecting me to infomation-seeking.com. I’m using Windows XP Pro, so are there any differences in the steps?

  91. I’m trying to follow this site, & in my eyes it’s complicated. i have no idea what i’m doing. i’ve never had a virus.

  92. ok….what do you mean by good configuration in boot menu after force shutdown would be an option…Idk too much about computers….

  93. I had my system attacked by antivirus8… bought spyware doctor and antivirus. Ran the software and removed malicious items it notified me of. However, I cannot get my MOZILLA FIREFOX TO LAUNCH. When I go to launch it I get

    “About internet Explorer Emergency Mode” box to pop up and it tells me that malicious software has infected my PC and the browsers can’t be launched. I have uninstalled and reinstalled both Internet Explorer and Firefox and I still keep getting this error message.. HELP..

  94. I disabled IE7 addon “Research” and now I don’t seem to get redirected any more (have to test longer though, because it didn’t happen each time anyway…) Thanks for the great guide! 🙂

  95. so how to i get to ‘hosts’ because it won’t let me click on it without closing again and bringing another security shield warning…?

  96. I have done everything found on this forum with very little results. After the Windows Performance Manager downloaded itself onto my computer I cleaned most of it up by searching for unusual programs. I found and deleted the files called cvfgtm.exe and bktgrk.exe. These files appeared to be AVI files. After deleting these files my computer was restored to mostly normal operation. I then used AVG free and IObit 360 to scan again and removed a few bad files. But I wanted to make sure I had all the virus removed so I searched and found this site. As I downloaded the Spyware Doctor, AVG 2011 also downloaded. Both these files appeared to be malicious viruses and have completely destroyed my computer. I have worked my way back little by little and have just about cleaned up the mess.

    But I have one problem left that I can’t get fixed. When I try to open Notepad in Administrator, it refuses my password. Also, Internet Explorer opens only in some kind of “Emergency Mode” and refuses to let me open any page except the microsoft.com page that contains the Windows Performance Manager and other viruses.

    Can you help me get my internet going again?
    Thank you

  97. Joe: There are mixed opinions about stopzilla. I would not use it myself, as in my experience it detects infections in files that are harmless ( aka false positives). However, these are not intentional, and the company is legitimate. There are better tools though.

  98. I had this problem too,
    it was a self-reinstalling local proxy.
    Files (terms) to search for in the registry:

    Temp\csrss.exe (don’t delete anything where the path starts with %system… usually with Temp\csrss.exe you would not even find something that starts with %system…)

    data\dwm.exe (not renameable because running, so needs deleted in registry)

    data\wins.exe (rename you will find the path in registry)

    data\conhost.exe (Start > run > msconfig > systemstart > uncheck conhost)

    —- export registry first DONT delete keys just remove values —-

    After restart you will find out (because your internet works only for certain webpages) that your system LAN settings were set to use Proxy for LAN…
    so go to

    Start > Control Panel > Internet > Tab Connections > Button Lan settings > uncheck use Proxy.

    that was it for me, hope it helps someone.

  99. OK, I’ve read this page and it didn’t help my Google redirects. My host files are fine, I can’t find a TDSS thingy, and I can’t download things either; it just keeps asking what program I would like to choose to open the file, and when I choose, it just does it again. My Spyware Doctor didn’t pick up anything, but now I can’t even open that. My processes seem fine and my proxy is disabled, so I’m just going to save money and buy a new com. BTW, I’m using IE8, I believe.

  100. Tony: Your file associations are messed up, you will need to fix registry first.
    Check your browser addons and try doing scan in safe mode with networking (full system scan) with several tools

  101. Have trawled various forums, manually hacked away at the superfluous, used malwarebytes’ anti-malware, superanti-spyware, sophos anti-rootkit and unhack me, tried disabling javascript, checked dns, hosts, and proxy settings, and scoured the filesystem for dozens of the usual suspects. My search results still redirect me almost unswervingly towards a goingonearth version of whichever result i’ve clicked. Likely point of infection was mj1.exe and mj2.exe though not sure of where they originated. Close to initiating a total re-install but refuse to be beaten, now 8hrs in and need to sleep. D

  102. phnatduppf:
    Have you checked add-ons in browsers? In some cases router needs checking as well, though that approach works through DNS servers usually and is fixed once you change it.

  103. Cheers for reply,
    all addons are those i installed and none of my anti-* scans flag them.
    Online through t-mobiles web’n’walk mobile broadband and a 3g huawei dongle only use firefox but checked and IE has same issue on my first use of the program.
    What is being referred to when i click a search result? How is it unique only to this action, not downloads or intra/inter-site links, also appears yahoo is unaffected whilst bing and google are. D

  104. Problem appears solved,
    first ran rkill.exe (found grpconv.exe),
    then kaspersky’s tdss killer (found sptd.sys),
    then mbam,
    then hitmanpro (found sapi0.dll).
    So far (>20 searches) no redirects. D

  105. Am stuck at step 1 – how do I save the corrected host file (I don’t see where to “open with admin privileges” on my home PC).

  106. Hi,

    My google direct virus means that all the web browser open up in Chinese – and it appears to be a porn site. This happens for both IE and Mozilla and also appears in Yahoo if I try to search. I have read all the following information and no-one has mentioned Chinese characters. How can I fix this problem?

    Many thanks

    Marg

  107. I’m having trouble opening my file as a note pad. It won’t open at all, I did everything I can, including “Running as Administrator,” nothing seems to work. Please E-Mail me and help me out. I really wish to get this program out of my computer.

  108. I cant open my host files it wont let me and ive tried moving malware anti malware by a usb drive but it still wont let me open it

  109. This goes out to the maker of this virus: I’m tracking you and I will get you. It’s nice in CALIFORNIA, can’t wait to see you.

  110. I can’t find my host file, and running notepad as Administrator doesn’t work either. I’m running Windows 7 64bit. Please help.

  111. You are the best! I have been working on this damn thing all week. The rootkit tdsskiller did the trick! Symantec and Malwarebytes didn’t pick it up.

  112. This worked for me.

    Just make sure guys that when you’re about to edit the host file, “read only” is UNCHECKED in the files properties.

    And if you are having problems with overwriting the file, double click it when you are saving.

  113. @Julius

    Thank you from RDU (Raleigh-Durham NC)! The rootkit tdsskiller did the trick!

    With 12 years computer/network experience — this Malware got me good! Wasted 4 hours of my life!!!

  114. Old hacker trick—mark the hosts file as read only…and if you use WinPatrol
    (the free version is fine) it will show you the hosts file within the application and also everything running.
    AND it warns you if something writes to the startup
    http://www.winpatrol.com/

  115. Thanks for this information. This virus was causing me all sorts of headaches.

    Now if I could get my hands on the person who put the virus on my computer in the first place, that would be a nice feeling to have. 🙂

    Cheers, Dale

  116. Thank you for this guide. All the responses to questions really helped my knowledge on this subject. I checked my addons in Firefox and found “XUL cache.” I removed it and the redirects seem to have stopped. I read somewhere that this addon can somehow get back onto my browser. Is there something that I can do to make sure that I’m in the clear?

  117. Tyler: best advice is to keep decent internet security suite on PC. Malware still has to get in on one’s PC to modify settings and cause redirects (except in case of hijacked router). For the router, nothing beats changing password from default one.

  118. Just wanna say thank you. The instructions totally solved my problem! Really saved me a lot of trouble. Thanks a lot!

  119. @Hi
    To save host file as admin, windows 7, even if you are the admin right click on host file go to properties, under security tab, select user and edit – Select all boxes under Allow. This will grant permission to save the file.

  120. Just removing the following entry from my hosts file did the trick.
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost

    Thank you very much!!!!

  121. @Shokc
    I can’t update the hosts file it won’t let me open it or change the user properties so all users can edit. I can’t download the spyware (*any of them) from the internet as the virus has blocked access to them. I can’t even access the internet settings to change proxy settings…it just says can’t access contact your system administrator. Please help I can’t do anything on my PC and this virus is so fr*king annoying!

  122. Reboot your computer in safe mode and delete the following file in the following folder. Fixed my redirect problem like a champ!!

    File: api-ms-win-core-memory-l1-1-032.dll
    Folder: C:\Windows\SysWOW64

  123. tdsskiller.exe is the one. I think that should be bumped up to Step 1. 🙂

    Thanks for the help.. just glad that I finally got rid of it.

  124. my host file doesn’t look like that it looks faded and it won’t let me save it i have also tried running as administrator

  125. I’m trying to do step one, and my computer wouldn’t let me ‘access’ or save my changes. I noticed an extra line that ‘I think’ should be removed, ::1 localhost. How can I let the hosts file save my deletion?

  126. The hosts file suggestion solved the problem that Lavasoft and Ad-Aware didn’t catch. Thanks for being awesome.

  127. Thank you thank you! I had to do quite a bit of research for an important paper I’m working on and the problem was hindering me greatly. I followed your instructions and it worked! It was some trojan programs that were quarantined in my virus protection but they were still causing problems. I’m very grateful 🙂

  128. Just wanted to say thanks for the information. My IE has had the same problem as most people have had lately. I had tried about 10 Spyware tools and none found the problem, so I downloaded and ran tdsskiller.exe from Kaspersky. I ran it and the program found 2 files BMLOAD and tcpipBM which it removed and now IE works as it should when I select something from a google search.

    Now to find a fix for why my active window deselects itself after about 25 seconds and I have to click on the window to continue doing whatever.

  129. Dave: Rescan with full kaspersky version or other 10 tools :). This kind of infection might have hidden some other processes from anti-malware tools while active. Also, it might be useful to do a test run with some registry optimizer like CCleaner.

  130. Hi ya Admin.

    I just found what was causing the active window deselection. I recently installed Kies for my Samsung phone. I went through and ended the windows processes that weren’t directly related to windows 1 at a time until it stopped. It was KiesPDLR that was somehow causing the problem. Thanks again for your help.

  131. Great info, unfortunately I’m still having issues.
    Step 1: I modified the hosts file to match yours
    Steps 2 & 3: settings were fine
    Step 4: N/A
    Step 5: I disabled all non-Microsoft addons
    Step 6: I ran Spyware Doctor. It found a high threat and a medium threat. I was surprised that I had to pay $30 to fix these, but I decided that the $30 would be well worth the fix. This didn’t do the trick though.

    When we go to Google & Bing the bottom bar says “waiting for Google.com” and the page just never loads. Yahoo loads, but we can’t search, the searches don’t load. The control key isn’t working properly, I can’t copy and paste using control commands.

    I didn’t continue with steps 7, 8 or 9 because this computer belongs to my parents and I ran out of time. Any advice??

  132. Step #1 was the fix for me. It worked. But before that, I scanned my laptop running Vista Basic Edition with Adaware (free edition) from Lavasoft. I’ve been using Adaware since 2001. I also used CCleaner (free edition) to scan/fix registry entries + stop suspected processes. Both are excellent tools for free. Finally, I uninstalled several “suspectful” third party software using another free tool: Revo Uninstaller. This utility doesn’t just uninstall the software but also offers to clean the registry table of ANY occurrence of the software you’re uninstalling. Then apply the fix proposed here, otherwise the malware, if not removed previously, will keep re-installing itself.

    I can now enjoy ALL the Google / Yahoo searches again.

  133. Thanks! I have been having a nervous breakdown over this and your advice is the first that actually got me anywhere.

  134. I have tried everything. It keeps bringing up Data restore with every error message possible. Please help me, I’m not very computer savvy and I really need this to work for school…Thank you

  135. Step 4 worked for me, but as I understand it, the automatic setting of proxies still has fake information somewhere, right? How do I fix this to get rid of the problem completely?

  136. Train42: in some cases the original infection is already gone (removed by antivirus), but proxy settings remain. However, I would recommend scanning PC with decent antivirus. If you have no other symptoms, I would recommend scanning with Hitman Pro, as it is fast and scans with multiple antivirus engines http://www.2-viruses.com/reviews/hitman-pro .

  137. […] ZeroAccess rootkit is quite similar to TDSS rootkit, and shares both functionality and even some portions of code. They both hide from anti-malware program scans, stop legitimate programs from working by killing their processes or stopping them from execution. Zero Access is one of the trojans responsible for hijacked Google results. […]

  138. Well I troubleshot all these steps and noticed that all my settings are like that suggested. My internet regarding the proxy settings, however, does not have a proxy port. The only browser I have is Google Chrome. I have a redirect virus that when i click on a trusted site, it stops at a blank screen, pauses, loads then stops and changes the website. It takes me to sites like dictionary sites with “Suggestions” I use an entirely outdated 2005 Media center edition PC so everything isn’t far from Win98.

  139. Here is what I have found with my laptop and google redirects. There is a copy of MS Internet Explorer running in the background. This appears to be related to the redirects. When I rename my IE folders so it will not run and kill the running copy the redirects stop. When I put the folder name back. The IE background process will reappear and the redirects will start again.

  140. I should also say, since IE is disabled I use Firefox or Chrome. Both of which also had the redirects.

  141. Tim: It might be a malicious IE plugin, that creates a process and hijacks all internet access. Have you scanned your PC with multiple tools?

  142. Hate this. I’ve had this problem multiple times, did all of the above fixes, and it changed nothing. Something was still delivering both the fake antivirus program and the redirects in Google, to the machine. Even went as far as to reformat the machine. Then, upon entering dns and static ip info, the machine got infected again. BUT, the server machine (which was really just another computer acting as a server) was not infected. We scanned that thing thoroughly. ODD and extremely stealth, these things are.

  143. Ryan: this guide is for cases when there is no obvious trojan in the system. In your case, I would first do tdss killer scan (and see if it detects), and if not, do a scan with Alternate OS scanners, and then repeat all the steps here.

  144. i have a problem with the cursor it is not stable may be it is due to some virus, pse suggest me how to repair it.

  145. Thanks a lot. I erased the whole host file because it gave me no option to modify what was on it. In fact there were two extra lines, one for Google and the other for Bing; after deletion the hidden virus can’t redirect me anymore. I tried everything before unsuccessfully: system restore, antivirus scanning, resetting Internet Explorer, Windows search, etc. Even listing the page risksearch net on the restricted sites button didn’t work completely, because even though it tried to connect unsuccessfully, it still redirected me from the right results. I was about to switch the HD, but I found your help online and it worked, thanks.

  146. I have located the HOSTS page & opened in notepad, however, after the 127.0.0.1 localhost I have loads of others all with the same number but different name. Do I delete all of them?

  147. I can’t seem to run KasperSky. Google redirects me to cc search sometimes(I’m on google chrome). When downloading, my internet connection gets cut off and I had to restart the computer. Any idea what I should do? I tried opening host, nothing suspicious. Checked proxies and DNS settings also nothing.

  148. Trail : check router settings, although I would suspect active malware on your PC. Download TDSS Killer and some anti-malware program on another pc and use Flash drive .

  149. Unknown
    I would say first get a decent antivirus or anti-malware. There would be far less infections if people would actually use antivirus 🙂
    Professional repair is required for fresh or very aggressive malware or when PC is beyond automatic repair.

  150. Ummm… Hi, every time I click on a link in Google or any other search site it redirects me to a random porn site. I can avoid this by copying the direct link into the search bar but it’s a pain doing that all the time. I’ve used Spyware Doctor
    and it only found cookies and one medium RogueAntiSpyware.Antivirus360, and that has nothing to do with my browser or something like that. But please help me!!

  151. I’m so frustrated with this redirect virus in Firefox. I run WinXP and have TrendMicro who, surprise surprise, didn’t stop yet another virus from taking hold. I ran Malwarebytes and it found 2 reg key trojans and one infected folder. I deleted all 3, then went back in and double checked everything over again. Still I’m getting redirected. Any other suggestions, or if someone finds a solution, please let me know. Thanx

  152. Oh, update. I think I know what the culprit is. It’s this babylon search engine; I caught its name in the “jump” when it was redirecting me. Now if I can find out how to get rid of this I may be ok. Any help appreciated since this is one of the only sites that actually gets past the redirect. 😀

  153. @Lulu
    Great news!!! I went to Microsoft’s website and D/L the microsoft emergency response cleaning tool. After many failed attempts by Malwarebytes, Spybot, Trend, and even Hitman, nothing removed it. I then called Microsoft and they directed me to this. It is a free d/l for Windows users. Ran one scan, took about 4 hours, restarted PC and voilà, redirect gone. Hopefully this will work for someone else 😀

  154. Hi,
    I have been having this redirect problem for a few days now and could really use some help. I don’t get redirected every time I click a google link, but occasionally I do and will have to try many times before I actually get through to the requested site…I followed all the steps (all of my settings and folders were already how this guide says they should be) and have done full computer scans with AVG, Malwarebytes, Microsoft Malware Removal tool, and the Microsoft Security Scanner, and the TDSS killer suggested on this page and found nothing. (AVG and Malwarebytes found 2-3 Trojans the first time I scanned, but they all seemed to be unimportant crap that didn’t affect my redirect problem when I removed them). Any Suggestions or Ideas? Please help me out!
    Thanks in Advance.

  155. Matt : Several things.
    1. Are other PCs in the same network experiencing same problem ? If so, router infection is more than likely. It will not be detected by any tools, though DNS change to 8.8.8.8 and 8.8.4.4 (like in guide) might fix the problems. In such case, one should restore router firmware.
    2. Scan with hitman PRO, SuperAntiSpyware, Stopzilla and Spyware Doctor. While majority of microsoft tools are ok, not everything is detected, and personally I do not trust AVG too much. TDSS Killer is against one (nasty) family of infections.
    3. Double check that correct hosts file is empty.
    4. Worst cases? Scan with GMER for unknown rootkits, scan with AVIRA boot cd or PC Tech support time.

  156. two (and a half) words..

    Get..A..MAC. I have Minor trojan problems but as long as I don’t execute and delete it’s all good. Linux is BOMB proof but user unfriendly

  157. Elliott Bettman: Wrong.
    Some of things listed in this guide are possible in Mac as well. For example, HOST file, DNS hijacking, infected router or malicious browser add-on. In fact, they are possible in Linux as well. A mac owner should get an antivirus, and (likely) Linux box owner as well. Everything else is down to market share.

  158. My computer took a turn for the worse today. After much digging and grueling trying to find out what it was – my two biggest clues of my search engine searches being redirected and music/radio/ads playing in background and the help of my secondary computer – it came down to a virus. I bought norton, ran malwarebytes and ran spybot S&D as well as TDSSKILLER….and then ran all the checks you listed here. I am still having issues. Any ideas?

  159. Rebecca Ldj:
    2 issues are most likely:
    First one is a yet unknown trojan/adware. For this, try Hitman Pro, Spyware Doctor, SuperAntiSpyware.
    Second one is a malicious browser add-on (if the music plays only after the browser is launched) or proxy.

  160. I was having this issue but only in IE. Ran MalwareBytes, Hitman Pro, Spybot, TDSS Killer etc etc. Nothing was finding or fixing anything. I tried using Dr. Web (free version) and it found a Trojan. Once deleted the problem seems to have been fixed 🙂

  161. I deleted Dr. Web but from what I recall it was not an exe file. It was a .dll file in C:\Windows\SysWow64 folder

  162. I tried to delete the extra IPs and files in the hosts file, but when I’m done and go to close the window I’m not able to save it – I’m not actually deleting the multiple lines of IPs permanently. The file is in read only mode. How do you save the new host file once all the junk has been deleted? thanks

  163. Doug: are you on Win 7/Vista? If so, search in the menu for Notepad, right-click on it and choose Run as administrator.
    If this does not work or you are on XP, run cmd, then run
    attrib -r c:\windows\system32\drivers\etc\hosts

  164. Spybot Search & Destroy found Security Defender and says it fixed the problem, but it didn’t. It keeps coming up. Should I have an extra line in hosts – localhost name resolution is handled within DNS itself?

  165. Lines referencing localhost are OK, all other lines should be deleted. If malware is coming up, scan with Malwarebytes, Spyware Doctor or Stopzilla. This is not a settings problem, this is a malware problem in your case. I do not trust Spybot’s update frequency that much.

  166. I hope you guys get paid to run this site. Thank you so much, all this help was absolutely wonderful, you guys are heroes

  167. Thanks. Kaspersky TDSSKiller did the job for me. Btw. there are a couple of other little diagnostics that were useful to me & may be useful to others. Trying to get to http://www.google.com or other search sites with low-level utilities like ping & nslookup also did not work for me, though they had no problems with non-search sites. That told me my problem was way down in DNS resolution. That and the fact that utilities like Malwarebytes & Hitman turned up nothing (or rather turned up a bunch of extraneous false positives), made it likelier that what I was dealing with was rootkit based & very well hidden, as it in fact turned out to be.

  168. Problem:
    Was experiencing the redirect problem, so I used lspfix on my Win7 machine. And now I am apparently connected to the internet but no web pages load at all. Is there a fix? I’ve used the net command to reset my connection but received errors.

  169. @admin

    I’m using Win7 and I can only open it with Notepad, I can’t open as admin. I have right-clicked but “run as admin” doesn’t appear. What should I do to solve the problem? I’m using McAfee and now the antivirus is not functioning well as the firewall keeps turning off even though I have tried many times to turn it on

  170. How do I create another admin user account? I seem to have seen an extra unknown user account but I am unable to delete it. Is it possible to delete a user account? Can you please show me the steps? Thank you so much for your help

  171. Sky: If you are in a limited user account, you need the help of someone that has access to an administrative account. The good thing is that malware is likely to have infected your user account only.

  172. First of all, thanks admin, for putting so much work into helping people. Now, for my question: When I open the hosts file, it asks me what I want to open it with; there’s a list of programs there including Notepad, but I can’t right-click it to open as administrator. When I right-click, it pretends nothing happened.
    Please reply.

    ps. I’m not that good with computers so you will have to explain it like i’m a three year old.

  173. So I’ve done everything on here and the redirect still appears in Google. Incidentally, I don’t have any problems with IE 64 bit. But
    I can’t turn on Security Essentials and my services are altered to disabled.
    Hrrmmph – so what do I do now?

  174. I was freaking out for a whole day!!!!!! Thank you, it fixed the problem. I am so grateful, now I can do my research on Google again. Thanks again.

  175. I am having the same issue and have tried every step (scanned with multiple programs, edited hosts file, ran gooredfix, tdsskiller, etc) still being redirected, in all browsers, IE9, Firefox, Chrome. I am running Norton and it found nothing. I have used Kaspersky and it found nothing. I have cleaned with ccleaner, spybot, etc. Please help!

  176. I’m having major issues with my computer – and even though I’ve deleted the extra host files, it hasn’t solved anything. Done all the scans as suggested and yet I still keep getting redirected to the likes of Facebook Apps (Are YOU Interested, Gogobot, CityVille, etc) and my computer is running so slowly. Any suggestions? I’m running Chrome.

  177. MMC: First, check and disable chrome extensions. Next, change DNS servers to google ones (read the guide). Also, scan with Hitman Pro, Spyware Doctor and Spybot S&D. For me, it looks like some sort of Adware, either toolbar or not.

  178. Thanks for all your detailed information. I have followed your steps up to step 8 (checked the proxy settings, changed DNS servers to Google ones (I think), checked the hosts file, disabled add-ons in Firefox and IE, downloaded and ran Malwarebytes and Hitman Pro)… so far no luck. I have downloaded TDSSKiller but can’t get it to run. As per your other post, I’ve tried renaming it to xxxx.com also, but it still won’t run. Do you have any suggestions? Thanks for your help!

  179. Melissa
    Weird. I would recommend Scanning with Alternate OS Scanner, like Aviras Boot CD. What error do you get while launching TDSS ?

  180. Ta. No error message, just the usual Vista permission thing (obviously I press continue) then nothing happens. I also scan with AVG (free version) each day. What is Aviras Boot CD? My computer knowledge is very minimal. Malwarebytes has a Windows popup type message about every 1 minute saying it’s blocked a malicious site, even when I don’t have a browser open (it does mention firefox.exe, which I’ve noticed sometimes runs in the background as a process even when it’s closed – I am always connected to the net though.) Thanks so much for your help – very, very appreciated!

  181. Melissa: Aviras Boot CD is software that has to be burned on a CD. You insert the CD in your disk drive and reboot, choose to boot from that CD. It might detect parasites that prevent detection while they run.

  182. Hi,

    Thanks for this information.

    I realised I had this virus this morning and instantly downloaded Malwarebytes and ran a full scan. It picked up a huge number of bits and pieces (hadn’t scanned my PC in quite a while) but the problem persisted.

    I then found this thread and did everything you suggested. I had one extra line in my hosts file, the same as another poster that you said was harmless, which I deleted. I ran Google again but the problem persists – except this time, with Malwarebytes installed, every time I click the link it returns me back to the search page and notifies me with “Successfully blocked access to a potentially malicious website 206.161.121.5 – Type: outgoing – Port: 52442 – Process: boom.exe” (boom.exe is what I’ve had to rename Google Chrome, the browser I’m using, as when it’s called chrome.exe Windows refuses to load it and this was the fix I found on the net!)

    So does any of that mean anything to you?! What should I do next? I’m currently running another scan on malwarebytes but should I download another scanner too?
    I tried downloading and installing AVG but halfway through the install it said something about changes to Microsoft Office Professional needing to be undone before the install could complete. I recently installed a new version of MS Office so assumed I didn’t want changes to be undone so I clicked no and the install for AVG terminated. Help!

    Thanks.

  183. A little extra info, don’t know if it will be helpful: it’s literally only clicking on the search results that is the problem. If I right click on the search results and copy the link and paste into the URL bar the real page loads no problem, with no redirection or notification from Malware Bytes.

  184. Emily. This looks like malware infection, either plugin in chrome, or proxy, or attached to network connection or even in router.
    Scan first with TDSS killer (it requires no network).
    Then Hitman Pro. If this finds nothing, scan with Spyware Doctor or try Kaspersky trial.

  185. Thanks for the mega quick response. Just ran Kaspersky’s TDSS killer, found nothing. Will try Hitman – but I need to run into university for a practical now so won’t be able to update with results for a couple of hours! Sorry! Thanks so much though. If it was in the router is it likely that my other housemates, using the same router and connection, would be affected too?

  186. If they are not affected, it is not router. Look under plugins/extensions, also, download process explorer from microsoft and see what processes run (kill all except chrome’s from %application data%).

  187. Quick update before uni: Ran HitmanPro. No change, problem persists. Will try the other measures you suggested when I get home. Thanks for your help so far.

  188. So I came back from uni and ran a couple of scans based on my boyfriend’s advice (computer guru).
    First ran Norton Power Eraser. Found some threats and deleted them for me. Miraculously I realised the redirecting had stopped. I assumed the virus had gone and carried on as usual. However between running NPE and realising the redirection had stopped I ran the Norton Online Scan and I suddenly remembered I hadn’t checked the results. Unfortunately this found 91 infected files. And I was finally informed of the name of the virus: ramnit.B.

    Google searches suggest the prognosis isn’t good! What do I do now?!

  189. Emily: Get some decent antivirus, that detects the files as well. For example, get kaspersky trial (30 days free) and scan. Online scanners do not fix system and files.

  190. I have this gnarly redirecting virus. Every time I type “google.com” in Chrome, it pops up with Oops! Google.com cannot be found. I have tried SuperAntiSpyware, Malwarebytes, Microsoft Security Essentials, PC doctor, McAfee Home Security AND Hitman Pro. I did everything in your manual from checking my hosts file to checking add-ons and proxy settings.
    I am getting very very very frustrated for I cannot seem to get rid of this thing.
    I have run everything in Safe Mode and normal mode…
    Any help would be appreciated.

  191. Lindsey: This is not a redirect problem, it is related to name resolving. What is your default search provider in the browser? If it is something other than Google or Bing, then it is a browser add-on/toolbar problem. Or this might be some sort of DNS problem (change your DNS to 8.8.8.8 and 8.8.4.4).

  192. I have used Combofix and it removed some stuff…I can’t get on the internet now.
    I am going to try your suggestions and get back here and post my comments/results.

  193. Thanks – deleting the extra lines in the hosts file cured my problem. Unbelievably simple fix. two lines – one redirecting google, the other redirecting bing

  194. Thanks, sort-of. Host file fix easy but things stayed bad. Step 8 solved my problem with the root virus, guess I had tdss. The Malwarebytes download seemed to help. However I also tried Spyware Doctor (cost me $29.95) and while it started fine and after the initial scan said it had eliminated some additional issues, very soon it slowed my system down horribly. It also said AVG Free was in its way so I eliminated that. I next did the update it suggested, and then things went fast downhill. No matter how I tried its settings it slowed me to zero, caused hard crashes, etc. I finally after a day’s effort managed to remove it from the machine (I use XP) and I’m now fine (but being very careful). Any advice you can offer re why what you recommended locked me up so hard?

  195. My daughter’s laptop was having an intermittent problem when searching with Google. She would complain that it would “redirect” to other websites. The thing is, it wouldn’t do it all the time. Again, it was an intermittent problem. Usually, whenever I’ve experienced a virus/malware on any computer, it would always take over completely. Those are easy to identify because it’s obvious to see what the problem is. This intrusion, however, is sneaky and does not show itself as boldly as other viruses or malware do. After finally experiencing the problem firsthand, I searched for “google redirect” and ended up at your site. I want to thank you for your detailed explanation of how to remove this nuisance!!! As per your recommendation, I began my removal process at Step #7, but it was Step #8 that did the trick. My daughter and I are thankful for your efforts! Please keep up the great work!!!

  196. Please, I need help. The virus I have seems to be a little less severe. I can use the internet and everything is fine except when I use Google and it sends me to weird websites. I have tried everything on this page. After conducting the Kaspersky scan it said it had removed some threats, but the redirect still occurs. I don’t know what to do. Also when I tried to find the hosts file I went to etc and everything, but I had no hosts file. Please help

  197. Mr/Mrs admin… YOU ARE DA MAN/WOMAN. Thank you very much. Keep up the awesome work. With people like you we can overcome the stupidity that is/are hackers. Thanks again…

  198. I did the steps, and now my computer connects to the LAN connection, but I no longer have internet access. So, I have no idea if it fixed the Google redirects, but now there’s a whole other problem. Is there any way to fix this?

  199. Had serious issues with hijacker, which started with the loss of my personalized google home page before expanding to constant hijacking. While researching the problem I found your site. I had already scanned with Webroot and Malwarebytes, and though both found and removed threats, I still had both problems. Since you recently seemed to recommend TDSS Killer most often, I downloaded and used it. TDSS Killer found and removed one threat, which totally fixed my problems. Thanks very much to you and TDSS Killer.

  200. So I was using Google Image search yesterday, and the redirects started after that. It’s only happened twice so far (when I manually type in an address, it sends me to www youcansearch com). I’ve followed all the first five steps above, but everything was already set up as instructed; I had no changes to make (except my hosts file has all those Spybot entries, which I understand is O.K.?). My Malwarebytes scan didn’t turn up anything. I can’t find anything fishy in my registry editor (though I admit I don’t know too much about what I’m looking for).

    I’m afraid if I don’t nip it in the bud now, it’ll eat up my computer later. Is there another step I’m missing?

  201. Kat : run tDSS killer, also check browser addons. Then scan with more anti-malware programs – it might be fresh parasite which is not in Spybot or MBAM db.

  202. I am trying to track down why this one site (i built) does not go to the actual web address URL from any browser when clicking on the google search results. My host file is fine, proxies, etc look good. Any ideas. The site shows up first if you type mcgonigles as the google search term. Thanks.

  203. Joe: your site is infected. It shows infected pages only if you click on search results. This is due to a malicious plugin in WP or other CMS you use. OR the server itself is infected. If you need help, ask admin. To reduce the risk, your URL was removed from the post.

  204. Okay, thanks. It is odd though because I have a number of sites on that same server and none of them are behaving this way. Any thoughts?

  205. Thanks for the suggestion, admin! I ran tDSS killer, and everything came out clean. I ran Spybot, and it was clean. All my add-ons have been unchecked for some time except McAfee. The only other scan I have is McAfee, which is the suckiest of all sucky anti-virus. Is there anything else I should be doing?

  206. KAT: Set DNS Servers to google or opendns ones. Scan with other tools than Spybot (for example, SuperAntiSpyware, Stopzilla (quite aggressive this one), Spyware Doctor). If there is an unknown trojan, these should identify its presence.

  207. @admin
    No matter if I use IE, Chrome or Firefox, anytime I do a Google search I get a message that says Oops! Google.com cannot be found. I can get to Bing or Yahoo

  208. For the past 3 days, I have been unable to access my credit union website. I’m receiving Error 7 (net::ERR_TIMED_OUT): The operation timed out. I can get to other websites without any issue. I’ve tried Firefox and IE as well….times out. I’m not very savvy with removal of anything. I have Norton Antivirus 360 v.06 and I’ve run it and it’s come out clean.

  209. If one website is not working, then it is likely website issue and not a virus or malware. I would check proxy server and DNS Settings.

  210. Thank you very much for this article.

    My redirect problem was fixed after doing the following:

    – I have Windows XP.
    – Ran Malwarebytes (completely free downloaded software) and removed 7 malware viruses on my computer.
    – Ran Avast Full System Scan (completely free downloaded software) and removed 5 more viruses in registry files.
    – Right Clicked on the Hosts file and disabled “Read Only”
    – Then Right Click on the Hosts file again and open with Notepad.
    – Deleted any extra lines in the file that are not included in the screenshot above. I had to delete 2 lines containing Google and Bing with ip addresses.
    – Opened the TCP/IP properties and choose “Obtain IP address” and “Obtain DNS settings” automatically.

    Problems are gone and I can now access the internet again without the frustration of being redirected to spam sites.

    My wish is that the hackers / idiots / oxygen wasters who created these viruses are punished properly in some way or another during their lifetime!

  211. @Ramesh
    Dude! This root-kit link that you put on the thread saved my computer from all the cancers that were in it. I tried doing every single piece of advice I found. But this cleared the root-kit that had put a choke hold on my anti-virus software, preventing it from detecting the bulk of viruses that were embedded. Hugs*. Kaspersky

  212. I tried every step mentioned, including all the virus/malware programs.

    But nothing changed.

    Then I go to the extreme, using ComboFix.exe. It manages to fix it.

    But the malware is coming back after a while.

    Please help.

    What should I do now (I do not want to format and reinstall my Windows)?

  213. I’ve done that with various anti-malware programs.

    You just name it and I’ve tried them all.

    Nothing!

    Previously my search results would be redirected.

    But after using ComboFix.exe, currently the redirect will show when I wrongly type a URL.

    What should I do now?

    I am almost giving up and going for the formatting and reinstalling.

  214. I’ve 4 browsers, I tried all of them. They have the same symptom.

    IE, FireFox, Chrome and Safari

  215. Done everything as instructed.

    Still no luck.

    Still getting redirected when typing an invalid url.

  216. Suddenly Google has been taken over! Can you explain the process for getting rid of this virus for Windows 7? It’s so new to me and I can’t even find the folders or the C drive in this unfamiliar control panel and other such stuff. Never realized how user friendly XP was until this came out. It seems my browser has been hijacked and searches take me to these strange places. Your screen shots were great, but not the same for Windows 7. Any help you can give would be great. I have already run a few scans and it did not fix it. Thanks!

  217. I’ve opened up the hosts file, but it looks nothing like the picture you have. It only has the IP address and “local host” on a single line. I’ve run multiple malware scans and found nothing. Any ideas? Thanks.

  218. I have gone through pretty much all the steps you have listed and even tried to remove it manually (though I could not find a file that looked suspicious in the bootlog). What would happen if I deleted the “host” file and/or lmhosts SAM file completely? I am at a loss.

  219. Billy: double scan with anti-malware programs. if hosts file is empty, make sure you are not infected. Or describe the symptoms more precisely.

  220. Thanks. I also did steps 2-5 and all of those settings were normal. I’ll work through the rest of the steps tonight to see if I can figure it out.

    I’ve already run Malwarebytes and SpyBot Search and Destroy with no luck. SpyBot was rather annoying and kept giving me windows saying something about a change to the registry key and asking if I should deny or allow the change.

    So far the search results are being redirected to other random crappy search sites.

  221. Be careful looking at the hosts file. I have seen cases where everything looks normal in Notepad, but the redirects are at the end of the file, preceded by a lot of blank lines so you do not see them unless you scroll down.
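The hosts-file checks from comments 165 and 221 (keep only localhost lines, and look past long runs of blank lines) can be done mechanically. This is an added example, not part of the thread; the sample file, the `audit_hosts` name and the `203.0.113.7` address are constructed for illustration.

```python
import ipaddress
import sys

LOCAL_NAMES = {"localhost", "localhost.localdomain"}
SEARCH_LABELS = {"google", "bing", "yahoo"}  # engines named in this thread

# Constructed sample: normal top of file, one blocklist-style line, then 40
# blank lines hiding two search-engine overrides (documentation-range address).
SAMPLE = (
    "# sample hosts file (constructed)\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1       ads.example.test   # blocklist-style entry\n"
    + "\n" * 40
    + "203.0.113.7     www.google.com google.com\n"
    "203.0.113.7\twww.bing.com\n"
)


def audit_hosts(text, padding_threshold=10):
    """Return one finding per active entry that is not a plain localhost line."""
    findings = []
    blank_run = 0          # consecutive blank lines just seen
    below_padding = False  # sticky: a long blank run occurred above this line
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            below_padding = below_padding or blank_run >= padding_threshold
            continue
        blank_run = 0
        fields = raw.split("#", 1)[0].split()  # drop trailing comment
        if not fields:
            continue  # comment-only line
        addr, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            kind = "malformed"
        else:
            if ip.is_loopback and names and all(n in LOCAL_NAMES for n in names):
                continue  # the only kind of line the thread says to keep
            # A name pointed at the local machine is blocked, not redirected
            # (this is what Spybot-style immunisation entries look like).
            local = ip.is_loopback or ip.is_unspecified
            kind = "blocked" if local else "remapped"
        findings.append({
            "line": lineno,
            "address": addr,
            "names": names,
            "kind": kind,
            "search_engine": any(
                label in SEARCH_LABELS for n in names for label in n.split(".")
            ),
            "below_padding": below_padding,
        })
    return findings


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for f in audit_hosts(data):
        flags = []
        if f["search_engine"]:
            flags.append("search engine name")
        if f["below_padding"]:
            flags.append("hidden below blank lines")
        print(f"line {f['line']}: {f['kind']} {f['address']} "
              f"{' '.join(f['names'])} [{', '.join(flags) or 'review'}]")
```

On Windows the file to pass is `c:\windows\system32\drivers\etc\hosts`, the path given in comment 163.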

  222. This worked for me.
    Used all the various scanners listed in this site.
    Malwarebytes full scan found it as c:/windows/system32/tskillf.dll
    It was being launched by the task scheduler as a rundll32.exe program so hijackthis didn’t see it. The task scheduler is not checked by hijackthis or malwarebytes. it can be found in control panel. I removed the launch in scheduler by hand.
    I also ran cclean to wipe out my browser’s temp files, cookies, etc.
    It got in through Firefox as a QuickTime update, messed up Explorer 7, Firefox and Opera searches. Seamonkey was OK. I’m running Windows XP Pro.
    Thanks for pointing me in the right direction.
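Comment 222 found the DLL being started by the Task Scheduler through rundll32.exe, a place the poster's other tools did not look. As an added example (not from the thread), the script below filters the verbose CSV listing from `schtasks /query /fo csv /v` for such tasks; the sample rows, task names and DLL names are constructed, and the English column names "TaskName" and "Task To Run" are assumed.

```python
import csv
import io
import re
import sys

# Constructed sample of the CSV listing (columns trimmed to those used here).
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Task To Run"
"PC1","\ExampleVendorUpdate","N/A","Ready","C:\Program Files\ExampleVendor\update.exe /c"
"PC1","\At1","N/A","Ready","rundll32.exe C:\WINDOWS\system32\example_a.dll,Start"
"HostName","TaskName","Next Run Time","Status","Task To Run"
"PC1","\Updater","N/A","Ready","C:\WINDOWS\system32\rundll32.exe C:\Documents and Settings\owner\Local Settings\Application Data\Vendor\example_b.dll,Run"
'''

# Everything after the rundll32 executable name is "<dll>,<entry point> ...".
RUNDLL = re.compile(r'(?i)\brundll32(?:\.exe)?"?\s+(.*)$')

# Directories an unprivileged user can normally write to.
USER_PATH_MARKERS = (
    "\\documents and settings\\",
    "\\users\\",
    "\\appdata\\",
    "\\application data\\",
    "\\temp\\",
)


def rundll32_tasks(csv_text):
    """Return every scheduled task whose action runs a DLL via rundll32."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        task = (row.get("TaskName") or "").strip()
        command = (row.get("Task To Run") or "").strip()
        if task == "TaskName":
            continue  # header row repeated inside the listing
        match = RUNDLL.search(command)
        if not match:
            continue
        dll = match.group(1).split(",", 1)[0].strip().strip('"')
        hits.append({
            "task": task,
            "dll": dll,
            "command": command,
            # A system32 path does not clear a DLL (the one in comment 222
            # was there); this flag only ranks what to look at first.
            "user_path": any(m in dll.lower() for m in USER_PATH_MARKERS),
        })
    return hits


if __name__ == "__main__":
    # Usage: schtasks /query /fo csv /v > tasks.csv, then pass tasks.csv.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace", newline="") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CSV
    for hit in rundll32_tasks(text):
        note = "user-writable path" if hit["user_path"] else "verify file origin"
        print(f"{hit['task']}: {hit['dll']} ({note})")
```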

  223. HELP!!! Started noticing redirects about 2 weeks ago but it was off and on, FB redirects to price grabber every time now. I have gone through as many steps as I can with my limited knowledge of computers. I do have a Linksys router that was set up a long time ago when I used to have a roommate. I no longer need this so I want to take it out and go back to using my local area connection. If I uninstall the program and plug the internet directly back into my PC will this take care of the problem?

  224. OK so I have successfully done all steps except for 7 and 8. I don’t even know what those two are about so I am going to wait for help before I try those ones, thank you in advance for helping me out:)

  225. now I can access Facebook through internet explorer but not mozilla firefox, is that where the problem is? I’m so confused!!!

  226. chose “no proxys” for FF, but no change. I have disabled all add-ons on FF and internet explorer. Is this from using the Linksys? I can still access on internet explorer so far.

  227. Why does this affect only Facebook?? Or is it affecting other things and I just don’t know it? Is this something from a porn site??? If so I’m gonna kill my husband.

  228. thinking that linksys is the problem I’m trying to uninstall cisco home network/linksys and cannot. I can see cisco in my programs and features but when I select it I’m not given the option to uninstall, what do I do? I know i sound like an idiot, I just need help

  229. @admin

    I now have the Google redirect virus. In addition to it redirecting me to various web sites it also has disabled or removed my Adobe Flash. When I am able to go to a website I constantly get an error message saying I need to download Adobe Flash. I just bought my computer a few months ago and Adobe Flash was already installed. I went ahead and redownloaded the Flash twice and I still get the error message. Is there a way of fixing both problems? I did read what you previously posted above but the options still did not work. I am running Windows 7 and it has attached/ attacked my Internet Explorer 7. In addition whenever I put http://www.google.com in the address line it will stall for about two minutes, then a page would appear saying I am not connected to the Internet. Even though I am. Pleaseeeeee help me out! I’m not very computer savvy but I will figure it out if you could give me some direction. Thank you very much …

  230. I did show my hidden files and folders, but still there’s no host file.
    So where is the problem? what else should i check?
    thanks before

  231. I have also been hit with a Google Re-direct.

    It is only showing up in a user account and not in the Admin account.

    Host file is clean, the settings are as per the instructions above.

    I have run Kaspersky’s TDSS killer and Malwarebytes.

    Suggestions?

  232. David : Browser settings might be stored in user account. Check plugins, proxies, etc.
    Malware infection is still possible. TDSS is very narrow-focused tool and mbam might not be 100%. Superantispyware, Spyhunter, Spybot S&D scan would eliminate possibility of malware.
    Worst case scenario: Go to the users application data, and delete browser data folder.

  233. First of all, many thanks to those who asked and responded above.
    Had trojan tracur detected and removed a couple of days ago, only symptom leftover was a chrome redirect from google.com results. Tried 3 (malm, superantispyware, and hitmanpro, all trials, in that order 🙂 ) Malwarebytes detected 2 registry entries:

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|bak_Application (Hijacker.Application) -> Data: http://go.microsoft.com/fwlink/?LinkId=57426&Ext=%s -> Quarantined and deleted successfully.

    Registry Data Items Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations|Application (Hijacker.Application) -> Bad: (……….Malicious url removed …..) Good: (http://shell.windows.com/fileassoc/%04x/xml/redir.asp?Ext=%s) -> Quarantined and repaired successfully.

    the others subsequently scanned clean, yet the search redirect persisted. proxy, DNS, and other settings normal. Looked into the above comment #462, searched for chrome browser user data, found this:
    http://support.google.com/chrome/bin/answer.py?hl=en&answer=142059
    renamed the default file described and voila, no more redirects in Chrome.
    I am running Norton business suite AV, and given the 3 recent scans (and active mbam) can I be relatively certain no further infections exist?

  234. I have Vista, and have followed steps 1-6 and still have the redirect bug. I did notice, however, that there is a Microsoft Visual C++ prog added on my programs list that I did not approve/add. When viewing it on notepad, it appears to state there is a threat. I try to uninstall, but as it is from an unverified pub, my options are “allow:if you are fam with the prog” or “cancel: if not”. I am afraid to allow thinking it might get worse. What should I do? And is this even related to the redirect virus?

  235. Lindsey: It might be some malicious browser add-on. Generally, it should be detected by one of the anti-malware programs. Viewing it in Notepad would show nothing. I recommend first scanning with anti-malware programs, and second, trying to uninstall it with Revo Uninstaller.

  236. If super antispyware stopped during first scan, does that mean it will not work and should not be trusted? I have used all kinds of things, tdss, av programs, nothing is working… Will try these tips after current scan

  237. Just got verification of my previous post. Certificate info from Google address bar (the red lock icon) said “IopFailZeroAccessCreate”.

  238. I am having an issue getting to Google and all Google-related sites. If I put in the IP address of Google it goes. Ran everything, ComboFix, Malwarebytes… didn’t find anything

  239. Have the problems with S.M.A.R.T. data recovery program and cannot remove.

    I tried downloading the three programs in “safe mode with networking” (the only mode booting, at present), but when it comes to “Installation”, I get the Yellow Exclamation point and it says: “System Administrator has set policies to prevent this installation”. This, I definitely have not done.

    What now! ………………….. THANKS!

  240. I got the Google re-direct virus and none of the steps worked for me. I have Norton Internet Security 2012 and paid them $99 to have a tech fix my computer with remote access. Here is what they found:

    There was a virus associated with some rundll32.exe file. They found it in:

    c:\documents and settings\owner\local settings\application data\apple computer\apple\qisvdmrmz.dll

    They removed it from the registry and now everything seems fine. I would have no clue how to do that. Also, Norton Internet Security did not find/block it because it was in the Apple folder… weird. Maybe this helps someone else.

  241. Ryan:
    I think that a full system scan with an anti-malware program would have helped in your case. Might have worked with Norton as well. There are quite many PC parasites that cause these problems, but AV/antimalware programs can usually handle these.

  242. Okay, I already went through several steps from different websites. Used TDSSKiller, etc. I checked my hosts file and there’s nothing wrong. Add-ons etcetera, still nothing unusual. And I still have those problems; in my case though there are more problems: I can’t log in on all sites, can’t open Google Mail, and the browser shows an error when opening https://. I use a personal wifi network with my family, but the problems only exist on my notebook, so it’s not possible that the router is infected, right? Or is it possible?

  243. Zathu: In your case it is likely to be malware. Scan with anti-malware programs (TDSS killer is against a small subset of them). It might be proxy too, though unlikely – https would work in most of such cases.

  244. I am also having the problem of saving changes to the notepad. I have right clicked to change to administrator, nothing happens, I am also on my administrator account. There is one extra line after 127.1 etc local host. But I cannot save changes after deleting it?

  245. I have approx. 217 host files that are backups going back a few years.
    The latest modified file is from 2/28/11. Is this the one I need to modify (delete all the extra entries)?
    Also, should I delete the other 216 backup files, is this safe?
    I use XP Home edition

  246. John C: Typically, if your hosts file is backed up, you have some sort of software that modifies it (I think some game launchers do that, maybe some hijack protection software does that too). Yes, you can delete old ones, that is not the problem. I would check what is in it first, and then I would decide if it needs modification or not.

  247. I have not tried these solutions but was searching for something on another computer, trying to fix this problem. My Google was not working properly and whenever I searched a term, the first page had weird links. Also, if I typed, “Why are” normally Google shows a list of frequent phrases. It wasn’t doing this and when typing in the same search from 2 separate computers, one was working as it should and what I’m used to, and one was clearly working wrong. Anyways, I found this online and tried it. While I was waiting for the comp to reboot I ran across this site still looking for other solutions in case it didn’t work. Well it worked. So if you’re having this problem, try this out….

    1.) Exit out of all programs
    2.) Go to Run, enter
    C:\WINDOWS\system32
    3.) then scroll to the bottom of the page and find wdmaud.sys just rename it to BAD_wdmaud.sys
    4.) Immediately reboot the system
    5.) Test the results

    It is important that you do not just search for wdmaud.sys because there is a valid file on your computer named that… but any file in the C:\WINDOWS\system32 folder with that name can be deleted/renamed to fix the problem.

  248. I have a redirect virus which changes sites on every sub search in Firefox. I have run Malwarebytes, Microsoft Scanner, TDSS Rootkit by Kaspersky and Viper with no success. Host file looks normal, and all the setting is in networking. Could use help on this one.

  249. Dan:
    Does IE redirect too, or is it Firefox only? If it is FF, check extensions first.
    Also check Proxy server (always disable) and DNS server (just in case, unlikely).
    Next, if this is a dll injection, scan with more anti-malware : Hitman pro & maybe Spyhunter.

  250. Thanks for the reply, both IE and FF are going to the same bogus sites. Proxy servers are disabled in tools, networking. My DNS is greyed out and maybe that way since I use a static IP.

  251. Do this: you may need to login with a different profile
    -scan with Hitman Pro, malwarebytes, TDSS killer by Kaspersky
    -use “Autoruns” and “process explorer” to identify running malwares and delete them manually
    -Reset IE setting
    -clear all temporary files using ccleaner
    -check DNS settings in LAN/Wifi Adapters
    -Important: run “sfc /scannow” and Restart

    good luck

  252. This has happened to me before but it pisses me off so much. First of all I NEVER go to porn sites and the main sites I go to are facebook, youtube, hotmail, and my work website. When I type in http://www.facebook.com this is what the browser goes to: < malicious url removed >. WTF???? It’s so annoying, I can’t get to facebook via my laptop, any of the other computers in this house, on my ipod touch, or even on my android. My brother fixed it once but I don’t know how. Apparently it’s our whole network or something and I need to know how I can avoid this in the future and how to fix this because I’m really annoyed. >:(

  253. Whitney: If all your PC and phones show the same result, your PC is not infected, but your router is or DNS server changed. Ask someone to reset your router to network defaults. This might be some sort of ISP problem too.
    There is no chance that Android would be infected with PC malware.

  254. It is very unfortunate that in this very good description concerning google redirect solutions it is not mentioned, before making a very long total scan as suggested with spy hunter, that removal of found problems cannot be undertaken without buying the full version of the program!!!!
    I think it would have been only fair to include this in the description, especially as by linkbugs redirect it is indicated that a scan and remove of found problems is possible for free!!

  255. kröper: actually, SH offers one of the best malware scans. If there is malware, and you would search for configuration issues, it would take much longer to solve your problem.
    What I like about SH (and doctor ) – these programs display full path to issues thus you can fix them yourself.

  256. I spent the last 2-3 days working on removing this virus and finally got there. I’m using a laptop running Windows 7 Ultimate and Internet Explorer 9. This virus caused Google, Yahoo and Bing all to re-direct, but ASK and DuckDuckGo and Google’s Advanced Search was not affected. I am more willing than others to go into various questionable sites and try new things, mostly because I back-up weekly and have multiple PC’s. Some without any modem so they’re completely clean from the Internet (aka Big Brother).

    1. scanned with Norton Internet Security – scan came back clean, re-direct still exists same search engines
    2. de-installed NIS and installed Microsoft Security Essentials – scan in Safe Mode came back clean, re-direct still exists
    3. restored defaults on IE9 and defaults for manage network connections, for windows 7, c:\windows\system32\ncpa.cpl
    3. found out that the hosts file in C:\windows\system32\drivers\etc has been corrupted. Note the file does not have an extension. I created a new Hosts file with the ip address 127.0.0.1 and ::1 properly defined – re-direct still exists
    4. found a site suggesting a registry edit for the TDSS system file on my PC, nothing found was abnormal, also searched for specific registry variables associated with TDSS nothing there either. Also never change the registry unless you’re absolutely confident or you can restore your PC without stress
    5. decided to try TDSSKiller by Kaspersky, again re-direct still exists.
    6. searched on rootkit viruses and read all sorts of pages but nothing new
    7. ran Norton Power Eraser and found a DLL file that it cleaned up. I am resetting some registry variables because NPE will delete specific user variables.

  257. When I Go to facebook.com I’m redirected to Linkbucks website… http://63ce2138.qqc.co/ I tried to reformat hd and added windows 7 ultimate and Norton 360 and still same Problem. Norton isn’t picking it up! Any tips???

  258. I am so frustrated with this virus, i downloaded prevx and used the scan hoping it would get rid of the background audio ads and google redirect, but it didn’t, so i started here, but ran into a small problem with step 1…. when i go to C:\Windows\System32\Drivers\etc\hosts, my comp does NOT HAVE A HOSTS FILE!!! ADMIN PLEASE HELP! Thanks

  259. Jessica : In your case it was malware (malicious DLL injection) and maybe some other problems. I recommend running scans with Hitman Pro (and spyhunter ) besides antivirus. Hitman checks files/processes against 5 antivirus engines instead of one. Spyhunter has good detection ratio for rootkits and other malware. Only then I would look through DNSes, as these changes are less popular now when DNS Changer malware is no longer distributed.

  260. Gary: You can skip any step from the list, though I would recommend scanning with anti-malware programs in any case.
    Make sure hosts file is not hidden / system. In such case you won’t see it in the list.

  261. Hitman Pro from SurfRight will fix – permanently – the Google redirect virus, and may work for other redirect problems as well. There’s a full version 30-day free trial.

  262. Okay my hosts file looked fine, I have run my normal AVG free scan (said threat detected but then when scan finished said no threats found) so then I downloaded Hitman Pro it found a few things and took care of them, but I was still having the redirect issue, so I downloaded Malwarebytes and it found a few more things and cleaned them up but I’m still having this issue. I use Firefox, and I changed my proxy settings to No Proxy. I am completely at a loss here. Any more tips??

  263. @Jessica
    A very good account of what you’ve done.. and then spoil it by not giving the name of the DLL that had been affected 🙁

  264. What the heck…I have tried all the steps mentioned above and no luck. Have run hitman pro, tdss, looked in the hosts file and nothing there. Something is not right. Is it the so involved that i need to wipe the os clean? what can i do?

  265. I have scanned with Hitman Pro, Spyhunter(Have to pay???), Microsoft Security, Avast, TDSSkiller…some have found a trojan and claim to remove it but it’s still there redirecting pages. It is happening on Google and Yahoo the only browsers I use and it happens on the results. Have been through all the steps and nothing has worked so far. Using verizon wireless to connect to internet and checked the TCP\IP settings. Will it be somewhere on there? Can I change router info for a verizon wireless set-up? Any more help will be greatly appreciated.

  266. Bob:
    If a trojan was detected, it would be helpful if you provided the name of the trojan. Also, which tools detected it? Do they detect it now?
    If malware exists on your system, then it is likely the effect of running malware, not TCP/IP settings. However, you should disable extensions in your browser. You might want to run HijackThis and disable all browser helper objects that you do not need.

  267. I neglected to write down the exact name but the Microsoft Security scan the last one I did last night found two trojans that had Java in both their names and said it wiped them out. All others also acknowledged something was there but not a list of the trojans. After i ran that tool and restarted the computer and tested a few searches the redirect came back and I just gave up last night. Worked all day trying to figure something out. Seems that the programs find something but that the trojan just gets re-born. Now thinking I don’t remember if i ever got the tdsskiller to work properly maybe I can try and download for another computer and use a usb to the infected computer. What extensions are you talking about? the add-ons?

  268. Bob:
    Yeah, browser addons are possible. Though first you have to eliminate possibility of rootkits. For this, use TDSS Killer and Combofix. Spyhunter is likely to detect them as well (it is good all-around tool). Hitman pro might or might not detect them depending on their version.
    Speaking about addons, they are usually missed by many anti-malware / anti-virus tools, thus they can not be eliminated.
    Another possibility is some other malware process, which should be detected by at least one of the programs during full scan.

  269. I’m at a total loss now Admin. I have run through all steps on your site re-ran TDSSkiller and nothing found. I found another blog that details looking at all the system files that run at startup that are located in the driver folder. He is recommending doing a manual removal if you can find the virus source. Here is the ntbtlog file can you spot anything that shouldn’t be there. Any more help will be greatly appreciated
    [content snipped]

  270. I finally found something that removed the redirect virus on my pc. I just got this virus within the last 30 days. I have a Norton account and went there to see what they had to clean this up. I downloaded their “Power Eraser” software and ran it. It found a file titled dqzev.dll in my c:\users\[user]\appdata\local\ folder. The software removed the file and rebooted my pc. I no longer am redirected when I click on a link in search results.

  271. @TJ
    Bingo TJ. Thank you. You saved my sanity.
    I have Norton2012 and several full scans over the past week could not find anything but usual tracking cookies.
    When I saw your post today I downloaded and ran Norton Power Eraser and it found the very same dqzev.dll file and removed it. Problem solved!!!

  272. @RB
    Forgot to mention that while I too have a Norton account, Norton Power Eraser is a FREE download, so I did not even have to login to get it.

  273. Got this redirect virus, Was not being detected by my anti virus. Tried Malwarebytes which stopped the redirects but still did not remove it. Kept telling me it was stopping redirects from rundll32. So I went to Start entered msconfig and under the startup tab found ATRBBEV unclicked it, rebooted and redirect virus was stopped. Whatever it is, it is still on the computer, just not running. The source column said rundll32″C as the source. Hope this helps the next victim.

  274. All this info is good but what i found to be the best is to edit c:/windows/system32/drivers/etc/host. Delete anything below last line ie 127.0.0.1.
    Also edit c:/windows/system32/drivers/etc/imhosts. Delete anything below last line.

    This will remove any chances of redirecting. If you feel uncomfortable with this just save document on desktop.

  275. Hi, I need your help to get rid of linkbucks which always redirects whenever i open facebook address on browser. all other sites are working fine. I did chk host file n only thing suspicious to me was some calendar host file which i m not sure about. I see some process names crss.exe is working in taskbar menu which i cant stop. plz help

  276. Interestingly for me, when I tried to install Spyware Doctor it caused my system to blue screen and each subsequent reboot brought the blue screen. I had to do a system restore back one day to get my system to boot up.

  277. Bob : Spyware Doctor works poorly with some antiviruses, that’s the main problem I have with it now. But it is way good against trojans. Instead of Spyware Doctor in such cases I recommend Hitman Pro (5 AV engines ) Spyhunter (good malware database) or Malwarebytes.

  278. I was clearing a redirect problem for a Client (I own That Bytes! Computer Repair in Austin TX). McAfee, Avira, TDSSKiller, Spybot nor MBAM corrected the problem. I ran HiJackThis and noted an unusual entry, but it looked pretty legitimate, so I left it and continued the hunt for the problem. After a while, I went back to HJT, removed the registry entry, and Voila! The redirects ceased. In this case, the entry was in User_Bob_AppData_Local_Deployment_Dell_QHIXW.DLL. The files and folders were created just 2 days prior. A direct scan of the file with McAfee and MBAM still didn’t identify it as a problem. I removed the file and folders permanently.

    I hope this helps some of you having problems with redirects.

  279. Had the redirect virus. It was awful. Followed your recommendations steps 1 through 7, still had issues. Downloaded Hitman Pro from CNET, and redirect is gone. The one step I did differently than above, was start the computer in safe mode with networking, and ran the anti spyware software from there. I used AVG first, nothing detected. Then ran Malwarebytes, which found 1 infection, and 45 tracking cookies. After Malwarebytes, used Hitman Pro which found the infection. Thanks for operating this site!! Life saver.

  280. Annoying as hell, yes…..infecting my computer,probably……but how exactly is a redirect going to force a person to share bank or CC details lol

  281. I appreciate this thread (and amazing dedication from Giedrius, thank you). I recently caught the Google redirect virus.

    AVG Free, Malwarebytes Free, TDSSKiller, Kaspersky Free Virus Scan, MS Safety Scanner did not find anything.

    My host file was large and I used the following to reset it http://support.microsoft.com/kb/972034. It reduced the frequency (I think) but still had the redirect.

    I just used Norton’s Power Eraser and it found xckor.dll which it removed. Interestingly, there is not a lot of info on xckor.dll when searched with google.

    Too soon to tell if it fixed my problem but wanted to provide another data point to this group.

  282. The sure way to eliminate bad malware, viruses, adware, spyware, dials, keystroke loggers, backdoor, trojans, worms, etc. is to nuke your computer by installing a new windows operating system. Save your data and make sure you have the original user programs of course. Worse comes to worse that is what you do.

    However in the tech field. Which may be something that every day user may want do is to back up their computer. Not just data or system. Everything!!! We in the tech field like using images. Images are basically an exact 1.1 copy of your data files, system files and program files you have in your computer.

    Without going to the hassle of buying/installing a new operating system, loading programs and user data back into your computer that was recovered to factory settings…..That’s where images come in.

    If you make an image of your hard drive at a known good state. And you have all the programs you probably ever going to use. Would be good to back up the whole hard drive with norton ghost and store on an external hard drive. If your computer ever gets messed up beyond repair. Load the image and your computer is back to a known good state with all of your programs and user data at the time of back up. You can back up as often as you like of course. Takes the hassle of searching the web for quick fixes, which are good to know. Although can’t be sure you got all threats out your system. Images are guaranteed!! (granted you installed windows, programs, and user data independently and remotely from any internet source. Updating system utilities and diagnostic programs is ok and safe of course from the internet. Once done, run norton from another computer and create image with hard drive adaptor cables. You’ll need to remove your hard drive from the computer you want backed up). And that’s pretty much it.

    Michael T.
    Samsung PC Tech

  283. Michael : There are 3 issues with your approach :
    1. System is already infected, so this is for future reference only.
    2. Redirections might survive backup/restore if the router firmware is infected and not the PC.
    3. The better way is to make System install image (which you call backup) and then document backup separately. Images might be done after installing important software, and backups should be made each week at the rarest.

  284. google is redirecting me to other locations ads mainly. I have reformatted my drive and reinstalled windows 7. i am not receiving any issues with any other search engines but with every browser i use chrome mozilla or E9(garbage) i still get redirected when trying to make a selection of a web page to go to.
    at this time i don’t understand why this is still happening.

  285. seems to be fixed. i restarted my router after doing a OS install and it cleared out the dir in the router no more issues thus far. will repost if issues come back thank you for the page it was helpful never knew about this virus before first time dealing with it or knowing anyone who has.

  286. Owen : if you formatted the drive and haven’t installed on top, then there is possibility that you are using proxy or your router provides you with wrong DNS. Make sure your browser uses direct connection. Make sure your DNS servers are 8.8.8.8 and 8.8.4.4. Make sure you have good password on router and router uses either automatic DNS settings or well-known and secure ones (like 8.8.8.8 and 8.8.4.4). Yeah, router infections happen too. Almost everything else (except couple rootkits that should be detected with anti-malware scan ) would not survive format. Reinfection is possible too.
    Also, if you have copied whole user dir (or if you would reinstall on top), there are more settings that could have survived. In such case I would create another user account and check if the problems are with other account as well. If not, then your user account settings are hijacked.

  287. problem has been fixed used malware antivirus found only 1 virus a rootkit. i did do a full format i did not copy over when i did the OS install. also another thing i did do was reset my router to factory default.

  288. Lots of tech talk lots of downloads and scans not to mention time and money but it still redirects my browser-I have a hard time believing that the merchants that these sites recommend are not somehow involved in this-where is the profit to be made by redirecting someone’s browser?

  289. I went through the list methodically, and it is fixed. Step 4 seemed to fix it for me. I am little confused, because it seemed to fix it in Chrome and IE also. But I am just grateful it is fixed.

  290. Bob R: typically, malware makers earn money different way from redirects. Some site owners pay (through various advertising networks) for traffic. Sometimes they do not know that they pay for malware-generated and thus useless traffic, sometimes even advertising network does not know.

  291. I do not have a host file. Running Windows 7 as administrator and hidden files shown. Is it somewhere else on windows 7?

  292. Hi admin,
    my redirecting problem is solved. But if i open any website without https:// some advertisement is displaying rather than actual content in place of images or videos. Which is happening only in chrome which is my default browser. this working fine with firefox. any suggestions,

  293. Giedrius (Admin)…first of all thank you! for the great article and more importantly all of the assistance that you’ve been providing for everyone in this forum. I think it is awesome! So thank you!!!

    It looks like I’ve got some flavor of the IE Google Mail redirection problem. Although I never actually redirected to another site I can get on to GMail from IE. When I try to get to GMail (e.g., click on Google Mail on Google website or type in mail.google.com) I can see IE tries to get me google mail but then before it can get me there the browser then tries to send me to (https://accounts.google.com/ServiceLogin?service=mail&passive=true&rm=false&continue=https://mail.google.com/mail/?tab%3Dwm&scc=1&ltmpl=default&ltmplcache=2) to be specific. The browser never makes it to this URL either. It quickly tried to load mail.google.com again..and this loop continues endlessly until I kill the browser. I seem to get to other Google locations (e.g., maps) from IE but not Gmail. Not sure if this re-direct problem that others are seeing or not.

    If it is I’ve done ALL the steps you described in your article except #4 (FireFox is installed on my system but I don’t use it at all). The only things that remain to be done from your article are:

    Run Nod32 and Spy Doctor.

    However I have run: Hitman, MalwareBytes and SpyHunter (2.5 hrs to complete);
    None of these came up with any problems other that a few tracking cookies. No serious threats.

    I just downloaded Kaspersky Internet Security (Trial) and I’m running a scan with it. It tells me I have 2 hours left to complete the complete scan (argh).

    By the way this problem started Friday at my home. I stayed at friends house on Saturday and Sunday and it’s happening here as well…so I don’t think it’s a problem with the router.

    Where do I go from here? Thoughts?

    Thanks,
    Jet

  294. @Jet
    One quick update I downloaded PC Tools Spyware Doctor (~300MB!!!!) and ran it. It identified a couple low risk threats (Tracking Cookies) and two high risk threats (Threat.Info-Stealer.Mem). As it turns out this so called high risk threat was actually a mis-identification of Kaspersky’s main AV executable and one of their files. I guess this is a known issue with Spyware Doctor as it’s been reported by other people but Symantec hasn’t done anything to fix the problem!!! Between the size of this stupid application and the false identifications I’d say Spyware Doctor SUCKS!! Maybe they just want to scare you into purchasing their product by falsely identifying something that isn’t a problem at all. What a waste of bandwidth and time!!!

  295. Jet: Your problem is not spyware related most likely. Your problem is browser proxy related or cache issues. Clean up browser cache first, and disable all proxy servers. Also, which version of IE are you using? Older versions of IE are not supported by Google anymore. You could try using google chrome (which is faster and more secure) or Firefox. It might be toolbar issue, though, but most likely not.

  296. Giedrius, thanks for the reply. In response to your comments:

    1) I cleared the cache CTRL F5 and rechecked the Proxy settings (Step #3) and it looks fine.
    2) I’m using IE9
    3) Yes I could use Chrome or FF but I don’t give up easily and want to fix this issue.

    Other suggestions? (Of your recommendations in your article the only thing I haven’t done is run Nod32….although i must say I’m getting weary of downloading tools and running scans.)

  297. Jet : Using chrome would help eliminate some possible causes of the problems. Also, an option would be running Hijackthis and checking if there are unknown DLLs or BHOs. For me, such redirection looks not malware related, but rather something wrong with google cookie management or similar.

  298. I’ve been having this problem for awhile now. I’ve tried everything in your tutorial except for last step because I am not very computer savvy and I’m afraid I’ll screw something up. I even tried tdsskiller and the fix for tdsskiller with no luck. What else can I do?

  299. Giedrius, thanks for the feedback. I do plan to switch to Chrome but I didn’t want to surrender to some potential Hijacker. Too much fight in me for that. You may be right that this may not be a Hijacker issue. I deleted all the browser history (and I mean all items on the Delete Browser History Option) and it seems to have at least temporarily stopped the problem from occurring. I’m fairly certain I did this before but perhaps I didn’t delete all things in the Browser history. Anyway it is gone for now. If it comes back I may use the HijackThis to scan my system. Do you read HijackThis log files? Or do you suggest going to one of the security forums like BleepingComputer?
    Thanks again for your help…crossing my fingers and hoping the problem won’t reoccur.

  300. Jet : what I mean is that if the problem occurs using chrome, then it is system wide problem. If it is IE specific, then you have modified browser settings or there is some sort of weirdo toolbar. If you are not sure yourself, and HijackThis does not show anything weird (like unknown toolbars or programs from %TEMP%, %AppData% that would bring us back to malware issues) then I would suggest going to some sort of remote support (eg crossloop.com )
    Also, this problem is covered in http://boardreader.com/thread/I_use_IE9_when_I_open_my_GMail_it_contin_d4v3t__9a5f99f8-9560-4d70-b0cd-df0d2e02500a.html . It looks like it can be caused by software conflict of some sort, as you have cleaned the cache couple times.
    And you should check your PC date settings too. Is the date/time correct? This could cause problems with cookies that would result in redirect loop.
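Several comments above trace the redirect to a DLL in AppData\Local started through rundll32, and the reply just above treats programs launched from %TEMP% or %AppData% as a malware lead. The check below applies that rule to startup entries; it is an added example, not part of the original comments. The entry list is constructed: ATRBBEV and dqzev.dll are names commenters reported, while the paths, the user name and the export name are assumptions.

```python
import ntpath
import re

# Path fragments that mark a location an ordinary user account can write to.
USER_WRITABLE_MARKERS = (
    "\\appdata\\", "\\temp\\", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
)

# Constructed startup entries in the style of the msconfig Startup tab:
# (item name, command line).
SAMPLE_ENTRIES = [
    ("ATRBBEV", r'rundll32.exe "C:\Users\user1\AppData\Local\dqzev.dll",Start'),
    ("Updater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("tmpjob", r'C:\Users\user1\AppData\Local\Temp\svc.exe'),
    ("Sound", r'C:\Windows\System32\rundll32.exe '
              r'C:\Windows\System32\shell32.dll,Control_RunDLL mmsys.cpl'),
]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def first_token(command):
    """Return (token, was_quoted, rest) for the first argument of a command line.

    Limitation: an unquoted path that contains spaces is cut at the first space.
    """
    command = command.strip()
    match = _TOKEN.match(command)
    if match is None:
        return "", False, ""
    quoted = match.group(1) is not None
    token = match.group(1) if quoted else match.group(2)
    return token, quoted, command[match.end():].strip()


def launch_target(command):
    """Return (path, via_rundll32): the file the startup command really loads."""
    image, _, rest = first_token(command)
    if ntpath.basename(image).lower() in ("rundll32", "rundll32.exe"):
        # rundll32 is only the host; the DLL named in its argument is the payload.
        dll, quoted, _ = first_token(rest)
        if not quoted:
            dll = dll.split(",", 1)[0]  # drop the ",ExportName" suffix
        return dll, True
    return image, False


def in_user_writable_path(path):
    normalized = path.lower().replace("/", "\\")
    return any(marker in normalized for marker in USER_WRITABLE_MARKERS)


def triage(entries):
    """Return [(name, target, reason)] for entries that load from user-writable paths."""
    flagged = []
    for name, command in entries:
        target, via_rundll32 = launch_target(command)
        if target and in_user_writable_path(target):
            reason = "rundll32-user-dll" if via_rundll32 else "user-path-exe"
            flagged.append((name, target, reason))
    return flagged


if __name__ == "__main__":
    for name, target, reason in triage(SAMPLE_ENTRIES):
        print("%-8s %-18s %s" % (name, reason, target))
```

Legitimate per-user installers also start from AppData, so a flagged entry is a lead to review (file date, signature, a scan of that one file), not a verdict.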

  301. @admin how do I remove the trojan.zeroaccess infections that the spyware doctor found?? I DESPERATELY need your help. please respond with utmost urgency. thank you for your time.

  302. Giedrius (admin): spyware doctor informed me that the virus was located in C:\WINDOWS\system32\drivers\redbook.sys is there any way to remove it without having to download any programs? (in case those links don’t work for me) I apologize for any inconveniences.

  303. Giedrius : You are a genius, good sir. I thank you for your time and effort put in to helping each and every one of us who were having trouble with our searches. thank you very much. it worked swell.

  304. Are spyhunter and hitman pro the same as malware bytes? because I already have that program and did a scan with that

  305. Jade : each of anti-malware programs have separate databases. Hitman Pro uses 5 antivirus databases, but checks less files and requires network, it has more limited curing capabilities and no protection. Spyhunter is commercial program competing with mbam, it has better anti-rootkit detection/removal (in my opinion) and different databases. As both programs provide free scan (and remove rootkits on install for free), it is a good shot to confirm if you are infected or not.

  306. Malwarebytes fixed the problem on my computer. TDSS Killer did NOT work, and I could not find TDSS in my registry, hard drive, or system devices.

  307. I have the same problem on a Windows 7 Ultimate 64 Bit, IE 8 system. I’ve run MalWareBytes, Spy Doctor, Norton Power Eraser, Spyware Hunter, and Hitman and while many of them found something they didn’t like none of them have solved my problem. I’ve checked DNS, and the hosts file and I can’t seem to fix this. I thought it must be a BHO because it only happens when I use IE, Safari works fine. Anything else I can try?

  308. Tom Westfall:
    It depends if any of the programs detected trojan or only harmless cookies. If it was trojan, then update and scan again, maybe with TDSS Killer too. If not, then run Hijackthis and double-check all BHOs it detects.

  309. My first scan with MalWareBytes found nothing at all. The others found a few cookies and items I would regard as basically harmless. I did run TDSS Killer as well and it found nothing. I ran the Hijackthis and don’t see anything in there that looks like a problem.

  310. Hello,

    My host file contains only one line :/ It’s the last line of yours! Also I use google chrome as a browser any advice here?

  311. Also every time I perform a scan with Malwarebyte or Kaspersky, my Symantec Antivirus starts automatically and detects a whole bunch of suspicious files! Should I deactivate Symantec first and let Kaspersky work? @Nameita

  312. I would recommend doing scan with Kaspersky with disabled Symantec. Suspicious files can be detected for 2 reasons: they are opened for reading and thus checked by 2 antiviruses at the same time, or just these 2 antiviruses do not work together.

  313. I just used Combofix.
    1. Download Combofix (FREE)
    2. Open up a txt file
    3. Copy paste this into it:

    File::
    c:\windows\system32\winupdate.exe
    c:\windows\system32\winhelper.dll
    c:\windows\system32\AVR09.exe
    c:\Program Files\AdvancedVirusRemover\PAVRM.exe

    4. Name it CFScript.txt
    5. Close all apps.
    6. Drag file into Combofix (DRAG THE TEXT FILE INTO THE APP)
    7. Let it do its thing.

  314. AmITheOnlyGuyWithAMacAroundHere: Plugin/Extension / DNS server information, even proxy and hosts file exist on mac as well. The particular actions might differ somewhat. I recommend running Sophos antivirus to scan for malware too.

  315. Thank goodness for geniuses like you to help tech-challenged people like me!

    I think I have the google redirect virus. My problems started when my daughter was attempting to download a free game (Disney’s pirates of the caribbean). Next thing I know, google.com just doesn’t look right. The ads that are normally to the right of the results are absent, and the “results” do not really make sense (wikipedia or product based only), and if I click on a link, it takes me to an obvious ad. So, I immediately closed my browser, ran disk cleanup, deleted temp files, uninstalled everything that had been installed from the last few days, and ran a full scan with Norton 360. I still had a problem, and it got worse…the computer shut down and went to the blue screen of death (crash dump or whatever). It was only able to come up in safe modes. I brought it up with safe mode plus networking, and tried the next recommended step: Norton Power Eraser. Upon reboot, it went back to blue screen and would only come up in safe mode still. I ran Norton’s Reboot/recovery tool, as instructed, and still got the blue screen/safe mode cycle. So I tried going to Control Panel–>Recover–system restore and chose a back up source from over a month ago. Upon reboot, I was able to come back in normal mode, but the redirecting is still happening. I contacted Norton’s Tech support and initiated the remote resource with their tech. I explained everything that has happened, but she kept asking me to repeat parts of my story and her first reaction was that my Norton must be out of date. I assured her that I always kept it up to date, as I have a 3 year subscription with auto detect of updates and scans. She then asked if I contacted Microsoft to address the blue screen issue. I asked why would I, when clearly the problems started because of a virus that I thought Norton was supposed to protect me from. 
    When I suggested that I thought I had a redirect virus (which I deduced based on info from sites like yours), she seemed to have no clue what I was talking about and chuckled when I brought up the possibility of it being a rootkit infection. After making me feel like an idiot for a few minutes, the tech finally took over my computer and worked through the night. She is apparently off for the weekend, and sent me a message that she would resume work on my system on Monday. I am beyond frustrated. Any insights or suggestions?

  316. @Giedrius Majauskas (admin)
    Ran through your list (which I really didn’t trust myself to do). And….believe it or not, the virus is gone.I believe the Kaspersky TDSSKiller is what did the trick. I am just flabbergasted that Norton’s tech wasn’t more helpful. It amazes me that I was able to find your site, download a solution, and have it fixed in a matter of minutes! Thanks for the info, it was easier than I would have believed. 🙂

  317. NOTHING is working for me. Everything i’ve tried all the way through to TDSSKiller says that my computer is clean. But, all my google search results redirect to advertisements. I tried Bing, and it affects Bing search results as well. Also affects multiple browsers (tried IE8 and Chrome). I’ve tried all the software recommended on this page and it’s not detecting this. I’m so frustrated.

  318. I have run through the steps and none of this is working for me. I don’t know what to do anymore, I thought I had solved the problem but then I went back and googled something and BAM redirected.

  319. Thank you very much. The first step really works wonder. I had like 7KB host file, and after decreasing it to 1 KB the problem has been solved. I’m glad I found this site. ^^

  320. Thank you very much for this very very useful info.

    Deleted that 1 extra line exactly after the last line of the given page.

    Started with ::1….

    Once again thanks for the ultimate information.

  321. Need some input. I am running in circles trying to get rid of this redirect virus. The symptoms are: most of the time my redirect is through [malicious url removed]. My internet explorer is all fouled up as is my task manager. I have had many blue screens.
    My virus scans have been: Norton, Malwarebyte, spybotsdAdware, adwarecleaner, saphros, and hitman. Only hit man said I had something. Two rootkits with a replace option. Have tried TDSSkiller, but refuses to run after the windows run window is checked.
    I am running XP sp2.
    Any suggestion would be helpful and appreciated.

  322. Hello G.M(Admin), I have one PC (XP), one laptop(XP), one android ph and one android tablet. All has google redirect virus (but only when I click one website, it redirect). Why my android ph and tablet has GRV? Is my Router infected GRV?

  323. Possible Solution/fix:
    Google browser hijacked and redirected to 7search, search qandas com, and other advertising sites.
    I fought the Google browser redirect issue for 2 weeks, only Google searches in IE8 were affected, using Bing in IE8 worked OK. I reset to IE8 default settings, tried blocking with IE8 security settings, disabled browser add-ons, and followed many other tech articles/solutions with no luck.

    Listed first below is the SOLUTION I finally found to the Google browser redirect problem:

    HitMan Pro 64 bit found a variant of TDL rootkit/bootkit infecting the Master Boot Record, cleaned and fixed on first scan and reboot. I installed the Free version good for thirty days and will be buying the full license. Marked some Punkbuster files from my games as suspicious but left them alone.

    I installed many antivirus, security, and antimalware programs: both retail versions and freeware.
    Following is a list of programs that missed the TDL Rootkit.

    Norton Internet Security which is my primary and favorite security suite which was installed and up to date but never found the TDL Rootkit.

    Webroot Secure Anywhere Trial was installed but never found the TDL Rootkit. This is my second favorite security suite but tends to interfere more with online games.

    AVG Free 2013 installed but never found the TDL Rootkit.

    SuperAntiSpyware retail version purchased but never found the TDL Rootkit. Seems to be an OK program, but I was disappointed in overall results. Install free version and wait a day or two, and following a scan the program will offer a discounted 1 PC license for 9.95 or 2 PC license for 14.95.

    Spybot Search and Destroy free version installed but missed the TDL Rootkit.

    Malwarebytes free version installed but never found the TDL Rootkit.

    Xoftspy SE trial version installed but missed the TDL Rootkit.

    Windows Malicious Software Removal Tool ran but never found the TDL Rootkit.

    I did not use any McAfee security products because I had a very bad experience with a poor version of McAfee software many years ago and do not use McAfee software.

  324. so here is what ive done
    1.got spy hunter
    2. ran TDSSkiller with loaded modules
    3.check the drivers in the device manger
    4.checked host file
    5.checked TCP/IP
    6.checked proxy settings
    7.cleared browsing data

    and im still having this damn virus its highly annoying

  325. i ran it no good there wasnt anything out of the ordinary just some basic tracking cookies in IE and Firefox chrome was clean and my DNS servers are set to automatic
    also i tried running firefox in safemode still redirect along with chrome in safemode

  326. Mine was called Snap.do, it was an add on in internet explorer. I used crap cleaner (CC) that I got on download.com to uninstall it.

    Took 5 seconds, and now good as new, hope it helps.
    Sucked for a couple days till I figured it out.

  327. Please help! This morning I searched a topic on Google (using Internet Explorer, Windows 7), but when I clicked the link it took me to a different site than I thought I was going to. I read a few tutorials about redirect virus removal and have completed the following:

    -Ran McAfee full scan (nothing detected)
    -Confirm HOST file (it was correct)
    -Confirm LAN proxy and DNS settings (they were OK)
    -Deleted internet files, cookies, etc via Internet Options
    -Downloaded and ran Spyware Doctor (nothing detected)
    -Downloaded and ran Hitman Pro (nothing detected)
    -Downloaded and ran TDSS Killer (nothing detected)
    -Downloaded and ran Spyhunter

    Spyhunter originally detected 29 threatening cookies from such sources as 2o7, 7search, Doubleclick, Tribal Fusion, etc. I reopened IE and deleted files again then searched for the “infected files” in the proper directory (reported by Spyhunter) and they were nowhere to be seen. What’s more, when I reperformed the Spyhunter scan, nothing was detected.

    HOWEVER…when I try to click on a Google search result I am STILL being redirected (most often to a site “selling” Norton anti-virus).

    Any suggestions? My next thought was a complete system reload, but I’m not even sure that will get rid of the problem!

  328. Ashley: 3 possible causes.
    Do you get redirect when clicking on ANY search results and website in url bar (before clicking) is google (.com , .uk , etc is ok?)
    . If yes and yes – malware issues, and you will have to use more anti-malware programs ( superantispyware, malwarebytes ), one should have added the particular virus in databases.
    if Yes and No – it is browser hijack and might be aftereffect of toolbar. You will have to change search provider back to google.com.
    If you get such result only if clicking on single site, then the site is infected and not your PC.
    if it is one of the 2 first things, you could post hijackthis logs either here or any computer support forum.

  329. Hello again and thanks for your response.

    Update- Last night I downloaded and ran CCleaner…it helped and I wasn’t redirected! BUT, this morning I tried to click on a Google search result and I was redirected. I tried a number of different searches and any link redirects me. Crap.

    When I pull up Google it looks normal (http://www.google.com) and when I search it still looks fairly normal (google.com/string of #s and letters).

    I just downloaded and ran both Malwarebytes and Superantispyware, but nothing was detected. What did you mean by an aftereffect of toolbar? How would I change the search provider?

    Lastly, what is a hijackthis log?

    Thanks again!

    PS- If I restore or reload my computer, will that get rid of the problem? I’m at my wit’s end!

  330. After trying everything I could find on the net to get rid of the Google redirect virus (nothing worked), I discovered that if I turned off Gmail, it went away. Really !!

  331. I have clicked on the three-lined icon several times and have been unable to locate the Options menu. It has simply disappeared. Also, my Chrome browser is now working very slowly, and this morning when I opened it, a dialog box appeared that read “Your profile could not be opened correctly. Some features may be unavailable. Please check that the profile exists and that you have permission to read and write its contents.” What can I do?

  332. Watson: if your profile data is inaccessible, then it might be that your Chrome installation is corrupted and you should delete your settings and reinstall Chrome. This might be caused by some viruses too, though usually this is due to bad settings.

  333. By cleaning hosts file my firefox started to work well. However, issues with internet explorer continued.
    I downloaded demo version of HitmanPro 3 from http://www.surfright.nl/en/hitmanpro/
    It was able to locate and delete fontviewt.dll file in C:\Users\%username%\AppData\Roaming folder.
    Afterwards everything worked just fine.

  334. I had the redirect problem only in Google Chrome – Firefox and IE were fine. I tried everything, uninstall and reinstall, msn security essentials, malwarebytes, combofix, etc. Nothing worked until…

    I downloaded Revo Uninstaller (free), performed the most advanced/deepest uninstall, deleted all found files, selected to delete related registry items, basically just did everything Revo asked. Now, after a reinstall of Google Chrome, everything is fine.

  335. I seem to have the redirect problem as well. I have tried many things to no avail I have done virus scans with malwarebytes, avg, avast, hitman pro, spyhunter, spybot and ran TDSSKiller and combo fix (tried what I can in safe mode as well). Checked the host file and the router, but can’t find anything. I ran hijackthis and it looked ok as well. The problem started with firefox, so I deleted that in tried chrome. It doesn’t seem to happen in IE, but my IE seems to be missing pictures (the google logo doesn’t show, various icons and things on assorted pages, etc). I also seem to get “you’re about to leave a secure connection” message an excessive amount of time.

    Any help or suggestions would be greatly appreciated. (I’m pretty technical, so can handle most manual tasks).

    Paul.

  336. Paul : Check proxy and disable it in browsers. 2. Check toolbars and security settings. For me, a lack of images in IE would indicate a messed-up registry or a proxy, so you might wish to clean with a registry cleaner as well.
    Another possible cause of redirects is toolbars/BHOs, which are (often) not picked up by anti-virus programs, but would be visible in a hijackthis log.
    If the redirects continue, check if they are to the same page (toolbar more likely, or registry messed up) or random pages (unknown trojan or proxy or router attack). In the random page case, I would recommend a clean windows install if no one detects the parasite.

  337. Oh wow! You’ve helped so many people, it’s actually kind of mindblowing! The sheer effort into responding to these people’s requests for help in diagnosing the problem. Kudos! Kudos! Kudos!

  338. This is a FYI. I am having many of the symptoms described by Paul above. After significant trial and error over a 2 day period we (my IT Person and me) determined this behavior was associated with a rootkit virus. The actual detection was very tricky. We finally identified it using a renamed copy TDSSkiller from a USB drive. The problem software was identified as Rootkit.Boot.SST.b – one very bad hombre.

    Unfortunately the clean option did not work. The next step was to create a boot disk with GPARTed on it to locate and delete the infected partition. The jury is still out on this fix as it takes quite a long time to run.

    The fix is discussed here: http://community.norton.com/t5/Tech-Outpost/Rootkit-Boot-SST-b-is-NOT-coming-off-PLEASE-help/td-p/588858

    Hope this helps shed some light on Paul’s issue.

  339. AFITgrad86 : Some of the symptoms Paul and you have are not directly caused by the rootkit, but by the mess-up of the registry due to the infection. In very difficult cases, I recommend using Norton Power Eraser or Kaspersky boot CD instead of modifying the infected PC's hard disk.

  340. Hi, I have the redirect problems. Ran through all the steps, scanned with MS security essentials, TDSS killer, est nod32, hit man pro. Nod 32 detected “operating memory >>rundll32.exe(3508) – probably a variant of win32/ponmocup.AA Trojan – unable to clean” any ideas of next steps?? Many thanks.

  341. Tom: re-scan with hitman pro (ESET detected trojan in memory but can’t identify the file it came from). If this fails, you will have to scan from alternate OS scanner like Norton Power eraser or Kaspersky bootable scanner.

  342. I am having redirect issues in both Google and IE0 on Windows 7 64 bit OS. I deleted the #::1 localhost line within the hosts folder (as an administrator in notepad), but it did not make a difference. Should I reinsert it (based on your recent response to Shante)? Also, I found no viruses using my installed McAfee virus scan.

  343. Everytime I go to google to search for something, it always redirects me to Bing and I can’t search for anything from that point on. I use Prevx for my anti-virus, and it’s always popping up showing that I have some type of malware to remove…….Can you help me to solve this problem?

  344. Giedrius

    I ran hitman pro and it quaranteed a couple files and that fixed my problems. Neither Google nor IE9 are being subjected to hijacking now. Thanks very much!

    Jeff

  345. @admin
    im having trouble opening lspfix it says im missing a file but i manually went to the file and its there is there something i can do myself or can i fix the lspfix i dont know how to run under admin win7 im not sure what the lspfix is suppose to do

  346. Combo fix worked while all the other solution options didn’t. It took about a half hour from start to finish and well worth every minute!

  347. THANK YOU THANK YOU THANK YOU!! I opened the fedex virus this week and malwarebytes and ccleaner did not do the trick. It was not popping up windows in ff but my browser was VERY sluggish so I opened task manager and saw it was popping up various random application websites one after the other contained there. Killing processes did not work. What finally did was going through your steps and when I got to the add-ons in ie and disabled those disguised as microsoft, it finally stopped. I will FOREVER love you. I just started school and also work two jobs and the computer was my livelihood. You have saved my life.

  348. I have the redirect virus where the web server, be it chrome, explorer, or whatever that is the default continues to open unprompted going to google. Obviously google does not work and just refreshes when you try to type anything. I just ran hitman pro 64 bit and it found one threat but it did not fix the problem. I have tried spy hunter, malware, tdskiller and a few others but they do not detect anything. Even when I open in safe mode the web browser continues to open to google unprompted. Any help would be appreciated

  349. Brian: What Hitman pro removed? If it was trojan, then it might be that there is another one still lurked or hidden in the system. Double check your settings as well. You might want to try running adwcleaner as well.

  350. I ran adwcleaner and it seemed to work for a little while but now it is back to constantly opening browsers again. Any other suggestions?

  351. Brian : Either you
    1. Reinstalled it again by mistake
    2. Got trojan, that reinstalls it.
    3. Got program, that reverts settings back.
    Scan with anti-malware program like spyhunter http://www.2-viruses.com/reviews/spyhunter or Hitman pro to confirm trojan version. if not, remove last installed programs from control panel (that you do not know) and try cleaning again. Use program with real time protection (AV, Spyhunter, full version of Malwarebytes, etc) to protect you from such infections.

  352. @Giedrius Majauskas (admin)
    Don’t know whether this will help others or not. As admin suggested I checked host file and it looked ok. Then noticed in the etc folder a file called lmhost which looked similar in wordpad but with alot of other stuff in it. I moved it to wastebin and have not experienced any redirecting in Chrome since. Been ok for 2 hours now Fingers crossed.

  353. You would think Google would go out of their way to protect the way they make money. Or those that pay google, would get really out of sorts when their page is never brought up. Why pay someone when they don’t provide the service.
    unless, it’s part of the marketing. lead them to pages,us,that are not their search, lets say ten times, the just might hit on something. Time number eleven, Oh my the page you have been clicking on.

  354. Alright, I’ve been fighting this thing for an hour and don’t know what else to do. I went through the steps, but it still redirects me from google to a page that says “It works! =) ” at IP: http://91.219.237.56/
    I’ve tried everything and am in the process of doing a full computer sweep with avast! any advice?

  355. Thank you! I tried these suggestions and it worked. Before, the search engine Icon looked like a Levis Jeans logo with a red rectangle to its left. Thanks again. Jim in Nashville

  356. Thank you. I was getting the redirection of Google. Both Spyhunter and Malwarebytes did find the problem. Hitman Pro 3 fixed my issue.

  357. Ok so I have a trial of Norton, Malwarebyte, and SUPERantispyware Free edition and I have scanned with it all and it said my laptop is secure.
    However my Windows Security Center keeps turning off whenever I turn it on and Google always redirects me to anti-virus websites
    How do I stop it and keep my Security Center on?

  358. Maria : Scan with Hitman pro and TDSS Killer first, This might be trojan related. If security center is turned off, then Norton does not help, And other programs (free versions) are not real time protectors.

  359. Hi All,

    I want to get the setup or files of “Google Redirect Virus”. I have to perform experiments on redirect virus. I tried searching on Google. But I didn’t get meaningful results. Can you please help.

    Thank you in advance.

  360. Abhijeet: We do not distribute samples. You should look for browser hijacker samples (easy downloadable from e.g. Conduit website who makes some of them), versions of TDSS rootkit (their servers might be inactive so they might not work ), DNS changer malware ,etc.

  361. I have done all of the above to try to recover the use of my search engine and it is no longer redirecting me to an ad site but it doesn’t take me to the site I am looking for just goes back to the google home page any other suggestions

  362. My Google searches very slowly. Script appears at top of search screen once Google page opens. Bing won’t search either. But Ask.com is very fast. What’s up???

  363. Had a google redirect virus last December and malwarebytes got rid of it. Didn’t work this time. I’m running Vista and IE Explorer.
    I’ve completed steps 1-3 in your list and everything is ok. Don’t have firefox so skipped step 4. Step 5 showed me only one suspicious looking add-on: google gears helper. Publisher is listed as google(unverified). Am afraid to remove w/o checking.
    Could this be the problem? Or do I need to move on to a stronger malware detection program?

    Thanks.

  364. I should probably add that my redirect problem is intermittent. Google brings up a list of sites properly, but I’m (sometimes – usually but not always) redirected when I click on one of them. And I’ve cleared the cache repeatedly also.

  365. Hitman-pro found one infected file and got rid of it. Didn’t solve problem. Spyhunter found nothing.

    Suggestions for next steps?

  366. i have malware spyware and i seem to have a virus i cant rid. i thought i got rid of it last week by quarantining a Trojan but a week later its back and when i search with malware spyware it comes back with nothing found. i get redirected when i search with google to other sites i don’t wanna see. however when i type in the taskbar it goes to my site that i want. i’m reading ur stuff and its all complicated for me. help

  367. With a little checking around i found that most of my redirects were coming from a server in Germany, evoplus.com. Windows TCP/IP configuration looked fine, Kaspersky and Malwarebytes found nothing and a root kit scan found nothing too. The host file was ok too but when i looked at firefox proxy settings i found it set to use system instead of no proxy. i reset the value, download a new copy of Winsock Fix and ran it. The system did a reboot and everything in the garden is now rosey 🙂

    Thanks OP, diamond.

  368. Thank you. My problem is fixed. BTW for those of you with vista. rename the host file to something like hosts infected. Then delete everything this web site tells you to. when you go to save your new hosts file it will ask you if you want to save to documents. say yes then copy the new hosts file to the etc directory and everything will be fine. to the person who did the original article. THANK YOU!!!

  369. Thanks, thanks a lot. i have lost the hope and decided to format the laptop.
    but your guidance is really very help. i am able to open all those blocked site.

    thanks again,
    Ali

  370. Thanks so much to John Tea for the solution to Chrome redirects remaining after Tracur removal.
    I was tearing my hair out.
    Creating the new Chrome user profile worked perfectly.
    a thousand thanks !

  371. The hosts file only has spybot stuff. I changed firefox proxy settings, but i am still getting Google redirects. I tried Malwarebytes, but it didn’t detect a single thing. Spyhunter detected over 250 problems, but i have to pay money. D:

  372. After much searching I found your site. Information was spot on and stopped the redirect rubbish.Thank you.

  373. Hi, I have Firefox and followed all the steps above. Everything looked fine, but when I tried to access browser.newtab.url and reset it as you said, it wouldn’t let me do it. Do you know why? I was able to reset the other two.

  374. Wendy : it might be several reasons. For example corrupted by malware User.js file, or some sort of plugin/software on the system. I would try to disable all unknown/unnecessary plugins and uninstalling unnecessary/unknown software, then restarting ff and try again. If not, Scan with anti-malware programs (Adwcleaner, Spyhunter – these detect browser freezers).

  375. Ok so I follow through the steps all the way to anti virus and notice no problems with the steps 1-5. So I move on to steps 6-8 and I believe I need a bootCD. for step 6 I have scanned my computer with Spyhunter Norton and malware bytes. Step 8 I scanned my computer with TDSSkiller and redirects still persist do I need a bootCD or is there something I’m doing wrong

  376. I get redirected once I click the search result. I also get “/?gws_rd=cr” after http://www.google.com and the searches are all funny for example searching for Youtube brings up “Movies – YouTube” when normally it would just bring up Youtube

  377. Yeah that didn’t solve my problem spyhunter malware and Norton aren’t picking up the websearch and I don’t think that’s a websearch this is more detail and this redirect affects me in IE and firefox I got sent here after being told that google redirect wasn’t my problem but this didn’t solve my problem and neither did google redirect when I type http://www.google.com I go to sometimes get changed to “www.google.com/?gws_rd=cr” and after clicking a searched link I get redirected to http://www.ihavenet.com/?search=+&n=1377268224 and that takes me to another site ad/porn or so on site

  378. Hi Hitman Pro picked some stuff up that Skyhunter missed so far seems to be fine. I did a scan in pure safe mode with both hitman and Skyhunter. Which picked some stuff up. Then did another scan from both in Safe Mode Network mode Skyhunter picked up some tracking cookies from Wajam. Now Im currently in normal mode and doing another scan with Skyhunter

  379. Just a final note: I'm not getting redirected from clicking links anymore but I assume those cookies I keep getting are sneaking through random pop ups / adds

  380. Joel: reappearing cookies from Wajam means that you still got Wajam's adware somewhere. Everything else should be fine. Also, you might want to scan with Spybot, which might pick the adware itself and not the cookies.

  381. I ran all the scans, and I think I have eliminated the virus. My problem: I have lost my administrator privileges. How do I fix this. I have windows XP, 32bit. Please as specific as possible with how to fix, as I am not particularly computer savvy. Thank you.

  382. I’ve had a similar problem all year. google on the iPhone redirects to a different site. I’ve reset my router, changed the DNS to OpenDNS, cleared the iPhones, and iPads caches & histories etc. The problem still occurs intermittently.

    It always affects all iOS devices on my wifi network but never the desktop macs or PCs. Changing over to cell phone data fixes it, changing back to wifi causes the problem again. Sometimes Safari on the iPhone will redirect http://www.google.com, or a search in the upper right google box, to a blank page that says “Hello World!” other times it redirects to an error page, other times it redirects to a Yahoo! developer’s page full of code. Usually it fixes itself within 20 minutes but sometimes it does this for several hours. Rebooting the phone or iPad doesn’t fix the problem either.

    Any other ideas?

  383. I followed your steps. Now on my host file there is a TON of entries put there by Spyhunter. Is this okay or am I REALLY infected now? Most of these are porn and other crap I don’t go to or have ever heard of. I tried re-saving my hosts file without any of that and it won’t let me. I went through the steps a couple of weeks ago and it worked fine. Very concerned!

  384. At least till recently Spyhunter did not add any entries to the hosts file. Spybot S&D and some other tools do that to protect from malicious websites. If these entries do not reference some popular sites, they are ok (usually).
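
The distinction drawn in the reply above (blocking entries added by protection tools versus entries that reference popular sites), as an added Python example that is not part of the original thread. The sample hosts text, the watch-list of site names and the function names are constructed for illustration.

```python
import ipaddress

# Constructed watch-list: name labels of sites a search hijacker would remap.
WATCHED_LABELS = {"google", "bing", "yahoo"}

# Constructed sample hosts file (203.0.113.7 is a documentation-range address).
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example      # blocking entry, Spybot style
0.0.0.0         popups.example
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com
192.168.1.20    nas.home.example
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address: ignore line
        for host in fields[1:]:                    # one line may list aliases
            yield line_no, addr, host.lower().rstrip(".")


def audit_hosts(text):
    """Classify each mapping; returns (line_no, ip, hostname, verdict) tuples."""
    findings = []
    for line_no, addr, host in parse_hosts(text):
        # Loopback / 0.0.0.0 targets only make a name unreachable (a block).
        blocks = addr.is_loopback or addr.is_unspecified
        if host == "localhost" and blocks:
            continue                               # the stock entries
        popular = bool(WATCHED_LABELS & set(host.split(".")))
        if popular and not blocks:
            verdict = "REDIRECT"                   # popular site sent elsewhere
        elif popular:
            verdict = "blocks-popular-site"
        elif blocks:
            verdict = "block-entry"
        else:
            verdict = "custom-mapping"
        findings.append((line_no, str(addr), host, verdict))
    return findings


def redirects(text):
    """Only the entries that point a watched site at a routable address."""
    return [f for f in audit_hosts(text) if f[3] == "REDIRECT"]


if __name__ == "__main__":
    for line_no, ip, host, verdict in audit_hosts(SAMPLE):
        print(f"line {line_no}: {host} -> {ip}  [{verdict}]")
```

To check a real machine, pass the contents of the hosts file in the `etc` directory to `audit_hosts` instead of `SAMPLE`.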

  385. When I do google search in Chrome and click on the result links, I get redirected to an unrelated website once every few times. I narrowed it down to an extension called Default Extension 1.0 (unpacked).

    1. Open Chrome, go to Settings, and look at the Extensions installed.
    2. Click on the button that says “Developer Mode”
    3. You can now see the specific “ID” for each extension
    4. Go to “Computer” and find the following folder:
    C:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\Extensions
    where “User_Name” is your specific user name.
    5. Find the Extension folder that has the same name as the “ID” for the extension (a seemingly random combination of letters). If you don’t see it, it might be in a folder several folders down e.g. \User Data\Default\Extensions\Default\Default… etc. (for some reason I couldn’t find the folder by searching in Windows).
    6. Delete this folder
    7. Restart Chrome.
    This seemed to work
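
The folder walk from the steps above, as an added Python example that is not part of the original comment: it lists every extension found under an `Extensions` folder (including ones nested several folders down), resolves the display name, and marks extensions that can act on all sites. The sample tree, the names and the function names are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(r"^[a-p]{32}$")      # Chrome extension IDs use letters a-p
BROAD = ("<all_urls>", "*://*/", "http://*/", "https://*/")


def _display_name(ext_dir, manifest):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    m = re.fullmatch(r"__MSG_(.+)__", name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    msg_file = ext_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name
    for key, val in messages.items():           # message keys ignore case
        if key.lower() == m.group(1).lower() and isinstance(val, dict):
            return val.get("message", name)
    return name


def _host_patterns(manifest):
    """Collect URL patterns from MV2 permissions, MV3 host_permissions, scripts."""
    pats = list(manifest.get("permissions", []))
    pats += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if isinstance(p, str)]


def list_extensions(extensions_dir):
    """Return one dict per extension manifest found anywhere under the folder."""
    base, rows = Path(extensions_dir), []
    for manifest_path in base.rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue
        if not isinstance(manifest, dict) or "manifest_version" not in manifest:
            continue                            # not an extension manifest
        ext_dir = manifest_path.parent
        parts = ext_dir.relative_to(base).parts
        ext_id = next((p for p in parts if ID_RE.match(p)), ext_dir.name)
        rows.append({
            "id": ext_id,
            "name": _display_name(ext_dir, manifest),
            "version": str(manifest.get("version", "")),
            "all_sites": any(p.startswith(BROAD) for p in _host_patterns(manifest)),
            "path": str(ext_dir),
        })
    return sorted(rows, key=lambda r: r["id"])


def build_sample(root):
    """Constructed sample tree: two normal extensions and one nested oddly."""
    def write(rel, obj):
        p = Path(root, *rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(obj), encoding="utf-8")
    a, b, c = "a" * 32, "b" * 32, "c" * 32
    write((a, "1.0_0", "manifest.json"), {
        "manifest_version": 2, "name": "__MSG_extName__", "version": "1.0",
        "default_locale": "en", "permissions": ["tabs", "<all_urls>"]})
    write((a, "1.0_0", "_locales", "en", "messages.json"),
          {"extname": {"message": "Default Extension"}})
    write((b, "2.3_0", "manifest.json"), {
        "manifest_version": 3, "name": "Notes", "version": "2.3",
        "host_permissions": ["https://notes.example/*"]})
    write(("Default", "Default", c, "1.0_0", "manifest.json"), {
        "manifest_version": 2, "name": "Helper", "version": "1.0",
        "content_scripts": [{"matches": ["*://*/*"], "js": ["cs.js"]}]})


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in list_extensions(tmp):
            flag = "ALL SITES" if row["all_sites"] else "limited"
            print(f'{row["id"]}  {row["name"]} {row["version"]}  [{flag}]')
```

Point `list_extensions` at the `Extensions` folder named in step 4 to match the IDs shown in Developer Mode against what is on disk.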
