How to fix Google Redirect Virus (browser hijacker) problem

 

Google redirect virus is a browser hijacker that targets the results of Google and other search engines and redirects the user to infected pages. These pages can be porn-related or full of advertising banners that make money for the creators of this parasite. These pages might also try to force you to pay for something or give away your bank account details. Thus the Google redirect virus is quite dangerous.

There are a couple of different strains of Google Redirect virus, and some of them might need heavy scanning with a reputable anti-malware solution like NOD32 Antivirus, Kaspersky or Malwarebytes. Sometimes the Google results Redirect virus even blocks reputable sites, which makes it tough to download automatic removal software. However, there are a couple of easy steps that solve less complex problems.


Note that before trying to fix other things, you should scan and check whether anti-malware programs can identify a more precise cause of the Google redirect hijacker. We recommend Spyhunter and Hitman Pro for this task. You should always scan again after performing all these steps as well, as an anti-rootkit scan might reveal trojans that were hidden by other infections. In some cases, rootkits will be detected and removed by anti-malware programs.

Basically, there are two types of Google redirect viruses:

a) Hijacking search engine settings, i.e. the choice of which search engine to use. Your default search engine is no longer Google, Yahoo or Bing, but something else. The first suspect is a plugin-based hijacker, though other causes are possible.

b) Hijacking the results of the search engine when you click on them. Your default search engine is the same, but you get different results when clicking on them. The main suspect is a malware infection, but a malicious proxy, DNS settings, an infected router and even the hosts file are possible causes.

Some of the most common infections are:

Mybestvideosearch.com virus, Guard-search.com virus, Search.yourpackagetrackernow.com virus, Searchonlineusa.com virus, Incosic.com virus, Search.mediatab.tv virus, SearchPrivacy.co virus, Search.supermediatabsearch.com virus, Funcionapage.com virus, Search.internetspeedpilot.com virus, Search.greatsocialtab.com virus, Search.funsocialtabsearch.com virus, Search.searcheeh.com virus, Search.yourtelevisioncenter.com virus, Search.searchgmf.com virus, Search.yourspeedtestcenter.com virus, Search.searchpat.com virus, Search.searchtnl.com virus, SportsScore virus, Tw105.com virus, Search.searcheasyw.com virus, Search.searchhdrp.com virus

Steps 1-5 deal with regular hijacking of search results caused by malicious settings or plugins. Steps 6 and above deal with malware infections that produce Google redirect virus symptoms and are more difficult to detect and fix. However, if any antivirus program is prevented from running, this indicates a malware infection and you will have to scan your PC with anti-virus and anti-malware programs.


Step 1. Check your hosts file for Google redirect virus malicious entries


The hosts file resides at C:\Windows\System32\Drivers\etc\hosts on Windows systems, where C:\Windows is your Windows installation directory, and at /etc/hosts on OS X and Linux-based systems. Open the file with Notepad.

Note: On Windows 7/Vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so on Windows 7/Vista, do the following:

  1. Press Start (the round button, usually in the bottom-left corner) and type notepad. Do not press Enter.
  2. Right-click on the item in the list above.
  3. Choose Run as administrator.
  4. Choose File->Open and browse to the hosts file.


On Windows 8, enter notepad in the search box or type it right in the Metro interface. Perform steps 2-4 as in Windows 7.

Google Redirect virus symptoms might be the result of malware adding malicious entries to this file; such entries are easily removed as well.

The hosts file should look like this:
[Screenshot: Hosts file]

There might be a line referencing ::1 as well. This is the IPv6 local address and is perfectly normal. If you see more lines containing IP addresses, you should delete them, especially if they rewrite Google or Microsoft subdomains. This is a sign that you either had or have an infection on your PC, as this file usually cannot be accessed remotely.

My hosts file is very long, should I be concerned?

You should check the section commented with #. If the entries were written by Spybot S&D or Hosts-file (HP-Host) and there are thousands of them, they are legitimate and prevent your PC from opening suspected websites. Personally, I do not use them.

Note that for a Google redirect to be caused by the hosts file, the file must contain a line mentioning Google. A typical malicious hosts file is short or of medium length (up to several hundred lines), not longer.
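The triage rule described in this step, as an added example that is not part of the original guide: entries pointing at 127.0.0.1, ::1 or 0.0.0.0 are counted as blocklist-style, while any name mapped to a remote address is reported, with search-engine and Microsoft names marked as redirects. The watched labels, the verdict names and the sample file are assumptions constructed for the example.

```python
import ipaddress

# DNS labels worth watching: the article names Google and Microsoft; the other
# search engines are this example's assumption. Extend the set as needed.
WATCHED_LABELS = {"google", "bing", "yahoo", "microsoft"}

def is_local_sink(addr):
    """True for loopback and unspecified addresses (127.0.0.1, ::1, 0.0.0.0)."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified

def audit_hosts(text):
    """Return (findings, blocked): entries that map a name to a remote address,
    and a count of blocklist-style entries pointing back at this machine."""
    findings, blocked = [], 0
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()      # strip comment, tokenize
        if len(entry) < 2:
            continue                              # blank or comment-only line
        addr, names = entry[0], entry[1:]
        try:
            sink = is_local_sink(addr)
        except ValueError:
            findings.append((line_no, addr, names[0], "malformed"))
            continue
        for host in (n.lower().rstrip(".") for n in names):
            if sink:
                blocked += int(host != "localhost")
            elif WATCHED_LABELS & set(host.split(".")):
                findings.append((line_no, addr, host, "redirect"))
            else:
                findings.append((line_no, addr, host, "review"))
    return findings, blocked

# Constructed sample: stock entries, two blocklist lines, three remote mappings.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example   # blocklist-style entry
0.0.0.0         banner.example
203.0.113.10    www.google.com google.com
203.0.113.10    update.microsoft.com
198.51.100.7    intranet.example
#203.0.113.10   www.bing.com
"""
```

On a real system, pass `audit_hosts` the contents of the hosts file from the path given in Step 1. Lines reported as "redirect" are the ones this step says to delete; "review" lines need a human decision.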

I am in the correct folder, but can’t see the hosts file. Am I infected?

The hosts file might be hidden with either the hidden or the system attribute. Make sure your file browser shows such files. It is also possible to create an empty regular file named hosts on the desktop and move it to the correct location. If the system asks to overwrite, then the file is hidden. If not, there was no hosts file.

Note that in most cases the system (Windows) will work without any problems with no hosts file.

I can’t edit the hosts file even as Administrator

The hosts file can sometimes be protected by the system and read-only attributes. To reset these, follow these steps:

  1. Press Start (or the circular icon in the bottom-left corner).
  2. Enter CMD in the field. DON’T press Enter.
  3. Right-click on it and select Run as administrator. Accept the prompt to elevate its permissions.
  4. In the black window, enter the following command: attrib -H -R -S C:\Windows\System32\Drivers\etc\hosts (where C:\Windows is your Windows install folder).
  5. If it fails, try using file unlockers.

Step 2. Check DNS (Domain Name Server) settings

Domain name servers are used to determine which server to access when opening website addresses. Hijacking these settings would allow hijacking of various websites, including search engines.

1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.

3. A window will open; select Internet Protocol (TCP/IP) and click Properties.

4. You will see a window like the one below; this is the Internet Protocol window. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically” OR enter known good DNS servers (8.8.8.8 and 8.8.4.4, public DNS servers offered by Google, are a good choice). Both options have their own pros and cons: using static DNS IPs might be a bit slower on some networks, but it prevents some ISP- and router-caused hijacks.
[Screenshot: IPv4 settings]
5. Click OK to save changes.
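A quick way to review the resolvers configured on every adapter at once, as an added example that is not part of the original guide: it parses English-language `ipconfig /all` output and sorts each DNS server into known-good (the Google addresses above), local, or unknown. The sample output, the function names and the three categories are constructed for illustration.

```python
import ipaddress
import re

KNOWN_GOOD = {"8.8.8.8", "8.8.4.4"}   # Google Public DNS, named in step 4
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Matches "   Field name . . . . : value" lines of English ipconfig output.
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*\. :\s*(.*)$")

def parse_ip(text):
    """Return an ip_address for text (IPv6 zone id dropped), or None."""
    try:
        return ipaddress.ip_address(text.strip().split("%", 1)[0])
    except ValueError:
        return None

def dns_servers(ipconfig_text):
    """Return [(adapter, server)], following indented continuation lines."""
    found, adapter, in_dns = [], None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace():
            adapter, in_dns = line.rstrip(" :"), False   # adapter heading
            continue
        field = FIELD_RE.match(line)
        if field:
            in_dns, line = field.group(1) == "DNS Servers", field.group(2)
        if in_dns and parse_ip(line) is not None:
            found.append((adapter, line.strip()))
        elif line.strip():
            in_dns = False
    return found

def classify(server):
    """Return 'known-good', 'local' (private or loopback) or 'unknown'."""
    ip = parse_ip(server)
    if server in KNOWN_GOOD:
        return "known-good"
    if ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918):
        return "local"
    return "unknown"   # compare with the resolvers your ISP documents

# Constructed sample of `ipconfig /all` output (trimmed).
SAMPLE = """\
Ethernet adapter Ethernet:
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
Wireless LAN adapter Wi-Fi:
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""
```

A hijacked router (Step 7) still shows up as a local address, so "local" means the router's own DNS settings need checking, not that the machine is clean.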

Step 3. Checking your proxy settings for Google redirect virus


Proxy server settings can be used to implement Google search result hijacking as well. Most internet programs use the system proxy settings, which are accessed from the Internet Explorer and Edge browsers or from Control Panel. This is simple to fix too:

1. Launch Internet Explorer.
2. Go to Tools->Internet Options, Connections tab. Press LAN Settings.
3. Unselect everything or enter the parameters that were given by your system administrator.
4. Press OK.

Step 4. (Optional) Check your proxy settings on Mozilla Firefox


1. Launch Mozilla Firefox.
2. Go to Tools->Options. Press Advanced and open the Network tab. Then press the Settings button.
3. Select “No proxy” or enter the parameters that were given by your system administrator.
4. Press OK.

Step 5. Check your browser addons and reset your search settings in browsers

If your search engine changed to an unknown one, you might have a browser settings changer plugin or program. Typically, these programs will be detected in Step 6, but you will have to fix the settings manually.

5.a. Check your IE add-ons and reset search settings


If your browser is hijacked in IE only, check the IE browser add-ons. Note: there are malicious plugins that affect both IE and Firefox and result in Google redirects in both browsers. Before this step, make sure you remove unknown, spammy-looking programs from your Control Panel.

  1. Launch Internet Explorer.
  2. Go to Tools->Manage Addons.
  3. Disable all unverified add-ons (there might be some useful ones, but it is better to re-install them later).
  4. Delete all add-ons that look spammy/unknown.
  5. Click the arrow on the right of the search box.
  6. Do the following: on IE8-9 choose Manage Search providers; on IE7 click change search defaults.
  7. Remove the unnecessary search engines from the list.
  8. If the settings revert after restart, you will have to do Step 6 and repeat Step 5 again.

5.b. Check your Firefox extensions and reset search settings

  1. Press Firefox->Addons.
  2. Go through the list and disable all unknown or spammy add-ons.
  3. Repeat the same for the Plugin list.
  4. Enter “about:config” in the URL bar. This will open the settings page.
  5. Type “Keyword.url” in the search box. Right-click it and reset it.
  6. Type “browser.search.defaultengine” in the search box. Right-click it and reset it.
  7. Type “browser.search.selectedengine” in the search box. Right-click it and reset it.
  8. Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
  9. If the settings revert after a browser restart, you will need to delete user.js from the Firefox profile and/or perform Step 6 and repeat Step 5.
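Firefox re-applies every `user_pref(...)` line in user.js at each start, which is why a reset in about:config can appear to revert. The following added example (not part of the original guide) scans a profile's user.js and prefs.js for the preferences named in the steps above; the function names, the substring matching and the sample file are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Preference names from the steps above, lower-cased. They are matched as
# case-insensitive substrings, the way the about:config search box is used.
SEARCH_PREFS = ("keyword.url", "browser.search.defaultengine",
                "browser.search.selectedengine", "browser.newtab.url")
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)

def overridden_search_prefs(js_text):
    """Return {pref_name: value} for search-related prefs set in the text.
    Lines commented out with // and /* ... */ blocks are ignored."""
    text = re.sub(r"/\*.*?\*/", "", js_text, flags=re.S)
    hits = {}
    for name, value in PREF_RE.findall(text):
        if any(key in name.lower() for key in SEARCH_PREFS):
            hits[name] = value.strip('"')
    return hits

def scan_profile(profile_dir):
    """Check user.js and prefs.js in a Firefox profile directory and return
    {file_name: {pref_name: value}} for files that set search prefs."""
    report = {}
    for fname in ("user.js", "prefs.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = overridden_search_prefs(text)
            if hits:
                report[fname] = hits
    return report

# Constructed sample of a user.js left behind by a search hijacker.
SAMPLE_USER_JS = '''\
// constructed sample
user_pref("keyword.URL", "http://search.example/?q=");
user_pref("browser.search.selectedEngine", "Example Search");
user_pref("browser.newtab.url", "http://search.example/newtab");
// user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.startup.page", 1);
'''
```

Any hit reported for user.js explains a reverting setting; close Firefox before removing the file so the values are not written back into prefs.js.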

5.c. Check your Chrome extensions and reset search settings

  1. Click the icon with 3 horizontal lines on the browser toolbar.
  2. Click on Extensions. Review the extensions there and disable the ones you do not need.
  3. Select Settings.
  4. Select Basics->Manage Search engines.
  5. Remove unnecessary search engines from the list.
  6. Go back to Settings. Under On Startup, choose to open a blank page (you can remove undesired pages from the set pages link too).

Step 6. Scan for malicious parasites with spyware/antivirus removers:

Symptoms: No setting changes are found and all other options are exhausted. Other devices behave normally. OR clicks on search results open completely different pages than expected.

  1. Reimage. It is one of the very few tools that both detect malware and can restore completely corrupted files from cloud backups. This helps in cases when a Trojan replaces a system file completely, which happens with the Google Redirect virus.
  2. Spyhunter has a very good anti-malware database and quite a strong focus on both browser hijackers and Trojans. Review for Spyhunter can be found here.
  3. Hitman. It's a second-opinion scanner that uses multiple antivirus databases in the cloud.

These removers should detect the majority of Google redirects of that kind; sometimes it is useful to use a more niche tool.

Symptoms: The anti-malware tools detected some parasites as trojans/adware but failed to fix them and symptoms persist. OR you can’t launch anti-malware programs.

TDSS and Zero Access rootkits both cause Google redirection symptoms in some cases. Both of these rootkits require dedicated programs for removal, and might require alternate OS scanners in the worst case. For this specific rootkit, a remover can be downloaded from here: support.kaspersky.com/downloads/utils/tdsskiller.exe. Another option is to scan your PC from safe mode or with alternate OS scanners.

Symptoms: The internet is not working after the malware was removed, or Google redirects/clickjacking are still present.

Sometimes the internet connection chain gets corrupted and requires a specific fix. These cases are extremely rare today. You might have to fix your Winsock 2 settings with the LSPFix utility.
Download LSPFix. This is a dangerous program, as you have to investigate each item it lists. Some are allowed and legitimate, others are not.

Malware-based Google redirect virus FAQ

Why don’t you recommend “insert name” tool?

These anti-malware programs are not random picks, but cover a wide range of possible causes for redirection. While specific other tools might be needed or useful, these tools have the best chance of identifying the cause. Some of the other applications (namely LSPFix, Combofix, etc.) might be somewhat dangerous, as they are more professional repair tools than malware removal ones. E.g., I would recommend starting with TDSS killer when rootkit infections are more likely, and for Google redirects caused by browser plugins Spyhunter or Adwcleaner might be the best option.

I also cannot recommend tools that don’t work well with the ones I recommend. This would cause more problems for you rather than help.

I can’t launch anti-malware programs. What to do?

In most cases this is caused by either a false positive in the antivirus or by malware. Try renaming the anti-malware executable's extension from .exe to .com and launch it again. Another approach would be alternate OS scanners: bootable CDs that can scan your hard drive as long as it is not encrypted. The third option would be Hitman Kickstart.

Step 7. Investigate other possibilities

Symptoms: All devices in the network behave the same, especially if they have different OS.

One more possibility is an infected router or an ISP hijacking both DNS and HTTP requests. It is hard to debug such Google redirect virus problems, but a common sign is the same hijacking happening on several devices while on the same network, e.g. at home, and not while at work or somewhere else.

Router Google redirect viruses are caused by poor router passwords or well-known vulnerabilities of popular router brands. While the exact fix will differ, you will have to download an updated image and flash your router with it.

For router infections you will need to download a router image and reset your router with it. This depends on the particular type of device, and we can’t provide instructions for all of them in this guide. Afterwards, make sure your router has a strong admin password.

 

Update 2017.08 

I have decided to add a quick answers section to particular steps and remove questions/answers that are about common problems or not relevant to this guide. This is done for usability: most of the comments ask repeated questions, and quick answers add more value.

 
 

About the author

 - Main Editor

I started 2-viruses.com in 2007, wanting to be more or less independent from any single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.