The Google redirect virus is a browser hijacker that targets the search results of Google and other search engines and redirects the user to infected pages. These pages can be porn-related or full of advertising banners that make money for the creators of this parasite. These pages might also push you to pay for something or give away your bank account details, which makes the Google redirect virus quite dangerous.
How To Fix Google Redirect Virus Browser Hijacker Problem quicklinks
- Causes of Google redirect virus
- My hosts file is very long, should I be concerned?
- I am in correct folder, but can’t see hosts file. Am I infected?
- I can’t edit hosts file even as Administrator
- Malware – based Google redirect virus FAQ
- Why don’t you recommend “insert name” tool?
- I can’t launch anti-malware programs. What to do?
There are a couple of different strains of Google redirect viruses, and some of them might need heavy scanning with a reputable anti-malware solution such as NOD32 Antivirus, Kaspersky or Malwarebytes. Sometimes the Google redirect virus even blocks reputable sites, which makes it tough to download removal software. However, there are a couple of easy steps that solve the less complex problems.
Note that before trying to fix other things, you should scan and check whether anti-malware programs can identify a more precise cause of the Google redirect hijacker. We recommend Spyhunter and Hitman Pro for this task. You should always scan after performing all these steps as well, as an anti-rootkit scan might reveal trojans that were hidden by other infections. In some cases, rootkits will be detected and removed by anti-malware programs.
Basically, there are two types of Google redirect viruses:
a) Hijacking search engine settings, i.e. choosing which search engine to use. Your default search engine is not Google, Yahoo or Bing, but something else. The first suspect is a plugin-based hijacker, though other causes are possible. Quite often a justification for the change is provided: for example, the redirect virus claims that your search is “safer” or “better”, and it will avoid the name “virus” whenever it can.
b) Hijacking the results of the search engine when you click on them. Your default search engine is the same, but you get different results when clicking on them. The main suspect is a malware infection, but a malicious proxy, DNS settings, an infected router and even the hosts file are possible. Such redirect viruses do not justify their actions; they just try to make money fast and prevent removal.
Causes of Google redirect virus
The problem with this group of parasites is that Google redirects (and search engine redirects in general) can be implemented in several different ways. We have compiled a list of possible causes and the symptoms associated with them.
|Domain-specific||Yes||Yes||Unlikely||Unlikely||Unlikely||AV websites only|
Clickjacking means that clicking one link (in the search results) opens a completely different result than expected. Such redirect viruses are usually highly malicious and a sign of a serious trojan infection.
Multi-OS – multiple devices or different operating systems are affected. This means that the likely cause lies outside a single device, or that settings were synchronised between devices. Besides a plugin, some configurations can affect multiple devices, or the cause might be the router or the ISP.
Steps 1-5 deal with regular hijacking of search results caused by malicious settings or plugins. Steps 6 and above deal with malware infections that produce Google redirect virus symptoms and are more difficult to detect and fix. However, if any antivirus program is prevented from running, this means a malware infection, and you will have to scan your PC with anti-virus and anti-malware programs.
Step 1. Check your hosts file for Google redirect virus malicious entries
The hosts file resides at C:\Windows\System32\Drivers\etc\hosts on Windows systems, where C:\Windows is your Windows installation directory, and at /etc/hosts on OS X and Linux-based systems. Editing it was one of the favourite ways to create a simple and hard-to-detect redirect virus.
Open the file with Notepad.
Note: On Windows 7/Vista/8, you should open your hosts file with administrative privileges or you will not be able to save it. To do so on Windows 7/Vista, do the following:
1. Press Start (the round button, usually in the bottom left corner) and type notepad. Do not press Enter
2. Right-click on the item in the list above
3. Choose Run as administrator
4. File->Open and browse to the hosts file.
On Windows 8, enter notepad in the search box or type it right in the Metro interface. Perform steps 2-4 as on Windows 7.
Google redirect virus symptoms might be the result of malware adding malicious entries to this file, and such entries are easily removed as well.
Hosts file should look like this:
There might be a line referencing ::1 as well. This is the IPv6 local address and perfectly normal. If you see more lines with IPs, you should delete them, especially if they rewrite Google or Microsoft subdomains. They are a sign that you either had or have an infection on your PC, as this file usually cannot be accessed remotely.
Common questions related to hosts file and Google hijackers
My hosts file is very long, should I be concerned?
You should check the section commented with #. If the entries were written by Spybot S&D or Hosts-file (HP-Host) and there are thousands of them, they are legitimate and prevent your PC from opening suspected websites. Personally, I do not use them.
Note that for a Google redirect to be caused by the hosts file, the file must contain a line mentioning Google. A typical malicious hosts file is of short or medium length (up to several hundred lines), not longer.
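The distinction drawn above between stock entries, long blocklists and entries that rewrite Google or Microsoft names can be checked mechanically. The following is an added example, not part of the original guide: the sample file, the watch list and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample, not taken from a real machine. 203.0.113.0/24 and
# 198.51.100.0/24 are address ranges reserved for documentation.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
# blocklist entries added by a protection tool
127.0.0.1       ads.tracker.example
0.0.0.0         banners.adnetwork.example
203.0.113.45    www.google.com google.com
203.0.113.45    www.bing.com   # appended by something else
198.51.100.7    update.microsoft.com
"""

# Assumption of this example: name fragments worth watching (search engines
# and Microsoft hosts, as the guide singles out). Substring match over-flags.
WATCHED = ("google.", "bing.com", "yahoo.", "microsoft.com")


def audit_hosts(text):
    """Return (line_no, ip, name, kind, watched) for every hosts entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip comment, tokenize
        if len(fields) < 2:
            continue                            # blank or comment-only line
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], " ".join(fields[1:]), "malformed", False))
            continue
        for name in (f.lower() for f in fields[1:]):
            if ip.is_loopback and name == "localhost":
                kind = "default"                # the stock entries
            elif ip.is_loopback or ip.is_unspecified:
                kind = "blocklist"              # sinkholed to the local machine
            else:
                kind = "redirect"               # name forced to a foreign IP
            watched = any(w in name for w in WATCHED)
            findings.append((line_no, str(ip), name, kind, watched))
    return findings


def redirected_watched(text):
    """Entries to remove first: watched names mapped to a non-local address."""
    return [f for f in audit_hosts(text) if f[3] == "redirect" and f[4]]
```

On a real machine, pass the text of the hosts file from the location given in Step 1 to `audit_hosts`. Entries of kind `redirect` that are not on the watch list can still be legitimate (for example intranet names) and need a manual look.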
I am in correct folder, but can’t see hosts file. Am I infected?
The hosts file might be hidden by the hidden or system attribute. Make sure your system is set to show such files. You can also create an empty regular file named hosts on the desktop and move it to the correct location. If the system asks whether to overwrite, the file exists but is hidden. If not, there was no hosts file.
Note that in most cases the system (a Windows one) will work without any problems with no hosts file.
I can’t edit hosts file even as Administrator
The hosts file can sometimes be protected by the system and read-only attributes. To reset these, follow these steps:
- Press Start (or the circular icon in the bottom left)
- Enter CMD in the field, DON’T press Enter
- Right-click on it and select Run as administrator. Accept to elevate its permissions.
- In the black window, enter the following command: attrib -H -R -S C:\Windows\System32\Drivers\etc\hosts where C:\Windows is your Windows install folder.
- If it fails, try using file unlockers
Step 2. Check DNS (Domain Name Server) settings
Domain name servers are used to determine which server to access when opening website addresses. Hijacking these settings allows hijacking various websites, including search ones. Such redirect viruses included the notorious DNSChanger. Antivirus engines have very poor detection for such parasites.
1. Go to Control Panel->Network Connections and select your local network.
2. Right-click your local network icon and select Properties.
3. A window will open, then select Internet Protocol (TCP/IP) and click Properties.
4. The Internet Protocol window opens. Select “Obtain an IP address automatically” and “Obtain DNS server address automatically”, OR enter known good DNS servers (8.8.8.8 and 8.8.4.4, the public DNS servers offered by Google, are a good choice). Both options have their own pros and cons: using static DNS IPs might be a bit slower on some networks, but it prevents some ISP- and router-caused hijacks.
5. Click OK to save changes.
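To see which DNS servers each adapter is actually using before and after this step, the output of `ipconfig /all` can be parsed. This is an added example, not part of the original guide; it assumes English-language `ipconfig` output, the sample text is constructed, and the allow-list holds only the Google Public DNS addresses.

```python
import ipaddress
import re

KNOWN_GOOD = {"8.8.8.8", "8.8.4.4"}            # Google Public DNS
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")

# Constructed sample; the public addresses are documentation ranges.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Wireless LAN adapter Wi-Fi:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.66
                                       198.51.100.12
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def classify(server):
    ip = ipaddress.ip_address(server)          # ValueError if not an address
    if server in KNOWN_GOOD:
        return "known-good"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "local"      # usually the router: check its DNS setting too
    return "review"         # public resolver that is not on the list


def dns_servers(ipconfig_text):
    """Return [(adapter, server, verdict)] from English `ipconfig /all` text."""
    results, adapter, in_dns = [], None, False
    for line in ipconfig_text.splitlines():
        if line[:1].strip() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip()[:-1], False    # section header
            continue
        m = DNS_LINE.match(line)
        token = m.group(1) if m else line.strip()
        # Further servers follow on lines that hold only an address.
        in_dns = bool(m) or (in_dns and " : " not in line and bool(token))
        if in_dns:
            try:
                results.append((adapter, token, classify(token)))
            except ValueError:
                in_dns = False
    return results
```

A `review` verdict only means the resolver is public and not on the allow-list; an ISP resolver lands there too, so compare it with what the ISP documents before changing anything.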
Step 3. Checking your proxy settings for Google redirect virus
Proxy server settings can be used to implement Google search result hijacking as well. Most internet programs use the system proxy settings, which are accessed from the Internet Explorer and Edge browsers or from Control Panel. This is simple to fix too:
1. Launch your internet explorer.
2. Tools ->Internet Options, Connections tab. Press LAN Settings
3. Unselect everything or enter parameters that were given by system administrator.
4. Press OK.
Proxy-based redirect viruses are always common. The proxy might be a local process (which is usually detected by anti-malware) or a remote server (which is hard to detect).
Step 4. (Optional) Check your proxy settings on Mozilla Firefox
1. Launch Mozilla Firefox.
2. Tools ->Options. Press Advanced and open Network tab. Then, press Settings button.
3. Select “No proxy” or enter parameters that were given by system administrator.
4. Press OK.
Step 5. Check your browser addons and reset your search settings in browsers
If your search engine changed to an unknown one, you might have a browser settings changer plugin or program. Typically, these programs will be detected in Step 6, but you will have to fix the settings manually. This type of Google redirect virus might affect either a single browser or all of them; however, each browser is infected separately. Browser add-ons are installed separately into each browser and reside in different locations.
5.a. Remove Google Redirect Virus add-ons from IE.
If your browser is hijacked in IE only, check the IE browser add-ons. Note: there are malicious plugins that affect both IE and Firefox and result in Google redirects in both browsers. Before this step, make sure you clean your Control Panel of unknown, spammy-looking programs.
- Launch your internet explorer.
- Tools->Manage Addons
- Disable all unverified addons (there might be some useful ones, but better re-install them later).
- Delete all add-ons that look spammy/unknown
- Click arrow on the right of search box
- Do the following: on IE8-9 choose Manage Search providers; on IE7 click Change search defaults
- Remove the unnecessary search engines from the list
- If the settings revert after a restart, you will have to do Step 6 and repeat Step 5 again.
5.b. Check your Firefox extensions and reset search settings
- Press Firefox->Addons
- Go through the list and disable all unknown or spammy addons.
- Repeat the same for Plugin list.
- Enter “about:config” in url bar. This will open settings page
- Type “Keyword.url” in the search box. Right click it & reset it.
- Type “browser.search.defaultengine” in the search box. Right click it & reset it.
- Type “browser.search.selectedengine” in the search box. Right click it & reset it.
- Search for ‘browser.newtab.url’. Right-click and reset. This will make sure that the search page won’t launch on each new tab.
- If the settings revert after a browser restart, you will need to delete user.js from the Firefox profile and/or perform Step 6 and repeat Step 5.
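Firefox applies the preferences in user.js at every start, which is why a reset in about:config does not survive a restart while that file sets the same preferences. Before deleting the file, it helps to see which of the preferences from the steps above it sets. This is an added example, not part of the original guide; the sample file content and function names are constructed.

```python
import re

# Preference names as the steps above type them into about:config. They are
# matched as case-insensitive substrings, like the about:config search box.
WATCHED_PREFS = ("keyword.url", "browser.search.defaultengine",
                 "browser.search.selectedengine", "browser.newtab.url")

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample; search.hijack.example is a placeholder host.
SAMPLE_USER_JS = '''\
// written by an unwanted toolbar installer
user_pref("keyword.url", "http://search.hijack.example/?q=");
user_pref("browser.search.defaultenginename", "Hijack Search");
user_pref("browser.search.selectedEngine", "Hijack Search");
user_pref("browser.newtab.url", "http://search.hijack.example/newtab");
user_pref("network.proxy.type", 0);
// user_pref("keyword.url", "disabled entry");
'''


def find_search_overrides(js_text):
    """Return (line_no, pref_name, value) for each watched preference set."""
    hits = []
    for line_no, line in enumerate(js_text.splitlines(), 1):
        m = PREF_RE.match(line)
        if m and any(w in m.group(1).lower() for w in WATCHED_PREFS):
            hits.append((line_no, m.group(1), m.group(2).strip('"')))
    return hits


def without_overrides(js_text):
    """Return the file text with the watched preference lines removed."""
    drop = {line_no for line_no, _, _ in find_search_overrides(js_text)}
    kept = [l for n, l in enumerate(js_text.splitlines(), 1) if n not in drop]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for line_no, name, value in find_search_overrides(SAMPLE_USER_JS):
        print(f"user.js line {line_no}: {name} = {value}")
```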
5.c. Check your Chrome extensions and reset search settings
- Click 3 horizontal lines icon on browser toolbar
- Click on Extensions. Review extensions there and disable ones you do not need.
- Select Settings
- Select Basics ->Manage Search engines
- Remove unnecessary search engines from list
- Go back to Settings. Under On Startup choose to open a blank page (you can remove undesired pages from the set pages link too).
Step 6. Scan for Google Redirect Virus with spyware/antivirus removers:
Symptoms: No setting changes are found and all other options are exhausted. Other devices behave normally. OR clicks on search results open completely different pages than expected.
- Spyhunter has a very good anti-malware database and quite a strong focus on both browser hijackers and trojans. A review of Spyhunter can be found here. Spyhunter is a Windows program; if you use a Mac, I recommend Combo Cleaner as a second choice.
- Hitman. It’s a second-opinion scanner that uses multiple antivirus databases in the cloud. It is a Windows-based application and handles trojan-based Google redirect viruses well.
These removers should detect the majority of Google redirects of that kind, though sometimes it is useful to use a more niche tool.
Symptoms: The anti-malware tools detected some parasites as trojans/adware but failed to fix them and symptoms persist. OR you can’t launch anti-malware programs.
The TDSS and Zero Access rootkits both cause Google redirection symptoms in some cases. Both of these rootkits require dedicated programs for removal and, in the worst case, might require alternate OS scanners. For this specific rootkit a remover can be downloaded from here: support.kaspersky.com/downloads/utils/tdsskiller.exe. Another option is to scan your PC from safe mode or with alternate OS scanners.
Symptoms: Internet is not working after malware got removed or google redirects/clickjacking still present.
Sometimes the internet connection chain gets corrupted and requires a specific fix. These cases are extremely rare today. You might have to fix your Winsock 2 settings with the LSPFix utility.
Download LSPFix. This is a dangerous program, as you have to investigate each item it lists. Some are allowed and legitimate, others are not.
Malware – based Google redirect virus FAQ
Why don’t you recommend “insert name” tool?
These anti-malware programs are not random picks, but cover a wide range of possible causes of redirection. While specific other tools might be needed or useful, these tools have the best chance of identifying the cause. Some of the other applications (namely LSPFix, Combofix, etc.) might be somewhat dangerous, as they are more professional repair tools than malware removal ones. E.g., I would recommend starting with TDSS killer when rootkit infections are more likely, and for Google redirects caused by browser plugins, Spyhunter or Adwcleaner might be the best option.
I can not recommend tools that don’t work well with the ones I recommend as well. This would cause you more problems rather than help.
I can’t launch anti-malware programs. What to do?
In most cases this is caused by either a false positive in the antivirus or a malware-based redirect virus. Try renaming the anti-malware executable’s extension from .exe to .com and launch it again. Another approach is alternate OS scanners – bootable CDs that can scan your hard drive as long as it is not encrypted. The third option is Hitman Kickstart.
Step 7. Investigate other possibilities for browser redirects
Symptoms: All devices in the network behave the same, especially if they have different OS.
One more possibility is an infected router or an ISP hijacking both DNS and HTTP requests. Such Google redirect virus problems are hard to debug, but a common sign is the same hijacking happening on several devices while they are on the same network, e.g. at home, and not while at work or somewhere else.
Router Google redirect viruses are caused by poor router passwords or well-known vulnerabilities in popular router brands. While the exact fix will differ, you will have to download an updated image and flash your router with it.
For router infections you will need to download a router image and reset your router with it. This depends on the particular type of device, and we can’t provide instructions for all of them in this guide. Afterwards, make sure your router has a strong admin password.
I have decided to add quick answers section to particular steps and remove questions/answers about common problems or not relevant to this guide. This is done for usability: most of the comments ask for repeated questions and quick answers add more value.