Google Redirect Virus
Posted Under: Free PC Security,Rootkits,Search Redirects
Click here for updated article covering browser redirects, TDSS Rootkits and malware - June 2010
The Google and search-engine redirect, commonly known as the 'Google Redirect Virus' although it affects most search engines, is caused by a rootkit (TDL3) that is downloaded alongside rogue applications.
Many users have come across this, or will be unfortunate enough to come across it, and find their searches redirected.
When using search engines, users are redirected to malicious sites or to sites unrelated to the search query.
Removing the rogue application or other malware is usually simple and straightforward using Malwarebytes or Superantispyware, but the redirect remains in place.
In many cases this is caused by changes to the System32\Drivers folder and a rootkit installed on the system which redirects all searches. This is bad news, but it can be rectified without too much trouble.
If infected, copy the following link and paste it into your browser address bar, then download TDSSKiller.zip:
http://support.kaspersky.com/viruses/solutions?qid=208280684
or click this link:
Save this zip file to your desktop, then close all open browsers and any other windows you may have open.
Extract the files from the zip file and click on TDSSKiller.exe. The command window will open and it will scan your drive for hidden files.
Once the scan has finished, any rootkits found will be listed and you will see a prompt to reboot to remove the rootkit from the system; simply press y on the keyboard and allow the system to reboot.
Once rebooted, it is always advisable to scan with an anti-malware program such as Malwarebytes or Superantispyware; both are free, remove a great deal of malware, and have pro upgrades should you want real-time protection.
Related post:
TDSS Removal
Surf Safer, Surf with WOT - Click Here or the links below
Web of Trust for Internet Explorer
Web of Trust for Google Chrome
Free PC Security, Google Redirect, Search Hijacks, Rootkit, Free Removal
Reader Comments
Hi Colin
I feel I must respond to this posting. I have given this link to many people, who email me back saying it does NOT work. I give this link because Colin explains it well; however, people should understand that rootkits hide many things.
Case No1 – told the person to check out your site & run Norman TDSS Cleaner. The person ran TDSSKiller & Norman TDSS Cleaner; both removed things, however they were still being redirected. This person then emailed me saying the above did not work. Upon checking his PC, found he had two more rootkits & spyware which the first lot of rootkits he removed were hiding.
Case No2 – Same as above, however in this case the rootkit was hiding malware, namely Antimalware Doctor.
Steve.
Sly_Old_Mole
Steve - I will do another article on TDSS, as I have been playing with TDL4, and the majority of TDSS variants are downloaded with fake / rogue programs and hide behind them.
Users need to use Kaspersky TDSSKiller and Norman TDSS Cleaner: run one, reboot, then run the other, and if necessary use both, rebooting until NO rootkits appear; then use RKill to end known malware processes and scan with Malwarebytes.
Works on most rootkit variants, and users should also use either Sandboxie or Returnil to secure their surfing.
All the best mate, hope all is well with you
Colin
Thanks Colin,
Two more points I would like to make:
1. I've yet to see TDL3 or TDSS come on its own, so if you have TDL3 or TDSS then there's more (more being malware/spyware/rootkits/viruses).
2. Whether the above works or not, tell Colin (help us; help you).
Steve.
Sly_Old_Mole
Keep up the good work Colin.
Steve - They are getting somewhat more devious, and the last example I downloaded was Defense Centre. This had 5 TDSS rootkits that TDSSKiller found; Norman found 0.
Malwarebytes, when allowed to run after using RKill and TDSSKiller, found a further 4 TDSS along with other rogue security programs that had also downloaded in the background.
On Friday it was a devil to remove, but by late Saturday MBAM had updated its definitions and worked a treat, but I still had to run RKill and TDSSKiller first, then rechecked for TDSS after MBAM's reboot and all was clean.
Was a fun weekend lol
Hope all is well with you my friend,
All the best
Colin
Hi Colin,
Good update & I agree.
I'm OK; hope you're well mate.
Steve.
Sly_Old_Mole
Hi Colin
Helped a person called Tony from Yahoo Questions remove the Google redirect virus yesterday.
HijackThis log looked clean.
Ran TDSSKiller, removed TDL3 upon reboot.
Norman TDSS Cleaner would not run.
Ran rkill from this link:
http://download.bleepingcomputer.com/grinler/rkil...
Would not run.
Ran rkill from this link (rkill renamed to iExplore.exe)
http://download.bleepingcomputer.com/grinler/iExp...
This ran.
Ran Malwarebytes & removed Trojan.Agent; Adware.Gamevance; Trojan.Downloader; Trojan.Dropper.
Then ran free Superantispyware, which removed more.
Ran TDSSKiller again, all clean.
Did clean up with free CCleaner.
So if removing the Google redirect virus, think about what you're doing.
Steve.
Sly_Old_Mole.
Steve - Cheers mate
I'm working on a new update for browser redirects, TDSS removal etc.
Use RKill first. I used Hitman Pro but had to run it twice and reboot after each run, whereas the other route is: run RKill (whichever version runs) followed by TDSSKiller, then reboot, run MBAM and SAS together, reboot on request, then run CCleaner, purge restore points, reboot, run CCleaner again and create a new restore point.
Currently works on redirects and TDSS removal, but I'm sure that in future the malware will become a lot harder to remove.
Hope all is well
Colin
Hi Colin
Look forward to your update using Hitman Pro.
I have had a few emails from people having trouble running Rkill, so here are some links to help.
Rkill.com download:
http://download.bleepingcomputer.com/grinler/rkil...
Rkill (Rkill renamed to iExplore.exe):
http://download.bleepingcomputer.com/grinler/iExp...
Rkill (Rkill renamed to eXplorer.exe):
http://download.bleepingcomputer.com/grinler/eXpl...
If you're still having trouble, try exeHelper, which works like Rkill:
(you can download it in two formats)
http://www.raktor.net/exeHelper/exeHelper.com
http://www.raktor.net/exeHelper/exeHelper.scr
Steve
Sly_Old_Mole
Steve - New post in place covering Browser Redirects, TDSS Rootkits and Malware.
RKill and exeHelper links are live links which will give users an instant download rather than trying to visit sites if the browser is hijacked.
To put a few hours' work into a 10 minute video took some doing lol, but I used Defense Center, which is one of the worst examples of malware that I have come across, as it disables Task Manager, uninstalls some security apps, redirects browsers and downloads between 9 and 27 TDSS rootkits, depending on where the original download came from. Nasty piece of work.
Thanks for the links too, have also included them
All the best mate
Colin
Hi, I followed your directions; up to a certain point things went smoothly but I came across a problem.
After I 'Extract All', select TDSSKiller, and run it, it takes me to a 'TDSSKiller rootkit removal tool' where it asks to scan your computer; no command window opens.
Regardless, I pressed SCAN ALL and it performed a 13 second scan but found nothing wrong... the redirect virus is still running strong.
What should I do now?
Jessica - Download TDSSKiller.exe (NOT zip) from here: http://support.kaspersky.com/viruses/solutions?qi...
New version has no command window but has a user interface which shows better results.
More details have been emailed to you.
Regards
Colin
Hi, I know that I have a rootkit of some sort. It redirects me to crap sites and makes my browser crash all the time; I even know where it is hiding. Problem is I have all the software needed to either detect or remove this malware. The following software is installed on my computer: Norton 360, Malwarebytes, and Superantispyware. I have tried running the TDSSKiller from Kaspersky. I have also run RKill and Raktor exeHelper. Nothing seems to detect it but TDSSKiller, and it won't get rid of it. Is there any way that I can get some help? I would really appreciate it. Thanks
It's January 2011, and I was finally able to remove a new variant of this virus. I tried to use the anti-TDSS software and it didn't even identify my google redirect virus. I finally downloaded and ran ComboFix (saved it under a different name) and it totally fixed everything. This was after trying MBAM, Spybot, GMER, OTL, Stinger, etc. I was unable to get Avira to update, and that problem stopped as soon as I ran ComboFix. I didn't do anything fancy... just downloaded the newest version and let it run. From what I remember, the Rootkit was associated with the Desktop, as more than one Desktop file had to be fixed.
You're lucky you did not have TDL4 - ComboFix does not remove TDL4.
I don't recommend ComboFix, unless you know how to use it.
Steve.
Sly_Old_Mole
If you have a Google Redirect virus in Windows XP, check the file C:\Windows\System32\Drivers\Etc\hosts. It's a list of the IP addresses your browser must use for certain URLs. Some malware makes additions to the list, to redirect your browser's calls to Google and other search engines. These additions remain after the malware is removed and must be deleted by hand. The malware may also hide "hosts" from Windows and DOS: if you have Norton Internet Security, Norton Power Eraser will find and fix it.
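The hosts-file check described in the comment above can be automated so that a technician does not have to read the file by eye. The following Python script is an added example and is not part of the original post or the commenter's instructions: it parses hosts-file text the way the resolver does (comments and blank lines ignored, first field an address, remaining fields hostnames) and flags any line that maps a search-engine hostname to something other than a loopback or null address. The sample hosts content, the 203.0.113.7 address (from the TEST-NET-3 documentation range) and the list of search-engine suffixes are all constructed assumptions for the example; `load_windows_hosts` reads the live file at the default Windows path named in the comment. Because a rootkit can hide or substitute the file, as the comment notes, a clean result from this script complements, rather than replaces, a rootkit scan.

```python
"""
Added example (not from the original post): flag hosts-file entries that send
search-engine hostnames to a remote address instead of loopback.
"""
import ipaddress
from typing import Dict, List, Tuple

# CONSTRUCTED sample hosts file for the example. 203.0.113.7 is from the
# TEST-NET-3 documentation range, not a real malicious host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com   # added by malware (constructed)
203.0.113.7     www.bing.com
127.0.0.1       www.example.org            # harmless blocklist-style entry
0.0.0.0         ads.example.net            # harmless blocklist-style entry
"""

# Hostnames whose redirection is the symptom this page describes. The list is
# an assumption for the example; extend it to the engines your users rely on.
SEARCH_ENGINE_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "ask.com")

# Null-route addresses commonly used by benign ad-blocking hosts files.
NULL_ROUTES = {"0.0.0.0", "::"}


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, ip, [hostnames]) for every mapping line.

    Text after '#' and blank lines are skipped, matching how the Windows
    resolver treats the file; lines whose first field is not an IP address
    are ignored as well.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; the resolver ignores it too
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping
        entries.append((lineno, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def is_search_engine(host: str) -> bool:
    """True if host is one of the configured engines or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SEARCH_ENGINE_SUFFIXES)


def is_local_sink(ip: str) -> bool:
    """True for loopback or null-route addresses, which keep traffic on the
    local machine rather than sending it to a third party."""
    return ip in NULL_ROUTES or ipaddress.ip_address(ip).is_loopback


def find_search_redirects(text: str) -> List[Dict[str, object]]:
    """Flag hosts-file mappings that point a search engine at a remote address."""
    findings = []
    for lineno, ip, hosts in parse_hosts(text):
        hijacked = [h for h in hosts if is_search_engine(h)]
        if hijacked and not is_local_sink(ip):
            findings.append({"line": lineno, "ip": ip, "hosts": hijacked})
    return findings


def load_windows_hosts(path: str = r"C:\Windows\System32\Drivers\Etc\hosts") -> str:
    """Read the live hosts file; the default is the Windows path from the comment."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Run against the constructed sample; swap in load_windows_hosts() on a real box.
    for f in find_search_redirects(SAMPLE_HOSTS):
        print(f"line {f['line']}: {', '.join(f['hosts'])} -> {f['ip']} (not loopback, review)")
```

On a real machine replace `SAMPLE_HOSTS` with `load_windows_hosts()`; the script runs from an ordinary prompt, but editing the file afterwards requires an elevated editor, and the entries it flags are exactly the ones the comment says must be deleted by hand after the malware itself is removed.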