# How does Google Search Redirect Virus work? And how to get rid of it?

Tags:
1. Jun 10, 2011

### chingkui

It is in my desktop now, every time I click a google search result, I got redirected to some unknown websites (the same thing happen with IE, Firefox and Chrome). I use AVG at home, did several whole computer scan, it couldn't find anything wrong.

However, if I am connected to the internet, AVG warning will pop up once in awhile alerting some threat found in one of my local temp folders. But when I click the button to throw that into the vault, AVG would just tell me the threat cannot be located... if I am disconnected to the web, no alert would pop up.

So, how does this work? Where is it hiding itself? I search on the web and was told to look at the HOSTS file, except that I couldn't even find the file in the directory it is supposed to be (C:\WINDOWS\system32\drivers\etc, I only see 4 files: lmhosts.sam, networks, protocol and services. I am running Vista). Did the virus manage to delete my hosts file? If so, what is the browser reading then?

I also tried System Restore to restore to an earlier restore point, and after that I enjoyed normal google search for the first 5 minutes. Of course, I celebrate way too early, the virus/trojan is obviously smarter than me and greet me once again in all google search.

Does this sound familiar? Any suggestion/insight would be much appreciated. I am not very smart in networking, and don't understand TCP-IP etc, so, a lot of what I found on the web is way too difficult for me to understand. Though I definitely would like to learn more of these if someone could explain it to an amateur.

2. Jun 10, 2011

### Borg

Windows hides system files by default. I'm not sure if the hosts file is considered as one though. As a start, try the instructions on this site.

If the above link is too difficult, you could try this link. It won't rid your computer of the virus but should turn it off so that you can work on getting rid of it permanently.
How to Remove Google Redirect Virus

3. Jun 10, 2011

### Ivan92

Hmm...My bro's computer had the same problem. I Google "Miranda Rights" and it redirects me to some other websites. So prior to this, I was battling a beat of malware but I got rid of it now. I believe a couple days later, he got the Google Redirect virus. So I didn't get to it til now and I believed I fixed it. Download this program called rkill.

I ran it and it got rid of it. So far so good. Let me know how that goes.

4. Jul 16, 2011

### mikelepore

In that case, I wonder if a good approach would be, every few months or so, copy the entire "Windows" and "Program Files" folders to an external drive, or to DVDs. Then, if a virus occurs, copy them back to the hard drive to overwrite everything. Then I think the System Restore should take care of the registry. Would this fix a virus? But perhaps this wouldn't work because the corrupted file(s) would be "currently in use" and therefore not overwritten -- or would booting in Safe Mode prevent that?

5. Jul 16, 2011

### Pattonias

You should make sure that your proxy setting have not been changed in the IE settings.
(The proxy should be disabled).
You should also make sure that you don't have a strange website set as your home address.

The fix on bleepingcomputer above should fix the problem also.

6. Jul 18, 2011

### AtomicLance

It's a form of the Alureon virus that sneaks into your computer with a printer process, so Windows doesn't suspect a thing. It cloaks itself pretty well from anti-virus as well, and in my experience when I had it, I could not run or install new software that would help get rid of it.

The only way to remove it is to do so manually with careful steps. Have you been able to use your keyboard or mouse? I ask because sometimes it affects your devices too.

You might find this useful

7. Aug 26, 2011

### rhody

I have the same thing, thought I had successfully killed it, no dice. I bought a tool that ID'd a proxy setting, and said it would repair it. Ran it and still, it is there. I have e-mail in to their tech support with screen grab and their summary report .xml file to ask how to proceed from here. The previous two days I used every free tool and must have watched at least 4 or 5 videos suggesting how to get rid of it. The free tools, Kaperski, anti-malwarebytes, and one other whose name escapes me at the moment, by themselves and combined did not do the job either, as the OP, Chingkui stated. I feel your pain, man, this thing is a royal pain in the ... If I achieve success, real lasting success I will report back on how I did it. That doesn't guarantee it will for you, but my main symptoms are after a google search any link I click is redirected to some stupid AD site. I realize the IP address is being hijacked in the clever way by some proxy DNS method.

Rhody... :grumpy:

P.S. I use Firefox, and it changed my proxy settings, I changed it to use none, but after a short time appearing to be fixed, it came back, and the settings menu still showed no proxy selected, so it (the virus) found it's way around that too. I figure since I spent a few bucks on the tool (which will remain nameless for now) which advertises it will fix it. I am hoping it is some new variant they haven't seen yet. Since this thread it is only a week old, it is a possibility.

Last edited: Aug 26, 2011
8. Aug 26, 2011

### rcgldr

I do something similar, I install the OS on one partition of a drive, and a second OS on a different partition (usually a different hard drive). I then boot into the second OS and copy the entire partition of the primary OS to a partition on a second hard drive to back up the OS partition and then do a compare with an program like windiff to verify the backup. I also save the volume serial number of that partition in a text file. If a problem occurs, I boot into the second OS, quick format the first OS partition, then manually "restore" the volume serial number of that partition using a volume serial number changer (I have to restart after doing this with the tool I use), then I copy the OS from the backup image and do a verify. This works fine for Windows XP, but I'm not sure about Windows 7. To save time, I use separate partitions for OS, applications, and data. This keeps the amount of data in the OS partition small, which reduces the restore time in case there's a problem.

9. Aug 26, 2011

### criel

I had this same issue. I had tried every imaginable thing to try and fix it, even reinstalling windows didn't fix it. I figured that viruses can't go through a reinstall so I wondered 'can wireless routers get viruses' and I read up on that. I switched to a new wireless router and the redirects went away.

10. Aug 26, 2011

### rhody

I may have a one stop, multiple pass solution to the problem. I am running Windows 7. I used Hitman Pro 3.5.9 Build 129 from SurfRight in the Netherlands.

You can download a 30 day free trial. I had to download it from a non-infected machine to a thumb drive, then launch it from the infected computer. Once installed, I had an issue I wasn't fully aware of, but became aware by reading other sources before I used this tool. Launch Hitman, on the main page, click settings button, then the proxy tab, and select, No Proxy. That is the way that the virus hijacks the google IP address by redirecting it. This ensures at least for now it won't be happening.

Next shut down all antivirus (so it would not start on reboot), then reboot your machine.

Run the Hitman, it took about 10 minutes. If infected, you will see rootkits, cookies, etc... and they will be marked repair or delete. Select repair, and let the machine reboot. Run Hitman again and see if any more trojans, rootkits, etc are dected. I had to do this three times because one layer essentially hid a deeper layer below, cute huh ? You may be told that the ..\AppData\Roaming\Microsoft\Windows\Cookies folder has cookies that should be deleted. For some reason on my machine that folder wasn't visible from Explorer, so I launched a shell, (cmd) from the windows start menu and navigated to that folder. I then deleted the unwanted cookies manually.

After reboot, rerun Hitman as many times as it takes to rid yourself of all trojans, rootkits, etc... and let the machine reboot. When you finally come up clean, then you are done. Restart your antivirus program, and reboot one more time, making sure your antivirus program starts successfully on boot. The using google search, click on the resulting links and ensure you are not being redirected. If this is ok, you are done.

I bought a three PC Lic for one year for 29.95 $Small potatoes when it comes to the hours of aggravation and research I spent trying to hunt down and fix all the errors that these nasty buggers did to my system. If anyone else tries it, following the steps I have listed above and FAILS, please report. If anyone else tries it and it works 100% please report that too. I want to make sure my case was not just a fluke. Good luck, now get to downloading... and... make it snappy !!! Rhody... P.S. Can anyone tell me how to make the ..\Cookies folder visible from explorer ? That would be nice, remember this is for Windows 7 only. 11. Aug 29, 2011 ### rhody Has anyone tried Hitman Pro ? with success ? Rhody... 12. Aug 29, 2011 ### jhae2.718 I use Linux almost exclusively these days, so my Windows memory is rusty, but I believe either the "show hidden files" or "show protected system folders" options in "Control Panel -> Folder Options" should do it. 13. Aug 30, 2011 ### rhody Hey jh, Tried that, these folders are NOT visible except using a command prompt. They are protected by Windows 7 somehow, there are other folders hidden there as well. I can do it with a script, but shouldn't have to. Thanks for taking the time to reply though. Rhody... 14. Aug 30, 2011 ### rcgldr I'm not sure about Windows 7, but try manually entering "Cookies" after reaching the folder it resides in, in the address bar of Explorer. This trick works for accessing "content.ie5" for Windows XP. Another alternative is to log out and log in as a different user (with admin rights), in which case folders with special names are not hidden. 15. Aug 30, 2011 ### rhody I am pretty sure it is the fact that I do not have logins enabled, and even when I mess with properties, security and enable visiblilty with subfolder propogation for system admin, and what I believe is my account (even though logins are not enabled) the folders do not show up. Any suggestions ? I have been fairly thorough and fastidious about this before posting the question, I don't want to waste anyone's time. Thanks... Rhody... 16. Aug 30, 2011 ### jhae2.718 What happens if you manually enter the directory path? If you can see the results, another solution would be to set an environment variable that you could type to access it. Also, can you get the security permissions for ./Cookies in cmd? 17. Sep 3, 2011 ### Mholnic- I've had this hit me a few times, running ComboFix would sort it out every time. 18. Mar 23, 2012 ### jambaugh I've just been struggling with this redirect$%#& as well. One final task I had to perform manually.

The TDSSKiller got rid of the malware but I had to manually remove the redirect in the host file.

On windows 7 check: C:\Windows\System32\drivers\etc directory. There's a file named host and host.umbrella edit this as admin and remove the lines directing google and bing to the malicious ip address.
delete:
Code (Text):

you can do this with a text editor but you'll have to temporarily make the file write enabled as admin (right-click properties...)

19. Mar 23, 2012

### Borg

I have been making edits to my hosts file for years. I never saw or heard of the host.umbrella file though. Are you sure that is a valid file and wasn't put there by the virus? I'm asking because Google didn't turn up much either way.

20. Mar 27, 2012

### jambaugh

...quick google... ahhh it looks like it was left there by a program tinyUmbrella when I was fiddling with my iPhone on my pc. Not related to this virus.

EDIT[ugg. too late to edit the post.]