How does Google Search Redirect Virus work? And how to get rid of it?

  • #1
193
1
It is in my desktop now; every time I click a Google search result, I get redirected to some unknown website (the same thing happens with IE, Firefox and Chrome). I use AVG at home and did several whole-computer scans; it couldn't find anything wrong.

However, if I am connected to the internet, an AVG warning will pop up once in a while alerting that some threat was found in one of my local temp folders. But when I click the button to throw that into the vault, AVG just tells me the threat cannot be located... If I am disconnected from the web, no alert pops up.

So, how does this work? Where is it hiding itself? I searched on the web and was told to look at the HOSTS file, except that I couldn't even find the file in the directory it is supposed to be in (C:\WINDOWS\system32\drivers\etc; I only see 4 files: lmhosts.sam, networks, protocol and services. I am running Vista). Did the virus manage to delete my hosts file? If so, what is the browser reading then?

I also tried System Restore to restore to an earlier restore point, and after that I enjoyed normal Google search for the first 5 minutes. Of course, I celebrated way too early; the virus/trojan is obviously smarter than me and greeted me once again in all Google searches.

Does this sound familiar? Any suggestion/insight would be much appreciated. I am not very smart in networking and don't understand TCP/IP etc., so a lot of what I found on the web is way too difficult for me to understand. Though I definitely would like to learn more about these things if someone could explain them to an amateur.
 

Answers and Replies

  • #2
Borg
Science Advisor
Gold Member
1,881
2,370
Windows hides system files by default. I'm not sure if the hosts file is considered as one though. As a start, try the instructions on this site.
http://www.computing.net/answers/security/google-search-redirect-virus/24167.html [Broken]

If the above link is too difficult, you could try this link. It won't rid your computer of the virus but should turn it off so that you can work on getting rid of it permanently.
http://www.ehow.com/how_5842581_remove-google-redirect-virus.html
 
  • #3
186
1
Hmm... My bro's computer had the same problem. I Googled "Miranda Rights" and it redirected me to some other websites. Prior to this, I was battling a bit of malware, but I got rid of it now. I believe a couple of days later he got the Google Redirect virus. So I didn't get to it until now, and I believe I fixed it. Download this program called rkill.

http://www.bleepingcomputer.com/download/anti-virus/rkill

I ran it and it got rid of it. So far so good. Let me know how that goes.
 
  • #4
537
2
I also tried System Restore to restore to an earlier restore point, and after that I enjoyed normal Google search for the first 5 minutes. Of course, I celebrated way too early; the virus/trojan is obviously smarter than me and greeted me once again in all Google searches.
In that case, I wonder if a good approach would be, every few months or so, to copy the entire "Windows" and "Program Files" folders to an external drive, or to DVDs. Then, if a virus occurs, copy them back to the hard drive to overwrite everything. Then I think System Restore should take care of the registry. Would this fix a virus? But perhaps this wouldn't work because the corrupted file(s) would be "currently in use" and therefore not overwritten -- or would booting in Safe Mode prevent that?
 
  • #5
167
0
You should make sure that your proxy settings have not been changed in the IE settings.
(The proxy should be disabled).
You should also make sure that you don't have a strange website set as your home address.

The fix on bleepingcomputer above should fix the problem also.
 
  • #6
It's a form of the Alureon virus that sneaks into your computer with a printer process, so Windows doesn't suspect a thing. It cloaks itself pretty well from anti-virus as well, and in my experience when I had it, I could not run or install new software that would help get rid of it.

The only way to remove it is to do so manually with careful steps. Have you been able to use your keyboard or mouse? I ask because sometimes it affects your devices too.

You might find this useful
http://www.squidoo.com/google-redirect-virus-removalz [Broken]
 
  • #7
rhody
Gold Member
630
3
It's a form of the Alureon virus that sneaks into your computer with a printer process, so Windows doesn't suspect a thing. It cloaks itself pretty well from anti-virus as well, and in my experience when I had it, I could not run or install new software that would help get rid of it.

The only way to remove it is to do so manually with careful steps. Have you been able to use your keyboard or mouse? I ask because sometimes it affects your devices too.

You might find this useful
http://www.squidoo.com/google-redirect-virus-removalz [Broken]
I have the same thing; thought I had successfully killed it, no dice. I bought a tool that ID'd a proxy setting and said it would repair it. Ran it and still, it is there. I have an e-mail in to their tech support with a screen grab and their summary report .xml file to ask how to proceed from here. The previous two days I used every free tool and must have watched at least 4 or 5 videos suggesting how to get rid of it. The free tools, Kaspersky, anti-malwarebytes, and one other whose name escapes me at the moment, by themselves and combined did not do the job either, as the OP, Chingkui, stated. I feel your pain, man, this thing is a royal pain in the ... If I achieve success, real lasting success, I will report back on how I did it. That doesn't guarantee it will work for you, but my main symptom is that after a Google search any link I click is redirected to some stupid AD site. I realize the IP address is being hijacked in a clever way by some proxy DNS method.

Rhody... :grumpy:

P.S. I use Firefox, and it changed my proxy settings. I changed it to use none, but after a short time appearing to be fixed, it came back, and the settings menu still showed no proxy selected, so it (the virus) found its way around that too. I figure, since I spent a few bucks on the tool (which will remain nameless for now) which advertises it will fix it, I am hoping it is some new variant they haven't seen yet. Since this thread is only a week old, it is a possibility.
 
  • #8
rcgldr
Homework Helper
8,708
534
I wonder if a good approach would be, every few months or so, copy the entire "Windows" and "Program Files" folders to an external drive.
I do something similar. I install the OS on one partition of a drive, and a second OS on a different partition (usually a different hard drive). I then boot into the second OS and copy the entire partition of the primary OS to a partition on a second hard drive to back up the OS partition, and then do a compare with a program like windiff to verify the backup. I also save the volume serial number of that partition in a text file. If a problem occurs, I boot into the second OS, quick format the first OS partition, then manually "restore" the volume serial number of that partition using a volume serial number changer (I have to restart after doing this with the tool I use), then I copy the OS from the backup image and do a verify. This works fine for Windows XP, but I'm not sure about Windows 7. To save time, I use separate partitions for OS, applications, and data. This keeps the amount of data in the OS partition small, which reduces the restore time in case there's a problem.
 
  • #9
4
0
I had this same issue. I had tried every imaginable thing to try and fix it; even reinstalling Windows didn't fix it. I figured that viruses can't survive a reinstall, so I wondered 'can wireless routers get viruses' and I read up on that. I switched to a new wireless router and the redirects went away.
 
  • #10
rhody
Gold Member
630
3
I may have a one-stop, multiple-pass solution to the problem. I am running Windows 7. I used Hitman Pro 3.5.9 Build 129 from http://www.surfright.nl/en [Broken] in the Netherlands.

You can download a 30-day free trial. I had to download it from a non-infected machine to a thumb drive, then launch it from the infected computer. Once installed, I had an issue I wasn't fully aware of, but became aware of by reading other sources before I used this tool. Launch Hitman; on the main page, click the settings button, then the proxy tab, and select No Proxy. That is the way the virus hijacks the Google IP address by redirecting it. This ensures, at least for now, it won't be happening.

Next, shut down all antivirus (so it will not start on reboot), then reboot your machine.

Run Hitman; it took about 10 minutes. If infected, you will see rootkits, cookies, etc., and they will be marked repair or delete. Select repair, and let the machine reboot. Run Hitman again and see if any more trojans, rootkits, etc. are detected. I had to do this three times because one layer essentially hid a deeper layer below, cute, huh? You may be told that the ..\AppData\Roaming\Microsoft\Windows\Cookies folder has cookies that should be deleted. For some reason on my machine that folder wasn't visible from Explorer, so I launched a shell (cmd) from the Windows start menu and navigated to that folder. I then deleted the unwanted cookies manually.

After reboot, rerun Hitman as many times as it takes to rid yourself of all trojans, rootkits, etc., and let the machine reboot. When you finally come up clean, then you are done. Restart your antivirus program, and reboot one more time, making sure your antivirus program starts successfully on boot. Then, using Google search, click on the resulting links and ensure you are not being redirected. If this is OK, you are done.

I bought a three-PC license for one year for $29.95. Small potatoes when it comes to the hours of aggravation and research I spent trying to hunt down and fix all the errors that these nasty buggers did to my system.

If anyone else tries it, following the steps I have listed above, and FAILS, please report. If anyone else tries it and it works 100%, please report that too. I want to make sure my case was not just a fluke. Good luck, now get to downloading... and... make it snappy!!! :approve:

Rhody... :biggrin:

P.S. Can anyone tell me how to make the ..\Cookies folder visible from Explorer? That would be nice; remember this is for Windows 7 only.
 
  • #11
rhody
Gold Member
630
3
Has anyone tried Hitman Pro? With success?

Rhody...
 
  • #12
jhae2.718
Gold Member
1,161
20
P.S. Can anyone tell me how to make the ..\Cookies folder visible from Explorer? That would be nice; remember this is for Windows 7 only.
I use Linux almost exclusively these days, so my Windows memory is rusty, but I believe either the "show hidden files" or "show protected system folders" options in "Control Panel -> Folder Options" should do it.
 
  • #13
rhody
Gold Member
630
3
I use Linux almost exclusively these days, so my Windows memory is rusty, but I believe either the "show hidden files" or "show protected system folders" options in "Control Panel -> Folder Options" should do it.
Hey jh,

Tried that; these folders are NOT visible except using a command prompt. They are protected by Windows 7 somehow; there are other folders hidden there as well. I can do it with a script, but shouldn't have to. Thanks for taking the time to reply though.

Rhody...
 
  • #14
rcgldr
Homework Helper
8,708
534
Can anyone tell me how to make the ..\Cookies folder visible from explorer?
I'm not sure about Windows 7, but try manually entering "Cookies" after reaching the folder it resides in, in the address bar of Explorer. This trick works for accessing "content.ie5" for Windows XP. Another alternative is to log out and log in as a different user (with admin rights), in which case folders with special names are not hidden.
 
  • #15
rhody
Gold Member
630
3
I'm not sure about Windows 7, but try manually entering "Cookies" after reaching the folder it resides in, in the address bar of Explorer. This trick works for accessing "content.ie5" for Windows XP. Another alternative is to log out and log in as a different user (with admin rights), in which case folders with special names are not hidden.
I am pretty sure it is the fact that I do not have logins enabled, and even when I mess with properties, security, and enable visibility with subfolder propagation for system admin and what I believe is my account (even though logins are not enabled), the folders do not show up. Any suggestions? I have been fairly thorough and fastidious about this before posting the question; I don't want to waste anyone's time.

Thanks...

Rhody...
 
  • #16
jhae2.718
Gold Member
1,161
20
What happens if you manually enter the directory path? If you can see the results, another solution would be to set an environment variable that you could type to access it.

Also, can you get the security permissions for ./Cookies in cmd?
 
  • #17
43
0
I've had this hit me a few times; running ComboFix would sort it out every time.
 
  • #18
jambaugh
Science Advisor
Insights Author
Gold Member
2,221
254
I've just been struggling with this redirect $%#& as well. One final task I had to perform manually.

TDSSKiller got rid of the malware, but I had to manually remove the redirect in the host file.

On Windows 7 check the C:\Windows\System32\drivers\etc directory. There's a file named host and host.umbrella; edit this as admin and remove the lines directing google and bing to the malicious IP address.
delete:
Code:
<malicious ip address> www.google.com
<malicious ip address> www.bing.com
You can do this with a text editor, but you'll have to temporarily make the file write-enabled as admin (right-click, Properties...).
 
  • #19
Borg
Science Advisor
Gold Member
1,881
2,370
I have been making edits to my hosts file for years. I never saw or heard of the host.umbrella file, though. Are you sure that is a valid file and wasn't put there by the virus? I'm asking because Google didn't turn up much either way.
 
  • #20
jambaugh
Science Advisor
Insights Author
Gold Member
2,221
254
I have been making edits to my hosts file for years. I never saw or heard of the host.umbrella file, though. Are you sure that is a valid file and wasn't put there by the virus? I'm asking because Google didn't turn up much either way.
...quick Google... ahhh, it looks like it was left there by a program, tinyUmbrella, when I was fiddling with my iPhone on my PC. Not related to this virus.

EDIT[ugg. too late to edit the post.]
 
  • #21
jim hardy
Science Advisor
Gold Member
2019 Award
Dearly Missed
9,839
4,879
Now it's a "DLINK Redirect Virus" that takes one, instead of where he wants to go, to www1.dlink.com, which is a search-looking page that won't let you go anywhere.

This showed up shortly after the kids installed a d-link brand router.
Removing the router removes the symptom, but one cannot trust anything when troubleshooting computers.
I suspect a virus.

But just in case, the router is now sitting outside in the rain and will be dispatched as soon as I decide whether by 12-gauge or .303. The latter is easier to clean afterwards.

There are hundreds of hits from a search on D-Link virus - you'd think that company would be actively trying to save their reputation like Tylenol did.

Anyone here fluent in this particular malware?

EDIT: Making www1.dlink.com a 'restricted site' with the highest security setting, under IE10's 'Internet Options' tool, seemed also to clear the symptom.
But right now in my household anything named Dlink suffers from brand name association with a bad experience.

old jim
 
  • #22
Borg
Science Advisor
Gold Member
1,881
2,370
EDIT: Making www1.dlink.com a 'restricted site' with the highest security setting, under IE10's 'Internet Options' tool, seemed also to clear the symptom.
But right now in my household anything named Dlink suffers from brand name association with a bad experience.

old jim
I would still modify the hosts file to completely restrict any access to that site. That's the best way to really stop a site from being accessed. If you're not familiar with editing the hosts file, here are the steps and a general description. I'm putting in extra detail for those who may not be familiar with some terms:

  • Open C:\Windows\System32\drivers\etc\hosts with a text editor like Wordpad
  • For each site that you wish to block, add a line entry like this one:
    127.0.0.1 *.myblockedsite.com
  • Save the file.

The entry tells Windows to redirect internet access for anything under myblockedsite.com to go instead to the 127.0.0.1 (localhost) address. Localhost is the standard address for your computer. Since there isn't a website running on your computer, nothing ever gets returned and the browser will display a standard message about the website not being found.
 
  • #23
jim hardy
Science Advisor
Gold Member
2019 Award
Dearly Missed
9,839
4,879
Thank you, Borg!

Wordpad cautions me that it is about to strip all formatting

so I cancelled out.

I notice hosts is file type "file"
will wordpad store it as such?

I'm apprehensive; will experiment on a copy.

jim
 
  • #24
Borg
Science Advisor
Gold Member
1,881
2,370
Thank you, Borg!

Wordpad cautions me that it is about to strip all formatting

so I cancelled out.

I notice hosts is file type "file"
will wordpad store it as such?

I'm apprehensive; will experiment on a copy.

jim
Don't worry about the formatting. It's just a simple text file and the formatting can be stripped without hurting anything. Of course, the rule of thumb is to always back up files like that before editing them.

I'm guessing that you have the default Windows setting to hide file formats. The hosts file has no file format, hence Windows calling it a "file". I.e., its full name is just "hosts" and nothing like "hosts.txt". When you save it with Wordpad or Notepad, make sure it isn't trying to save it as a .txt file. As long as you don't end up with two hosts files, it probably worked.

Note that a # at the beginning of a line indicates a comment that is ignored. Only the lines without the # actually do anything, so your file probably has only one or two at most. If you have a bunch of entries that you didn't add, it is likely a virus that added them - especially if they don't point to 127.0.0.1.

Feel free to PM me if you have any questions.
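Borg's blocking recipe and his note that entries not pointing at 127.0.0.1 are probably malware-added, together with jambaugh's finding of google/bing lines pointing at a malicious IP, can be turned into a small audit. The script below is an added example and is not code from this thread or from any tool named in it. It parses a hosts file in the Windows format (one address followed by one or more hostnames, `#` starting a comment), reports entries whose hostname is sent to an address other than a loopback or unspecified "sinkhole" address (the redirect pattern), reports lines containing `*` (Windows matches hosts entries by exact name, so a wildcard line blocks nothing), and reports duplicated hostnames. The sample hosts content is constructed, and the 192.0.2.45 address in it is from the documentation range, not a real malicious IP.

```python
"""Audit a Windows-style hosts file for redirect-type tampering.

Added example for this thread; not the forum's or any vendor's code.
Usage: python hosts_audit.py [path-to-hosts]
Without a path it audits the constructed SAMPLE_HOSTS below.
"""
import ipaddress
import sys
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Constructed sample: the normal Microsoft header, one legitimate block
# entry, and then the kinds of lines this thread talks about.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1    myblockedsite.com
127.0.0.1    *.myblockedsite.com
0.0.0.0      ads.example.net
192.0.2.45   www.google.com    # constructed; 192.0.2.0/24 is a documentation range
192.0.2.45   www.bing.com
127.0.0.1    myblockedsite.com
"""


@dataclass
class Finding:
    kind: str        # "redirect", "wildcard", "duplicate" or "bad_address"
    lineno: int      # 1-based line in the hosts file
    hostname: str
    address: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, List[str]]]:
    """Yield (lineno, address, hostnames) for every active line.

    Anything after '#' is a comment; lines with fewer than two fields
    carry no mapping and are skipped, as the resolver skips them.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield lineno, fields[0], fields[1:]


def is_sinkhole(address: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) targets,
    the only addresses a deliberate blocking entry should point at."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text: str) -> List[Finding]:
    """Return findings in file order; an empty list means nothing odd."""
    findings: List[Finding] = []
    seen = set()
    for lineno, address, hostnames in parse_hosts(text):
        try:
            ipaddress.ip_address(address)
            valid = True
        except ValueError:
            valid = False
        for name in hostnames:
            key = name.lower()
            if "*" in name:
                # hosts entries are exact names; a wildcard line is inert
                findings.append(Finding("wildcard", lineno, name, address))
            elif not valid:
                findings.append(Finding("bad_address", lineno, name, address))
            elif not is_sinkhole(address):
                # a real site sent somewhere other than localhost: the
                # redirect symptom described in this thread
                findings.append(Finding("redirect", lineno, name, address))
            elif key in seen:
                findings.append(Finding("duplicate", lineno, name, address))
            seen.add(key)
    return findings


def main(argv: List[str]) -> int:
    # On Windows the real file is C:\Windows\System32\drivers\etc\hosts
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = audit_hosts(text)
    for f in findings:
        print(f"line {f.lineno}: {f.kind:11s} {f.hostname} -> {f.address}")
    print(f"{len(findings)} finding(s)")
    return 1 if any(f.kind == "redirect" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sample it reports the wildcard line, the two redirect lines for google and bing, and the duplicated block entry; the two sinkhole entries pass. Pointing it at a real hosts file gives the same kind of list, and a non-zero exit status whenever a redirect entry is present, which makes it easy to drop into a scheduled check.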
 