
Thursday, February 4, 2010

Remove Google redirect virus

In this article you will find recommendations on how to remove the Search Engine Redirect virus, also known as the Google Redirect virus. It is usually called the Google redirect problem, but note that the redirect virus affects Yahoo and Bing search results too. This problem is very frustrating and unfortunately there is no one-click solution for it. The Google redirect virus is usually a by-product of other malicious software. Many people say that the problem remains after removing rogue security software or Trojans. In some cases anti-virus and anti-spyware programs remove the Trojans but can’t detect the changes made by the virus. Below is a list of things that you should do or check in order to remove the Google Redirect virus or fix the Search Engine Redirect problem.
  • Check Local Area Network (LAN) settings
  • Make sure that DNS settings are not changed
  • Check Windows HOSTS file
  • Manage Internet Explorer add-ons. Remove unknown or suspicious add-ons
  • Use TDSSKiller tool to remove malware belonging to the family Rootkit.Win32.TDSS
  • Scan your computer with legitimate anti-malware software (ComboFix)
  • Use CCleaner to remove unnecessary system/temp files and browser cache
  • Reset your Router back to the factory default settings

1. Check Local Area Network (LAN) settings
a) Open Internet Explorer. In Internet Explorer go to: Tools->Internet Options.
b) Click on “Connections” tab, then click “LAN settings” button.


c) Uncheck the checkbox under “Proxy server” option and click OK.


2. Make sure that DNS settings are not changed
a) Open Control Panel (Start->Control Panel).
b) Double-click “Network Connections” icon to open it.
c) Right click on “Local Area Connection” icon and select “Properties”.


d) Select “Internet Protocol (TCP/IP)” and click “Properties” button.


e) Choose “Obtain DNS server address automatically” and click OK.


3. Check Windows HOSTS file
a) Go to: C:\WINDOWS\system32\drivers\etc.
b) Double-click “hosts” file to open it. Choose to open with Notepad.


c) The “hosts” file should look the same as in the image below. There should be only one line, 127.0.0.1 localhost, in Windows XP, and two lines, 127.0.0.1 localhost and ::1 localhost, in Windows Vista. If there are more, remove them and save the changes. Read more about the Windows Hosts file here: http://support.microsoft.com/kb/972034
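One way to script the HOSTS file check from step 3, as an added example that is not part of the original article: the Python code below parses hosts-file text, skips comments and the two default localhost lines, and reports every other mapping, flagging entries that override the search engines named above. The function names and the sample file are constructed for illustration.

```python
"""Audit Windows hosts-file text for entries beyond the default loopback lines."""
import ipaddress

# The only active entries the article treats as normal (XP: first, Vista: both).
DEFAULTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Search engines the article names as affected by the redirect.
SEARCH_LABELS = {"google", "yahoo", "bing"}

# Constructed sample input, not taken from a real machine.
SAMPLE = """\
# Constructed sample hosts file; addresses are documentation/private ranges.
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com
203.0.113.10    search.yahoo.com
203.0.113.11    www.bing.com        # trailing comments are ignored
127.0.0.1       update.av-vendor.example
10.0.0.5        fileserver
not-an-ip       www.example.test
"""


def _active(raw):
    """Return the whitespace-split fields of a line with its comment removed."""
    return raw.split("#", 1)[0].split()


def _is_default(ip, name):
    """True if (ip, name) is one of the default loopback mappings."""
    try:
        addr = str(ipaddress.ip_address(ip))   # normalises 0:0:...:1 to ::1
    except ValueError:
        return False
    return (addr, name.lower().rstrip(".")) in DEFAULTS


def audit_hosts(text):
    """Return (line_no, kind, ip, hostname) for every non-default mapping."""
    findings = []
    # Strip a UTF-8 byte-order mark if the file was saved with one.
    for no, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        fields = _active(raw)
        if not fields:
            continue                           # blank line or pure comment
        ip, names = fields[0], fields[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, "malformed", ip, " ".join(names)))
            continue
        if not names:
            findings.append((no, "malformed", ip, ""))
            continue
        for name in names:
            host = name.lower().rstrip(".")
            if _is_default(ip, host):
                continue
            if SEARCH_LABELS & set(host.split(".")):
                kind = "search-engine-override"   # search traffic sent elsewhere
            elif addr.is_loopback or addr.is_unspecified:
                kind = "blocked-host"             # name pinned to the local machine
            else:
                kind = "extra-entry"              # may be legitimate; review it
            findings.append((no, kind, str(addr), host))
    return findings


def cleaned_hosts(text):
    """Return hosts text keeping only comments, blanks and default mappings."""
    out = []
    for raw in text.lstrip("\ufeff").splitlines():
        fields = _active(raw)
        if not fields:
            out.append(raw)
            continue
        keep = [n for n in fields[1:] if _is_default(fields[0], n)]
        if keep:
            out.append(f"{fields[0]}\t{' '.join(keep)}")
    return "\r\n".join(out) + "\r\n"


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %-22s %s -> %s" % finding)
    print(cleaned_hosts(SAMPLE))
```

Entries reported as `extra-entry` may have been added on purpose, so review the findings before saving the cleaned text over C:\WINDOWS\system32\drivers\etc\hosts.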



4. Manage Internet Explorer add-ons. Remove unknown or suspicious add-ons
a) Open Internet Explorer. In Internet Explorer go to: Tools->Manage Add-ons.
b) Uninstall unknown or suspicious Toolbars or Search Providers.


5. Scan your computer with legitimate anti-malware software.
Download at least one anti-malware program from the list below and scan your computer. Don’t forget to update it before scanning.

Download recommended anti-malware software and run a full system scan to remove this virus from your computer.





It's possible that an infection is blocking anti-malware software from properly installing. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. Don't forget to update the installed program before scanning.

Alternate malware removal tools can be used in case recommended anti-malware software has missed a threat:
6. Use TDSSKiller tool to remove malware belonging to the family Rootkit.Win32.TDSS
a) Download the file TDSSKiller.exe
b) Execute the file TDSSKiller.exe.
c) Wait for the scan and disinfection process to be over.
More detailed TDSSKiller tutorial: http://support.kaspersky.com/viruses/solutions?qid=208280684



7. Use CCleaner to remove unnecessary system/temp files and browser cache
CCleaner is a freeware system optimization tool. It’s not a malware removal tool. However, it’s always a good idea to get rid of unnecessary internet/system files or corrupted Windows registry values that may cause various problems on your computer. Download CCleaner.

8. Reset your Router back to the factory default settings
This step is optional and should be completed only if you have followed all the above recommendations and you still have the redirect virus on your computer. First of all, please follow this guide: How to Reset a Router Back to the Factory Default Settings. Then you should flush DNS cache:

1. Go to Start->Run (or WinKey+R) and type in "cmd" without quotes.


2. In a new window please type "ipconfig /flushdns" without quotes and hit Enter. And that's it!


These recommendations shouldn’t be too complicated. I hope this article was helpful. If you have any questions, don’t hesitate to ask. Comments are always welcome.


200 comments:

Anonymous said...

Thanks; I have been looking for quite some time now for solutions. Your info seems to be the best out there-- straightforward with direct download links. It's my turn to now try it all out.

Anonymous said...

This worked! Thanks for the solution and the clarity of presentation.

Deeply grateful.

Anonymous said...

Thanks
the description and step are clear and help me
get rid of my google redirect
thanks a lot

Admin said...

You are welcome!

Anonymous said...

Hi. I've had the Google redirect virus lately as well, however, mine is on mozilla firefox. If you have instructions relevant to mozilla, I'll be really grateful!! Thank you in advance.

Admin said...

Yes, I think I will have to include Mozilla Firefox in this tutorial too. Meanwhile, you can still complete these steps:

2. Make sure that DNS settings are not changed
3. Check Windows HOSTS file
5. Use TDSSKiller tool to remove malware belonging to the family Rootkit.Win32.TDSS
6. Scan your computer with legitimate anti-malware software (ComboFix)
7. Use CCleaner to remove unnecessary system/temp files and browser cache

Anonymous said...

I haven't even the problem and was impressed with the solution, might try it myself JUST to be sure :-)

Anonymous said...

I got up to the part about add-ons but I don't know which one is considered to be suspicious. I also scanned my computer twice with updated versions of Malwarebytes and avast. They found the trojans but I still get redirected.

Anonymous said...

Win XP: I did everything as per the very well written instructions. The TDSSKiller found nothing, ComboFix found nothing, CCleaner picked up some trash. But, the redirecting from what appears to be google still persists.

From start/Run, I enter "www.Google.com". It puts me into Google, but the Google name image is standard. However, when I do the same on an uninfected computer, the Google name image is a special graphic; not the standard. Could this mean that even before the redirection, I've been captured by the virus on the first PC?

I have spent hours using MalwareBytes, ComboFix, Hitman, AVG, and CCleaner to no avail. They all claim the computer is clean, yet the redirecting behavior still persists.
- Jim

Anonymous said...

I noticed a difference between an infected computer and a non-infected computer. When I go into a DOS command window and perform a ">ping http://www.google.com/", my non-infected computer resolves and completes the ping successfully; while the infected computer fails to resolve the url.

On my non-infected computer, the AVG link icons show up by each google search result item; while on the infected pc, the icons never show up (and they used to).

Also, the fact that the Google name today is supposed to be comprised of guitars and is on my non-infected pc; it is the std rendition of the Google name on the infected computer. It is my opinion that the redirect virus is more than mere redirection from google. I believe it hijacks the browser on the way into google and fakes being there, when in reality, it is somewhere else already.
- Jim

Anonymous said...

I am positive that the redirect virus is hijacking the PC by preventing it from ever reaching the real Google web site in the first place. Evidence: Notice the "@Year-Privacy" phrase in the middle of the form. For infected PCs, it reads "@2009-Privacy", while for uninfected PCs, it reads "@2010-Privacy".

The problem is not redirection after entering Google, but rather redirection before entering it.
- Jim

Anonymous said...

This worked very well for me for Firefox and Internet explorer. Thank you very much. I have been trying for two complete days to delete this virus!!

Anonymous said...

Thank you!

You have saved me a lot of hassle.

it worked perfectly

Ian said...

I run TDSS Killer, and it says press any button to continue. I do so, and it disappears, both from my screen and from the task manager. No scanning, no asking if I want to restart my computer, nothing.

Any idea?

Anonymous said...

THANKS A BUNCH!

Had strange behaviour while using Google, i.e. 'Cached' pages not appearing, sometimes redirected to Facebook, and so on...

Issue was DNS Servers, being 93.188.164.61 and 93.188.161.104 instead of those of my French ISP. I've corrected settings of course, and blocked these on ACL of my Cisco router, just in case ...

Again, a BIG THANK YOU!

Anonymous said...

I too have spent 2 days trying to clean this mess. Have done the exact steps here twice and still have the issue. Counter what "Jim" said above, I get redirected from Google or Yahoo on IE or Firefox -- all the same. Any new ideas on this? Thanks, Tom.

Darren said...

just use combo fix and it will be gone

Darren said...

here is the link for combofix http://www.forospyware.com/sUBs/ComboFix.exe
and here's a guide
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Anonymous said...

Just wanted to say a big thank you for your advice.

I had the same Google re-direct problem on both Firefox and Explorer. I went straight to the Combofix option and it looks to have resolved the issue. I've run the Combofix scan and followed the instructions and it looks to have done the job.

Many thanks again.

Anonymous said...

I have done all of this, run combofix, spybot, malwarebytes and still I have the redirect virus! Any suggestions?

Bijay said...

I'm using MAC. Are there any solutions for it?

gaztruman said...

Thank you very much.

I had posted a thread on a forum about this, then I found this and it worked a treat.

Great blog post, this virus was driving me mad.

Anonymous said...

Thanks so much for saving me many hours with tech support, with perhaps an inevitable format C at the end of it all. Combofix is KING! Kitty ate the virus, and now my PC is clean as a whistle again! TDSS Killer found the offending file (atapi.sys) and tried to delete it on reboot, but was foiled every time by the rootkit. But Combofix did the trick, and did it perfectly. Now TDSS Killer confirms I'm clean, and no more problems. Google Chrome loads fine again, and no redirects in IE. Thanks a million, my friend! (Don't forget to set a new Restore Point once you're clean, and then delete all the previous restore points.)

Warren said...

I seem to be back up and running well. Thanks soooooo much for posting the fix on this nightmare problem. BTW - Combofix demands money to fix your comp. So, I used Hitmanpro and it worked like a champ! Take care :-)

Anonymous said...

When I try to change the hosts file, it says make sure path and file name are correct. Help please.

Anna said...

OH MY WORD!!! GOD BLESS YOU!! Your instructions helped me to remove that google redirect BS off of my computer!!! I thought that I was going to have to re install windows or whatever and lose EVERYTHING!!!! God led me to this site but i kept trying other stuff before i came back to download the combofix because i was scared to use it... i've been working on my computer since i came home from work THIS MORNING AT 7AM!!!! It is now 10:47PM PEOPLE and the combofix and ccleaner removed that BS in less than 30 minutes!!!!!

Again Thank you!!

ChrisT said...

AWESOME - I went through all the steps and I didn't find anything to fix until I got to the TDSSkiller file - it found ONE file and deleted it upon reboot.

NOW I'M GOOD TO GO! woo hoo - I already had the Malwarebytes thing and it hadn't found anything, but this worked perfect.

Anonymous said...

Yes GOD Bless You !!

I'm finally back in business! Just when I felt like I lost control of my browser the way it kept redirecting my search links like mad. Just to add I also lost the ability to even perform Windows update.
I had this issue for days and this info here was what I was missing to fix it.
I too spent days of executing every adware and antivirus tool I could find. Today I ran a host file restore and combofix and yet STILL had a nasty piece left behind until I ran across this information posted here and found your suggestion about TDSSKiller. This discovered this was all due to the Rootkit.Win32.TDSS and thus cleaned it out. I went ahead and followed it up with CCleaner just to stay on target. WOW! I'm so pleased!
Everything's back to normal now so I think I'm ready to run one more overnight malware scan (for peace of mind) so I can make another good Windows restore point.

GUYS If anyone out there discovers their browser is behaving like what you read in these posts just follow the author's 7 steps in ORDER and I think you will be happy! .. cause I sure know I am =)
Thanks again!

Anonymous said...

Thank you - I had the redirect virus that occurred anytime I clicked a link in search results. I tried running Malwarebytes' Anti-Malware and Super AntiSpy but they said there was no infection. Then I ran ComboFix and the kitty removed the virus. Thanks again for posting this.

Anonymous said...

Phew.... thank god I found this site.... solved it straight away... it had been bugging me for weeks. Great information, presented in a logical way. Keep up the good work

Anonymous said...

I'm going to repeat what everyone else said, GOD BLESS YOU. I have been trying all day to figure this out. This is a great explanation and help.

Anonymous said...

Only ComboFix did it for me. It also deleted a few dlls from innocent programs, but nothing major. Thanks!

Anonymous said...

Thank you very much appreciated

Anonymous said...

Thanks for the info. Worked to fix my issue. Google redirect and Symantec HTTP: Tidserv Request found error.

Anthony said...

Outstanding thanks so much. Fixed my redirect issue as well as getting back my windows updates.

Anonymous said...

thank you! this is the only thing i found that did the trick for me!

Henry said...

Thank you! I'm not technically skilled at all and I was able to follow your very well laid-out instructions with no problems whatsoever. My problem has been solved and my computer is running better than ever. Keep up the good work!

Anonymous said...

Thanks a lot, worked perfectly

Anonymous said...

Hi, so when I try to save the HOST file I edit, it saves it as a different type of file. And still has the actual old HOST file saved there. How am I supposed to save it to replace the old HOST file? In my case, there were honestly a million or so lines after the line that says "localhost."

aleciaob said...

Thank you thank you! I'm not tech savvy, yet was able to follow your clear instructions.
For those that are having difficulty re-saving the edited host file, right click the original file before you edit it and make sure you UNCHECK 'Read-Only'. Then open the file with notepad, edit it and bob's your uncle.
Thanks so much.

Anonymous said...

I opened my hosts and had an unknown second host on there. I highlighted and deleted it, but then could not save... the program asked if I wanted to replace it which I said yes to, then received a popup notice that the file cannot be created and to make sure the file path and name are correct... I have not changed any information that pops up automatically, I only deleted the host that is shown as ::1 localhost on the notepad... Any ideas? (Read-only was not checked)

Anonymous said...

Thank You!!! I think TDSSKiller is what solved it, but I ran combo fix to be sure too.

Anonymous said...

I FREAKIN LOVE YOU!

Anonymous said...

Thank you for great info. I got rid of redirect virus using hitman pro. It detected and got rid of them for good. It was annoying few days.

Anonymous said...

I've run Hitman pro, TDSSKiller, and Combofix, but none of them detect anything on my computer even though I still get redirected on my searches. Maybe I should just reinstall the OS..?

Anonymous said...

Thank you so much. I've had this problem for ages. I've done system restores multiple times, thinking that it would do the trick, but it didn't. I've searched through so many sites, but all they did was describe it. They didn't really provide solutions. I've downloaded MalwareBytes which seemed to help the performance of my computer a little, but it didn't get rid of the Browser Hijacker. I even downloaded the Google Pack with the Spyware Doctor, but it completely messed with my computer. I'm so happy I found this site. The TDSSKiller definitely did the trick. I tried the ComboFix but it said something about not being able to rename the file. Thank you so much for your help. (:

Anonymous said...

I changed my hosts file and when i tried to save i got this error message:
"Cannot create the C:\WINDOWS\System32\drivers\etc\hosts file.

Make sure that the path and file name are correct."

Help me Please

Admin said...

Windows XP HOSTS file download link:
http://download.bleepingcomputer.com/misc/host-files/windows-xp/hosts

Save this file to the C:\WINDOWS\System32\drivers\etc\ directory.

Good luck!

Peter_out said...

Brilliant! There are so many confused, confusing & misleading quasi-solutions to this problem circulating.....some suggesting the same methods but none quite so effectual.....thankyou so much!!

Anonymous said...

I guess the virus is gone. TDSSKiller did not find any. I think the combofix deleted it. Thanks a bunch.

Anonymous said...

Just wanted to say thank you for such clear instructions. I had tried everything to get rid of this virus. It was flushing the DNS cache which did the trick. I would never have thought of that. You are the man.

Admin said...

You are welcome! :)

Rhoniel said...

thank you, it really works,

Just having a problem saving the 'hosts' file, I save it to desktop first, then delete the original and copy the new 'hosts' file to the same directory.

Anonymous said...

Thank you very much! I ran the Tdss killer and it cured it and the suspicious problem got deleted also!!!

Anonymous said...

I am at the part of the instructions to go into the etc. folder, but have nothing named "hosts". I have something that says "lmhosts.sam". Please help from here. Thanks so much!!!

Math-Aids.Com said...

I can not thank you enough!!! I have been fighting this for days!!! It worked perfectly.
My computer is now virus free!!!



Michael said...

Thanks for this great post. It worked. I really appreciated the step-by-step hand holding. It was do-able for a non-expert like me. Thanks again.

Anonymous said...

Can some one help me PLEASE
I have the redirect problem on multiple
computers (network)
I have run Hitman pro, TDSSKiller, and Combofix, but none of them detect anything on any computer
I still get the redirect problem on IE and chrome
My Host file on my computer has one line:
127.0.0.1 localhost
It does not have the info above like the
Windows XP HOSTS file download link: has
Is that my problem or is having a network?
I noticed that after i ran Combofix
it changed the modified date on the host file
Did ComboFix change this file?
Please help SOMEONE?

Anonymous said...

I found the best fix for the Yahoo redirect VIRUS
in our small office network
was to do
3. Check & Replace the Windows HOSTS file
and to
8. Reset your Router back to the factory default settings (Which i think solved my problem)
because i scanned with all the programs and
nothing worked until i reset the router
SO THANKS FOR THIS GREAT POST

Anonymous said...

Great post. Got rid of the beast with it and the help of TDSSKiller tool. Combofix is also a great tool (but takes a bit of faith and patience). Many thanks.

Anonymous said...

WOW!! Finally a post with concise, accurate instructions on how to get rid of this pain in the a.. virus. Thank you so much for posting these. After two and a half days I finally got my computer back. Thank you!

Anonymous said...

Ok I don't have this Google redirect virus. But I do have a redirect virus, google appears as normal ie the logo changes. My searches work but on the first instance when I click on a link I am sent to a site other than that indicated by google. Is this just a different breed of the same virus? I will try to rid myself of it using the excellent guide above, and come back to let you know if it worked.

Anonymous said...

Great info. This fixed my system after messing with it for a good part of a day. tdsskiller seems to be the step where the problem went away. I ran combofix before that and it found some things but still had the problem. I only wish I knew what site I went to to pick up that virus so I don't go there again.
Thanks a lot
Steve

starr said...

THANK YOU THANK YOU THANK YOU!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Anonymous said...

I can do everything you said except change the hosts file. There is a line under 127.0.0.1 that reads "::1 localhost"
but when I remove it and go to save, it says it can't create the file and asks me to make sure the path and file name are correct :(??

Admin said...

Hello,

The ::1 localhost entry is the default entry of Windows Host File. ::1 Localhost is the equivalent to 127.0.0.1 Localhost but using IPv6 protocol format.

Quote: In Windows, the default hosts file contains (inactive) comment lines followed by IPv4 or IPv6 localhost entries, or it may be blank.

# Comment
127.0.0.1 localhost
::1 localhost

You should keep it as it is. Good luck!

Anonymous said...

I followed all the steps but was still getting those google link mis-directs. So I went through the steps again and re-did step 4, (removing suspicious add-ons). I didn't have any suspicious add-ons, but there were three Java-type add-ons so I deleted them all (why not) and THAT fixed my problem.
No more mis-directs!!!!!! Thank you so much!!!!!! - this site is awesome!

Anonymous said...

I am in your debt for this AMAZING article
I was so frustrated how all my programs wouldn't open
Thank you!

Anonymous said...

Thank you, I have finally got rid of google redirect and my sound is working again - as previous poster said - i am in your debt, thanks :)

Anonymous said...

Following the steps listed here worked for me at first, but the next day the redirects started happening again. I used Hitman Pro 3.5 and it worked. If you use hitman pro, you may need to find your Windows installation disc. Anyway, the problem seems to be gone. Seems to be...

Anonymous said...

Thank you very much. The steps looked intimidating at first glance, but it was easy to follow once I tried. I wish I tried it the first time I saw it. It would have saved a lot of time.

The steps helped to get rid of audio and redirect problems. Although, I never got Malwarebytes to work without crashing. Now I am getting help at the malwarebytes forum.

Do you think I still have a virus?

Thanks!!

Anonymous said...

thanks for taking the time to help

Anonymous said...

Thanks so much! This worked for me! I had this virus for 2 months & did everything to get rid of it, but nothing worked until now!!
You're Awesome!!

Anonymous said...

You are great

Anonymous said...

Thank you for this advice. I downloaded the hitman, ran that and it seems to have cured the problem (hopefully!) I think it's only free for 30 days and then expires and you can then purchase it.
Thanks again :-)

Anonymous said...

Thanks much for your clear and easy to follow instructions. Problem solved. No more redirects.

Pathways Soul Coaching said...

Thank YOU so much!!! It worked!!! You totally rock!!!

Anonymous said...

I've had this problem for weeks and my IT consultant was unable to take care of it. The advice provided was easy to follow. My redirect virus was active on Google, Yahoo, and Bing and worked in Firefox, Internet Explorer, and Safari. Everything works perfectly now.

Thanks!!

Anonymous said...

THANK YOU THANK YOU THANK YOU!!!!!!!!!!!!
I tried so many solutions and this one actually worked and the directions were clear and concise. I really do appreciate the fact that I didn't have to get tricked into various "buy my product" scams.

Anonymous said...

Yeah!! It works again!! Your instructions were very easy to understand. Thank you!

Jacksmom said...

Help!!! I can do everything until I get to step 6 and it seems no matter which malware removal program I try to download, I get the download box, then within a few seconds I get a dialog box that says that Internet Explorer cannot open internet site. It says that the site is either unavailable or cannot be found, please try again later. Yet if I go directly to the site and attempt to download it, I get the same message. I am so frustrated as this is happening on our only computer, and now we can only log in on my husband's account. Can you please help me!?!?!?

Anonymous said...

Easy to follow instructions and only had to get as far as TDSSKiller to do the trick. Thank you.

Anonymous said...

Yay! So far it appears combofix has worked for me!

camille said...

i have windows 7 and my page under network connections looks nothing like yours and i do not know what to do.

Anonymous said...

I'm having the same trouble with my Commodore Amiga 1200! Any suggestions?

Anonymous said...

oh thank you so much..... it works..... i found the rootkit problem..... with spybot and tdsskill. thank you. and YHWH bless you

Anonymous said...

I've got this on Safari on my wife's itouch. That seems to be the only equipment affected on our network - all laptops and desktops are ok. I've tried deleting the DNS entries but this seems to have no effect. Anyone any ideas? Thanks in advance.

Anonymous said...

Thanks so much - this was the only set of directions that helped remove a virus no other site or post was able to, including my virus scan software.

GardenGirl said...

OK, I took my laptop to Staples to get rid of the virus, thinking that if I paid someone it would get taken care of more efficiently. Well $220 and 3 days without my computer later, I guess I should have just come here. They got rid of the trojan horse - but despite my attempts to get them to understand this virus and actually READ UP on it, they just put it through their regular tests. Now, I THINK (fingers crossed) after running ComboFix it looks like the computer is clean! Thank you so much! (and thanks for finding my rant on Twitter!)

Anonymous said...

I have XP and had redirected web pages every time, tracking cookies by the hundreds every day, I couldn't upgrade anything. I tried AVG, MS Essentials, Super Antispyware, and anything I thought might help. Nothing was found. I downloaded TDSS killer, ran it and everything works like new, plus I gained 3 Gigs of space. What a great fix, thanks again

Anonymous said...

tried some other websites' suggestions, and they actually made it worse.

this site worked for me, thanks!
tdsskiller and combofix

Anonymous said...

Have tried all of these and thought that it all fixed, but it's back again. No problems found by any scans, router reset to original factory settings. Redirecting occurs not all the time, and after trying back button several times often can get back to the topic was looking for. Also, totally random redirecting, and often to quite legitimate sites like Bing or AOL, with info.com being the most frequent.

Anonymous said...

Thanks. Followed all steps, but after running /flushdns it seems to have worked

Anonymous said...

Malwarebytes' Anti-Malware found & removed the Trojan first time round but it returned. I had to execute TDSSKiller then run Combofix, in fact I did every step in the sequence you set out, only then it seemed to work. Combofix requested the installation of MS Recovery Console during its scan. It also creates a logfile & directory on drive C:. WOW, what a business! I have a Virus Checker but it could not get rid of this virus. Your article & choice of products is TOPS! Can't thank you enough!!

Anothernonymouse said...

I am not using a router - I am plugged directly into the cable modem. I have run tdsskiller and all the usual scans, which all say my system is clean, but I still have the redirect virus.
Grateful for any suggestions.

Anonymous said...

Excellent Site and walk thru. This did the trick!!!

Anonymous said...

It works. I just did the TDSSKiller thing and it worked. Thanks a lot!

Renata said...

Thank you very much.

Anonymous said...

Thank yooooo! It worked!

Anonymous said...

Awesome instructions. Very easy to follow. Thank you!

Anonymous said...

my problem is i can't find the hosts file. all i have is hosts.ics and lmhosts. i went to microsoft website which is the link that u gave on instructions 3 and tried the automatic fix it program offered by microsoft and then i restart my computer.. when i check the folder the hosts file is still not there pls help!!!!

Sam said...

i can't seem to run tdss killer. i have saved it on the desktop and changed the name as some websites have suggested. I have tried running it in safe mode. it's just not going. is there any other solution?

Anonymous said...

This hasn't worked for me.

First off, TDSSKiller didn't find anything.
Then when it looked like the virus had been given the boot, it came back.

I'm using Google Chrome, if that matters at all.

Anonymous said...

Thanks man after 100 other fail "solutions" this one worked first time...and to note I'm using mozilla firefox and it cleaned it right up. I think combofix was the key for mine. Thanks again.

Nguyen Nguyen said...

I downloaded the TDSSkiller.zip and ran it, but nothing found in my computer, and the virus still remains in my computer. I don't know why. I follow all your steps. Please give me some advice. Thanks

Anonymous said...

Dude. You. Rock.

Anonymous said...

God bless you!!! I have been fighting for almost a week and couldn't find a solution but this finally worked! Thank you! I'm not a very tech savvy person but your directions made it simple and it worked. Thank you so much.

Anonymous said...

I can't thank you enough!!!

Kirby said...

Thank you for this clear outline.
TDSSkiller worked for me, to polish off the culprit.

Previously, my Emsisoft Anti-Malware free version picked up a couple of trojans, but didn't fix the google problem (I use Mozilla Firefox)
I also use AVG as my main scanner for links and the like. Was recommended the other one, because as has been mentioned before, sometimes one will pick up what another doesn't.

One thing I discovered - I needed an up-to-date version of Java to make Emsisoft complete the trojan clean up. But yes, the TDSSkiller did the trick for me, and I've made a fresh system restore point, so hopefully all will now be good. :)

Anonymous said...

Great article! Combofix did it for me. I want to just mention to the readers that the same redirect virus can affect computers in different ways. What works for one does not necessarily mean the same process will work for another. This article lays it out nicely and should be followed in the order presented. Good luck to all.

Anonymous said...

Help! My computer will not let me install combofix or Tdsskiller.

What do I do next?

Thanks

Anonymous said...

20110622
Ran the TDSSKiller and it seemed to work
The virus was redirecting any searches on
Google or Wikipedia
=
Tried to save the Local Host
as per instruction but wasn't successful.
=
This all started by clicking on
a fake Vista virus warning
=
Any way, problem solved.
Many thx.

Anonymous said...

YAY! IT WORKED! Thanks so much. I was getting really annoyed by this virus.

If I hear anyone complaining about the same problems, I'll be sure to link them here. :)

ShahM said...

Thanks..a lot..it worked for me..combofix did the trick..great tool

Anonymous said...

We tried every recommendation...these clean concise directions finally removed the malware and prevented a $400 tech support fee. Thank you very much!

Anonymous said...

I have this problem but I have it on Windows 7, not XP.

Anonymous said...

To All:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org
This Malware program Seems to have taken the virus out.
This is what was found in the register and deleted.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_XMLLookup (Hijacker.XMLLookup) -> Value: bak_XMLLookup -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_Application (Hijacker.Application) -> Value: bak_Application -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\bak_intl (Hijacker.intl) -> Value: bak_intl -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Thanks to all who posted.

Anonymous said...

Please post a version for Windows 7, I can't get past part 3 with this version.

Anonymous said...

Yesterday, I searched Hydraulic in the address line and my computer was redirected to Gateway. My search engine is Google. I am going to try this solution tonight. Is this invasive to the degree that it can capture all my passwords and log in to my financial accounts?

Anonymous said...

I love you, that is all.

Anonymous said...

Worked great - I just had the stupid plugin

Anonymous said...

Hi! I am a computer engineer. I got infected after running a supposed-to-be patch (he, he). It even looked suspicious and, instead of testing it in a sandbox first, I just ran it and got a redirect virus. (This is what happens when we stop following good practices.) I'd like to mention that after using ComboFix my computer would only boot from the "Last known configuration that worked". Then ComboFix would show some reports. This allows ComboFix to finish its job. To get the computer to boot normally again:
1. Make sure ComboFix has shown its final report (ComboFix.txt in the active partition).
2. The active partition also shows another report called TDSSKiller.2.5.13.0_dd.mm.yyyy_hh.mm.ss_log.txt
3. Run msconfig.
4. Choose the General tab.
5. Choose "Normal startup".
6. Restart the computer.

Silvana Santos said...

I carried out all the TDSSKILLER and COMBOFIX procedures.
My question is: after obtaining the COMBOFIX report, which site could help me with it?
When I ran COMBOFIX there was no save option; where do I find it so I can put a shortcut on the desktop? What does the shortcut icon look like?

Xzavier said...

Guys, here is the removal for the redirect virus. You need to check your Host file and lmHost file. You will see THOUSANDS of domain entries in there. Next, open the registry and go to these 2 hives: HKEY_LOCAL_MACHINE & HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Delete everything except microsoft.com. Also go to the Key P3P 2 folders up and delete the history. You will see THOUSANDS of entries! If you can, replace the entire KEY on both hives!!!

Anonymous said...

I can't save the hosts file :( help!!!

Anonymous said...

THANK YOU, this solved my problem with Google redirect! I especially appreciate the super clear directions, I wish all instructions for Windows machines were this straightforward.

- sara

Anonymous said...

Thank you very much. Not only did this fix my issues but it was extremely thorough with helping me solve other issues on my computer.

Anonymous said...

I just wanted to ask you guys if ComboFix runs safely. I read somewhere that it should only be used by experts and I'm not much of an expert. Does it delete saved data or personal folders, etc.? I am running Windows Home edition 64-bit and I have been struggling with this problem for a loongggg time. I followed every step until step 6, which is the part with ComboFix. I've used every other anti-malware program like Malwarebytes etc. I also wanted to know what exactly happens when you reset your modem. I have a Bell modem with a WEP key and I read online somewhere that once you reset ur modem, ur password or key might be gone....... NEED ANSWERS PLEASE!!!!!!!!

1 MORE THING....when you flush ur computer's dns, there are no files or anything that get deleted right?

I WANT TO RUN COMBOFIX BUT DON'T KNOW IF IT IS A SAFE OR GOOD CHOICE FOR MY COMPUTER BECAUSE I'M NOT LOOKING TO SPEND MONEY TO FIX IT.

Anonymous said...

In order to save the host file changes, I had to run notepad as an administrator. This was the only way it worked. I right-clicked on it, chose "run as administrator," and then made my changes.

Anonymous said...

YES THIS WORKED! I got the redirect from a FireFox add-on I can remember the day but not the file !! In fact I was shopping around for free virus scanners - and clicked on a fake downloader for Panda - never do this! Trust verified sites only!!!

Anonymous said...

I got the redirect virus in both Firefox and Explorer when using both Bing.com and google.com. Firefox is my default internet browser so I was under the impression that it's better than Explorer, but I was wrong. The worst part is I got the virus after owning a brand new laptop with a 15 month subscription from McAfee, which did not detect this virus. Anyway, the virus was removed using Malwarebytes but I followed the instructions in this page just to be sure. For over 24 hours, the virus seems to be gone. But I will keep scanning to be sure. I backed up the system files and everything the first day of owning this laptop, so the full recovery should not be too much of a headache.

Anonymous said...

I've done everything you said - LAN settings checked; DNS settings are not changed; Windows HOSTS file checked and changed; no Mozilla add-ons; downloaded TDSSKiller, nothing was found; scanned my computer with my anti-virus software - Webroot and Malwarebytes; ran CCleaner; and reset my router..... AND, I still have the same problem!!! Please help!!! :(

Anonymous said...

Wooow!! Thank you very much! ComboFix did the job. Thank you for this perfect tutorial!

Anonymous said...

ComboFix got it for me also. Hitman didn't which saddens me and neither did Malwarebytes. Thanks guys!

Anonymous said...

really appreciate ur help, man!!

Anonymous said...

Thank you.
It works with ComboFix.
Now I can see YouTube.

Anonymous said...

Had the redirect problem but no antivir program would properly clean it. Also noticed a "numbers:numbers.exe" process I couldn't kill, IExplore.exe processes I never started, and a TVNserver.exe process that would automatically restart if I killed it. I disabled System Restore, rebooted in Safe Mode (F8), then used the Search function to delete anything named TVNserver or IExplore. I then ran RegEdit and deleted all entries with those names in them. Rebooted and all is well now.

Admin said...

numbers:numbers.exe is a typical process related to the ZeroAccess rootkit. TDSSKiller should be able to remove it. If you are using a 32-bit system, you can use the ZeroAccess removal tool:

http://deletemalware.blogspot.com/2011/09/zeroaccesssirefefmax-rootkit-removal.html

Anonymous said...

Thanks very much for this extremely easy to follow step by step instructions on how to troubleshoot this problem.

All too often there's lousy help for stuff like this. But this was easy-peasy, livin greasy!

Anonymous said...

By JohnE
Thanks for the article.
I have the problem, but typing in the website address rather than clicking a link, or just deleting and going in again, was a workaround for me, but it is getting worse.
I wondered if the instructions at top take into account the comments made, lots of different descriptions (of the same problem?)
How can one block a reinfection of this kind of attack?
How could I monitor (separate screen?) and counter attacks as they happen?
Regards

Admin said...

It's a very widespread infection, no wonder there are lots of different descriptions of the same problem. The only way to keep your computer virus free is to use a solid antivirus product.

Anonymous said...

I had tried TDSSKiller, Hitman Pro, Malware Bytes, ComboFix, SUPER, to no avail. I even learned to live with the virus and remember to double-click a Google search result instead of clicking it once.

Then after a few weeks I downloaded ComboFix again, and saw this time it had been recently updated. Ran it, and it deleted the virus.

intrepiddevildog said...

Remove or stop 63.209.69.107 Redirect

I went into "Tools" then "Manage Extensions" (after updating to IE9 and downloading Microsoft Security Essentials, at Microsoft, totally free): http://www.microsoft.com/en-us/security_essentials/default.aspx

I found "SXNewVoice Module". I then disabled it. Then closed all tabs, then reopened it. Now things are searching OK. It has only been a few hours but good so far. Death to malware producers!!!

Name: SXNewVoice Module
Publisher: (Not verified) Sony Corporation
Type: Browser Helper Object
Version: 1.0.2.11210
File date:
Date last accessed: Today, October 23, 2011, 3 minutes ago
Class ID: {1024CB52-DFE7-460E-B781-46C4705DC81D}
Use count: 178
Block count: 0
File: TCPIPSys32.dll
Folder: C:\Users\MYNAMEDELETED\AppData\Local

intrepiddevildog said...

By the way, I also did all the things in the article. Very easy to follow. Thank you for your efforts.

Anonymous said...

Aaahhh!!! You guys helped me get rid of the xp antimalware hoax AND this redirect thing! You people freaking rock!!!

Anonymous said...

I have tried most of the steps but TDSSKiller won't work. I have a feeling that it will. I downloaded it and it scanned my computer. It found 17 threats; when I try to delete them I have to reboot my computer. When I do, I get this blue screen crash. And when I scan again the same 17 threats are found but I can't remove them! Please help

Anonymous said...

Um, I have two internet protocols, Version 4 and Version 6... which one do I choose?

Admin said...

Choose 4.

Anonymous said...

Man, you saved my day! many thanks for your post!

Anonymous said...

This one worked. I have been searching for 2 weeks for something that was easy to do. Excellent !!!

Anonymous said...

Thanks..Thanks...Thanks....:)

gurero said...

great info, works for me..thanks a lot ^^

Anonymous said...

I don't have that 127.0.0.1 line so I removed nothing O_O. Anyways I haven't completed all the steps yet but I hope it still works :D

Anonymous said...

Hello,
First of all: thank you!
An excellent guide in order to remove this virus
and ..indeed..it works.

Anonymous said...

Thanks!
Worked for me too. I used malwarebytes.

Anonymous said...

Thanks a lot.
It worked for me.
You are the man. Keep up the good work.

Thanks again.

Anonymous said...

Hello. So I have this redirect virus, I think. The main thing with my Firefox is that when I get redirected, if I go back to the Google search, right under the link I clicked on there is something that says "block all results from..." and it is either numbers or bizzclick,com. When I click on that, Google takes me to the Gmail login, after which I click backwards to the Google search and it does not redirect me any more. But I need to do that on every search so I do not get redirected, and also sometimes it does not want to take me back to the list of the search results so I can block this. After I got tired of doing this I decided to clean it. I checked everything you said, LAN and DNS settings and the Windows hosts file, also checked my Firefox add-ons and deleted some I found not familiar. I have the Norton antivirus program so I could not download Spyware Doctor; instead I scanned with Malwarebytes Anti-Malware, Spybot S&D, TDSSKiller, something similar that I found on another website (I forgot the name of it and I am not at home to check what it was), and also CCleaner. I also ran TDSSKiller, CCleaner and Malwarebytes Anti-Malware in safe mode. When I was running them in safe mode TDSSKiller detected some infections and cured them, I think; then I scanned with Spybot S&D in normal mode and it found some stuff that it deleted. After which it was weird, because I did a search on Google and it did not redirect me on all searches but it still redirected me on some of them. So I do not know what else to do. If you have any suggestions it will be awesome.
I would like to add that I am not really good with computers; I usually just ask Google what to do and now it has been very hard to ask anything there :D I think the main problem I have is the blzzclick website, but I did not find anything that says how to get rid of it except one that tells me to mess with the win32 system files, and I am not really sure I should do that when I am not that good with computers. Any help would be great. Thank you

Anonymous said...

I have a question. I have done this 3 times with no success, had the IT guy out twice and it always looks like it is gone but never is! It went away for about 3 hours then back?

KeefBeef said...

Thanks for this process.

I originally came across this problem as my Adwords Editor was not reaching Google.com for updates.

I worked through it step by step. My HOSTS file had been modified to redirect google, bing and yahoo to the IIS7 site.

I also ran Malwarebytes which took 5 hours and found nothing.

I then ran Combofix which found a rootkit called ZeroAccess and fixed it within 30 minutes.

Thanks

Slickinator said...

ComboFix has never demanded money, ever. It's one of the best.

Edoardo said...

The true working solution is using TDSSKiller.
After having removed all that the program found you'll probably have to fix the Master Boot Record.
For doing this you have to use the Recovery Console by the original windows DVD: load the disc and type 'R', after this select your Windows installation directory and type 'fixmbr' (without '). That's all.

Anonymous said...

You are a life savior. Was having the problem for 2 days, finally hit upon this post. Thanks a lot!!

Anonymous said...

OK so, I ran the TDSSKiller tool, and abnow.com is still there when I search something..

William G said...

I have been having issues with redirects and 404 Not Found nginx. All the research I found pointed to residuals from a virus I had removed. Well, I must say I finally found a cure. I ended up doing two things and am not sure if it was one or both. I went to MS and followed their steps for the host file in this location: C:\WINDOWS\system32\drivers\etc. Then downloaded Malwarebytes Anti-Malware, a free version from CNET. Whichever one did it, I am now able to click links on my browser and not get redirected, and am able to look up in Google. I am happy now.

Anonymous said...

It really worked... bloody abnow removed using TDSSKILLER TOOL.. GREAT JOB..
THANKS

Clay said...

Worked like a charm! Excellent site with good free information - thank you! The problem was with the Windows Hosts file (step 3). This particular bug also hides the file, so you have to change file settings by clicking on Tools>Folder Options>View>Show Hidden Files, and then you can use Windows Notepad to edit the file so it only contains the single command line "127.0.0.1 localhost" as stated in the instructions above (step 3).
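The hosts-file check that KeefBeef's and Clay's comments describe, written as a small Python audit. This is an added example, not part of the original thread or article; the watch list, the function names and the sample entries (documentation-range addresses) are assumptions.

```python
import ipaddress
import os
import sys

# Assumed watch list: the search engines commenters report being redirected.
WATCHED = ("google.com", "bing.com", "yahoo.com")
LOCAL_NAMES = {"localhost"}

# Constructed sample: the all-comment default quoted in the Windows 7 comments.
SAMPLE_CLEAN = """\
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
"""

# Constructed sample of a tampered file; addresses are documentation ranges.
SAMPLE_TAMPERED = """\
# Constructed sample, not taken from a real infection.
127.0.0.1       localhost
203.0.113.10    www.google.com google.com
203.0.113.10    search.yahoo.com   # inline comment is ignored
203.0.113.10    WWW.BING.COM
198.51.100.7    updates.example.net
not-an-ip       example.org
"""


def parse_hosts(text):
    """Yield (line_number, address, hostnames) for every active entry."""
    for number, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and inline comments
        if not line:
            continue
        fields = line.split()
        yield number, fields[0], [n.lower().rstrip(".") for n in fields[1:]]


def is_watched(name, watched=WATCHED):
    """True for a watched domain or any subdomain of it."""
    return any(name == d or name.endswith("." + d) for d in watched)


def audit_hosts(text, watched=WATCHED):
    """Return (line, kind, address, name) for each entry worth a second look."""
    findings = []
    for number, address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            ip = None
        if ip is None or not names:
            findings.append((number, "malformed", address, " ".join(names)))
            continue
        for name in names:
            if is_watched(name, watched):
                # Any override of a search engine name, whatever the address.
                findings.append((number, "search-override", address, name))
            elif not (ip.is_loopback and name in LOCAL_NAMES):
                findings.append((number, "unexpected", address, name))
    return findings


if __name__ == "__main__":
    default = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                           "System32", "drivers", "etc", "hosts")
    path = sys.argv[1] if len(sys.argv) > 1 else default
    with open(path, encoding="utf-8", errors="replace") as handle:
        for number, kind, address, name in audit_hosts(handle.read()):
            print(f"line {number}: {kind}: {address} -> {name}")
```

Reading the file does not need administrator rights; only saving changes does, as the comments above about running Notepad as administrator point out.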

Anonymous said...

Finally I solved the problem

Thanks a lot You are the best

David

Buck said...

THANK YOU TDSSKiller!
You saved me from having to do a full windows restore on my computer!

Anonymous said...

I got repeated 404 File Not Found nginx redirects after a multiple malware attack. I got this after the computer had been scanned and cleaned with AVG, SpyBot Search and Destroy and Malwarebytes. None of the solutions regarding proxy (which is what I thought was still causing it), bad add-ons or host file worked. TDSSKiller finally got the last lingering issue. 404 error is gone. I have heard in the past that Kaspersky was an excellent security program. Maybe I'll have to trade in AVG?

Anonymous said...

At long last I have fixed this problem! I have attempted to remove this bug several times now and downloaded half a dozen Malware removing tools, anti-spyware, and virus protection programs that have yielded little progress and no success ...Thank you so much for such a well articulated/presented resolution!

Anonymous said...

Didn't solve a dang thing :(

ben said...

Very useful. I cleared mine using ComboFix.

I nearly gave up last night and was ready to re-format and re-install Windows. I did one last search on google and found this article.

Listy said...

I can't get past the first step as it seems to have locked me out of Internet Options.

Anonymous said...

YAY! The TDSSKiller worked! Thank you so much! You are my hero! :)

Anonymous said...

Thanks! The TDSS Killer worked perfectly, Now I can surf the web without any issues :D Once again thanks.

Anonymous said...

dude..... YOU ARE AWESOME

MarieSelje said...

It didn't work. I have 2: TCP/IPv4 and TCP/IPv6. Which one to remove?

And I can't remove anything on hosts: # localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
What do I do?

Jazz said...

After 2 months of this virus, this site has helped me get rid of the virus finally!!! Thank you so much for your help!

Anonymous said...

Nothing else, but the TDSSkiller helped me to get rid of this rootkit. ACPI.sys was infected. I had found this site by the keywords of my PC behavior. Thank You!

Anonymous said...

I finally found something that removed the redirect virus on my PC. I just got this virus within the last 30 days. I have a Norton account and went there to see what they had to clean this up. I downloaded their “Power Eraser” software and ran it. It found a file titled dqzev.dll in my c:\users\[user]\appdata\local\ folder. The software removed the file and rebooted my PC. I no longer am redirected when I click on a link in search results.

Anonymous said...

Thanks to this post and the anon above me! I had to use ComboFix, TDSSKiller, Malwarebytes, Spyware Doctor, and SUPERAntiSpyware. Afterwards it started to redirect less but sometimes it would still redirect. So reading through all the comments, I tried the Power Eraser. I was already feeling hopeless but it worked! Already a few hours have passed and no problems. Later I will have to find a better way to protect my computer. Thank you so much for this blog!
(excuse me if I sent this twice)

Anonymous said...

How do I delete "suspicious" add-ons? Will only allow me to disable them..

Anonymous said...

Also: My Windows XP came on my computer. I do not have any discs, and some of these anti-virus programs want me to insert a disc when running them. How do I do this?
THANK YOU SO MUCH FOR YOUR WONDERFUL INSTRUCTIONS AND INFO IN LAYMAN TERMS! EASY TO UNDERSTAND WITH YOUR STEP BY STEP INSTRUCTIONS!!

Anonymous said...

Spyware Doctor ran the scan, or should I say scaM - reported I had 83 threats and then kept REDIRECTING me to "register", which means PAY for their FREE download before they would remove all these anti-virus "threats".

Anonymous said...

Worked perfect! good manual!!

Anonymous said...

Combofix worked...

Anonymous said...

Wow. Great article. it worked!

Guy said...

Great info - best I've found.

RE step 4: Specifically check in Firefox for addon "Performance Cache 1.0" By Identity Ltd. This apparently was the infection on my machine.

Also, Symantec has FixTDSS.exe tool. Some online sources say that FixTDSS.exe may work in cases where TDSSKiller.exe does not.

Good luck.

Anonymous said...

I had been looking everywhere for a solution to this redirect problem. I did everything you could think of and finding your page was the only solution that worked for me. The PC Tools Spyware Doctor found it right away, when no other program listed did. It's worth the 30 bucks you have to pay... THANK YOU SO MUCH

Lorraine said...

Do I need to back up anything on my computer before doing any of this?

Anonymous said...

I believe I've got this virus, but it does not always redirect me, but only sometimes. Is it possible?

Anonymous said...

I also had a strange dll that had nothing to do with windows "fontdmin.dll" delete that as a final step, it should be in "C:/windows/system32" somewhere, it might be hidden and protected too so a restart might be necessary

Anonymous said...

Nov. 15, 2012 - maybe I had the latest version, but I tried everything to get rid of this - auto, manual, you name it (McAfee couldn't find it, Malware couldn't find it, TDSS killer couldn't find it) - checking manual settings found nothing out of the ordinary - only thing that worked was ComboFix.

Anonymous said...

I also wanted to add, a way around the virus is to right-click and open your search result in a new tab - the first time you do this the virus still pops open a new window with its modified result - close that, then right-click again and open in a new tab and this time your result will open, and as long as you leave that window open, right-clicking and opening in a new tab will work.

Anonymous said...

I can't get rid of my Google redirect, I can't download any antivirus software that has a chance at finding rootkits and the Google redirect virus, even after renaming them. It makes me feel as if the virus is protecting itself.

BT said...

ComboFix worked for me.

TDSSKiller did not solve the problem.
CC cleaner did not solve it
AVG anti-virus did not solve it

combofix DID solve it for me.


Thank you.

Anonymous said...

I have this insidious virus (Windows 7) and cannot get rid of it. My hosts file has a second line (":: local host"), but when I delete that line I'm unable to save it. I'm told I don't have permission to save it in that location. So I went to the Microsoft support link and it says that the 2nd line SHOULD be there!?! I've done Malwarebytes, which found & quarantined 2 problems - Hijack.ExeFile & Exploit.Drop.9. I've done CCleaner & TDSS Killer. If I go back to factory settings (saved on disk after purchase), will this get rid of the beast? PS. Two other computers use the same router and they are not infected.

Anonymous said...

Thanks the instructions seem to be working, will see in a day or two if this is the final solution.

Anonymous said...

My "hosts" file has two lines, but I can't provide administrator permission to save the file - which strikes me as weird because I am the administrator.

My specific problem is being redirected to "start.sweetpacks.com" - I've run SpyHunter 4 and it picks up a bunch of malware, but I have to buy the full version to remove it. Is there a specific program that will remove sweetpacks?

Anonymous said...

THANK YOU SOOOOO MUCH :D I love you <3. This helped meee