Remove Google Redirect Virus

Name: Google Redirect Virus
Type: Rootkit (search-result hijacker backed by a kernel-mode rootkit)
Short Description: Injects redirect scripts into legitimate Google search results.
Symptoms: Clicking a search result leads to a third-party site of unknown origin instead of the intended page; the infection is difficult to remove.
Distribution Method: Clicking a malicious link; opening an infected email attachment.

Google Redirect Virus is among the most annoying, persistent and difficult-to-remove infections currently circulating on the web. It hijacks Google search results: users report that clicking on a result takes them not to the page they chose but to an unrelated third-party site. Those landing pages are dangerous in themselves, since they are typically scam pages, adware or PUP (potentially unwanted program) installers, or sites that serve further malware.

How Does Google Redirect Virus Affect the User’s Computer?

On an infected PC a Google search returns the usual list of results, but clicking on any of them sends the browser to advertising pages or to hoax pages built to trick the user into handing over personal information.
The same infection hijacks other search engines as well, which is why it is sometimes called Yahoo Redirect Virus or Bing Redirect Virus. Newer variants have been named Happili Redirect Virus and Nginx Redirect Virus. All of these symptoms are produced by the same family of infections.

More About Google Redirect Virus

According to a report by Enigma Software's researchers, the virus has been observed redirecting to many suspicious sites, the most notorious of which are:

  • search.babylon.com (one of the best-known browser-hijacker search engines)
  • livejasmin.com (ad-supported adult website)
  • adf.ly (a legitimate ad-supported link shortener that has been abused for malvertising)
  • neatsearchserver.com (known association with the ZeroAccess rootkit)

Besides those, many other sites have been reported in association with this virus:

→“Search.babylon.com, scour.com, blinkx.com, Worldslife.com, Blendersearch.com, Bodisparking.com, coolsearchserver.com, webplains.net, find-fast-answers.com, search-netsite.com, toseeka.com, AboutBlank, La.vuwl.com, 10-directory.com, 63.209.69.107, 67.29.139.153, 7search.com, adorika.com, adf.ly, admarketplace.com, alive-finder.com, alltheservices.com, articlemule.org, asklots.com, ave99.com, b00kmarks.com, background-sleuth.net, bargainmatch.com, beoo.com, bestdiscountinsurance.com, bestsearchpage.com, bestclicksnow.com, bestmarkstore.com, bestwebchoices.com, bestwebsearch.com, bidsystem.com, secure.bidvertiser.com, britewallet.com, budgetmatch.net, buzzclick.com, celebrity-gossip.net, cheapstuff.com, citysearch.com, clicksor.com (Clicksor), clkads.com, feed.clickbizz.com, comparedby.us, comparestores.net, couponmountain.com, digitaltrends.com, easilyfindlocal.com, everythinghere.com, evoplus.com, expandsearchanswers.com (expand search answers), fastfinder.com, feedsmixer.org (starFeedsMixer), find-quick-results.com, FilesCup.com (FilesCup), findexmark.com, find-answers-fast.com, Zinkwink.com, us-srch-system.com, finditreport.com, findology.com, finderquery.com, findstuff.com, flurrysearch.com, forless.com, gimmeanswers.org, glimpse.com, google-redirect.com, googlesearchserver.net, get-search-results.com, goingonearth.com, goodsearch.com, gomeo.co.uk, gossipcenter.com, gquestionnaire.com, greatsearchserver.com, greenluo.com, grooveswish.com, guide2faucets.com, happili.com, HelloLocal.com, hyperpromote.com, informationgetter.com, inruo.com, jerseyscatalog.com, juggle.com, k100searches.com, YouPorn, liutilities.com, livejasmin.com (creative.livejasmin.com popups), local-search-pages.com, localpages.com, localsearchbug.com, lowpriceshopper.com, manufacturersdirectory.com, multifind24.com, mybestclick.net, mycustomsearch.cn, mydealchoices.com, mydealmatch.com, mylocalhero.com, neatsales.com, neatsearchserver.com (neat search server ZeroAccess rootkit), 
netsearchfinder.com, netshoppers.com, nexplore.com, privacycheck.ru, Pulse360.com, qooqle.com, questyes.com, quick-search-results.com, quick-suggest.com, redirectsite.net, results5.google.com, safecompare.com, saveandcoupon.com, savecompare.com, savingwithads.com, scoursearch.net, search-redirector.com, searchforall.info, searching4all.com, search-results.com (int.search-results.com), searchbacon.com, searchdiscovered.com, searchqu.com, searchqualitysites.com, searchnext.com, searchspice.com, shopcompare.net, shopcompareus.com, shopfinded.com, shopica.com, shopica.com/search, shopzilla.com, socialsurvey2011.info, Social Search Redirect, Search-netsite.com, kitchenrenopages.com, kingtopsearch.net, kiseek.com, lawyerinsight.org, letsbuystuff.com, njksearc.net, qooqlle.com, Storeordersonline.com, somesearchsystem.com, startnow.com, startsearcher.com, supersearchserver.com, TabDiscover.com, tazinga.com (tazinga!), theifinder.com, Thewebtimes.com, Marveloussearchsystem.com, merchantsnearby.com, monstermarketplace.com, mooter.com, TheTop10.com, tubedownloader.com, theyellowpages.com, theyellowpagez.com, topdaodrugs.com, tubedownloader.com, Therelatedsearch.com, unblock-us.com, valueapproved.com, vshare.toolbarhome.com (vShare), vehiclefind24.com, whatcarefreefeelslike.com,weeklycontestwinner.org, weeklyusa-winner.com, webshoppinghelper.com, webresults6.org, yellowmoxie.com, search.yellowise.com, ylwbook.addresses.com, youfindmore.com and Zwankysearch.com.”

Malware like this does not announce itself. It aims for the opposite: to stay hidden on the machine for as long as possible while monitoring what the user does online. Its operators infect PCs on a massive scale as part of campaigns that bring them several kinds of benefit, chiefly profit and information about the victims. One user's data is worth little on its own, but collected at scale it makes the operators powerful. The redirects themselves earn money through pay-per-click and affiliate schemes: every click on a hijacked result pushes traffic to the sites listed above, and the operator is paid a share of it under an affiliate agreement or a specific contract.

According to Wiki Security's analysts (http://www.wiki-security.com/wiki/Parasite/GoogleRedirectVirus/), Google Redirect Virus is associated with the following processes, DLL files, registry values and other objects on an infected PC:

Processes
dmgsh.exe
C:\WINDOWS\Xzagua.exe
Xzagua.exe
Xwk.exe
Xwo.exe

DLLs
C:\WINDOWS\system32\UAC.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\_VOID.dll
C:\WINDOWS\SYSTEM32\4DW4R3c.dll
C:\WINDOWS\SYSTEM32\4DW4R3.dll
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll

Other Files
C:\Windows\System32\wdmaud.sys
TDSSserv.sys
C:\WINDOWS\_VOID\
C:\WINDOWS\_VOID\_VOIDd.sys
C:\WINDOWS\system32\UAC.db
C:\WINDOWS\system32\UAC.dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\_VOID.dat
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
C:\WINDOWS\system32\drivers\_VOID.sys
C:\WINDOWS\system32\drivers\UAC.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\Temp\_VOIDtmp
C:\WINDOWS\Temp\UAC.tmp
%Temp%\UAC.tmp
%Temp%\_VOID.tmp

Registry Keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
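The lists above are only useful if someone actually checks a host against them. The following PowerShell sweep is an added example, not code from the original article or from Wiki Security: the indicator values are copied from the lists above, while the function names and the output layout are this example's own. The paths are the XP-era ones the page gives (C:\WINDOWS, Documents and Settings); on later Windows the %Temp% and system32 entries are the ones most likely to match.

```powershell
# Added example: sweep this host for the Google Redirect Virus artefacts
# listed above (indicator values copied from the page; helper names are this
# example's own). Run from an elevated PowerShell prompt.
# Caveat: Test-Path, Get-Item and Get-Process all go through the Win32 and
# kernel APIs that a TDSS-class rootkit hooks, so a clean result on a live
# system is not proof of absence; an offline scan is the authoritative check.

$FileIocs = @(
    'C:\WINDOWS\Xzagua.exe',
    'C:\WINDOWS\system32\UAC.dll',
    'C:\WINDOWS\system32\uacinit.dll',
    'C:\WINDOWS\system32\_VOID.dll',
    'C:\WINDOWS\SYSTEM32\4DW4R3c.dll',
    'C:\WINDOWS\SYSTEM32\4DW4R3.dll',
    'C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll',
    'C:\Windows\System32\wdmaud.sys',
    'C:\WINDOWS\_VOID\',
    'C:\WINDOWS\_VOID\_VOIDd.sys',
    'C:\WINDOWS\system32\UAC.db',
    'C:\WINDOWS\system32\UAC.dat',
    'C:\WINDOWS\system32\uactmp.db',
    'C:\WINDOWS\system32\_VOID.dat',
    'C:\WINDOWS\SYSTEM32\4DW4R3sv.dat',
    'C:\WINDOWS\system32\drivers\_VOID.sys',
    'C:\WINDOWS\system32\drivers\UAC.sys',
    'C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys',
    'C:\WINDOWS\Temp\_VOIDtmp',
    'C:\WINDOWS\Temp\UAC.tmp',
    '%Temp%\UAC.tmp',
    '%Temp%\_VOID.tmp'
)
# Process names as Get-Process expects them (no .exe extension). The page gives
# no fixed path for dmgsh.exe or TDSSserv.sys, so they are matched by name only.
$ProcessIocs  = @('dmgsh', 'Xzagua', 'Xwk', 'Xwo')
$RegistryIocs = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\_VOIDd.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Services\_VOID',
    'HKLM:\SYSTEM\CurrentControlSet\Services\UACd.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Services\4DW4R3'
)

function Find-RedirectVirusArtifacts {
    $hits = New-Object System.Collections.Generic.List[object]

    foreach ($ioc in $FileIocs) {
        $path = [Environment]::ExpandEnvironmentVariables($ioc)   # resolves %Temp%
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item   = Get-Item -LiteralPath $path -Force              # -Force: hidden/system files too
        $detail = if ($item.PSIsContainer) { 'directory' }
                  else { '{0} bytes, modified {1:u}' -f $item.Length, $item.LastWriteTime }
        $hits.Add([pscustomobject]@{ Kind = 'File'; Indicator = $path; Detail = $detail })
    }

    foreach ($name in $ProcessIocs) {
        foreach ($proc in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $hits.Add([pscustomobject]@{
                Kind = 'Process'; Indicator = "$name.exe"
                Detail = 'PID {0}, image {1}' -f $proc.Id, $proc.Path
            })
        }
    }

    foreach ($key in $RegistryIocs) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        # A surviving service key normally names the driver it loads.
        $image = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
        $hits.Add([pscustomobject]@{ Kind = 'Registry'; Indicator = $key; Detail = "ImagePath=$image" })
    }
    return $hits
}

# Usage: list every hit, then an overall verdict.
$found = @(Find-RedirectVirusArtifacts)
$found | Format-Table -AutoSize
if ($found.Count -eq 0) { 'No listed artefacts found (see caveat above).' }
else { '{0} indicator(s) matched; treat the host as infected.' -f $found.Count }
```

A single match on the file or registry list is enough to justify an offline scan; a service key whose ImagePath points at a driver that Test-Path cannot see is the classic sign of a rootkit hiding its own file.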

Symantec tracks the rootkit behind these redirects as Backdoor.Tidserv and has published a dedicated Backdoor.Tidserv removal tool for it. According to Symantec's analysis, the threat uses rootkit techniques precisely so that it can remain undetected for long periods. Applications of this kind are built for one purpose only: to generate profit for their author. Ordinary adware tends to inject a few ad-supported search results, pop-ups or the occasional redirect; this infection redirects clicks on genuine links. So if you are repeatedly redirected after clicking links you know to be legitimate (Facebook, eBay and so on), that is a strong sign that your system carries the Google Redirect Virus.

What Does Google Redirect Virus Infection Do?

Google Redirect Virus can take several forms. Some are simple, such as a modified hosts file; others are serious, such as a full kernel-mode rootkit from the notorious TDSS family. Rootkits are hard to remove because they differ fundamentally from an ordinary virus. An ordinary virus is a file that can be deleted from the hard drive, if necessary by examining the system while it is not booted.
A rootkit is written to embed itself in the core of the operating system. Once loaded, it controls what the system reports to the user: it hides objects that are present and can show objects that do not exist. In addition, the rootkit component of Google Redirect Virus can download further Trojans.

Why Removing Google Redirect Virus Is So Difficult?

Removing Google Redirect Virus is widely acknowledged to be difficult. The rootkit variant can modify the Master Boot Record (MBR) and carve out its own hidden area on the disk, and neither is visible from a running Windows without dedicated anti-rootkit techniques.
Once infected, some core Windows files are patched in place, and the operating system keeps working as intended. The patched files, however, accept commands from the attackers, who can then do whatever they want with the system. Simply deleting these files is not an option, because Windows will not boot without them.
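The MBR and hidden-partition claims above can be checked against the disk itself. The following PowerShell is an added example, not part of the original article: it reads sector 0 of a disk, decodes the four primary partition entries and compares them with what Windows reports, flagging primary entries Windows does not know about and unallocated space after the last partition. The function names, the output fields, and the requirement for an elevated prompt and the Storage module (Get-Disk and Get-Partition, Windows 8 / Server 2012 or later) are this example's assumptions.

```powershell
# Added example (not from the page): read the raw MBR partition table and
# compare it with what Windows reports. Run from an elevated prompt.
# A bootkit that filters raw disk reads can lie to this script as well, so on
# a suspect host compare this output with the same read taken from boot media.

function Get-MbrPartitionTable {
    param([int]$DiskNumber = 0)
    $disk       = Get-Disk -Number $DiskNumber
    $sectorSize = [int]$disk.LogicalSectorSize        # 512 or 4096; raw reads must be sector-sized
    $stream = New-Object System.IO.FileStream -ArgumentList "\\.\PhysicalDrive$DiskNumber", 'Open', 'Read', 'ReadWrite'
    try {
        $sector = New-Object byte[] $sectorSize
        if ($stream.Read($sector, 0, $sectorSize) -ne $sectorSize) { throw 'short read of sector 0' }
    } finally { $stream.Dispose() }

    $entries = foreach ($i in 0..3) {
        $off  = 446 + 16 * $i                           # partition table starts at byte 446
        $type = $sector[$off + 4]
        if ($type -ne 0) {                              # type 0 = unused slot
            $start = [BitConverter]::ToUInt32($sector, $off + 8)
            $count = [BitConverter]::ToUInt32($sector, $off + 12)
            [pscustomobject]@{
                Entry    = $i
                Bootable = ($sector[$off] -eq 0x80)
                TypeId   = '0x{0:X2}' -f $type          # 0xEE = protective MBR of a GPT disk
                StartLba = $start
                EndLba   = $start + $count - 1
                SizeMB   = [math]::Round($count * $sectorSize / 1MB, 1)
            }
        }
    }
    [pscustomobject]@{
        Disk               = $DiskNumber
        BootSignatureValid = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        SectorSize         = $sectorSize
        TotalSectors       = [uint64]($disk.Size / $sectorSize)
        Entries            = @($entries)
    }
}

function Compare-MbrWithWindows {
    param([int]$DiskNumber = 0)
    $mbr  = Get-MbrPartitionTable -DiskNumber $DiskNumber
    $seen = @(Get-Partition -DiskNumber $DiskNumber | ForEach-Object { [uint64]($_.Offset / $mbr.SectorSize) })
    $annotated = foreach ($e in $mbr.Entries) {
        # Expected gaps: an extended-partition container (0x05/0x0F) and the
        # 0xEE protective entry of a GPT disk are not listed by Get-Partition.
        # Any other primary entry Windows does not list deserves a closer look.
        $e | Add-Member -NotePropertyName KnownToWindows -NotePropertyValue ($seen -contains $e.StartLba) -PassThru
    }
    $lastUsed = ($mbr.Entries | Measure-Object -Property EndLba -Maximum).Maximum
    $trailing = if ($null -eq $lastUsed) { $mbr.TotalSectors } else { $mbr.TotalSectors - $lastUsed - 1 }
    [pscustomobject]@{
        Disk               = $DiskNumber
        BootSignatureValid = $mbr.BootSignatureValid
        TrailingUnusedMB   = [math]::Round($trailing * $mbr.SectorSize / 1MB, 1)
        Entries            = @($annotated)
    }
}

# Usage: a few MB of slack after the last partition is normal alignment
# padding; hundreds of MB covered by no partition, or a primary entry that
# Windows does not know about, deserves an offline look.
$report = Compare-MbrWithWindows -DiskNumber 0
$report.Entries | Format-Table -AutoSize
$report | Select-Object Disk, BootSignatureValid, TrailingUnusedMB | Format-List
```

Because the comparison reads through the same kernel disk stack the rootkit lives in, treat a clean result as "nothing visible from here", not as proof; the same script run from clean boot media gives the baseline to diff against.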

How can one remove Google Redirect Virus?

Manual removal alone is not practical against the rootkit component; dedicated removal tools are needed. Here is what the user can do on their own, before and alongside those tools:

  • Remove suspicious extensions and add-ons from Internet Explorer, Mozilla Firefox and Google Chrome.
  • Reset the browser settings.
  • Manually remove the hijacked homepage.
  • Manually remove the unwanted search engine.
  • Edit the Windows hosts file and delete any entries that point legitimate domains at other IP addresses.
  • Review the DNS server settings, as they may have been changed to a resolver the attacker controls.
  • Check the proxy settings for a proxy server or automatic configuration script the user never set.

Disconnect the computer from the network and boot it into Safe Mode before carrying out the steps above. Experts strongly recommend downloading an offline installer of an up-to-date anti-malware product on a clean PC, transferring it to the infected computer and running a full scan to remove every trace of Google Redirect Virus. To be thorough, also run a portable anti-rootkit tool (Kaspersky's TDSSKiller, for example, targets the TDSS family). A registry cleaner adds little here; the anti-rootkit tool and the anti-malware scan are what actually remove the infection. Use the list of associated files above when checking the system, follow the removal guide below to clean the browser data and boot into Safe Mode, and run the anti-malware scan after the manual steps.
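The last three steps of the list above (hosts file, DNS servers, proxy settings) can be audited in one pass. The following PowerShell is an added example, not code from the original article: the helper names, the list of "normal" localhost aliases, the private-range test and the constructed sample hosts file are all this example's own. It needs PowerShell 3 or later; the DNS check uses Get-DnsClientServerAddress (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the page): audit the three places on a host where a
# redirect can be planted without any browser add-on: the hosts file, the DNS
# server configuration and the WinINET proxy settings. Helper names, the
# localhost alias list and the sample hosts content are this example's own.

# Names that legitimately appear in a default hosts file.
$LocalhostAliases = @('localhost', 'localhost.localdomain', 'broadcasthost', 'ip6-localhost', 'ip6-loopback')

function Get-HostsOverrides {
    # Every mapping that is not a plain localhost alias is a manual override.
    # A search engine pointed at a third party, or an antivirus vendor pointed
    # at 127.0.0.1 to block updates, is exactly what a hijacker plants here.
    param([string[]]$Content = (Get-Content -LiteralPath "$env:SystemRoot\System32\drivers\etc\hosts"))
    foreach ($raw in $Content) {
        $line = ($raw -split '#', 2)[0].Trim()          # drop comments
        if ($line -eq '') { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($LocalhostAliases -contains $name.ToLower()) { continue }
            [pscustomobject]@{ Source = 'hosts'; Setting = $name; Value = $fields[0] }
        }
    }
}

function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address -split '\.'
    if ($o.Count -ne 4) { return $false }
    $a = [int]$o[0]; $b = [int]$o[1]
    # RFC 1918 ranges, loopback and link-local.
    return (($a -eq 10) -or ($a -eq 127) -or ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or
            ($a -eq 192 -and $b -eq 168) -or ($a -eq 169 -and $b -eq 254))
}

function Get-DnsServerReport {
    # A public resolver is not wrong by itself, but a resolver the admin did not
    # configure is what a DNS hijack looks like from the client side.
    foreach ($adapter in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $adapter.ServerAddresses) {
            $note = if (Test-PrivateIPv4 $srv) { 'private/loopback' } else { 'public: confirm it is expected' }
            [pscustomobject]@{ Source = "dns ($($adapter.InterfaceAlias))"; Setting = 'server'; Value = "$srv ($note)" }
        }
    }
}

function Get-ProxyReport {
    # A proxy or PAC URL the user never set can rewrite every request.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie  = Get-ItemProperty -LiteralPath $key
    foreach ($setting in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
        $value = $ie.$setting
        if ($null -ne $value -and "$value" -ne '' -and "$value" -ne '0') {
            [pscustomobject]@{ Source = 'proxy'; Setting = $setting; Value = $value }
        }
    }
}

# Constructed sample (not a real capture) showing what the hosts parser flags:
# the two localhost lines are ignored, the two overrides are reported.
$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com      # update site sinkholed
198.51.100.7    www.google.com        # search engine pointed at a third party
'@ -split "`r?`n"

'--- sample hosts file ---'
Get-HostsOverrides -Content $SampleHosts | Format-Table -AutoSize
'--- this host ---'
@(Get-HostsOverrides) + @(Get-DnsServerReport) + @(Get-ProxyReport) | Format-Table -AutoSize
```

Anything the report lists under hosts is a manual override that someone put there; if it was not you, remove it. For DNS and proxy entries, compare against what the network or the administrator actually configured rather than judging by the address alone.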


1. Start your PC in Safe Mode to remove Google Redirect Virus.
2. Remove Google Redirect Virus automatically with the SpyHunter malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

