Google Redirect Virus continues to plague users globally in 2017. This redirect is among the most dangerous, annoying and difficult to remove infections that are now spreading through the World Wide Web. The virus is causing redirection of the Google search results. Users have been reporting for a few years now that every time when they click on a desired search result, instead of going to the original page, they are being redirected to third-party sites. Such web locations can be very dangerous, since they are well known to either scam users, install adware PUPs (potentially unwated programs) or infect them with malware.
Threat Summary
| Name | Google Redirect Virus |
| Type | Rootkit |
| Short Description | Executes redirect scripts into legitimate Google search results. |
| Symptoms | Redirects to third-party sites of unknown origin by clicking on search results. Difficulty to remove. |
| Distribution Method | By clicking on a malicious link. By opening a malicious email attachment. |
| Detection Tool | See If Your System Has Been Affected by Google Redirect Virus Download Malware Removal Tool |
| User Experience | Join Our Forum to Discuss Google Redirect Virus. |
How Does Google Redirect Virus Affect the User’s Computer?
When the user of the Google redirect virus affected PC is doing a search in Google, the search machine shows approximately ten links. When the user clicks on these links he is redirected to advertisement or hacker hoax webpages. These pages are designed to trick the user and to steal one’s personal information.
The experts sometimes refer to this virus as Yahoo redirect virus or Bing redirect virus, as the same infection affects the other search engines too. A new variant of this infection has been recently found and called Happili redirect virus and Nginx redirect virus. All these symptoms are caused by the same group of computer infections.
To be more precise, there isn’t one particular virus responsible for the so-called Google redirect virus, or the similar redirects mentioned above. This term is used to describe various issues and infections stemming from malware or viruses leading to redirecting users to Google or a page that is made to look like the search engine. In fact all the displayed search results will lead to further issues and interacting with them is not advisory, to say the least.
Google Redirect Virus: Technical Details
According to security researchers, the virus has been reported to link to many suspicious sites, the most notorious of which are:
- search.babylon.com (One of the most famous browser hijacker related search engines).
- livejasmin.com (Ad-supported online adult website).
- adf.ly(Legitimate ad-supported service that can be exploited via malvertising).
- neatsearchserver.com (known associations with ZeroAccess rootkit).
Besides those, there are several other sites believed to be associated with the Google redirect virus:
→“Search.babylon.com, scour.com, blinkx.com, Worldslife.com, Blendersearch.com, Bodisparking.com, coolsearchserver.com, webplains.net, find-fast-answers.com, search-netsite.com, toseeka.com, AboutBlank, La.vuwl.com, 10-directory.com, 63.209.69.107, 67.29.139.153, 7search.com, adorika.com, adf.ly, admarketplace.com, alive-finder.com, alltheservices.com, articlemule.org, asklots.com, ave99.com, b00kmarks.com, background-sleuth.net, bargainmatch.com, beoo.com, bestdiscountinsurance.com, bestsearchpage.com, bestclicksnow.com, bestmarkstore.com, bestwebchoices.com, bestwebsearch.com, bidsystem.com, secure.bidvertiser.com, britewallet.com, budgetmatch.net, buzzclick.com, celebrity-gossip.net, cheapstuff.com, citysearch.com, clicksor.com (Clicksor), clkads.com, feed.clickbizz.com, comparedby.us, comparestores.net, couponmountain.com, digitaltrends.com, easilyfindlocal.com, everythinghere.com, evoplus.com, expandsearchanswers.com (expand search answers), fastfinder.com, feedsmixer.org (starFeedsMixer), find-quick-results.com, FilesCup.com (FilesCup), findexmark.com, find-answers-fast.com, Zinkwink.com, us-srch-system.com, finditreport.com, findology.com, finderquery.com, findstuff.com, flurrysearch.com, forless.com, gimmeanswers.org, glimpse.com, google-redirect.com, googlesearchserver.net, get-search-results.com, goingonearth.com, goodsearch.com, gomeo.co.uk, gossipcenter.com, gquestionnaire.com, greatsearchserver.com, greenluo.com, grooveswish.com, guide2faucets.com, happili.com, HelloLocal.com, hyperpromote.com, informationgetter.com, inruo.com, jerseyscatalog.com, juggle.com, k100searches.com, YouPorn, liutilities.com, livejasmin.com (creative.livejasmin.com popups), local-search-pages.com, localpages.com, localsearchbug.com, lowpriceshopper.com, manufacturersdirectory.com, multifind24.com, mybestclick.net, mycustomsearch.cn, mydealchoices.com, mydealmatch.com, mylocalhero.com, neatsales.com, neatsearchserver.com (neat search server ZeroAccess rootkit), netsearchfinder.com, netshoppers.com, nexplore.com, privacycheck.ru, Pulse360.com, qooqle.com, questyes.com, quick-search-results.com, quick-suggest.com, redirectsite.net, results5.google.com, safecompare.com, saveandcoupon.com, savecompare.com, savingwithads.com, scoursearch.net, search-redirector.com, searchforall.info, searching4all.com, search-results.com (int.search-results.com), searchbacon.com, searchdiscovered.com, searchqu.com, searchqualitysites.com, searchnext.com, searchspice.com, shopcompare.net, shopcompareus.com, shopfinded.com, shopica.com, shopica.com/search, shopzilla.com, socialsurvey2011.info, Social Search Redirect, Search-netsite.com, kitchenrenopages.com, kingtopsearch.net, kiseek.com, lawyerinsight.org, letsbuystuff.com, njksearc.net, qooqlle.com, Storeordersonline.com, somesearchsystem.com, startnow.com, startsearcher.com, supersearchserver.com, TabDiscover.com, tazinga.com (tazinga!), theifinder.com, Thewebtimes.com, Marveloussearchsystem.com, merchantsnearby.com, monstermarketplace.com, mooter.com, TheTop10.com, tubedownloader.com, theyellowpages.com, theyellowpagez.com, topdaodrugs.com, tubedownloader.com, Therelatedsearch.com, unblock-us.com, valueapproved.com, vshare.toolbarhome.com (vShare), vehiclefind24.com, whatcarefreefeelslike.com,weeklycontestwinner.org, weeklyusa-winner.com, webshoppinghelper.com, webresults6.org, yellowmoxie.com, search.yellowise.com, ylwbook.addresses.com, youfindmore.com and Zwankysearch.com.”
Google redirect virus won’t be easy to locate and recognize, as it won’t display any visible signs as with other virus-related scams (e.g. tech support scams). In fact, the redirect aims to do exactly the opposite – stay concealed within your machine for extended periods of time to monitor your online activities. Cybercrooks usually seek to infect PCs on a massive scale as parts of different campaigns. Such campaigns ensure them different benefits, some of which may be generating profit and obtaining different information about worldwide users. If they have one user’s information, it won’t be nearly enough to satisfy their malicious needs. However, if infections are done on a massive scale that allows them to be very powerful. More so, they can make money on pay-per-click schemes by receiving profit per percentage as a part of an affiliate agreement or a particular contract. This is a more advanced marketing strategy that may aim to push the above-mentioned sites’ traffic upwards.
According to Wiki researchers, the Google redirect virus is believed to be associated with the following processes, DLL files, registry values and other objects on your PC:
→Processes
dmgsh.exe
C:\WINDOWS\Xzagua.exe
Xzagua.exe
Xwk.exe
Xwo.exe
→DLLs
C:\WINDOWS\system32\UAC.dll
C:\WINDOWS\system32\uacinit.dll
C:\WINDOWS\system32\_VOID.dll
C:\WINDOWS\SYSTEM32\4DW4R3c.dll
C:\WINDOWS\SYSTEM32\4DW4R3.dll
C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
→Other Files
C:\Windows\System32\wdmaud.sys
TDSSserv.sys
C:\WINDOWS\_VOID\
C:\WINDOWS\_VOID\_VOIDd.sys
C:\WINDOWS\system32\UAC.db
C:\WINDOWS\system32\UAC.dat
C:\WINDOWS\system32\uactmp.db
C:\WINDOWS\system32\_VOID.dat
C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
C:\WINDOWS\system32\drivers\_VOID.sys
C:\WINDOWS\system32\drivers\UAC.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
C:\WINDOWS\Temp\_VOIDtmp
C:\WINDOWS\Temp\UAC.tmp
%Temp%\UAC.tmp
%Temp%\_VOID.tmp
→Registry Keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
Furthermore, Symantec researchers have identified a new malicious threat associated with the virus, naming it Backdoor.Tidserv. Also, they have created a removal tool especially for this virus, calling it the Backdoor.Tidserv removal tool.
In addition, Symantec researchers believe that this threat uses sophisticated rootkit–like behavior with the purpose of staying undetected for longer periods of time. Such threats are created with one and only purpose – to generate profits to their author. Most adware applications only display three to four ad-supported search results, pop-ups or sometimes redirects. This threat may display redirects from genuine links on the computer. So in case you get redirected multiple times by clicking on genuine links you know for sure are legitimate (Facebook, eBay, etc.) this is a clear, sign that you have the Google redirect virus on your system.
What Is a Rootkit?
First of all, rootkits can be both malicious and legitimate. Some rootkits can be installed as parts of legitimate apps.
Malicious rootkit is the type application that no user wants to ever encounter. It is an application designed to hide its presence, or the presence of another program, on the system. To do so, rootkits use some of the lower layers of the OS such as API function redirection. This approach makes rootkits very persistent to detection, at least by average anti-malware program.
How do rootkits infect systems? The most common distribution method is via Trojan horses or malicious email attachments. Nonetheless, there are other infection vectors, including the installation of dubious plugins and the overall unsafe user behavior.
What Does Google Redirect Virus Infection Do?
The Google redirect virus can lead to many other infections. Some of them are simple like modification of the host file, others however are very serious as they are state-of-the-art computer rootkits like the fearsome rootkit from the TDSS family. The rootkit infections are hard to be removed, as they are quite different from the ordinary virus. When the PC user is affected by a simple virus, it can be deleted from the hard drive. The users have to search through the system when not loaded and get an idea of the situation.
The rootkit infections are different. They are viruses written in a special way that get inside the computer and integrate into the heart of the operating system. The rootkits make the users’ PC windows show them things that they hide the things that should be there and show things that do not exist. In addition to that, the rootkit of Google Redirect Virus can download Trojans.
Why Removing Google Redirect Virus Is So Difficult?
All computer experts confirm that the removal of this redirect is very difficult. This virus has the power to alter the Master Boot Record (MBR) and make a partition of its own. The experts cannot find this when Windows is running and without special anti-rootkit techniques.
When infected, some of the main windows files will be patched and the operating system will keep on working as intended. However the patched files can receive commands from hackers and then they can do anything they want to the user’s system. It is not simple to delete these files, as windows will not boot.
How Can You Remove Google Redirect Virus?
Complete removal is not possible with the rootkit infection. In order to fix this problem, the user will need professional removal tools. Here is what the user can do on his own:
- Remove the suspicious extensions and add-ons from the browsers Internet Explorer, Mozilla Firefox or Google Chrome.
- Reset browser settings.
- Manually remove the browser hijacked homepage.
- Manually remove the unwanted search engine.
- Modify the Windows hosts file and delete the unwanted IP addresses.
- Review the Domain Name Server (DNS), as it might be poisoned.
- Check the proxy settings.
It is also an essential strategy to disconnect the web connection and boot the computer in Safe Mode while performing the actions described above. Experts highly recommend to download an offline installer of the latest version of an advanced malware protection from a safe PC and install it in the infected computer in order to scan and remove all traces of Google redirect virus completely.
Also, in order to be thorough, it is essential to use a portable rootkit remover program and a registry cleaner. In order to clean your browser data, boot your PC in safe mode and attempt any manual removal please refer to the removal guide below and download a particular anti-malware tool after manual removal. Also refer to the above mentioned files associated with Google Redirect Virus.
Manually delete Google Redirect Virus from your computer
1. For Windows 7,XP and Vista.
2. For Windows 8, 8.1 and 10.
Automatically remove Google Redirect Virus by downloading an advanced anti-malware program
1. Install SpyHunter to scan for and remove Google Redirect Virus.
1. For Windows 7 and earlier
