One of my colleagues came to me saying there was a problem with his system. Whenever he searched for something in Google, an advertisement would open up instead of the search results. That was unusual, because Google never serves ads that way. First I checked Google search on my own system; it was working perfectly fine. Then I remembered that about a year ago a virus had appeared that did the same thing: it redirected all Google queries to advertisements, sometimes opening a page loaded with AdSense ads and otherwise opening a fake advertisement page.

I went to the affected system to investigate the problem. The first thing I always do is run HijackThis to find the hidden startup information on the system. I ran HijackThis and found an R3 entry, which is a URLSearchHook. If you are having the same problem, use HijackThis to check for this entry, especially if you don’t recognize the file it references.

Then I looked at the hosts file, which can be found at C:\windows\system32\drivers\etc (where C: is your Windows drive). Make sure that the file contains only one active entry, namely:

127.0.0.1       localhost

My hosts file looks like this:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

Look at the processes running under your username in the Task Manager and make sure nothing suspicious is running in the background.

Make sure that legitimate primary and secondary DNS servers are configured in your network settings. If you don’t know your ISP’s DNS servers, you can use OpenDNS, whose primary and secondary DNS IP addresses are:

208.67.222.222

208.67.220.220

Now disable System Restore and then re-enable it, so that all existing restore point data is deleted and the virus cannot survive inside the System Restore data files.

Also run CCleaner to clean out temporary and junk files, so that nothing the virus left behind in those locations survives.

Now reboot your computer. This is what I did to get rid of the Google redirect virus.
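As an added example (not part of the original post), here is a small Python script that automates two of the checks above: it parses a hosts file in the Windows format and flags any mapping other than loopback to localhost, and it compares a list of configured DNS servers against the two OpenDNS addresses. The hosts content and the DNS server list embedded in it are constructed samples, not real captures.

```python
import ipaddress

# Constructed sample hosts file (added example, not a real capture): the stock
# Microsoft header trimmed, plus an injected line of the kind a redirect virus adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com  google.com  # injected redirect
"""

# OpenDNS resolvers quoted in the post; anything else is reported for review.
EXPECTED_DNS = {"208.67.222.222", "208.67.220.220"}


def parse_hosts(text):
    """Return [(ip, hostname)] for every active mapping; comments are ignored."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip full-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one IP, then one or more hostnames
        mappings.extend((ip, name.lower()) for name in names)
    return mappings


def suspicious_hosts_entries(text):
    """Flag every mapping except loopback -> localhost (the post's 'one entry'
    rule; IPv6 ::1 is also accepted because newer Windows versions add it)."""
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            loopback = False  # a malformed address is itself worth a look
        if not (loopback and name == "localhost"):
            flagged.append((ip, name))
    return flagged


def unexpected_dns_servers(configured, expected=EXPECTED_DNS):
    """Return configured resolvers that are not in the expected set."""
    return [s for s in configured if s not in expected]


if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
    # Constructed resolver list: one OpenDNS address plus one unknown resolver.
    for s in unexpected_dns_servers(["208.67.222.222", "203.0.113.9"]):
        print(f"dns: unexpected resolver {s}")
```

To check a live machine, read the real file from the path given above into the function in place of SAMPLE_HOSTS.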

To make sure that you stay clean, keep an up-to-date antivirus installed. Here is our top 5 free antivirus collection. If you are still having problems, please let me know in the comments.