One of my fellows came to me telling me that there was some problem with his system. Whenever he wanted to search something in Google, an advertisement would open up instead of the search results. That was unusual because Google never does this type of ads. First I checked Google search on my system. It was running perfectly fine. Then I remembered that about a year ago, a virus had come that did the same thing. It would redirect all the Google queries to advertisements, sometimes it would open a page loaded with Adsense ads otherwise it would open a fake advertisement page.
I went to the affected system to investigate the problem. First of all I always run Hijackthis to find the hidden startup information about the system. I ran hijackthis and found out an R3 entry which is a URLSearchHook. If you are having the same problem, kindly use hijackthis to check this entry if you don’t know the file mentioned in this entry.
Then I looked at the hosts file that can be found at C:\windows\system32\drivers\etc where C is your Windows drive. Make sure that you have only one entry in the file that is:
My hosts file looks like this:
# Copyright (c) 1993-2006 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a ‘#’ symbol.
# For example:
# 22.214.171.124 rhino.acme.com # source server
# 126.96.36.199 x.acme.com # x client host
Look at the processes running under your username in the Task Manager. Make sure you don’t have anything suspicious running in background.
Make sure that you have a legitimate primary and secondary DNS Servers in your network settings. In case you don’t know your ISP DNS, you can use OpenDNS whose primary and secondary DNS IP addresses are given as under:
Now disable System Restore and Re-enable again to make sure that all your restore points data is lost and the virus is not residing in the System Restore data file.
Also run CCleaner to clean the temporary and junk files to make sure everything is gone.
Now reboot your computer. This is what I have done to get rid of Google redirect virus.
To make sure that you are running clean, make sure that you have an up to date antivirus. Here is our top 5 free antivirus collection. If you are still having problem, please let me know through comments.
17 responses to “Google Redirect Virus Removal”
It is a good thing that your memory served you correct in resolving this issue. Resolving these sort of problems can be very time consuming. The steps you took; very professional.
Thanks a lot Rick. I keep myself updated with your blog. Recommended to every techie.
I’ve spent the last week trying to find a solution to remove the Google redirect virus. First of all I’m not even sure how I got it. I ran Hijack this and did find the R3 entry as described above. I removed it rebooted the pc and it seemed ok then I starting having the same problem again. Came across some info on another website who had several PC users having good luck with a program called HitmanPro3.5. Ran it and it found a “rootkit” trojan installed in my windows drivers section. Removed it and so far no more issues. It took one week of constantly researching on the web to find this program and I’m suprised that it didn’t come up in the searches quicker. Hope this helps and saves you some time:)
I’m very grateful for your hard research work, Steve. HitMan Pro (ver 3.5 is the latest as of this writing) fixed my Google & Yahoo Redirect Virus. The file culprit was named 7n8001.sys and was located in the Drivers sub-directory under C:\Windows\System32. It took several hours of research and experimentation before I came upon this solution.
I found the software on CNet. Looks like it’s free for 30 days. It’s a cloud computing solution. If you try deleting or renaming the virus yourself, it regenerates itself. It’s nasty and persistent.
As of today, 1/20/2010, the latest updates for AVG, Malwarebytes, Spybot Search & Destroy, and AdAware could not fix it., although one of these spotted it (can’t rememebr which), but couldn’t fix it (couldn’t write to the HOSTS file in C:\Windows\System32\Drivers\ETC. Windows and IE updates were current.
Correction: I found my notes. It was XDELBox that found the virus but couldn’t fix it (couldn’t write to the HOSTS file in C:\Windows\System32\Drivers\ETC.)
Check out the Full info about the Virus here
How to remove mtn5.goole.ws and popup.adv.net Malware
Downloaded/installed/used Hitman Pro yesterday, and virus redirect was gone–and here it is AGAIN this am!
FYI: Looked at lmhosts which is about 80-90 lines long–and have no line without a # before it; final comment “it is not advisable to simplyadd lmhosts file entries onto the end of this file.” So where is the entry with number and localhost to check it?
HELP! and thx!!
You need to see the HOSTS file not lmhosts. It is in the same directory as lmhosts.
I have found to disable to disable your browser from utilizing Java scripts also works well in the case of the google redirect issues..
This issue is also beginning to effect Firefox..this is how i have found to stop it on firefox , without having to buy some other program, or risking further pc infection by using a third party program.
simply hit Tools:
hope this helps..
I had this same one hit me and I’ve spent 5 days straight trying to get it off… I reasearched and did several fixes.. kept running AV searches from est.com in safe mode.. it is finally gone – nothing get it off in one step.. reboot in safe mode (F-8) start in safe mode with networking. Was already running S&D teatimer and AVG… make a fix file and go to majorgeeks.com and downloaded cookie monsters to try to find the cookies causing this.. also ATF to earase all temp files (be sure to turn off system restore as to not re-infected) – I went to the registry and searched for DisableCMD and searchpage and Default_Search_URL deleted the CMD disabling and changed the pages to microsoft.com (they were redirected)- many other little entrys I thought bad I messed with too – some may of helped with this..also used ComboFix ( worked pretty well to find root activity) and started running and using OTL.. basically kept running scan and finally it is all gone.. whew.. what a time consumer – yuck! – I also had to reinstall AVG, S&D and Foxfire it messes with all of them so I just uninstalled and deleted any registry keys or files on C I found for them as I was trying anything to keep it from coming back… found lots of good info on bleepingcomputers.com on different tools to use…
I have a problem with my laptop. No webpage opens when type in the address. It says 500 ERROR. Server not available. When I try to open gmail, google or microsoft pages I get redirected to some other pages with the same names such as google, gmail and microsoft. What do I do to get rid of this?
I had host-redirection problem, just like yours. It redirected my web page to some unknown place and after sometimes all network connection problem. Used TrendMicro, no use. So I started computer in the safe mode,and simply tried microsoft’s spyware removal tool, it worked! That was pretty easy.
bleepingcomputers.com sucks all they say is run combofix,thats their snake oil cure for everything !little do they tell you combofix is USELESS for 64bit !
i would assume your friend uses IE.
first of all, stop using IE. use firefox with the following firefox extensions installed:
to at least block those unwanted ads and trackers. like this website alone have 4 trackers which i blocked. who knows what they are.
then installed avast! anti-virus. last, but not the least, stop being stupid by clicking all the popups and ads that comes along! THINK!
Most of the time it’s called Google redirect problem but please note that the redirect virus affects Yahoo and Bing search results too. This problem is very frustrating and unfortunately there is no one-click solution for it.