Are you facing problems with your web browser getting automatically redirected to strange and suspicious looking websites? Are these redirects mainly pointing towards an e-commerce site, porn, gambling sites? Do you have many pop-ups coming up displaying ad contents? Chances are you might have a Google Redirect Virus.
Google redirect virus is one of the most annoying, dangerous and toughest infection ever released on internet. The malware may not be considered deadly, as the presence of this infection is not going to crash your computer and make it useless. But it is considered annoying than deadly because of the unwanted redirects and pop ups which may frustrate anyone to no end.
Google redirect virus not only redirects Google results, but is capable of redirecting Yahoo and Bing search results as well. So don’t be surprised to hear Yahoo Redirect Virus or Bing Redirect Virus. The malware also infects any browser including Chrome, Internet explorer, FireFox etc. Since Google Chrome is the most used browser, some call it Google Chrome Redirect virus based on the browser it redirects. Recently, malware coders modified its codes to create variations to escape easy detection from security software. Some recent variations are Nginx Redirect Virus, Happili Redirect Virus etc. All these infections come under redirect virus, but variation in the codes and mode of attack.
According to a 2016 report, Google redirect virus have already infected more than 60 million computers wide, out of which 1/3rd is from US. As of May 2016, the infection seems to have made a come back with increasing number in reported cases.
What makes Google Redirect Virus elusive and difficult to remove
- Google Redirect Virus is a rootkit and not a virus. The rootkit gets itself associated with some of the important windows services which makes it work like an operating system file. This makes it difficult to identify the infected file or code. Even if you identify the file, it is difficult to delete the file because the file is running as part of operating system file.
- The malware is coded in such a way that it creates different variants from the same code from time to time. This make it difficult for the security software to catch the code and release a security patch. Even if they succeed in creating a patch, it becomes ineffective if the malware attack again which contains a different variant.
A Quick Note
My first experience with Google Redirect Virus was while working on a Symantec Project. It took a lot of trial and error to finally figure out an effective way to identify and get rid of this infection. The steps mentioned here are the original steps followed. This is now followed by virus removal experts around the world to remove these type of infections. I have done my best to explain the manual removal process. If followed properly, you will be able to remove the redirect virus. Windows 8 and 10 users might find it hard to remove the infection through manual methods because of the changes made in OS architecture. For them, virus removal using software is recommended.
- Due to the complicated technical nature, I have created a video and did my best to explain the steps to simplify the task. You may watch the video below.
- If you find the steps complicated or not working in your OS, as a final step you may opt for getting professional help using google redirect virus removal tool.
How to remove Google Redirect Virus
Google Redirect Virus can be removed mainly using two methods.
- Remove google redirect using software
The easiest way to get rid of Google Redirect Virus is by using the google redirect virus removal tool. Removal using software is quick and there is no question of human error in finding infected file. This is also highly recommended for Windows 8 and 10 users.
- Remove google redirect manually
It is possible to remove this infection by manually removing the files responsible for redirect. You have all the necessary step by step instructions and video in this article. But don’t get me wrong.
But, let me set the right expectation. The manual steps is a little technical in nature. Failure to follow the instructions properly or possibility of human error in identifying the infected file can render your efforts ineffective. The manual removal method is also time consuming. As a virus removal technician, 50-60 minutes is the average time spent on Google redirect virus infected computer.
The troubleshooting steps and video is given below.
If you are looking for a quicker and easy solution, try google redirect virus removal tool. Believe me, you won’t regret opting their service. This is a dedicated team of professionals involved in finding fix for redirect issues. Run the tools and do a scan as given in their user guide. As a final option, I highly recommend using the service as it is cheaper to pay $29.99 compared to a Tech shop repair which may cost couple hundred dollars.
- Highly Effective Tools: Multiple tools available, which are constantly updated for handling the latest variants of this infection. If one tool fails, you can try the other to remove the infection. Free access to their future updates. Guidance on how to use the tools also provided.
- Save Time: Quick resolution so you can save time and prevent countless unproductive hours.
- Save Money: Online service is cheaper. Professional services such as tech shop repairs and virus removal services charge may charge couple of 100$ for getting rid of this infection
- Dedicated Tech Support: A dedicated team providing 24/7 support within a certain time frame.
Watch Manual Removal Steps for Removing Google Redirect Virus
Troubleshooting steps for removing Google Redirect Virus manually
Unlike most of the infections, in case of Google Redirect Virus you will find only one or two files which is related to the infection. But if the infection is ignored initially, the number of infected files seems to increase over a period of time. So better get rid of the infection as soon as you find redirect problems. Follow the troubleshooting methods mentioned below to get rid of google redirect virus. There is also a video below.
- Enable hidden files by opening folder options
Operating system files are hidden by default to prevent accidental deletion. Infected files try to hide among the OS files. So it is advised to unhide all hidden files before starting troubleshooting.
- Press Windows Key + R for opening Run Window
- Type Control folders
- Click View tab
- enable show hidden files, folders and drives
- uncheck hide extensions for known file types
- uncheck hide protected operating system files
- Open msconfig
Use the msconfig tool to enable bootlog file.
- Open Run window
- Type msconfig
- Click Boot tab if you are using Windows 10, 8 or 7. In you are using Win XP, select boot.ini tab
- check bootlog to enable it
- Click Apply and click OK
The bootlog file is only needed in the last step.
- Restart computer
A message will appear to restart computer. Restart computer to make sure that changes you made are implemented. (On restarting computer, a file ntbttxt.log is created which is discussed later in troubleshooting steps)
- Do a complete IE optimization
Read this article on how to do an Internet Explorer optimization. Follow the steps to the end.
Internet explorer optimization is done to ensure that redirection is not caused by problems with IE or a corrupted internet settings. Even if you use a different browser other than Internet explorer, IE optimization is compulsory as IE settings acts as the basic settings for any web browser using windows operating system.
- Check Device Manager
Device Manager is a windows tool which list all the devices inside your computer. Some infections are capable of hiding hidden devices which can be used for malware attack. Check device manager to find any infected entries.
- Open Run window (Windows Key + R)
- Type devmgmt.msc
- Click View tab on the top
- Select show hidden devices
- Look for non-plug and play drivers. Expand it to see entire list under option.
- Check for any entry TDSSserv.sys. If you don’t have the entry, look for any other entries which looks suspicious. If you can’t make up your mind about an entry is good or bad, then do a google search with the name to find if it is genuine.
If the entry is found to be an infected one, right click on it and then click uninstall.
Once the uninstall is complete, don’t restart computer yet. Continue troubleshooting without restarting.
- Check registry
Check for the infected file inside the registry
- Open Run window
- Type regedit to open registry editor
- Click Edit > Find
- Enter the infection name. If it is a long one, enter the first few letters of infected entry
In this case, I used TDSS and searched for any entries starting with those letters. When an entry starting with TDSS is shown, click on it to find what is the value of that entry on right side.
If there is just an entry, but no file location mentioned, then delete it directly. Continue searching for next entry with TDSS
The next search took me to an entry which got details of file location on right which says C:\Windows\System32\TDSSmain.dll.You need to utilize this information. Open folder C:\Windows\System32, find and delete TDSSmain.dll mentioned here.
Assume that you were not able to find file TDSSmain.dll inside C:\Windows\System32.This shows entry is super hidden. You need to remove file using command prompt. Just use command to remove it. del C:\Windows\System32\TDSSmain.dll
Repeat same until all entries in registry starting with TDSS is removed. Make sure if those entries are pointing towards any file inside folder remove it either directly or by using command prompt.
Assume that you were not able to find TDSSserv.sys inside hidden devices under device manager, then go to Step 7.
- Check ntbtlog.txt log for corrupted file
If you did the Step 2, a log file called ntbtlog.txt is automatically generated inside the location C:\Windows. It’s a small text file containing lot of entries which might run to more than 100 pages if you take a printout. You need to scroll down slowly and check if you have any entry TDSSserv.sys which shows that there is an infection. Follow steps mentioned in Step 6.
In above mentioned case, I mentioned only about TDSSserv.sys, but there are other types of rootkits which do same damage. Let’s take case of 2 entries H8SRTnfvywoxwtx.sys and _VOIDaabmetnqbf.sys listed under device manager in my friends PC. The logic behind understanding if it is a dangerous file or not is mainly by their name. These name makes no sense and I don’t think any self respecting company will give a name like this to their files. Here, I used first few letters H8SRT and _VOID and did steps mentioned in Step 6 to remove infected file. (Please Note: H8SRTnfvywoxwtx.sys and _VOIDaabmetnqbf.sys are just an example. The corrupted files can come in any name, but it will be easy to recognize because of the long file name and presence of random numbers and alphabets in the name.)
Please try these steps at your own risk. Steps mentioned above won’t crash your computer. But to be on the safer side, it is better to take a backup of important files. Also ensure you have the option to repair or re-install operating system using OS disk if needed.
Some users might find troubleshooting mentioned here complicated. Let’s face it, infection itself is complicated and even the experts struggle in order to get rid of this infection.
You now have detailed instructions including video to get rid of google redirect virus. Also you know what to do if this didn’t work out. Take action immediately before the infection spreads to more files and render the PC unusable.
If you like this tutorial, please share. You might help someone looking for solution to this problem. Good Luck.
Google Redirect Virus Rating
- Ease of Use
- Product Effeciency
- Product Support
- Value for Money
google redirect virus