Anup Raman, the man behind A Technical Journey, is a tech enthusiast, blogger and trainer with 10+ years of experience in IT-related services. He is an expert in operating systems and virus removal techniques, and the author of Virus Removal Secrets Revealed, a guide on removing computer infections manually without using any security software. He loves writing articles on technical issues and giving honest product reviews.
The Google redirect virus is one of the most annoying, dangerous and toughest infections ever released on the internet. It redirects Google search results or normal website links to a malicious webpage, which is either some sort of advertisement or a page that enables hackers to gather information from you. It is also called the Yahoo redirect virus or the Bing redirect virus, depending on which search engine is affected. In reality, these are all the same. Not many computer users know that the Google redirect virus is not a virus but, in fact, a rootkit. Rootkit infections, unlike virus, spyware or trojan infections, are very difficult to remove. In very rare cases, the Google redirect virus rootkit is seen together with Trojans, which makes it more deadly. According to a 2011 report, the Google redirect virus has already infected 45,00,000 computers worldwide, of which 1/3rd are in the US.
The Google redirect virus is tough to remove because it hides deep inside the operating system and removes the traces and footprints of how it got into the computer. As of today, there is not a single security product on the market that can give you 100% protection from this infection. That explains how you got infected even with security software installed for virus protection. This article explains how to handpick and remove the Google redirect virus. For a virus removal technician, this is the most effective method ever developed, and the one used by technicians working for some of the biggest names in the security software industry. So, most probably, if you contact them to remove the Google redirect virus, they will try the same manual steps on your computer.
There are 2 ways to approach removing the Google redirect virus:
- Try tools available online or go for a professional tool
Lots of free tools are available, but none of them is good enough to guarantee a 100% solution to this problem. Most probably, you have already tried a couple of them. The biggest disadvantage of a free tool is that it is hard on the operating system and might corrupt files. This might cause your computer to crash completely, or leave you with an operating system that no longer loads. In some of my early articles I did mention some free tools for this infection, but I stopped recommending them once I started getting more reports of computers crashing after using these tools. So take precautions before you try these tools. Better safe than sorry.
Professional tools, on the other hand, are more responsible and effective, and they save you a lot of time because they are easy to use. If I am looking for a quick solution and don’t want to get my hands dirty, this will be my choice. For professional help which offers a 60-day money-back guarantee, click here.
- Try to remove google redirect virus manually
This is my most favored method. It might be time-consuming, and some of you might find it hard to follow the instructions because of their technical nature. If you don’t mind getting your hands dirty, you may try the steps mentioned here. This method is very effective, but failing to follow the instructions properly, or a simple human error, can render your efforts ineffective. To make it easier for everybody to follow, I have created a step-by-step video explaining the details. It shows the exact same steps used by virus removal experts to remove a virus infection manually. You can find the video towards the end of this post.
Troubleshooting steps for removing Google Redirect Virus manually
1) Enable hidden files by opening folder options (start –> run –> control folders). Under the view tab:
- enable show hidden files, folders and drives
- uncheck hide extensions for known file types
- uncheck hide protected operating system files
2) Open msconfig (start –> run –> msconfig)
- Click “Start” –> run –> msconfig
- Go to the “boot” tab if you are using Vista or Win 7. In case of XP, select the “boot.ini” tab
- Check the boot log option
3) Restart computer
Restart the computer to make sure that the changes you made take effect. (On restarting the computer, a file named ntbtlog.txt is created, which is discussed later in the troubleshooting steps.)
4) Do a complete IE optimization
Read this article on how to do an Internet Explorer optimization. Internet Explorer optimization is done to ensure that the redirection is not the result of some basic change in IE settings. Even if you use a browser other than IE, you still need to do the IE optimization, as IE settings are the basic settings for web browsers in the Windows operating system.
5) Open device manager (start –> run –> devmgmt.msc)
- Click “Start” –> run –> devmgmt.msc
- Click the “view” tab at the top. Select “show hidden devices”
- Look for “non-plug and play drivers”. Expand it to see the entire list under the option.
- Check whether there is an entry named TDSSserv.sys. Note down the name carefully. Right-click the entry and uninstall it. Don’t restart the computer yet; cancel the restart prompt. Continue troubleshooting without restarting.
6) Open the registry (start –> run –> regedit). Take a backup of the registry before making changes
- Click on edit –> find. Enter the first few letters of the infection name. In this case, I used TDSS and searched for any entries starting with those letters. Every time there is an entry starting with TDSS, it shows the entry and the value on the right side.
- If there is just an entry, but no file location mentioned, then delete it directly. Continue searching for the next entry with TDSS.
- The next search took me to an entry with details of a file location on the right, which says C:\Windows\System32\TDSSmain.dll. You need to use this information. Open the folder C:\Windows\System32, then find and delete the TDSSmain.dll mentioned here.
- Assume that you were not able to find the file TDSSmain.dll inside C:\Windows\System32. This shows the entry is super hidden. You need to remove the file using the command prompt. Use this command to remove it: del C:\Windows\System32\TDSSmain.dll
- Repeat the same until all entries in the registry starting with TDSS are removed. If any of those entries points to a file inside a folder, remove that file either directly or by using the command prompt.
If you were not able to find TDSSserv.sys among the hidden devices in device manager, go to Step 7.
7) Check ntbtlog.txt for corrupted file
By doing Step 2, a log file called ntbtlog.txt is generated inside C:\Windows. It’s a small text file containing a lot of entries, which might run to more than 100 pages if you take a printout. You need to scroll down slowly and check whether there is an entry for TDSSserv.sys, which shows that there is an infection. If there is, follow the steps mentioned in Step 6.
In the case above, I mentioned only TDSSserv.sys, but there are other types of rootkits which do the same damage. Let’s take the case of 2 entries, H8SRTnfvywoxwtx.sys and _VOIDaabmetnqbf.sys, listed under device manager on my friend’s PC. The way to tell whether a file is dangerous or not is mainly by its name. The name makes no sense, and I don’t think any self-respecting company would give a name like this to its files. Here, I used the first few letters, H8SRT and _VOID, and did the steps mentioned in Step 6 to remove the infected files.
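The check in Step 7, as an added example that is not part of the original article: a Python script that parses the text of ntbtlog.txt and flags driver entries whose file names start with the prefixes named above (TDSS, H8SRT, _VOID). The sample log lines are constructed for illustration, and the function names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Name prefixes the article associates with this rootkit family.
ROOTKIT_PREFIXES = ("tdss", "h8srt", "_void")

# ntbtlog.txt records one driver per line in one of these two forms.
LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+)$", re.I)

# Constructed sample in the ntbtlog.txt layout (not a real capture).
# The log is appended to on every boot, so entries can repeat.
SAMPLE = r"""
 Microsoft (R) Windows (R) Version 6.1 (Build 7601)
 7 20 2011 10:15:22.500
Loaded driver \SystemRoot\system32\ntoskrnl.exe
Loaded driver \SystemRoot\system32\drivers\atapi.sys
Loaded driver \SystemRoot\system32\drivers\tdx.sys
Loaded driver \SystemRoot\system32\drivers\TDSSserv.sys
Loaded driver \SystemRoot\System32\Drivers\H8SRTnfvywoxwtx.sys
Did not load driver \SystemRoot\System32\Drivers\_VOIDaabmetnqbf.sys
Loaded driver \SystemRoot\system32\drivers\TDSSserv.sys
"""


def decode_bootlog(raw: bytes) -> str:
    """Decode the file's bytes: UTF-16 when a BOM is present, else UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_bootlog(text):
    """Yield (loaded, path) for every driver line; skip headers and blanks."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1).lower().startswith("loaded"), m.group(2)


def flag_drivers(text, prefixes=ROOTKIT_PREFIXES):
    """Return de-duplicated (file name, path, loaded) hits, sorted by name."""
    hits = set()
    for loaded, path in parse_bootlog(text):
        name = PureWindowsPath(path).name
        if name.lower().startswith(prefixes):
            hits.add((name, path, loaded))
    return sorted(hits)


if __name__ == "__main__":
    # On a real system: text = decode_bootlog(open(r"C:\Windows\ntbtlog.txt", "rb").read())
    for name, path, loaded in flag_drivers(SAMPLE):
        state = "loaded" if loaded else "did not load"
        print(f"{name}: {state} ({path})")
```

The prefix list covers only the names given in this article; tdx.sys and atapi.sys in the sample are deliberately left unflagged.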
Please try these steps at your own risk. The steps mentioned above won’t crash your computer. But to be on the safe side, it is better to take a backup of important files and make sure that you have the option to repair or re-install the operating system using the OS disk.
Some users might find the troubleshooting described here complicated. Let’s face it, the infection itself is complicated, and even experts in this field have to struggle to get rid of it.
In case the above methods fail and you need professional help without having to spend too much money on a professional service, you may try getting help from specialists by clicking on the link Fix Google Redirect Virus. My recommendation is based on 2 reasons. Personally, I feel the cost of their service is much lower than what you might end up paying for a tech shop repair, which costs a minimum of 75$-100$ or more. It also comes with a money-back guarantee of 60 days, which means they will refund you if the issue could not be fixed.

So don’t wait any more. Take action and get rid of the Google redirect virus before it does more damage to your PC. I hope this article helps you fix the problem. Wish you all good luck.


{ 41 comments… read them below or add one }
This is wonderful. None of the tools helped me in fixing, but manually I managed to remove it. Bit complicated though. Thanks for your help.
Good job!!!!!!!!!!
Good to know it worked…..
I like the helpful information you supply on your articles. I will bookmark your blog and check again here frequently. I’m fairly certain I will be informed lots of new stuff right right here! Best of luck for the next!
Hi Anup,
Thanks for the wonderful article and guidance. The steps you mentioned are a bit complicated for a dumb computer user like me. I am sure these steps might have helped others. It would have been helpful for people like me if you had a video describing what you said.
As you suggested, I got this damn issue sorted out finally with fixredirectvirus.org fixed.
I like Your Article about Google redirect virus – Remove Manually Perfect just what I was searching for!
Agree with Cynthia… please add a video. I am totally lost after reading these steps. But I am sure you did a great job in helping people.
First of all… loved the way of explaining things. I am not much of a techy, but your suggestion to use the virus removal tool worked for me. Just thought of informing you. Good job with your site. Merry X’mas and a happy yr in advance.
@Clive good to see that your issue is fixed and thanks for the feedback. Enjoy a great Christmas and have a great year ahead.
@Nisha @Cynthia — Yes, I am planning to put on a video. Will do that as soon as I get time… Good to know the issues are fixed.
@John Thanks for the feedback
Bloody Fantastic…. It worked
;-)
You’re so cool! I don’t suppose I’ve learn anything like this before. So good to seek out any person with some authentic thoughts on this subject. Really, thanks for beginning this up. This web site is one thing that’s wanted on the internet, somebody with slightly originality. Helpful job for bringing something new to the web!
Only a smiling visitor here to share the love (:, btw great design .
I just tried to use all of your steps, I did not have any TDSSserv.sys, H8SRTnfvywoxwtx.sys, or _VOIDaabmetnqbf.sys. So I am kind of dead in the water here. No fix yet.
Colin, sorry to hear that.
There should be something inside. Apart from ntbtlog file, do check msinfo32 -> Software environment –> loaded modules. Check that list. It might help.
Also check the size of atapi.sys file in c:\windows\system32\drivers folder. If the size is more than a 100KB, that is the infected file. Try to replace it.
I hope you already tried different free tools to get rid of the infection.
Let me know how it went. Good luck.
Nothing looked out of place in msinfo, atapi.sys is 24KB and malware bytes and various other programs failed to find it.
atapi.sys looks normal.
Please read the article http://atechjourney.com/challenges-of-removing-google-redirect-virus-part-3-of-4.html. That might help.
If nothing else helped, my final recommendation will be fixredirect.org. It’s a paid tool, but I am sure it’s worth it. If they fail to fix, you can always claim a refund. Please let me know the results.
hi!,I really like your writing very so much! percentage we keep up a correspondence more approximately your article on AOL? I require a specialist on this area to resolve my problem. May be that is you! Looking ahead to peer you.
hey this is my first time visiting this site but it looks good so far, not just another drone blog lol.
Do you know your blog is suggested by a number of other blogs? Nice stuff. Thank you very much!
Made it all the way to step 5 easily, however, I don’t have any entries with such names, but I do have the virus. I don’t know how to fix it now, but I guess I will continue to look for a fix. Thanks for all the help you could give.
Good thing I can outsmart this virus by using my mouse to open links.
These are some of the names that I gave here. TDSSmain.dll, _VOIDaabmetnqbf.sys, H8SRTnfvywoxwtx.sys. The virus might come with lot of other names. If you look at these names, it is weird and that is how you identify that this might be a suspicious file.
Check msinfo32 -> Software environment –> loaded modules. Check that list. It might help, if there is any infected file loaded.
Also check the size of atapi.sys file in c:\windows\system32\drivers folder. If the size is more than a 100KB, that is the infected file. Try to replace it.
I don’t have a tddss.sys entry anywhere in my registry. At all. I know how to look for it. I’ve been in the ntbtlogs in the device manager hidden files, all over system32, nothing. And this virus is killing my computer fast. I did find something called tdx.sys that comes up frequently in the ntbtlog but never in the device manager. I can’t find anything that goes by the other names for this virus, either. I don’t know what to do. I used malwarebytes and it found them, proclaimed to remove them, then they came back and nothing I use, not even tddskiller. I’m completely exhausted of options. Please help!
Apologize if this reply came late.
I don’t think tdx.sys is an infected file. It must be a driver-related file. Check for other files with weird names, like combinations of letters and numbers which don’t make any sense.
Did you try the Hitman Pro? Try it and let me know the details.
Wonderful posting. Remember to keep up the very really good performance.
Detected a sys file in system32 folder. Struggled a bit, but I finally figured it out. This article is really great : D. Helped me out a lot, cheers
Superb article. Cool.
Great post. Thanks for the info.
I found this in my “non-plug and play drivers” area: MpKsld18f9a41
That doesn’t look normal, but I can’t find anything on it when I type the name into any search engines and I’m afraid of uninstalling something important on my computer. When I click on it, the information says that the publisher and location are unknown. Am I good to uninstall this?
“MpKsld18f9a41” seems to be a file from Microsoft Antimalware updates, which are sent regularly. The random numbers that you see in the file name keep changing after each update. This is a good file and doesn’t need to be deleted unless the Microsoft Antimalware update is creating some problem.
When you get strange file names like these, it is better to use the first few letters of the file name and then search in Google, because the later part might have been randomly created.
Thank you!
Everything is very open with a precise description of the challenges. It was truly informative. Your website is very useful. Thanks for sharing!
I’m not sure where you are getting your info, but great topic. I needs to spend some time learning more or understanding more. Thanks for wonderful information I was looking for this info for my mission.
I have struggled with this problem for a couple of days now without resolution (having tried everything mentioned). One interesting tidbit I thought I would throw in is that the problem can be gotten around (for google anyway) pretty simply. The virus seems to only look for the http://www.google.com url in the browser, if I type in say http://www.google.com/search?hl=en&source=hp&q=south+lyon+hotel&gbv=1, which is a previously good google search, the search works and from the google page that comes up I can successfully search other topics. I stumbled on this today and I thought it was significant because the virus clearly looks for a very specific url to attack. Any insights?
Anyway, it is clear this is only a work around and not a complete fix to this problem.
Meanwhile, I invite comments from people who tried this and would like to hear the results from you.
Hi there! Your information helped out a ton! Unfortunately for me, your deleting tips didn’t work. In my case, Norton Internet Security was the one behind the virus, and in the end we had to completely uninstall them. It all began when I stopped my service with them about a week ago. Then today they had me restart my computer. Right after the restart is when the “redirecting” started happening. I found an entire file folder full of bad files from them. Be aware NIS users!! NISx64 was the file folder name to look out for!!
Thank you so much for this great article i have been having many problems with these google redirect viruses on my computer they have been infecting a lot of my work and its very bad thank you very much
Dear Anup, I have the annoying ‘easyA-Z.com’ Google redirect virus on my laptop and I can’t get rid of it. I’ve run Symantec anti-virus, Malwarebytes, Hitman Pro, SuperAntiSpyware and CClean several times and after the initial scan no threats were found. Is there anything else you can suggest for this particular virus please? I also followed your manual steps above but no joy.
Sammy,
From the list of tools that you used, without doubt you have done everything right. I hope you have done the manual troubleshooting properly, because if you got it wrong, the issue might come back. Manual troubleshooting is very effective, but the chances of missing out infected files are very high. My final suggestion is to use the professional service offered for removing google redirect virus. The good part is you can claim a refund in case it failed to fix your problem. It is far better than taking it to a tech shop to get it fixed.
Let me know if it helped.
Dear Anup,
Thanks for your prompt response. I thought I did the manual troubleshooting correctly but I guess I must have missed some infected files which I didn’t recognise as infected. The virus did seem to disappear but was back again once I rebooted. I gave up and took my laptop to the deskside support team at work. They also tried to remove the virus without any joy and I ended up having a complete system refresh! It’s finally gone but knowing my luck I’ll probably end up with the virus again because I don’t know how I got it in the first place… so I don’t know what to avoid
Thank you for your useful tips and advice. I’ve bookmarked your articles/blog for future reference!
My Google search is not being redirected but, it is not working either. When I start typing letter, the intellisense starts making suggestion, regardless if I click on one of the suggestions and then press enter or double click it, it does not do anything, it just sits there. Even if I type the whole phrase and click on the search button it does nothing. Any help? Thanks for taking the time to help.
JC
It looks like an issue with the web browser. Try Internet Explorer optimization, assuming you are using IE: http://atechjourney.com/how-to-do-a-complete-internet-explorer-optimization.html/
Forgot to mention. I ran Norton and it found no viruses.