Google or any other search engine may appear to behave abnormally when a researcher runs a search or clicks on a result and is sent to a page other than the one he/she intended to visit. This is known as a redirect, and a wide variety of malware can cause it. It is important to understand what may be causing the problem as well as the process for removing it.

These types of Google redirects can be very malicious because they can log personal information and transmit the data to another source. The personal data that is logged and transmitted includes everything from the researcher’s home address, credit card numbers and personal passwords to any other data that is entered into his/her web browser. These types of infections are also created to perform “click fraud,” which causes the researcher to visit an alternative website and view products or services that may be related to his/her search query. The alternative website then pays the infection’s creator(s) with illegitimate advertising revenue.

Computer infections that are known to cause redirect problems include:

  • TDSS
  • Sinowal
  • Whistler
  • Phanta
  • Trup
  • Stoned
  • Alureon

The main Google redirect virus symptom is the redirection of searches, but other symptoms may also include:

Problems running programs on the system – programs being disabled on the system is an indicator that there is a problem. Programs may give an error or simply not start. The infection may prevent access to important software such as anti-virus or anti-malware tools that could help remove problems from the computer.

Slow web browsing – Web browsing will be considerably slower due to the extra steps that the redirect virus takes to hijack search results. The browser may also use an unusual amount of system resources because the redirect virus runs its own background processes under the guise of the browser.

Unusual bubble dialog system tips – Bubble-style tip dialog messages may begin showing up on the researcher’s system. These can easily be spotted, as they claim to have knowledge of an infection or a virus on the researcher’s system and claim to have a solution available if the researcher clicks the tip window. Clicking on said tip will open the default browser and redirect the home page to a fake anti-malware product that claims to remove problematic software such as viruses from the system. Such software requires payment to “remove” the infections, while causing other problems in the process (such as infecting the computer with other viruses that require another “partnered” antiviral scanner/removal tool).

Common browser hijackers such as “Webplains(dot)com” use certain methods to infect a system so that a plain anti-virus program alone cannot detect them. This redirect hijacker lies dormant and then, from time to time, substitutes web searches made with Google and other search engines with results from one of the following fake search engines:

  • Thenewstoday(dot)net
  • Thewebtimes(dot)net
  • Newsranch(dot)net
  • Frontwebpage(dot)net
  • Thenightrain(dot)com
  • Thewebplane(dot)com
  • Thealltimes(dot)com
  • 101news(dot)net
  • Businessite(dot)net
  • Bywill(dot)net
  • Goingonearth(dot)com
  • Webplains(dot)net
  • Whatsinnews(dot)com
  • Whatsinstores(dot)net

Note: “(dot)” is written instead of a period “.” to prevent hyperlinks from accidentally appearing in the browser, which, if opened, could infect one’s system. Additionally, do not visit any of the websites in the bulleted list above, as one will risk getting infected with the hijacking malware.

Browser Helper Objects

The researcher may have installed, knowingly or unknowingly, a browser helper object that may be causing the redirects. The majority of browser helper objects are packaged as a toolbar or an extension that is installed into the browser(s). If one notices a new toolbar on the browser window, whether enabled or hidden, one should take caution with one’s online data and hold off from going to any sensitive websites such as those for banks, credit cards, email, or social networking. If possible, do not make any online purchases via the infected computer.

Extensions to the Web Browser

Web browsers such as Mozilla Firefox, Microsoft Internet Explorer, Google Chrome, Opera, and Apple Safari commonly use browser “extensions.” Extensions are additional pieces of software that provide extended functionality to the web browser. One can intentionally or unintentionally download malicious browser extensions that cause a browser redirect problem. These malicious extensions get onto the computer through a lapse in computer security, user confusion or ignorance (not reading the EULA), or malicious software being packaged with other seemingly harmless software.
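A read-only inventory check for the two preceding sections (browser helper objects and browser extensions), added here as an example and not part of the original article: it lists the Internet Explorer BHOs registered under the standard registry keys together with the DLL each one loads and its Authenticode signature status, and the Chrome extensions found under the default profile. Unsigned BHO DLLs or extensions one does not remember installing are the entries worth reviewing; the Chrome profile path and the output column names are assumptions made for this example.

```powershell
# Read-only inventory of IE Browser Helper Objects and Chrome extensions.
# Example script written for this article; it changes nothing on the system.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($entry in Get-ChildItem $key) {
            $clsid = $entry.PSChildName          # each BHO is registered by CLSID
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = $null; $dll = $null; $sig = 'n/a'
            if (Test-Path $clsKey) {
                $name = (Get-ItemProperty $clsKey).'(default)'
                # InprocServer32 holds the DLL that IE loads for this helper object
                if (Test-Path "$clsKey\InprocServer32") {
                    $dll = (Get-ItemProperty "$clsKey\InprocServer32").'(default)'
                }
            }
            if ($dll -and (Test-Path $dll)) {
                $sig = (Get-AuthenticodeSignature $dll).Status   # Valid / NotSigned / ...
            }
            [pscustomobject]@{ Kind='BHO'; Id=$clsid; Name=$name; Path=$dll; Signature=$sig }
        }
    }
}

function Get-ChromeExtensionInventory {
    # Assumed default-profile location; other profiles live beside "Default"
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
    if (-not (Test-Path $root)) { return }
    foreach ($ext in Get-ChildItem $root -Directory) {
        foreach ($manifest in Get-ChildItem $ext.FullName -Recurse -Filter manifest.json) {
            $m = Get-Content $manifest.FullName -Raw | ConvertFrom-Json
            # Names of the form __MSG_xxx__ are localized placeholders, not the display name
            [pscustomobject]@{ Kind='ChromeExt'; Id=$ext.Name; Name=$m.name
                               Path=$manifest.DirectoryName; Signature='n/a' }
        }
    }
}

@(Get-BhoInventory) + @(Get-ChromeExtensionInventory) | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and Program Files DLL paths are readable; a BHO whose DLL is missing, unsigned, or located under a user-writable folder warrants a closer look with the scanners listed below.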

Fixing the Google Redirect Problem

Since the problem may be sourced at the Master Boot Record, one is required to use the “fixmbr” command from the Windows Recovery Console. A wide variety of system files may be infected and/or created that have no legitimate use other than to re-infect the system if an anti-virus does not find them.

Some of these infections will go as far as blocking access to Windows Update and attempting to disable anti-virus products that are already installed or are yet to be installed. In fact, many of these infections go to great lengths to block websites such as those designed for computer help and security in an attempt to ensure that the system stays infected. This requires that help and information be accessed from an uninfected system or device. It is recommended that one download the anti-virus software on another machine and then transfer it to the infected system via read-only media such as a CD/DVD when possible. This ensures that the correct files are downloaded and that the infection cannot modify them during installation on the infected computer.

1. Download the Kaspersky TDSSKiller

The Kaspersky TDSSKiller is a tool designed to target and remove infections of the Rootkit.Win32.TDSS (Tidserv, TDSServ, and Alureon) family.

2. Download the ZeroAccess Rootkit Removal Tool

The ZeroAccess Rootkit Removal Tool is designed to target and remove infections of the advanced kernel mode rootkit ZeroAccess (Max++) family.

3. Download the Combofix

Combofix works on Windows XP (32-bit only), Windows Vista (32-bit/64-bit), and Windows 7 (32-bit/64-bit). It is an advanced tool that is capable of detecting and removing a wide spectrum of malware while automatically correcting the problems on the system.

4. Download MalwareBytes Antimalware

MalwareBytes Antimalware is designed to find and remove malware infections on the computer. A free edition is available for home use.

5. Download SUPERAntispyware

This software program is a useful alternative to MalwareBytes Antimalware. It also has a free edition licensed for home use.

6. Download SpyBot Search and Destroy

SpyBot Search and Destroy is an advanced tool that is designed to locate and remove malware of several different types. It comes with a wide array of tools that are used to immunize the computer to prevent future infections.

7. Download Hitman Pro (Current Version)

Hitman Pro is a tool designed to find, remove, and protect against rootkit, Trojan, virus, worm, spyware, and adware infections.

8. Get Microsoft Security Essentials

This is the official Microsoft anti-malware tool that is only available to systems that pass the Genuine Microsoft Software check. Once the tool is installed, it starts working to disinfect the system as well as prevent future problems from occurring.

Run each tool in the order listed to clean the system (also update the software if possible). Follow prompts to restart if necessary. On rare occasions, one may not be able to load the installation procedure for one of these tools because the redirect malware blocks the software on start-up. If this occurs, one needs to have the tools available on a compact disc or other media that can be read by the hardware available when the system boots in safe mode. USB storage devices are not recommended because Windows may not be able to load the drivers they require to access the hardware.

Once one is armed with these tools, restart the computer and log into safe mode with an administrator account. Safe mode is used because it loads Windows but bypasses startup processes and system drivers that are not necessary to run the basic Windows configuration. Getting into safe mode requires restarting the computer and repeatedly pressing the “F8” (Function 8) key on the keyboard until the Startup Menu is displayed. The list will have options similar to:

  1. Normal
  2. Logged
  3. Safe Mode
  4. Step by Step

Select “Safe Mode.”

Load the medium that the above list of products was saved on and install them on the computer in the order listed above. Run them through their cleaning process one by one until finished. If they prompt for a computer restart to finish cleaning, follow the directions and allow the system to restart normally to complete the process, then restart in safe mode to continue with the rest of the anti-malware tools. Be sure to run the Windows system update process to help patch the system and prevent these issues from recurring.

If these anti-malware tools do not fix the issue after a complete run, the problem may be a new type of malware that anti-malware scanners are not yet able to detect. Also, some forms of “worm” viruses can infect vital system files required for the computer to work correctly, which may disable the system if an anti-virus program removes or alters them. In that case, professional support is recommended.