Case study of Google Redirect Virus

Category: Badware News

Google Redirect Virus is one of the most dangerous and frustrating infections that you could get on your system. Constant redirections, an absolute inability to use the search engine, pop-ups, and adverts are among its most annoying symptoms. Unfortunately, the infection is extremely difficult to remove, because Google Redirect Virus is not an ordinary piece of malware; it is an infection that was attached to rootkit software.

Rootkits are able to spread deep into the operating system, so deep that some records show they are able to gain access to the kernel. One of the main features of rootkits is remote command and control, which allows someone, legitimate or not, to control the computer administratively and remotely: executing files, accessing logs, monitoring activity, etc. In a way it works a lot like a backdoor Trojan, exposing your system and sensitive data to people you would never share it with. Another disastrous element is that not many antispyware applications are able to detect a rootkit, so most of the time Google Redirect Virus will infect the system without your knowledge. This stealthy design makes the redirect virus one of the most dangerous, annoying, and difficult-to-remove infections to have on your system.

It is important to note that Google Redirect Virus does not only affect the Google search engine; it has also been noted to hit other search engines (Bing, Yahoo, and Ask, to name a few), so in general this infection could be regarded as a redirect virus.

Google Redirect Virus constantly redirects users to websites that are in no way related to the original search. For instance, if a user is searching for a Wikipedia article, at first the search looks as ordinary as ever, but once the user clicks on the Wikipedia link, he gets redirected and lands on some sort of malicious website, which makes using the search almost impossible.

In simple terms, the user will land on a site that is in no way related to the real one. Redirections are the main problem with this malware, because the websites that the user gets redirected to could be, and probably are, full of malicious links, thus exposing the system to even more infections.

Another common feature of the Google Redirect Virus is websites that are replicas of the real thing. The website could appear to be a legitimate one, for instance your bank's page, but in reality it is just a bogus website that mimics the original, so by entering your bank account details you would just provide cyber criminals with your sensitive data. The same goes for any of your sensitive data: e-mail accounts, social security numbers, addresses, etc.

Most of the redirections occur as targeted ads: the infection gathers information about your searches, so it redirects you to a site that is in a way tailored for you. By visiting it, you generate traffic and make money for cyber criminals. Although a system breakdown is not common with the Google Redirect Virus, it has been recorded. This is because the infection leaves your system vulnerable to other kinds of malware that could cause a breakdown, since a rootkit infection allows access to your system at all times. Be careful and look for any signs of this infection, and if any are present, remove the infection immediately!

There is not much originality in the ways various infections are spread, but that is probably because the old ways still work pretty well. Google Redirect Virus spreads the way most malware applications do. Opening suspicious e-mail attachments from an unknown sender is always risky and has been reported as one of the main ways that this infection is distributed. You might also get infected by clicking on dubious pop-up windows, thus allowing various installations to take place on your system.

Avoid visiting doubtful websites and always check what you are allowing to install on your computer. This might include something that mimics a Flash update or a system update. Recent events concerning Microsoft’s Internet Explorer left users even more exposed to various infections due to an RCE exploit, which means that a cyber criminal would be able to infect your computer even without your interaction.

A drive-by-download is another way that users get infected with Google Redirect Virus. Bundled software is one of the main ways that malware spreads these days. Suspicious websites provide various free downloads, but this is a great risk, as most of the time these freeware applications are bundled with something that you have no knowledge of. Bundling has become a major issue because most users do not pay attention to what they are installing on their system and usually choose a “quick” installation method. By doing so, users have no actual idea what is being installed on their systems or what they are agreeing to. The best way to prevent infections is to take your time during installations. Reading everything on the screen is advised and will save you time, as deleting Google Redirect Virus is even more time-consuming and annoying.

Manual detection of Google Redirect Virus is quite tricky, due to the stealthy design of this infection mentioned earlier. But there are a few tip-offs that might help the user identify malware within the system. Most of the time this virus will make changes to the hosts file, which is located at c:\Windows\System32\drivers\etc. The hosts file should, by default, contain only one IP address: localhost. By opening the file with Notepad you can check whether there are any alterations.

The infection will also create and insert various .dll files within the Windows system. These are mostly found in the c:\Windows\System32\ directory, with names like TDSSoexh.dll, TDSSciou.dll, TDSSriqp.dll, and 4DW4R3c.dll; sometimes randomly named .dll files are included as well, hence the complicated removal process. Other common files associated with this particular infection are TDSSserv.sys, TDIdrv2.sys, and 4DW4R3sv.dat. All of these files communicate with each other and with entries that were made within the Windows registry in order to redirect the browser. Most likely, at the point your browser is executed, these files are launched as various processes that unfortunately cannot be easily traced. Rootkits rank among the most difficult software infections to remove.
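The two tip-offs above (hosts entries other than localhost, and the listed file names) can be checked over a collected copy of the hosts file and a System32 listing. This Python is an added example, not part of the original article; the function names are hypothetical, and the sample hosts content, the 203.0.113.10 address and the directory listing are constructed.

```python
import ipaddress
import re

# File-name indicators taken from the article text (case-insensitive).
NAME_PATTERNS = [
    re.compile(r"^TDSS.*\.(dll|sys|dat)$", re.I),
    re.compile(r"^4DW4R3.*\.(dll|sys|dat)$", re.I),
    re.compile(r"^TDIdrv2\.sys$", re.I),
]

def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostnames) for every entry other than loopback -> localhost."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and blanks
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:                        # malformed address: report it
            loopback = False
        if loopback and all(n.lower() == "localhost" for n in names):
            continue
        findings.append((ip, names))
    return findings

def matching_indicators(file_names):
    """Return the names that match the indicators listed in the article."""
    return [n for n in file_names if any(p.match(n) for p in NAME_PATTERNS)]

# Constructed sample input (203.0.113.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1      localhost
::1            localhost
203.0.113.10   www.google.com google.com   # constructed redirect entry
127.0.0.1      update.example.com
"""
SAMPLE_LISTING = ["kernel32.dll", "TDSSoexh.dll", "tdssserv.sys",
                  "4DW4R3sv.dat", "TDIdrv2.sys", "notepad.exe"]

if __name__ == "__main__":
    for ip, names in suspicious_hosts_entries(SAMPLE_HOSTS):
        print("hosts entry:", ip, " ".join(names))
    for name in matching_indicators(SAMPLE_LISTING):
        print("indicator file:", name)
```

A name match is only a tip-off: since the article notes that randomly named .dll files are also used, an empty result does not clear a system.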

Remove Google Redirect Virus

Getting rid of Google Redirect Virus can be quite tricky, so trying a professional and legitimate antispyware program is always a good idea! It is important to remove the infection, as it will make your system work slower and may make your system vulnerable in general. By leaving your system out in the open you risk a lot!

Your bank account details, e-mail passwords, user names, and social security numbers might be stolen, and this might even end in identity theft! I will provide a manual removal of Google Redirect Virus here. But you have to take caution, as manual removal is quite tricky and you might forget something, leaving your system with traces of the infection. If the system is not entirely clean, the user risks future infections, because a backdoor left on the system is a gateway for infections.

A clean system is of great importance, as it will allow you to use your computer to its full advantage. This manual removal is for advanced users; otherwise, delete Google Redirect Virus with a legitimate and professional antimalware tool. Do so immediately!


  1. Enable file/folder visibility. Open any folder on your computer, click on Organize, then select Folder and search options. The Folder Options window will pop up. There, select View and, in the Advanced settings section, check Show hidden files, folders and drives. Now all of your folders and files are visible within your system.

  2. Enable the boot log. Click on the Windows Start button, type run, and hit Enter. In the command line type msconfig. The System Configuration window will pop up. Within that window select the Boot section, located at the top. Within that section check Boot log. Now apply the changes and reboot your system in order for those changes to take place.

  3. Delete TDSSserv.sys from the Device Manager. Once again open up Run and in the command line type devmgmt.msc. The Device Manager window will open. Within it click on View and select Show hidden devices. The Non-Plug and Play Drivers section will appear. Within that section search for TDSSserv.sys and remove it.

  4. Clean the Windows registry. In the Start section type regedit. The Registry Editor will open up. Within the window select Edit and click on Find. In the Find section type TDSS. Search for and remove all registry keys and values associated with TDSS.

  5. Delete the TDSSmain.dll file. The TDSSmain.dll file will be located in the C:\Windows\System32\ directory. Open the directory and remove the file.

  6. Delete the TDSS-associated strings from ntbtlog.txt. The ntbtlog.txt file is located in the C:\Windows directory, so it will not be hard to find. Open it up, remove everything associated with TDSS, then save and close ntbtlog.txt.
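A check that can follow the boot-log reboot in step 2 and the clean-up in the later steps: read ntbtlog.txt and report any driver whose file name starts with TDSS. This Python is an added example, not part of the original guide; it assumes the "Loaded driver" / "Did not load driver" line format and that the log may be UTF-16 with a byte-order mark, and the sample log (including the name tdssabcd.sys) is constructed.

```python
import codecs
import re

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s+(.+)$", re.I)

def decode_boot_log(raw):
    """Decode log bytes: UTF-16 when a BOM is present, otherwise UTF-8."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

def tdss_boot_entries(raw):
    """Return (status, driver_path) for lines whose file name starts with TDSS."""
    hits = []
    for line in decode_boot_log(raw).splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                              # header or unrelated line
        status, path = m.group(1).lower(), m.group(2).strip()
        base = re.split(r"[\\/]", path)[-1]       # file name without directory
        if base.upper().startswith("TDSS"):
            state = "loaded" if status.startswith("loaded") else "not loaded"
            hits.append((state, path))
    return hits

# Constructed sample boot log, encoded as UTF-16 with a BOM.
SAMPLE_LOG = (
    "(constructed header line)\r\n"
    "Loaded driver \\SystemRoot\\system32\\ntoskrnl.exe\r\n"
    "Loaded driver \\SystemRoot\\System32\\drivers\\TDSSserv.sys\r\n"
    "Did not load driver \\SystemRoot\\System32\\drivers\\tdssabcd.sys\r\n"
    "Loaded driver \\SystemRoot\\System32\\drivers\\tcpip.sys\r\n"
).encode("utf-16")

if __name__ == "__main__":
    for state, path in tdss_boot_entries(SAMPLE_LOG):
        print(f"{state}: {path}")
```

Run against the log written by a fresh boot, a "loaded" result means a TDSS driver is still being started and the removal is incomplete.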

If you have followed the guide precisely, your system should be free of Google Redirect Virus. But there is always a human element and you should never be 100% sure, so removing this and any other infection with professional antimalware software is always advisable.

