Trojan.Redirector Removal Guide

Trojan.Redirector is a malicious program developed to create a proxy for the Internet Explorer browser. It allows the malware to redirect all traffic while users are searching with Google, Yahoo, or other well-known engines. Then, the displayed results could be replaced with annoying third-party ads, sponsored links, advertising banners, and so on. Additionally, the software might be used to track or spy on users. Thus, if you want to browse safely, erasing this Trojan is a necessity. We placed removal instructions below to help you delete it manually, although if the process appears to be too difficult, we could also suggest downloading a reliable antimalware tool. It is also important to mention that in the article we will explain how this threat spreads and other crucial details about it, so keep reading the text, and you may learn how to avoid software such as Trojan.Redirector in the future.

From what our researchers have learned, it seems that the malware could be distributed with altered MSI files. This data might be made to look like installers of popular applications, e.g. WinRAR, YouTube Downloader, and so on. Moreover, it might be that such setup files are spread through suspicious web pages or unreliable file-sharing websites. To avoid similar threats, you should stay away from such sites and download installers or any other data only from reliable sources. Additionally, users could use a trustworthy antimalware tool to scan setup files or any other data that could be suspicious.

When the user has launched the malicious file, Trojan.Redirector should begin its installation by creating scripts called reset.txt and update.txt in the %COMMONPROGRAMFILES(x86)% and %COMMONPROGRAMFILES% folders. Then it should modify AutoConfigURL value name in the HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS or HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS directory. This modification should make the Internet Explorer browser use automatic configuration scripts that redirect all traffic and allows to replace content displayed on google.com or any other search engine.

Unfortunately, the replaced pop-ups, sponsored links, and other ads could redirect you to harmful web pages. For instance, the site may distribute browser hijackers, potentially unwanted programs, adware or even malicious software, such as Trojans, worms, ransomware, and so on. In other words, if you interact with the program's displayed content, you might expose your system to other threats. Thus, we advise you to eliminate Trojan.Redirector before it gets the chance to cause you more trouble.

The malware could be erased manually, although it may not be an easy task. For starters, the user should get rid of the scripts that we mentioned before. Then, it is important to change AutoConfigURL value data in the Windows Registry. Lastly, you should delete fake Adobe Flash files from the %WINDIR%\System32\Tasks or %WINDIR%\Tasks directory. These files could be named as Adobe Flash Scheduler, Adobe Flash Update, or similarly. For further instructions take a look at the recommended removal steps available below. Nevertheless, if these tasks seem to be too complicated, you can also install a reliable security tool and let it deal with Trojan.Redirector. Just launch the tool and start the scanning process. Then wait till it is over and click the deletion button.

Eliminate Trojan.Redirector

1. Open the Explorer and navigate to these locations one by one:
   %COMMONPROGRAMFILES(x86)%
   %COMMONPROGRAMFILES%
   %COMMONPROGRAMFILES(x86)%
   %COMMONPROGRAMFILES%
2. Look for files called reset.txt and update.txt. Right-click these files separately and select Delete.
3. Go to these directories separately:
   %WINDIR%\System32\Tasks
   %WINDIR%\Tasks
4. Search for files called as Adobe Flash Scheduler, Adobe Flash Update, and so on. Right-click them and select Delete.
5. Close the Explorer.
6. Press Windows Key+R, type regedit and click OK.
7. Navigate to these directories separately:
   HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
   HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS
8. Find value names called AutoConfigURL, right-click them and select Modify.
9. Erase current value data (e.g. http://wpad.com.gr/server.pac) and click OK.
10. Close the Explorer.
11. Empty Recycle bin.