Google Redirect Virus

Google Redirect Virus Description

The Google Redirect Virus has been around for quite some time and is known by many aliases, although its primary behavior remains constant. Basically, the Google Redirect Virus plays tricks on PC users who run Google web searches by randomly redirecting them to malicious web pages or search engines.

Any form of the Google Redirect Virus is dangerous due to the malicious commands it executes and the stealth programming techniques used to hide its files from prying eyes and anti-virus software radars. Malware such as the Google Redirect Virus may come bundled and cloaked inside a legitimate download of freeware, shareware, or a codec needed to view a movie. Plug-ins are another form of deceptive transport that exploits PC users' ignorance of Internet security, since many blindly click without knowing the origin.

Google Redirect Virus's main goal is to hijack your web browser and redirect it to malicious websites.

Not all malware announces its presence, but unless you changed your own hosts file, you can be certain you have a browser hijacker or Google Redirect Virus when your search requests forcibly route you to unwanted websites. Cybercriminals create malware to multi-task and achieve one or more payloads. The foreign websites may include links that yield cybercrooks unearned pay-per-click (PPC) residuals or might help promote a rogue security program.

Google Redirect Virus has rootkit characteristics, meaning it may go undetected by many applications. Google Redirect Virus can be said to be very similar to the parasites and fake security applications known as Backdoor.Tidserv, Alureon, Windows Necessary Firewall and even Fast Windows Antivirus 2011.

Malware exploits vulnerabilities found in software or hardware, or takes advantage of human behavior and ignorance of Internet security practices. So if you or someone using your PC indulged in one of the following, it could explain how your PC got infected with the Google Redirect Virus.
  1. You took your chances and decided against installing a reputable anti-malware tool.
  2. You installed an anti-malware tool but got comfortable and did not renew it.
  3. You were drawn into clicking on a dubious link of some online suicide or
    celebrity hoax.
  4. You were spammed because you didn't verify the source of that email attachment or link from
    your family or friend, whose account was hijacked by a cybercriminal.
  5. You love the word free and pirated music or movies.
  6. You love freeware and shareware and downloaded an infectious codec to view a movie or video.
  7. You love visiting porn sites, gaming sites or warez ones and got infected.

Combating malware in the short and long term requires understanding its structure and malicious intent.
Below is a general outline of what is in store for PCs housing the Google Redirect Virus:
  • Trojan gains deceptive entry by exploiting vulnerabilities in hardware, software or good ole
    human behavior and weak Internet security practices.
  • Modifies system registry and makes an entry so that its randomly named executable (done to keep
    the Internet security community guessing) is run at every boot.
  • Drops a .TMP file in your temporary folder and this file installs other malicious components.
  • The .TMP file (randomly named) will register itself as a legitimate service (thus bypassing your
    firewall and eluding AVG efforts) by copying a legitimate .dll file and infusing it with its poisonous
    script to load its malicious .TMP file.
  • It then exploits vulnerabilities in Microsoft Windows DLL listing by adding the 'modified' .dll file
    and having it loaded into memory along with the other 'legitimate' ones.
  • Once loaded, the venomous .TMP file creates a randomly named file in your 'driver' folder
    (usually with the .sys extension). This random file is the component that hides all its malicious
    files and programs from prying eyes (yours and AVG radar).
  • Once the random .sys file is deployed, it drops a .dll file in your 'system' folder and this file is
    then injected into the SVCHOST executable, which downloads more malicious components from
    the Internet. It is these configuration files that help a hacker do the following:

    a. Perform HTTP transfers (i.e. to send or receive new transmissions)
    b. Display or trigger pop-up adverts
    c. Inhibit programs or applications from running, especially those threatening malicious
       attacks.
    d. Set command delay
    e. Order DNS attacks
    f. Spoof email accounts and spam persons on contact list
    g. Download other malicious programs such as:
       i. Trojan keylogger = steal vital data out of cache or directly off web-based forms
       ii. Trojan backdoor = exploit remote assistance tool to secretly make use of your PC
       iii. Trojan hijacker = change your hosts file and redirect web searches to malicious or unwanted websites
       iv. Trojan dropper = drop more malicious components or programs in your PC
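
A hosts-file audit for the redirect symptom described earlier and for the "Trojan hijacker" item in the list above, added here as an example; it is not code from the original page or from any vendor tool. The watch list of search-engine labels and the sample hosts content are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watch list for this example: DNS labels of the search engines to audit.
WATCHED_LABELS = {"google", "bing", "yahoo"}

# Constructed sample hosts file (documentation addresses, not real indicators).
SAMPLE_HOSTS = """\
# Constructed sample, not taken from an infected machine
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com google.com   # several names on one line
203.0.113.10    www.bing.com
0.0.0.0         ads.example.net
127.0.0.1       search.yahoo.com
not-an-ip       www.google.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each valid mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # strip comment, split on whitespace
        if len(fields) < 2:
            continue                                # blank, comment-only or malformed
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                # first field is not an IP address
        for host in fields[1:]:
            yield line_no, ip, host.lower().rstrip(".")

def audit_hosts(text):
    """Return (line_no, host, ip, kind) for every watched name the file overrides."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if WATCHED_LABELS & set(host.split(".")):
            # Loopback/unspecified targets block the site; anything else redirects it.
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((line_no, host, str(ip), kind))
    return findings

if __name__ == "__main__":
    for line_no, host, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({kind})")
```

On Windows, feed it the contents of %WINDIR%\System32\drivers\etc\hosts; a hosts file you never edited should produce no findings.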

In addition to the Google Redirect Virus hijacking your browser, your system may become impaired, and
you might notice the following:
  • Keyboard malfunctioning
  • Windows unexpectedly requests reactivation of drivers
  • System runs slow or freezes up
  • Applications do not run properly
  • Homepage changed or browser redirects you to unwanted websites
  • Icons added or missing and hardware or drivers inoperable

The longer you allow the Google Redirect Virus to fester, the bigger the risk or threat to your data and
system, as these malicious programs use a lot of resources and could cause a system crash.

However, don't be surprised if you are assaulted by pop-up adverts or scary alerts and fake warnings, or if a slick-looking interface appears out of nowhere and runs an unauthorized scan. This is the typical behavior of a rogue security program, a well-used scam meant to scare PC users into blindly handing over their credit card and bank routing number to buy a useless piece of software. Never trust any program that self-loads, runs an unauthorized scan or hijacks your browser.

Don't waste time and don't let some hacker steal your personal information. Fight fire with fire by using a reliable anti-malware tool that is capable of digging into the root of your system and finding all traces of the Google Redirect Virus.

In the interim, disconnect from the Internet to stop any new transmissions of data to some remote server. Get to a malware-free PC and change your logins and security credentials for your online accounts.
Aliases: Trj/Genetic.gen [Panda], HEUR:Trojan.Win32.Generic [Kaspersky], WIN.Trojan.Agent-83670 [ClamAV], TROJ_GEN.RCBZ7A6 [TrendMicro-HouseCall], WS.Reputation.1 [Symantec], Trojan.Kryptik!bnm2LXIQg/s [Agnitum], Trojan/Kryptik.akco [TheHacker], Trojan [K7AntiVirus], Artemis!A99D0C59FDB7 [McAfee], Trojan.Vundo.Gen [CAT-QuickHeal], Trojan.Win32.ZPACK.bebabu [NANO-Antivirus], Trojan.Agent/Gen-Kryptik [SUPERAntiSpyware], UnclassifiedMalware [Comodo], Generic29.AKVZ [AVG] and W32/Kryptik.KO!tr [Fortinet].

Security Doesn't Let You Download SpyHunter or Access the Internet?

Solutions: Your computer may have malware hiding in memory that prevents any program, including SpyHunter, from executing on your computer. Follow these steps to download SpyHunter and gain access to the Internet:
  • Use an alternative browser. Malware may disable your browser. If you're using IE, for example, and having problems downloading SpyHunter, you should open Firefox, Chrome or Safari instead.
  • Use removable media. Download SpyHunter on another clean computer, burn it to a USB flash drive, DVD/CD, or any preferred removable media, then install it on your infected computer and run SpyHunter's malware scanner.
  • Start Windows in Safe Mode. If you cannot access your Windows desktop, reboot your computer in 'Safe Mode with Networking' and install SpyHunter in Safe Mode.
  • IE Users: Disable proxy server for Internet Explorer to browse the web with Internet Explorer or update your anti-spyware program. Malware modifies your Windows settings to use a proxy server to prevent you from browsing the web with IE.

Technical Information

File System Details

Google Redirect Virus creates the following file(s):

Registry Details

Google Redirect Virus creates the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

7 Comments

  • crack says:

    This article is really a good one it assists new internet people, who are wishing for blogging.

  • search engine says:

    I blog often and I seriously appreciate your content. This great article has truly
    piqued my interest. I am going to bookmark your website and keep
    checking for new details about once a week. I subscribed to your RSS feed as well.

  • Shipping says:

    Great article. Keep writing such kind of info on your blog.
    I'm really impressed by your blog.
    Thanks for sharing your thoughts on Google Redirect Virus. Regards

  • Exterior says:

    This page definitely has all the information I needed concerning this subject and didn’t know who to ask.

  • Google Virus Guy says:

    Google direct virus is difficult to remove and it changes your host file as well.

  • Ganoderma says:

    My spouse and I stumbled over here from a different web address and thought I may as well check things out. I like what I see so I am just following you. Look forward to checking out your web page again.

  • Lynn Hauman says:

    Can I get help for free?
