Google Redirect Virus

By ZulaZuza in Viruses | 10,041 views

Google Redirect Virus Description


The Google Redirect Virus has been around for quite some time and is known by many aliases, although the primary behavior remains constant. Basically, the Google Redirect Virus plays tricks on PC users who run Google web searches by randomly redirecting them to malicious web pages or search engines.

Any form of the Google Redirect Virus is dangerous because of the malicious commands it executes and the stealth techniques it uses to hide its files from prying eyes and anti-virus scanners. Malware such as the Google Redirect Virus may arrive bundled and cloaked inside a legitimate-looking download of freeware, shareware, or a codec supposedly needed to view a movie. Plug-ins are another deceptive delivery method that exploits PC users’ unfamiliarity with Internet security, since many click blindly without checking the origin.

Google Redirect Virus’s main goal is to hijack your web browser and redirect it to malicious or unwanted websites.

Not all malware announces its presence, but unless you changed your own hosts file, you can be certain you have a browser hijacker or the Google Redirect Virus when your search requests are forcibly routed to unwanted websites. Cybercriminals build malware to multi-task and deliver one or more payloads. The foreign websites may include links that earn cybercrooks unearned pay-per-click (PPC) revenue or may help promote a rogue security program.
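The hosts-file tell described above can be checked mechanically. The script below is an added example, not part of the original entry: it parses hosts-file text the way Windows does and flags any entry that points a well-known search domain (the watched list is an assumption) at a non-loopback address; the sample hosts content is constructed.

```python
"""Audit a Windows hosts file for search-engine hijack entries.

Added example, not from the original entry. A browser hijacker of the kind
described above may add hosts-file lines that send Google (or another search
engine) to an attacker-controlled IP. Windows reads each line as
<address> <hostname> [<hostname> ...], with '#' starting a comment.
"""
import ipaddress

# Domains a clean hosts file has no business overriding (assumed list).
WATCHED_DOMAINS = ("google.com", "bing.com", "yahoo.com", "search.msn.com")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; Windows ignores such a line too
        for host in parts[1:]:
            yield ip, host.lower()


def find_hijacks(text):
    """Return (ip, host) entries that override a watched domain with a non-loopback address.

    A loopback mapping merely blocks the site; a routable address redirects it.
    """
    hits = []
    for ip, host in parse_hosts(text):
        watched = any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)
        if watched and not ip.is_loopback:
            hits.append((str(ip), host))
    return hits


# Constructed sample: the default Windows entries plus injected redirect lines.
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.google.com    # loopback: blocks, does not redirect
198.51.100.23   www.google.com google.com
198.51.100.23   www.bing.com
"""

if __name__ == "__main__":
    for ip, host in find_hijacks(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {host} -> {ip}")
```

On a live system, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacks`; an empty result means no redirect of the watched domains is present.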

Google Redirect Virus has rootkit characteristics, meaning it may go undetected by many applications. Google Redirect Virus is very similar to the parasites and fake security applications known as Backdoor.Tidserv, Alureon, Windows Necessary Firewall and even Fast Windows Antivirus 2011.

Malware exploits vulnerabilities in software or hardware, or takes advantage of human behavior and a failure to follow Internet security practices. So if you or someone using your PC did one of the following, it could explain how your PC got infected with the Google Redirect Virus.

  1. You took your chances and decided against installing a reputable anti-malware tool.
  2. You installed an anti-malware tool but got comfortable and did not renew it.
  3. You were drawn into clicking on a dubious link about some online suicide or celebrity hoax.
  4. You were spammed because you didn’t verify the source of an email attachment or link from a family member or friend whose account had been hijacked by a cybercriminal.
  5. You love the word “free” and download pirated music or movies.
  6. You love freeware and shareware and downloaded an infected codec to view a movie or video.
  7. You love visiting porn, gaming or warez sites and got infected.

Combating malware in the short and long term means understanding its structure and malicious intent. Below is a general outline of what is in store for PCs housing the Google Redirect Virus:

  • The Trojan gains deceptive entry by exploiting vulnerabilities in hardware, software or good old human behavior and weak Internet security practices.
  • It modifies the system registry, adding an entry so that its randomly named executable (the random name is meant to keep the Internet security community guessing) runs at every boot.
  • It drops a .TMP file in your temporary folder, and this file installs other malicious components.
  • The randomly named .TMP file registers itself as a legitimate service (thus bypassing your firewall and eluding AVG efforts) by copying a legitimate .dll file and infusing it with its poisonous script to load the malicious .TMP file.
  • It then exploits vulnerabilities in the Microsoft Windows DLL listing by adding the ‘modified’ .dll file and having it loaded into memory along with the other ‘legitimate’ ones.
  • Once loaded, the venomous .TMP file creates a randomly named file in your ‘drivers’ folder (usually with the .sys extension). This random file is the component that hides all of its malicious files and programs from prying eyes (yours and the AVG radar).
  • Once the random .sys file is deployed, it drops a .dll file in your ‘system’ folder, and this file is then injected into the SVCHOST executable, which downloads more malicious components from the Internet. It is these configuration files that help a hacker do the following:

    a. Perform HTTP transfers (i.e. send or receive new transmissions)
    b. Display or trigger pop-up adverts
    c. Inhibit programs or applications from running, especially those that threaten the malicious attack
    d. Set a command delay
    e. Order DNS attacks
    f. Spoof email accounts and spam persons on the contact list
    g. Download other malicious programs such as:
       i. Trojan keylogger: steals vital data out of the cache or directly off web-based forms
       ii. Trojan backdoor: exploits the remote assistance tool to secretly make use of your PC
       iii. Trojan hijacker: changes your hosts file and redirects web searches to malicious or unwanted websites
       iv. Trojan dropper: drops more malicious components or programs on your PC

In addition to the Google Redirect Virus hijacking your browser, your system may become impaired, and you might notice the following:

  • Keyboard malfunctions
  • Windows unexpectedly requests reactivation of drivers
  • System runs slowly or freezes up
  • Applications do not run properly
  • Homepage changed, or browser redirects you to unwanted websites
  • Icons added or missing, and hardware or drivers inoperable

The longer you allow the Google Redirect Virus to fester, the bigger the risk to your data and system, as these malicious programs use a lot of resources and could cause a system crash.

However, don’t be surprised if you are assaulted by pop-up adverts, scary alerts and fake warnings, or if a slick-looking interface appears out of nowhere and runs an unauthorized scan. This is the typical behavior of a rogue security program, a well-worn scam to scare PC users into blindly handing over their credit card and bank routing number to buy a useless piece of software. Never trust any program that self-loads, runs an unauthorized scan or hijacks your browser.

Don’t waste time and don’t let some hacker steal your personal information. Fight fire with fire by using a reliable anti-malware tool that is capable of digging into the root of your system and finding all traces of the Google Redirect Virus.

In the interim, disconnect your Internet connection to stop any new transmission of data to a remote server. Get to a malware-free PC and change your logins and security credentials for your online accounts.

Type: Viruses

How Can You Detect Google Redirect Virus?

Google Redirect Virus Removal Details

Google Redirect Virus typically has the following components loaded in memory:

  • TDSSserv.sys
  • C:\WINDOWS\system32\uacinit.dll
  • C:\WINDOWS\SYSTEM32\4DW4R3.dll
  • C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
  • C:\WINDOWS\Xzagua.exe
  • Xwo.exe
  • C:\Windows\System32\wdmaud.sys
  • C:\WINDOWS\system32\UAC.dll
  • C:\WINDOWS\SYSTEM32\4DW4R3c.dll
  • C:\WINDOWS\system32\drivers\UAC.sys
  • C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll
  • Xwk.exe
  • dmgsh.exe
  • C:\WINDOWS\_VOID\_VOIDd.sys
  • C:\WINDOWS\system32\_VOID.dll
  • C:\WINDOWS\system32\drivers\_VOID.sys
  • Xzagua.exe

Google Redirect Virus creates the following files in the system:

  • C:\WINDOWS\system32\UAC.dat
  • C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
  • %Temp%\UAC.tmp
  • C:\WINDOWS\system32\UAC.db
  • C:\WINDOWS\system32\_VOID.dat
  • C:\WINDOWS\Temp\UAC.tmp
  • C:\WINDOWS\_VOID\
  • C:\WINDOWS\system32\uactmp.db
  • C:\WINDOWS\Temp\_VOIDtmp
  • %Temp%\_VOID.tmp

Google Redirect Virus creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3


This entry was last updated on 08/17/12 and posted on 05/14/09. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “Google Redirect Virus”

  1. Lynn Hauman Says:

    Can I get help for free?


Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.