Google Redirect Virus

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 146
First Seen: September 20, 2011
Last Seen: May 26, 2022
OS(es) Affected: Windows

The Google Redirect Virus has been around for quite some time and is known by many aliases, although its primary behavior remains constant. Basically, the Google Redirect Virus interferes with Google web searches by randomly redirecting PC users to malicious web pages or search engines.

The Google Redirect Virus Makes Online Searches Ineffective and Dangerous

The Google Redirect Virus (GRV) has been frustrating Internet users for several years now, yet it looks like there is still no effective method for avoiding the infection. In fact, it has even become one of the most severe cybersecurity issues of our time due to the vast popularity of the Google search engine that allows attackers to reach a large number of potential victims. The malware affects Windows, MacOS, and Linux operating systems, while recently Google Redirect Virus versions for mobile devices have surfaced as well.

In-depth research shows that there is not just one particular threat called Google Redirect Virus. Rather, the name encompasses a series of infections and issues affecting most popular browsers, with the common result of redirecting the user to malicious web pages through fake search results. The Google Redirect Virus malware is also known as "Chrome Redirect Virus," "the Google Virus," "Yahoo Redirect Virus," and "Bing Redirect Virus." Newer versions have also been identified, and they are known as "Happilli Redirect Virus" and "Nginx Redirect virus."

The most obvious symptom of a Google Redirect Virus-type infection is that all of a user's Google searches get redirected to unknown or shady domains, or to pages of other search engines that could have malicious content. Users with the Google Redirect Virus on their computers are redirected to unrelated or obnoxious websites when they click on any of the results from their Google search, regardless of which browser they use. The main functionality of the Google Redirect Virus has not changed over the years and across the different versions, and neither have the intentions of its authors, whose main goal is to make money by artificially boosting the visits to their own web pages and the views of the advertisements displayed on them.

All of the locations to which the threat redirects its victims are dangerous since they force the user to purchase malicious software, or may contain scripts that directly install malware or PUPs on the user's device. A clear sign that a PC has been infected with the Google Redirect Virus is that the user gets redirected multiple times from links that are certainly legit, like or Facebook. Redirecting programs like the Google Redirect Virus also collect information on users' browsing habits and common search terms, apart from injecting unwanted ads within the search results.

The Google Redirect Virus Disrupts the Overall Performance of Your PC

The Google Redirect Virus not only hijacks your browser; it can also severely impair your entire system, so you might experience some of the following symptoms:

  • Unexpected requests for reactivation of drivers
  • Applications not running properly
  • A changed homepage of your default browser
  • Malfunctioning hardware components or drivers
  • System freezing or slowing down
  • New icons being added to or icons missing from your desktop

Another possible side effect is the user being assaulted with advertisements, pop-up windows or security alerts. The sudden appearance of unsolicited anti-virus scans that run out of nowhere and warn the user of some non-existing malware threat being detected on his or her PC is also in store for systems infected with a Google Redirect Virus. This last trick is the typical behavior of a rogue security program that attempts to lure the user into purchasing some fake AV software and, respectively, providing their credit card data.

At first sight, the Google virus can be classified as a browser hijacker since it changes the infected browser's settings and causes an overall sluggish and ineffective surfing on the Internet. More recent research shows, however, that this malware can cause more severe damage to infected computers than just the redirecting issues and the annoying ads.

Not a Virus, But a Rootkit

Despite its name, the Google Redirect Virus is actually not a virus but a Trojan with rootkit capabilities. The discovery was made a while ago, after researchers detected a new malicious program associated with the Google Redirect Virus, known as Backdoor.Tidserv. Since then, it is believed that the Google Redirect Virus is a version of the TDSS rootkit, which puts itself on top of a system driver where it cannot be detected and removed. Therefore, any form of the Google Redirect Virus executes malicious commands and employs sophisticated programming techniques to hide its files from anti-virus software, making the infection very dangerous, hard to detect, and particularly hard to remove.

As a rootkit-type malware, the Google Redirect Virus is capable of gaining privileged access to the infected computer. It then inserts redirect scripts into the results of a regular Google search so that the user is redirected to third-party websites when clicking on the search results. A characteristic feature of rootkits is that they use the lower layers of the operating system, such as API function redirection, which makes them really hard to detect. Rootkits can also make the infected system hide existing files and running processes from the user while at the same time displaying non-existent things. A further capability is to download additional threats, such as Trojans.

Rootkits are also extremely hard to remove because they integrate themselves into the heart of the operating system. The Google Redirect Virus alters the Master Boot Record (MBR) and makes its own partition on it, so a special anti-rootkit technique is necessary to find the location, and this is only possible when the operating system is not running. In addition, the malware modifies the main Windows files to receive and execute commands from the attackers, while these files do not look affected since they keep working as normal. Complete removal of the Google Redirect Virus is usually not possible without a professional removal tool.

The Google Redirect Virus Sneaks into PCs Through Many Different Channels

Google Redirect Virus may come bundled within legitimate freeware, shareware, a codec needed to view a movie, or any other application that a user deliberately installs without knowing that the package includes hazardous add-ons as well. Plug-ins are another possible means of distribution of the malware. However, the favorite way for rootkits to spread is through Trojan horses. Trojans typically land on a PC when the user opens a malicious email attachment or visits compromised Internet pages. All of these distribution channels exploit users' ignorance of Internet security, which shows in blindly installing files and programs without knowing their origin.

Indulging in any of the following activities can explain how a user's PC has become infected with the Google Redirect Virus:

  • Clicking on suspicious links and visiting untrusted websites on the Internet
  • Opening email attachments from unknown senders or clicking on links embedded into such emails
  • Downloading freeware, shareware, or some sort of hacked software or pirated music and movies from dubious sources or networks
  • Visiting websites that are notorious for containing dangerous and malicious content, like gambling, gaming or adult web pages
  • Not installing a reputable anti-malware application on the computer, or having one with an expired license and an obsolete definitions base

Technical Details of the Google Redirect Virus

Since the Google Redirect Virus is a rootkit, it has the ability to stay hidden within the hard disk of the infected machine for extended periods of time, from where it monitors the user's online behavior and Internet browsing habits. At the same time, the virus does not give any recognizable signs of its presence. In order to identify a Google Redirect Virus on a computer, the user should look for the following processes, which researchers believe to be associated with the malware:


GRV's malicious traces can also be found in the registry as the following registry keys:


DLLs and other files which are known to be related to the malware are:

C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll

Below is a general outline of what actions the Google Redirect Virus performs on an infected PC:

  1. Modifies the system registry so that the malware's executable runs at every boot. The malware picks the name of that malicious file at random, and it is different each time so that it cannot be recognized by cybersecurity researchers.
  2. Drops a .TMP file in the temporary folder. This file is also randomly named and, later on, it installs other malicious components.
  3. The .TMP file registers itself as a legitimate service in order to bypass the firewall and to avoid AV scanning engines. It achieves that by copying a legitimate .dll file and infusing it with its own script, thus forcing the affected file to load the malicious .TMP file.
  4. The malware then exploits vulnerabilities in Microsoft Windows DLL listing by adding the 'modified' .dll file and having it loaded into the memory along with the other legitimate files.
  5. Once loaded, the malicious .TMP file creates another randomly named file in the PC's 'driver' folder, usually a file with the .sys extension. This random file is the component that conceals all of the malware's malicious files and code from the user as well as from malware detection tools.
  6. Once the random .sys file is deployed, it drops a .dll file in the system folder, and this file is then injected into the SVCHOST executable which, in turn, downloads more malicious components from the hackers' servers. It is these configuration files that help the attackers do the following:

  • Prevent programs or applications from running, especially such that threaten the malware's processes
  • Spoof email accounts and spam persons on the victim's contact list
  • Display or trigger pop-up windows and ads
  • Perform HTTP transfers (i.e., to send or receive new transmissions)
  • Order DNS attacks
  • Download other malicious programs such as:
      1. Trojan keylogger which can steal vital data out of the cache or directly off web-based forms
      2. Trojan backdoor which can exploit remote assistance tools to secretly make use of the infected PC
      3. Trojan hijacker which can change the computer's host files and redirect web searches to malicious or unwanted websites
      4. Trojan dropper which can drop more malicious components or programs to the PC

Websites Associated with Google Redirect Virus

Some of the suspicious web pages that Google Redirect Virus is known to link to include questionable search engines, adult websites, and ad-supporting services. Names associated with these websites include AboutBlank, Clicksor, expand search answers, starFeedsMixer, FilesCup, YouPorn, neat search server (ZeroAccess rootkit), Social Search Redirect, tazinga!, and vShare.

Not all malware announces its presence, but unless you changed your own host file, you can be certain you have a browser hijacker or Google Redirect Virus when your search requests forcibly route you to unwanted websites. Cybercriminals create malware to multi-task and achieve one or more payloads. The foreign websites may include links that yield cybercrooks unearned pay-per-click (PPC) residuals or might help promote a rogue security program.
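The host-file change mentioned above can be checked directly. The following is an added example, not code from this page or from any removal tool: it parses a hosts file and reports entries that pin the search engines named on this page (Google, Yahoo, Bing) to an address. The sample file and its addresses are constructed for the example.

```python
import ipaddress

# Search engines this page names as hijacked: Google, Yahoo and Bing.
SEARCH_BRANDS = ("google", "yahoo", "bing")

# Constructed sample hosts file; addresses are documentation ranges (RFC 5737).
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com google.com   # entry nobody remembers adding
203.0.113.45    search.yahoo.com
0.0.0.0         www.bing.com
10.0.0.5        intranet.example.local
"""


def audit_hosts(text):
    """Return (line_no, verdict, hostname, address) for suspicious entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            # A line that does not start with an IP address is worth a look.
            findings.append((line_no, "malformed", fields[0], ""))
            continue
        for host in fields[1:]:
            labels = host.lower().rstrip(".").split(".")
            if not any(brand in labels for brand in SEARCH_BRANDS):
                continue
            # Pinned to a local address the search engine is blocked; pinned
            # to any other address it is served by a host the user never chose.
            local = addr.is_loopback or addr.is_unspecified
            verdict = "blocked" if local else "redirected"
            findings.append((line_no, verdict, host.lower(), str(addr)))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file is `%SystemRoot%\System32\drivers\etc\hosts`; because this page describes rootkit behaviour that hides changes from the running system, a copy read from an offline-mounted disk is the more trustworthy input.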

Google Redirect Virus has rootkit characteristics, meaning it may go undetected by many applications. Google Redirect Virus can be said to be very similar to the parasites and fake security applications known as Alureon, Windows Necessary Firewall and even Fast Windows Antivirus 2011.

The longer you tolerate the presence of a Google Redirect Virus on your computer, the higher the risk of severe damage to your data and system as these malicious programs use a lot of resources and could lead to a complete system crash. Therefore, you should not waste time, letting hackers steal your personal information and destroying your computer. Instead, purchase a reliable anti-malware program that is capable of digging into the root of your system to find and clear all traces of the Google Redirect Virus.

In the meantime, you are advised to disconnect your device from the Internet to prevent any new transmissions of data to a remote server. You should also use a malware-free PC to change your logins and security credentials for all your online accounts.

Malware exploits vulnerabilities found in software or hardware, or takes advantage of human behavior and ignorance of Internet security practices. So if you or someone using your PC indulged in one of the following, it could explain how your PC got infected with the Google Redirect Virus.

  1. You took your chances and decided against installing a reputable anti-malware tool.
  2. You installed an anti-malware tool but got comfortable and did not renew it.
  3. You were drawn into clicking on a dubious link of some online suicide or celebrity hoax.
  4. You were spammed because you didn't verify the source of that email attachment or link from your family or friend, whose account was hijacked by a cybercriminal.
  5. You love the word free and pirated music or movies.
  6. You love freeware and shareware and downloaded an infectious codec to view a movie or video.
  7. You love visiting porn sites, gaming sites or warez ones and got infected.

To combat malware in the short and long term, you need to understand its structure and malicious intent. Below is a general outline of what is in store for PCs housing the Google Redirect Virus:

  • Trojan gains deceptive entry by exploiting vulnerabilities in hardware, software or good ole human behavior and weak Internet security practices.
  • Modifies the system registry and makes an entry so that its randomly named executable (done to keep the Internet security community guessing) is run at every boot.
  • Drops a .TMP file in your temporary folder and this file installs other malicious components.
  • The .TMP file (randomly named) will register itself as a legitimate service (thus bypassing your firewall and eluding AVG efforts) by copying a legitimate .dll file and infusing it with its poisonous script to load its malicious .TMP file.
  • It then exploits vulnerabilities in Microsoft Windows DLL listing by adding the 'modified' .dll file and having it loaded into memory along with the other 'legitimate' ones.
  • Once loaded, the venomous .TMP file creates a randomly named file in your 'driver' folder (usually with the .sys extension). This random file is the component that hides all its malicious files and programs from prying eyes (yours and AVG radar).
  • Once the random .sys file is deployed, it drops a .dll file in your 'system' folder and this file is then injected into the SVCHOST executable, which downloads more malicious components from the Internet. It is these configuration files that help a hacker do the following:
    a. Perform HTTP transfers (i.e. to send or receive new transmissions)
    b. Display or trigger pop-up adverts
    c. Inhibit programs or applications from running, especially those threatening malicious attacks.
    d. Set command delay
    e. Order DNS attacks
    f. Spoof email accounts and spam persons on contact list
    g. Download other malicious programs such as:
        i. Trojan keylogger = steal vital data out of cache or directly off web-based forms
        ii. Trojan backdoor = exploit remote assistance tool to secretly make use of your PC
        iii. Trojan hijacker = change your host files and redirect web searches to malicious or unwanted websites
        iv. Trojan dropper = drop more malicious components or programs in your PC

In addition to the Google Redirect Virus hijacking your browser, your system may become impaired, and you might notice the following:

  • Keyboard malfunctioning
  • Windows will unexpectedly request reactivation of drivers
  • System runs slow or freezes up
  • Applications do not run properly
  • Homepage changed or browser redirects you to unwanted websites
  • Icons added or missing and hardware or drivers inoperable

The longer you allow the Google Redirect Virus to fester, the bigger the risk or threat to your data and system, as these malicious programs use a lot of resources and could cause a system crash.

However, don't be surprised if you are assaulted by pop-up adverts or scary alerts and fake warnings, or if a slick-looking interface appears out of nowhere and runs an unauthorized scan. This is the typical behavior of a rogue security program, a well-worn scam used to scare PC users into blindly handing over their credit card and bank routing number to buy a useless piece of software. Never trust any program that self-loads, runs an unauthorized scan or hijacks your browser.

Don't waste time and don't let some hacker steal your personal information. Fight fire with fire by using a reliable anti-malware tool that is capable of digging into the root of your system and finding all traces of the Google Redirect Virus.

In the interim, disconnect your Internet to stop any new transmissions of data to some remote server. Get to a malware-free PC and change your logins and security credentials for your online accounts.


15 security vendors flagged this file as malicious.

Anti-Virus Software    Detection
Panda                  Trj/Genetic.gen
AVG                    Generic29.AKVZ
Fortinet               W32/Kryptik.KO!tr
Ikarus                 Win32.Malware
AhnLab-V3              Trojan/Win32.Milicenso
Microsoft              Trojan:Win32/Vundo
AntiVir                TR/Crypt.ZPACK.Gen2
Comodo                 UnclassifiedMalware
Kaspersky              HEUR:Trojan.Win32.Generic
ClamAV                 WIN.Trojan.Agent-83670
Symantec               WS.Reputation.1
K7AntiVirus            Trojan
McAfee                 Artemis!A99D0C59FDB7
CAT-QuickHeal          Trojan.Vundo.Gen
Panda                  Generic Malware

SpyHunter Detects & Removes Google Redirect Virus

File System Details

Google Redirect Virus may create the following file(s):
# File Name MD5 Detections
1. xriotabb.dll 2a69d434d9d6d6d120fc39a190ca00d3 102
2. msdeltam.dll 0517f1b0c76bd2a32f0cb681617bee80 17
3. TDSSserv.sys
4. C:\WINDOWS\system32\uacinit.dll
7. C:\WINDOWS\Xzagua.exe
8. Xwo.exe
9. C:\Windows\System32\wdmaud.sys
10. C:\WINDOWS\system32\UAC.dll
11. C:\WINDOWS\SYSTEM32\4DW4R3c.dll
12. C:\WINDOWS\system32\drivers\UAC.sys
13. C:\Documents and Settings\\Application Data\_VOIDmainqt.dll
14. Xwk.exe
15. dmgsh.exe
17. C:\WINDOWS\system32\_VOID.dll
18. C:\WINDOWS\system32\drivers\_VOID.sys
19. Xzagua.exe
20. C:\WINDOWS\system32\UAC.dat
21. C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
22. %Temp%\UAC.tmp
23. C:\WINDOWS\system32\UAC.db
24. C:\WINDOWS\system32\_VOID.dat
25. C:\WINDOWS\Temp\UAC.tmp
27. C:\WINDOWS\system32\uactmp.db
28. C:\WINDOWS\Temp\_VOIDtmp
29. %Temp%\_VOID.tmp
30. kbd101V.dll a99d0c59fdb79c60d748b35f3ec3e448 0
31. KBDSL1B.dll 6f1ad64ccb0b277c0668318e20ef27fc 0
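
The behaviour described on this page (a driver that hides the malware's files from the running system, and a .TMP file that registers itself as a service) lends itself to a cross-view check. The following is an added example, not SpyHunter's detection logic: it assumes two file listings of the same disk, one taken from the live OS and one from the disk mounted offline, plus a map of service names to image paths, all constructed here. Treating the file names listed above as the prefixes `uac`, `_void`, `tdss` and `4dw4r3` is also an assumption of the example.

```python
import ntpath

# Prefixes derived from this page's file list (UAC.sys, _VOID.dll,
# TDSSserv.sys, 4DW4R3c.dll, ...). Prefix matching is an assumption.
KNOWN_PREFIXES = ("uac", "_void", "tdss", "4dw4r3")

# Constructed inputs: what the offline-mounted disk shows, what the live
# system reports, and a service-name -> image-path map.
OFFLINE = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\UAC.sys",
    r"C:\WINDOWS\system32\UAC.dll",
    r"C:\WINDOWS\system32\drivers\qxkvnrpw.sys",   # made-up random name
    r"C:\WINDOWS\system32\kernel32.dll",
]
LIVE = [
    r"c:\windows\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\kernel32.dll",
]
SERVICES = {
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
    "qxkvnrpw": r"C:\WINDOWS\Temp\a1b2.tmp",       # made-up entry
}


def norm(path):
    """Normalise a Windows path so listings compare case-insensitively."""
    return ntpath.normpath(path).lower()


def hidden_files(live_listing, offline_listing):
    """Files present on the offline disk but missing from the live view."""
    live = {norm(p) for p in live_listing}
    return sorted({norm(p) for p in offline_listing} - live)


def name_family(path):
    """Return the page-derived prefix a file name starts with, or None."""
    base = ntpath.basename(norm(path))
    return next((p for p in KNOWN_PREFIXES if base.startswith(p)), None)


def temp_backed_services(services):
    """Services whose image is a .tmp file or sits in a Temp directory."""
    hits = []
    for name, image in services.items():
        image = norm(image)
        if image.endswith(".tmp") or "\\temp\\" in image:
            hits.append(name)
    return sorted(hits)


def triage(live_listing, offline_listing, services):
    """Combine both checks into (item, reason) pairs for an analyst."""
    report = []
    for path in hidden_files(live_listing, offline_listing):
        reason = "hidden from live view"
        family = name_family(path)
        if family:
            reason += f", name matches '{family}' family"
        report.append((path, reason))
    for name in temp_backed_services(services):
        report.append((name, "service image is a temp file"))
    return report


if __name__ == "__main__":
    for item, reason in triage(LIVE, OFFLINE, SERVICES):
        print(f"{item}: {reason}")
```

A file that appears only in the offline listing is a lead, not a verdict; the randomly named driver in the sample is caught by the cross-view difference alone, which is the point of comparing the two views rather than relying on names.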

Registry Details

Google Redirect Virus may create the following registry entry or registry entries:


Can I get help for free?

My spouse and I stumbled over here from a different web address and thought I may as well check things out. I like what I see so I am just following you. Look forward to checking out your web page again.

Google Virus Guy

Google direct virus is difficult to remove and it changes your host file as well.

This page definitely has all the information I needed concerning this subject and didn't know who to ask.

Great article. Keep writing such kind of info on your blog.
I'm really impressed by your blog.
Thanks for sharing your thoughts on Google Redirect Virus. Regards

I blog often and I seriously appreciate your content. This great article has truly piqued my interest. I am going to bookmark your website and keep checking for new details about once a week. I subscribed to your RSS feed as well.

This article is really a good one it assists new internet people, who are wishing for blogging.

Is there a Mac version of Spyhunter? If not, can you suggest a similar program that runs on Mac.

Yes, my Mac is infected with this virus! Beware Mac peeps, this can happen to you.

I keep getting this redirect and have tried everything available. It is annoying, and when it redirects, it does this about 2-3 times, always about downloading a Google extension. How can I find it in my registry and zap it? Thanks... this is the link that shows up in a new tab

Pablo A Velazquez

My account was hacked on Jan. 29, 2016. Since then, no clue about my personal info, friends, games, pics, or what people did with my account and blamed me for it. Nobody from Yahoo, Google, or Facebook has contacted me. This was a setup. Please call me so I can tell my version.

what do I need to do to fix this problem?

How do I get rid of this virus??

A few days ago I got this virus. AVG and Malwarebytes couldn't detect it. I didn't know what to do and then stumbled here. Since I don't know any other programs, I bought SpyHunter. Apparently it's a miracle worker. My PC is squeaky clean now. Thank you!

My husband and friend put "Apatche" licenses on my phone trying to hide their stuff from me. They are gone but not it. Is this any good at getting that off my Android without erasing all they've done? It's on my phone and both iPads and really gets my goat. Thanks

I have no idea what I am doing I just need some help!!!

Alright, so what more do I have to do to be able to understand this better? Thanks

I had it recommended by a friend

What do I write


do not know what is required

Thank you

All help is valuable, and free is better

It is a useful tool

joyce saffarano

I tried everything, and I still have a million pop-ups. My screen doesn't even look like my screen anymore. Can someone please please help me? Thank you


Dawud Muhammad

I am so F_____cking frustrated with this redirect virus. I'm googling and it's taking me to Bing. What kind of people create such a thing? Seriously I don't know who to trust. Thanks for the article. I guess I'll spend more money trying to get rid of this virus.

Google Lead Services is gone.Yaaaaaaaaay! Good job. Five stars. Thanks.

hi guys :). I am looking for help for me and my girl. i am from France

Hello, I think my friend's PC was infected by a virus that changed the extension ,jpg,vari. At that point I formatted, not knowing what to do. Of course I had made a copy of my files on the hard disk, and I saw that nothing has changed, for example italia,jpg,vari. Now how can I restore my photos and other files to normal? Thanks, I await your reply.

When I click Google Chrome it takes me to a different search thing called Search Marquis. I just want Google Chrome 🙁
