Google search redirects are on the increase and getting more common these days. Users of the Google search engine may complain of having their searches redirected to unwanted sites, regardless of which browser is used.
This happens when the system is infected with any of these variants: Trojan Win32/Daonol.A/B, Trojan.JSRedir/Trojan.Gumblar, Win32.Alureon, Win32.Olmarik, Trojan.generic, TDSS rootkits, Backdoor.Tidserv!.inf.
Some variants of the TDSS rootkit TDL3 also patch system drivers, e.g. iaStor.sys, atapi.sys, iastorv.sys, cdrom.sys etc.
ISSUES:
Clicking on the link of a Google search result redirects to random sites.
Utilities such as cmd and regedit are disabled, or running the cmd or regedit command may reset Explorer.
An error popup message appears: “DCOM server protocol launcher server terminated”.
SOLUTION:
Older variants that hijack the value data of the HKLM\software\microsoft\windows nt\currentversion\drivers32 key, like Trojan.JSRedir, Daonol and Gumblar, are easily removed using MalwareBytes. Recent ones, especially variants of TDSS/TDL3 that MBAM fails to remove, can be taken care of using TDSSKiller, so I suggest you go straight for TDSSKiller.
Download TDSSKiller, extract it and run TDSSKiller.exe.
Additional info on how to remove malware belonging to the family of Rootkit.Win32.TDSS
http://support.kaspersky.com/viruses/solutions?qid=208280684
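To confirm whether the drivers32 hijack described above is present before or after cleanup, the key can be audited directly. This is an added example, not part of the original article or any of the tools it names; the rule it applies (a stock value is a bare file name that resolves in the system directory and is validly signed) is an assumption, and the function name is hypothetical.

```powershell
# Added example, not from the article. Assumption: a stock Drivers32 value is a bare
# file name that resolves in the system directory and has a valid Authenticode signature.
$views = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
       Dir = Join-Path $env:SystemRoot 'System32' },
    # 32-bit view on 64-bit Windows; skipped below when the key is absent.
    @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
       Dir = Join-Path $env:SystemRoot 'SysWOW64' }
)

function Test-Drivers32Entry {
    param([string]$Name, [string]$Data, [string]$Dir)

    $reason = $null
    if ([string]::IsNullOrWhiteSpace($Data)) {
        $reason = 'empty value data'
    } elseif ($Data -match '[\\/:]') {
        # Separators, drive letters or "..\" mean the module is loaded from elsewhere.
        $reason = 'value data contains a path'
    } else {
        $file = Join-Path $Dir $Data
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            $reason = "file not found in $Dir"
        } else {
            # Older PowerShell builds can report catalog-signed system files as
            # NotSigned, so treat a hit as a lead to investigate, not a verdict.
            $sig = Get-AuthenticodeSignature -FilePath $file
            if ($sig.Status -ne 'Valid') { $reason = "signature status: $($sig.Status)" }
        }
    }
    [pscustomobject]@{ Name = $Name; Data = $Data; Flag = [bool]$reason; Reason = $reason }
}

$results = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Key)) { continue }
    $key = Get-Item -LiteralPath $view.Key
    foreach ($name in $key.GetValueNames()) {
        Test-Drivers32Entry -Name $name -Data ([string]$key.GetValue($name)) -Dir $view.Dir
    }
}
$results | Sort-Object Flag -Descending | Format-Table Name, Data, Flag, Reason -AutoSize -Wrap
```

Flagged rows sort to the top; third-party codecs can legitimately register here, so compare any hit against a known-clean machine of the same Windows version.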
Firefox Only Hijacker:
Google Search redirects that affect only the Firefox browser but NOT Internet Explorer.
Other hijackers target only the Firefox browser. Searches are redirected via domains such as resultsad2.doubleclicker.net, goored, zfsearch.com and goougly.com, googlesearchserver.net, 66.230.188.* and others, displaying unwanted search results. Some of these variants may target Chrome as well.
SOLUTION:
Thanks to malware Expert/Developer jpshortstuff for creating a tool that handles this infection.
Just download GooredFix.exe to your Desktop.
Make sure all Firefox windows are closed then double-click the executable or right-click and "Run As Administrator" in Vista.
If the problem persists, use ComboFix, then ask a question in the Virus & Spyware sub-zones and attach the ComboFix log, as there are other infections that also cause search engine redirects.
Recently, there has been an infection doing the rounds that patches either “ws2_32.dll” or “user32.dll”, where you need to replace the file to stop the redirects.
As was the case with this recent question on EE.
I hope you find this article helpful.
Comments (14)
Commented:
Thanks
Commented:
The evil thing redirects to asearchclub.com which then redirects to some random website which of course are sponsoring this illegal tactic, such as DailyRx.com, etc.
Commented:
1. I search for recently created files.
2. In the C:\Windows\syswow64 directory I found a file called dbgrid321.dll. This file was unsigned, and had no description in the file properties as to what it was. I also happened to notice that a second after this file was created a job was created in the task scheduler called qnhces. This task started the above file at startup. The dbgrid321.dll file was set so the only rights assigned were read and execute for the System account.
3. Disabling the task and adding the deny full control to the dbgrid.dll file fixed the Google issue.