
“Google Hijack” — Google Search Gets Redirected

rpggamergirl
Google search redirects are on the increase and becoming more common. Users of the Google search engine may complain that their searches are redirected to unwanted sites, regardless of which browser is used.
This happens when the system is infected with any of these variants: Trojan Win32/Daonol.A/B, Trojan.JSRedir/Trojan.Gumblar, Win32.Alureon, Win32.Olmarik, Trojan.generic, TDSS rootkits, Backdoor.Tidserv!.inf.
Some variants of the TDSS rootkit TDL3 also patch system drivers, e.g., iaStor.sys, atapi.sys, iastorv.sys, cdrom.sys, etc.


ISSUES:

Clicking a link in a Google search result redirects to random sites.
Utilities such as cmd and regedit are disabled, or running the cmd or regedit command may reset Explorer.
An error popup appears with the message “DCOM server protocol launcher server terminated”.

SOLUTION:

Older variants that hijack the value data of the HKLM\software\microsoft\windows nt\currentversion\drivers32 key, like Trojan.JSRedir, Daonol and Gumblar, are easily removed using MalwareBytes. Recent ones, especially variants of TDSS/TDL3 that MBAM fails to remove, can be taken care of using TDSSKiller, so I suggest you go straight for TDSSKiller.

Download TDSSKiller, extract it and run TDSSKiller.exe.

Additional info on how to remove malware belonging to the family of Rootkit.Win32.TDSS
http://support.kaspersky.com/viruses/solutions?qid=208280684
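
For the older variants described above that hijack value data under the Drivers32 key, the entries can be reviewed directly before or after running a removal tool. The PowerShell below is an added example, not part of the original article or of any tool it names; the function name Get-Drivers32Finding and the three review heuristics are assumptions made for illustration, and it assumes a 64-bit PowerShell 3.0 or later session.

```powershell
# Added example, not from the article: review Drivers32 value data for hijacks.
# Assumption: stock entries are bare file names loaded from the system folder,
# so a path component, a missing target or a non-valid signature needs review.
$views = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32'
       Dir = Join-Path $env:SystemRoot 'System32' },
    # 32-bit registry view on 64-bit Windows; its files live in SysWOW64.
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
       Dir = Join-Path $env:SystemRoot 'SysWOW64' }
)

function Get-Drivers32Finding {
    param([string]$Key, [string]$Dir, [string]$Name, [string]$Data)

    $reasons = @()
    if ($Data -match '[\\/:]') { $reasons += 'data is a path, not a bare file name' }

    # Rooted paths (drive letter or UNC) are checked as written; others resolve from $Dir.
    $target = if ($Data -match '^([A-Za-z]:|\\\\)') { $Data } else { Join-Path $Dir $Data }
    if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
        $reasons += 'target file not found'
    } else {
        $status = (Get-AuthenticodeSignature -LiteralPath $target).Status
        if ($status -ne 'Valid') { $reasons += "signature status: $status" }
    }

    [pscustomobject]@{
        Key = $Key; Name = $Name; Data = $Data
        Review = ($reasons.Count -gt 0); Reasons = $reasons -join '; '
    }
}

$findings = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Key)) { continue }   # key absent on 32-bit Windows
    $regKey = Get-Item -LiteralPath $view.Key
    foreach ($name in $regKey.GetValueNames()) {
        Get-Drivers32Finding -Key $view.Key -Dir $view.Dir -Name $name `
            -Data ([string]$regKey.GetValue($name))
    }
}

# Rows that need a closer look sort to the top.
$findings | Sort-Object Review -Descending |
    Format-Table Name, Data, Review, Reasons -AutoSize -Wrap
```

A flagged row is a prompt to inspect the file, not proof of infection, since third-party codecs also register under this key. Older PowerShell versions may report catalog-signed Windows files as NotSigned.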



Firefox-Only Hijacker:

Google Search redirects that affect only the Firefox browser but NOT Internet Explorer.
Other hijackers target only the Firefox browser. Searches are redirected via domains, e.g., resultsad2.doubleclicker.net, goored, zfsearch.com, goougly.com, googlesearchserver.net, 66.230.188.* and others, displaying unwanted search results. Some of these variants may target Chrome as well.


SOLUTION:

Thanks to malware Expert/Developer jpshortstuff for creating a tool that handles this infection.
Just download GooredFix.exe to your Desktop.
Make sure all Firefox windows are closed, then double-click the executable, or right-click and choose "Run As Administrator" in Vista.

If the problem persists, use ComboFix, then ask a question in the Virus & Spyware sub-zones and attach the ComboFix log, as there are other infections that also cause search engine redirects.
Recently, there has been an infection doing the rounds that patches either one of these files, “ws2_32.dll” and “user32.dll”, where you need to replace the file to stop the redirects,
as was the case with this recent question on EE.

I hope you find this article helpful.

Comments (14)

Commented:
Voted yes, very helpful!

Commented:
superb... !!

Commented:
As always, the best help on the web is right here on Experts Exchange and people like you are the reason why.  I read all sorts of possible solutions before logging into E.E.  I went right to this post, downloaded the suggested program and solved the problem.  Maybe 10 minutes start to finish!

Thanks

Commented:
I must have a really recent Google hijacker virus, because the TDSSKiller didn't work.  Grrrr....

The evil thing redirects to asearchclub.com which then redirects to some random website which of course are sponsoring this illegal tactic, such as DailyRx.com, etc.

Hello, I just cleaned a virus that was redirecting Google searches to malicious sites.  I ran the following tools and none of them found the virus: Malwarebytes, Trend Micro Worry-Free Business Security 7.0, MalwareBytes Root kit finder, TDSSKiller.  Finally I found the virus by doing the following.

1. I searched for recently created files.
2. In the C:\Windows\syswow64 directory I found a file called dbgrid321.dll.  This file was unsigned, and had no description in the file properties as to what it was.  I also happened to notice that a second after this file was created a job was created in the task scheduler called qnhces.  This task started the above file at startup.  The dbgrid321.dll file was set so the only rights assigned were read and execute for the System account.
3. Disabling the task and adding the deny full control to the dbgrid.dll file fixed the Google issue.