[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


“Google Hijack” — Google Search Gets Redirected

Published on
56,063 Points
43 Endorsements
Last Modified:
Editor's Choice
Community Pick
These are on the increase and getting more common these days. Users who use the Google search engine may complain of having their search redirected to unwanted sites, regardless of what browser is used.
This happens when the system is infected with any of these variants; Trojan Win32/Daonol.A/B, Trojan.JSRedir/Trojan.Gumblar, Win32.Alureon, Win32.Olmarik, Trojan.generic, TDSS rootkits, Backdoor.Tidserv!.inf.
Some variants of TDSS rootkit TDL3 also patched system drivers e.g., iaStor.sys, atapi.sys, iastorv.sys, cdrom.sys etc.


clicking on the link of a Google search result redirects to random sites.
disabled utilities such as cmd and regedit, or running cmd or regedit command may reset Explorer.
error popup message “DCOM server protocol launcher server terminated”.


Older variants that hijack the valuedata of the HKLM\software\microsoft\windows nt\currentversion\drivers32 key like Trojan.JSRedir, Daonol and Gumblar are easily removed using MalwareBytes, but recent ones, especially variant of TDSS/TDL3 that MBAM fails to remove can be taken care of using TDSSKiller, so I suggest you go straight for TDSSKiller.

Download TDSSKiller , extract and run the TDSSKiller.exe

Additional info on how to remove malware belonging to the family of Rootkit.Win32.TDSS

FireFox Only Hijacker:

Google Search redirects that affect only Firefox browser but NOT Internet Explorer.
Other hijackers are only targeting Firefox browser.  Searches are redirected via domains e.g., resultsad2.doubleclicker.net, goored, zfsearch.com and goougly.com, googlesearchserver.net, 66.230.188.* and others displaying unwanted search results. Some of these variants may target Chrome as well.


Thanks to malware Expert/Developer jpshortstuff for creating a tool that handles this infection.
Just download GooredFix.exe to your Desktop.
Make sure all Firefox windows are closed then double-click the executable or right-click and "Run As Administrator" in Vista.

If the problem persists, use ComboFix, and ask a question in the Virus & Spyware sub-zones and attached the ComboFix log, as there are other infections that also caused search engine redirects.
Recently, there's an infection doing the rounds patching either one of these files “ws2_32.dll” and “user32.dll” where you need to replace the file to stop the redirects.
As was the case with this recent question on EE.

I hope you find this article helpful.
LVL 38

Expert Comment

A lot of really solid technical advice here that many of our Members will be able to use.
Thank you for putting it together.

"Yes" vote above.
LVL 47

Author Comment


Thanks for the "Yes" vote.

Expert Comment

Worked perfectly, thank you.
Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!

Expert Comment

I wanted to mention another utility that I found helpful. The makers of Spybot Search and Destroy have come out with a method for building a WINPE disk that allows you to run Search and Destroy and also access the Registry and File areas that are typically impacted by malware. In order to perform the build of the disk you will need to have the Windows Automated Installation Kit installed on your PC where you are performing the build and also download and install Spybot Search and Destroy, RunAlyzer and RegAlyzer. More information is available at http://forums.spybot.info/showthread.php?t=21313.

In my particular case I was able to use RegAlyzer to look at the Internet Explorer Add-Ins and delete the ones that had GUID names.

Expert Comment

Just saw a TDL3 variant that changed the DNS servers to &
Hitman Pro was able to detect it, but I had to first change back the DNS servers to default in order to run updates on HMP.  
LVL 10

Expert Comment


Expert Comment

thanks voted yes, fixed my issue
LVL 27

Expert Comment

Excellent advice, as always!  Thank you.

Voted "Yes" above.
LVL 47

Author Comment

WBierley, thank you for sharing that info I'm sure it will help someone.

TODD, HitmanPro is a good scanner and good with TDL3, but it is not too good for infections that patch system files. TDL4 has been on the rise and this one modifies mbr. I don't think HitmanPro has been great on this one afaik. Thanks for your input.

To everyone who voted Yes or commented(or both) thanks for your support on this article.

Expert Comment

Voted yes, very helpful!
LVL 16

Expert Comment

by:Wasim Akram Shaik
superb... !!

Expert Comment

As always, the best help on the web is right here on Experts Exchange and people like you are the reason why.  I read all sorts of possible solutions before logging into E.E.  I went right to this post, downloaded the suggested program and solved the problem.  Maybe 10 minutes start to finish!


Expert Comment

I must have a really recent Google hijacker virus, because the TDSSKiller didn't work.  Grrrr....

The evil thing redirects to asearchclub.com which then redirects to some random website which of course are sponsoring this illegal tactic, such as DailyRx.com, etc.

Expert Comment

Hello, I just cleaned a virus that was redirecting Google searches to malicous sites.  I ran the following tools and none of them found the virus: Malwarebytes, Trend Micro Worry-Free Business Security 7.0, MalwareBytes Root kit finder, TDSSKiller.  Finally I found the virus by doing the following.

1. I search for recently created files.
2. In the C:\WIndows\syswow64 directory I found a file called dbgrid321.dll.  This file was unsigned, and had no discription in the file properties as to what it was.  I also happened to notice that a second after this file was created a job was created in the task scheduler called qnhces.  This task started the above file at startup.  The dbgrid321.dll file was set so the only rights assigned were read and execute for the System account.
3.  Disabling the task and adding the deny full control to the dbgrid.dll file fixed the google issue.

Featured Post

Learn Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

Join & Write a Comment

Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month