Google Redirect Virus

Posted: May 18, 2009

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	8/10
Infected PCs:	342

First Seen:	September 20, 2011
Last Seen:	May 26, 2022
OS(es) Affected:	Windows

Google Redirect Virus is a rootkit and backdoor Trojan that earned its name from Google Redirect Virus' central function of redirecting you to unrelated websites, after you click a search result link. Despite this function being Google-specific, Google Redirect Virus infections can also have many different secondary functions, with prominent possibilities including downloading other malicious programs, creating a backdoor in your PC security and creating advertisements. Although Google Redirect Virus has no beneficial purposes and shouldn't remain on your computer, removing Google Redirect Virus and related rootkits can be extremely difficult. It's recommended that you use only the best and most thoroughly-updated anti-virus software that you have available to delete Google Redirect Virus.

The Many Origins of the Google Redirect Virus

Although Google Redirect Virus is often known by the 'virus' title, a more appropriate classification would be rootkit or Trojan. Google Redirect Virus is caused by various types of the infamous TDSS Rootkit, which is known by a variety of other names, including Alureon, Tidserv, Backdoor.Tidserv, Trojan:WinNT/Alureon.D, TrojanSpy:Win32/Chadem.A and many other variations.

As you might expect from the many possible aliases, Google Redirect Virus infections can contain many different kinds of secondary symptoms. However, the primary Google Redirect Virus attack is always the same. After you click on a link in a Google search result, Google Redirect Virus will redirect you to a completely unrelated website. These websites are designed to generate revenue for the criminals behind the Google Redirect Virus enterprise. Some websites may use the artificial traffic to boost affiliate payments, while others may attempt to trick you into purchasing fake security software such as Windows Necessary Firewall or Fast Windows Antivirus 2011.

Google Redirect Virus hijacks Google search results and redirects to several websites. Among them are coolsearchserver.com, webplains.net, Bodisparking.com, Zwankysearch.com, find-fast-answers.com, njksearc.net, qooqlle.com, Blendersearch.com, Thewebtimes.com, Marveloussearchsystem.com, search-netsite.com, toseeka.com, AboutBlank, La.vuwl.com, 10-directory.com, 63.209.69.107, 67.29.139.153, 7search.com, adorika.com, adf.ly, alive-finder.com, alltheservices.com, articlemule.org, asklots.com, ave99.com, b00kmarks.com, background-sleuth.net, bargainmatch.com, beoo.com, bestdiscountinsurance.com, bestsearchpage.com, bestclicksnow.com, bestmarkstore.com, bestwebchoices.com, bestwebsearch.com, bidsystem.com, secure.bidvertiser.com, blinkx.com, britewallet.com, budgetmatch.net, buzzclick.com, celebrity-gossip.net, cheapstuff.com, citysearch.com, clicksor.com (Clicksor), clkads.com, feed.clickbizz.com, comparedby.us, comparestores.net, couponmountain.com, digitaltrends.com, easilyfindlocal.com, everythinghere.com, evoplus.com, expandsearchanswers.com (expand search answers), fastfinder.com, feedsmixer.org (starFeedsMixer), find-quick-results.com, FilesCup.com (FilesCup), findexmark.com, find-answers-fast.com, finditreport.com, findology.com, finderquery.com, findstuff.com, flurrysearch.com, forless.com, gimmeanswers.org, glimpse.com, google-redirect.com, googlesearchserver.net, get-search-results.com, goingonearth.com, goodsearch.com, gomeo.co.uk, gossipcenter.com, gquestionnaire.com, greatsearchserver.com, greenluo.com, grooveswish.com, guide2faucets.com, happili.com, HelloLocal.com, hyperpromote.com, informationgetter.com, inruo.com, jerseyscatalog.com, juggle.com, k100searches.com, YouPorn, kitchenrenopages.com, kingtopsearch.net, kiseek.com, lawyerinsight.org, letsbuystuff.com, liutilities.com, livejasmin.com (creative.livejasmin.com popups), local-search-pages.com, localpages.com, localsearchbug.com, lowpriceshopper.com, manufacturersdirectory.com, merchantsnearby.com, monstermarketplace.com, mooter.com, multifind24.com, mybestclick.net, mycustomsearch.cn, mydealchoices.com, mydealmatch.com, mylocalhero.com, neatsales.com, neatsearchserver.com (neat search server ZeroAccess rootkit), netsearchfinder.com, netshoppers.com, nexplore.com, privacycheck.ru, Pulse360.com, qooqle.com, questyes.com, quick-search-results.com, quick-suggest.com, redirectsite.net, results5.google.com, safecompare.com, saveandcoupon.com, Storeordersonline.com, savecompare.com, savingwithads.com, scour.com, scoursearch.net, search-redirector.com, searchforall.info, searching4all.com, search-results.com (int.search-results.com), searchbacon.com, searchdiscovered.com, Search.babylon.com, searchqu.com, searchqualitysites.com, searchnext.com, searchspice.com, shopcompare.net, shopcompareus.com, shopfinded.com, shopica.com, shopica.com/search, shopzilla.com, socialsurvey2011.info, Social Search Redirect, somesearchsystem.com, startnow.com, startsearcher.com, supersearchserver.com, TabDiscover.com, tazinga.com (tazinga!), theifinder.com, TheTop10.com, tubedownloader.com, theyellowpages.com, theyellowpagez.com, topdaodrugs.com, tubedownloader.com, Therelatedsearch.com, unblock-us.com, us-srch-system.com, valueapproved.com, vshare.toolbarhome.com (vShare), vehiclefind24.com, Worldslife.com, weeklycontestwinner.org, weeklyusa-winner.com, webshoppinghelper.com, webresults6.org, Wickedsearchsystem.com, whatcarefreefeelslike.com, yellowmoxie.com, yellowise.com, ylwbook.addresses.com, youfindmore.com. Zinkwink.com

In all cases, you should minimize any contact that you have with the websites that Google Redirect Virus redirects you towards, since these websites can be a source of fraud and other infections that use browser exploits to install themselves.

The Rootkit and Trojan Attacks That Google Redirect Virus May Also Use Against Your Computer

Its primary function is bad enough, but Google Redirect Virus can also use other attacks against your PC, many of which are even more serious. Some of the major possibilities that have been linked to infection by Google Redirect Virus-spawning rootkits include:

The appearance of unwanted and potentially dangerous advertisements. In addition to redirecting you to dangerous sites and slowing down your PC, these advertisements may use drive-by download scripts via Flash or Java to install harmful programs.
The creation of a backdoor hole in your security. These holes can include a disabled firewall, exceptions added to your firewall or network ports being opened to allow traffic to pass through them uncontested. Backdoor attacks are strongly associated with remote attacks by criminals and endanger your computer's security and privacy.
Some variants of Google Redirect Virus will take their Trojan duties a little more seriously than other variants and may install other threats to your PC, including rogue security programs, keyloggers, ransomware and other harmful applications.

All versions of Google Redirect Virus use rootkit tactics to hide themselves, so that you will not detect any separate Google Redirect Virus files or memory processes. Since rootkits are extremely difficult to remove, you should only use the most reliable anti-virus software that you can access, to get rid of Google Redirect Virus. Anything less than the best may easily fail to remove Google Redirect Virus, even if Google Redirect Virus appears to have been removed in a scan.

Aliases

Trj/Genetic.gen [Panda]Generic29.AKVZ [AVG]W32/Kryptik.KO!tr [Fortinet]Win32.Malware [Ikarus]Trojan/Win32.Milicenso [AhnLab-V3]Trojan:Win32/Vundo [Microsoft]TR/Crypt.ZPACK.Gen2 [AntiVir]UnclassifiedMalware [Comodo]HEUR:Trojan.Win32.Generic [Kaspersky]WIN.Trojan.Agent-83670 [ClamAV]WS.Reputation.1 [Symantec]Trojan [K7AntiVirus]Artemis!A99D0C59FDB7 [McAfee]Trojan.Vundo.Gen [CAT-QuickHeal]Generic Malware [Panda]
More aliases (48)

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%USERPROFILE%\Local Settings\Application Data\Conduit\Babylon\xriotabb.dll

File name: xriotabb.dll
Size: 485.37 KB (485376 bytes)
MD5: 2a69d434d9d6d6d120fc39a190ca00d3
Detection count: 239
File type: Dynamic link library
Mime Type: unknown/dll
Path: %USERPROFILE%\Local Settings\Application Data\Conduit\Babylon
Group: Malware file
Last Updated: May 26, 2022

kbd101V.dll

File name: kbd101V.dll
Size: 135.16 KB (135168 bytes)
MD5: a99d0c59fdb79c60d748b35f3ec3e448
Detection count: 75
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: April 24, 2013

KBDSL1B.dll

File name: KBDSL1B.dll
Size: 120.83 KB (120832 bytes)
MD5: 6f1ad64ccb0b277c0668318e20ef27fc
Detection count: 54
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file
Last Updated: August 13, 2013

%WINDIR%\system32\msdeltam.dll

File name: msdeltam.dll
Size: 458.75 KB (458752 bytes)
MD5: 0517f1b0c76bd2a32f0cb681617bee80
Detection count: 40
File type: Dynamic link library
Mime Type: unknown/dll
Path: %WINDIR%\system32
Group: Malware file
Last Updated: November 12, 2013

dmgsh.exe

File name: dmgsh.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

TDSSserv.sys

File name: TDSSserv.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

Xwo.exe

File name: Xwo.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Xwk.exe

File name: Xwk.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Xzagua.exe

File name: Xzagua.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

C:\Windows\System32\wdmaud.sys

File name: C:\Windows\System32\wdmaud.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\Xzagua.exe

File name: C:\WINDOWS\Xzagua.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

C:\WINDOWS\_VOID\

File name: C:\WINDOWS\_VOID\
Group: Malware file

C:\WINDOWS\_VOID\_VOIDd.sys

File name: C:\WINDOWS\_VOID\_VOIDd.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\system32\UAC.dll

File name: C:\WINDOWS\system32\UAC.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\uacinit.dll

File name: C:\WINDOWS\system32\uacinit.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\UAC.db

File name: C:\WINDOWS\system32\UAC.db
Mime Type: unknown/db
Group: Malware file

C:\WINDOWS\system32\UAC.dat

File name: C:\WINDOWS\system32\UAC.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

C:\WINDOWS\system32\uactmp.db

File name: C:\WINDOWS\system32\uactmp.db
Mime Type: unknown/db
Group: Malware file

C:\WINDOWS\system32\_VOID.dll

File name: C:\WINDOWS\system32\_VOID.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\_VOID.dat

File name: C:\WINDOWS\system32\_VOID.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3c.dll

File name: C:\WINDOWS\SYSTEM32\4DW4R3c.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3sv.dat

File name: C:\WINDOWS\SYSTEM32\4DW4R3sv.dat
File type: Data file
Mime Type: unknown/dat
Group: Malware file

C:\WINDOWS\SYSTEM32\4DW4R3.dll

File name: C:\WINDOWS\SYSTEM32\4DW4R3.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

C:\WINDOWS\system32\drivers\_VOID.sys

File name: C:\WINDOWS\system32\drivers\_VOID.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\system32\drivers\UAC.sys

File name: C:\WINDOWS\system32\drivers\UAC.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys

File name: C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys
File type: System file
Mime Type: unknown/sys
Group: Malware file

C:\WINDOWS\Temp\_VOIDtmp

File name: C:\WINDOWS\Temp\_VOIDtmp
Group: Malware file

C:\WINDOWS\Temp\UAC.tmp

File name: C:\WINDOWS\Temp\UAC.tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

%Temp%\UAC.tmp

File name: %Temp%\UAC.tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

%Temp%\_VOID.tmp

File name: %Temp%\_VOID.tmp
File type: Temporary File
Mime Type: unknown/tmp
Group: Malware file

C:\Documents and Settings\<username>\Application Data\_VOIDmainqt.dll

File name: C:\Documents and Settings\<username>\Application Data\_VOIDmainqt.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\..\..{Subkeys}HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sysHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3

Google redirect hijacker

21 Comments

gm says:

September 14, 2010 at 11:46 pm

does Google condone redirect ? Does Google make money allowing "redirect" ?
Mr Bob says:

April 18, 2011 at 5:18 pm

I can no longer use Google. I keep getting redirected to other sites, including porn. I have to block Google from my computer. Ugh...
ChrisLumpkin says:

June 22, 2011 at 6:35 pm

I have tried everthing.I have pc tools doctor and other online tools and nothing can touch this SOB. Google and Bing are the same. Please Help.
Swenton says:

November 7, 2011 at 10:10 am

most of my web surfing now redirects me to sites that i do not want. what do i do? i have tried running spybot but nothing helps. going to try your malware scan to see if that does the trick.
Creation de site web en Flash says:

January 19, 2012 at 1:04 pm

I savor, lead to I found exactly what I was having a look for. You've ended my four day long hunt! God Bless you man. Have a nice day. Bye
Blossom Leso says:

February 3, 2012 at 6:00 pm

The google redirect virus is killing me... anyone know any good alternatives to remove this darn virus?
Lily Honan says:

March 28, 2012 at 4:29 am

The easiest way to remove Win 7 Anti-Virus 2011 malware is to buy a Mac!
Chris Tiler says:

April 10, 2012 at 12:17 pm

I can not access to the Regedit in order to change tha paramether. Are there any other way to access to it. Thank you.
Featherstipe says:

June 23, 2012 at 1:35 pm

It didnt work for me. I was just going on the minecraft page and the "redirect" thing stopped me. redirect always brigns me to a scuba diving gear thing. about five weeks ago there was this scan thing that told me i had 16 viruses. i could not go on the internet because of it. i could remove all the viruses but i didnt cuz it costed money.now i wish i did, but at that point i thought that the scan was fake and it was a viruse but i guess not.
Featherstipe says:

June 23, 2012 at 1:37 pm

lol smart! 😉
howard erickson says:

August 20, 2012 at 9:38 pm

I would love to have help getting rid of Babalon
sm says:

September 21, 2012 at 11:07 am

Why can't google remove the redirect. Doesn't it hurt them that because of this pest, people will avoid using google search!
Satyanarayana says:

December 30, 2012 at 12:53 pm

Are you serious? kid, you can not deetle the Windows Host file. No one listens to this retard. The only way to get rid of the redirect virus is by going on to your internet connection properties, click on Internet protocol version (TCPIP) v4, then click on properties . at the bottom of the box make sure you click on Obtain DNS server address automatically and make sure you uncheck use the following DNS address .Do not listen to idiots who will fuck up your machine or want to charge you
SheilaTodd says:

January 24, 2013 at 12:26 pm

Satyanarayana would you please elaborate a little in reference to your comment 12/30/12? I am having difficulty navigating to find the Internet protocol version (TCPIP) v4, and have the redirect virus really bad on my main computer. Please...any info would be so appeciated. Thanks Sheila
katalog stron says:

January 28, 2013 at 6:22 pm

This website won't show up correctly on my i phone - you may want to try and fix that
johnny says:

March 22, 2013 at 9:33 am

This post is great. I realy like it!
turi says:

November 11, 2013 at 12:50 pm

sto appendo provarlo
Dr. Paul M. Kloepfer says:

January 26, 2014 at 7:27 am

Remove anything CONDUIT.
Make everything as my only Search Engine as GOOGLE.
antonio ferreira says:

September 4, 2014 at 7:18 am

já o tenho num computador e estou satisfeito com o programa
insurance agency management system says:

October 20, 2014 at 6:08 am

nicely done and thank's