Google Redirect Virus

Posted: May 18, 2009
Threat Level: 8/10
Infected PCs: 276

Google Redirect Virus Description

Google Redirect Virus is a rootkit and backdoor Trojan named for its central function: after you click a search result link, it redirects you to an unrelated website. Although the name is Google-specific, infections can carry many different secondary functions, prominent among them downloading other malicious programs, opening a backdoor in your PC's security and injecting advertisements. Google Redirect Virus has no beneficial purpose and should not remain on your computer, but removing it and the rootkits behind it can be extremely difficult. Use only reputable, fully updated anti-virus software to delete Google Redirect Virus.

The Many Origins of the Google Redirect Virus

Although it is commonly called a 'virus', Google Redirect Virus is better classified as a rootkit or Trojan. It is caused by variants of the infamous TDSS rootkit, which goes by many other names, including Alureon, Tidserv, Backdoor.Tidserv, Trojan:WinNT/Alureon.D, TrojanSpy:Win32/Chadem.A and numerous further variations.

As the many aliases suggest, Google Redirect Virus infections can show many different secondary symptoms, but the primary attack is always the same: after you click a link in a Google search result, you are redirected to a completely unrelated website. These sites generate revenue for the criminals behind the Google Redirect Virus enterprise. Some use the artificial traffic to boost affiliate payments; others try to trick you into buying fake security software such as Windows Necessary Firewall or Fast Windows Antivirus 2011.

Google Redirect Virus hijacks Google search results and redirects to several websites. Among them are coolsearchserver.com, webplains.net, Bodisparking.com, Zwankysearch.com, find-fast-answers.com, njksearc.net, qooqlle.com, Blendersearch.com, Thewebtimes.com, Marveloussearchsystem.com, search-netsite.com, toseeka.com, AboutBlank, La.vuwl.com, 10-directory.com, 63.209.69.107, 67.29.139.153, 7search.com, adorika.com, adf.ly, alive-finder.com, alltheservices.com, articlemule.org, asklots.com, ave99.com, b00kmarks.com, background-sleuth.net, bargainmatch.com, beoo.com, bestdiscountinsurance.com, bestsearchpage.com, bestclicksnow.com, bestmarkstore.com, bestwebchoices.com, bestwebsearch.com, bidsystem.com, secure.bidvertiser.com, blinkx.com, britewallet.com, budgetmatch.net, buzzclick.com, celebrity-gossip.net, cheapstuff.com, citysearch.com, clicksor.com (Clicksor), clkads.com, feed.clickbizz.com, comparedby.us, comparestores.net, couponmountain.com, digitaltrends.com, easilyfindlocal.com, everythinghere.com, evoplus.com, expandsearchanswers.com (expand search answers), fastfinder.com, feedsmixer.org (starFeedsMixer), find-quick-results.com, FilesCup.com (FilesCup), findexmark.com, find-answers-fast.com, finditreport.com, findology.com, finderquery.com, findstuff.com, flurrysearch.com, forless.com, gimmeanswers.org, glimpse.com, google-redirect.com, googlesearchserver.net, get-search-results.com, goingonearth.com, goodsearch.com, gomeo.co.uk, gossipcenter.com, gquestionnaire.com, greatsearchserver.com, greenluo.com, grooveswish.com, guide2faucets.com, happili.com, HelloLocal.com, hyperpromote.com, informationgetter.com, inruo.com, jerseyscatalog.com, juggle.com, k100searches.com, YouPorn, kitchenrenopages.com, kingtopsearch.net, kiseek.com, lawyerinsight.org, letsbuystuff.com, liutilities.com, livejasmin.com (creative.livejasmin.com popups), local-search-pages.com, localpages.com, localsearchbug.com, lowpriceshopper.com, manufacturersdirectory.com, 
merchantsnearby.com, monstermarketplace.com, mooter.com, multifind24.com, mybestclick.net, mycustomsearch.cn, mydealchoices.com, mydealmatch.com, mylocalhero.com, neatsales.com, neatsearchserver.com (neat search server ZeroAccess rootkit), netsearchfinder.com, netshoppers.com, nexplore.com, privacycheck.ru, Pulse360.com, qooqle.com, questyes.com, quick-search-results.com, quick-suggest.com, redirectsite.net, results5.google.com, safecompare.com, saveandcoupon.com, Storeordersonline.com, savecompare.com, savingwithads.com, scour.com, scoursearch.net, search-redirector.com, searchforall.info, searching4all.com, search-results.com (int.search-results.com), searchbacon.com, searchdiscovered.com, Search.babylon.com, searchqu.com, searchqualitysites.com, searchnext.com, searchspice.com, shopcompare.net, shopcompareus.com, shopfinded.com, shopica.com, shopica.com/search, shopzilla.com, socialsurvey2011.info, Social Search Redirect, somesearchsystem.com, startnow.com, startsearcher.com, supersearchserver.com, TabDiscover.com, tazinga.com (tazinga!), theifinder.com, TheTop10.com, tubedownloader.com, theyellowpages.com, theyellowpagez.com, topdaodrugs.com, Therelatedsearch.com, unblock-us.com, us-srch-system.com, valueapproved.com, vshare.toolbarhome.com (vShare), vehiclefind24.com, Worldslife.com, weeklycontestwinner.org, weeklyusa-winner.com, webshoppinghelper.com, webresults6.org, Wickedsearchsystem.com, whatcarefreefeelslike.com, yellowmoxie.com, yellowise.com, ylwbook.addresses.com, youfindmore.com and Zinkwink.com.

In all cases, avoid interacting with the websites that Google Redirect Virus sends you to: they are a source of fraud and may host browser exploits that install further infections.
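The list above is only useful if it can be run against logs. As an added example (not code from the page), the PowerShell below turns the page's free-text list into a host blocklist and matches DNS query logs against it. The list excerpt is copied from the page with its quirks intact (parenthetical notes, a path suffix, the missing comma before Zinkwink.com, labels such as "AboutBlank" that are not hostnames); the full list can be pasted in unchanged. The log lines are constructed for the example in an assumed "<timestamp> <client> query <name>" form; adapt the parser to your resolver's format.

```powershell
# Added example, not from the page: build a host blocklist from the page's
# redirect-destination list and scan DNS query logs for lookups of those hosts.

$pageList = @'
coolsearchserver.com, webplains.net, Bodisparking.com, AboutBlank, 63.209.69.107, adf.ly,
clicksor.com (Clicksor), feed.clickbizz.com, neatsearchserver.com (neat search server ZeroAccess rootkit),
results5.google.com, search-results.com (int.search-results.com), shopica.com, shopica.com/search,
Social Search Redirect, vshare.toolbarhome.com (vShare), youfindmore.com. Zinkwink.com
'@

function ConvertTo-HostBlocklist([string]$Text) {
    # Keep every token that looks like a hostname or an IPv4 address, including
    # hosts buried in parenthetical notes; labels such as "AboutBlank" or
    # "Social Search Redirect" are not indicators and are dropped.
    $hosts = @{}
    foreach ($m in [regex]::Matches($Text, '[A-Za-z0-9][A-Za-z0-9.-]*')) {
        $t = $m.Value.ToLowerInvariant().TrimEnd('.', '-')
        if ($t -match '^(\d{1,3}\.){3}\d{1,3}$' -or
            $t -match '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$') {
            $hosts[$t] = $true
        }
    }
    $hosts
}

function Find-BlocklistEntry([string]$Name, [hashtable]$Blocklist) {
    # Exact match first, then each parent domain (ads.clicksor.com -> clicksor.com).
    # The loop stops before the bare TLD, so "results5.google.com" on the list
    # never turns every google.com lookup into a hit.
    $labels = $Name.ToLowerInvariant().TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Length - 1; $i++) {
        $candidate = $labels[$i..($labels.Length - 1)] -join '.'
        if ($Blocklist.ContainsKey($candidate)) { return $candidate }
    }
    $null
}

# Constructed sample log: "<timestamp> <client> query <name>"
$sampleDnsLog = @'
2012-04-03T10:15:21Z 10.0.0.5 query www.google.com
2012-04-03T10:15:22Z 10.0.0.5 query results5.google.com
2012-04-03T10:15:23Z 10.0.0.5 query ads.clicksor.com
2012-04-03T10:15:24Z 10.0.0.7 query int.search-results.com
2012-04-03T10:15:25Z 10.0.0.5 query zinkwink.com
2012-04-03T10:15:26Z 10.0.0.9 query example.org
'@

function Search-DnsLog([string]$LogText, [hashtable]$Blocklist) {
    foreach ($line in $LogText -split "`r?`n") {
        $f = $line -split '\s+'
        if ($f.Length -lt 4 -or $f[2] -ne 'query') { continue }
        $hit = Find-BlocklistEntry $f[3] $Blocklist
        if ($hit) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Query = $f[3]; Matched = $hit }
        }
    }
}

$blocklist = ConvertTo-HostBlocklist $pageList
"$($blocklist.Count) indicators parsed from the list"
$hits = Search-DnsLog $sampleDnsLog $blocklist
$hits | Format-Table -AutoSize
# Clients with repeated hits are the ones to pull for a file and registry sweep
$hits | Group-Object Client | Sort-Object Count -Descending |
    ForEach-Object { '{0}: {1} redirect-destination lookups' -f $_.Name, $_.Count }
```

Treat a hit as a lead, not a verdict: the page's list mixes rogue search portals with ordinary advertising and affiliate networks that the redirects monetise, so one lookup of one of them from one client means little. Repeated lookups clustered on a single host, right after that host queried a search engine, are the pattern worth acting on.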

The Rootkit and Trojan Attacks That Google Redirect Virus May Also Use Against Your Computer

Its primary function is bad enough, but Google Redirect Virus can also mount other, often more serious attacks against your PC. Major possibilities linked to the rootkits that spawn Google Redirect Virus include:

  • Unwanted and potentially dangerous advertisements. Besides redirecting you to dangerous sites and slowing down your PC, these advertisements may use drive-by download scripts, via Flash or Java, to install harmful programs.
  • A backdoor in your security. This can take the form of a disabled firewall, exceptions added to your firewall or network ports opened so that traffic passes through uncontested. Backdoors are strongly associated with remote attacks by criminals and endanger your computer's security and privacy.
  • Some variants take their Trojan duties more seriously than others and may install further threats, including rogue security programs, keyloggers, ransomware and other harmful applications.

All versions of Google Redirect Virus use rootkit techniques to hide, so you will not see separate files or processes belonging to it in Explorer or Task Manager. Because rootkits are extremely difficult to remove, use only the most reliable anti-virus software you can access, and prefer a scan run from outside the infected system (a rescue disk or a clean boot environment): a scan run under the infected operating system can be fooled by the rootkit. Anything less may fail to remove Google Redirect Virus even when a scan reports it gone.
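The backdoor symptoms listed above (firewall switched off, exceptions added, ports opened) can be checked directly. As an added example, not from the page, the PowerShell below reports disabled firewall profiles, enabled inbound allow rules that belong to no built-in rule group or whose program sits outside Windows and Program Files, and every listening TCP port with the process behind it. It assumes an elevated session on Windows 8 / Server 2012 or later (the NetSecurity and NetTCPIP cmdlets); the "trusted roots" heuristic is mine, not the page's.

```powershell
# Added example, not from the page: audit the backdoor artefacts the page
# describes on a live Windows host. Needs an elevated session on Windows 8 /
# Server 2012 or later. Run it on the live system, then again from a clean
# boot; a kernel rootkit can hide a listener or a process from the first run.

$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-TrustedPath([string]$Path) {
    # Heuristic (assumed, not from the page): a program under Windows or
    # Program Files is expected; a user profile, Temp or a bare name is not.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path).ToLowerInvariant()
    foreach ($root in $trustedRoots) { if ($p.StartsWith($root)) { return $true } }
    return $false
}

# 1. Firewall profiles that have been switched off
Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'False' } |
    ForEach-Object { "FIREWALL OFF: $($_.Name) profile" }

# 2. Enabled inbound allow rules outside every built-in group (Group empty),
#    or whose program path falls outside the trusted roots
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    $port = $rule | Get-NetFirewallPortFilter
    $custom  = [string]::IsNullOrEmpty($rule.Group)
    $badPath = $app.Program -notin @('Any', 'System') -and -not (Test-TrustedPath $app.Program)
    if ($custom -or $badPath) {
        "SUSPECT RULE: '$($rule.DisplayName)' program=$($app.Program) " +
        "proto=$($port.Protocol) port=$($port.LocalPort) group='$($rule.Group)'"
    }
}

# 3. Every listening TCP port and the process that owns it
Get-NetTCPConnection -State Listen | Sort-Object LocalPort | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $path = if ($proc) { $proc.Path } else { $null }
    $flag = if ($_.OwningProcess -eq 4) { 'system' } elseif (Test-TrustedPath $path) { 'ok' } else { 'CHECK' }
    '{0,-6} {1,-22} pid={2,-6} {3}' -f $flag, "$($_.LocalAddress):$($_.LocalPort)", $_.OwningProcess, $path
}
```

Every third-party application rule shows up under step 2, which is the point: the list is short enough to read, and a rule whose program lives in a Temp or profile directory, or a listener whose owning process has no path, stands out immediately. Compare the output with the same script run after a clean boot; a port or process that appears only in the second run was being hidden.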


Aliases

  • Trj/Genetic.gen [Panda]
  • Generic29.AKVZ [AVG]
  • W32/Kryptik.KO!tr [Fortinet]
  • Win32.Malware [Ikarus]
  • a variant of Win32/Kryptik.AKCO
  • Trojan/Win32.Milicenso [AhnLab-V3]
  • Trojan:Win32/Vundo [Microsoft]
  • Win32.Troj.Undef.(kcloud)
  • Trojan/Generic.aziif
  • Gen:Variant.Symmi.1594 (B)
  • TR/Crypt.ZPACK.Gen2 [AntiVir]
  • UnclassifiedMalware [Comodo]
  • Trojan.Agent/Gen-Kryptik
  • Trojan.Win32.ZPACK.bebabu
  • HEUR:Trojan.Win32.Generic [Kaspersky]

(48 further aliases are not reproduced here.)

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Google Redirect Virus may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system. Every entry is classified by the page as a malware file; the "Mime Type" field of the original records only mirrored the file extension and is omitted here.

Files with size, hash and detection statistics:

xriotabb.dll
  Path: %USERPROFILE%\Local Settings\Application Data\Conduit\Babylon\
  Size: 485.37 KB (485376 bytes)
  MD5: 2a69d434d9d6d6d120fc39a190ca00d3
  Detection count: 206
  File type: Dynamic link library
  Last updated: July 13, 2020

kbd101V.dll
  Size: 135.16 KB (135168 bytes)
  MD5: a99d0c59fdb79c60d748b35f3ec3e448
  Detection count: 75
  File type: Dynamic link library
  Last updated: April 24, 2013

KBDSL1B.dll
  Size: 120.83 KB (120832 bytes)
  MD5: 6f1ad64ccb0b277c0668318e20ef27fc
  Detection count: 54
  File type: Dynamic link library
  Last updated: August 13, 2013

msdeltam.dll
  Path: %WINDIR%\system32\
  Size: 458.75 KB (458752 bytes)
  MD5: 0517f1b0c76bd2a32f0cb681617bee80
  Detection count: 40
  File type: Dynamic link library
  Last updated: November 12, 2013

Files recorded by name or path only:

  • dmgsh.exe (executable)
  • TDSSserv.sys (system file)
  • Xwo.exe (executable)
  • Xwk.exe (executable)
  • Xzagua.exe (executable)
  • C:\Windows\System32\wdmaud.sys (system file)
  • C:\WINDOWS\Xzagua.exe (executable)
  • C:\WINDOWS\_VOID\ (directory)
  • C:\WINDOWS\_VOID\_VOIDd.sys (system file)
  • C:\WINDOWS\system32\UAC.dll (dynamic link library)
  • C:\WINDOWS\system32\uacinit.dll (dynamic link library)
  • C:\WINDOWS\system32\UAC.db
  • C:\WINDOWS\system32\UAC.dat (data file)
  • C:\WINDOWS\system32\uactmp.db
  • C:\WINDOWS\system32\_VOID.dll (dynamic link library)
  • C:\WINDOWS\system32\_VOID.dat (data file)
  • C:\WINDOWS\SYSTEM32\4DW4R3c.dll (dynamic link library)
  • C:\WINDOWS\SYSTEM32\4DW4R3sv.dat (data file)
  • C:\WINDOWS\SYSTEM32\4DW4R3.dll (dynamic link library)
  • C:\WINDOWS\system32\drivers\_VOID.sys (system file)
  • C:\WINDOWS\system32\drivers\UAC.sys (system file)
  • C:\WINDOWS\SYSTEM32\DRIVERS\4DW4R3.sys (system file)
  • C:\WINDOWS\Temp\_VOIDtmp
  • C:\WINDOWS\Temp\UAC.tmp (temporary file)
  • %Temp%\UAC.tmp (temporary file)
  • %Temp%\_VOID.tmp (temporary file)
  • C:\Documents and Settings\All Users\Application Data\_VOIDmainqt.dll (dynamic link library)

Registry Modifications


The following registry keys (service entries) are created:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOIDd.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\_VOID
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\4DW4R3
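Because the rootkit hides these objects from the operating system it runs in, a sweep for them is only conclusive when run from outside that system. As an added example, not from the page, the PowerShell below checks a Windows volume for the file and registry indicators in the Technical Details, verifying the four MD5s the page gives and loading the offline SYSTEM hive to inspect the service keys. It is written to run from a clean boot environment (WinPE with the PowerShell package, or a second installation) against the infected disk mounted at -Root; the hive name OfflineSYSTEM and the XP-era WINDOWS / Documents and Settings layout are assumptions.

```powershell
# Added example, not from the page: sweep an offline-mounted Windows volume for
# the file and registry indicators listed above, e.g.  .\Sweep-Iocs.ps1 -Root 'E:\'
# A clean result from the live system proves little; a clean result from an
# offline mount is meaningful. Requires PowerShell 4 or later (Get-FileHash).
param(
    [string]$Root   = 'C:\',
    [string]$WinDir = 'WINDOWS'   # 'Windows' on Vista and later
)

# Full paths the page lists, relative to the volume root
$relativePaths = @(
    "$WinDir\Xzagua.exe", "$WinDir\_VOID", "$WinDir\_VOID\_VOIDd.sys",
    "$WinDir\system32\UAC.dll", "$WinDir\system32\uacinit.dll", "$WinDir\system32\UAC.db",
    "$WinDir\system32\UAC.dat", "$WinDir\system32\uactmp.db", "$WinDir\system32\_VOID.dll",
    "$WinDir\system32\_VOID.dat", "$WinDir\system32\4DW4R3c.dll", "$WinDir\system32\4DW4R3sv.dat",
    "$WinDir\system32\4DW4R3.dll", "$WinDir\system32\drivers\_VOID.sys",
    "$WinDir\system32\drivers\UAC.sys", "$WinDir\system32\drivers\4DW4R3.sys",
    "$WinDir\system32\msdeltam.dll",
    "$WinDir\system32\wdmaud.sys",   # the genuine wdmaud.sys lives in system32\drivers, not system32
    "$WinDir\Temp\_VOIDtmp", "$WinDir\Temp\UAC.tmp",
    'Documents and Settings\All Users\Application Data\_VOIDmainqt.dll'
)
# Names the page lists without a fixed location (or under %Temp% / %USERPROFILE%):
# searched across the whole volume so every profile's Temp directory is covered
$looseNames = @('dmgsh.exe', 'TDSSserv.sys', 'Xwo.exe', 'Xwk.exe', 'kbd101V.dll',
                'KBDSL1B.dll', 'xriotabb.dll', 'UAC.tmp', '_VOID.tmp')
# MD5s the page gives, keyed by file name
$knownMd5 = @{
    'xriotabb.dll' = '2a69d434d9d6d6d120fc39a190ca00d3'
    'kbd101V.dll'  = 'a99d0c59fdb79c60d748b35f3ec3e448'
    'KBDSL1B.dll'  = '6f1ad64ccb0b277c0668318e20ef27fc'
    'msdeltam.dll' = '0517f1b0c76bd2a32f0cb681617bee80'
}
$serviceNames = @('_VOIDd.sys', '_VOID', 'UACd.sys', '4DW4R3')

function Write-Finding([System.IO.FileSystemInfo]$Item) {
    $line = "FOUND  $($Item.FullName)"
    if (-not $Item.PSIsContainer) {
        $md5 = (Get-FileHash -Algorithm MD5 -LiteralPath $Item.FullName).Hash.ToLower()
        $line += "  md5=$md5"
        $expected = $knownMd5[$Item.Name]          # hashtable lookup is case-insensitive
        if ($expected) {
            $line += $(if ($md5 -eq $expected) { '  MATCHES page hash' } else { '  hash differs from page' })
        }
    }
    $line
}

# 1. Fixed paths
foreach ($rel in $relativePaths) {
    $full = Join-Path $Root $rel
    if (Test-Path -LiteralPath $full) { Write-Finding (Get-Item -LiteralPath $full -Force) }
}

# 2. Loose names anywhere on the volume
Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $looseNames -contains $_.Name } | ForEach-Object { Write-Finding $_ }

# 3. Service keys: load the offline SYSTEM hive and look under the control set in use
$hive = Join-Path $Root "$WinDir\system32\config\system"
& reg.exe load HKLM\OfflineSYSTEM $hive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $hive (run elevated, from a clean boot)" }
try {
    $current = (Get-ItemProperty -LiteralPath 'HKLM:\OfflineSYSTEM\Select').Current
    $ccs = 'HKLM:\OfflineSYSTEM\ControlSet{0:D3}' -f $current
    foreach ($svc in $serviceNames) {
        $key = "$ccs\Services\$svc"
        if (Test-Path -LiteralPath $key) {
            $img = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).ImagePath
            "FOUND  $key  ImagePath=$img"
        }
    }
} finally {
    [gc]::Collect()                                   # drop handles so the hive can be unloaded
    & reg.exe unload HKLM\OfflineSYSTEM | Out-Null
}
```

A hash that differs from the page's value is still a finding: the page records one sample per name, and these families repack constantly, so the file name in that location is the indicator and the hash only confirms an exact match. Run the same script a second time on the live system and compare; any file or service key found offline but absent live is being hidden by the rootkit.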
