The Google Redirect virus is one of the most annoying that we have dealt with. It will redirect most URLs from your browser back to the Google homepage. In particular it will redirect sites like Microsoft, CNET, AVG etc back to Google, so it makes it difficult to download any type of virus removal tools to eliminate the malware.

The Google redirect malware is quite tricky so start off with the steps below, but it is most likely that you will need to perform step (3) in order to actually remove it.

1) Check your hosts file

First make sure that your Hosts File hasn’t been infected. The hosts file in Windows tells where to direct various URLs. Basically if you don’t see anything in the hosts file, it is clean. There will probably just be one line in there. The modern variations of the Google redirect probably won’t use the hosts file.

Your hosts file is located at:
c:\windows\system32\drivers\etc\hosts

2) Make sure your browsers aren’t using a proxy

Unless you are wanting to use a proxy, you should not have proxy settings enabled in your browser. The following provides a screenshot of how it should appear:

To view your proxy settings in IE:
Tools -> Internet Options -> Connections -> LAN Settings

You should not have anything in the Proxy server section. Some varations will perform redirects by using the proxy settings.

3) Use Combofix and TDSS killer

The only way we were able to remove this virus was with Combofix. However, the version of Combofix we had installed wasn’t working, possibly because the virus stopped it, so what you need to do is get the latest version of Combofix from a different computer, then load it onto your computer after you boot into safe mode. You will also need to get a download called Tdss Killer. These downloads are all completely FREE.

Download Combofix from Bleeping Computer

Download TDSS Killer

Restart your computer and when it is rebooting, press the F8 key (repeatedly). It will boot to a menu, from here select Safe Mode. After it boots into safe mode, run Combofix, then run TDSS Killer. After this, your virus should be gone.

You may also want to investigate the folders that Combofix identifies and double check by searching the Registry to ensure they are removed. These folders and files will generally be in the User Profile Area and they are given weird random names.

Finally…Double check your user profile

If your infected files were in your User Profile area, make sure they are gone. If you connect to a Windows domain, you will need to check that the files were also deleted from your roaming profile, otherwise they can get copied back down again when you login.