Spyware, Viruses, & Security forum

General discussion

Redirect search malware

by Willy / December 20, 2009 1:33 PM PST

Somehow, I've gotten infected with a "redirect search" malware. Well, I call it that and others have too. No matter how I search the WWW, some nonsense web search result gets me redirected to some website. Of course using Google or any other web search itself gets reproduced, so it's hard to find help to correct. While I can directly link or type in a website, that's hardly what you want in a web search result. I believe it's a browser or Java infection of some sort. Can someone point me to a removal tool or directions?

I have tried Malwarebytes AV and others to no avail; the redirection keeps coming back. Yes, I have turned off the restore feature and deleted the restore points. I know a manual removal is required, but where? Thanks -----Willy

Please Supply Info On Browser(s)
by tobeach / December 20, 2009 1:56 PM PST

used & ANY "toolbars" on board. Thxs.

No toolbars
by Willy / December 20, 2009 2:41 PM PST

I use Firefox 3.5.6 and no added toolbars. Whatever is the default std. Firefox setup gets used. I have checked the settings and see no obvious changes, at least it seems that way. -----Willy

Willy, I hope you don't have the Vundo
by Donna Buenaventura / December 20, 2009 6:14 PM PST
In reply to: No toolbars
tried some fixes....
by Willy / December 20, 2009 10:38 PM PST

Thanks for the reply. I stayed up late last night and finally had to sleep. The links I manually cut&paste so I wouldn't allow the redirect to grab hold. It works that way, but no idea if any of the help online actually works. Following some posting instructions actually found nothing of what I expected to find when it came to the final text/line/correction. It seems hard to resolve if nothing is there to correct. My last search called it the "Google redirect virus", which is helpful as at least I have a name for the problem. Regardless, I still can't resolve it for now. I'll follow your links and see what comes up. Thanks -----Willy

by Willy / December 20, 2009 10:51 PM PST

It sure acts like what the Vundo virus may be doing. Oh yes, no detection so far from the normal go-to websites and AVs used here that provide online scans. When I did a BitDefender scan last night it froze, so I think it's trying to protect itself or else something else is at work here. It all boils down to this: I can't actively find the root malware to remove it. Though some scans did find something, I think most were remnants and/or false positives, which got removed anyway. But those that were removed seemed not related to the virus I query for. Working on it. -----Willy

Willy, if nothing can fix it yet
by Donna Buenaventura / December 20, 2009 11:20 PM PST
In reply to: Addenum...

You might want to give a try to the guide on removing the Vundo variant that affects Firefox:

Part of the message in the blog is below (I'm copying it here... just in case you can't view the page using FF):

You are clicking on your search results and instead of going to the intended target, you are going everywhere else: Yahoo Hotjobs, Fake Anti-Virus sites, Second rate search sites, or you are getting Error 404 Page not found. You may also be seeing popups though popups are blocked. You may also find Internet Explorer (iexplore.exe) running in your Task Manager as a background process, even though you have not opened it.

"The short fix:
You will find this one living in the extensions folder of Firefox. What you need to do is find the offending file, delete or encrypt it, then replace it with a blank dummy file.
Here are the steps:
Navigate to: C:\Program Files\Mozilla Firefox\extensions\, look for a folder that is a string of letters, created around the time you began having the problem. Something like "{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}"
Open the folder, and then open the folder called "chrome", then "content", and look for a file inside called overlay.xul (variants may have different names).
Verify that it is the virus: does it have code similar to this: click to see code
If you have found the culprit, delete the file (or encrypt with Axcrypt which is reversible).
Replace it with a blank text file with the same name and extension.
Repeat the process - you may have multiple copies in multiple folders.
Test: Go back to Google, try your search results again.

The better fix:
What you will do here is the short fix listed above, plus you will also run several Malware programs, remove all old versions of Java and download the new Java. If that doesn't cure your problem you may need to run some more serious software. Here are the steps:
Do the "short fix" listed above.
Remove old versions of Java by downloading JavaRa and unzipping it to your desktop.
Double-click on JavaRa.exe to start the program and Click on Remove Older Versions.
Download and install the latest version of Java (Most likely the first download you see here).
Install Malwarebytes and SuperAntiSpyware
Update them, run them, and delete all bad stuff.
Shutdown, restart, run them again.
If you are clean then test for redirects in Google."

Willy, there is also another tool that you try: GooredFix
Direct download of GooredFix is in http://jpshortstuff.247fixes.com/GooredFix.exe

Found it in MBAM forums with the following post:

"GooredFix is a tool written to deal with this Firefox Hijack. Option#1 will display what it thinks is bad and Option#2 will delete what it thinks is bad. If you are unsure, post a log from Option#1.

This infection has been around since about October/November last year, and has 4 different "variants". Currently, no AntiVirus/AntiSpyware programs detect this."


I hope you'll get this fixed. Not all browsers on your PC are affected, right?
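The "short fix" quoted above is a manual procedure: look in the Firefox extensions folder for a GUID-named subfolder created around the time the redirects began, check whether it carries chrome/content/overlay.xul, and if so replace that file with a blank one. The script below is an added example written for this thread (it is not the blog's code and not GooredFix); it automates the same triage so a defender can list candidates first and only then neutralize a confirmed one. The default install path, the 30-day age window in the usage line, and the quarantine folder name are assumptions; everything else follows the quoted steps. Like GooredFix, it separates "show what looks bad" from "act on it", and it quarantines the file instead of deleting it so the action is reversible.

```python
"""Triage a Firefox extensions directory for the GUID-named hijack extension
described in the quoted guide. Constructed example for this thread; not the
blog's procedure code and not GooredFix."""
import os
import re
import shutil
import sys
from datetime import datetime, timedelta
from pathlib import Path

# Assumed default Firefox install path on 32-bit Windows of the period.
DEFAULT_EXTENSIONS_DIR = Path(r"C:\Program Files\Mozilla Firefox\extensions")

# Extension folders named like "{BCB94CDD-5542-403F-9FB3-07D3DB1E9951}".
GUID_DIR = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# The file the guide says to look for inside such a folder.
OVERLAY_REL = Path("chrome") / "content" / "overlay.xul"


def find_suspect_extensions(extensions_dir, since=None):
    """Return one dict per GUID-named extension folder that contains
    chrome/content/overlay.xul. If `since` (a datetime) is given, only folders
    created on or after it are reported. Nothing is modified."""
    extensions_dir = Path(extensions_dir)
    findings = []
    if not extensions_dir.is_dir():
        return findings
    for entry in sorted(extensions_dir.iterdir()):
        if not entry.is_dir() or not GUID_DIR.match(entry.name):
            continue
        overlay = entry / OVERLAY_REL
        if not overlay.is_file():
            continue
        # On Windows st_ctime is the creation time, which is what the guide
        # tells you to compare against the onset of the redirects.
        created = datetime.fromtimestamp(entry.stat().st_ctime)
        if since is not None and created < since:
            continue
        findings.append({
            "folder": str(entry),
            "overlay": str(overlay),
            "created": created.isoformat(timespec="seconds"),
            "overlay_bytes": overlay.stat().st_size,
        })
    return findings


def neutralize_overlay(overlay_path, quarantine_dir):
    """The guide's "delete the file, then replace it with a blank dummy file"
    step, made reversible: the original overlay.xul is moved into
    `quarantine_dir` and an empty file of the same name is left in place.
    Returns the quarantine path."""
    overlay = Path(overlay_path)
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    # parents[2] is the GUID folder; keep it in the name so several copies
    # (the guide warns there may be more than one) do not collide.
    quarantined = quarantine_dir / f"{overlay.parents[2].name}_{overlay.name}"
    shutil.move(str(overlay), str(quarantined))
    overlay.write_bytes(b"")
    return quarantined


if __name__ == "__main__":
    # Usage: python triage.py [extensions_dir]  -- report only, no changes.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else DEFAULT_EXTENSIONS_DIR
    window = datetime.now() - timedelta(days=30)  # assumed onset window
    for f in find_suspect_extensions(target, since=window):
        print(f"{f['created']}  {f['overlay_bytes']:6d} B  {f['overlay']}")
```

Run it without arguments to list candidates; only call neutralize_overlay on a folder you have looked at, and run the listing again afterwards, since the guide notes the infection can exist in several folders at once.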

Back at it...
by Willy / December 21, 2009 2:57 AM PST

I've d/l'ed those AV pgms. that have ID'ed Vundo or the redirect virus. Now I have to see if it works. So far, even after deleting or blanking out whatever needs to be done, the redirect still remains. I find it harder once it should be gone. It also apparently wants to delve deeper, or maybe I missed it. No matter, sooner or later I'll get it. But for now I've already deleted Firefox. I may have to delete the last Java update and then reload it also. I had a feeling it was a Java or browser issue. But even with the help so far, it doesn't appear straight out even when using those helpful pgms., for the time being. Checking it out is becoming frustrating at the moment. Get back to you later. ----Willy

I have the same issue.
by blur57 / December 21, 2009 10:57 AM PST
In reply to: Back at it...

Win Defender
Malwarebytes AM
Ad-Aware

I scanned with AVG and Malwarebytes and Win Defender.
All 3 detected a bunch of problems.
I removed those viruses and malware.
AVG detected "Vundo generic." even through multiple scans.
I still have the browser redirects problem though.

My attempts so far...
by Willy / December 21, 2009 9:58 PM PST
In reply to: I have the same issue.

The virus can be one of the variants of Vundo and/or just the Google redirect. It's important to know that, as it will take various attempts to remove it to be successful. So far I have found some, but yet it still infects my systems. This is why I mention beforehand to get the right removal tool and/or manual method. The last resort is of course a system OS reload, a fresh reload. Your AV pgms. can hit and remove the virus, but it comes back. It's important to turn off the system restore feature. Save any critical data you want, but do a manual direct save; don't do a load drive or similar if and when possible, otherwise when you return data you may re-infect a fresh reload again. I have found, if you cut&paste the search result link, say like Google, the actual link (lower section) will not allow the redirect to grab hold (so far). If you see a web page other than the Google-supplied (proper) one, you have a nonsense response (annoyance) for now, BUT don't click on anything; in fact kill that webpage and start the browser again. It is very important you don't do any banking online or financial services until the problem is entirely resolved (you've been warned).

Most removal tools deal with a specific infection, so if you get any hits by your AV, note it down. While I mention Vundo, that's a generic term for such infections, though it may be another name. Since some AV pgms. don't even see a new infection (type/variant), it's quite possible it will be missed. Then use as many AV pgms. as possible and/or tools in dealing with the virus. These should include AV pgms., rootkit, removal tools, spyware, malware and/or the HijackThis pgm. as well. If you have any toolbars on your browser, remove them for now or disable them. The virus can rehatch as it hides or uses different names to do its tasks. Check the task manager for any so-called "redirect" process at work; you shouldn't have any listed, thus kill it. Alas, it seems just as an infection is found it may attack the scanner system files, so be prepared to reload your AV pgm. All or any protection pgms. should be burned to a CD/DVD in order to load or reload them. If you reload, be sure to totally wipe out past installs. Reload the AV and then update it. Update any required protection pgms., to have the latest info they need. Beware of false help websites; use your judgment.

I'm a tech, or worse, a field engineer. To have this happen to me is unnerving. My attempts so far, while having hits and/or corrections, seem not to stop this one. I can only imagine it's changing on me. For now I'm at the redirection part of the virus; if you get hijacked, then expect either more spam or a worse impact on banking.

tada -----Willy

Another thing that comes to mind is
by Donna Buenaventura / December 22, 2009 3:39 PM PST
In reply to: Back at it...

the TDSSserv infection. I hope deleting Firefox really gets rid of it, and that you will reload Java and other plugins, but in case you have not, Willy:

Show Hidden Devices under Hardware Device Manager in your Windows Control Panel.
Look for "TDSSserv.sys". If found, right-click it then select Disable. Do not select Uninstall but choose "Disable".
Reboot the pc.
Scan the system using up-to-date antivirus or anti-malware.

Many are affected now.
