Saturday, May 1, 2010

Google Redirect Virus Solved

If you've noticed that your web searches are being hijacked and redirected to various ad web sites, you may have picked up the so-called "redirect virus". It has been associated with Google, but it can affect any search engine in any browser. After months of fighting this thing and trying just about every solution out there, I found a solution.

HOW IT STARTED
I first noticed a problem when a phony Windows security alert popped up and a counterfeit computer scan began. I knew it was fake because it showed a view of My Computer that I never use (Large Icons rather than my normal Details list). The phony window is quite convincing and can fool you into thinking it is a genuine Windows Explorer window. After the "scan", a message pops up saying your computer is infected and you need to download a utility to fix it. Clicking any button in this message box, even the Close button, starts the download and installation of the utility. You don't want to allow this install to continue! It will bring the virus into your system. The first time I encountered this, I didn't stop it soon enough and my PC was infected.

ANTI-VIRUS SOFTWARE FAILED TO DETECT OR REMOVE IT
I tried several solutions proposed by others and none of them worked. I was running AVG, and it neither prevented my PC from getting the virus nor could it remove it. I installed Norton Security Suite after I got the virus (too late!) and Norton did not detect it on the system. There are many "free" utilities out there that claim to fix the problem, but they didn't work for me.

WHERE'S THE PROBLEM?
In my case, the problem was in my "hosts" file, located in the c:\windows\system32\drivers\etc directory. The default hosts file normally looks like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost


As you can see above, the only active line (one not preceded by "#") in the default hosts file is "127.0.0.1 localhost". Windows consults this file before asking DNS, so whatever address a line assigns to a host name wins. The redirect virus adds many other lines to this file, each mapping a host name to an address of its choosing, which is how your browser gets redirected when you do a search. You may notice Google pages returning hits in other languages, and when you click on the hits you don't get the page you expected but some unrelated ad page.
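To check a hosts file for the kind of entries described above without reading it line by line, here is a small audit script. It is an added example, not part of the original post; the watch-list of domains and the sample file with its TEST-NET address are constructed for illustration.

```python
import ipaddress
from pathlib import Path

# Domains a search-redirect infection typically tampers with. Constructed
# watch-list for this example; extend it with whatever your users rely on.
WATCHED_SUFFIXES = ("google.com", "bing.com", "yahoo.com", "avg.com", "norton.com")

# Constructed sample in the layout the post shows: the default localhost line
# plus the sort of extra lines the infection appends (TEST-NET address used).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.google.com    # search traffic sent elsewhere
203.0.113.10    www.bing.com
127.0.0.1       update.avg.com    # antivirus updates blackholed
127.0.0.1       ads.example.net   # user's own ad-block entry, harmless
"""

def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every active (non-comment) mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # strip trailing comments
        for name in fields[1:]:                  # one IP, one or more names
            yield fields[0], name.lower(), line_no

def _watched(name):
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text):
    """Classify each mapping; the stock localhost line is never reported."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        try:
            local = ipaddress.ip_address(ip).is_loopback or ip == "0.0.0.0"
        except ValueError:
            findings.append((line_no, name, "malformed"))
            continue
        if local and name == "localhost":
            continue                              # the default entry
        if _watched(name):
            kind = "blocked" if local else "redirect"   # hijacked or blackholed
        else:
            kind = "local" if local else "foreign"      # review "foreign" by hand
        findings.append((line_no, name, kind))
    return findings

def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    for line_no, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no:3}: {kind:9} {name}")
```

Run it from an elevated prompt to audit the live file; a "redirect" or "blocked" finding on a watched domain is the signature this post describes.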

At first, I thought the fix would be easy. I deleted all the extra lines, saved the hosts file and opened my browser. It was still doing the redirects! I opened the hosts file again and noticed all the extra lines were still there! After more investigation, I found the hosts file attributes had been changed to "System file", "Read Only" and "Hidden". This means the file is invisible in Windows Explorer and cannot be changed by the user.

I opened a command prompt (Start | Run | cmd.exe), navigated to c:\windows\system32\drivers\etc and listed the directory. I saw no "hosts" file. I could list it with a "dir /ah" command (show hidden files), but I could not rename it, edit and save it, or even erase it.

I searched the forums for ideas that had worked for others. These included cacls.exe (to modify the "access control list" of a file) and the "attrib" command to change the attributes of a file. I also installed a small utility called Unlocker to change the attributes of the file so I could modify it. None of these worked.

OK, OK, so what finally worked, you ask?

You can't work on the engine of a car while it is moving you down the road. I knew I would need to boot the PC from a CD or with another OS so that the infected Windows installation (and whatever was guarding the hosts file) wouldn't be running, and I could then modify the file.

THE ANSWER
Having some Linux background, I downloaded SLAX, a Linux distribution (http://www.slax.org/). SLAX lets you burn a bootable CD with enough components to operate the PC. I burned the downloaded .ISO file to a CD and rebooted the PC from it. Using the included text-based file manager called Master Commander, I was able to see my hard drive files and navigate to the directory where "hosts" lived. When I viewed the directory, I was relieved to see the hosts file sitting there! I knew then I'd be able to either edit it or delete it entirely. I chose to delete it (I have a backup copy just in case).

I exited SLAX and rebooted the PC. Windows launched and I took a look at the "etc" directory for the presence of the hosts file. It wasn't there. I started my browser and did some testing. All the redirects were gone and it runs much quicker!

I hope this works for you if you have been unable to get rid of the redirect virus.