Removing A Redirect Virus Manually
Removing this type of virus manually is challenging at best, and if it is embedded too deeply in the system, a complete system reformat may be the only answer.
The virus can not only change system settings and replace normal programs and system libraries; it can also infect firmware such as network cards, hard drives or even the system BIOS.
Learn more about the virus
Attackers normally create variations of a virus as a form of insurance: if one variant is found, a different one is ready to kick in. Unlike a worm, the Google redirect virus does not spread by replication; it spreads through user interaction, i.e. by redirecting the user to sites with more malicious content.
As it also remains hidden, you can see that it is a difficult virus to find and remove. A variant will change either the Domain Name Server (DNS) settings, the Local Area Network (LAN) settings or the Windows hosts file; the processes for checking each of these settings are described below.
Remember you do this at your own risk.
Begin by booting your PC into Safe Mode; this ensures that only Windows' basic processes will start.
Next you need to check your PC's Local Area Network (LAN) settings. This is to ensure that the redirect virus is not routing your traffic through a malicious proxy server.
1: Open Internet Explorer.
2: Tools, Internet Options, Connections.
3: Click on LAN settings.
4: Make sure that 'Use a proxy server for your LAN' is unchecked.
1: Open Firefox.
2: Tools, Options, Advanced, Network, Settings.
3: Make sure that the 'No proxy' radio button is selected.
If you are using other browsers, the methods may vary slightly.
Next you need to check your Domain Name Server (DNS) settings.
(DNS basically acts as a database mapping domain names to IP addresses; the redirect virus can change these settings so that you are sent to malicious sites.)
2: Control Panel
3: Network Connections
4: Right-click the local network connection and select Properties.
5: Highlight 'Internet Protocol (TCP/IP)'.
6: Click 'Properties'; in the next window, ensure the option 'Obtain DNS server address automatically' is selected.
Next, the Windows hosts file settings need checking.
Simply put, the Windows hosts file is the PC's local DNS, and these settings can also be changed by the redirect virus.
The hosts file is a standard text file and can be found at c:\windows\system32\drivers\etc\hosts…
When prompted for which program you want to open this file with, use a text editor such as Notepad or WordPad.
The hosts file should contain only the entry '127.0.0.1 localhost'. If there are other entries in the hosts file, remove them.
If you are nervous at this point you can always keep a copy of the text file and reinstate it should you have problems.
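Before removing anything from the hosts file, it helps to see exactly which active mappings deviate from the default. The following is an added example (not code from the original article) that parses a hosts file, ignores comments, and reports every mapping that is not the loopback/localhost default; the sample hosts content is constructed, and treating the IPv6 loopback entry as benign is an assumption.

```python
"""Audit a Windows hosts file for entries a redirect virus may have added.

Added example, not part of the original article. Reports every active
mapping that is not a default localhost entry so it can be reviewed
before editing. The sample content below is constructed.
"""
import ipaddress

# Assumption: both the IPv4 and IPv6 loopback mappings for localhost are benign.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active line, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text):
    """Mappings to review: anything that is not a default localhost entry."""
    return [e for e in parse_hosts(text) if e not in DEFAULT_ENTRIES]


def audit_hosts_file(path=HOSTS_PATH):
    """Read the real hosts file and return the entries that need review."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


# Constructed sample: the clean defaults plus two redirect-style lines.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
::1             localhost
203.0.113.10    www.google.com     # search engine silently redirected
203.0.113.10    update.example-av.test
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"review: {name} -> {ip}")
```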
The redirect virus usually installs itself as a service, so we need to disable it.
DO NOT DELETE IT.
To do this go to Start, Control Panel, System > Hardware > Device Manager > View > Show Hidden Devices…
Look for 'Non-Plug and Play Drivers', expand the option (the + sign), then look for 'TDSSserv.sys' and disable it. The reason you do not delete it is that if it is deleted, the virus reinstalls itself when you reboot the system.
Reboot and scan your system with an anti-malware scanner. Malwarebytes is a great free program, which I highly recommend. Finally, clean up with CCleaner to remove any debris left behind by this rootkit virus.
Finally, create a restore point in System Restore.
This explanation of how to remove this virus is done at your own risk.
The problem will hopefully now be gone. However, depending on how many other infections your system picked up while in such a vulnerable state, it could still be problematic. If this is the case, you are left with two choices: having it removed automatically online, or backing up your data and doing a complete reformat of your hard drive.
seven tips to help you avoid redirect viruses