
Search engine redirect virus

Created: 21 Sep 2010 | 4 comments

I run Windows XP on a Dell laptop.  I have Symantec Endpoint Protection.  All updates are current.

I have what appears to be the search engine redirect virus.  I don't know how it got past Endpoint. Any ideas?

How can I find and delete this virus from my computer?

Thank You.


setral's picture

Here's a question.

Do you get redirects randomly from any link you click in searches?

Or is it only specific websites that you get redirected from?

I'm asking because there was an exploit with some portal sites, such as older versions of vbSEO, where when you do a search and click on a link to a site using that portal, the first time during that browser session it will redirect you. After that it works fine. This would be an exploit on their server, not your PC, but would appear to be a redirect virus.

ccsmith51's picture

I get redirects on any search engine I have tried (Yahoo, Google, Bing) from any search result that I select.  I use Firefox but have the same problem with IE.  When I get redirected in Firefox, I can click on the back arrow, and in the list that comes down is a "redirect" listing.  So, I am pretty sure I have a redirect virus.

I'd like to know how it got through Endpoint Protection, which my company says is the best.  And how to get rid of the virus.  Thank You.

setral's picture

I'm not sure how, and I don't use Endpoint Protection.

However, it usually modifies your Internet Explorer connection settings to use a proxy of 127.0.0.1 or something. If you go into Internet Options, Connections, LAN Settings, make sure there isn't anything under Proxy Settings that shouldn't be there. If it's like 127.0.0.1, uncheck it.

Also, it probably modified your hosts file. In WinXP that is under C:\Windows\System32\Drivers\ETC\hosts. You can open this file up in Notepad, but it might be marked read-only.

If you see anything out of the ordinary (besides 127.0.0.1 localhost), you can use a # at the beginning of the line to remark it out. You might need to reboot for that to take effect.

That will keep you from using the redirect proxy temporarily; you'll likely have to check your PC with Malwarebytes or some other malware/spyware removal tool you are familiar with to clean up. (Again, I only say that because I'm not familiar with Endpoint Protection.)
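The two manual checks from the comment above (hosts file and loopback proxy), written as a script. This is an added example, not part of any post in the thread. The sample hosts content is constructed, and the proxy values are assumed to have been read from `ProxyEnable` and `ProxyServer` under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`.

```python
import ipaddress

# Names expected in a stock hosts file (assumption for this example).
EXPECTED = {"localhost"}

# Constructed sample, not taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp. sample header
127.0.0.1       localhost
203.0.113.7     www.google.com search.yahoo.com
#198.51.100.9   www.bing.com
127.0.0.1       portal.example.test
"""

def audit_hosts(text):
    """Return (line_no, ip, hostname, reason) for each active entry to review."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' remarks out the rest of the line
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, ip, " ".join(names), "malformed address"))
            continue
        for name in names:
            if addr.is_loopback and name.lower() in EXPECTED:
                continue  # the normal "127.0.0.1 localhost" entry
            reason = ("name pointed at loopback" if addr.is_loopback
                      else "name pinned to a fixed address")
            findings.append((no, ip, name, reason))
    return findings

def proxy_is_loopback(proxy_enable, proxy_server):
    """True when the proxy is enabled and points at the local machine."""
    if not proxy_enable or not proxy_server:
        return False
    # ProxyServer is "host:port" or "http=host:port;https=host:port"
    for part in proxy_server.split(";"):
        host = part.split("=", 1)[-1].split("//")[-1].rsplit(":", 1)[0]
        host = host.strip().lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On a real machine, pass the contents of the hosts file to `audit_hosts`. A loopback proxy is not always malicious, since some local filtering tools set one, so treat a hit as something to identify rather than proof of infection.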

Nurb4000's picture

Sounds like a toolbar extension to me.  One of my users had that, and it was really having problems with the Ajax stuff in the portal.

1/2 the time an Ajax refresh would trigger the 'redirect' to one of their paid advertisers.  It really was not a virus, but a 'feature' of something the user had installed, so antivirus didn't kill it.