A little while ago a customer needed me to clean up his laptop. He had accidentally downloaded some junk programs and search engines. He was seeing lots of ad and his search engine on his browser had changed. I figured it would be relatively simple to remove, but this one surprised me.
Here are the steps I used to remove the Yahoo redirect virus.
1. I uninstalled the junk programs I found.
2. I ran Malwarebytes and removed all the threats I found.
3. I removed all the weird search engines and home pages I found in Internet Explorer and Google Chrome.
4. I ran ccleaner to get rid of unnecessary registry files and trash that got installed.
5. I restarted the computer and it was fast and seemed to be working fine. However, when I did a search in Google Chrome this stupid Yahoo redirect came up.
So I tried a couple more things. I removed all the extensions and add-ons in Chrome. I also made a new Chrome profile. I did a couple searches and I thought I had gotten the virus finally removed, so I told the customer he was all fixed up.
It wasn’t long later the customer contacted me that he was still getting the Yahoo redirect every now and then. When he did a Google search most of the time it would return a Google search result but 10% of the time the stupid Yahoo search engine would come up.
I had a couple more things to try. I decided to try uninstall Google Chrome and reinstall it. But it wasn’t long till that Yahoo redirect was back at it. I ran another Malwarebytes scan and it returned clean. I did some searches online and I ran across a comment in one article that got me thinking. It mentioned something about the DNS servers. I decided to give that a try.
I went into the network and sharing center and found that the DNS server was statically assigned to the following addresses:
I removed the DNS servers and boom!, the Yahoo redirect issue was gone. Apparently, the virus statically assigned those DNS servers which was causing our issue.
If this still doesn’t prove to kill your Yahoo redirect, I would make sure your browser doesn’t have a proxy settings. Go to Internet Options > Connections > LAN Settings and make sure you are set to Automtically detect settings.
Update 6/27/14: Here is another troubleshooting tip I came across, that could be affecting some of you. Some malware and adware is smart enough to change the mapping of IP addresses to host names in the default Windows HOSTS file. Here is how to check if that is changed.
1. Open Command Prompt and run the following commands . . .
If you run that command correctly it will bring up a document that should look close to the following.
Check what your IP address mappings to each corresponding host name is. If you find weird IP addresses, “Google” them and see where they are coming from. If you are sure they are malicious DNS servers, remove that line in the document, and save the file again. Restart your computer and then do another search and see if the Yahoo redirect clears up.
I hope this helps you out!! This was posted by techspeeder.
Thank you!!! The statically assigned DNS servers were preventing me from accessing my company’s intranet sites. I tried everything. AdwCleaner, Malwarebytes, clearing my browser cache, uninstalling chrome, nothing worked… until I found your blog and removed the preset DNS server ips.
I ran into this resilient malware when I was installing Virtual Clone Drive so I could extract the installer from an ISO I downloaded, without having to actually burn the ISO onto a disk or usb. Turns out Virtual Clone Drive would not install unless I installed some additional software. I’ve removed that junk before, I figured, so what the heck. Big mistake haha. It’s my first week at my new company and you helped me clean up my own mess and avoid embarrassment. So thanks again.
I already had my LAN setting like that but I’m still getting redirected.
Hello, please take a look at my article again. I updated it today. The troubleshooting tip I wrote about might fix you up! Good luck!
Thank you! I spent a good amount of the day trying to figure out the problem. Hopefully I got rid of the bug(s) after I played with the router settings after reading your article.
Thank you. I think getting rid of the statically assigned DNS servers finally did the trick.
Thanks a lot, didn’t need to drill down to the host file, stat DNS did the trick, after 3 “days” of trying every trick in the “book” and then some and some even repeatedly, you got rid of this aggravator, thanks again.
Werner from Montreal
You are great! I wish I could pay you in some way. This’s been horrible nightmare for me and you saved me. I could not say enough thank you to you. To hell with Yahoo and those who created this virus.
Thank you so much!! I have been stuck with stupid with this problem for a week finally I can fixed it … Thanks again for sharing your knowledge..you the best!!
Thanks so much for this post. I was pulling out my hair last nite, but my computer is back in my control!
Ps why cant Norton deal with this?
Hello Steve, thanks for commenting. I’m glad I could help you. The more traditional antivirus software, such as Norton, AVG, and Windows Intune, do a great job of blocking viruses. However, these programs don’t do so well against adware and spyware . Here is a great article on LifeHacker that helps explain the differences between Antivirus and Antimalware http://lifehacker.com/the-difference-between-antivirus-and-anti-malware-and-1176942277 and what software you should use to protect yourself.
Dude, you rock! I ran everything that other pages suggested. Nothing worked.
The solution was hiding in a place I would never have thought to look.
Thank you for your persistence.
HI i have one word Thank You So Much! G-D Bless You!!
# 18.104.22.168 rhino.acme.com # source server
just one Q i have this two IP address just like your host file has. is this Ip addresses ok?
i made a Google search they say its probable Virus but i don’t want to mess up. pl ease let me know.
Thank you Again!
Hello ari, Glad I was able to help you! If your host file looks the same as the one in the example you are fine. The host file screenshot was taken from a computer that was running correctly and wasn’t infected.