Google Pop Up Virus Removal in Windows and Mac

2010-08-24

Page content

Malware Creators and Google.com

Google.com is the top search engine in the Internet. Popular search engine like Google.com is often the target of malware creators and distributors who create Google viruses. By creating malicious software that will hijack any web searches using Google or clicking on links using a browser, the bad guys are earning money or may steal valuable data such as username, password, credit card number, social security number, etc. If Internet Explorer, Firefox, Chrome, Safari or Opera browsers are opening another browser window, a pop-up window or sending your clicked links to fake Google URL, the problem is not with Google.com servers but at your end. The PC or your modem or router has been hijacked by virus or other type of malware.

How to remove Google pop up virus?

There are several methods to try in cleaning up the mess that the malware has done to your computer. You need to ensure to follow the steps below in order to start removing a Google pop up virus infection. Note that the said infection will not stop you in browsing the Internet so this is easy to handle. However, it is best to not to use the infected computer or networking device to login in secure websites such as online banking to prevent the malware in getting what they want to get from victims.

Trojans or DNSChanger Trojans can modify the DNS server settings in your router, modem or Internet settings so your first step is to ensure that the DNS servers has not been hijacked or modified. Reset the router, modem or Internet settings to default and make the necessary changes that the ISP has suggested. If you have to reset a router or modem, do not forget to change the password or pass phrase with a strong password. Note that Mac OS users are also affected by DNSChanger Trojans. If resetting the device or Internet options setting has helped, proceed to scan the computer using up-to-date scanner.

If resetting the router or modem did not help, you need to download the DNS Trojan Removal tool for your operating system:

For Mac OS users - download the DNSChanger Removal Tool from https://macscan.securemac.com/files/DNSChangerRemovalTool.dmg. You read about the tool in SecureMac website, the maker of MacScan anti-malware for Apple operating systems.
For Windows users - download TDSKiller from Kaspersky website. This is a standalone removal tool of Trojans or rootkits that is targeting web searches or hyperlinks. You can also use Windows Malicious Software Removal tool by Microsoft that should detect and remove Alureon Trojan infection.

Manual Removal of Google pop up virus

If you would rather remove the infection causing the Google pop up virus, Google redirect virus or Google blank search virus, manually, follow the steps

Disable Simple File Sharing in Windows will help remove Google Pop Up Virus

below, for Windows users:

Open the registry editor in Windows by typing regedit in run command box. Locate HKEY_CLASSES_ROOT\.htc registry key. In the right pane, you will find “Content Type” registry key value. The default is text/x-component. If you see {space} as value of Content Type, you are on the right track, the system is indeed hijacked by TDSS or Alureon Trojans, also known as DNSChanger Trojan.

Another way to verify the infection is indeed the DNSChanger is by navigating to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List. If you find a data value “Flash Media”, you will be able to identify the location of the malicious processes or executable. Note that the Trojan will also add a processes or executable in the Userinit registry key (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit) in Windows so that it will automatically start, right after Windows have started.

To start removing the infection that is causing Google pop up virus, here are the steps:

Open Folder options in Windows then click “View” tab. In XP, uncheck the box for “Use simple file sharing” while in Vista or Windows 7, uncheck the box for “Use sharing wizard”.
Since you’ve identified the location of the malware executable or processes in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit registry keys, locate it using Windows Explorer or third-party file manager for Windows. Browse for the location of the malicious processes that the Userinit and List keys are displaying. Next, right-click the executable to open the properties window. Then select “Security tab”, add a new user for the current user profile and give a deny access for all permission in the said volume, for the said malicious processes or executable.
Reboot the computer
Proceed in browsing the location of the malicious processes again that you’ve identified in the Userinit and List registry keys. Delete it manually.
Edit the registry key by restoring the default value: “HKCR\.htc\Content Type” = “text/x-component”
“HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit” = “C:\WINDOWS\system32\userinit.exe”
Delete the registry key value Flash Media in HKLM\Software\Microsoft\Windows\CurrentVersion\Run and from HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Proceed in updating your antivirus program to scan the computer for any other malware residing in your computer.

Image Credit: Screenshot taken by Donna Buenaventura