
Goored Infection?


  • This topic is locked
2 replies to this topic

#1 fish360


Posted 28 December 2008 - 03:49 PM

After performing a search in Google, if I click a link on the results page I am frequently redirected to an ad website. (MountainCoupons.com seems to be the most frequent one.) When clicking the link, the goougly.com or googadsonline.com websites flash in the bottom status bar. I have read the goored removal forum here, and included the log file but it did not find any suspected entries and the problem persists. Please let me know if you have any suggestions - thanks!

UPDATE: I read here that goored uses JavaScript. I've disabled JavaScript in Firefox and have not had a re-direction since. This is not a final fix, but hopefully a clue to someone who knows more than I do!! Thanks again.


DDS (Version 1.1.0) - NTFSx86
Run by Brendan Fischer at 15:38:06.84 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1114 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Brendan Fischer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig
uInternet Settings,ProxyOverride = *.local
BHO: {36a0f738-a60c-49c5-bbd4-0b49b6f171db} - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.edu
Trusted Zone: villanova.edu
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: ggdibb.dll,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brenda~1\applic~1\mozilla\firefox\profiles\1bxpr57r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\real\realplayer enterprise\netscape6\nppl3260.dll
FF - HiddenExtension: XUL Cache: {9792CD13-4EAA-44EE-A589-21BA6A037DBC} - c:\documents and settings\administrator\local settings\application data\{9792CD13-4EAA-44EE-A589-21BA6A037DBC}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-25 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-25 26824]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-12-25 353680]
R2 aawservice;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" [2008-9-10 611664]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-25 231704]
R2 McAfeeFramework;McAfee Framework Service;"c:\program files\mcafee\common framework\FrameworkService.exe" /ServiceStart [2008-5-5 103744]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service []
S1 62adc581;62adc581;c:\windows\system32\drivers\62adc581.sys []
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys []

=============== Created Last 30 ================

2008-12-28 15:07 <DIR> --d----- c:\docume~1\brenda~1\applic~1\Ruckus Network
2008-12-28 14:40 <DIR> --d----- c:\docume~1\brenda~1\applic~1\Malwarebytes
2008-12-28 14:20 <DIR> --d----- C:\HJT
2008-12-28 14:02 <DIR> --d----- c:\program files\CCleaner
2008-12-28 14:00 <DIR> --d----- C:\ComboFix
2008-12-26 11:01 <DIR> --d----- c:\docume~1\brenda~1\applic~1\ICAClient
2008-12-26 11:01 <DIR> --dsh--- c:\documents and settings\brendan fischer\UserData
2008-12-26 11:01 <DIR> --d----- c:\documents and settings\brendan fischer\RealEnterprise
2008-12-26 11:01 <DIR> --d----- c:\documents and settings\Brendan Fischer
2008-12-25 16:48 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-25 16:44 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-25 16:43 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-25 00:07 4,212 a---h--- c:\windows\system32\zllictbl.dat
2008-12-25 00:06 <DIR> --d----- c:\program files\Zone Labs
2008-12-24 23:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 23:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 23:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-24 23:48 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 22:49 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-12-24 22:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-12-24 21:54 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-24 21:54 <DIR> --d----- c:\program files\AVG
2008-12-24 21:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-24 11:20 2 a------- C:\2084136823
2008-12-24 11:20 73,728 a------- C:\tstk.exe
2008-12-23 20:07 1 a------- c:\windows\system32\za.dat
2008-12-22 23:20 <DIR> --d----- c:\program files\Lavasoft
2008-12-22 23:19 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-12-22 23:03 <DIR> --d----- c:\program files\NoAdware
2008-12-19 12:08 <DIR> --d----- c:\program files\Emergent Music LLC
2008-12-19 12:08 <DIR> --d----- c:\program files\Ruckus Player
2008-12-19 11:53 <DIR> --d----- c:\program files\iPod
2008-12-19 11:53 <DIR> --d----- c:\program files\iTunes
2008-12-19 11:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 11:53 <DIR> --d----- c:\program files\Bonjour
2008-12-19 11:51 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2008-12-19 11:36 <DIR> --d----- c:\program files\MSECache
2008-12-17 08:45 <DIR> --d----- c:\windows\ms
2008-12-17 08:44 <DIR> --d----- c:\windows\system32\ccmsetup
2008-12-17 08:44 <DIR> --d----- c:\windows\system32\VPCache
2008-12-10 13:54 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-12-10 13:54 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-12-10 13:54 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2008-12-10 13:53 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2008-12-10 13:53 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-10 13:53 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-10 13:53 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-10 13:53 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-10 13:53 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2008-12-10 13:53 331,776 -c------ c:\windows\system32\dllcache\msadce.dll
2008-12-10 13:52 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2008-12-10 13:47 23,576 a------- c:\windows\system32\wuapi.dll.mui

==================== Find3M ====================

2008-12-26 11:01 183,321 a------- c:\windows\system32\nvModes.dat
2008-11-13 15:18 1,221,008 a------- c:\windows\system32\zpeng25.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-05-12 09:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050520080512\index.dat
2008-05-12 09:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat

============= FINISH: 15:38:35.25 ===============





GooredFix v1.6 by jpshortstuff
Log created at 14:15 on 28/12/2008 running Option #1
Firefox version 3.0.5 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

Edited by fish360, 28 December 2008 - 04:00 PM.




#2 fish360


Posted 28 December 2008 - 07:42 PM

Resolved the problem. Used the directions from the first link in the previous post - the offending files/folder was stored under a different user name than the one I was using! Thanks to all those who looked.

#3 boopme


Posted 03 January 2009 - 08:25 PM

Appreciate you telling us your solution.



