Posted 05 January 2009 - 08:14 PM
I think I've fixed it. The problem cropped up when doing a search, either from a search engine or from the Google toolbar. The search results looked completely normal, but when you would click on one of the results it would redirect you to one of a number of websites, most often shopica.com or toseeka.com, which would give you a list of shopping links to buy whatever you were searching for. You could click the "Back" button on the browser, click on the same link, and it would take you to the correct site. The redirect didn't happen every time, more like every other search or every third search. I ran a number of antivirus & antispyware programs and online scanners, but they didn't find anything. The Kaspersky online scan found something, but I think you have to buy their software to have it remove the item.
I found the bleepingcomputer forum after doing a search on the problem, and I found the thread where boopme was helping Cynthia3333. In one of the posts boopme asks: "Hi, Are you noticing anything like Google searches being redirected through google.goored (or also zfsearch)??" So I checked the status bar at the bottom of the browser after I hit "Search". Sure enough, for a split second it says something about "zfsearch". I looked at the add-ons (Firefox 3.0.3) and there was one that I didn't recognize called "XUL Cache 1.0". I disabled it and the zfsearch on the status bar stopped appearing, and I was not redirected to toseeka or other sites. I then enabled the "XUL Cache 1.0" and the zfsearch redirect was active again. It is now disabled, but the "Uninstall" button is grayed out.
On the Firefox Add-Ons toolbar the hijacker component reads: "XUL Cache 1.0 - XUL cache support for firefox extensions/plugins" (note Firefox is not capitalized).
An internet search with "XUL Cache" shows that there is a real function by that name in Firefox, so apparently this browser hijacker is trying to hide itself as that. I haven't found anything on the internets about XUL Cache being malware, so is it a new problem? Or is the XUL Cache 1.0 just a conduit for the problem rather than being the malware itself?