
Toseeka; shopica; findlinks



#1 Nathan005 (Members, 6 posts)

Posted 05 January 2009 - 03:55 PM

Cynthia,

I am having the same problem and have not been able to fix it yet (search is redirected to shopica, toseeka, or other spam sites). I noticed (after reading this thread) that my browser gets redirected to zfsearch - only visible for a split second after I hit the search button. After searching for zfsearch it appears to be a worm. Does anyone know how to remove it? None of the online scanners or spyware/adware scanners have been able to find anything so far, and I've tried a few of them in safe mode as well as normal boot.

Nathan
Windows Vista SP1
IE 7.0.6.... & FireFox 3.0.5
AT&T DSL w/ 2wire router


MOD EDIT: added OP's comment:

I think I may have found the culprit. I disabled an add-on in FireFox called "XUL Cache 1.0", search appears to have returned to normal. I don't recall ever installing that add-on, but I do recognize all of the other add-ons listed.

Edited by boopme, 05 January 2009 - 04:14 PM.




#2 boopme (Global Moderator, 73,416 posts)

Posted 05 January 2009 - 04:08 PM

Hi Nathan, I have split you to your own topic. It gets confusing going with multiple people at different stages of repair.
Please run GMER from post 14 here, the original place you posted:
http://www.bleepingcomputer.com/forums/topic191667-15.html
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Nathan005 (Topic Starter, Members, 6 posts)

Posted 05 January 2009 - 04:54 PM

Thanks for your help

I tried running GMER and following your directions, but the latest version does not have the "Settings" tab. I will download an older version and run it.

Nathan

#4 extremeboy (Malware Response Team, 12,975 posts)

Posted 05 January 2009 - 05:57 PM

Hello.

Sorry for jumping in here boopme, thought I would give Nathan005 a speech on running GMER as it may be easier.

I have a speech for running GMER, try following the instructions below, you need to select the >>> tab to be able to see the Setting tab. :thumbsup:

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Download gmer.zip and save to your desktop.
    Alternate Download Site 1
    Alternate Download Site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>> tab
  • Now Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important! Please do not select the Show all checkbox during the scan.

Post back with the GMER log.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 boopme (Global Moderator, 73,416 posts)

Posted 05 January 2009 - 06:04 PM

Thanks extremeboy! Teamwork is always appreciated.

#6 Nathan005 (Topic Starter)

Posted 05 January 2009 - 06:16 PM

Thanks for the help...unfortunately the latest version of the GMER program no longer has the "Settings" tab. The tabs are now [Processes, Modules, Services, Files, Registry, Rootkit/Malware, Autostart, and CMD]. I went back and downloaded an older version that has the "Settings" tab, but it crashes, probably due to an incompatible .dll or .sys file. I reinstalled the newer gmer.exe, but now it crashes after scanning for a minute.

I am now going to try again in safe mode. Can you please look at the new gmer program (ver 1.0.14.14536) and update the directions?

#7 Nathan005 (Topic Starter)

Posted 05 January 2009 - 06:50 PM

GMER is still crashing in safe mode when it gets to \Device\HarddiskVolumeShadowCopy1

I'll try the GMER site and boards to see if they can help get it working.

Nathan

#8 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 05 January 2009 - 06:56 PM

Hello Nathan.

GMER does not have the "Settings" tab for Vista, if I'm not mistaken.

From your other post, the issue has been resolved by disabling a firefox extension, correct? If so, there should be no need to run GMER.

With Regards,
The Panda

#9 extremeboy (Malware Response Team, 12,975 posts)

Posted 05 January 2009 - 07:04 PM

Hello.

Yes. Vista machines don't have the Settings tab; I saw this when I worked with another member that was using Vista. Sorry for not reading your exact problem; I didn't realize you were using Vista. I wasn't reading the other thread, but do you have any other problems? Does your current problem still remain? An explanation of your problem will be helpful :thumbsup:

With Regards,
Extremeboy

#10 Nathan005 (Topic Starter)

Posted 05 January 2009 - 08:14 PM

I think I've fixed it. The problem cropped up when doing a search, either from a search engine or from the Google toolbar. The search results looked completely normal, but when you would click on one of the results it would redirect you to one of a number of websites, most often shopica.com or toseeka.com, which would give you a list of shopping links to buy whatever you were searching for. You could click the "Back" button on the browser, click on the same link, and it would take you to the correct site. The redirect didn't happen every time, more like every other search or every third search. I ran a number of antivirus & antispyware programs and online scanners, but they didn't find anything. The Kaspersky online scan found something, but I think you have to buy their software to have it remove the item.

I found the bleepingcomputer forum after doing a search on the problem, and I found the thread where boopme was helping Cynthia3333. In one of the posts boopme asks: "Hi, Are you noticing anything like Google searches being redirected through google.goored (or also zfsearch)??" So I checked the status bar at the bottom of the browser after I hit "Search". Sure enough, for a split second it says something about "zfsearch". I looked at the add-ons (Firefox 3.0.3) and there was one that I didn't recognize called "XUL Cache 1.0". I disabled it and the zfsearch on the status bar stopped appearing, and I was not redirected to toseeka or other sites. I then enabled the "XUL Cache 1.0" and the zfsearch redirect was active again. It is now disabled, but the "Uninstall" button is grayed out.

On the Firefox Add-Ons toolbar the hijacker component reads: "XUL Cache 1.0 - XUL cache support for firefox extensions/plugins" (note Firefox is not capitalized).

An internet search with "XUL Cache" shows that there is a real function by that name in Firefox, so apparently this browser hijacker is trying to hide itself as that. I haven't found anything on the internets about XUL Cache being malware, so is it a new problem? Or is the XUL Cache 1.0 just a conduit for the problem rather than being the malware itself?
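As an added example (not from this thread, from Mozilla, or from any poster), here is a Python script that audits Firefox 3-era extension manifests (install.rdf) against an allowlist of add-on ids the user recognises and flags any add-on whose name borrows a built-in component name such as "XUL Cache"; the manifests and ids below are constructed samples.

```python
import xml.etree.ElementTree as ET
# Namespaces of a Firefox 3-era install.rdf, the manifest inside each extension folder.
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
EM_NS = "http://www.mozilla.org/2004/em-rdf#"
# Constructed sample manifests with hypothetical ids; the second mirrors the "XUL Cache 1.0 - XUL cache support for firefox extensions/plugins" entry quoted above.
SAMPLE_MANIFESTS = [
    """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>known-addon@example.com</em:id>
    <em:name>Example Known Add-on</em:name>
    <em:version>2.3</em:version>
    <em:description>An add-on the user deliberately installed</em:description>
  </Description>
</RDF>""",
    """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{11111111-2222-3333-4444-555555555555}</em:id>
    <em:name>XUL Cache</em:name>
    <em:version>1.0</em:version>
    <em:description>XUL cache support for firefox extensions/plugins</em:description>
  </Description>
</RDF>""",
]
# Built-in Firefox component names an add-on may borrow to look legitimate (lower-cased).
IMPERSONATED_COMPONENT_NAMES = ("xul cache",)

def parse_install_rdf(xml_text):
    """Return id, name, version and description from one install.rdf document."""
    desc = ET.fromstring(xml_text).find("{%s}Description" % RDF_NS)
    def field(tag):
        el = desc.find("{%s}%s" % (EM_NS, tag))
        return el.text.strip() if el is not None and el.text else ""
    return {k: field(k) for k in ("id", "name", "version", "description")}

def audit_extensions(manifests, allowlist):
    """Flag add-ons whose id is not allowlisted or whose name mimics a built-in component."""
    findings = []
    for xml_text in manifests:
        info = parse_install_rdf(xml_text)
        reasons = []
        if info["id"] not in allowlist:
            reasons.append("id not in allowlist")
        if info["name"].lower() in IMPERSONATED_COMPONENT_NAMES:
            reasons.append("name mimics a built-in Firefox component")
        if reasons:
            findings.append((info["name"], info["version"], reasons))
    return findings
```

On a real profile you would read each extension folder's install.rdf from disk and build the allowlist from the add-ons you remember installing; an entry the Add-ons manager will not let you uninstall is worth checking against that list first.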

#11 dirk222 (Members, 1 post)

Posted 15 February 2011 - 08:50 PM

From what I can tell I was able to uninstall this little bugger (XUL Cache); everything seems to be fine now.


Shawn.



