
Google redirecting to unwanted sites.


38 replies to this topic

#1 rd11


Posted 20 February 2009 - 06:00 PM

Hi,

I have been dealing with this problem for several days now. After performing a Google search (using Firefox on Windows XP), I click on one of the search result links and it takes me to one of various strange sites. These sites are often related to my Google search string. (For example, if I search for "CNN" and click the first result on Google, it should take me to the CNN homepage, but instead will take me somewhere like "BizRate.com", where it will have already entered "CNN" as a search string on that site; other times it will take me to automobile websites, or banking sites, or even invalid Google pages.)

Malwarebytes, AVG, SUPERAntiSpyware -- in safe mode, normal mode, whatever -- nothing has managed to fix it (though they did find and eliminate other viruses). I have even tried ComboFix.

I should mention that I have two computers. BOTH of them were exhibiting the same symptoms. ONE of them appears to be fixed, though I can't figure out why or how, since everything I've tried on the fixed computer I have also tried on the one that remains ill.

I have seen many threads on the Internet from people who are experiencing what sounds like a similar problem but no one seems to have a definitive answer regarding how to get rid of it. Can anyone here help me?

Thank you.

Note: Other things I have done since this problem started: installed Zone Alarm firewall, installed AVG (other always-on virus software has since been removed), used Windows Update to get critical updates (one computer didn't even have SP3 on it), ran CCleaner.


 


#2 rigel


Posted 20 February 2009 - 08:47 PM

Hi and welcome to BC.

Please update and post a Malwarebytes log. We will review it and go from there.

Thanks :thumbsup:

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." Will Smith


#3 rd11


Posted 21 February 2009 - 02:09 AM

Thanks, rigel.

Malwarebytes' Anti-Malware 1.34
Database version: 1783
Windows 5.1.2600 Service Pack 3

2/21/2009 2:07:31 AM
mbam-log-2009-02-21 (02-07-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 137415
Time elapsed: 42 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 rigel


Posted 21 February 2009 - 09:17 AM

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.


#5 rd11


Posted 21 February 2009 - 10:32 AM

GooredFix v1.91 by jpshortstuff
Log created at 10:31 on 21/02/2009 running Option #1 (Ryan Hayes Dowd)
Firefox version 3.0.6 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{486A3ED7-AD03-4FCD-AD48-D4C9BEBF9F4B}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

#6 rigel


Posted 21 February 2009 - 12:15 PM

Have you seen these domains mentioned when you search? Goored or zfsearch


#7 rd11


Posted 21 February 2009 - 12:26 PM

I have never heard of Goored before. zfsearch sounds vaguely familiar, but I can't say for sure that it is one of the sites I've been redirected to.

#8 rigel


Posted 21 February 2009 - 09:29 PM

Sorry about the delay - checking information.


#9 rd11


Posted 22 February 2009 - 01:18 PM

Ok, no problem, just let me know what you need me to do.

#10 rigel


Posted 23 February 2009 - 07:34 AM

You have the latest variant gooredfix "fixes"...

Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


#11 rd11


Posted 23 February 2009 - 11:38 AM

GooredFix v1.91 by jpshortstuff
Log created at 11:37 on 23/02/2009 running Option #2 (Ryan Hayes Dowd)
Firefox version 3.0.6 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{486A3ED7-AD03-4FCD-AD48-D4C9BEBF9F4B}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.6\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

#12 rigel


Posted 23 February 2009 - 11:54 AM

Check again for redirects.

Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.


#13 rd11


Posted 23 February 2009 - 12:09 PM

So far I have not been redirected, but the redirects were not consistent in the first place.

I will now run the F-Secure scan. Thanks for your help.
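Because the redirects were intermittent, the two GooredFix logs posted earlier in this thread (Option #1 and Option #2) can also be compared directly. The following is an added example, not part of any post and not GooredFix's own code: it assumes the log layout seen in those two logs, the names `parse_log` and `verify_fix` are hypothetical, and treating a "Deleting folder... Done." line as confirmation of removal is an assumption.

```python
import re

# Constructed samples: the Option #1 and Option #2 logs from this thread, abridged.
SCAN_LOG = r"""=====Suspect Goored Entries=====
C:\Program Files\Mozilla Firefox\extensions\{486A3ED7-AD03-4FCD-AD48-D4C9BEBF9F4B}
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
"""
FIX_LOG = r"""=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{486A3ED7-AD03-4FCD-AD48-D4C9BEBF9F4B}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
"""

def parse_log(text):
    """Return {'paths': {path: [action lines]}, 'registry': {(key, name): data}}."""
    paths, registry, section, key, current = {}, {}, None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"=+(.+?)=+", line):       # section header
            section, current = m.group(1), None
        elif section and "Registry" in section:
            if line.startswith("["):                    # registry key line
                key = line.strip("[]")
            elif m := re.fullmatch(r'"(.+?)"="(.*)"', line):
                registry[(key, m.group(1))] = m.group(2)
        elif re.match(r"[A-Za-z]:\\", line):            # flagged folder path
            current = line
            paths[current] = []
        elif line.startswith("->") and current:         # action taken on that folder
            paths[current].append(line[2:])
    return {"paths": paths, "registry": registry}

def verify_fix(scan_text, fix_text):
    """Check every flagged folder was deleted and registry values are unchanged."""
    scan, fix = parse_log(scan_text), parse_log(fix_text)
    not_deleted = [p for p in scan["paths"]
                   if not any(a.startswith("Deleting") and a.endswith("Done.")
                              for a in fix["paths"].get(p, []))]
    changed = {k for k in scan["registry"].keys() | fix["registry"].keys()
               if scan["registry"].get(k) != fix["registry"].get(k)}
    return {"not_deleted": not_deleted, "registry_changed": sorted(changed)}

print(verify_fix(SCAN_LOG, FIX_LOG))
```

An empty `not_deleted` list means every folder flagged by Option #1 has a completed deletion entry in the Option #2 log; an empty `registry_changed` list means the dumped extension registrations are identical in both logs.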

#14 rd11


Posted 23 February 2009 - 02:04 PM

Scanning Report
Monday, February 23, 2009 12:11:02 - 14:03:04

Computer name: DFBV2DF1
Scanning type: Scan system for malware, rootkits
Target: C:\
Result: 1 malware found
Client-IRC.Win32.mIRC (spyware)

* System

Statistics
Scanned:

* Files: 33515
* System: 3426
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 3.6.8511, 2009-02-23
* F-Secure Pegasus: 1.20.0, 1969-11-31
* F-Secure AVP: 7.0.171, 2009-02-23

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics

#15 rigel


Posted 23 February 2009 - 03:00 PM

Let's run one more to make sure everything is gone. Then we should be finished :thumbsup:

Please download ATF Cleaner by Atribune & save it to your desktop.
alternate download link DO NOT use yet.

Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp", ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.




