
Random Google Redirects... Help


9 replies to this topic

#1 jontintl


Posted 11 March 2009 - 12:54 AM

I am getting random Google redirects which I am sure are part of a click fraud virus. I have scanned my computer with Symantec, Malwarebytes and Spybot and I am still unable to resolve the issue. Hopefully somebody sees the problem in the HijackThis log:

Mod Edit: Log removed as they are not permitted in this forum.

Edited by quietman7, 11 March 2009 - 08:10 AM.




#2 jpshortstuff


Posted 11 March 2009 - 06:36 AM

Hi,

Only getting redirects in Firefox?

Try this:

Please download GooredFix and save it to your Desktop.
  • Double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

Thanks.
Trained at the What The Tech Classroom where you too could learn to help others.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

#3 jontintl


Posted 11 March 2009 - 08:26 AM

GooredFix v1.91 by jpshortstuff
Log created at 06:26 on 11/03/2009 running Option #2
Firefox version 3.0.7 (en-US)
(Subsequent Run)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}"="C:\Documents and Settings\jontintl\Local Settings\Application Data\{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}"

Edited by jontintl, 11 March 2009 - 08:55 AM.


#4 jpshortstuff


Posted 11 March 2009 - 08:56 AM

Hi,

Looks like you have a new variant of the Goored/XUL Cache infection.


We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Please right-click your Start button and select Explore. Navigate to the following folder:
C:\Documents and Settings\Joxxxx Frixxxxx\Local Settings\Application Data

Right click on the {AB127307-CCEC-4D6F-B076-15D2C13DA2A9} folder and select Send To > Compressed (zipped) Folder.

Please go to this site:
http://www.bleepingcomputer.com/submit-mal....php?channel=72

And submit the .zip file we just created (should be called {AB127307-CCEC-4D6F-B076-15D2C13DA2A9}.zip, in the same folder we just navigated to).

Let me know when you have done that.

Thanks.

Edited by garmanma, 11 March 2009 - 12:52 PM.


#5 jontintl


Posted 11 March 2009 - 09:34 AM

Done.

Is it possible to delete my name from your previous reply and change it to my username?

Thanks for everything so far.

#6 jpshortstuff


Posted 11 March 2009 - 02:24 PM

Looks like a mod has taken care of that, sorry about that.

Anyway, I have updated GooredFix. Please delete your copy of GooredFix, and then download the latest:
http://jpshortstuff.247fixes.com/GooredFix.exe

Run that with Option#2, make sure all Firefox Windows are closed when you run it. Post the log and check for redirects.

Thanks.

#7 jontintl


Posted 11 March 2009 - 06:25 PM

I will monitor redirects over the next day and update this post once I can evaluate what's going on. Thanks for all your help!


GooredFix v1.92 by jpshortstuff
Log created at 16:22 on 11/03/2009 running Option #2 (jontintl)
Firefox version 3.0.7 (en-US)
(Subsequent Run)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}"="C:\Documents and Settings\jontintl\Local Settings\Application Data\{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\jontintl\Local Settings\Application Data\{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
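
Added example, not part of the thread and not GooredFix's own logic: a Python sketch that reads the "Dumping Registry Values" section of a GooredFix log and lists GUID-named entries registered under HKLM `Firefox\extensions` whose folder sits inside a user profile, the pattern the removed entry in this thread showed. The function names and the `PROFILE_ROOTS` heuristic are assumptions; the sample is assembled from the two logs posted above.

```python
import re
from pathlib import PureWindowsPath

# Sample assembled from the two GooredFix logs posted in this thread.
SAMPLE_LOG = r'''=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}"="C:\Documents and Settings\jontintl\Local Settings\Application Data\{AB127307-CCEC-4D6F-B076-15D2C13DA2A9}"
'''

DUMP_MARKER = "=====Dumping Registry Values====="
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>.*)"$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.I)
PROFILE_ROOTS = {"documents and settings", "users"}  # assumption: per-user trees

def parse_dump(log):
    """Return (key, name, path) for each value listed after the dump marker."""
    entries, key = [], None
    _, found, dump = log.partition(DUMP_MARKER)
    for line in (dump if found else "").splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, m["name"], m["path"]))
    return entries

def review_candidates(log):
    """GUID-named extensions registered machine-wide but stored in a user profile."""
    hits = []
    for key, name, path in parse_dump(log):
        parts = [p.lower() for p in PureWindowsPath(path).parts]
        in_profile = len(parts) > 1 and parts[1] in PROFILE_ROOTS
        if key.lower().endswith(r"\firefox\extensions") and GUID_RE.match(name) and in_profile:
            hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in review_candidates(SAMPLE_LOG):
        print(f"review: {name} -> {path}")
```

Entries already listed under "Goored Deletions" are ignored because parsing starts at the dump marker, and a hit is only a candidate for manual review, since the GUID-named .NET entry under `C:\WINDOWS` shows that a GUID name alone is not an indicator.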

#8 jpshortstuff


Posted 12 March 2009 - 02:19 AM

Looks like we got it, let me know.

Thanks for helping me get this new variant added to GooredFix :thumbsup:

#9 jontintl


Posted 12 March 2009 - 08:11 AM

Glad to be a pioneer in discovering new viruses :thumbsup:

Thanks for all your help, looks like everything is working properly!

#10 jpshortstuff


Posted 12 March 2009 - 10:21 AM

No worries - somebody has to be the first. I have no idea where this infection is coming from though - any idea where you might have got it?

Let's uninstall GooredFix. Click Start >> Run and then copy/paste the following into the box and hit Enter:
%userprofile%\Desktop\GooredFix.exe /uninstall
If any of your security programs query a new Registry/AutoStart value being added please allow the changes.

Thanks.



