
Google Link Redirect -- Stubborn

7 replies to this topic

#1 zjemi

Posted 27 March 2009 - 11:45 AM

Symptoms: clicking on a Google search result sends me to a sponsored search or advertisement page. If I go back to the Google results page and try again, usually I get to the correct URL.

My setup: WinXP SP2, Firefox 3.07, Zone Alarm Pro Firewall.

What I've already tried:
--Searching this and other forums for similar problems. My HJT log did not show any of the problems that experts suggested these posters fix. (I didn't see anything else suspicious in the HJT log but I am not an expert.)
--Kaspersky AV 2009 with latest definitions on deepest scan level.
--Malwarebytes latest with latest definitions. (I even repeated this in SAFE mode.)
--SpybotSD ditto.
--SuperAntiSpyware ditto.

Results: found a few nasties and eliminated them. Upon reboot all the above reported clean but the PROBLEM IS UNCHANGED.

Thinking I might have downloaded a malicious Greasemonkey script, I turned off Greasemonkey but this made no difference.

Any suggestions for what to do next would be greatly appreciated.


#2 rigel

Posted 27 March 2009 - 02:20 PM

Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select "1. Find Goored (no fix)" by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt). Note: Do not run Option #2 yet.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 zjemi

Posted 27 March 2009 - 08:47 PM


Thank you for the fast reply. Here is the Gooredfix log:

GooredFix v1.92 by jpshortstuff
Log created at 21:31 on 27/03/2009 running Option #1 (Robin)
Firefox version 3.0.7 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{753F61CD-DB87-4E63-BDFD-0E2800644803}"="L:\Documents and Settings\Robin\Local Settings\Application Data\{753F61CD-DB87-4E63-BDFD-0E2800644803}\"

L:\Program Files\Mozilla Firefox\extensions\{3D2A57FE-1A99-4DB6-B013-F04579D499EB}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="L:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="L:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="L:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{753F61CD-DB87-4E63-BDFD-0E2800644803}"="L:\Documents and Settings\Robin\Local Settings\Application Data\{753F61CD-DB87-4E63-BDFD-0E2800644803}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="L:\Program Files\Google\Google Gears\Firefox\"
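In the Option #1 log above, the Goored extension is registered through a GUID-named value under HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions whose data points at a folder of the same GUID inside the user's Local Settings\Application Data, while the legitimate Java and Google Gears entries live under Program Files. The Python below is an added example, not part of this thread or of GooredFix: it parses a registry dump in the log's format and flags registrations that match that pattern, using the entries from the log above as its constructed sample input.

```python
import re

# Constructed sample input: the registry values from the GooredFix Option #1 log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="L:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{753F61CD-DB87-4E63-BDFD-0E2800644803}"="L:\Documents and Settings\Robin\Local Settings\Application Data\{753F61CD-DB87-4E63-BDFD-0E2800644803}\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="L:\Program Files\Google\Google Gears\Firefox\"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>.*)"$')
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
# Path fragments that place an extension in a directory a limited user (or malware
# running as that user) can write to; legitimate global extensions sit under Program Files.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\local settings\\",
                 "\\application data\\", "\\temp\\")

def parse_dump(text):
    """Yield (registry_key, value_name, target_path) for each extension registration."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line.strip())
        if m and key:
            yield key, m.group("name"), m.group("path")

def suspect_reasons(name, path):
    """Return the heuristics a registration trips (empty list means nothing unusual)."""
    reasons = []
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("extension directory is under a user profile, not Program Files")
    folder = path.rstrip("\\").rsplit("\\", 1)[-1]
    if GUID_RE.match(name) and folder.lower() == name.lower():
        reasons.append("GUID-named registration pointing at a folder of the same GUID")
    return reasons

def audit(text):
    """Map each suspect value name to its reasons, e.g. for triage of a posted log."""
    return {name: suspect_reasons(name, path)
            for _key, name, path in parse_dump(text) if suspect_reasons(name, path)}
```

Running audit(SAMPLE_LOG) reports only the {753F61CD-DB87-4E63-BDFD-0E2800644803} value, with both reasons; the Java and Google Gears entries pass.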

#4 rigel

Posted 27 March 2009 - 11:10 PM

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.



#5 zjemi

Posted 28 March 2009 - 03:24 PM

Ah, wonderful. Gooredfix Option 2 seems to have cured the Google redirect problem. No reboots or permissions were called for.

I'm very grateful for your help and for the efforts of this and other antimalware programs' authors. My Option 2 log is below.

I have updated Java since I got infected. Was a wicked Javascript thingie the way I got Goored? Or is there something else I can do to prevent a reinfection?


GooredFix v1.92 by jpshortstuff
Log created at 16:04 on 28/03/2009 running Option #2 (Robin)
Firefox version 3.0.7 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{753F61CD-DB87-4E63-BDFD-0E2800644803}"="L:\Documents and Settings\Robin\Local Settings\Application Data\{753F61CD-DB87-4E63-BDFD-0E2800644803}\"
->Backing up value... Done.
->Deleting value... Done.

L:\Documents and Settings\Robin\Local Settings\Application Data\{753F61CD-DB87-4E63-BDFD-0E2800644803}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.
L:\Program Files\Mozilla Firefox\extensions\{3D2A57FE-1A99-4DB6-B013-F04579D499EB}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Plugins"="L:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
"Components"="L:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="L:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="L:\Program Files\Google\Google Gears\Firefox\"

#6 rigel

Posted 28 March 2009 - 11:22 PM

Excellent!

Please update and rerun Malwarebytes just to make sure. If you have 0's displayed, please finish with the following steps.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Safe surfing!



#7 zjemi

Posted 29 March 2009 - 03:20 PM

Updated Malwarebytes found one more trojan, which required a reboot to remove. Now it (and other scanners) say the machine is clean. So I created and labeled a new Restore Point, purged the old, contaminated ones, and now I'll make another disk image.

You ended with the closing, "safe surfing." Short of running Firefox inside Sandboxie, is there anything I can do to avoid reinfection by Goored?

Again, grateful for your prompt and effective advice.

#8 rigel

Posted 29 March 2009 - 08:00 PM

You are welcome.
To keep you clean, I would recommend the following.
  • Make sure your antivirus is up to date and run regular scans.
  • Have Windows updated as far as it can be. SP3 and updates.
  • Have a firewall in place.
  • Consider use of a HOSTS file.
  • Practice safe surfing habits - No Crackz - Warez - Hackz
Just to be sure, update and rerun malwarebytes in a week.
