247fixes PC Help Forum: How To Remove Clickfraudmanager, V1.adwarefeed, Zfsearch Firefox Search Engine Redirects - 247fixes PC Help Forum

How To Remove Clickfraudmanager, V1.adwarefeed, Zfsearch Firefox Search Engine Redirects: Removal Instructions

#1 User is offline   jpshortstuff 

  • Ex Forum Inspector
  • Group: Developer
  • Posts: 1894
  • Joined: 13-August 07
  • Gender:Male
  • Location:England

Posted 24 December 2008 - 09:00 AM

This guide pertains to the removal of search engine redirects through domains like clickfraudmanager, v1.adwarefeed.com, google.goored, goougly.com, zfsearch.com and others.

Also known as the "goored" infection, this is a Firefox hijacker that targets a variety of search engines:
Google, Yahoo, MSN, AOL and Ask.

Usually, the first sign of infection is that upon starting Firefox, you receive a notification that "1 new Add-on has been installed", although you did not knowingly install anything. When using any of the above search engines, you may notice that during the search you see names like zfsearch.com, v1.adwarefeed.com flash past in your status bar, as depicted here with a Google search:
http://jpshortstuff.247fixes.com/zfsearch.PNG

Search results appear normal, and hovering over the links shows the legitimate sites. However, after clicking the links, you are directed to other sites. Again, if you check the status bar, you will see the fake domain names that are directing you to these sites.

http://jpshortstuff.247fixes.com/goougly.PNG
http://jpshortstuff.247fixes.com/yahoo.PNG

These domain names are different for each search engine, and some of the common ones are these:
Google - goougly.com, clickfraudmanager
Yahoo - a.l.yimg
MSN - msnooze.com
Ask - wzeu.ask.com

The following removal guide should be followed if and only if you are experiencing these symptoms. It is highly recommended that you post to our Malware Removal Forum after following this guide so that we can make sure this and any other infections have been removed.

There are many other infections that cause redirects as well, so if GooredFix doesn't solve your problem please post to our Malware Removal forum for assistance.

Please read Malware Removal Guides - Information and Guidelines before following any of our guides.

247Fixes.com does not accept any responsibility for any mishaps and problems that occur as a result of these guides.

================

Step 1:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista/7).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.


Step 2:

We recommend that you now post OTL and GMER logs to our Malware Removal Forum to complete the cleaning process.
>> Before you Post <<

Please include the results of the GooredFix log as well, so that we can see what had been removed. The log can also be found on your Desktop, entitled GooredLog.txt.

Please post any questions or comments about this guide as a reply to this topic. Any further Malware problems should be posted in the Malware Removal Forum.

#2 User is offline   Ghengis 

  • Newbie Member
  • Group: Member
  • Posts: 1
  • Joined: 07-January 09
  • Location:California

Posted 07 January 2009 - 06:20 PM

Finally! Thank you so much! I have been looking for a removal tool for a month now. This was easy and fixed my goored and zfsearch problem in less than a minute.

#3 User is offline   jpshortstuff 

  • Ex Forum Inspector
  • Group: Developer
  • Posts: 1894
  • Joined: 13-August 07
  • Gender:Male
  • Location:England

Posted 07 January 2009 - 09:05 PM

Glad it helped you :thumbup:

#4 User is offline   lance_yien 

  • Newbie Member
  • Group: Member+
  • Posts: 6
  • Joined: 08-January 09
  • Location:Montpellier (France)

Posted 10 January 2009 - 03:03 PM

First of all,
Best greetings for all from Montpellier in France.

@ jpshortstuff:

I have a personal site ( http://lanceyien.info/ ) for fighting against malwares and I allowed myself a translation for the French-speaking people taking care to put a link towards your original article.

My article is here http://lanceyien.inf...php?topic=371.0 where you can see the link at the end of the page, line:

Quote

.

My Canned Speech http://lanceyien.inf...s;sa=view;id=56

Will that pose an unspecified problem to you?

I will have other questions if your answer is OK. :)

Regards ;)

This post has been edited by lance_yien: 10 January 2009 - 03:05 PM


#5 User is offline   jpshortstuff 

  • Ex Forum Inspector
  • Group: Developer
  • Posts: 1894
  • Joined: 13-August 07
  • Gender:Male
  • Location:England

Posted 11 January 2009 - 02:29 AM

That's fine lance_yien :)

#6 User is offline   DCalabrese 

  • Newbie Member
  • Group: Member
  • Posts: 2
  • Joined: 11-January 09

Posted 11 January 2009 - 07:04 AM

Thank you so much for this fix. I started seeing this same problem yesterday, and I've been searching for the last couple of hours for info on this problem and surprisingly there wasn't much out there. gooredfix worked perfectly.

I'm curious as to the origin of this trojan, how it installs itself, and how it works. It seems to be a Firefox plugin, but I disabled all plugins and still had the redirection problem. If I understand gooredfix correctly, it appeared to remove the registry entry, and it also removed a directory in "Application Data" which was empty. How did this fix the redirection problem?

Again, many many thanks!!!!

#7 User is offline   jpshortstuff 

  • Ex Forum Inspector
  • Group: Developer
  • Posts: 1894
  • Joined: 13-August 07
  • Gender:Male
  • Location:England

Posted 11 January 2009 - 07:19 AM

First of all, I'm glad GooredFix helped you :)

The infection is indeed a Firefox plugin, but is hidden from your plugins list. It works by checking the URL bar for things like *google* *yahoo* etc, and then inserting an external JavaScript file into the header of each search page. The external JavaScript file monitors links on the search results page and as soon as you click one it changes it so that it points to wherever it likes; at the moment it's the ad2.doubleclicker domain.

GooredFix deleted the registry entry and folder, and then when Firefox next starts it removes the plugin from its cache and loading point as the registry is no longer there.

Hope that helps :)
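
A way to review the registry side of what the post above describes, as an added example that is not part of the original thread and is not GooredFix's own code: it parses a log in the GooredScan layout seen in this thread and flags Firefox extension registrations that point outside Program Files. The sample log, the all-zero GUID, the trusted-root list and the Application Data heuristic (based on the folder mentioned in post #6) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the GooredScan log layout; the all-zero GUID entry is hypothetical.
SAMPLE_LOG = r'''
========== GooredScan ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [18:48 10/01/2009]
"{00000000-0000-0000-0000-000000000000}"="C:\Documents and Settings\user\Application Data\example" [09:14 02/01/2009]
-=E.O.F=-
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
# Key under which extensions are registered by ID (HKLM or HKCU hive).
EXT_KEY = r'software\mozilla\firefox\extensions'
# Assumption: legitimate vendor add-ons live under Program Files.
TRUSTED_ROOTS = (PureWindowsPath(r'C:\Program Files'),)

def parse_registrations(log_text):
    """Return (key, value_name, path) for every value line under a registry key header."""
    key, rows = None, []
    for line in map(str.strip, log_text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif not line:
            key = None  # a blank line ends the current key section
        elif key and (v := VALUE_RE.match(line)):
            rows.append((key, v.group(1), v.group(2)))
    return rows

def triage(rows):
    """Flag extension registrations that point outside the trusted install roots."""
    findings = []
    for key, ext_id, path in rows:
        in_scope = key.lower().endswith(EXT_KEY)
        trusted = any(root in PureWindowsPath(path).parents for root in TRUSTED_ROOTS)
        if in_scope and not trusted:
            reason = 'under Application Data' if 'application data' in path.lower() else 'outside trusted roots'
            findings.append((ext_id, path, reason))
    return findings

if __name__ == '__main__':
    for finding in triage(parse_registrations(SAMPLE_LOG)):
        print(finding)
```

A flagged entry is a lead for review in the Malware Removal Forum, not proof of infection; the "Plugins" value is parsed but skipped because it sits under a different key.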

#8 User is offline   lance_yien 

  • Newbie Member
  • Group: Member+
  • Posts: 6
  • Joined: 08-January 09
  • Location:Montpellier (France)

Posted 11 January 2009 - 01:40 PM

Hello!

Thank you very much for your reply :)
--
I should say that I'm a member of SWI and I have seen your topic here and that was the reason to subscribe here ;)

Does HJT detect that infection? I have tried to understand some topics with this infection but I have seen nothing (sorry I'm not an expert :)).
The single indication is what the user says?

Good luck and thank you again!

#9 User is offline   Rorschach112 

  • Scratch
  • Group: Administrator
  • Posts: 1719
  • Joined: 30-April 08

Posted 11 January 2009 - 02:52 PM

Salut Lance

You should not post links to private forums in public

HJT does not detect this infection. You can also detect it with a Custom Scan with OTS2 if you are familiar with that.

Firefox redirects and the user complaining of going to google.goored, goougly.com, zfsearch.com, ad2.doubleclicker are signs


I think this discussion would be better off done in a private forum.

#10 User is offline   lance_yien 

  • Newbie Member
  • Group: Member+
  • Posts: 6
  • Joined: 08-January 09
  • Location:Montpellier (France)

Posted 11 January 2009 - 03:34 PM

Bonjour Rorschach112,

Now I know who I can tell if I have a problem with my poor English :)

Rorschach112, on Jan 11 2009, 03:52 PM, said:

Salut Lance

You should not post links to private forums in public

HJT does not detect this infection. You can also detect it with a Custom Scan with OTS2 if you are familiar with that.

Firefox redirects and the user complaining of going to google.goored, goougly.com, zfsearch.com, ad2.doubleclicker are signs


I think this discussion would be better off done in a private forum.


Sorry, I did not know.

Thank you for your help. :thumbup:

Good luck for all!

#11 User is offline   DCalabrese 

  • Newbie Member
  • Group: Member
  • Posts: 2
  • Joined: 11-January 09

Posted 11 January 2009 - 04:01 PM

jpshortstuff, on Jan 11 2009, 02:19 AM, said:

The infection is indeed a Firefox plugin, but is hidden from your plugins list. It works by checking the URL bar for things like *google* *yahoo* etc, and then inserting an external JavaScript file into the header of each search page. The external JavaScript file monitors links on the search results page and as soon as you click one it changes it so that it points to wherever it likes; at the moment it's the ad2.doubleclicker domain.

GooredFix deleted the registry entry and folder, and then when Firefox next starts it removes the plugin from its cache and loading point as the registry is no longer there.

Great info! Thanks. That is a nasty infection.

#12 User is offline   jpshortstuff 

  • Ex Forum Inspector
  • Group: Developer
  • Posts: 1894
  • Joined: 13-August 07
  • Gender:Male
  • Location:England

Posted 11 February 2009 - 02:10 PM

There is a new variant that uses the "XUL Cache" extension to do redirects. You may notice sites like clickfraudmanager.com and v1.adwarefeed.com.

GooredFix should get this now, as of v1.9.

Cheers.

#13 User is offline   twistedcon 

  • Newbie Member
  • Group: Member+
  • Posts: 5
  • Joined: 24-April 09

Posted 24 April 2009 - 05:18 AM

Hello.

I was having the same problem except instead of gored, the site is "js.doubleclick.net". It is always redirecting searches from google. I followed the instructions there but nothing.

"GooredFix v1.92 by jpshortstuff
Log created at 22:12 on 23/04/2009 running Option #1 (Administrator)
Firefox version 3.0.9 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components""

That's all I get. Please help.

#14 User is offline   jpshortstuff 

  • Ex Forum Inspector
  • Group: Developer
  • Posts: 1894
  • Joined: 13-August 07
  • Gender:Male
  • Location:England

Posted 24 April 2009 - 06:21 AM

You've posted a log in the Malware Removal Forum - that is the right thing to do. Looks like you've got a different infection called Wareout, which uses different methods to cause its redirects.

#15 User is offline   kanwal 

  • Newbie Member
  • Group: Member
  • Posts: 1
  • Joined: 11-July 09

Posted 11 July 2009 - 11:02 PM

Hi, I'm new to the forum. My search also redirects me; however, I am not able to use GooredFix. As soon as I run GooredFix a cmd window opens and closes immediately. I am not able to use or type 1 or 2. Here is the log:
GooredFix by jpshortstuff (03.07.09)
Log created at 18:49 on 11/07/2009 (KASHMIRA BHARDWAJ)
Firefox version 3.5 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [21:27 11/07/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [18:48 10/01/2009]

-=E.O.F=-

Someone please advise.