Goored?

[bingo]

Hi Nice People,
I've picked up the goored "google redirect"... searched MG forums but find no mention of it. Googling it on my other computer I see it's been around for at least a few months but doesn't seem a major threat, just a pain. I'm poking around with the usual interminable scans... can anyone shed any light?
-kevin

[bingo]

Hi Good People,
I thought earlier my "goored" post might be an appropriate sidestep but I see it's maybe more complex than I thought.

I have followed the R n R me guide rigourously and am attaching the files in 2 messages. The scans apparently found nothing.

This search-redirect issue is new for me on an old computer so we can't blame Dell ;-)

I can't think of anything wierd i did that might have triggered it.

YIKES! while i was typing the previous I somehow downloaded the firefox update which will install itself next time I start.

Here is some detail of the problem:
a) I do a google search on "senator"
b) hover on a result and the url shown at the bottom of firefox reflects the url shown in google (www.senate.gov)
c) click and hold and said url shows:
http://ad4.doubleclicker.net/c.php?u....com/index.php
d) on mouseup, that ends up at www.monstermarketplace.com
e) just another example, a similar series for search = "fairlane", pointed at "www.shopfairlane.com", dumped me out at http://www.bizrate.com/automotivepar...-fairlane.html
f) Note this doesn't happen EVERY time, but more often than not. Shame on bizrate!

My computer does not seem to have any other problem.

Um, apologies for my still very overburdened desktop! I'm whittling it down but I have to work slowly or I'll lose track of a bunch of projects...

Thanks for doing what you do!!!
-k

[bingo]

oh, I almost forgot: I've seen nothing anywhere at MG or in my previous cleanup about Qoobox, a folder created in my root directory apparently by combofix, seeming to include quarantine and some odds: what to do with it when this is all over?

Here's the SASLog, thanks!
-k

[chaslang]

If you have picked up one of the more recent forms of DNS hijackers, this infection is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

If the above does not help then you should do 100% of the below and then repeat the above.

Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

• If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
  • TDSSserv Non-Plug & Play Driver Disable
• If something does not run, write down the info to explain to us later but keep on going.
• Do not assume that because one step does not work that they all will not.

READ & RUN ME FIRST. Malware Removal Guide

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.

[bingo]

Thanks for the router info, I'll prepare for that... this thread should be deprecated in favor of my newer thread "Google redirect" 02-07-09, 17:39
chaslang rocks!

[TimW]

Note@Chas...merged threads.

[chaslang]

Did you reset your router to factory defaults yet? If not, please do so.

Your logs are not showing any problems; however you did not download the current version of MGtools as requested in the READ & RUN ME. You will need to install the current version and give us a new log after doing the below.

First tell me why the below file has a date that is over a year into the future?

Code:

2010-08-01 07:46 . 2010-08-01 07:46 136,976 --a-- c:\windows\system32\SfxBar.dll

Did you install Dockable Tools Library from Software FX, Inc ?



I strongly advise you to cleanup your Desktop. Remove eveything but links to run programs. Do not download and save programs here and defintely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

After clicking Fix, exit HJT.



Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!



Click Start > Run and type in cmd

• Click OK.
• This will open a command prompt.
• Type or copy and paste the following line in the command window:
  ipconfig /flushdns
• Hit Enter
• Exit the command window

Now download HostsXpert and then follow the below steps.

• Unzip HostsXpert.zip
• It will create a folder named HostsXpert in whatever folder you extract it to.
• Run HostsXpert.exe by double clicking on it.
• Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
• Click Restore Microsoft's Hosts File and then click OK.
• Click the X to exit the program

Now run Ccleaner!


Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



Now attach the below log:

• C:\MGlogs.zip

Make sure you tell me how things are working now!

[bingo]

OK Chas, that was not as scary as it looked!

Quote:

Originally Posted by chaslang

Did you reset your router to factory defaults yet? If not, please do so.

Done

Quote:

Originally Posted by chaslang

Your logs are not showing any problems; however you did not download the current version of MGtools as requested in the READ & RUN ME. You will need to install the current version and give us a new log after doing the below.

Oops... I thought it updated!

Quote:

Originally Posted by chaslang

First tell me why the below file has a date that is over a year into the future?

Code:

2010-08-01 07:46 . 2010-08-01 07:46 136,976 --a-- c:\windows\system32\SfxBar.dll

Did you install Dockable Tools Library from Software FX, Inc ?

1) I have no idea 2) I don't think so

Quote:

Originally Posted by chaslang

I strongly advise you to cleanup your Desktop...

Working on that: I have to go slow or I'll lose track of a bunch of projects...

Quote:

Originally Posted by chaslang

...remove Windows Messenger.

Run... HijackThis... and select the following lines:
<snip>
After clicking Fix, exit HJT.

Done and done

Quote:

Originally Posted by chaslang

Now we need to Reset Web Settings:...

...ipconfig /flushdns

Done and done

Quote:

Originally Posted by chaslang

...Restore Microsoft's Hosts File

This seemed a strange result: I now have a "sample hosts file" with 2 probably spurious entries and that's it.

Quote:

Originally Posted by chaslang

Now run Ccleaner!

Done... is there a way to restore defaults in ccleaner? I had all boxes checked for this run, but in the past I've unchecked a couple of boxes and couldn't see a way to restore defaults...

Something else: I'm running Firefox 3 and after all this it's still offering lots of autocompletes in the url field (tho some have gone)

Quote:

Originally Posted by chaslang

...download the new version of MGtools
...
...Run MGtools.exe
...
...Now attach the below log:
...
Make sure you tell me how things are working now!

Well, I still get that "http://ad4.doubleclicker.net/c.php?url=http://www.blablabla" in the destination field when I click on a google search result, but it hasn't actually executed a redirect (yet)...

I suppose I should have mentioned earlier that there's a small household network, with this computer, a linux box, and a Mac G4 wired in and my winXP laptop and housemate's ibook hitting it wirelessly. I need to reset our WEP passwords after the router reset... and firefox updated itself on my laptop without asking permission, which it's never done before, but the autoupdate might have reset when I upgraded to firefox 3.0.5 a couple weeks ago...

so, well, here's the log, my friend: what next?

[chaslang]

Quote:

Originally Posted by bingo

This seemed a strange result: I now have a "sample hosts file" with 2 probably spurious entries and that's it.

Not sure what you mean. The default host file that was restored should have a bunch of comment lines (lines begining with a # are comment lines) at the top and then just one line showing 127.0.0.1 localhost

Your DEFAULT hosts file should like like in the below code box:

Code:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

Quote:

Originally Posted by bingo

... is there a way to restore defaults in ccleaner? I had all boxes checked for this run, but in the past I've unchecked a couple of boxes and couldn't see a way to restore defaults...

Not that I know of anywhere. Uninstalling, deleting the CCleaner folders and then reinstalling may do this as long as they do not store all settings in the registry and they do not forget to remove them.

Quote:

Originally Posted by bingo

Something else: I'm running Firefox 3 and after all this it's still offering lots of autocompletes in the url field (tho some have gone)

I'm not sure what you mean by this. Could you elaborate.

Quote:

Originally Posted by bingo

Well, I still get that "http://ad4.doubleclicker.net/c.php?url=http://www.blablabla" in the destination field when I click on a google search result, but it hasn't actually executed a redirect (yet)...

What do you mean by destination field? Do you mean the status bar at the bottom of the browser window.

Are you have browser redirect issues? If yes, please download the current version of MGtools just released that may help us locate potential issues with FireFox browser redirection. So download this MGtools.exe to the root folder of your C drive overwriting the old version. Then run it and attach the new MGlogs.zip file.

[bingo]

OK, did that, hosts looks fine, I just thought there'd be more of it.

In the url field where I enter my target url, firefox seems to remember a lot of urls I have previously visited even after running ccleaner.

Yes, by destination field I meant the status bar at the bottom of the browser window.

yeas, still having search redirect issues.
New mglogs attached

thank you chas!

[chaslang]

Quote:

Originally Posted by bingo

OK, did that, hosts looks fine, I just thought there'd be more of it.

There will be when you reimmunize with Spybot.

Quote:

Originally Posted by bingo

In the url field where I enter my target url, firefox seems to remember a lot of urls I have previously visited even after running ccleaner.

This is not a malware issue. Check your settings in CCleaner on the Applications tab.

Quote:

Originally Posted by bingo

yeas, still having search redirect issues.

Where are you being redirected to? What do you put in for a URL and where do you go?
Have you tried using IE to see if it also happens with it? If not, please try it.
Also check with both browsers to see if the problem happens in safe boot mode.

[bingo]

Quote:

Originally Posted by chaslang

Where are you being redirected to? What do you put in for a URL and where do you go?
Have you tried using IE to see if it also happens with it? If not, please try it.
Also check with both browsers to see if the problem happens in safe boot mode.

Thanks Chas, the behavior which I explained in my first post has not changed at all. This does not happen with IE, only with Ffox and only in Google, and does happen in safe mode. Let me try to explain it less confusedly:

Example (really happened):
1) I point ffox at google, search for "senator"
2) choosing the first result, on mouseover, the status bar shows the correct url (www.senate.gov)
3) on mousedown, the statusbar shows http://ad4.doubleclicker.net/c.php?u....com/index.php
4) on mouseup, firefox goes to http://www.monstermarketplace.com/
5) This happens the first time only: subsequently the sequence is repeatable through step 3, but at step four, on mouseup ffox goes to www.senate.gov as it should.

The sequence I just described is what happened a week ago. Today, with the same google search, at step 3 mousedown I get http://ad4.doubleclicker.net/c.php?u....com/index.php and at mouseup ffox goes www.senate.gov

Note the wierd url stuff happens with every search I do, but actual redirect happens only occasionally.

Using for example the url www.SAMPLE.com, the url switch is always in the form of http://ad4.doubleclicker.net/c.php?u....com/index.php

My guess is that doubleclicker is selling my hits to liquidatedlots who are in turn selling them to monstermarketplace, bizrate, etc...

As for "(in the address bar) firefox seems to remember a lot of urls I have previously visited even after running ccleaner."
you said
"This is not a malware issue. Check your settings in CCleaner on the Applications tab."

I did, and they're set to clear everything including recently-typed urls from IE, but the ccleaner settings for firefox offer no such option. I ran ccleaner with every button checked except the 2 shortcut boxes in "system" and the entire "advanced" section. Using ffox's "clear private data" tool also clears much, but not all, of this stuff (ie fewer options for autocomplete in the address bar). Occasionally one of these options looks suspect to me and I'm concerned that this is somehow related to whatever caused my google redirect issues. Odd things flickering through the status-bar as well, especialy when entering or leaving a google results page... why would this show "waiting for zfsearch.com"? Please excuse my ignorance about this stuff; this is an area where I veer from quite clever to wierdly superstitious... Do I need to worry about the other computers on our small network? Should I sacrifice a chicken to my internet cache?

I'm going to go ahead and immunize with spybot and then carry on til I hear from you. Thanks as always!

[chaslang]

I'm not seeing anything in your logs that indicates a problem. Are you actually being hijacked to a incorrect websites or do the links still take you to the correct addresses?


I would like to get some more info on the c:\windows\system32\SfxBar.dll file that I asked about earlier. Right click Start and select Explore to bring up Windows Explorer. Use it to navigate to the file and right click on it and select Properties. Now see if there is a Version[ tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

Also in the meantime, please try the below in FireFox.

• Click Tools
• Select the Content icon
• Uncheck the Enable JavaScript check box and then click OK.
• Close all FireFox tabs/windows
• Open a new FireFox window and see if you still have the same problem

[bingo]

Quote:

Originally Posted by chaslang

I'm not seeing anything in your logs that indicates a problem. Are you actually being hijacked to a incorrect websites or do the links still take you to the correct addresses?

As I and other petitioners have said, actually ending up at a wrong site happens only occasionally. It looks to me (from what I see my browser doing and what I've read in other forums) that the browser always redirects but usually passes through the redirect and on to the correct URL.

Quote:

I would like to get some more info on the c:\windows\system32\SfxBar.dll file that I asked about earlier. <>...navigate to the file <>...select Properties <>...select the Version tab<>...select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name.

File Version -- 1.0.17.0
Description -- Dockable Tools Library
Copyright -- Copyright © 1997-1998 Software FX, Inc.
-------------------------
Comments value = Provides support for Toolbars, CommandBars and Dockable Frames
Company value = Software FX, Inc.
File Version value = 1.0.17.0
Internal name value = Sfxbar
Language value = English
Legal trademarks value = null set
OLESelfRegister value = null set
Original File name value = Sfxbar.dll
Product Name value = Software FX, Inc.
Product Version value = 1.0

Quote:

[*]Uncheck the Enable JavaScript check box and then click OK...[*]Open a new FireFox window and see if you still have the same problem

The problem goes away when JavaScript is disabled.

~~~~~~~~~~~~~~~~~~~~~~~
I did a little rooting on the net about zfsearch:
Over at 247fixes.com/forums, the administrator "jpshortstuff"
has connected zfsearch to Goored and written a tool called GooredFix.exe:
http://www.247fixes.com/forums/Inact...ml&hl=zfsearch

Meanwhile there's a report at threatexpert.com mentioning it in
connection with "Email-Worm.Win32.Zhelatin.zb"
http://www.threatexpert.com/report.a...f-444264f08ae8

GooredFix is also mentioned with zfsearch in forums at
http://www.tech-101.com/solutions-netorks/topic101.html
"A link to GooredFix by jpshortstuff and help using it is now offered on a number of different malware removal forums..."

Several other petitioners also mention doubleclicker.com... I don't know if it's related, but it's interesting that in March '08 Google bought DoubleClick ("a premier provider of digital marketing technology and services") for $3 billion...

I hope this helps, chas, and really appreciate your assistance.
-kc

[chaslang]

I had been working on a new version of MGtools to try and display additional info for FireFox in an attempt to try and locate what is causing this. I'm not quite finished with it yet. Have you attempted to use the GooRedFix program yet

[bingo]

No I have not tried to use the gooredfix program; changing horses mid-stream, too many cooks, etc... didn't want to muddy the waters.

I had a vague notion that there was an effort afoot to integrate gooredfix into combofix

[chaslang]

Quote:

Originally Posted by bingo

No I have not tried to use the gooredfix program; changing horses mid-stream, too many cooks, etc... didn't want to muddy the waters.

Okay this is what we normally would prefer so that is good. But I do not want to delay your attempts to getting this fixed. I would however ask if you could first run the below beta version of some scans I'm working on for MGtools.

Please download this MGbeta.zip file to the C:\MGtools folder. Then extract the two files from it overwriting the current GetRunKey.bat and ShowNew.bat programs you have. Then double click on the GetLogs.bat file in the C:\MGtools folder. When it finishes running, attach the new C:\MGlogs.zip file.



Now let's try running GooRedFix.

• Please download GooredFix and save it to your Desktop.
• Double-click Goored.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
• Please attach the Goored.txt log to your next reply
• Note: Do not run Option #2 yet.

[bingo]

I will do this instantly... stand by for logs

[chaslang]

Quote:

Originally Posted by bingo

I will do this instantly... stand by for logs

Thanks! I'll be here for a little while longer although getting tired at 2:30 AM my time.

[bingo]

Here the logs you requested http://forums.majorgeeks.com/images/smilies/wave.gif