How To Remove clickfraudmanager, adwarefeed, zfsearch Firefox Redirect, Using GooredFix
jpshortstuff
post Apr 14 2009, 04:10 AM
Post #1


Visiting Staff
Posts: 84
From: UK
OS: XP



This guide pertains to the removal of search engine redirects through domains like clickfraudmanager, v1.adwarefeed.com, ad4.doubleclick.net, google.goored, goougly.com, zfsearch.com and others.

Also known as the "goored" infection, this is a Firefox hijacker that targets a variety of search engines:
Google, Yahoo, Msn, AOL and Ask.

Usually, the first sign of infection is that upon starting Firefox, you receive a notification that "1 new Add-on has been installed", although you did not knowingly install anything. When using any of the above search engines, you may notice that during the search you see names like zfsearch.com, v1.adwarefeed.com flash past in your status bar, as depicted here with a Google search:


Search results appear normal, and hovering over the links shows the legitimate sites. However, after clicking the links, you are directed to other sites. Again, if you check the status bar, you will see the fake domain names that are directing you to these sites.




These domain names are different for each search engine, and some of the common ones are these:
Google - goougly.com, clickfraudmanager, v1.adwarefeed.com
Yahoo - a.l.yimg
MSN - msnooze.com
Ask - wzeu.ask.com

The following removal guide should be followed if and only if you are experiencing these symptoms. It is highly recommended that you post to our Malware Removal and Spyware Removal forum after following this guide so that we can make sure this and any other infections have been removed.

There are many other infections that cause redirects as well, so if GooredFix doesn't solve your problem please post to our Malware Removal forum for assistance.

Please read Malware how-to guides information before following any of our guides.

This is a self-help guide. Use at your own risk.

================

Step 1:

Please download GooredFix from one of the locations below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear.


Step 2:

We recommend that you now post a HijackThis log to our Malware Removal Forum to complete the cleaning process.
>> Malware and Spyware Cleaning Guide (to be completed before posting a log) <<

Please include the results of the GooredFix log as well, so that we can see what had been removed. The log can also be found on your Desktop, entitled GooredLog.txt.

Please post any questions or comments about this guide as a reply to this topic. Any further Malware problems should be posted in the Malware Removal and Spyware Removal forum.
jpshortstuff
post Aug 13 2009, 05:14 AM
Post #2


Visiting Staff
Posts: 84
From: UK
OS: XP



Updated guide to use latest version of GooredFix.
p12op4n3
post Sep 6 2009, 05:25 PM
Post #3


Member
**
Posts: 29
OS: LaptopVista.MnPcXP



Hi, I was wondering if this type of virus has anything to do with identity theft/bank details, as I do a fair bit of internet shopping, although I have not yet come across this type of virus yet thankfully.
Also on the topic as a generalisation where and how do viruses start? Is it anything to do with the antivirus companies - creating a need for their product?
thanx
Octagonal
post Sep 6 2009, 10:17 PM
Post #4


Malware Moderator / Malware Staff
Posts: 2,436
From: The Land Down Under
OS: Windows XP pro



QUOTE (p12op4n3 @ Sep 7 2009, 09:25 AM) *
Hi, I was wondering if this type of virus has anything to do with identity theft/bank details, as I do a fair bit of internet shopping, although I have not yet come across this type of virus yet thankfully.

The infection mainly redirects you to specific sites in an attempt for you to view whatever advertising is shown there. Also, those sites that you are redirected to can have other malware associated with them.

QUOTE (p12op4n3 @ Sep 7 2009, 09:25 AM) *
Also on the topic as a generalisation where and how do viruses start? Is it anything to do with the antivirus companies - creating a need for their product?

Most infections today are about stealing your identity, banking details or goading you into purchasing rogue products with the intent of removing malware. I highly doubt that any legitimate anti-virus company would be actively pursuing the path of creating infections. The work we do here and at other malware removal sites often assists anti-virus companies in providing consumer protection that is needed today and in the future.
p12op4n3
post Sep 7 2009, 10:52 AM
Post #5


Member
**
Posts: 29
OS: LaptopVista.MnPcXP



Sorry, I did not mean that in an offensive way.
My train of thought was to question the purpose of creating a virus or if they can be created in another means. I was not implying that anyone here had ill intentions. Purposes often revolve around money so it was just a speculation on whether an antivirus company might want to do a thing like that and asking if you/others thought there was any logic/truth in that. I'm sorry if I caused offence as I only meant it as a question.
Octagonal
post Sep 8 2009, 12:58 AM
Post #6


Malware Moderator / Malware Staff
Posts: 2,436
From: The Land Down Under
OS: Windows XP pro



No offence taken. :)

I just wanted to point out that infections these days are mainly around gaining access to personal information etc in an effort to take advantage of a person's financial status. It would be a legitimate anti-virus company's downfall if ever such an infection was traced back to them as being the creator of such code. The topic of anti-virus companies doing that type of thing has been around for years and I highly doubt that there is any truth in it.
p12op4n3
post Sep 8 2009, 10:32 AM
Post #7


Member
**
Posts: 29
OS: LaptopVista.MnPcXP



:) thanx
Lol I hadn't thought of the tracing possibility. How would you go about doing that? I've heard it's to do with your IP? Can anyone trace the route of an item (virus, text, video, image etc.) with a little know-how?
I only asked because like you say the topic comes up, unless you know a bit about things it can seem feasible.
Thanx
Octagonal
post Sep 8 2009, 08:48 PM
Post #8


Malware Moderator / Malware Staff
Posts: 2,436
From: The Land Down Under
OS: Windows XP pro



This is not the topic in which this issue should be discussed, so I won't take this any further than to add that you may be surprised what and how things can be traced. Maybe you would like to start a topic in this forum for some serious discussion between members about tracing abilities and computer forensics.
phammo
post Sep 23 2009, 11:44 AM
Post #9


New Member
*
Posts: 2
OS: xp



Hi,

I ran Gooredfix and then flushed my DNS.

Seems to have fixed the problem. Thanks

Does my log confirm the presence of goored?

Cheers

P



GooredFix by jpshortstuff (12.07.09)
Log created at 18:30 on 23/09/2009 (xxxxxxxx)
Firefox version 3.0.14 (en-GB)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [20:49 20/06/2009]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [16:44 27/03/2009]
{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [20:44 04/08/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [20:17 11/03/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [16:41 27/03/2009]

---------- Old Logs ----------
GooredFix[17.30.02_23-09-2009].txt

-=E.O.F=-
jpshortstuff
post Sep 24 2009, 03:31 PM
Post #10


Visiting Staff
Posts: 84
From: UK
OS: XP



That log looks clean, but you ran the tool twice by the looks of things:
---------- Old Logs ----------
GooredFix[17.30.02_23-09-2009].txt


For that section of the log to be showing, it means that GooredFix has previously found and removed something, so I think it's safe to say GooredFix was successful in removing the problem :)
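As an added example (not part of the thread and not GooredFix's own code), a small Python parser for the log layout posted in post #9: it separates the extensions-folder and registry sections and reports the "Old Logs" section that post #10 reads as a sign of an earlier run. The sample log, its IDs and paths, the function names and the allowlist are all constructed for illustration.

```python
import re

# Constructed sample in the layout of the log posted above; IDs and paths are placeholders.
SAMPLE_LOG = r"""GooredFix by jpshortstuff (12.07.09)
Log created at 18:30 on 23/09/2009 (user)
========== GooredScan ==========
C:\Program Files\Mozilla Firefox\extensions\
{11111111-aaaa-bbbb-cccc-000000000001} [20:49 20/06/2009]
{22222222-aaaa-bbbb-cccc-000000000002} [16:44 27/03/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{33333333-aaaa-bbbb-cccc-000000000003}"="C:\Program Files\ExampleAV\Advisor" [20:17 11/03/2009]
"helper@example.invalid"="C:\Program Files\Example\ff" [16:41 27/03/2009]

---------- Old Logs ----------
GooredFix[17.30.02_23-09-2009].txt
-=E.O.F=-
"""

STAMP = r" \[(\d{2}:\d{2} \d{2}/\d{2}/\d{4})\]$"
DIR_ENTRY = re.compile(r"^(\S+)" + STAMP)
REG_ENTRY = re.compile(r'^"([^"]+)"="([^"]*)"' + STAMP)

def parse_gooredfix_log(text):
    """Split a log into extension-folder entries, registry entries and old-log names."""
    out = {"folder": [], "registry": [], "old_logs": []}
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("=====") or line == "-=E.O.F=-":
            continue
        if line.startswith("---------- Old Logs"):
            section = "old_logs"
        elif line.startswith("[HKEY_"):
            section = "registry"
        elif line.endswith("\\"):
            section = "folder"          # a directory heading such as ...\extensions\
        elif section == "registry" and (m := REG_ENTRY.match(line)):
            out["registry"].append({"id": m[1], "path": m[2], "seen": m[3]})
        elif section == "folder" and (m := DIR_ENTRY.match(line)):
            out["folder"].append({"id": m[1], "seen": m[2]})
        elif section == "old_logs":
            out["old_logs"].append(line)
    return out

def review(parsed, known_ids):
    """List IDs missing from the reviewer's allowlist; flag an earlier run via Old Logs."""
    seen = [e["id"] for e in parsed["folder"] + parsed["registry"]]
    return {"unknown": [i for i in seen if i.lower() not in known_ids],
            "earlier_run": bool(parsed["old_logs"])}
```

Entries returned under `unknown` are only candidates for a closer look; the allowlist is whatever the reviewer already knows to be installed on that machine.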
phammo
post Sep 25 2009, 11:26 AM
Post #11


New Member
*
Posts: 2
OS: xp



Hi,

thanks for getting back so quickly.

I'm still getting the same redirecting problem with google search results in firefox. Do you know of any similar viruses/solutions?

Rorschach112
post Sep 25 2009, 11:28 AM
Post #12


GeekU Teacher
Posts: 34,358
From: Dublin
OS: XP



Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.
downloadx
post Oct 22 2009, 09:53 PM
Post #13


New Member
*
Posts: 1
OS: Vista



QUOTE (phammo @ Sep 25 2009, 12:26 PM) *
Hi,

thanks for getting back so quickly.

I'm still getting the same redirecting problem with google search results in firefox. Do you know of any similar viruses/solutions?


I'm also still getting these problems. Goored did not find or remove any registry entry according to the logs.

Here's info on the problem:
I got this 6 months ago on my other PC and completely cleaned it back to new. But this time it's different, what worked last time no longer works. I was able to remove 90% of the problems with Malwarebytes, but not this one. I tried almost a dozen antivirus and anti spyware programs.

Reinstalling Firefox won't work. I noticed that there is a persistent profile (a horrible security decision) and other persistent data that don't get uninstalled. Deleting the profiles which contain extensions, etc.. does not work. In fact, I believe something is reinstalling the extension each time and it isn't part of the Firefox install but is possibly triggered by Firefox's startup. Possibly something in the registry or a background/startup tool that does this.

Workarounds that do work:
* When using google, never click on a link to use it. Right click and copy the link to your clipboard and paste it into the url. This always works.
* Use Chrome or some other browser.

Any ideas on what will fix the redirect trojan this time? Reinstalling firefox doesn't work, there's something persistent I can't find.
chamber
post Oct 23 2009, 02:13 AM
Post #14


Trusted Helper
Posts: 1,703
From: ~/
OS: Linux all the way!



Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.
