How To Remove clickfraudmanager, adwarefeed, zfsearch Firefox Redirect, Using GooredFix
jpshortstuff
post May 17 2009, 11:16 PM
Post #1
Group: ASAP Members
Posts: 25
Joined: 12-July 08
Member No.: 9,942



This guide pertains to the removal of search engine redirects through domains like clickfraudmanager, v1.adwarefeed.com, ad4.doubleclick.net, google.goored, goougly.com, zfsearch.com and others.

Also known as the "goored" infection, this is a Firefox hijacker that targets a variety of search engines:
Google, Yahoo, Msn, AOL and Ask.

Usually, the first sign of infection is that upon starting Firefox, you receive a notification that "1 new Add-on has been installed", although you did not knowingly install anything. When using any of the above search engines, you may notice that during the search you see names like zfsearch.com, v1.adwarefeed.com flash past in your status bar, as depicted here with a Google search:


Search results appear normal, and hovering over the links shows the legitimate sites. However, after clicking the links, you are directed to other sites. Again, if you check the status bar, you will see the fake domain names that are directing you to these sites.




These domain names are different for each search engine, and some of the common ones are these:
Google - goougly.com, clickfraudmanager, v1.adwarefeed.com
Yahoo - a.l.yimg
MSN - msnooze.com
Ask - wzeu.ask.com

The following removal guide should be followed if and only if you are experiencing these symptoms. It is highly recommended that you post to our Malware Removal and Spyware Removal forum after following this guide so that we can make sure this and any other infections have been removed.

This is a self-help guide. Use at your own risk.

================

Step 1:

Please download GooredFix, making sure that you save this file to your Desktop.
  • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista right-click GooredFix and select Run As Administrator...)
  • Select Option#1 - Find Goored (no fix), by typing 1 and pressing Enter
  • A logfile should popup shortly, that will look something like this:
    GooredFix v1.92 by jpshortstuff
    Log created at 08:35 on 24/12/2008 running Option #1 (Administrator)
    Firefox version 3.0.3 (en-GB)

    =====Suspect Goored Entries=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

    C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

  • Take a look at the "=====Suspect Goored Entries=====" section. As shown in this log, there should be an entry there with a random string of numbers and letters enclosed in {} (in this case {ABB56C42-1843-46EF-A93E-482DE0F5B5AA}), that points to a folder in C:\Documents and Settings\<your name>\Local Settings\Application Data\{the same random numbers and letters}. A newer version of the infection just consists of a folder in Firefox's extensions directory, in this case: C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}.

  • If either of these entries is present, and if there are no other entries that you think may be legitimate in the "Suspect Goored Entries" section, then do the following:
    • Close all Windows and Browsers, especially any Firefox Windows.
    • Double-click GooredFix.exe on your Desktop (Note: If you are using Vista right-click GooredFix and select Run As Administrator...)
    • Select Option#2 - Fix Goored by typing 2 and pressing Enter.
    • At the prompt, type y and press Enter.
    • GooredFix will now remove the infection (if it requires a reboot, please restart your computer), and a new log will popup. Please proceed to Step 2.



  • If neither of these entries is present, or if there are other entries in the "Suspect Goored Entries" section, or if you are unsure at all, please do not run Option#2, and proceed straight to Step 2.
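If you want to triage a GooredFix Option #1 log without eyeballing it, the two signatures described above (a {GUID}-named value under the Firefox extensions registry key pointing at Local Settings\Application Data\{the same GUID}, and a {GUID}-named folder in Firefox's extensions directory) can be checked automatically. The script below is an added example written for this guide, not part of GooredFix; it assumes the log format shown above, and the embedded input is a trimmed copy of the sample log (the jqs@sun.com and .NET assistant entries are kept as legitimate entries that must not be flagged).

```python
import re
from typing import Dict, List, Tuple

# Shape of a GUID-named registry value or folder, e.g. {ABB56C42-1843-46EF-A93E-482DE0F5B5AA}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Trimmed copy of the GooredFix Option #1 sample log from this guide, used as the input here.
SAMPLE_LOG = r"""
GooredFix v1.92 by jpshortstuff
Log created at 08:35 on 24/12/2008 running Option #1 (Administrator)
Firefox version 3.0.3 (en-GB)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

C:\Program Files\Mozilla Firefox\extensions\{D96F1D71-4F95-443A-8AF3-541BFDBA096D}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.3\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"="C:\Documents and Settings\Administrator\Local Settings\Application Data\{ABB56C42-1843-46EF-A93E-482DE0F5B5AA}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
"""

RegEntry = Tuple[str, str, str]  # (registry key, value name, value data)


def parse_registry_entries(log: str) -> List[RegEntry]:
    """Collect every "name"="data" line together with the [key] line above it."""
    entries: List[RegEntry] = []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]*)"="(.*)"$', line)
        if m and key is not None:
            entries.append((key, m.group(1), m.group(2)))
    return entries


def parse_extension_dirs(log: str) -> List[str]:
    """Collect bare path lines (folders GooredFix lists under Firefox's extensions directory)."""
    return [raw.strip() for raw in log.splitlines() if re.match(r"^[A-Za-z]:\\", raw.strip())]


def is_goored_registry_entry(value_name: str, data: str) -> bool:
    """Registry signature from Step 1: a {GUID}-named value whose data points at
    ...\Local Settings\Application Data\{the same GUID}."""
    if GUID_RE.fullmatch(value_name) is None:
        return False
    expected_tail = "\\local settings\\application data\\" + value_name.lower()
    return data.rstrip("\\").lower().endswith(expected_tail)


def is_suspect_extension_dir(path: str) -> bool:
    """Newer variant from Step 1: a {GUID}-named folder directly inside Firefox's extensions
    directory. Legitimate add-ons can use GUID folder names too, so this is only 'suspect';
    the guide asks you to judge the listed entries yourself before running Option #2."""
    head, _, name = path.rstrip("\\").rpartition("\\")
    return head.lower().endswith("\\mozilla firefox\\extensions") and GUID_RE.fullmatch(name) is not None


def find_suspects(log: str) -> Dict[str, List]:
    """Apply both checks to a GooredFix-style log, de-duplicating entries that appear in both
    the 'Suspect Goored Entries' and 'Dumping Registry Values' sections."""
    registry: List[RegEntry] = []
    for entry in parse_registry_entries(log):
        key, name, data = entry
        under_ff_key = key.lower().endswith("\\mozilla\\firefox\\extensions")
        if under_ff_key and is_goored_registry_entry(name, data) and entry not in registry:
            registry.append(entry)
    dirs: List[str] = []
    for path in parse_extension_dirs(log):
        if is_suspect_extension_dir(path) and path not in dirs:
            dirs.append(path)
    return {"registry": registry, "extension_dirs": dirs}


if __name__ == "__main__":
    result = find_suspects(SAMPLE_LOG)
    for key, name, data in result["registry"]:
        print(f"suspect registry value: [{key}] {name} -> {data}")
    for path in result["extension_dirs"]:
        print(f"suspect extension folder: {path}")
    if not result["registry"] and not result["extension_dirs"]:
        print("no goored signature found; do not run Option #2")
```

Run it against a pasted copy of your own GooredLog.txt (replace SAMPLE_LOG) to see which lines match the pattern; it only reproduces the reasoning in the step above and does not replace posting the full log to the forum, since a {GUID} folder alone is not proof of infection.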

Step 2:

We recommend that you now post to our Malware Removal Forum to complete the cleaning process.
>> Before You Post Your OTListIt2 Log <<

Please include the results of the GooredFix log as well, so that we can see what has been removed. The log can also be found on your Desktop, entitled GooredLog.txt.

Please post any questions or comments about this guide as a reply to this topic. Any further Malware problems should be posted in the Malware Removal and Spyware Removal forum.


--------------------
Trained at the What The Tech Classroom where you too could learn to help others.
