Fix Uninitiated Google Redirects With GooredFix [Firefox]

Martin Brinkmann
Jan 14, 2010
Updated • Jun 2, 2016
Security, Windows software

Goored is an abbreviation for (malicious) Google Redirects. although redirects have been experienced by users affected by the issue in other search engines like Yahoo as well.

Firefox users who have been hit with a Goored infection will notice that some of their searches are redirected to other websites.

This usually happens when they click on a search result in Google but may also happen without them doing anything (which means pages are opened automatically).

The Google redirect redirects user initiated searches to toher websites, it especially seems to happen often when searching for items that can be bought online like computer equipment, household items and basically anything that is available online.

The cause of this search redirect in Google seems to be a Firefox add-on / plugin that gets installed without the user's consent. What makes this problematic is that the add-on or plugin is not listed when you open the list of installed extensions.

It is not clear how the add-on is installed other than that it is done automatically without the user's consent.

Google redirects make use of JavaScript and a first temporary fix is to disable JavaScript in the Firefox web browser to stop the redirects. This can be done in Tools > Options > Content tab by unchecking Enable JavaScript.

Update: Press F12 in newer versions of Firefox, click on the settings icon at the top right of the developer tools window that opens up, scroll down and check "disable JavaScript". Note that this only disables it for the active session and that it will be enabled again on next start of Firefox. End

This is also a good indicator if the computer has been infected with Goored. If the redirects stop, it is Goored. If they continue it is something else that is probably not running on the browser level but on the system level. In that case, try this solution to fix Google redirects on the system level.

The easiest way to clean Goored is by using the GooredFix tool that can be downloaded here. This tool should be executed as an administrator and Firefox needs to be closed before it is executed.

To execute the tool as an administrator right-click it and select Run as administrator from the menu.

The program will automatically scan the Firefox directories and the Registry entries of the web browser. It will furthermore clean offending add-ons if they are discovered and write a log file to the computer desktop.

While the tool worked fine during tests, it is highly suggested to create a system backup before you run it.

The developer of GooredFix has provided the following description of the program:

The infection is indeed a Firefox plugin, but is hidden from your plugins list. It works by checking the url bar for things like *google* *yahoo* etc, and then inserting an external Javascript file into the header of each search page. The external javascript file monitors links on the search results page and as soon as you click one it changes it so that it points to wherever it likes...
GooredFix deleted the registry entry and folder, and then when Firefox next starts it removes the plugin from its cache and loading point as the registry is no longer there.

[There are also new variants that use] the "XUL Cache" extension to do redirects

Users should restart Firefox after the cleanup and perform a few searches in Google with JavaScript enabled to see if the problem persists or if GooredFix has removed the offending add-on.

Article Name
Fix Uninitiated Google Redirects With GooredFix [Firefox]
The guide walks you through the steps of removing a malicious browser extension that is the cause for unintentional redirects when using Google.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Norrin Radd said on August 29, 2011 at 1:55 am

    Worked exactly as described.

    thanks for the research and tools. very well described.

    side note…i tested ie and it was fine. so i knew then it was firefox…

    its aug 28 211…date of known infection

  2. HS said on July 14, 2011 at 6:18 am

    Thank you so much, I had spent several days and pretty much every single malware program. Gooredfix did the job, wish I had seen this much earlier.

  3. Douglas McGregor said on April 8, 2011 at 10:25 am

    Worked for me, and thought the problem was solved, but noticed it’s back today after switching on this morning. Very annoying. Would love to hear of a permanent fix. Wonder if Google are aware of the problem.

  4. Mike said on February 28, 2011 at 3:26 am

    GooredFix worked 100% for me. I believe hak01 (see first post) was presumptious in his statement about rootkits usually being at fault. Well it wasn’t for me, and that presumption (which I see all too frequently) misdirected me for the longest time. No amount of antivirus software found the real culprit (a plugin). Did anyone ever think that there are so many websites dedicated this problem, all encouraging the use of one antivirus program or another, because these (antivirus) suggestions don’t usually work! Blaming viruses for everything is an easy way to sell antivirus software. jpshortstuff (GooredFix’s author) deserves some serious acknowledgment for his “outside of the box” thinking.

  5. Anon said on November 29, 2010 at 11:27 pm

    Worked fine in my case… hard to google things when you’re being redirected all the time. now, to find a cork for those add-ons…

  6. Joseph Ting said on May 22, 2010 at 1:16 pm

    Have been using Ad-Aware and SpyBot for half a day. Searched and searched in safe mode too. =X

    Thanks to you. I’ve knew their name and voila!
    Thanks for the fix. Totally clean and even Norton Internet Security identifies it as safe. LoL~

    A ton of thanks to you. =)

  7. Carl said on May 12, 2010 at 7:01 am

    If I turned off my Java Script and it works like normal, does that mean I can use this GooRed fix to clean it up? or should I use the TDSS killer?

  8. - said on May 4, 2010 at 6:39 am

    never had trouble with this, but google recently changed their meta or scripts or something on image search page.
    as of now, I haven’t been able to rewrite my filters to get rid of google’s tracking garbage. (I’m referring to the ei and gbv tracking and garbage, which i’d had under control for a few years. also tbs has turned up in image-search urls in the last few months. tbs has use on plain web searches, and maybe eventually google will make use of tbs, but for now it’s just junk in the url.)

  9. yutannelson said on April 22, 2010 at 4:10 am

    I about went crazy trying to fix this. Every recommendation I found did not help until I found this one. Thank you to whoever posted this. Everyone needs to repost this elsewhere on the web to get the message out.

    Look in (windows)\system32\drivers\etc\hosts. There should be only some lines starting with # and “ localhost”. Anything else in there might be redirecting you to a fake Google or other fake site.

  10. john said on March 1, 2010 at 7:28 pm

    just found your page, haven’t been able to try the fix yet.
    i first noticed the redirect in firefox friday, saturday it started to happen in ie too. will this fix take care of both issues?
    thank you

    1. Martin said on March 1, 2010 at 7:50 pm

      Nope only for Firefox. you might want to check out the other solution that I posted a day later

  11. Doug said on February 24, 2010 at 5:59 pm

    Martin, this fix seems to have worked for me. It was very easy, GooredFix took only a few seconds to run. Thank you very much!

  12. hak01 said on January 14, 2010 at 2:15 pm

    hmm, it’s only one among the many reasons why google redirects. In most cases it’s caused by rootkits not by the plugin. Anyway thanks for this great suggestion.

    1. Martin said on January 15, 2010 at 5:17 pm

      hak01 you are right but before you start looking for rootkits you should consider the obvious, especially if it is only happening in Firefox and not in other web browsers.I will publish another cause today.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.