Redirect adware/malware
-
ukgg last edited by
I can see from general web searches that I am not the only one with this problem. My browsing experience is being seriously disrupted by redirections to adware sites. Using what settings and extensions are available I have now prevented them from opening in pop-ups BUT there is only one way to stop them randomly opening in new tabs, and that is to turn off JavaScript. Obviously I don't want to resort to that as it is even more disruptive to using the web. (Before anyone asks, I have run full scans on Kaspersky and nothing is found.) I would obviously like to prevent my browser from opening up new tabs when I haven't asked it to. Perhaps someone can tell me if this is possible (I can find nothing in settings that appears to do that) PLEASE? If not, perhaps such an option could be added????
-
blackbird71 last edited by
You need to download and run scans using Malwarebytes and/or AdwCleaner, and then use them to remove any adware they find. After they have done their job, re-run them until you get a clean response. Many AVs, while otherwise fine for dealing with malware, will not find and remove embedded adware - especially redirection/hijacking adware. Once the system is cleaned, check all shortcuts to browsers to remove any additions to the command lines which specify the browser to open at some site (http or https).
-
lando242 last edited by
> Kaspersky

There is your problem. As blackbird71 stated, having only a single scanner is not the best way to go. I second the use of Malwarebytes and AdwCleaner and would throw Spybot Search & Destroy in for good measure. Don't double up on virus scanners though, they don't play nice together.
-
ukgg last edited by
I do have the same problem on my laptop and phone but I do use them to browse the same sites whilst researching stuff. Malwarebytes found nothing. However, AdwCleaner seems (fingers crossed) for now to have solved it. Here is the log in case anyone knows what the hell the registry entries are about!??
```
AdwCleaner v4.111 - Logfile created 04/03/2015 at 01:06:07
Updated 18/02/2015 by Xplode
Database : 2015-03-02.3 [Server]
Operating system : Windows Vista (TM) Ultimate Service Pack 2 (x86)
Username : GG-VAIO
Running from : C:\Users\GG\Downloads\adwcleaner_4.111.exe
Option : Cleaning
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\AppID{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{6DDA37BA-0553-499A-AE0D-BEBA67204548}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{F25AF245-4A81-40DC-92F9-E9021F207706}
Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{592F70EC-5BDD-4C5D-BF70-35FC64E7D829}
Key Deleted : HKCU\Software\Myfree Codec
Not Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Myfree Codec
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{A2D81E70-2A98-4A08-A628-94388B063C5E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovit.co.uk
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\veoh.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local
***** [ Web browsers ] *****
-\ Internet Explorer v9.0.8112.16609
-\ Opera v27.0.1689.76
AdwCleaner[R0].txt - [2615 bytes] - [04/03/2015 00:47:05]
AdwCleaner[S0].txt - [2597 bytes] - [04/03/2015 01:06:07]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2656 bytes] ##########
```
-
sgunhouse Moderator Volunteer last edited by
As you'll note, markdown can cause some strange formatting ...
All that UUID stuff is meaningless to me. The proxy setting could affect Opera - obviously the IE settings would not. Anything look familiar comparing it to what's installed on your phone? Myfree Codec seems to be singled out there ...
-
blackbird71 last edited by
Regarding the removed entries, the registry key related to "ask" refers to a toolbar that is considered by many experts to be adware. "Veoh" is a web-player bundled with freeware downloads and is linked to the Conduit class of adware. YahooPartner toolbar is legitimate, but prone to be easily infected itself by other adware and viruses. Searchscope entries for IE can be hijacked by malware. To be on the safe side, most anti-adware products will remove all of these.
Myfree codec is possibly a legitimate software associated with certain Samsung products, though it is often auto-removed by anti-adware programs.
Trovit (assuming that is spelled correctly in your listing) is a legitimate search engine for classified ads; however, if it's actually spelled "trovi" instead, it's a particularly nasty type of adware/malware.
It appears that a number of adware-related toolbars and search engines or hijackers may, in fact, have made it onto your system. These are normally the result of a user clicking directly on a suggested toolbar or by being bundled (openly or covertly) with freeware downloads and installed along with that freeware. I'd suggest being much more careful in the future about what I installed on the system, and from where... i.e., more carefully practice "safe hex".
-
ukgg last edited by
Thanks again everyone. I don't know how that stuff got on my laptop as (believe it or not) I am extremely careful what I click on and don't download stuff except from genuine sites (such as Opera!) and always 'unclick' any bloatware in the setup procedure. One more question - whilst checking the shortcut properties as suggested I saw a file called server_tracking_data in my Opera folder. Anyone know what that is? I don't want Opera (or anyone else) tracking my web activity (and have set 'Do not Track' in my browser settings) - if that is what it is, can I safely delete it?
I guess the registry stuff will remain (as it always has to me!) a mystery
-
A Former User last edited by
servertrackingdata
"`server_tracking_data`"?
There's certain formatting here. I can advise on using "backticks" to show precise input (if it's crucial).
-
ukgg last edited by
joshl - yes that is the correct filename. I have set Opera to send 'do not track' so if this file is just those settings for the browser to use that is ok. If it is Opera or something else tracking me that is not ok. That is all I would like to know - so if it is the latter I can delete it.
The file content is [base64-encoded string]
cheers