    Redirect adware/malware

    Opera for Windows
    • sgunhouse
      sgunhouse Moderator Volunteer last edited by

      You have the same problem on desktop and phone, or is this one in the wrong forum?

      Reply Quote 0
        1 Reply Last reply
      • blackbird71
        blackbird71 last edited by

        You need to download and run scans using Malwarebytes and/or AdwCleaner, and then use them to remove any adware they find. After they have done their job, re-run them until you get a clean response. Many AVs, while otherwise fine for dealing with malware, will not find and remove embedded adware - especially redirection/hijacking adware. Once the system is cleaned, check all shortcuts to browsers to remove any additions to the command lines which specify the browser to open at some site (http or https).

        Reply Quote 0
          1 Reply Last reply
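The shortcut check described in the post above can be done in one pass with PowerShell. This is an added example, not part of the original posts; the browser executable names and the folders searched are assumptions, and the script only reports what it finds, it changes nothing.

```powershell
# Added example: list browser shortcuts whose command line carries extra
# arguments, flagging those that contain an http/https URL. Read-only.

# Assumption: executable names that count as "a browser" on this machine.
$browserExe = 'opera.exe', 'launcher.exe', 'iexplore.exe', 'chrome.exe', 'firefox.exe'

# Assumption: the usual per-user and all-users shortcut locations (Vista and later).
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { $_ -and (Test-Path $_) }

# WScript.Shell can read the target and arguments stored inside a .lnk file.
$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    if (-not $sc.TargetPath) { continue }

    # Only shortcuts that launch one of the listed browsers are of interest.
    $leaf = Split-Path $sc.TargetPath -Leaf
    if ($browserExe -notcontains $leaf) { continue }

    # A clean browser shortcut normally has an empty Arguments field.
    if ([string]::IsNullOrEmpty($sc.Arguments)) { continue }

    $verdict = 'extra arguments, review'
    if ($sc.Arguments -match 'https?://') { $verdict = 'URL appended to command line' }

    New-Object PSObject -Property @{
        Shortcut  = $lnk.FullName
        Target    = $sc.TargetPath
        Arguments = $sc.Arguments
        Verdict   = $verdict
    }
}

if ($findings) {
    $findings | Format-List Verdict, Shortcut, Target, Arguments
} else {
    'No browser shortcuts with added arguments were found.'
}
```

Any shortcut reported with a URL can then be corrected by hand in its Properties dialog, by deleting everything after the closing quote of the browser path in the Target field.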
        • lando242
          lando242 last edited by

          Kaspersky

          There is your problem. As blackbird71 stated, having only a single scanner is not the best way to go. I second the use of Malwarebytes and AdwCleaner and would throw Spybot Search & Destroy in for good measure. Don't double up on virus scanners though, they don't play nice together.

          Reply Quote 0
            1 Reply Last reply
          • ukgg
            ukgg last edited by

            I do have the same problem on my laptop and phone but I do use them to browse the same sites whilst researching stuff. Malwarebytes found nothing. However, AdwCleaner seems (fingers crossed) for now to have solved it. Here is the log in case anyone knows what the hell the registry entries are about!??

            AdwCleaner v4.111 - Logfile created 04/03/2015 at 01:06:07

            Updated 18/02/2015 by Xplode

            Database : 2015-03-02.3 [Server]

            Operating system : Windows Vista (TM) Ultimate Service Pack 2 (x86)

            Username : GG-VAIO

            Running from : C:\Users\GG\Downloads\adwcleaner_4.111.exe

            Option : Cleaning

            ***** [ Services ] *****

            ***** [ Files / Folders ] *****

            ***** [ Scheduled tasks ] *****

            ***** [ Shortcuts ] *****

            ***** [ Registry ] *****

            Key Deleted : HKLM\SOFTWARE\Classes\AppID{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
            Key Deleted : HKLM\SOFTWARE\Classes\CLSID{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
            Key Deleted : HKLM\SOFTWARE\Classes\CLSID{826D7151-8D99-434B-8540-082B8C2AE556}
            Key Deleted : HKLM\SOFTWARE\Classes\CLSID{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
            Key Deleted : HKLM\SOFTWARE\Classes\CLSID{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
            Key Deleted : HKLM\SOFTWARE\Classes\CLSID{6DDA37BA-0553-499A-AE0D-BEBA67204548}
            Key Deleted : HKLM\SOFTWARE\Classes\Interface{03E2A1F3-4402-4121-8B35-733216D61217}
            Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
            Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
            Key Deleted : HKLM\SOFTWARE\Classes\Interface{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
            Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
            Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
            Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{F25AF245-4A81-40DC-92F9-E9021F207706}

            Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{592F70EC-5BDD-4C5D-BF70-35FC64E7D829}

            Key Deleted : HKCU\Software\Myfree Codec
            Not Deleted : HKCU\Software\YahooPartnerToolbar

            Key Deleted : HKLM\SOFTWARE\Myfree Codec
            Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{A2D81E70-2A98-4A08-A628-94388B063C5E}
            Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
            Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovit.co.uk
            Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\veoh.com
            Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

            ***** [ Web browsers ] *****
            -\ Internet Explorer v9.0.8112.16609
            -\ Opera v27.0.1689.76


            AdwCleaner[R0].txt - [2615 bytes] - [04/03/2015 00:47:05]
            AdwCleaner[S0].txt - [2597 bytes] - [04/03/2015 01:06:07]

            ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2656 bytes] ##########

            Reply Quote 0
              1 Reply Last reply
            • sgunhouse
              sgunhouse Moderator Volunteer last edited by

              As you'll note, markdown can cause some strange formatting ...

              All that UUID stuff is meaningless to me. The proxy setting could affect Opera - obviously the IE settings would not. Anything look familiar comparing it to what's installed on your phone? Myfree Codec seems to be singled out there ...

              Reply Quote 0
                1 Reply Last reply
              • merkurypl
                merkurypl last edited by
                How can I delete this comment on phone?
                
                Reply Quote 0
                  1 Reply Last reply
                • sgunhouse
                  sgunhouse Moderator Volunteer last edited by

                  Click on (tap) the gear icon below your avatar, then Delete.

                  Reply Quote 0
                    1 Reply Last reply
                  • blackbird71
                    blackbird71 last edited by

                    Regarding the removed entries, the registry key related to "ask" refers to a toolbar that is considered by many experts to be adware. "Veoh" is a web-player bundled with freeware downloads and is linked to the Conduit class of adware. YahooPartner toolbar is legitimate, but prone to be easily infected itself by other adware and viruses. Searchscope entries for IE can be hijacked by malware. To be on the safe side, most anti-adware products will remove all of these.

                    Myfree codec is possibly a legitimate software associated with certain Samsung products, though it is often auto-removed by anti-adware programs.

                    Trovit (assuming that is spelled correctly in your listing) is a legitimate search engine for classified ads; however, if it's actually spelled "trovi" instead, it's a particularly nasty type of adware/malware.

                    It appears that a number of adware-related toolbars and search engines or hijackers may, in fact, have made it onto your system. These are normally the result of a user clicking directly on a suggested toolbar or by being bundled (openly or covertly) with freeware downloads and installed along with that freeware. I'd suggest being much more careful in the future about what I installed on the system, and from where... ie: more carefully practice "safe hex".

                    Reply Quote 0
                      1 Reply Last reply
                    • ukgg
                      ukgg last edited by

                      Thanks again everyone. I don't know how that stuff got on my laptop as (believe it or not) I am extremely careful what I click on and don't download stuff except from genuine sites (such as Opera!) and always 'unclick' any bloatware in the setup procedure. One more question - whilst checking the shortcut properties as suggested I saw a file called server_tracking_data in my Opera folder. Anyone know what that is? I don't want Opera (or anyone else) tracking my web activity (and have set 'Do not Track' in my browser settings) - if that is what it is, can I safely delete it?
                      I guess the registry stuff will remain (as it always has to me!) a mystery

                      Reply Quote 0
                        1 Reply Last reply
                      • A Former User
                        A Former User last edited by

                        servertrackingdata

                        "server_tracking_data"?
                        There's certain formatting here. I can advise on using "backticks" to show precise input (if it's crucial).

                        Reply Quote 0
                          1 Reply Last reply
                        • ukgg
                          ukgg last edited by

                          joshl - yes that is the correct filename. I have set Opera to send 'do not track' so if this file is just those settings for the browser to use that is ok. If it is Opera or something else tracking me that is not ok. That is all I would like to know - so if it is the latter I can delete it.
                          The file content is


                          cheers

                          Reply Quote 0
                            1 Reply Last reply