Redirect adware/malware

blackbird71

blackbird71

You need to download and run scans using Malwarebytes and/or AdwCleaner, and then use them to remove any adware they find. After they have done their job, re-run them until you get a clean response. Many AV's, while otherwise fine for dealing with malware, will not find and remove embedded adware - especially redirection/hijacking adware. Once the system is cleaned, check all shortcuts to browsers to remove any additions to the command lines which specify the browser to open at some site (http or https).

lando242

lando242

Kaspersky

There is your problem. As blackbird71 stated having only a single scanner is not the best way to go. I second the use of Malwarebytes and AdwCleaner and would throw Spybot Search & Destroy in for good measure. Don't double up on virus scanners though, they don't play nice together.

ukgg

ukgg

I do have the same problem on my laptop and phone but I do use them to browse the same sites whilst researching stuff. Malwarebytes found nothing. However, Adwcleaner seems (fingers crossed) for now to have solved it. Here is the log in case anyone knows what the hell the registry entries are about!??

AdwCleaner v4.111 - Logfile created 04/03/2015 at 01:06:07

Updated 18/02/2015 by Xplode

Database : 2015-03-02.3 [Server]

Operating system : Windows Vista (TM) Ultimate Service Pack 2 (x86)

Username : GG-VAIO

Running from : C:\Users\GG\Downloads\adwcleaner_4.111.exe

Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID{6DDA37BA-0553-499A-AE0D-BEBA67204548}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{F25AF245-4A81-40DC-92F9-E9021F207706}

Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{592F70EC-5BDD-4C5D-BF70-35FC64E7D829}

Key Deleted : HKCU\Software\Myfree Codec

Not Deleted : HKCU\Software\YahooPartnerToolbar

Key Deleted : HKLM\SOFTWARE\Myfree Codec
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{A2D81E70-2A98-4A08-A628-94388B063C5E}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovit.co.uk
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\veoh.com
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

***** [ Web browsers ] *****
-\ Internet Explorer v9.0.8112.16609
-\ Opera v27.0.1689.76

AdwCleaner[R0].txt - [2615 bytes] - [04/03/2015 00:47:05]
AdwCleaner[S0].txt - [2597 bytes] - [04/03/2015 01:06:07]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2656 bytes] ##########

sgunhouse

sgunhouse Moderator Volunteer

As you'll note, markdown can cause some strange formatting ...

All that UUID stuff is meaningless to me. The proxy setting could effect Opera - obviously the IE settings would not. Anything look familiar comparing it to what's installed on your phone? Myfree Codec seems to be singled out there ...

merkurypl

merkurypl

How can i delete this comment on phone

sgunhouse

sgunhouse Moderator Volunteer

Click on (tap) the gear icon below your avatar, then Delete.

blackbird71

blackbird71

Regarding the removed entries, the registry key related to "ask" refers to a toolbar that is considered by many experts to be adware. "Veoh" is a web-player bundled with freeware downloads and is linked to the Conduit class of adware. YahooPartner toolbar is legitimate, but prone to be easily infected itself by other adware and viruses. Searchscope entries for IE can be hijacked by malware. To be on the safe side, most anti-adware products will remove all of these.

Myfree codec is possibly a legitimate software associated with certain Samsung products, though it is often auto-removed by anti-adware programs.

Trovit (assuming that is spelled correctly in your listing) is a legitimate search engine for classified ads; however, if it's actually spelled "trovi" instead, it's a particularly nasty type of adware/malware.

It appears that a number of adware-related toolbars and search engines or hijackers may, in fact, have made it onto your system. These are normally the result of a user clicking directly on a suggested toolbar or by being bundled (openly or covertly) with freeware downloads and installed along with that freeware. I'd suggest being much more careful in the future about what I installed on the system, and from where... ie: more carefully practice "safe hex".

ukgg

ukgg

Thanks again everyone. I don't know how that stuff got on my laptop as (believe it or not) I am extremely careful what I click on and don't download stuff except from genuine sites (such as Opera!) and always 'unclick' any bloatware in the setup procedure. One more question - whilst checking the shortcut properties as suggested I saw a file called server_tracking_data in my Opera folder. Anyone know what that is? I don't want Opera (or anyone else tracking my web activity (and have set 'Do not Track' in my browser settings) - if that is what it is, can I safely delete it?
I guess the registry stuff will remain (as it always has to me!) a mystery

A Former User

servertrackingdata

"server_tracking_data"?
There's certain formatting here. I can advise on using "backticks" to show precise input (if it's crucial).

ukgg

ukgg

joshl - yes that is the correct filename. I have set Opera to send 'do not trcck' so if this file is just those settings for the browser to use that is ok. If it is opera or something else tracking me that is not ok. That is all I would like to know - so if it is the latter I can delete it.
The file content is

MmM0MTMyMjk0OGVmYTc2NzA2YjM5ZWJhNGM1MzhiYjZlNjNmMzFlNGYyM2U4OTRjYWU1MWRmZWQzNmU3MjYyMDp7ImNvdW50cnkiOiJHQiIsInJlbW90ZV9hZGRyIjoiOTIuMjAuNDYuMjQwIiwicXVlcnkiOiIvb3BlcmEvc3RhYmxlL3dpbmRvd3M/aHR0cF9yZWZlcnJlcj1odHRwOi8vd3d3Lmdvb2dsZS5jby51ay91cmxfc2FfdF9yY3Rfal9xX19lc3JjX3NfZnJtXzFfc291cmNlX3dlYl9jZF81X3ZlZF8wQ0RRUUZqQUVfdXJsX2h0dHAlM0ElMkYlMkZ3d3cub3BlcmEuY29tJTJGYWJvdXRfZWlfMlhiT1ZKamxCcUtPN0FhVW9vRElCd191c2dfQUZRakNORkhEY0FMYW9tSHdGUVpjeEp3Wi1IalRfN1FOQV9idm1fYnYuODUwNzY4MDlfZC5iR1EmdXRtX3NvdXJjZT1nb29nbGVfdmlhX29wZXJhX2NvbSZ1dG1fbWVkaXVtPW9zZSZ1dG1fY2FtcGFpZ249Z29vZ2xlX29zZV92aWFfb3BlcmFfY29tIiwidXNlcmFnZW50IjoiTW96aWxsYS81LjAgKGNvbXBhdGlibGU7IE1TSUUgOS4wOyBXaW5kb3dzIE5UIDYuMDsgVHJpZGVudC81LjApIiwidXVpZCI6IjI1MjU1ZWJjLTY4ODMtNGUwNC04NWZlLTU0NDRiNTUxMzliYSIsImh0dHBfcmVmZXJyZXIiOiJodHRwOi8vd3d3Lm9wZXJhLmNvbS9jb21wdXRlci90aGFua3M/bmk9c3RhYmxlJm9zPXdpbmRvd3MiLCJ0aW1lc3RhbXAiOiIxNDIyODE3MTk0LjQyOTciLCJ1dG0iOnsic291cmNlIjoiZ29vZ2xlX3ZpYV9vcGVyYV9jb20iLCJjYW1wYWlnbiI6Imdvb2dsZV9vc2VfdmlhX29wZXJhX2NvbSIsIm1lZGl1bSI6Im9zZSJ9fQ==

cheers