Redirect adware/malware

  • I can see from general web searches that I am not the only one with this problem. My browsing experience is being seriously disrupted by redirections to adware sites. Using what settings and extensions are available I have now prevented them from opening in pop ups BUT there is only one way to stop them randomly opening in new tabs, and that is to turn off Javascript. Obviously I don't want to resort to that as it is even more disruptive to using the web. (Before anyone asks I have run full scans on Kaspersky and nothing is found). I would obviously like to prevent my browser from opening up new tabs when I haven't asked it to. Perhaps someone can tell me if this is possible (I can find nothing in settings that appears to do that) PLEASE? If not perhaps such an option could be added????

  • You have the same problem on desktop and phone, or is this one in the wrong forum?

  • You need to download and run scans using Malwarebytes and/or AdwCleaner, and then use them to remove any adware they find. After they have done their job, re-run them until you get a clean response. Many AV's, while otherwise fine for dealing with malware, will not find and remove embedded adware - especially redirection/hijacking adware. Once the system is cleaned, check all shortcuts to browsers to remove any additions to the command lines which specify the browser to open at some site (http or https).
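The shortcut check suggested in the post above can be scripted. This is an added PowerShell example, not part of the original thread; the browser executable names and the folders searched are assumptions to adjust for the machine being checked.

```powershell
# Added example: list browser shortcuts whose command line has a URL appended.
# Assumption: these executable names cover the browsers installed here.
$browserExe = 'opera.exe', 'launcher.exe', 'iexplore.exe',
              'chrome.exe', 'firefox.exe', 'msedge.exe'

# Assumption: per-user and all-users desktop, Start Menu and Quick Launch
# (taskbar pins live under Quick Launch and are reached by -Recurse).
$folders = @(
    (Join-Path $env:USERPROFILE 'Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
) | Where-Object { Test-Path $_ }

function Test-ShortcutHijack {
    # True when the shortcut starts a known browser AND passes it an http(s) URL.
    param([string]$TargetPath, [string]$Arguments)
    $exe = [IO.Path]::GetFileName($TargetPath)
    $isBrowser = $browserExe -contains $exe      # string comparison ignores case
    $hasUrl = $Arguments -match '\bhttps?://'    # -match ignores case by default
    return ($isBrowser -and $hasUrl)
}

# WScript.Shell loads an existing .lnk and exposes its target and arguments.
$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($folder in $folders) {
    Get-ChildItem -Path $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            if (Test-ShortcutHijack -TargetPath $lnk.TargetPath -Arguments $lnk.Arguments) {
                New-Object PSObject -Property @{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
}

if ($findings) { $findings | Format-List Shortcut, Target, Arguments }
else { 'No browser shortcuts with an appended URL were found.' }
```

The script only reports. Review each hit before editing the shortcut's properties, since a shortcut made on purpose to open a particular site matches the same pattern.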

  • Kaspersky

    There is your problem. As blackbird71 stated, having only a single scanner is not the best way to go. I second the use of Malwarebytes and AdwCleaner and would throw Spybot Search & Destroy in for good measure. Don't double up on virus scanners though, they don't play nice together.

  • I do have the same problem on my laptop and phone but I do use them to browse the same sites whilst researching stuff. Malwarebytes found nothing. However, AdwCleaner seems (fingers crossed) for now to have solved it. Here is the log in case anyone knows what the hell the registry entries are about!??

    AdwCleaner v4.111 - Logfile created 04/03/2015 at 01:06:07

    Updated 18/02/2015 by Xplode

    Database : 2015-03-02.3 [Server]

    Operating system : Windows Vista (TM) Ultimate Service Pack 2 (x86)

    Username : GG-VAIO

    Running from : C:\Users\GG\Downloads\adwcleaner_4.111.exe

    Option : Cleaning

    ***** [ Services ] *****

    ***** [ Files / Folders ] *****

    ***** [ Scheduled tasks ] *****

    ***** [ Shortcuts ] *****

    ***** [ Registry ] *****

    Key Deleted : HKLM\SOFTWARE\Classes\AppID{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID{826D7151-8D99-434B-8540-082B8C2AE556}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID{6DDA37BA-0553-499A-AE0D-BEBA67204548}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface{03E2A1F3-4402-4121-8B35-733216D61217}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{F25AF245-4A81-40DC-92F9-E9021F207706}
    [x] Not Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes{592F70EC-5BDD-4C5D-BF70-35FC64E7D829}
    Key Deleted : HKCU\Software\Myfree Codec
    [x] Not Deleted : HKCU\Software\YahooPartnerToolbar
    Key Deleted : HKLM\SOFTWARE\Myfree Codec
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall{A2D81E70-2A98-4A08-A628-94388B063C5E}
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\trovit.co.uk
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\veoh.com
    Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.local

    ***** [ Web browsers ] *****
    -\ Internet Explorer v9.0.8112.16609
    -\ Opera v27.0.1689.76


    AdwCleaner[R0].txt - [2615 bytes] - [04/03/2015 00:47:05]
    AdwCleaner[S0].txt - [2597 bytes] - [04/03/2015 01:06:07]

    ########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2656 bytes] ##########

  • As you'll note, markdown can cause some strange formatting ...

    All that UUID stuff is meaningless to me. The proxy setting could affect Opera - obviously the IE settings would not. Anything look familiar comparing it to what's installed on your phone? Myfree Codec seems to be singled out there ...

  • How can I delete this comment on phone?
  • Click on (tap) the gear icon below your avatar, then Delete.

  • Regarding the removed entries, the registry key related to "ask" refers to a toolbar that is considered by many experts to be adware. "Veoh" is a web-player bundled with freeware downloads and is linked to the Conduit class of adware. YahooPartner toolbar is legitimate, but prone to be easily infected itself by other adware and viruses. Searchscope entries for IE can be hijacked by malware. To be on the safe side, most anti-adware products will remove all of these.

    Myfree codec is possibly a legitimate software associated with certain Samsung products, though it is often auto-removed by anti-adware programs.

    Trovit (assuming that is spelled correctly in your listing) is a legitimate search engine for classified ads; however, if it's actually spelled "trovi" instead, it's a particularly nasty type of adware/malware.

    It appears that a number of adware-related toolbars and search engines or hijackers may, in fact, have made it onto your system. These are normally the result of a user clicking directly on a suggested toolbar or by being bundled (openly or covertly) with freeware downloads and installed along with that freeware. I'd suggest being much more careful in the future about what I installed on the system, and from where... ie: more carefully practice "safe hex".

  • Thanks again everyone. I don't know how that stuff got on my laptop as (believe it or not) I am extremely careful what I click on and don't download stuff except from genuine sites (such as Opera!) and always 'unclick' any bloatware in the setup procedure. One more question - whilst checking the shortcut properties as suggested I saw a file called server_tracking_data in my Opera folder. Anyone know what that is? I don't want Opera (or anyone else) tracking my web activity (and have set 'Do not Track' in my browser settings) - if that is what it is, can I safely delete it?
    I guess the registry stuff will remain (as it always has to me!) a mystery.

  • servertrackingdata

    "server_tracking_data"?
    There's certain formatting here. I can advise on using "backticks" to show precise input (if it's crucial).

  • joshl - yes that is the correct filename. I have set Opera to send 'do not track' so if this file is just those settings for the browser to use that is ok. If it is Opera or something else tracking me that is not ok. That is all I would like to know - so if it is the latter I can delete it.
    The file content is

    cheers
