Browser hijacked with www1.ramirocampos.pro adware!



  • Hi. I'd appreciate directions as to the removal of this really unwanted nuisance. I've found instructions on how to remove it from every browser except Vivaldi. I am running Vivaldi in portable. I'm running W7 x64 SP1 fully updated. Thanks for your help.


  • Ambassador

    @foulke said in Browser hijacked with www1.ramirocampos.pro adware!:

    Hi. I'd appreciate directions as to the removal of this really unwanted nuisance. I've found instructions on how to remove it from every browser except Vivaldi. I am running Vivaldi in portable. I'm running W7 x64 SP1 fully updated. Thanks for your help.

    Hijackers are quite annoying, but luckily they are usually installed as usual programs and can be removed as such. The difficulty lies in the fact that they are hosted in several places of the system and even in the shortcuts of the browsers, from where they can be installed again.
    To eliminate them you have to do the following in this order:
    1. Close the browser
    2. Go to the Windows Control Panel and Programs and search the list for the name of this bug to uninstall it
    3. Remove Vivaldi shortcuts and create them again from the executable
    4. Search the Registry for entries of this malware to remove it there too (for this you can use CCleaner, or better Glary Utilities)
    5. Open Vivaldi and reset the search engine to default values

    If the problem continues, you can also do a scan with AdwCleaner (free program and standalone). This should resolve it.


  • Ambassador

    @Catweazle You can also add Malwarebytes or HitmanPro to the list of reputable and free standalone programmes to scan your machine. (HitmanPro is free for a 30 day trial, Malwarebytes is just free.)


  • Ambassador

    @greybeard , I know, but MalwareBytes has reported some conflicts with Vivaldi, and with AdwCleaner, which is also a product of MalwareBytes, there are none, and it is a program specialized in this type of mal- and junkware.


  • Ambassador

    @Catweazle I've used both MalwareBytes and HitmanPro with no issues to Vivaldi Snapshot.


  • Ambassador

    @greybeard ,

    Well, this incompatibility of MalwareBytes may have been resolved, although I don't have it installed. Currently I only use Windows Defender, I have the AdwCleaner and the TDSS Killer if necessary, apart from the nano extensions and Trace Extension in Vivaldi and my common sense. With this I settle.



  • First thing I'd check if I get unwanted notifications is the service-workers, and unregister any from sites I don't trust:
    vivaldi://serviceworker-internals

    Not saying it's necessarily just a nasty service-worker, but it would be the first place to check instead of assuming whole system is hijacked by malware. If it comes back after that, then there might be a browser-hijack process running on the system.


  • Moderator

    @foulke said in Browser hijacked with www1.ramirocampos.pro adware!:

    I've found instructions on how to remove it from every browser except Vivaldi.

    If you can find instructions for the Chrome browser, they may also work for Vivaldi as both browsers share an engine.


  • Ambassador

    @Pathduck , most of the hijackers are system based. It may be enough to look in service workers, but I doubt it. Where this malware is sure to be located is in the Vivaldi shortcut, that is, although it removes the Vivaldi hijacker, it will appear again when starting Vivaldi from the shortcut.
    You can check with right click on this shortcut and look in Properties where it points. If it is not in the executable address, then it is infected and must be deleted to create it again from the Vivaldi executable.



  • Hi. Thanks very much for all the answers. I've gone to chrome://settings/content/notifications

    And found the www1.ramirocampos.pro site setting which was to allow notifications! I have no clue where it came from, quite possibly ad.fly.

    I use Malwarebytes Premium, Defender regularly (they are installed) and have scanned with UnHackMe. All apps report a clean system. I have removed the site from chrome://settings/content/notifications and so far it has not returned.

    It seems ridiculous that a very trivial procedure just like that got rid of the notifications, and instead all the "security" applications running in my system failed to see it. Go figure.

    Thanks again, and I'll post back if the nuisance returns.



  • @foulke A setting allowing notifications is often linked to a Service-worker, so be sure to check that page as well.

    The reason malware scanners won't find it is that it's hard for them to know if a user has allowed this site on their own. It's just a setting in the browser, not strictly "malware". Often these sites change their URLs or domains so often it's nearly impossible for scanners to keep up anyway. Probably some guy named "Ramiro Campos" had a legitimate site but it got taken over by dirty scammers to run their affiliate link schemes.

    Good to hear you got rid of it! 👍


  • Ambassador

    @Catweazle much the same but using Sophos Home Premium (they also have a free version) as AV. I had issues a few months back and used MalwareBytes as verification.
    I do use Nirsoft's CountryTraceRoute as it is more versatile.



  • Hi again. I did check Service-Worker's entries, and it was OK. Thanks very much for the valuable help provided.


  • Ambassador

    @greybeard said in Browser hijacked with www1.ramirocampos.pro adware!:

    @Catweazle much the same but using Sophos Home Premium (they also have a free version) as AV. I had issues a few months back and used MalwareBytes as verification.
    I do use Nirsoft's CountryTraceRoute as it is more versatile.

    Not the same as the extension

    Trace can protect against:

    • Canvas Fingerprinting
    • Audio Fingerprinting
    • WebGL Fingerprinting
    • JS Crypto Currency Mining
    • Common Tracking Protection (New!)
    • WebRTC Leakage
    • Media Device Enumeration (New!)


  • I note that this issue is now remarked as "resolved", but I hope that the following will be useful to other people with infected machines (and also to the OP to ensure theirs is definitely now clean!!).

    I second @Catweazle 's recommendation of the "trace" browser extension. It covers the functions of multiple separate privacy extensions. Until the ad and analytics networks clean up their acts, privacy extensions are a great way of avoiding malware.

    With regards to cleaning up your system, I note that you mentioned your copy of Vivaldi was a portable one; in which case it's easier to delete it and recreate it from scratch, which might get rid of the adware (depending on where it's taken hold - if it's embedded itself into the Windows registry etc. then this will do nothing).

    Finally, malware doesn't like to be lonely. For each piece that's made its presence known, you may well have a few more friends it's downloaded for company. If any of my relatives or friends comes to me with a suspect computer, there's a couple of utilities I like to sweep it clean with:

    • F-Secure Online Scanner is very fast and pretty good.
    • Emsisoft Emergency Kit is also pretty quick and has a fantastic detection rate.
    • Windows Defender has a reasonable detection rate nowadays. A final "offline scan" with this utility will give added peace of mind. It's under the option "run advanced scan". It's a boot-time scan that catches things before Windows has loaded and normally runs very quickly.
    • Comodo Cleaning Essentials can help get the last bits of crud off your computer, but I've always seen lots of false positives when I've used it.

    Those utilities (excluding WD) are portable, so you don't need to install them. Emsisoft and F-Secure have good reputations, too. Comodo have had their share of embarrassments and controversies over the years, but they're well known and still have a reasonable reputation.

    Honourable mentions also go out to:

    • I think Kaspersky TDSSkiller, McAfee Stinger, and Malwarebytes' AdwCleaner have already been mentioned - they're pretty good portable cleaners.
    • You could also try the regular Malwarebytes and Spybot - but be aware that these products can integrate into the security centre, which might disable your existing AV product. I have also noticed that (in my limited experience) their detection rates are nowhere near as good as they once were. (The last machine I actually found a piece of spyware on with a Spybot scan was running Windows ME).
    • Zemana antimalware used to have a good reputation, but development stalled for a while, and it also leaves lots of traces (some still active) when you uninstall it. Additionally I have never found its detection rate to be particularly good. If you're desperate, it's one more tool to help with the cleanup effort, but I personally stopped using it years ago.

    Obviously, don't run all cleaners at the same time. Run 1, reboot and check your system's not bricked, run the next, reboot... and so on.


  • Ambassador



  • Hi. The issue has been resolved. I've run many tools (including ComboFix) to look for suspicious stuff. MalwareBytes, UnHackMe, Defender, also give me the thumbs up. Worst case scenario I'll restore an image from 10 days ago, but I think it's safe to say I'm good to go. Thanks much everybody!


  • Ambassador

    @Catweazle Looks like a totally different application.
    Using uBlock Origin with nano Adblocker and IBM Trusteer Rapport for all that.
    Also there is MSoft's Windows Defender Browser Protection app for Chrome which protects against Phishing and Malware.


  • Ambassador

    uBlock Origin with nano Adblocker? nano Adblocker contains all uBlock filters, it is a fork of uBlock Origin with some changes. Or did you mean nano Defender? (hides the adblocker)



  • You guys know that uBlock Origin also comes with uBlock Origin Extra, which is the anti-anti-adblocker, right? Exactly what Nano Adblocker+Nano Defender are. uBO+uBO Extra were there already. There's no need to get your panties twisted about Nano Defender, all the Nano stuff are just forks of uBO, that guy is practically living off someone else's work. If you keep the lists updated, it's just a matter of using one or another but they do the same exact thing.

