
I've got malware


arcturus


Looks like my browser, Opera, has been afflicted with some malware. What happens is it frequently redirects to mediaplex. In searching for a removal solution I see numerous avenues available to Win users, none for Linux. One reason for moving to Linux was to avoid circumstances like this. Help!


V.T. Eric Layton

WOW! That's wild! I've been surfing here, there, and everywhere with FF since July and I've never (to my knowledge) run across anything evil that affected apps in Linux.


This is a first ! . . . I never have come across any malware myself nor was it reported on the forum by anyone. Are you sure it is not a popup ( -over -under ) on a second tab generated by a site you are visiting ? What you can try to fix it is to remove the /home/arcturus/.opera folder ( maybe first back it up so you will not lose your bookmarks ) and restart your browser. It then will re-build that directory automatically and give you a fresh start. The "malware" should then be gone. B) Bruno


V.T. Eric Layton

From MediaPlex's Website:

MEDIAPLEX IS NOT INVOLVED WITH ADWARE
Mediaplex is an application service provider that has been serving the marketing communications industry under the AdVault® product name. Mediaplex AdVault® software enables advertising agencies and other companies to operate their businesses more efficiently, through effective agency management, media management, and content management and has nothing to do with monitoring individual consumer's online activities. Mediaplex absolutely does not create, support or deploy any software related to spyware or tools that remove spyware or cookies from local desktops. In fact, the vast majority of our clients use AdVault® solutions for offline activities.
Not that this means anything. B) This company is a wholly owned subsidiary of ValueClick, another adserver company that's been around since forever.

:bye2: ;) :blink: Now this is interesting... using Opera, I tried to Google "mediaplex opera", then "mediaplex"... nothing. Google doesn't "work". Using Firefox, I find this: http://www.heise.de/newsticker/meldung/64327
news 27.09.2005 13:07 heise online
Opera: eBay search with a redirect
Attentive readers of heise online have noticed that, for eBay searches, Opera does not take the user directly to the auction house's pages but routes the access through the pages of the advertising service provider Mediaplex. When asked, the browser maker told heise online that it had received the link from eBay. eBay in turn explained that the procedure is "the customary way in the market to 'track' how many visitors reach eBay by this route". Opera is in the eBay partner programme, so it receives a payment for the clicks it refers to eBay. According to eBay, all data-protection requirements are observed with the redirect via Mediaplex; the data is not personalised and is only presented anonymously via Mediaplex.
With Firefox, a similar case at the end of 2004 caused a storm of outrage. The Mozilla browser also took its users to eBay via a redirect. The users' protest eventually led to the redirect being removed.
Since Opera does not plan to do this, users of the Norwegian browser who do not trust the statements from eBay and Opera must do without the search function -- or change it by hand. To do so, edit the file search.ini in the profile folder with a text editor. Opera shows the folder when you enter
about:opera

in the address bar. Quit the browser and replace the line (shown here on two lines for reasons of space)

URL=http://adfarm.mediaplex.com/ad/ck/707-1065-8356-16?RedirectEnter&partner=01234&loc=http://search.ebay.de/search/search.dll%3Fshortcut=4%26st=2%26query=%s

with

URL=http://search.ebay.de/%s

and Opera should then search eBay directly, without the detour.

:rant: :rant: :rant: :rant: :rant: So...
What happens is it frequently redirects to mediaplex.
eBay related? If so... (translating the essentials from the above quote): This is a browser issue. Opera redirects eBay searches to Mediaplex. Firefox did the same a couple of years ago, but user reactions made them change their evil ways. No such luck with Opera (yet). So... you've got to tweak tweak tweak: The file you have to edit (with your text editor of choice) is
/home/user/.opera/search.ini

. Close Opera. Tweak search.ini: Replace

URL=http://adfarm.mediaplex.com/ad/ck/707-1065-8356-16?RedirectEnter&partner=01234&loc=http://search.ebay.de/search/search.dll%3Fshortcut=4%26st=2%26query=%s

with

URL=http://search.ebay.de/%s

Lemme know if this helps... I'm gonna rant a bit about this on Opera Forums. I hate this kind of crap. :angry: :angry: :angry: Oh... arcturus: can you please give me a "redirect example"... I tried an eBay search, and had no problems with it. However, I'm plenty p*ssed off about not being able to do a "mediaplex" Google search using Opera... maybe it's an Adblock issue. :blink: :blink: :blink: EDIT: AHA... MY OPERA ADBLOCK BLOCKS MEDIAPLEX. B) >_< :bangin:

Edited by Urmas
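The search.ini edit described in the heise article and in Urmas's summary above, done programmatically. This is an added example for this thread, not code from Opera or from anyone posting here. It walks an Opera 9.x search.ini ([Search Engine N] sections, one key=value per line), flags every URL= that points at a known click-tracking redirector, and unwraps the loc= parameter into the real search target. Unlike the hand edit, which substitutes the short form http://search.ebay.de/%s, this keeps whatever destination the redirector was wrapping, so eBay's own shortcut/st parameters survive. The redirector list (adfarm/altfarm/mojofarm.mediaplex.com and www.qksrv.net) is an assumption drawn from the URLs quoted in this thread, and the three-engine sample file is constructed.

```python
"""Find Opera search.ini entries that detour through an ad-tracking
redirector and rewrite them to point at the real search target.

Added example for this forum thread; not code from Opera or from the
thread's participants.  Redirector hostnames are taken from URLs quoted
in the thread (an assumption, extend to taste); SAMPLE_SEARCH_INI is constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Hosts that only count the click and then forward to the 'loc' target.
REDIRECTORS = {
    "adfarm.mediaplex.com",
    "altfarm.mediaplex.com",
    "mojofarm.mediaplex.com",
    "www.qksrv.net",
}


def redirect_target(url):
    """Return the decoded 'loc' destination if url is a known redirector
    wrapping a real search URL, otherwise None.

    The destination must still carry Opera's %s query placeholder; a
    redirect without it is not a search engine we can unwrap."""
    parts = urlsplit(url)
    if parts.hostname not in REDIRECTORS:
        return None
    # parse_qs splits on '&' before percent-decoding, so the %26-encoded
    # separators inside loc= survive and come back as part of its value.
    loc = parse_qs(parts.query).get("loc")
    if not loc or "%s" not in loc[0]:
        return None
    return loc[0]


def rewrite_search_ini(text):
    """Rewrite URL= lines that go via a redirector.

    Returns (new_text, findings); findings is a list of
    (section, old_url, new_url).  Every other line is passed through
    untouched so the file stays a valid search.ini."""
    out, findings, section = [], [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line.startswith("URL="):
            target = redirect_target(line[4:])
            if target is not None:
                findings.append((section, line[4:], target))
                line = "URL=" + target
        out.append(line)
    return "\n".join(out) + "\n", findings


# Constructed three-engine file: the Mediaplex line quoted from heise, the
# qksrv.net line from the posted Opera 9.10 file, and a plain Google entry.
SAMPLE_SEARCH_INI = """\
Opera Preferences version 2.1
; Do not edit this file while Opera is running
[Search Engine 1]
Name=
URL=http://adfarm.mediaplex.com/ad/ck/707-1065-8356-16?RedirectEnter&partner=01234&loc=http://search.ebay.de/search/search.dll%3Fshortcut=4%26st=2%26query=%s
Key=e
[Search Engine 2]
Name=
URL=http://www.qksrv.net/click-1458483-5463217?loc=http%3A//search.ebay.com/search/search.dll%3Fcgiurl%3Dhttp%253A%252F%252Fcgi.ebay.com%252Fws%252F%26krd%3D1%26from%3DR8%26MfcISAPICommand%3DGetResult%26ht%3D1%26SortProperty%3DMetaEndSort%26query%3D%s
Key=e
[Search Engine 3]
Name=
URL=http://www.google.com/search?q=%s&sourceid=opera&num=%i&ie=utf-8&oe=utf-8
Key=g
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_SEARCH_INI
    new_text, findings = rewrite_search_ini(text)
    for section, old, new in findings:
        print(f"[{section}]\n  {old}\n  -> {new}")
    if path and findings:
        # Write beside the original; copy it over yourself with Opera closed.
        open(path + ".cleaned", "w", encoding="utf-8").write(new_text)
```

Run it with no arguments to see the constructed sample unwrapped, or with the path to your own search.ini; it writes a .cleaned copy next to the file rather than editing in place, so you can diff before swapping it in (with Opera closed, as the file header says). A URL= that goes through a redirector but carries no %s in its loc= target is deliberately left alone: that is an affiliate link, not a search engine, and blindly unwrapping it could break something else.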

And I found this: http://slashdot.org/comments.pl?threshold=...e&sid=13109 Maybe just to be sure add this section to the bottom of your /etc/hosts file:

127.0.0.1 adfarm.mediaplex.com
127.0.0.1 img-sjc.wip.mediaplex.com
127.0.0.1 img-iad.wip.mediaplex.com
127.0.0.1 img-snv.wip.mediaplex.com
127.0.0.1 mojofarm.mediaplex.com
127.0.0.1 altfarm.mediaplex.com
127.0.0.1 mediaplex.com
B) Bruno
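Bruno's hosts-file approach, as an added example that is not code from the thread: a small merge that appends the sinkhole lines only for names not already in the file, reports names that are bound to some other address instead of silently overriding them, and flags lines where several entries have been run together, which is the corruption Bruno mentions later in the thread. The blocked names are the ones listed above; the sample hosts content is constructed. Two caveats worth keeping in mind: hosts(5) matches exact names, so the mediaplex.com line does not cover adfarm.mediaplex.com and every subdomain actually contacted needs its own entry; and sinkholing the redirector does not unwrap the eBay search in search.ini, it just makes that search fail (much as Urmas's Adblock filter kills everything "Mediaplex", forum searches included).

```python
"""Idempotent ad-host sinkhole merge for /etc/hosts, with a check for
entries that have been squashed onto one line.

Added example for this forum thread; not code from anyone in it.  The
blocked names are the ones the thread lists; SAMPLE_HOSTS is constructed.
"""
import re

SINK = "127.0.0.1"

# hosts(5) matches exact names only, so every subdomain that is actually
# contacted needs its own line; a bare mediaplex.com covers nothing else.
BLOCKED = [
    "adfarm.mediaplex.com",
    "img-sjc.wip.mediaplex.com",
    "img-iad.wip.mediaplex.com",
    "img-snv.wip.mediaplex.com",
    "mojofarm.mediaplex.com",
    "altfarm.mediaplex.com",
    "mediaplex.com",
]

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _is_address(token):
    # ':' never appears in a hostname, so it marks an IPv6 literal.
    return bool(_IPV4.match(token)) or ":" in token


def parse_hosts(text):
    """Map each hostname (lower-cased) to the set of addresses it is bound
    to, ignoring comments and blank lines."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), set()).add(fields[0])
    return mapping


def joined_lines(text):
    """1-based numbers of lines carrying more than one address: several
    entries run together, of which the resolver honours only the first."""
    return [
        n for n, raw in enumerate(text.splitlines(), 1)
        if sum(_is_address(t) for t in raw.split("#", 1)[0].split()) > 1
    ]


def merge_blocklist(text, names=BLOCKED, sink=SINK):
    """Append 'sink name' for every name not yet in the file.

    Returns (new_text, added, conflicts).  conflicts are names already
    present but bound to something other than sink; they are left alone
    for a human to look at rather than overridden."""
    mapping = parse_hosts(text)
    added = [n for n in names if n.lower() not in mapping]
    conflicts = [n for n in names
                 if n.lower() in mapping and mapping[n.lower()] != {sink}]
    if not added:
        return text, [], conflicts
    if text and not text.endswith("\n"):
        text += "\n"
    block = "".join(f"{sink} {n}\n" for n in added)
    return text + "# ad-tracking sinkhole entries\n" + block, added, conflicts


# Constructed hosts file: one sinkhole entry already present, plus a line
# where two entries were run together (the corruption mentioned in the thread).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
::1 localhost ip6-localhost
127.0.0.1 adfarm.mediaplex.com
192.0.2.10 intranet.example 192.0.2.11 printer.example
"""

if __name__ == "__main__":
    new_text, added, conflicts = merge_blocklist(SAMPLE_HOSTS)
    print("added:", added)
    print("conflicts:", conflicts)
    print("joined lines:", joined_lines(SAMPLE_HOSTS))
    print(new_text)
```

Running the merge twice is a no-op, which is what you want from something you might re-run after a distribution upgrade rewrites /etc/hosts. Feed it your real file by replacing SAMPLE_HOSTS with open("/etc/hosts").read(), and look at joined_lines() before trusting any entry past the first on a squashed line.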

ok everyone thanks for the great suggestions. At first I tried to delete the mediaplex cookie in Opera. Unfortunately it reappeared! Then I deleted the .opera/cookies4.dat file and set the cookie options more restrictively. This seems to have worked ... at least for now. I'm not sure how this all started other than the redirect happened when typing the following url specifically: http://mail.yahoo.com Whether this was triggered by some type of eBay search is unknown, but when I get back to this machine I'll check out the browser history. When I start typing the mail.yahoo.com url, autocompletion kicks in and lo and behold, one of the url options which appears is the redirected url address, something similar to mail.yahoo.com BUT, at the very far right of the url, "Mediaplex - Redirect Google"


OK... now... options so far:
* Bruno's "hosts file approach"... that'll take care of Mediaplex in all your browsers.
* "Search.ini tweak" from the German link... nixes Mediaplex in Opera only.
* Installing the Adblock filter set... this is something I think you should do anyway... takes care of all the crap in Opera... Mediaplex included.
And: clear page history etc. etc... and take a shower.
Here's my (Opera 9.10) "search.ini" file for comparison... no "Mediaplex" in there >_< :

Opera Preferences version 2.1
; Do not edit this file while Opera is running
; This file is stored in UTF-8 encoding

[Version]
File Version=8

[Search Engine 1]
Name=
Verbtext=0
URL=http://www.google.com/search?q=%s&sourceid=opera&num=%i&ie=utf-8&oe=utf-8
Query=
Key=g
Is post=0
Has endseparator=0
Encoding=utf-8
Search Type=0
Position=-1
Nameid=1632215285

[Search Engine 2]
Name=
Verbtext=0
URL=http://search.opera.com/?search=%s&global=no
Query=
Key=s
Is post=0
Has endseparator=0
Encoding=utf-8
Search Type=3
Position=-1
Nameid=-1752296957

[Search Engine 3]
Name=
Verbtext=0
URL=http://www.answers.com/%s?nafid=3
Query=
Key=a
Is post=0
Has endseparator=0
Encoding=utf-8
Search Type=10
Position=-1
Nameid=-1752296958

[Search Engine 4]
Name=
Verbtext=0
URL=http://www.amazon.com/exec/obidos/external-search?tag=opera-20&index=blended&keyword=%s
Query=
Key=z
Is post=0
Has endseparator=-1
Encoding=iso-8859-1
Search Type=40
Position=-1
Nameid=-1752296956

[Search Engine 5]
Name=
Verbtext=0
URL=http://www.pricerunner.com/ref-site=operasearch/search?q=%s
Query=
Key=c
Is post=0
Has endseparator=0
Encoding=utf-8
Search Type=41
Position=-1
Nameid=1632215290

[Search Engine 6]
Name=
Verbtext=0
URL=http://www.qksrv.net/click-1458483-5463217?loc=http%3A//search.ebay.com/search/search.dll%3Fcgiurl%3Dhttp%253A%252F%252Fcgi.ebay.com%252Fws%252F%26krd%3D1%26from%3DR8%26MfcISAPICommand%3DGetResult%26ht%3D1%26SortProperty%3DMetaEndSort%26query%3D%s
Query=
Key=e
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=3
Position=-1
Nameid=-1752296955

[Search Engine 7]
Name=
Verbtext=0
URL=http://redir.opera.com/downloadsearch/?q=%s
Query=
Key=w
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=5
Position=-1
Nameid=-1752296931

[Search Engine 8]
Name=
Verbtext=0
URL=http://redir.opera.com/torrents/?q=%s
Query=
Key=b
Is post=0
Has endseparator=-1
Encoding=utf-8
Search Type=7
Position=-1
Nameid=-1971470391

[Search Engine 9]
Name=
Verbtext=0
URL=http://groups.google.com/groups?q=%s&sourceid=opera&num=%i&ie=utf-8&oe=utf-8
Query=
Key=r
Is post=0
Has endseparator=0
Encoding=utf-8
Search Type=10
Position=-1
Nameid=-1971470393

[Search Engine 10]
Name=
Verbtext=0
URL=http://news.google.com/news?q=%s&sourceid=opera&num=%i&ie=utf-8&oe=utf-8
Query=
Key=n
Is post=0
Has endseparator=-1
Encoding=utf-8
Search Type=13
Position=-1
Nameid=-1971470390

[Search Engine 11]
Name=
Verbtext=0
URL=
Query=
Key=f
Is post=0
Has endseparator=0
Encoding=
Search Type=12
Position=-1
Nameid=-1453429782

[Search Engine 12]
Name=
Verbtext=0
URL=http://www.opera.com/support/supsearch/supsearch.cgi?options=complete&maxhits=0&platform=&name=%s
Query=
Key=o
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=11
Position=-1
Nameid=-1971470392

[Search Engine 13]
Name=
Verbtext=0
URL=http://redir.opera.com/dictionary/?query=%s
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=50
Position=-1
Nameid=-1539396211

[Search Engine 14]
Name=
Verbtext=0
URL=http://redir.opera.com/encyclopedia/?query=%s
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=51
Position=-1
Nameid=1634087069

[Search Engine 15]
Name=
Verbtext=0
URL=http://ekit.lycos.com/ekit/Currency/?amount=%s&fromCurrency=%s&toCurrency=%s&action_convert.x=0&action_convert.y=0
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=52
Position=-1
Nameid=-1567414664

[Search Engine 16]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=en&to=fr
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=100
Position=-1
Nameid=1104168855

[Search Engine 17]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=en&to=de
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=101
Position=-1
Nameid=1104168855

[Search Engine 18]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=en&to=it
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=102
Position=-1
Nameid=1104168855

[Search Engine 19]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=en&to=pt
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=103
Position=-1
Nameid=1104168855

[Search Engine 20]
Name=
Verbtext=7731
URL=http://redir.opera.com/translation/?text=%s&from=en&to=es
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=104
Position=-1
Nameid=1104168855

[Search Engine 21]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=fr&to=en
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=106
Position=-1
Nameid=1104168855

[Search Engine 22]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=fr&to=de
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=107
Position=-1
Nameid=1104168855

[Search Engine 23]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=fr&to=it
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=108
Position=-1
Nameid=1104168855

[Search Engine 24]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=fr&to=pt
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=109
Position=-1
Nameid=1104168855

[Search Engine 25]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=fr&to=es
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=110
Position=-1
Nameid=1104168855

[Search Engine 26]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=de&to=en
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=111
Position=-1
Nameid=1104168855

[Search Engine 27]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=de&to=fr
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=112
Position=-1
Nameid=1104168855

[Search Engine 28]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=it&to=en
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=113
Position=-1
Nameid=1104168855

[Search Engine 29]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=it&to=fr
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=114
Position=-1
Nameid=1104168855

[Search Engine 30]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=pt&to=en
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=115
Position=-1
Nameid=1104168855

[Search Engine 31]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=es&to=en
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=116
Position=-1
Nameid=1104168855

[Search Engine 32]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=es&to=fr
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=117
Position=-1
Nameid=1104168855

[Search Engine 33]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=en&to=ja
Query=
Key=
Is post=0
Has endseparator=0
Encoding=iso-8859-1
Search Type=118
Position=-1
Nameid=1104168855

[Search Engine 34]
Name=
Verbtext=0
URL=http://redir.opera.com/translation/?text=%s&from=ja&to=en
Query=
Key=
Is post=0
Has endseparator=0
Encoding=EUC-JP
Search Type=119
Position=-1
Nameid=1104168855

B)

Edited by Urmas

Here's my (Opera 9.10) "search.ini" file for comparison... no "Mediaplex" in there >_<
If you want to make sure nobody can change/delete/edit that file, not even the owner or root . . . you can set the "immutable flag" ( I do that to my "hosts" file :bangin: ) The command to set it is:
# chattr +i testfile

This way the file is protected and cannot be altered, not even by root ! . . . The command to remove the "immutable flag" is

# chattr -i testfile

One word of WARNING: don't set the "immutable flag" randomly on loads of files . . . only on 1 or 2 that you think are most important to protect ! And do not forget that you did set them . . . because you will later wonder why you are not able to edit/delete the file B) ( the command chattr is only for advanced users ! ) On my system only the /etc/hosts is immutable because somehow it got messed up now and then ( not one item per line but all items in just one line . . . . and I found it difficult to manage that way ). :bye2: Bruno PS: There will be a Tip posted about chattr and other advanced permissions soon . . . I have it written out, only need to format it with tags.


Thanks everyone, back in business B) While kind of a pain it was nevertheless informative. Makes me wonder if I should try to repeat this all over again and learn even more! :ph34r: Nah :)


slightly OT: Is this Opera behavior also true of the windows version? If someone thinks they are infected and uses Opera to browse, it might be good to tell them they aren't infected; they either need a good hosts file or an adblocker.


slightly OT: Is this Opera behavior also true of the windows version? If someone thinks they are infected and uses Opera to browse, it might be good to tell them they aren't infected; they either need a good hosts file or an adblocker.
From what I did read it does indeed affect the Windows version of Opera too . . . . . :ph34r: B) Bruno

slightly OT: Is this Opera behavior also true of the windows version? If someone thinks they are infected and uses Opera to browse, it might be good to tell them they aren't infected; they either need a good hosts file or an adblocker.
Yup... I found a couple of threads like this: http://my.opera.com/community/forums/topic.dml?id=142084 Now get this: B) I had to search the Opera Forums using Firefox, because my Opera Adblock filter kills everything "Mediaplex"... even forum searches, whereas the browser itself... :ph34r:
"honk honk"--Harpo Marx
:)

BTW: Where would one put that *.ini file exactly?
The default location:
Linux: ~/.opera/urlfilter.ini
(The lesser OS: C:\Documents and Settings\...\Application Data\Opera\Opera\profile) B)

Guest LilBambi

Great, thought so. Also on the Mac, that would likely be:
~/Library/Preferences/Opera Preferences
where the bookmarks etc. are for Opera, which is where I put it for the Mac.


OR: the cross-platform egghead solution that actually allows you to put the file wherever you want: in the address bar, type "opera:config", choose "Network", and specify the "URL Filter File" location. I love "opera:config". :hysterical:


Guest LilBambi

According to opera:config, the location in Mac OS X Tiger:
~/Library/Preferences/Opera Preferences/urlfilter.ini
where I replaced the actual user home area with the ~ for pasting purposes since it means the same thing in *NIX.


LOL . . . Temmu ! . . I kind of knew you would pick out the exciting stuff . . . . . LOL . . . chattr is a nice command, but I hope you took note of the "warning" as well :pirate:

One word of WARNING: don't set the "immutable flag" randomly on loads of files . . . only on 1 or 2 that you think are most important to protect ! And do not forget that you did set them . . . because you will later wonder why you are not able to edit/delete the file :hmm: ( the command chattr is only for advanced users ! )
:hmm: :devil: Bruno
