Q. How do I get rid of ib.adnxs.com

ib.adnxs is browser redirect malware that installs into your browser and sends your web searches to different sites instead of where you want to go. It will persistently pop up its own addresses in your browser. It will change your home page and search engine settings, and may change your DNS settings. There is disagreement about whether this is a simple browser redirect entry, a Trojan, or possibly a rootkit. The instructions below cover removing the redirect commands from your browser(s); however, the problem may recur if the malware is a persistent Trojan or rootkit virus.

Download Malwarebytes from http://www.malwarebytes.org

and CCleaner http://computer-answers.ca/2011/computer-questions/windows-questions/favorite-windows-utilities-from-piriform/

I would recommend starting in Safe mode (F8) and running a Full Malwarebytes scan to check the machine and registry. Running CCleaner to clean the registry wouldn’t hurt either.

Then clean the browsers individually:

Firefox:

Go to Manage Search Engines in Firefox and remove any entries for adnxs

http://support.mozilla.org/en-US/kb/search-bar-easily-choose-your-search-engine

Check if you have adnxs in your Firefox menu > Add-ons and remove any items for adnxs. Check both the Plugins tab and the Extensions tab (on older versions, Tools > Add-ons).

http://support.mozilla.org/en-US/kb/disable-or-remove-add-ons

Set the Home page to the search engine of your choice (the default Google search entry is http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q= )

http://support.mozilla.org/en-US/kb/How%20to%20set%20the%20home%20page?s=Set+home+page&r=1&as=s

Remove adnxs or any unknown search engine entry from the search engine default for unrecognized pages

  1. In the address bar enter “about:config” and hit Enter
  2. Bypass the warranty screen(s) by clicking
  3. On the next screen enter “adnxs” in the Filter window (a search in the config)
  4. Check whether adnxs or unknown entries show up.
  5. Highlight each of these entries one at a time, right-click and choose “reset”.
  6. When finished, close the file.
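
The same filter can be run offline against a saved copy of the profile's prefs.js, the file where Firefox stores changed preferences. This is an added example, not part of the original instructions: the sample preferences, the `extensions.adnxs.enabled` name and the trusted-host list are constructed, and it goes slightly further than the about:config filter by also flagging home page and search URLs that point at unknown hosts.

```python
import re
from urllib.parse import urlparse

# One line of prefs.js looks like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')

# Preferences that decide where the home page, searches and new tabs go.
# Illustrative selection; the names differ between Firefox versions.
REDIRECT_PREFS = ("browser.startup.homepage", "keyword.URL", "browser.newtab.url")

# Constructed sample, not taken from a real machine.
SAMPLE_PREFS = """\
// Constructed sample prefs.js
user_pref("browser.startup.homepage", "http://ib.adnxs.com/");
user_pref("keyword.URL", "http://search.example.net/?q=");
user_pref("browser.newtab.url", "http://www.google.com/");
user_pref("extensions.adnxs.enabled", true);
user_pref("browser.tabs.warnOnClose", false);
"""

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs

def host_trusted(url, trusted):
    """True only if the URL's host is a trusted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def review_prefs(text, marker="adnxs", trusted=("google.com",)):
    """Return sorted (name, value, reason) tuples for suspicious preferences."""
    findings = []
    for name, value in parse_prefs(text).items():
        if marker.lower() in (name + " " + value).lower():
            findings.append((name, value, "matches filter"))
        elif name in REDIRECT_PREFS:
            # The home page preference may hold several URLs separated by "|".
            urls = [u for u in value.split("|") if "://" in u]
            if any(not host_trusted(u, trusted) for u in urls):
                findings.append((name, value, "unknown entry"))
    return sorted(findings)

if __name__ == "__main__":
    for name, value, reason in review_prefs(SAMPLE_PREFS):
        print(f"{reason:15} {name} = {value}")
```

Anything reported as "unknown entry" is a candidate for the reset step above, not proof of infection; adjust the trusted list to the search engine you actually use.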

Chrome

  1. Click on the wrench icon in the Google Chrome address bar and from the drop down menu select Settings > Extensions or Tools > Extensions — depending on your version
    (or enter chrome://settings/extensions in the location bar)
  2. Check if any items of adnxs or unknown entries are listed in the browser Extensions. If they are, click on uninstall to remove the toolbar(s) from the browser.
  3. Close the window. Choose the wrench icon again and depending on your version choose Settings > Settings or Options from the drop down menu.
  4. Check the Home Page setting under Basics to see if adnxs or unknown entries are listed. Replace it with another search engine that you want to use for your home page.
  5. Click Manage search engines, check if adnxs or unknown entries are listed on the page. Hover your mouse over the entries, click the X icon to uninstall it. Go back to the previous page and pick another available search engine as the default browser search engine.
  6. Check the On Start Up entry in Settings, click on Go to a specific page… and enter http://www.Google.com  or your preferred search engine.

Internet Explorer

(note, we no longer recommend the use of Internet Explorer)

If you don’t have any preferences and settings in Internet Explorer that you particularly want to keep, you can do a reset of the IE Settings http://www.microsoft.com/security/pc-security/browser-hijacking.aspx

Otherwise you can remove it manually

Delete the adnxs or unknown entries in Toolbars

  1. Open Internet Explorer and click on “Tools”.
  2. Select “Manage Add Ons”,  search for adnxs or unknown entries in the list of add-ons.
  3. Right Click on the adnxs or unknown entries and select “disable”.
  4. Click on “Ok” and restart Internet Explorer.

Restore your home page to the one you want

http://www.microsoft.com/security/pc-security/homepagerestore.aspx

Remove adnxs or unknown entries from the search engine default for unrecognized pages (note this requires editing your Registry. Back it up first.  If you are not confident, refer the work to someone experienced)

  1. Open “RegEdit” through the launch menu.
  2. Find this entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\About URLs\Tabs
  3. Change the entry that points to adnxs or unknown entries, to the search engine you want (Google for example).

Check your DNS settings

Go to Start menu > Control Panel > right-click Local Area Connection > double-click Properties

Select Internet Protocol (TCP/IP), and then click on Properties

Check: Obtain DNS server address automatically, and then click OK
– OR – manually enter the OpenDNS server addresses 

Clean Up

After removing and resetting, I would recommend starting in Safe mode (F8) and running Malwarebytes or SuperAntiSpyware again to check the machine and registry, and run CCleaner to clean the registry.  Then test your browser(s) by opening them and typing in some nonsense in the URL/location bar to make sure the defaults have been successfully changed.

adnxs may still remain on your machine

Go to C:\Program Files\ and delete any folder related to adnxs
Go to C:\Program Files (x86)\ and delete any folder related to adnxs

Restart the machine in Safe Mode (F8) and run CCleaner

  1. Open CCleaner,
  2. Click Tools,
  3. Select adnxs from the list if it is on it,
  4. Click Uninstall.
  5. Run the Registry tool,
  6. Run the cleaner.

List of files for manual removal – a complication for manual removal is that adnxs is reputed to be able to randomize filenames and entries. The following suggestions have been copied from online sources which have not been tested. Please do not alter your machine or registry unless you know what you are doing.

%AppData%\[trojan name]\toolbar\couponsmerchants.xml
%AppData%\[trojan name]\toolbar\guid.dat
%AppData%\[trojan name]\toolbar\log.txt
%AppData%\[trojan name]\toolbar\preferences.dat
%AppData%\[trojan name]\toolbar\stats.dat
%AppData%\[trojan name]\toolbar\uninstallIE.dat

Delete associated files of Ib.adnxs.com Redirect virus:

C:\WINDOWS\assembly\KYH_64\Desktop.ini
C:\Windows\assembly\KYH_32\Desktop.ini
C:\WINDOWS\system32\giner.exe

Remove registry entries of isearch.claro-search.com Redirect virus:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\random
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run\random
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\5ATIUYW62OUOMNBX256 “(Default)”=“1”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\“UninstallString” = “‘%AppData%\[RANDOM]\[RANDOM].exe” -u
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\“ShortcutPath” = “‘C:\Documents and Settings\All Users\Application Data\5ATIUYW62OUOMNBX256.exe” -u’”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “5ATIUYW62OUOMNBX256” = “‘C:\Documents and Settings\All Users\Application Data\5ATIUYW62OUOMNBX256.exe’

If the problem still exists, then you would need to treat it as a serious viral infection, possibly a rootkit. See more information on the Google Redirect rootkit.

About Browser Security:

Installing an ad blocker in your Web browser or turning on the browser's anti-popup features is a first step, but it is not enough.

Many viruses that are launched from a poisoned Web page or banner ad rely on Java and/or JavaScript running in your Web browser software to execute their instructions. If you turn off Java entirely, or remove it from your Web browser, you will be safer. Turning off JavaScript, however, is more problematic, because many of the legitimate sites you visit use JavaScript for drop-down menus, calendars, form filling, etc., and the sites won’t function without scripting. My recommended solution is to use Firefox as your Web browser, with the addition of the NoScript plugin, which allows you to control which scripts you allow to run, and blocks all others.
