Author Topic: wtf: many advertisements in chrome (YouTube) but no AV finding virus  (Read 17237 times)


devnullius

2 computers:
one of a new friend, the other from an old-old-old friend.

PC 1, old friend:
- systemprotect
- PC Tools Spyware Doctor
- Avast Home
- anvir taskmanager
- temp file cleanup script at logon, by Devnullius
- soluto
- browserprotect

PC 2, new friend:
- obsolete expired McAfee
- no recent windows microsoft updates
- many nasties, all removed with
* kaspersky boot cd
* avast boot cd
* avg boot cd
* combofix
* ADWCleaner: clean up "helper" programs. http://scforum.info/index.php/topic,8558.msg22099.html#msg22099
* Junkware removal tool
* superantispyware
* hitman pro
* tdskiller
* malwarebytes 30-day trial
* eset nod32 30-day trial
* RogueKiller
* BitDefender 30-day trial
* Emsisoft Emergency Kit
* Bitdefender Rescue CD
* 360TS ("new" Chinese AV going global)
- clean chrome profile

I cleaned PC 2 and all looked fine to me. I think I didn't use the laptop enough, because my friend called back (I thought you were good? - AUW) They still had popups and advertisements all over the place.

I focussed on the advertisement I saw in Youtube: above "other titles of interest" there would be a google ad (big square banner).
It should not be there!

Back to PC1: my friend already said he messed up after visiting some sexsite and avast warnings. Indeed, stuff needed to be removed. It seemed like a simple enough task which I spread out over a few visits (start scan, bye bye). All looked clean again (and still looks clean) but when I went to YouTube... Again, a big advertisement!! :(

And that ad should not be there. PC 1 did not have popups but indeed way too many advertisements on all pages. Did not notice it at first, due to my blissful online life with ad muncher :)

Code of the YouTube page:
(edit) (can't copy paste: only lines)

You can clearly see the traces of a well-known virus, but I cannot get rid of it nor does it get detected by *anything* :(

Funny part is the google advertisements follow the intro-ad from youtube / google flawlessly... Mostly big, sometimes small banners. I'm starting to believe they belong there ;p

Sigh... Clean install, really?? For this? :(

Open to EXPERT suggestions!

Devvie

twitter.com/devnullius
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info


jheysen

Time to use Sysinternals, start with Process Explorer and see which DLLs are injected into the browser.
I suppose you ran a test with safe mode with net capabilities :p

neerajrawat1

Try Malwarebytes for adware and then Emsisoft Emergency Kit for the virus. Please do share the outcome here.

It happened only once with me that none of the above-listed software, including the two mentioned by me, was able to fix the malware issue, like the one you are facing, and then I had to do a clean install as I did not have more time to go ahead with things like combo fix (though I never tried it).

488077P

I don't know if this will help. Had the same issue myself a few weeks ago and I ran various malware removal kits. ADWCleaner worked, but, upon restarting browsers, the issue slowly but surely grew again. I even reinstalled Firefox cleanly, but the issue remained in Chrome, which propagated into IE and Firefox. All of this based from Deltasearch being default search engine, not my doing. ADWCleaner removes the malware, but you have to change the settings and remove references to Deltasearch from Chrome manually in settings. Note: beware of spurious versions of ADWCleaner, get it from BleepingComputer only ( http://www.bleepingcomputer.com/download/adwcleaner/ ), earlier in article. If a msg pops up saying a new version is available, do not click on the link.
Once I had removed the reference to Deltasearch from Chrome, I then reinstalled Firefox again, and, clean and green for 2 weeks. I guess this would work with IE and Chrome, since I reinstalled these too, using base (recommended) settings.
Curiously, I thought I had cleared the infection prior to the above actions, when I used my laptop at my mother's, new IP address. I did not have any issues whilst at mum's, and I was there for a week. Issue only recurred when I went home, which led me to think it was to do with my broadband provider.
You have to be as persistent to rid this rubbish from your machine.
If you are having the issue with Google Ads, then this could be down to their ADService, which appears to have no proper 'OPT Out' methodology. Maybe there will be a public backlash?

Good luck
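
Added example, not part of the post above or of any tool it mentions: a read-only Python check that lists every string in a Chrome profile's Preferences JSON that still mentions the hijacker after a cleaner has run, so the leftover homepage, startup and search-engine entries can be removed by hand in settings. The sample profile, its key names and the .example domain are constructed assumptions.

```python
import json
import re
import sys

# Name taken from the post above; matching ignores case and punctuation so
# "Delta Search" and "delta-search" are both caught.
NEEDLE = "deltasearch"

# Constructed sample, not a real profile. Key names and the .example domain
# are illustrative assumptions; the scan does not depend on key names.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://www.delta-search.example/",
    "session": {
        "restore_on_startup": 4,
        "startup_urls": ["http://www.delta-search.example/",
                         "https://www.youtube.com/"],
    },
    "default_search_provider": {
        "name": "Delta Search",
        "search_url": "http://www.delta-search.example/?q={searchTerms}",
    },
})


def _matches(text, needle):
    # Compare on letters and digits only.
    return needle in re.sub(r"[^a-z0-9]", "", text.lower())


def find_references(node, needle=NEEDLE, path=""):
    """Return (json_path, value) for every string value that mentions needle."""
    if isinstance(node, dict):
        return [hit for key, value in node.items()
                for hit in find_references(value, needle,
                                           f"{path}.{key}" if path else key)]
    if isinstance(node, list):
        return [hit for i, value in enumerate(node)
                for hit in find_references(value, needle, f"{path}[{i}]")]
    if isinstance(node, str) and _matches(node, needle):
        return [(path, node)]
    return []


def scan_preferences_text(text, needle=NEEDLE):
    return find_references(json.loads(text), needle)


if __name__ == "__main__":
    # Optional argument: path to a profile's Preferences file (plain JSON).
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFERENCES
    for json_path, value in scan_preferences_text(text):
        print(f"{json_path}: {value}")
```

An empty result after cleanup means no string value in that file names the hijacker; each browser profile has its own Preferences file and needs its own pass.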

neerajrawat1

This can be useful as well http://www.expertsgalaxy.com/2012/07/sophos-free-virus-malware-removal-tool.html

As of now, I am scanning my computer with Sophos so thought to share it as well.



Samker

Did you check what happened with different browsers? It could come to some conclusions... ;)

Also, try with some Online Anti-Malware Scanners (BitDefender, Panda...): http://scforum.info/index.php/topic,734.0.html

You might be surprised by the result...

devnullius

Did you check what happened with different browsers? It could come to some conclusions... ;)

Also, try with some Online Anti-Malware Scanners (BitDefender, Panda...): http://scforum.info/index.php/topic,734.0.html

You might be surprised by the result...

First, move this post to the correct board? I think I posted it wrongly here ;p

I'll follow jheysen's advice... No AV is finding anything, so I expect an online scan not to add anything that the regular installed version cannot...? Correct me if I'm wrong.

I still have to edit all tools used... I don't expect a hi-jack of the chrome process, but we'll see. I'll even remove chrome.exe AND try IE. Brrr... IE....

:) Devvie

Samker

...

I'll follow jheysen's advice... No AV is finding anything, so I expect an online scan not to add anything that the regular installed version cannot...? Correct me if I'm wrong.

I still have to edit all tools used... I don't expect a hi-jack of the chrome process, but we'll see. I'll even remove chrome.exe AND try IE. Brrr... IE....

...

Ok, keep us informed about "news"... ;)


...

First, move this post to the correct board? I think I posted it wrongly here ;p

...

Done, Topic is now in "PC Help Center": http://scforum.info/index.php/board,16.0.html


devnullius

Re: wtf: many advertisements in chrome (YouTube) but no AV finding virus
« Reply #8 on: 01. September 2014., 02:50:13 »
Did you check what happened with different browsers? It could come to some conclusions... ;)

You might be surprised by the result...
In safe mode now, with IE & Chrome, still those advertisements on PC1 (the one I'm actually testing all these removal tools on)

devnullius

Re: wtf: many advertisements in chrome (YouTube) but no AV finding virus
« Reply #9 on: 01. September 2014., 03:01:14 »
Time to use Sysinternals, start with Process Explorer and see which DLLs are injected into the browser.
I suppose you ran a test with safe mode with net capabilities :p

No :) I did not go to safe mode yet ;p

I am now.

No special hooks to be found... All makes sense, for Chrome anyway :)

This process (in safe mode) looked a bit freaky
\??\C:\Windows\system32\conhost.exe "-60535637113785521401212644738-281049011790157655123640945610263405341151337691

But should be legit.

Something red popped up once in a while (danger!) but it turned out to be PAV2WSC.exe, a Panda Security process...
