Topic: wtf: many advertisements in chrome (YouTube) but no AV finding virus

[jheysen]

You should not see the colors, but see wether the processes are Digitally Signed (You can check that with Process explorer) and begin to check wich DLLs are hooked to the browsers...
The other attack vector is going with ProcessMonitor... but you should have an idea of what are you looking for before opening it

[devnullius]

Sophos Virus Removal tool cannot install (in safe mode): no network location found.

Strange error :s

Gonna reboot and give up I suppose? Two full new installations... Will take me well over a week!

Devvie

[devnullius]

You should not see the colors, but see wether the processes are Digitally Signed (You can check that with Process explorer) and begin to check wich DLLs are hooked to the browsers...
The other attack vector is going with ProcessMonitor... but you should have an idea of what are you looking for before opening it

I understand I should not look for colors ;p It was one of the two proceses that didn't made immediate sense

I looked with your comments in mind, but still looks good to me?



http://i.imgur.com/L9bBdBM.png
That said, I should really clean chrome.exe shortcuts and stuff... I do not like the yellow pop-up for chrome... Does not make a lot of sense, unless hi-jacked in the simplest way possible... Shortcut modification. And yes, I did not test for that Cleaned %AppData% for chrome, not shortcuts. Still, IE is not good either!

We'll test and see

Devvie

[jheysen]

There's a strange call to explorer.exe
And maybe you can throw into action ProcessMonitor filtering just for chrome.
Did you check the usual hooks for explorer and WinLogon?

[devnullius]

There's a strange call to explorer.exe
And maybe you can throw into action ProcessMonitor filtering just for chrome.
Did you check the usual hooks for explorer and WinLogon?

Oh F* me! You are right! How could I not see this... I'm not as much an expert as I thought, lol.

I guess I need your help now... How to proceed next?

[devnullius]

Sophos and 360 Total Security on high still returned clean scans.

I must say, I really like 360 Total Security. You should check it out, might replace my avast real soon! ;p

Really need some advice on that explorer hi-jack you uncovered... https://encrypted.google.com/search?rlz=1C1GPCK_enNL430NL430&{google:acceptedSuggestion}oq=goo&sourceid=chrome&ie=UTF-8&q=google#q=C%3A%5CWindows%5Cexplorer.exe+%2Ffactory%2C%7Bceff45ee-c862-41de-aee2-a022c81eda92%7D+-Embedding



Did I mention PC1 is Windows 7 Enterprise...? Might this explain the hi-jack?

Devvie

[neerajrawat1]

Did you try Emsisoft and malwarebytes as well?

[devnullius]

Did you try Emsisoft and malwarebytes as well?

Yes, everything in the list has been installed / ran... To no avail!

I mean: YOU guys do not have an advertisement square banner above suggested titles in youtube when watching videos, right? I really think they should not be there, but... Starting to doubt myself now



Devvie

[devnullius]

Did you check the usual hooks for explorer and WinLogon?

Shouldn't any decent AV detect this stuff...?

[neerajrawat1]

No idea what are you referring to? I am using Adblock Plus, try it, may help.