This has to be the worst adware I've seen. Page 1 / 2

nzoomed, Apr 3, 7:03am
I've recently seen this on a handful of computers in different variants.
No antivirus software I've tried can remove it, and there is no reliable source of information I can find anywhere about it.
The two things that hijack the browser are ad options and a hot deals sidebar; it seems to only affect Chrome and Firefox on this machine.
https://trademe.tmcdn.co.nz/photoserver/full/374007882.jpg

I've run ComboFix, NOD32, AdwCleaner, RogueKiller, Avast, Malwarebytes, HitmanPro and TDSSKiller, to name a few.
On the other machines I've seen it on, one had an uninstaller of all things in Control Panel, but this one doesn't have anything like that, nor any other suspicious apps or toolbars etc. I've used System Restore in the past too, but I want to know if there is any information about this particular infection. I believe it could be some sort of rootkit, but again no scanner has detected it. I have also completely wiped and reinstalled Firefox with no result.

mr-word, Apr 3, 7:18am
Are the ads loading with Flash? Could it be one of your toolbars? What happens when you right-click one of the ads?

I think you need a BleepingComputer.com expert to help you with this.
It may be easier just to reinstall Windows.

You are using the right kind of tools to get rid of the adware, but you *must* follow the removal instructions carefully, because it came from some PUP that was bundled with some adware you downloaded.

These programs may not be removing the program because you accidentally agreed to install it when you installed the freeware.

http://malwaretips.com/blogs/hot-deals-popup-virus/


d.snell, Apr 3, 7:31am
Not sure where you were looking; typing "remove hot deals popup" into Google brought up 1,140,000 results, and the first few are extremely informative.

mazdasix, Apr 3, 7:35am
I got the same malware. It's the first malware I've ever got, 'cos I'm always careful. But no amount of antimalware software or instructions on Google will get rid of it. I had to reinstall my OS.

44kiwi, Apr 3, 7:41am
I am also having a very similar problem and have tried the same cleaners as you, and they all say my computer is clean as a whistle! Ready to give it a kick! Windows 8. Just go into a program like TM, then other web pages hijack the page I'm looking at! So I have to start again. Not just pop-ups, full web pages!

nzoomed, Apr 3, 8:03am
He did have YTD YouTube Downloader on there, but he has had it on there for some months in the past with no issues. I did uninstall it, but I don't think it was the culprit, although I would still class it as a PUP.
Installing the NoScript add-on in Firefox stops it coming up, so I expect there are JavaScripts at play; I would like to take it to someone at BleepingComputer.
It's a pretty sneaky program and I'm unsure how it operates. If there is a known file or exe at play that is attaching itself to a process, I can't identify it, and no scanner is detecting it; I wonder if it actually physically replaces certain files in the system with its own code.
Usually I can find such suspicious items in memory, but nothing is popping out at me here.
I've submitted quite a substantial amount of suspicious files in the past which were consequently added to the virus defs shortly after, back in the day, but very rarely do I come across such infections these days.
https://noscript.net/

nzoomed, Apr 3, 8:07am
I googled "hot deals" sidebar or "ad options" adware; I can't find any reliable source of information. A lot are just pointing to download SpyHunter, which is a well-known rogue program.

Anyway, the results I'm getting with what you suggest are still pretty much what I got. Nothing in Add/Remove Programs that I can point to as the culprit.

mephismeltdown, Apr 3, 8:23am
I know how to get rid of it, but sorry, can't tell you on here.

gibler, Apr 3, 8:51am
DNS Hijack. Proxy?
I usually have a quick look with Autoruns and see what is happening with Process Explorer.

I once had someone with malware that popped up a dating ad about once every few days. Nothing at the time was detecting it.

deodar1, Apr 3, 9:03am
nzoomed you need this software ASAP!

(Trade Me listing #864758972, start price $45,000.00, no reserve)

suicidemonkey, Apr 3, 9:31am
I'm embarrassed to say I got this too. It's the first malware or virus that I've been infected with in decades. I'm generally extremely careful with what I download, but it seems to have come with a YouTube downloader Chrome extension. I made the mistake of "trusting" what's in the Chrome Store.

A malware scan in safe mode seems to have done the trick.

wayne416, Apr 3, 9:34am
Uninstall the browser and restart, then go to the C drive, show hidden folders and remove anything related to whichever browser has the problem under Program Files, ProgramData and Users\<user name>\AppData (Local, LocalLow and Roaming), then run the CCleaner registry cleaner, reboot and reinstall the browser. May help.

nzoomed, Apr 3, 10:47am
Wasn't this one by any chance?
http://www.ytddownloader.com/

drsr, Apr 3, 8:59pm
Browse the same sites in Chrome incognito mode, which doesn't load extensions by default, and see if it still shows up. If it does, and none of the extensions on your list have "allow in incognito" checked, then it's a lower-level hijack; if not, then it's an extension, probably one being dropped in by some malware.

You can use this method to check which content scripts are affecting your page:
http://www.howtogeek.com/213096/how-do-you-find-chrome-extensions-that-inject-ads-into-web-pages/

I like to use Autoruns to manually clean or check for successful cleaning, more or less as described here: http://www.howtogeek.com/howto/12837/use-autoruns-to-manually-clean-an-infected-pc/

Make sure to check the "Scheduled tasks" tab as this is how malware reinstalls itself sometimes.

mrfxit, Apr 3, 9:26pm
Just for the heck of it, install & run "Ghostery".
It's a small, tidy tracker blocker; I would be interested to know if it detects anything outgoing or anything being dragged in by that bugger of an infection.

king1, Apr 3, 9:41pm
Have a look in the extensions folder for Chrome and see if it ties up with what's listed in Chrome:
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Extensions

Maybe one that isn't listed inside Chrome - don't know if it's possible but might be worth a look.
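An added example (not from anyone in this thread) of the check king1 and drsr describe: walk the on-disk Chrome Extensions folder, read each extension's manifest.json, and flag any whose content scripts are set to run on every page, which is the usual shape of an ad-injecting extension. The Windows path, the constructed sample extension tree and the extension IDs in it are assumptions for the demo; point `audit_extensions` at the real folder to compare its output with chrome://extensions.

```python
"""Audit Chrome extension folders on disk and flag extensions whose content
scripts run on every page. Added example, not code from the thread."""
import json
import os
import tempfile
from pathlib import Path

# Default profile location quoted in the thread (assumption: Windows, "Default" profile)
DEFAULT_ROOT = os.path.expandvars(r"%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions")

# Match patterns that let a content script run on any site
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(root):
    """Return one dict per root/<id>/<version>/manifest.json found on disk."""
    findings = []
    root = Path(root)
    if not root.is_dir():
        return findings
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                m = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, but keep going
            matches = set()
            for cs in m.get("content_scripts", []):
                matches.update(cs.get("matches", []))
            findings.append({
                "id": ext_dir.name,
                "version": m.get("version", ver_dir.name),
                "name": m.get("name", "?"),
                "broad_content_script": bool(matches & BROAD_MATCHES),
                "permissions": sorted(str(p) for p in m.get("permissions", [])),
            })
    return findings


def build_sample_tree():
    """Constructed sample tree: one narrowly scoped extension, one that injects everywhere."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Notes", "version": "1.0",
            "content_scripts": [{"matches": ["https://example.com/*"], "js": ["n.js"]}]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Video Downloader", "version": "2.3.1",
            "permissions": ["webRequest", "tabs", "<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / (manifest["version"] + "_0")  # Chrome names version dirs like this
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_extensions(build_sample_tree()):
        flag = "BROAD" if f["broad_content_script"] else "     "
        print(f"{flag} {f['id']} {f['name']} {f['version']} perms={f['permissions']}")
```

Any ID the script reports that does not appear in chrome://extensions is the "not listed inside Chrome" case king1 mentions and is worth pulling for a closer look.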

nzoomed, Apr 3, 10:24pm
I've since removed Chrome because he doesn't use it.
I will try Ghostery and see what it picks up; I still have the same problem with all the add-ons disabled in Firefox. I'm quite interested to discover how this infection operates; if I could install it in a sandbox environment it should be possible to monitor what it does to the system.

tail_red, Apr 3, 10:39pm
Disable all startup items, reboot to safe mode (w/o networking), and do a full system scan from there.

nzoomed, Apr 3, 10:46pm
It's detected and blocked adcash, ad4game and revenuehits so far, which are pages that automatically redirect while browsing a page.

nzoomed, Apr 3, 10:48pm
I've done a complete offline scan with NOD32; found nothing.

king1, Apr 3, 10:56pm
Presumably you've checked Task Manager processes for unknowns.

nzoomed, Apr 3, 10:59pm
Yes, looks as clean as could be. I think whatever this thing is infects or overwrites a normal file; absolutely nothing I can see of concern.

tail_red, Apr 3, 11:02pm
Antivirus might not help because most don't classify adware as a "threat."

What you can try is to find out the process's name in Task Manager and its file location, then manually delete the folder in safe mode (or from a portable Linux if that fails) and clean the registry afterwards. It's not the most elegant solution, but it usually works.

muzza3, Apr 3, 11:06pm
I am fairly sure I had this a few weeks back; eventually gave in and purchased SpyHunter, that got the little bastard, squashed with a big size 10.

nzoomed, Apr 3, 11:07pm
I'm going to do a System Restore, but typically in the past I can usually run a process manager and see if any suspicious DLL files etc. have attached themselves to a process such as explorer.exe or Firefox; nothing stands out in front of me that looks suspicious. I think that this thing actually is doing some rather malicious activity, and is doing a good job at hiding itself.

Still surprised ComboFix does not detect it.
