This has to be the worst Adware ive seen.

Ive recently seen this on a handful of computers in different variants.
No antivirus software ive tried can remove it and there is no reliable source of information i can find anywhere about it.
The two things that hijack the browser are ad options and a hot deals sidebar, seems to only affect chrome and firefox on this machine.

Ive ran combofix, nod32, adwcleaner, rougekiller, aavast, malwarebytes, hitmanpro, tdsskiller to name a few.
On the other machines ive seen it on one had an uninstaller of all things in control panel, but this doesnt have anything like that nor any other suspicious apps or toolbars etc. Ive used system restore in the past too, but want to know if there is any information about this particular infection, i believe it could be some sort of rootkit, but again no scanner has detected it. I have also completley wiped and reinstalled firefox with no results.

geek_nzoomed, Apr 3, 8:03 pm

Are the ads loading with flash? Could it be one of your tool bars. What happens when you right click one of the ads?

I think you need a bleeping expert to help you with this?
It may be easier just to reinstall windows.

You are using the right kind of tools to get rid of the adware but you *Must*
follow the removal instructions carefully, because it came from some pup
that was bundled with some adware you downloaded.

These programs may not be removing the program because you accidentally agreed to install it when you installed the freeware.

geek_mr-word, Apr 3, 8:18 pm

not sure where you were looking, typing "remove hot deals popup" into google bought up 1,140,000 results and the first few are extremely informative.

geek_d.snell, Apr 3, 8:31 pm

I got the same malware. It's the first malware I've ever got cos i'm always careful. But no amount of antimalware software or instructions on google will get rid of it. I had to reinstall my OS.

geek_mazdasix, Apr 3, 8:35 pm

I am also having a very similar problem and have tried the same cleaners as you and they all say my computer is clean as a whistle! Ready to give it a kick! Windows8. Just go into a program like TM then other web pages hijack the page I'm looking at! So I have to start again. Not just pop ups full web pages!

geek_44kiwi, Apr 3, 8:41 pm

He did have YTD youtube downloader on there, but he has had it on there for some months in the past with no issues, i did uninstall it, but i dont think it was the culprit, although i would still class it as a PUP.
Installing the noscript addon in firefox stops it coming up, so i expect there are javascripts at play, i would like to take it to someone at bleepingcomputer.
Its a pretty sneaky program and im unsure how it operates, if there is a known file or exe at play that is attaching itself to a process, i cant identify it and no scanner is detecting it, i wonder if it actually physically replaces certain files in the system with its own code.
Usually i can find such suspicious items in memory but nothing is popping out at me here.
Ive submitted quite a substantial amount of suspicious files in the past which have consequently been added to the virus defs shortly after back in the day, but very rarely do i come across such infections these days.

geek_nzoomed, Apr 3, 9:03 pm

I googled "hot deals" sidebar or "ad options" adware, i cant find any reliable source of information, alot are just pointing to download spyhunter which is a well known rouge program.

Anyway, the results im getting with what you suggest are still pretty much what i got. Nothing in add/remove programs that i can point as the culprit.

geek_nzoomed, Apr 3, 9:07 pm

I know how to get rid of it. but sorry can't tell you on here.

geek_mephismeltdown, Apr 3, 9:23 pm

DNS Hijack. Proxy?
I usually have a quick look with Autoruns and see what is happening with Process Explorer.

I once had someone with malware that popped up a dating ad about once every few days. Nothing at the time was detecting it.

geek_gibler, Apr 3, 9:51 pm

nzoomed you need this software ASAP!

Start price: $45,000.00No reserve No reserve Closes: 9 hoursWatchlist Listing #: 864758972

geek_deodar1, Apr 3, 10:03 pm

I'm embarrassed to say I got this too. It's the first malware or virus that I've been infected with in decades. I'm generally extremely careful with what I download - but it seems to have come with a Youtube downloader Chrome extension. I made the mistake of "trusting" what's in the Chrome Store.

A malware scan in safe mode seems to have done the trick.

geek_suicidemonkey, Apr 3, 10:31 pm

Uninstall browser and restart, then go to c drive and then show hidden folders and remove anything related to which browser has the problem under program files, program data, users, user name, app data, local, low and roaming then run Ccleaner registry cleaner and reboot and reinstall browser. May help.

geek_wayne416, Apr 3, 10:34 pm

Wasnt this one by any chance?

geek_nzoomed, Apr 3, 11:47 pm

Browse the same sites in Chrome incognito mode, which doesn't load extensions by default, and see if it still shows up. If it does, and none of the extensions on your list have "allow in incognito" checked, then it's a lower-level hijack, if not then it's an extension, probably one being dropped in by some malware.

You can use this method to check which content scripts are affecting your page: I like to use Autoruns to manually clean or check for successful cleaning, more or less as described here:

Make sure to check the "Scheduled tasks" tab as this is how malware reinstalls itself sometimes.

geek_drsr, Apr 4, 9:59 am

Just for the heck of it, install & run "Ghostery".
It's a small tidy tracker blocker, I would be interested to know if it detects anything outgoing or anything being dragged in by that bugger of an infection

geek_mrfxit, Apr 4, 10:26 am

have a look in the extensions folder for chrome and see if it ties up with whats listed in chrome
cal\Google\Chrome\User Data\Default\Extensions

Maybe one that isn't listed inside chrome - don't know if its possible but might be worth a look

geek_king1, Apr 4, 10:41 am

Ive since removed chrome because he doesnt use it.
I will try ghostery and see what it picks up, i still have the same problem with all the addons disabled in firefox. Im quite interested to discover how this infection operates, if i could install it in a sandbox environment it should be possible to monitor what it does to the system.

geek_nzoomed, Apr 4, 11:24 am

Disable all startup items, reboot to safe mode (w/o networking), and do a full system scan from there.

geek_tail_red, Apr 4, 11:39 am

Its detected and blocked adcash, ad4game and revenuehits so far, which are pages which are automatically redirecting while browsing a page.

geek_nzoomed, Apr 4, 11:46 am

ive done a complete offline scan with NOD32, found nothing.

geek_nzoomed, Apr 4, 11:48 am

presumably you've checked task manager processes for unknowns.

geek_king1, Apr 4, 11:56 am

Yes, looks as clean as could be, i think whatever this thing is infects or overwrites a normal file, absolutley nothing i can see of concern.

geek_nzoomed, Apr 4, 11:59 am

Antivirus might not help because most don't classify adware as a "threat."

What you can try is find out the process' name in the task manager and its file location, then manually delete the folder in safe mode (or portable Linux if that fails) and clean the registry after. It's not the most elegant solution, but it usually works.

geek_tail_red, Apr 4, 12:02 pm

I am fairly sure I had this a few weeks back, eventually gave in and purchased Spyhunter , that got the little bastard , squashed with a big size 10

geek_muzza3, Apr 4, 12:06 pm

Im going to do a system restore, but typically in the past i can usually run a process manager and see if any suspicious dll files etc have attached themselves to a process such as explorer.exe or firefox etc, nothing stands out in front of me that looks suspicious. I think that this thing actually is doing some rather malicious activity, and is doing a good job at hiding itself.

Still surprised combofix does not detect it.

geek_nzoomed, Apr 4, 12:07 pm

I got a "redirect" virus on my machine. Despite running different scans i still cannot remove it. Apparently it is buried deep in the operating system and can erase its footprint, so avoids all the scans.

geek_ycart3, Apr 4, 12:12 pm

Makes me wonder if the people behind spyhunter actually are the same people who produce this malware, since alot of links ive been reading point to using this program to remove it. Im unsure how legit that program is, since ive read some bad reviews, although it appears there are several products that claim to be called spyhunter. I take it you downloaded it from enigma software?

geek_nzoomed, Apr 4, 12:13 pm

maybe a firewall (eg eset smart security in interactive mode, or kerio if its still around) would block the connection and in doing so identify the process that is making the connection. or it will just identify it as chrome etc

geek_king1, Apr 4, 12:13 pm

and one of my last resorts before I throw it at the wall is the Avast boot time scan - has found stuff others haven't on more than one occasion for me.

geek_king1, Apr 4, 12:17 pm

geek_king1, Apr 4, 12:18 pm

geek_king1, Apr 4, 12:23 pm

Yeah it is exciting when you nail them.
This sort of thing was the only thing that kept me same at my old job, i used to be the guy stuck in the workshop who was always manually detecting new malware and submitting them to virustotal etc, mainly because my boss insisted on us using norton, and it wasnt until i took it upon myself to install a trial version of NOD32 on our workshop computer that i was able to get him to change to NOD32 after seeing the huge success with it! lol Thankfully such stubborn infections such as this are a rarity for me nowdays.

geek_nzoomed, Apr 4, 12:24 pm

another interesting possibility is here, although this relates to chrome again.
especially the 'about:memory' which gets the PID for something
then in task manager, with the PID, you can open file location.

geek_king1, Apr 4, 12:30 pm

That is quite a handy feature in chrome to have.

When running the process monitor all the traffic in question points to firefox, but would be good if i can see what modules are running on top of firefox, the process monitor in spybot search and destroy used to be good for that.

geek_nzoomed, Apr 4, 12:51 pm The about:addons-memory Extension will give you a nice looking page showing how much memory each of your extensions is using. You can use that information to decide if the overhead imposed is worth the functionality it provides, or if you should look for a more lightweight extension that has similar functionality.
Also, the about:memory page will give you a very technical view of how Firefox is using the memory that's been allocated.

Edit: its an extension here

geek_king1, Apr 4, 1:07 pm

geek_wayne416, Apr 4, 1:09 pm

i cant even get that to work, double clicking on the icon does nothing, bit weird

geek_nzoomed, Apr 4, 1:56 pm

have you checked the HDD, i find to many weird things happening often lead back to hdd issues

geek_king1, Apr 4, 1:59 pm

Yes its all good, turns out there is a 64 bit version, which is working fine, the link i had downloaded a 32 bit edition. fingers crossed.
Im facing a reinstall of windows here, system restore failed on me which is not surprising.

geek_nzoomed, Apr 4, 2:19 pm

I think a friend of mine has this too. There was something similar last I saw his PC, and he's still having problems with something now which I presume is the same thing.

geek_schizoid, Apr 4, 3:04 pm

I did a system restore and also deleted the you tube download-at the moment mine is working perfectly again. Like you nzoomed everything I threw at computer-came up clean-talk about frustrating!

geek_44kiwi, Apr 4, 3:07 pm

Theres a task manager in there so you can see whats running.

geek_wayne416, Apr 4, 3:28 pm

How did it go?

geek_wayne416, Apr 5, 12:04 pm

Could have been avoided if you imaged your system partition frequently. I mainly use the free version of Macrium Reflect. Paragon has a good free one also.

geek_r.g.nixon, Apr 5, 1:15 pm

Your onto it. I use Macrium, anything goes horribly wrong which is frequently, [will download anything to get the result I want], although Comodo catches most, With an image i'm up and running a few minutes later.

geek_wayne416, Apr 5, 1:39 pm

don't think it's his.

geek_king1, Apr 5, 1:52 pm

Its a shame they didn't push Windows 7 and 8s ability to image a drive but then again nobody seems to burn recovery disks and that is pushed fairly hard. I have no sympathy for people who install illegal software, that's just looking for problems but if looking for legit programs most are full of crap that can catch anyone if not alert.

geek_wayne416, Apr 5, 2:07 pm

my sister and i are both having exactly the same problem and am completely over it. have tried lots of things and cant get rid of it. trademe is almost completely unusable. element blocker on adblocker is helping with some of it but its like a bandaid - its not getting rid of it at all.

am going to have to pay for a professional to help me because most of the advice above is beyond my understanding, hahaha

geek_dropsofjupiter, Apr 13, 12:23 pm

this is helpful, thanks. Doesnt get rid of it from my computer but at least i can message on the boards, hahahahahaha

geek_dropsofjupiter, Feb 24, 5:00 am

Share this thread