Author Topic: Malware shows integrated ads on any site with product srch results (Chrome only)  (Read 5423 times)


eberger79

  • Guest
I was on IKEA.com and clicked on a link, when all of a sudden Avast intercepted harmful code, which I found was weird.

Turns out, that for some reason Chrome inserts third-party ads above my search results after some 10 seconds. It shows in small letters "ads not by this site". The items advertised for are not unrelated to the search results (e.g. furniture ads on IKEA.com) but the links go to results.premium-display.com and apparently include malicious software some way or another. Apart from IKEA, I tried a second-hand marketplace and the same thing happens after some 10 seconds.

The first thing I do, of course, is to check my Chrome add-ons. Nothing there, however.

I've never seen this thing before. And inserting search results right above the search results of "any" page sounds quite advanced. How do I get rid of this thing? I seem to have it only in Chrome.
I'd better start checking my Windows registry, but thought it'd be interesting to report this right away...

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Please attach your logs. (AdwCleaner, MBAM, and OTL..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

eberger79

  • Guest
Seems to have been resolved ("hat sich erledigt") using AdwCleaner (though the link on the "logs to assist" page led to a seemingly older version of AdwCleaner than on the picture). Thanks for the tip.

Offline Pondus

  • Probably Bot
  • Posts: 37535
  • Not a avast user
Quote
(though the link on the "logs to assist" page led to a seemingly older version of AdwCleaner than on the picture).
The new version was removed for a bug fix... it should soon be back.



eberger79

  • Guest
Just for the sake of completeness, here is the AdwCleaner cleaning log:
# AdwCleaner v2.306 - Logfile created 08/18/2013 at 22:07:44
# Updated 19/07/2013 by Xplode
# Operating system : Windows 7 Home Premium  (64 bits)
# User : Erik - EMACHINES
# Boot Mode : Normal
# Running from : C:\Users\Erik\Documents\Datorn\InstPgm\security\adwcleaner.exe
# Option [Delete]


***** [Services] *****

Stopped & Deleted : BrowserProtect

***** [Files / Folders] *****

File Deleted : C:\Users\Erik\AppData\Local\Google\Chrome\User Data\Default\bProtector Web Data
File Deleted : C:\Users\Erik\AppData\Local\Google\Chrome\User Data\Default\bprotectorpreferences
Folder Deleted : C:\Program Files (x86)\Freecorder extension
Folder Deleted : C:\Users\Erik\AppData\Local\jZip
Folder Deleted : C:\Users\Erik\AppData\Local\Temp\jZip
Folder Deleted : C:\Users\Erik\AppData\Roaming\DataMgr
Folder Deleted : C:\Users\Erik\AppData\Roaming\HMN
Folder Deleted : C:\Users\Erik\AppData\Roaming\SDIV 2.0

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\SmartBar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\DataMngr
Key Deleted : HKCU\Software\DataMngr_Toolbar
Key Deleted : HKCU\Software\jZip
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{553318DA-D010-469E-84B1-496563CAE1BF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B15BBE59-42F5-4206-B3F0-BE98F5DC4B93}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{553318DA-D010-469E-84B1-496563CAE1BF}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B15BBE59-42F5-4206-B3F0-BE98F5DC4B93}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\928c8ab335e447
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{18B9B16E-716F-43DF-A6AD-512C7D2EB983}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{19975B78-1907-4DD6-A437-4C48120F46A4}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{544C2426-48FD-4C40-AE3B-31257FF334D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{562B9316-C08A-444A-9482-62080DD851AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{562B9317-C08A-444A-9482-62080DD851AE}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{BDB69379-802F-4EAF-B541-F8DE92DD98DB}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\AddonsFramework.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ButtonSite.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\RegistryHelper.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\ScriptHost.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool
Key Deleted : HKLM\SOFTWARE\Classes\ScriptHost.Tool.1
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\SOFTWARE\Wow6432Node\928c8ab335e447
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1917AB4C-E2E9-42AE-A51E-B5750F160BFB}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{6C65F1F0-8088-414B-828C-813207ADE75A}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{A4341726-E922-47BB-86A6-23F4F4F67342}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B15BBE59-42F5-4206-B3F0-BE98F5DC4B93}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{C9B4F046-2A8C-46BD-B1A1-CF0EAE5EA521}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{DCA1528D-A3C0-4A9F-AA6E-DCE643F91495}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{93CF54F5-CFAA-4440-B588-8ED0DFAD5C21}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B887CA3B-D82B-4A01-AD29-E97444D01CE6}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{D3BC53E7-0437-4C97-90EE-2CD6FF47FB14}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\pgafcinpmmpklohkojmllohdhomoefph
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{3614D305-2DBB-4991-9297-750DD60FFC73}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AFB904C4-C255-4540-B97E-A75A34F1FFB0}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B15BBE59-42F5-4206-B3F0-BE98F5DC4B93}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Freecorder extension
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1917AB4C-E2E9-42AE-A51E-B5750F160BFB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6C65F1F0-8088-414B-828C-813207ADE75A}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A4341726-E922-47BB-86A6-23F4F4F67342}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{B15BBE59-42F5-4206-B3F0-BE98F5DC4B93}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C9B4F046-2A8C-46BD-B1A1-CF0EAE5EA521}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DCA1528D-A3C0-4A9F-AA6E-DCE643F91495}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{045F91B3-695F-423A-98C7-8DE3C47AA020}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1348BD1B-C32A-41A7-9BD4-5377AA1AB925}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{395AFE6E-8308-48DB-89BE-ED5F4AA3D3EC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{43969E3F-3E7C-4911-A8F1-79C6CA6AC731}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{43B390F0-6BA2-45CA-ABF2-5DB0CEE9B49D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{93CF54F5-CFAA-4440-B588-8ED0DFAD5C21}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{94CADA2E-1D3F-419F-8A3D-06C58EDF53C8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E52EB8B-8DD9-4605-AD36-D352BCD482F2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A1440EC3-F0FA-407A-B811-DE6668C06D29}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B887CA3B-D82B-4A01-AD29-E97444D01CE6}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B9A84AD0-5777-46FD-8B8F-1EBD06750FBC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C1995F88-1C7F-40D7-B0FA-6F107F6308B8}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C815E3DA-0823-49B0-9270-D1771D58B317}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D3BC53E7-0437-4C97-90EE-2CD6FF47FB14}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B15BBE59-42F5-4206-B3F0-BE98F5DC4B93}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes [bProtectorDefaultScope]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.17267

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Default_Page_URL] = hxxp://search.fbdownloader.com/?channel=sfse203fbdgy19 --> hxxp://www.google.com

-\\ Google Chrome v28.0.1500.95

File : C:\Users\Erik\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [7842 octets] - [18/08/2013 22:04:15]
AdwCleaner[R2].txt - [7902 octets] - [18/08/2013 22:06:43]
AdwCleaner[S1].txt - [8037 octets] - [18/08/2013 22:07:44]

########## EOF - C:\AdwCleaner[S1].txt - [8097 octets] ##########


With version 3.000 it also found C:\Windows\System32\Tasks\BrowserProtect.

Most of this is from an infection that I had in April, but which I thought had been removed. And then suddenly four months later, it got reactivated with new unseen behaviour (the ads), which disappeared after removal of the mentioned stuff (including the Freecorder Chrome extension, which probably started it all...)
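The log above explains why checking the Chrome add-ons page turned up nothing: the extension was registered through the machine-wide registry key HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions, and the rest of the infection lived in an IE Browser Helper Object, a BrowserProtect service and scheduled task, and a hijacked IE start page. The following PowerShell script is an added example (not from the thread or from AdwCleaner) that enumerates those same persistence points read-only, so a defender can triage a similar report before running a cleaner. The registry and task paths are the generic Windows, Chrome and IE locations that appear in the log; the $Suspicious watch-list is constructed from names in the log, and the Test-Suspicious helper is assumed.

```powershell
# Added example (not from the thread): read-only triage of the persistence points
# the AdwCleaner log cleaned. Prints findings, changes nothing.
# $Suspicious is a constructed watch-list built from names that appear in the log.
$Suspicious = @('BrowserProtect', 'bProtect', 'Conduit', 'DataMngr',
                'Freecorder', 'SmartBar', 'fbdownloader')

function Test-Suspicious([string]$Text) {
    foreach ($s in $Suspicious) {
        if ($Text -match [regex]::Escape($s)) { return $true }
    }
    return $false
}

# 1. Chrome extensions registered through the registry. These are installed from
#    outside the browser, which is why the poster saw nothing in the add-ons page.
$chromeKeys = @('HKLM:\SOFTWARE\Google\Chrome\Extensions',
                'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
                'HKCU:\Software\Google\Chrome\Extensions')
foreach ($k in $chromeKeys) {
    if (Test-Path $k) {
        Get-ChildItem $k | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            '[Chrome ext] id={0} path={1} update_url={2}' -f $_.PSChildName, $p.path, $p.update_url
        }
    }
}

# 2. Internet Explorer Browser Helper Objects, with each CLSID resolved to the
#    DLL it loads (the log removed BHO {B15BBE59-...} and its CLSID entries).
$bhoKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
foreach ($k in $bhoKeys) {
    if (Test-Path $k) {
        Get-ChildItem $k | ForEach-Object {
            $clsid = $_.PSChildName
            $dll = $null
            foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID') {
                $srv = Join-Path $root "$clsid\InprocServer32"
                if (Test-Path $srv) { $dll = (Get-ItemProperty $srv).'(default)'; break }
            }
            $flag = if (Test-Suspicious "$dll") { ' <-- matches watch-list' } else { '' }
            "[BHO] $clsid -> $dll$flag"
        }
    }
}

# 3. IE start page hijack (the log shows Default_Page_URL pointed at search.fbdownloader.com).
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
foreach ($v in 'Start Page', 'Default_Page_URL') {
    if ($main.$v) {
        $flag = if (Test-Suspicious $main.$v) { ' <-- matches watch-list' } else { '' }
        "[IE] $v = $($main.$v)$flag"
    }
}

# 4. Services and scheduled tasks with watch-listed names (the log removed a
#    BrowserProtect service; AdwCleaner 3.000 also found a BrowserProtect task).
Get-WmiObject Win32_Service |
    Where-Object { Test-Suspicious ($_.Name + ' ' + $_.PathName) } |
    ForEach-Object { "[Service] $($_.Name) state=$($_.State) path=$($_.PathName)" }

schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv |
    Where-Object { Test-Suspicious ($_.TaskName + ' ' + $_.'Task To Run') } |
    ForEach-Object { "[Task] $($_.TaskName) runs=$($_.'Task To Run')" }

# 5. Leftover vendor keys from the log; their presence alone is a strong hint
#    that the cleanup was partial, which matches the reactivation the poster saw.
foreach ($k in 'HKCU:\Software\Conduit', 'HKCU:\Software\DataMngr', 'HKLM:\Software\DataMngr',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\bProtectSettings') {
    if (Test-Path $k) { "[Leftover key] $k" }
}
```

Run it from an elevated PowerShell prompt so the HKLM and service queries are complete. A registry-registered Chrome extension whose update_url is not the Chrome Web Store, or a BHO whose DLL sits under a user's AppData or a freshly created Program Files folder, is what to look at first; the watch-list only highlights the names from this particular log and should be extended with whatever the cleaner reports on a new machine.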