
I'm running Windows 7. Yesterday, when I opened a website with Firefox, I saw 3 ads at the top of the site.

Then, when I checked other websites with different browsers, I saw these ads:

[screenshot of the injected ads]

In the page source, I can't see any code for these ads, but with Inspect Element I can see that this code was added to the header:

<iframe src="http://85.25.138.211/index.php?3a2j"></iframe>

And the code in the body for this ad is:

<a href="http://track.impreskin.pl/product/ImpreSkin/?uid=21002&amp;pid=153&amp;bid=1659" rel="nofollow" title="wygladzanie zmarszczek"><img src="http://track.impreskin.pl/banner/?uid=21002&amp;pid=153&amp;bid=1659" alt="wygladzanie zmarszczek"></a>

I don't see any new and unwanted plugins in my browsers, and I haven't installed Hotspot Shield.

Is this malware, and if so, how can I remove it?

Run5k

3 Answers


You are experiencing malware which has been designed to operate just before your web browser displays web pages. It typically intercepts a browser request to retrieve a web page, analyzes the site you are visiting and tries to inject HTML ads which may or may not be pertinent to what you are viewing.

You will have to check the proxy settings of all of your web browsers and run full malware and antivirus scans on your PC, because your computer is severely infected.

Adblock will not help you; this is a virus. I would confidently guess that all web pages are loading very slowly, and if you check your Task Manager then Firefox is probably using 300-500 MB just to view one website.

MonkeyZeus

After research I found this answer by Martin Prikryl:

... the problem was happening on the cellular network only because of caching. After some time of being connected to the cellular network and repeatedly refreshing, the problem went away, and it reappeared only after connecting back to the Wi-Fi.

This made it obvious that the problem was due to a compromised router. Resetting it back to factory settings fixed it.
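The first answer says to check the proxy settings and the second blames the router; the script below is an added triage example, not code from either answer, that shows where traffic from this PC can be redirected before the browser ever sees a page. It assumes Windows 7 with the stock PowerShell 2.0, that it is run as the user whose browsers show the ads (proxy settings are per-user), and it uses the iframe IP from the question as the only indicator.

```powershell
# Added triage script (not from the answers above). Windows 7 / PowerShell 2.0 compatible.
# Run as the user whose browsers show the injected ads.

# 1. Per-user proxy settings, followed by Internet Explorer and by Firefox when it is set
#    to "Use system proxy settings". ProxyEnable=1 with a ProxyServer you did not configure,
#    or any AutoConfigURL (a PAC script) you did not set, means something can rewrite pages
#    on the way in.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet | Select-Object ProxyEnable, ProxyServer, ProxyOverride, AutoConfigURL | Format-List

# 2. Machine-wide WinHTTP proxy used by services (Windows Update, some updaters).
netsh winhttp show proxy

# 3. Gateway and DNS servers the router handed out over DHCP. On a home network the DNS
#    server is normally the gateway itself or the ISP's resolvers; an unfamiliar public
#    address here fits the compromised-router explanation, since a hijacked router can
#    point clients at rogue resolvers. Compare with a known-good network (e.g. a phone
#    hotspot) the way the quoted answer did.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Select-Object Description, DHCPServer, DefaultIPGateway, DNSServerSearchOrder |
    Format-List

# 4. Any non-comment entries in the hosts file (a local redirect would show up here).
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsFile | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }

# 5. Live connections to the iframe IP from the question. The last column is the owning
#    PID; a PID that is not one of your browsers points at the injecting program.
netstat -ano | Select-String '85\.25\.138\.211'
```

If step 3 shows DNS servers that differ from what the router's admin page is configured with, or that change when you move to a different network, the redirect is happening upstream of the PC and scanning the PC alone will not clear it; if steps 1 and 5 show a local proxy or a non-browser process talking to the iframe host, the injection is on the PC itself.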


I have the exact same problem. Platform: Windows 7 64-bit. It does not only attack Firefox. It hacks all your web browsers (Firefox, IE, and I'm guessing it would also have done Chrome too)... that means it's either installed as an extension or as some piece of global cached scripting code (for all browsers)... or maybe even something more global.

I've managed to "hack" a "band-aid" solution to the problem, namely to block these IPs with Windows Firewall and also to download the Firefox Adblock extension, but that does not address the underlying problem, namely that the system itself has been hacked.

PARTIAL RESOLUTION (solves most of the visual misery): search your Windows directory and edit either "lmhosts" or "hosts" to map these URLs to "localhost":

promo.cityads.ru
track.impreskin.pl
rcm-na.amazon-adsystem.com
www.juicyads.com

-or-

block these remote IPs in the firewall settings:

72.21.202.62
81.177.161.202
54.192.118.235
199.83.129.149

-and- install Adblock for Firefox.

This will =still= leave you with the hacker's name on your pages.

UNRESOLVED ANGLES TO FIX THE REST: I'm still working on this part... but I'm trying a disk file-contents search for .js and/or .php / .css files containing "wygladzanie zmarszczek" and the above URLs.

^ remove related files

Barring success, see about clearing all .js, .php and .css caching... sorry, but I'm still working on finding out how to do that.

None of that proves you have really cleaned all the malware from your PC. It's just addressing a symptom (like if you had a disease but took aspirin to reduce the pain). There might be a lot more this virus left on the PC.

So this solution is a far cry from "perfection", which would be to understand the attack vector this virus used, to close the security hole, and to remove all files it may have deposited -- but it's still a lot better than nothing.

If anyone can come up with the formal name for this attack and answer any of those questions, it would help to build a public understanding which resolves the problem.

RESULTS: These files came back associated with that search signature:

C:\Users\computer_name\AppData\Local\Mozilla\Firefox\Profiles\pxxczg4r.default\cache2\entries\2E0C4058E084A83FFD5E59DF25634B4708213893

C:\Users\computer_name\AppData\Local\Mozilla\Firefox\Profiles\pxxczg4r.default\cache2\entries\C116A7489A2D13D65DA56BD218030121E46D2476

C:\Users\computer_name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HND03M2G\ga[1].js

Relativize the path for your own PC by replacing "computer_name" with your own PC name. Those cache files are generated with what might be a random name under Firefox... nuking the entire cache might be the best solution.

Kunal