Some kind of Chrome malware - how to remove?

rotman253

Hey there,
my office computer got infected with some sort of adware evil thing.
Once or twice a day, when browsing to a website (no matter which), I get an iframe with an overlay saying: "sponsored by [url I'm browsing to]", and then it redirects me to some kind of a full-page ad for some sort of naughty online gaming (I forgot the name, but next time it happens I'll update here).

Anyway, this is the iframe HTML:

HTML:
<div class="asgds_content">
  <div class="asgds_header">
    <button class="asgds_close">x</button>
    <h4 class="asgds_title">Sponsored by google.com </h4>
  </div>
  <div class="asgds_body">
    <iframe src="https://extsgo.com/view/teasers?id=191753" style="height: 873px; width: 100%;"></iframe>
  </div>
  <div class="asgds_footer">
    <button class="asgds_close_text">Close</button>
  </div>
</div>

Searching Google for extsgo.com/view/teasers gives me nothing...
Using Chrome 53.0.2785.143 m on Windows 8.1.

Who can help me with removing this stupid thing?

Thanks a lot.
 

dakennyj

Full Screen Flash might be the culprit?

I've had the same problem. I noticed when I uninstalled Full Screen Flash that it redirected me to extsgo.com as well... given some of the reviews intermittently complaining of advertising redirects, I think it's a distinctly possible culprit. Do you have that extension installed?

For what it's worth, this happened on both my home and work machines and Chrome is the only thing really shared between them. Home has MalwareBytes and McAfee, work has Trend Micro. No malware hits on either end, so I'm quite certain that some Chrome extension or another is responsible.
 

t_dub

Me too

I have managed to end up with this thing too. I've seen it injected into both a site I'm hosting locally and sites across the web (both in Chrome; not seeing it injected when I'm in Firefox). I did not notice it until recently, as I typically use EFF's Privacy Badger, which blocks the actual injection script from loading. I've seen it block requests to extsgo.com and st.adxxx.com, neither of which is related to the local build of the project I'm working on where I see it injected.

It's definitely something (presumably an extension) that is getting synced via Chrome sync as I've noticed it in a Windows 10 installation on one machine and within a Linux VM inside a Windows 7 host OS on a different machine. All software fully up to date.

I see nothing I'm not expecting in terms of extensions and I do not have the "Full screen Flash" extension. Windows Defender has not found anything on the Win 10 install, nor on the Windows 7 one.

Is it perhaps another extension that got hijacked? I know sometimes developers sell extensions and malware makers acquire them for the instantly-installed userbase. Everything in the Chrome Web Store is supposedly scanned, of course, so who knows.

Anyone have any other ideas?

Thanks!
~tw

---------- Post added at 02:13 PM ---------- Previous post was at 01:19 PM ----------

Insert jQuery (not including link; you'll know if you have it) appears to have been the culprit extension. The behaviour I was seeing is consistent with this description: gist.github.com/jimbo1qaz/bc73a2491f0c39b7f206359f089dd79c complete with the redirection to a shady fake magazine URL when I uninstalled Insert jQuery, the issues went away. So this is consistent with a rash of extensions getting updated with updates that include new malware. I originally intended to install that extension... several years ago. I've been using it occasionally ever since.

(My) case closed.
 

Watchful1

This just happened to me as well. Exactly once on my work computer, then once on my home computer a few hours later, different sites. Both Chrome, but different accounts and mostly different extensions. I'll compare extension lists and post the common ones when I get back to my work computer tomorrow. But I don't have either of the mentioned extensions installed.

This thread was the only Google result for the URL.

Edit: googling the id of the modal div, "asgds_modal", leads to a Reddit thread with a few people complaining. They pointed out two new extensions, "http headers" and "w3schools hider". I'm guessing my culprit is the http headers one, as it is on both my computers.
 

kmskrishna

I figured it out.

Live HTTP Headers extension is the culprit. A couple of days ago I checked that it was giving a 404 error for the JS script it was requesting from an AWS server. I thought someone would buy it. And the same thing happened, I guess. The Chrome Web Store page is not working for that extension. Most probably because it is removed. But you people should uninstall that from your Chrome browsers.
 
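Added example, not part of any post in this thread: a Python sketch that walks a Chrome profile's `Extensions` directory and reports, per extension, whether its files contain the indicators quoted above (`extsgo.com`, `st.adxxx.com`, the `asgds_` class prefix) and whether it requests access to all sites. Because the post above describes the extension fetching its script from a remote server, a clean string scan does not clear an extension, which is why the all-sites flag is reported separately. The `<id>/<version>/manifest.json` layout, the set of broad match patterns and the sample data are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

# Indicators quoted in the posts above: the two ad hosts and the overlay's class prefix.
INDICATORS = ("extsgo.com", "st.adxxx.com", "asgds_")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _patterns(manifest):
    """Collect every URL match pattern the manifest requests."""
    pats = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        pats += cs.get("matches", [])
    return [p for p in pats if isinstance(p, str)]

def scan_extensions(ext_root):
    """Return one finding per unpacked extension version under <profile>/Extensions."""
    findings = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            manifest = {}
        hits = set()
        for f in version_dir.rglob("*"):
            if f.is_file() and f.suffix.lower() in {".js", ".html", ".json"}:
                text = f.read_text(encoding="utf-8", errors="ignore")
                hits.update(i for i in INDICATORS if i in text)
        findings.append({
            "id": version_dir.parent.name,
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "all_sites": bool(BROAD_HOSTS & set(_patterns(manifest))),
            "indicators": sorted(hits),
        })
    return findings

def build_sample(root):
    """Constructed sample profile: one clean extension, one carrying the indicators."""
    for ext_id, perms, js in (
        ("aaaa", ["storage"], "console.log('ok');"),
        ("bbbb", ["<all_urls>"], "var s='https://extsgo.com/view/teasers'; var c='asgds_content';"),
    ):
        d = Path(root) / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": ext_id, "version": "1.0", "permissions": perms}))
        (d / "bg.js").write_text(js)
    return root

if __name__ == "__main__":
    for finding in scan_extensions(build_sample(tempfile.mkdtemp())):
        print(finding)
```

To check a real profile, pass its `Extensions` folder to `scan_extensions` (for the default profile, typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows or `~/.config/google-chrome/Default/Extensions` on Linux). The `name` field may show a `__MSG_...__` placeholder for localized extensions, so match on the extension id shown at chrome://extensions.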

martixy

Live HTTP Headers extension is the culprit. A couple of days ago I checked that it was giving a 404 error for the JS script it was requesting from an AWS server. I thought someone would buy it. And the same thing happened, I guess. The Chrome Web Store page is not working for that extension. Most probably because it is removed. But you people should uninstall that from your Chrome browsers.
Thank you man, you're my hero.
 

YAYAYA26

Hi guys!
I really need your help here, please.
I seem to have encountered a similar problem as you, but I don't have the header http extension you all talked about.
It happens to me only on Chrome, on different sites: I get these "sponsored by adnow" ads,
and I'm not sure what to do. It's in the exact same place where Outbrain or Taboola show their ads, and it covers it.

I think, but am not sure, that the div id is sc_tblock_319318, and from what I understand it blocks the original ad (by Outbrain in this case) and then it recreates a new one.

Is there anyone here who could help me, please? Really, I tried almost everything...
Sorry if my English is not perfect,
and thanks in advance!