Google showing ad popups on Win 7


Question

Hi everyone, small security problem I need a hand with...

So this isn't on my computer, it's my 9 year old brother who likes to tinker with everything I tell him not to touch, on his own computer as well as my parents', which is also having this issue. I don't live with them so I'm instructing my brother via email. Both machines are Win 7: one is x64, the other is an old netbook which my brother reduces to treacle speed within days of me sorting it out with his aforementioned tinkering - as such he can now only use it in Safe Mode.

Apparently when you Google something and click a result, a popup will appear and try to load a doubleclick advert - it fails because I think there are ad blockers in use. This only happens with Google (Bing's fine) and in all browsers.

I assumed it was some piece of malware doing something similar to the Flashback malware on the Mac, so I told him first to run a scan with MSE and to install and run Spybot S&D. He sent me the S&D log, and it just seemed to be a few tracking cookies, nothing unexpected. When he got to MSE he started getting errors - apparently the scan stopped at around 10% and displayed "Service has stopped", code 0x80070424. Trying to reinstall MSE threw an error that he didn't specify. I told him to try and repair the error in various ways but he just moved on, because he's 9.

Next I told him to install the free version of avast!, my old favourite AV, and run a boot time scan. This apparently found nothing, but is still on the system.

Most recently I told him to run HijackThis and throw me the log -- I've actually never used HJT, but nothing in the log seems unusual to me. I'll copy it in below.

Suggestions, people! Not having physical access to the machine and having to diagnose via a 9 year old is a nightmare! I've also never had adware like this, so I'm unfamiliar with its habits.

Thanks for any advice, now here's the log...


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 19:32:40, on 02/05/2012
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\ctfmon.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Downloads\HijackThis.exe
C:\Users\Administrator\AppData\Local\Google\Chrome\Application\chrome.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1484195527-3910559358-2384544936-1000\..\Run: [Google Update] "C:\Users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'Jamie')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
--
End of file - 4095 bytes


11 answers to this question
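A HijackThis log like the one in the question can be triaged mechanically before anyone reads it line by line. The following is an added example, not part of the original thread: `triage`, `EXPECTED` and the other names are hypothetical, the list of "expected" install roots is an assumption of this sketch, and a flagged entry means "verify this file", not "this is malware".

```python
import re

# Meaning of the HijackThis section codes that occur in the log above.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "autorun entry",
    "O9": "IE extra button/menu item", "O10": "Winsock LSP",
    "O18": "protocol handler", "O23": "service",
}
ENTRY = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
PATH = re.compile(r"(?i)(?:[a-z]:\\|%\w+%\\)[^\"\[\]]*?\.(?:exe|dll)")
# Assumption of this example: binaries under these roots need no second look.
EXPECTED = ("c:\\windows\\", "c:\\program files", "c:\\progra~", "%programfiles%\\")

# Excerpt of the log posted in the question (not the full log).
SAMPLE = r"""Boot mode: Safe mode with network support
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKUS\S-1-5-21-1484195527-3910559358-2384544936-1000\..\Run: [Google Update] "C:\Users\Jamie\AppData\Local\Google\Update\GoogleUpdate.exe" /c (User 'Jamie')
O10 - Unknown file in Winsock LSP: c:\program files\common files\microsoft shared\windows live\wlidnsp.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

def triage(log_text):
    """Return (boot_mode, entries per section, entries worth a manual look)."""
    boot_mode, counts, review = None, {}, []
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("Boot mode:"):
            boot_mode = line.split(":", 1)[1].strip()
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.groups()
        counts[code] = counts.get(code, 0) + 1
        kind = SECTIONS.get(code, "other")
        if "Unknown file" in body:
            review.append((code, kind, "file HijackThis could not identify"))
        elif any(not p.lower().startswith(EXPECTED) for p in PATH.findall(body)):
            review.append((code, kind, "binary outside Windows/Program Files"))
    return boot_mode, counts, review

if __name__ == "__main__":
    mode, counts, review = triage(SAMPLE)
    print("Boot mode:", mode)
    print("Entries per section:", counts)
    for item in review:
        print("REVIEW:", *item)
```

The boot mode is reported because a log taken in Safe Mode lists only the processes that load in Safe Mode, so anything that starts only on a normal boot will not appear under "Running processes".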

  • 0

Does the machine not have system restore enabled? If so, it might be an idea to restore it to a date you and/or your brother knew it wasn't happening?

Edit: You might want to suggest he install CCleaner as well and give it a full scan.


  • 0

Doing the scan in Safe Mode may also be a good step. But yeah, agree with above, System Restore is the easiest way forward.


  • 0

It's Google. What do you expect? Their **** is nothing but adverts.

Yet they are still better than bing... hmm, they must be on to something.


  • 0

The netbook probably has Sys Restore disabled - it's only a ~15gb SSD so anything non-essential that consumes disk space is disabled - the desktop machine I don't know about.

I will pass on CCleaner -- any opinions on malwarebytes? I've seen it used a bunch in threads on similar problems.


  • 0

Yeh Spybot is what I used last time I had something like this, definitely pre-Vista.

They do have limited accounts, with Live Family Safety for web filtering and a whole load of group policy restrictions, only my parents know the admin passwords. Trouble is I've had to relinquish some control to him, e.g., he's getting into programming in some basic language which creates console apps, so I had to give him cmd and a few other things. That and he lies to my mum to get time in the admin account. When I go home he sits behind me watching everything I do like a hawk - he sent me a mail a few weeks ago about using takeown and icacls to delete some temporary junk in the drive root because he'd "seen me do it".

Anyway, emailing him now. Probably get a reply in a day or so...


  • 0

> It's Google. What do you expect? Their **** is nothing but adverts.

Do you have anything to help OP rather than post useless things?

It seems like a trend in your posts that you go to any article which is about google and troll...

Suggestion To OP: try using TeamViewer to troubleshoot the problem by remote desktop.

It would be easier.


  • 0

> Do you have anything to help OP rather than post useless things?
>
> It seems like a trend in your posts that you go to any article which is about google and troll...
>
> Suggestion To OP: try using TeamViewer to troubleshoot the problem by remote desktop.
>
> It would be easier.

Ok, then. Install AdBlock, and make sure the lists are up to date.

Make sure built-in adblockers' lists are up to date.

Take a look at the processes that are running on the system.

If it's only happening on Google, then something is getting through the block lists.


  • 0

MalwareBytes, virus scan, update hosts file (mvps.org/winhelp2002 is what I use), adjust pop-up blocking from within browser(s), download a decent crap blocker (AB+ for Chrome), etc.


This topic is now closed to further replies.