A common form of malware isn't really malware as such because you install it yourself. Commonly when you install software there will be boxes already ticked such as as "Install Delta Search Toolbar" and you will be in such a hurry you will leave them ticked. They pretend to be Google Chrome and you may not even notice them until you try to remove them. When you do, expect much swearing.
Google Images is heavily infected with nasty stuff and it is best avoided if you can.
I use YouTube and Google Images thousand of times per month ... what location are these nasty little gremlins hiding at ?
I run Norton 360, and MS Security Essentuals, and Malwarebytes, and they rarely show any infections.
Norton is always showing: "Blocked Fake Blah Blah Virus Toolkit"
Lewis is correct. This is one of the many infection vectors, as they call it. These add-ons are nasty crapware that gets in the machine. Spigot Search is the latest. Others include that horrific WeatherBug which causes such poor machine performance, you'll think you're running a '486 instead of an i7!
The asynchronous downloads, as Lewis mentions, is really all about the web these days and the way these things work is simple, though very nasty, because they make use of how the internet and HTML, and AJAX works. The biggest and worst infection vector is right off of the search pages. Never, ever, ever, click on a search link on a Google webpage unless you know what you are looking for. And, more importantly, if you need to click on a link, go for those on the lower pages. The even better way to choose a link is to type the link in yourself once you find it. You'll understand this methodology in a minute.
The malware-writers infect a website and change where the web links point. The link will display properly, but the underlying code points to a new location in the HFREF code. The new location is most likely their hacked FTP server that contains the pop-up ad which says something like "Your machine is infected with a Viruses! Install our fake antivirus (fill in the name of your favorite company here. They usually pick someone such as AVAST, AVG, MALWAREBYTES, even NORTON, or many others, or even their own fake product such as Antivirus 2013 Ultimate Virus Fighter (name made up here). The problem is you can close the window, however, they have now snuck down code in the background. This is by using asynchronous exchanges. In the old days, webpages would be downloaded singly. In other words, you'd download and wait, and wait, and wait some more for your page to display then you'd go on to download the next one. With the newer, faster networks, multimedia, JavaScript, and other coding, webpages can be downloaded in the background while you are viewing the one in front of you. This is how Google Earth works. How could you view this continuous slice of earth so quickly if you waited for each and every page to download. The same with viewing movies on YouTube, or other multimedia applications on the web. There's nothing wrong with this underlying technology when it's used for good purposes, such as online mapping and movies, however, there are always those that will find ways to make goods things work for bad reasons.
So... getting back to our example here. You've clicked on a link, thinking you've picked the correct one on Google Search. This brought up another website that displayed an advertisement you couldn't close right away. Then your browser crashes, locks up, or just plain disappears from view. You are infected now! The software has downloaded a dropper to your machine and put in hooks into your browser. The hooks are what caused your browser to crash, and this doesn't just happen to Internet Explorer. I've seen this with Chrome, Firefox, and even Opera. This by the way, is how this stuff enters into the Apple Macintosh computers too. Yes, Apple computers get viruses!
The little dropper now waits for a bit, perhaps until your next reboot or maybe an hour or two. The reason for the wait is to throw you off track. In the older versions of this hack, the dropper would go right back out to the network and download the rest of the fake product and underlying malware bits. So now by waiting a bit, they'll throw the average user off track. You reboot your machine for any number of reasons and the dropper does its thing by downloading the rest of the code. Remember, today the networks are a lot faster so these small bytes of data can sneak in without too much notice. The code is now installed and ready for action.
You now get a pop-up screen that says "Antivirus 2013 Ultimate Virus Fighter". The interface is fake, though it shows multiple viruses, usually 35 or more, and there's a scanner screen showing a progress bar. You try to cancel the virus scan, but you can't. The thing brings up a pop-up window or windows that prevent you from closing down the program.
You now reboot the machine. Nope it scans again, and now worse, your start menu and desktop have disappeared and it says to remove these viruses, buy our product for $99.99!
You are now in a panic! Don't ever, ever, buy that product. All you're doing is sending money to some Eastern European mafia gang. Seriously! The majority of this malware is written by Eastern European college students looking for quick beer money. They either purchase a kit, or are handed the kit to write the code and they're paid $30.00 for the code, which is bought by the Eastern European or Russian mobs.
You said that your Norton 360 found the code. This is possible, but after the fact, once it's installed. The full infection has never been removed and the problem now is the code will be replaced upon the next connection to the network. Again, they also infect Windows recovery files as well. If you attempt to do a system restore, you'll find that you'll receive the virus back. They also infect the system files which are protected and are replaced by Windows upon reboot. This puts the virus code back in, making the removal difficult. As I said, the best way to remove this is to run a separate product. There are many of them out there for this, but are best left for the professional IT person to use. If you are interested in removing these infections, at your own risk, visit:
www.bleepingcomputer.org
John