Google is at it again, new YouTube security threat

I have detected a serious YouTube security threat that needs exposure. All IT and security experts welcome to please check into my findings and chime in. Here is what I found so far.

Years ago this was a problem. Just going to youtube or Google mail at all even on another tab without logging in would load strong spyware in your browser and even in your machine permanently which required reinstalling your OS to remove. It tracked logins on other tabs and was gaining access to keyboards, microphones, and cameras even if you just landed on their site by accident. Folks caught on and exposed it and then it stopped.

It is back... I am starting to get the warnings again so they are up to their old tricks again. You can't even load Youtube up on another tab and be safe on the one you are already in. As soon as you do it crosscripts and tries to hitchhike with you into the site you are logged into or logging into giving them direct over the shoulder API account access. I discovered it because our site has IP detection security that kicks you out on the fly if there is any change of your IP address status forcing you to log back in and verify it is actually you. But my IP address remained the same.

So it detected the second IP address trying to access my account along with my current IP address as soon as I landed on youTube. Our site immediately kicked me out and made me log back in with warnings about the crossscripting from Youtube coming from my developer tools. They are attaching a real time cross domain API to our browsers that gathers credential and identity data about our logins. I had to go clear all my data and history cache before I could login safely without it.

This is serious, this is not just for sites like the FR, it is every site you log into with credentials. Work, business, shopping, banks... Everything. So If you use youtube or Google be sure and clear everything in your cache before you go log in anywhere else. And DO NOT use it while already logged in anywhere. It immediately jumps in bed with you and is also logged in with you. I am testing now but the only cure I see that might be easy and work to prevent it would be to bring up Youtube in a second browser to run YouTube in separate from the other browser where you are logged into or logging into other sites. I am still testing this option to make sure the browser does actually keep them apart from each other. hopefully it will not take tweaking to make them secure from each other. Any and all help from the experts here is welcome.

I will repeat information you already know here in case anyone in Rio Linda wants to follow along.
I made lists of programs for which I wanted a clean download and went to the library to use their computers. I like the way the library computers allow me to download to a hard drive and copy to my flash, and when I log off and log back in, the OS has 'forgotten' I was there previously.
I wondered how the library does that - what software they might use. I noted their system uses 'Cybrarian'. The library computer takes long enough to reboot after I log off for me to guess that it is reinstalling an image to at least one partition (user files) and possibly more (browser add ons?)
The library uses 'Cybrarian' to run the library guest computers. I was going to look into it, to see if it automates re-installatin of partitions or if it is only to grant users access, techs remote control for maintenance etc. When I returned home, I searched for the program and noticed that although the search results below look, at first glance, legitimate, the second listing uses a different spelling in their domain name. I have to say I'm skeptical that the second site is legit.
This puts a cherry on top of the 2 hours I spent in the library trying, and failing to find a way to download a clean version of any file.
I tried installing NoScript (thank you for the recommendation(s)) and it was easily done. I blocked google but while working google search results emerged. I hadn't reasoned that the declared search engine in settings could over ride NoScript settings because Settings in Firefox are not scripts. *face palm*
Since I saw scripts pouncing on every attempt to load websites like rufus.com, I searched to find the download page and wrote down the full URL (I was optimistic).
I switched the browser Search setting to 'Bing.' I didn't see any ride-alongs when I navigated to Bing.com.
So I rebooted and installed noscript in the firefox browser again - turning off everything in the NoScript 'settings' list.
I went to Bing.com (all was well) but when I tried to follow search results off the Bing page, I kept experiencing thread hi-jack (the first 3 letter prefix of the very very long link was 'ink'). The library's security software advised me the page I was trying to access had a different URL and was an ad server. That happened regardless of which website I followed (rufus etc.), so I still couldn't download my files. Well, let's say I didn't feel comfortable doing so.
I tested DuckDuckGo primary website and didn't see any scripts running. But I didn't have time to test if I can actually try downloading rufus without thread hijacking.
I was there to download Windows64 from microsoft - which almost worked but my guest permission limits block running the installation software needed to save the Windows65 ISO, so even if DuckDuckGo works, I can't get a clean install for Windows there.
A friend is happy to loan me his flash drive Windows install media, but he has elected to live with malware in the belief that there's no escape, so I don't see how his flash drive could be 'clean'.
Quesion 1:
I know I created a recovery flash there weeks ago, but no doubt it was permeated by Google before I got there. If Microsoft erases everything on a recovery flash drive before installing recovery software, is there any hope that malware was not also installed on the recovery flash?
Question 2: Is there any hope of finding, if there is a recovery partition on my computer, that the recovery software is not now 'owned and operated' by malware? By that I mean, could a recovery partion still supply a clean, outdated copy of Windows?
Question 3: I downloaded linux and created an installation USB. Since the hash was valid, then I could have transfered other kinds of problems to my computer, but the Linux ISO is still valid, right?
4. If the answer to Question 3 is 'yes', then might the same hold true if I hvae a compromised machine, download Windows64 to create an ISO, and if there's a valid hash of that file, the file MIGHT still be able to create an CLEAN USB install copy of Windows? Malware present but not on the flash (my fingers are crossed here).
5. I used to think purchasing a copy of the disc from Microsoft would mean a clean install, but I am jaded. But still, is it the cleanest way to install Windows10 in this day and age? Still, buying a disc when the program is free would be a poke in the eye, but perhaps it's the only way?
6. Should I give up, install Linux 'along side' my computer's Mad Max version of Windows64, and never launch the internet from the windows partition, or just surf the web but no downloading? *sigh*
My preference is create a clean install of WIndows64 (make an image) and then load my programs on top of it (make a second image here) and then figure out how to 'lock down' my machine the way the library does it? Meanwhile, try to learn to transition to linux.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.