here is the part of the code

<div id="mbnr4web" style="z-index: 1000001; transform: translateY(-150px); position: absolute; top: 0px; left: 0px; right: -17px;">
<div id="fbqsr-wrapper" data-type="header" class="fbqsr-mobile" style="z-index: 1000001; height: 150px;">
<div id="fbqsr-popup" class="fbqsr-popup-steady fbqsr-popup-ready">
<div class="mbnr4web">
<div id="fbqsr-button">
<div class="mbnr4web__image-container">
<div class="mbnr4web__image" id="fbqsr-image" style="width: 1200px; background-image: url(&quot;https://tpc.googlesyndication.com/pagead/imgad?id=CICAgKC7iozrBxABGAEyCHAbWsf2bvlL&quot;);">
</div></div></div>
<div id="fbqsr-popup-close" class="mbnr4web__close">
</div></div></div></div></div>

appears not always disabling plugins, etc. I can’t determine whether the code has completely disappeared or not
, and yes, advertising appears later, but due to the inconsistent appearance of advertising, it is difficult to trace the process of loading scripts.
and also searched for a fragment by the phrases fbqsr-popup; mbnr4web etc in files via notepad++ but no result.
________________________________________________________________________________________________
In general, thanks to everyone, the following concept of actions served as a solution to the problem: I switched the site to an insecure connection, thereby advertising appeared again. Through the debugger, we managed to trace the leading js to the site redhelper.ru

<!-- RedConnect -->
<script id="rhlpscrtg" type="text/javascript" charset="utf-8" async="async"
src="https://web.redhelper.ru/service/main.js?c=blablabla"></script>
<div style="display: none"><a class="rc-copyright" 
href="http://redconnect.ru">Сервис звонка с сайта RedConnect</a></div>
<!--/RedConnect -->

Which I myself put for feedback.
He creates a bunch of unnecessary directories with his scripts, until I know I upload backup)
________________________________________________________________________________________________
No, I didn’t find any directories, apparently it loads everything from its sources

• Unupdated version of WP
  I suggest setting the directory and WP code files to read-only .
  Like 0 comments

The question is not in the router, but in the provider, they directly confirmed to me that at the conclusion of the contract I agreed to receive advertising through networks.
The issue is resolved by an application to technical support.

This is

<!DOCTYPE html>
  <!--[if IE 8]>
    <html xmlns="http://www.w3.org/1999/xhtml" class="ie8" lang="ru-RU">
  <![endif]-->
  <!--[if !(IE 8) ]><!-->
    <html xmlns="http://www.w3.org/1999/xhtml" lang="ru-RU">
  <!--<![endif]-->

Generally past the checkout. Harmless code.
If it is not your hosting that inserts the ads, then first disable the plugins: check. If so, change the subject. What's left is to reinstall the VP.
This way you can determine what is causing the problem.
If the theme is yours, custom, then look in the theme files.
Once you've determined what's causing the problem, start by looking for the mechanism.
If the problem is with the plugin, reinstall it. If the problem persists, contact the developer and temporarily disable it. If there is a problem with the theme, the actions are similar.
Is the malicious code coming from the server? If so, look for any hooks that are called at that location. Does the ad show up later? Look in the debugger to see what scripts you have loaded. What causes them. Search and try to disable them.
Don't forget to reset all WP user, database and FTP passwords

I have exactly the same garbage on one of my sites, which is not accessible from outside.
And what is more interesting, in one service in which I work. It can only be accessed with a username and password.
And the code is the same.
I suspect either a plug-in is installed in the browser and does this, or a virus on the computer. But I definitely did not put any redhelper.ru on my site. There is no chat at all and such things.

Hello. Same problem, reg.ru hosting, OcStore 2.3 engine (Opencart).
Installed modules:

<div id="mbnr4web" style="z-index: 99999992; transform: translateY(-150px); position: absolute; top: 0px; left: 0px; right: -17px;"><div id="fbqsr-wrapper" data-type="header" class="fbqsr-mobile" style="z-index: 99999992; height: 150px;">
  <div id="fbqsr-popup" class="fbqsr-popup-steady fbqsr-popup-ready">
    <div class="mbnr4web"><div id="fbqsr-button"><div class="mbnr4web__image-container">
      <div class="mbnr4web__image" id="fbqsr-image" style="width: 1200px; background-image: url(&quot;https://tpc.googlesyndication.com/pagead/imgad?id=CICAgKC7ioSs5AEQARgBMgh13G8JYIQXgg&quot;);"></div>
    </div>
  </div>
  <div id="fbqsr-popup-close" class="mbnr4web__close"></div>
</div>
</div>
</div>
</div>

Does anyone have an idea how to deal with this? Checking the site for viruses did not give anything, a local search for fragments of the virus code also did not bring results. Please help.

Means so.... it not a hoster is a local infection. It appeared on two computers (win7 and 8) in two browsers (Chrome and FF). It only showed up on the phone once.
I go from mobile in point mode, there are no banners, I switch to home wifi, banners immediately climb.
I thought that the router was hacked, disconnected it from the network, reset it to the factory settings, changed the password to enter the router, but the problem did not go away. Apparently the house router is infected or even deeper.
Provider - Rostelecom. City of Angarsk, Irkutsk region

Hello! Has anyone solved this problem? I want to report that this problem is not only on WP but on all CMS, I have the same problem on three Joomla sites. Climbs periodically, especially after clearing the browser cache. Interestingly, nothing appeared on a stationary computer before, ads popped up exclusively on a smartphone and only on a Yandex browser when using a WI-FI network. I thought smart was infected, reset everything to factory settings, it did not help. The next thing I thought was that the router was infected, because. if you turn off WI-FI, and use the mobile Internet, then nothing pops up. I reset the router to factory settings, reflashed, reconfigured and what do you think, the effect is zero, everything pops up. I tried it through WI-FI at work through another provider and lo and behold !!! There is nothing and no advertising and banners. Peace and quiet. 100% comp, smartphone and sites are clean, checked with 5 antiviruses. The conclusion suggests itself as follows: Advertising and all this muck does not appear through the networks of other providers, it also does not appear when using the mobile Internet. Climbs only through the network provider ROSTELECOM. I totally agree with givi_san's conclusions. I think in the Rostelecom network something is completely wrong !!! What I safely informed them about this, I have been waiting for an answer for the 5th day already. Who else has any thoughts? Share. I've been waiting for an answer for 5 days now. Who else has any thoughts? Share. I've been waiting for an answer for 5 days now. Who else has any thoughts? Share.
-------------------------------------------------- ----------------------------
I'm 100% sure that the problem is not in the sites. The antivirus company Revizium checked the sites and made an expert opinion. SITES ARE CLEAR!!! For (webga webga ). As far as I understand, the browser can be which one. At me this infection is shown on all except Google Chrome. Foreign experts point to Google AdWords. But damn it with the Internet from other providers, nothing gets out !!! Rostelecom is silent and does not answer.
I did an analysis of the site logs, found out suspicious IPs and made a htaccess ban. Now the pictures themselves have disappeared, and the place for the banner and the code is still loaded from the outside.
Hello!!! After lengthy correspondence with Rostelecom and presentation of evidence, the problem went away. There are no banners for 2 days. But Rostelecom does not recognize the problem, but the fact is, after the correspondence, there are no banners for 2 days either on computers or on mobile. Evidence provided including from this site. Convinced that the problem is global. Thanks to all!!! Especially givi_san givi_san for the right tip!!!

The same bullshit. At work, the Internet was turned off, I came to work at home (and Rostelecom at home). And rushed. Iron is 100% pure, the trouble is clearly on the side of Rostelecom.

I have a similar problem, I also have Rostelecom, but I sin on Google Chrome because ads do not appear in other browsers.
Has anyone figured out how to solve the problem?

Today I wrote to Rostelecom technical support, they created an application. They called back from technical support and confirmed that now Rostelecom, like other providers, inserts ad units into the http protocol and it is impossible to disable this feature for one specific subscriber. They said that they themselves recently found out about this, as there were many similar appeals.

Here I painted it in an accessible way two months ago on this problem:
https://vk.com/x733337x?w=wall13108281_8116

The problem remains. div id="mbnr4web" is stupidly embedded before /body. Internet via Tele2, ancient Chrome browser, Ubuntu system! The site is self-written, but with a built-in bootstrap and CDN fonts. You should still check them out in a good way.

Issue resolved in my case. A chain has been found that causes ads with id="mbnr4web" to appear , image and content resources: mobilebanner.ru, news.truth.delivery .
The scripts are loaded by everyone's favorite bootstrap.min.js , which loads the p.mobilebanner.ru/ad/base.js script - and off we go to load all sorts of garbage.
Check your templates, if there is this script, try to throw it out and see if the problem is gone.

Faced the same problem, as a result, the router became the culprit, tk. directly without it, this ad does not appear. Router Rostelecom, and how it got there (or was originally supplied with it) has so far remained a mystery.

The same problem, banners appear on the site. Google reported hacking saved passwords. When you log in from other browsers or even in Chrome under other accounts, the banner disappears.
I solved the problem like this: Google Account - Security check - Access for third-party applications (disable all)