Possible Malware: best-deals-products

Started by Darkmoon, November 22, 2014, 01:09:16 PM

Darkmoon

When I say "possible", I don't mean that as it might be a good program -- it's not. It's adware. Here's my issue:

Every once in a while when I'm browsing a site I see, in the little status bar at the bottom of Firefox, best-deals-products.com/blahblah show up very very briefly. I've noticed nothing that comes with the known adware (no ads, no link injection, nothing), but knowing the sites I go to (including this one, from time to time, which has NO ads on it at all), I know I shouldn't be seeing that address pop up in the status bar.

So I checked it out online and went through all the steps (via CCleaner and again manually), and I can't find any trace of the malware on my computer (nothing running in the Processes, no addons in any of my browsers, nothing in the registry). And yet, every once in a great while, there that address is in my status bar for my browser.

My question is, then, what do you tech savvy folk think is going on? I have to assume some remnant is on my computer somewhere, but hell if I know how to track the damn thing down at this point.

Suggestions?
In Brightest Day. In Blackest Night...

Tuyu

As far as I can see, it's just an advertising site like many others. CCleaner will remove traces related to it, but you'll pick it up again any time you visit a site that has it among their ad scripts.

Do you use NoScript or AdBlock? You'd need some kind of continuously running software to keep it from coming back.

Darkmoon

I have AdBlock Plus. First thing I install whenever I install Firefox. Adding the site to my block list takes care of the address showing up, but that doesn't solve the issue of why it shows up at all. Someone must have it as an injection malware script, which is weird since I barely go anywhere on my computer (about ten sites total daily).
In Brightest Day. In Blackest Night...

llearch n'n'daCorna

The question is, what are the sites, and what sites were you going to or had just gone to when it shows up?

The folks who set these things up like to run onclose(), as it were, as that tends to hide their involvement...
Thanks for all the images | Unofficial DMFA IRC server
"We found Scientology!" -- The Bad Idea Bears

Darkmoon

My websites (CVRPG and CMF), the AV Club, the Dissolve, Cracked, Twitter, Tumblr, Gmail, Hotmail, Google News, Slashdot, Ars Technica, XKCD, Leftover Soup, Oglaf, and Kickstarter. That's pretty much it (aside from the occasional search for technical info).

After running CCleaner and going through all the steps to remove the malware I came to this site and immediately saw it again.

So...
In Brightest Day. In Blackest Night...

llearch n'n'daCorna

It's not the site you hit, it's the one you just left that's the possibly dodgy one.

I'd be iffy about Cracked and Tumblr, depending on how you use them. But, in all honesty, it's probably an advert included on one of them. Maybe. :-/

All a bit tricky to diagnose from here. :-(
Thanks for all the images | Unofficial DMFA IRC server
"We found Scientology!" -- The Bad Idea Bears

Darkmoon

Yeah, I agree.

Well, I have my firewalls up. I have AdBlock taking care of the addresses. And I'm using my virus scanners and CCleaner. I guess I'll just hope I got it enough for it not to be able to do any damage.
In Brightest Day. In Blackest Night...

Alondro

It's probably the secret NSA spy program.

THEY ARE WATCHING US ALL!!!!

*nukes the world, just to be on the safe side!*   :boogie
Three's a crowd:  One lordly leonine of the Leyjon, one cruel and cunning cubi goddess, and one utterly doomed human stuck between them.

http://www.furfire.org/art/yapcharli2.gif

Darkmoon

In Brightest Day. In Blackest Night...