ublock log (trying to get to the bottom of some adware)


Comments

  • grumpycrab
    grumpycrab Posts: 4,989 Forumite
    edited 28 February 2017 at 7:48PM
    EdwardB wrote: »
    Run adwcleaner
    Thanks; my first job on any computer I see is to run an AV/malware check. I currently run, in sequence:
    AV (whatever is installed, as long as it's up to date)
    adwarecleaner
    malwarebytes
    hitman pro
    I think the problems I've been seeing this time around (although I'm still not sure it's fixed) are JavaScripts; I'm playing with noscript at the moment in Firefox (not sure what to do about Chrome, Edge...) but the aim is to be able to advise people what to do (it needs to be simple, which may be wishful thinking on my part) and so far it's... Firefox+noscript...

    EDIT: just had to allow moneysavingexpert.com for example otherwise it messes up posts+edits.

    EDIT2: and trying uMatrix in Chrome. Shows those evil js in the bbc website...
    If you put your general location in your Profile, somebody here may be able to come and help you.
  • Gillor
    Gillor Posts: 794 Forumite
    grumpycrab wrote: »
    I'll look at noscript next. See how "average punter" friendly it is.

    Great piece of software but I am not sure how “user-friendly” it is for the average user.

    Have you tried the Firefox extension Toggle Javascript?
  • EdwardB
    EdwardB Posts: 462 Forumite
    grumpycrab wrote: »
    Thanks; my first job on any computer I see is to run an AV/malware check. I currently run, in sequence:
    AV (whatever is installed, as long as it's up to date)
    adwarecleaner
    malwarebytes
    hitman pro
    I think the problems I've been seeing this time around (although I'm still not sure it's fixed) are JavaScripts; I'm playing with noscript at the moment in Firefox (not sure what to do about Chrome, Edge...) but the aim is to be able to advise people what to do (it needs to be simple, which may be wishful thinking on my part) and so far it's... Firefox+noscript...

    EDIT: just had to allow moneysavingexpert.com for example otherwise it messes up posts+edits.

    EDIT2: and trying uMatrix in Chrome. Shows those evil js in the bbc website...

    The BBC does not have advertising on its website for UK users,

    http://www.bbc.co.uk/bbc.com/faq/

    http://www.bbc.co.uk/faqs/inappropriate_advertising

    I use Ghostery and, looking at what it reports, the BBC home page uses Chartbeat and Maxymiser

    https://apps.ghostery.com/en/apps/chartbeat

    https://apps.ghostery.com/en/apps/maxymiser

    So unless you have a VPN setting this PC outside the UK there should not be any ads and probably not that lottery.

    I used opera with vpn set on and adblock set off and it displayed ads within content, not popups.

    Going back to your original post the issue was one of an ad popping up on the BBC website on a neighbours PC. Not sure if you are fixing it in their house or yours?

    Most adware is user based because ads are all about targeting the demographic and creating a profile for the user so that there is a higher click-through and conversion, but if the user logs on with an Admin login all the time it could affect any user.

    As you probably know, adware is installed when people go and install some free software and they do not UNtick the relevant boxes. The uninstall usually removes this and Revo Uninstaller may help do a complete undo.

    It seems to me that you need to first establish whether this affects all users, so create a new Standard User on the same PC and go to the BBC site.

    If it does still show then it suggests that issue is machine wide.

    Note that adware does not wish to be deleted so it will not show ads every time, so use ccleaner between tests.

    If no ads show after tests then it seems reasonable to focus on the profile that does show ads.

    Going back to that profile I would install another browser in that first profile.

    If ads do NOT show in that new browser it suggests that the issue is within Firefox, in which case disable all add-ons in Firefox, run ccleaner again, reboot and see if it still exists.

    To fix any problem you have to first be able to reproduce it, then you have to narrow down when it appears. Then you have the target: what is infected.
    Please be nice to all MoneySavers. That’s the forum motto. Remember, the prime aim is to help provide info and resources. If you don’t like someone, their situation, their question or feel they’re intruding on ‘your board’ then please bite the bullet and think of the bigger issue. :cool::)
  • grumpycrab
    grumpycrab Posts: 4,989 Forumite
    edited 2 March 2017 at 12:41PM
    Thanks Ed for your work. I have been unable to repeat the adware anywhere; at the neighbour's the other computers are OK and DNS looks OK. Damn sneaky adware! Lucky it happened when I had ublock running, otherwise nobody would believe me.

    Here's the ublock log again
    https://expirebox.com/download/a3fb4274bac29a16c3deb6989b3af826.html
    (reading from bottom) all seems to go wrong with "inline script" lines
    googl.co.uk gloode.com and lrt7a.coldcertainchannel.com (the items before these are a couple of jpgs)

    EDIT: I've just run coldcertainchannel through virustotal and a few scanners have identified the site as malicious. But not Kaspersky :-( (BitDefender spotted it and has been recommended to me.)
    https://www.virustotal.com/en/url/430ffcca28abc4669c5f456b26d9a5aafceed62f9049b70e345c35352cf8caaf/analysis/
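    A way to sift a uBlock-style request log for the two things grumpycrab's post points at (the "inline script" entries and the script loads from unexpected hosts such as googl.co.uk, a look-alike of google.co.uk). This is an added example, not the thread's own log or tooling; the log lines, column layout, first-party allowlist and look-alike target list are all constructed assumptions.

```python
# Added example, not from the thread: triage a uBlock-style request log for the
# signs of injected adware discussed above: "inline script" entries and script
# loads from unexpected third-party hosts, including look-alikes of well-known
# domains (googl.co.uk vs google.co.uk). The log is CONSTRUCTED (columns: time,
# type, host, url); the real uBlock logger export differs, so adapt parse_log().
SAMPLE_LOG = """\
12:01:03 image www.bbc.co.uk https://www.bbc.co.uk/news/pic1.jpg
12:01:03 image www.bbc.co.uk https://www.bbc.co.uk/news/pic2.jpg
12:01:04 inline-script www.bbc.co.uk https://www.bbc.co.uk/news
12:01:04 script googl.co.uk https://googl.co.uk/x.js
12:01:05 script gloode.com https://gloode.com/y.js
12:01:05 script lrt7a.coldcertainchannel.com https://lrt7a.coldcertainchannel.com/z.js
12:01:06 script static.bbci.co.uk https://static.bbci.co.uk/app.js
"""
FIRST_PARTY = {"bbc.co.uk", "bbci.co.uk"}   # assumed first-party domains
KNOWN_GOOD = {"google.co.uk", "google.com", "bbc.co.uk"}  # assumed squat targets

def registrable(host):
    """Simplified eTLD+1: keep 3 labels for co.uk-style suffixes, else 2."""
    labels = host.lower().split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov") else 2
    return ".".join(labels[-n:])

def levenshtein(a, b):
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_log(text):
    rows = [line.split(None, 3) for line in text.splitlines() if line.strip()]
    return [dict(zip(("time", "type", "host", "url"), r)) for r in rows]

def triage(text, first_party=FIRST_PARTY, known_good=KNOWN_GOOD):
    """Return (host, reason) pairs worth a closer look, in log order."""
    findings = []
    for row in parse_log(text):
        dom = registrable(row["host"])
        if row["type"] == "inline-script":
            findings.append((row["host"], "inline script (possible injection)"))
        elif row["type"] == "script" and dom not in first_party:
            why = "third-party script"
            look = sorted(g for g in known_good if levenshtein(dom, g) == 1)
            if look:
                why += "; look-alike of " + look[0]
            findings.append((row["host"], why))
    return findings
```

    Run `triage(SAMPLE_LOG)` to get the flagged hosts with a reason for each; the two jpgs and the allowlisted first-party script are left alone.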
  • EdwardB
    EdwardB Posts: 462 Forumite
    Well I would do the steps I recommended previously so that you at least know whether the whole PC is infected or just the profile and just firefox.

    It does seem to be a code injection, by WHAT, you have still to determine by following steps above.

    I would send a copy of the script to Nominet and ask them to shut down the domain

    googl.co.uk

    Pointing out that it is part of an adware/malware scam that injects into BBC and other sites (ebay is a popular target, as is any of the top 500 sites).

    You have to laugh

    Registrant: Bridgeport Enterprises Limited Registrant type: Non-UK Corporation Registrant's address: Box 1491 St Johns Antigua Antigua and Barbuda
    ns1.torresdns.com

    follow their own DNS server and it goes to
    http://ww1.survey-winner.net/ (at least they have a sense of humour)

    But if you follow what loads next in your script, the DNS of

    gloode.com

    points to the same

    http://ww1.survey-winner.net/

    Now they might say "we are just being served ads"

    but the fact that they hide their web assets and ownership in offshore havens like

    Nassau & Antigua

    Suggests they are hiding to prevent enforcement and legal action

    I would also copy to ICANN referring to

    gloode.com & coldcertainchannel.com

    If you follow the web assets that seem to be run by these people, it is all the darker side of ads (adware) along with !!!!!!, gambling (illegal in US) etc.

    They hide most of their assets with offshore privacy
    Bridgeport Enterprises Limited

    But this company is one of many that were leaked

    https://offshoreleaks.icij.org/nodes/20167533

    At the end of the day you can only report this and pass on the info to the legal team at the BBC so that they may also make complaints about the domains used. It is the best way to stop the income from the people doing this.

    If you can't reproduce I would move all data off and do a fresh install because it is a neighbour and they may not be able to cope with the next onslaught.

    When you do that, make sure they use the PC with standard user accounts and have admin accounts for admin work (which they will rarely use), make sure they understand that if something prompts them for an admin password when they are using the standard account, they should consider it nefarious unless they are doing something that requires admin login (e.g. task manager -- show all processes).
This discussion has been closed.