Malware or Adverts?

Hi,

While watching TV on ITV player (on ITV TV channel’s own website) in full screen mode some tabs must have opened in Firefox, as when I switched out of full screen mode there were 3 extra tabs open.
A supermarket page, and two pages for a job finding site.
The extra pages had URLs that seem to belong to the legit companies.

Are these normal ads, or malware?

The only other webpage I’d been to since switching on the computer was Wikipedia.

I’ve updated and run MBAM full scan, and updated Avast and run a boot scan, also Windows Defender, all are clear.

Anyone else seen these types of pages appear? Is it normal?

Many Thanks.

Hey, I suggest you upload the URL code to VirusTotal and post the result here so we can have a look at the site you're talking about.

https://www.virustotal.com/

Hi, Thanks for the reply.

I’ve not been able to recreate the issue. Scans are still clear.

The url of the site I was looking at?
It’s on the official ITV TV channel website:

http://www.itv.com/itvplayer/video/?Filter=302560

To browse to it I did this:

  • Search for ITV
  • Go to the official ITV webpage
  • Click ITV player at the top
  • Click A-Z near the top
  • Go to ‘J’ The Jonathan Ross Show
  • Choose to watch the show from 21st Jan.

I’d missed the show on TV so went to the TV channel’s own site to watch it later. (I am in the UK, it is a channel on TV in the UK)

The tabs that came up in the background were:

www.sainsburys-live-well-for-less.co.uk/brand-match/
And two pages for Reeds job finding site, that said 'More jobs, more choice at Reeds'

They seem to be the actual webpages for the proper companies.

Is this likely to be normal advertising?
Although, I haven’t seen the pages appear again, even when watching the same vid.

I’ve not heard of malware that shows you extra tabs with pages for actual companies, has anyone else?

Thanks.

Main site you visited has this:
-www.itv.com/_devpacks/dotcomplayer/js/itv-onclick.js suspicious
[suspicious:2] (ipaddr:64.215.158.203) (script) -www.itv.com/_devpacks/dotcomplayer/js/itv-onclick.js
status: (referer -www.itv.com/itvplayer/video)saved 2820 bytes 8b981cd106e28f92067b6bd0388746ba6a83b86e
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
This was suspicious code on the tab that came up:
0ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js suspicious
[suspicious:2] (ipaddr:173.194.64.95) (script) ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js
status: (referer=-www.sainsburys-live-well-for-less.co.uk/brand-match/)saved 91556 bytes 7622c9ac2335be6dcd3ab8b47132e94089cef931
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function a.getElementsByTagName
error: undefined variable a
suspicious:
given clean here: http://urlquery.net/report.php?id=18377
see: http://wepawet.iseclab.org/view.php?hash=fdeceee6af5697946595dfe03118cc03&t=1327942448&type=js

Could have been doubleclick adserving via AiMatchAdvertStub dot htm.
Use an adblocker like Adblock Plus to stop your browser
from serving these ads/ad pages, see: -http://d01.www.itv.com/Html/AiMatchAdvertStub.htm?d=d&t=0
given as ad.test which re-directs to -http://counter.rambler.ru/top100.cnt?739465
via a webbug image.gif

polonus

Hi, thank you for all the information.

My apologies, I don’t understand much of the details given.
What is it that is coming up as ‘suspicious’? The ads on the pages, the content on the pages themselves, or something else?
The pages I saw are all from legit big companies, as far as I know.

I have adblock plus (with Easylist, and allow non-intrusive is not checked), and NoScript on Firefox.

What is “a webbug image.gif”?

I’ve not seen the ad pages come up again (or any other similar ad pages) even if I go to the same ITV page.
Is it more likely that this is a one off, than malware on the computer?

Many thanks for your help.

Hi Tobias4051,

What came up as suspicious was javascript in the source code of the webpage. When a page is scanned with a special scanner, the scanner alerts to suspicious parts of the code if found. That does not mean it must be malware, but it could be. As you use NoScript you can configure it to block webbugs as well. Webbugs are very tiny objects, like a tag gif, mostly invisible to the visitor, that may check/track the visitor of the webpage. Sometimes these webbugs can be malicious in nature, but normally they are not. With NoScript you can block webbugs and javascript that does not originate from a non-main site.
So you are secure,

polonus

Thank you very much for all your help and for the information.

With NoScript you can block webbugs and javascript that does not originate from a non-main site.
How do you block webbugs with NoScript? I couldn't see the option.

I am curious about the ‘virtual machine’ mentioned in your sig, but I’ll start a new thread on another board in this forum as it is OT in this thread.

In NoScript you could block Web Bugs: open “Options”, go to the tab “Advanced”
and there tick Forbid “Web Bugs” - bye, bye Web Bugs. That was before the regression, and the option is no longer there in NoScript,
see: http://forums.informaction.com/viewtopic.php?p=33321#p33321 (poster Giorgio Maone, the developer of NoScript).
For what Web Bugs do, and the three categories of Web Bugs, see: http://w2.eff.org/Privacy/Marketing/web_bug.html (article by Richard M. Smith).
Now an example. If you do not want to block Web Bugs outright, and want to be alerted to them and see what they actually do, and if they are third party etc., install FoxBeacon Web Bug Detector from here: https://addons.mozilla.org/en-US/firefox/addon/9202
And now a practical example and the proof that you can come across them everywhere:
whenever you visit the BBC News page, it alerts you to a web bug.
Ghostery has the possibility to block webbugs: https://addons.mozilla.org/nl/firefox/addon/ghostery/
and could also get rid of other "snoopers" for ye,

polonus
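
An added example, not part of the original thread and not how FoxBeacon or Ghostery work internally: a small Python check that flags candidate web bugs in a page's HTML (images that are 1x1 or hidden) and reports whether each is served from a third-party site. The sample page, its host names and the two-label "site" comparison are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page and markup (not taken from any real site).
SAMPLE_PAGE = "http://www.news.example/story.html"
SAMPLE_HTML = """
<img src="/images/logo.png" width="200" height="60">
<img src="http://counter.tracker.example/top.gif?id=12345" width="1" height="1">
<img src="http://stats.news.example/hit.gif" style="display: none">
<img src="http://cdn.partner.example/banner.jpg" width="468" height="60">
"""

def site_of(host):
    # Assumption: last two DNS labels identify the site. A real tool would
    # use the Public Suffix List (needed for names such as .co.uk).
    return ".".join(host.lower().split(".")[-2:])

def tiny(value):
    # True when a width/height attribute is 0 or 1 pixel.
    digits = (value or "").strip().lower().replace("px", "")
    return digits.isdigit() and int(digits) <= 1

class WebBugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlparse(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = urlparse(urljoin(self.page_url, a.get("src") or ""))
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (hidden or (tiny(a.get("width")) and tiny(a.get("height")))):
            return  # normally sized, visible image: not a web bug candidate
        host = src.hostname or ""
        origin = "first-party" if site_of(host) == self.page_site else "third-party"
        # The third field records whether the request carries a query string.
        self.findings.append((host, origin, bool(src.query)))

def find_web_bugs(page_url, html):
    finder = WebBugFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for host, origin, has_query in find_web_bugs(SAMPLE_PAGE, SAMPLE_HTML):
        print(f"{host:28} {origin:12} query_string={has_query}")
```
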

Thank you for the informative reply, I’ll take a look at Ghostery.