Badmovies.org Forum

Trouble Tickets => Trouble Tickets => Topic started by: RCMerchant on April 24, 2007, 05:20:36 PM



Title: HACKER ALERT!
Post by: RCMerchant on April 24, 2007, 05:20:36 PM
WHOAH! SOMEONE IS HACKING US! THE UNDERLINED WORDS ARE HIDING ADS!


Title: Re: HACKER ALERT!
Post by: Andrew on April 24, 2007, 05:34:59 PM
Did you actually see something or was this a joke?

I ask, as there is a new ad network running and they do run "contextual ads" which would look like you seem to be describing.  However, contextual ads are not selected and should not be appearing.


Title: Re: HACKER ALERT!
Post by: Doc Daneeka on April 24, 2007, 05:37:32 PM
If they are, this should be in trouble tickets (just checking :smile:)


Title: Re: HACKER ALERT!
Post by: RCMerchant on April 24, 2007, 05:40:16 PM
No joke. In the "Hottest actress" thread, many of the underlined words...including the "boo" in my post, when clicked on had an ad hidden in it, which popped up, as well as a few hidden under some of the other posters' actress choices. Also, the "leet" thing (now gone) that replaced my post number...and a number of other odd flashes. No, I'm not drinking or seeing things...and I'm definitely not goofing! I'm just worried that a hacker is loose.

Sorry I didn't put it in "Trouble Tickets". I just wanted to alert everybody fast.


Title: Re: HACKER ALERT!
Post by: Doc Daneeka on April 24, 2007, 05:42:11 PM
Not happening for me, but I have Internet Explorer, do you have anything different?


Title: Re: HACKER ALERT!
Post by: Andrew on April 24, 2007, 05:43:10 PM
I was just able to replicate this.  It is the new advertiser for some reason.  I will check to see what is going on.  Their contextual ads should not be turned on - only the regular banner ads.


Title: Re: HACKER ALERT!
Post by: RCMerchant on April 24, 2007, 05:45:29 PM
They aren't there any more...geez, I feel like the shmuck who sees a ghost, and it disappears before anyone else sees it.


Title: Re: HACKER ALERT!
Post by: JaseSF on April 24, 2007, 05:50:35 PM
I saw them too.


Title: Re: HACKER ALERT!
Post by: Menard on April 24, 2007, 06:02:38 PM
I don't know if this is related, but I got hit with spyware when I last entered the forum. My browser locked up and attempts were made to install something. There was some ad banner about some games site at the time, if that offers any help.

I presently have a dll (gebcdbc.dll) that keeps trying to add itself as a browser helper, and it is really annoying trying to keep it at bay. If I can get it with a scanner, I'll have to go into safe mode to delete the file and try to edit the registry.


EDIT: The banner is something about playing 400 games, but I don't know if the advertiser has anything to do with the spyware as that was the thing I saw before.

This is the url for the banner: http://click.linksynergy.com/fs-bin/click?id=OgxcJ07Gfq0&offerid=94521.10000060&type=4&subid=0


Title: Re: HACKER ALERT!
Post by: Andrew on April 24, 2007, 06:16:01 PM
Okay, it appears that the "contextual" ads (the ones that RCMerchant and Jase described) are now turned off.

Menard, I am searching to see if I can find that banner, but I do not know of a way to check through all the ads from Google and Clicksor (the new advertiser).  As it is, I am trying to replicate what you experienced.  Only two ads run on the forum, the top and the bottom banners.


Title: Re: HACKER ALERT!
Post by: Menard on April 24, 2007, 08:04:32 PM
Well, the regedit and safe mode did not work. This dll is running even in safe mode and Windows won't allow it to be removed. I have programs like Windows Explorer trying to access the internet which should not be behaving in that manner. I am going to try to find some of my Linux distros and see if I can delete the file through Linux running as a non-resident OS.

When I ran the scanner, it did find a toolbar called Smitfraud (that was not misspelled).

My main concern is that apparently this dll is not alone as it is still apparently writing itself to the registry, so there must be another file associated with it.

When I got onto the forum, I was introduced to a program called pre.chm which was trying to download to my computer; something was downloading though, but my download manager should have stopped the chm file, not that I can quite figure why a help file is trying to download.

About every minute or two, this dll keeps trying to add itself to the browser, so it is incredibly annoying (as I am constantly having to deny permission), and it is making it a slow process to write this post.


Title: Re: HACKER ALERT!
Post by: Andrew on April 24, 2007, 08:13:39 PM
I have tried to replicate this due to the forum doing something, but cannot.  I have done a compare with the files on the server and my local version and everything looks kosher.   I have also checked the output from numerous pages and not found any rogue code, so I am at a loss if you believe it came from here. 

Is it possible that it came from somewhere else and only managed to start its active infection around the time you came on the forum?

I found some info on Smitfraud for you:

http://en.wikipedia.org/wiki/Spyware_Quake

http://www.anti-spyware-101.com/remove-smitfraud/


Title: Re: HACKER ALERT!
Post by: Menard on April 24, 2007, 08:20:27 PM
Is it possible that it came from somewhere else and only managed to start its active infection around the time you came on the forum?

The spyware did not start to download till I entered the forum, but it is entirely possible that it could have been seeded on another site to be triggered when I went to another site, such as the forum. I don't know how this could have been done, but I do know such scripting is possible. I was getting warnings as well that an ActiveX control was trying to access my system, but everything was locking up so I couldn't do much about it.


Title: Re: HACKER ALERT!
Post by: Menard on April 24, 2007, 08:24:32 PM
http://www.anti-spyware-101.com/remove-smitfraud/


Are you familiar with this site enough to trust using the smitfraud removal tool they are offering?


Title: Re: HACKER ALERT!
Post by: Andrew on April 24, 2007, 08:35:55 PM
http://www.anti-spyware-101.com/remove-smitfraud/


Are you familiar with this site enough to trust using the smitfraud removal tool they are offering?


I cannot say that I am, though I found several references to the removal tool by S!Ri on the web:

http://www.tech-forums.net/pc/f51/smitfraudfix-site-139176/
http://www.lavasoftsupport.com/lofiversion/index.php/t4337.html
http://siri.geekstogo.com/SmitfraudFix.php
http://www.bleepingcomputer.com/files/smitfraudfix.php
http://www.castlecops.com/t187055-smitfraudfix.html


Title: Re: HACKER ALERT!
Post by: akiratubo on April 25, 2007, 05:58:54 AM
I don't know if this is related, but I got hit with spyware when I last entered the forum. My browser locked up and attempts were made to install something. There was some ad banner about some games site at the time, if that offers any help.

Internet Explorer was locking up my computer earlier today, similar to what you describe.  Whenever I started my computer, it would lock up as soon as my internet connection would become active.  I finally had to unplug my modem and run Ad Aware and Anti Vir, which seems to have fixed it.  The last place I visited before logging off before that was badmovies.org/forum.


Title: Re: HACKER ALERT!
Post by: Andrew on April 25, 2007, 06:05:40 AM
I don't know if this is related, but I got hit with spyware when I last entered the forum. My browser locked up and attempts were made to install something. There was some ad banner about some games site at the time, if that offers any help.

Internet Explorer was locking up my computer earlier today, similar to what you describe.  Whenever I started my computer, it would lock up as soon as my internet connection would become active.  I finally had to unplug my modem and run Ad Aware and Anti Vir, which seems to have fixed it.  The last place I visited before logging off before that was badmovies.org/forum.

About what time was this?  The only thing that had changed was the new ad network.  When the "contextual" inline ads were appearing and Menard said he had a problem, I disabled them.  If it looks like the problem came from there, I will drop that network.


Title: Re: HACKER ALERT!
Post by: Andrew on April 25, 2007, 06:26:16 PM
I have finished going through all of the forum files, but cannot find any weird changes.  Ditto with checking the server.  Menard and akiratubo, if you encountered malicious code on here the only possibility I cannot discount is a banner advertisement.  Since I do not think the Movies Unlimited one could do it (but I went ahead and removed it), the only options would be the Google ads, the Amazon.com ads, or the new advertiser.  I have seen reports of malicious code from a Google ad, but it also appears they usually find and disable the offending ad quickly.

I will continue to keep an eye on everything, as always.  We had a problem about two years ago where a hacker apparently captured the site's password and had placed malicious code on the front page.  At that time, best I can figure, the hacker got the password from the webhosting company's trouble ticket system (the site was on Hostgator back then, I have moved hosts since).

My intent is to provide a safe haven here.  Even the possibility that something malicious came from the site is something I will take seriously.  I have denied a number of potential advertisers, because they or their ad code worried me.

UPDATE:  I believe that what was encountered came from the new advertiser, Clicksor.  I did some checking and encountered an attempted drive-by install from one of their ads, apparently from the domain Drivecleaner.com (known adware).  I have emailed them to delete Badmovies.org's account and removed all code from the system.  I definitely apologize if anyone had problems due to this.  I do not accept or run ads that do anything besides what they are supposed to do.


Title: Re: HACKER ALERT!
Post by: trekgeezer on April 26, 2007, 07:18:34 AM
I hope we never have to put up with those contextual ads. I scan with my cursor while reading the screen and those things really p**s me off when they pop up.


Title: Re: HACKER ALERT!
Post by: Andrew on April 27, 2007, 01:23:09 PM
I hope we never have to put up with those contextual ads. I scan with my cursor while reading the screen and those things really p**s me off when they pop up.

I have the same opinion of them, which was why I had taken steps to ensure they were turned off.

This is the same issue as years ago, when I had problems with Advertising.com.  I had pop-ups and pop-unders turned off for the site, but they kept slipping them in.  After three strikes, I wrote them that they had violated the contract and it was null and void - I would no longer display their ads.  That was the end of that.

The only ads displayed are simple "takes up this much space" ads.  I do not allow any pop-ups, pop-unders, ads between pages, inline text ads (that is what the automatic hyperlinks were called), or other intrusive formats.  If you see them, let me know.  Take a screen capture if possible.