
HACKER ALERT!

Started by RCMerchant, April 24, 2007, 05:20:36 PM


RCMerchant

WHOA! SOMEONE IS HACKING US! THE UNDERLINED WORDS ARE HIDING ADS!
"Supernatural?...perhaps. Baloney?...Perhaps not!" Bela Lugosi-the BLACK CAT (1934)
Interviewer-"Does Dracula ever end for you?"
Lugosi-"No. Dracula-never ends."
Slobber, Drool, Drip!
https://www.tumblr.com/ronmerchant

Andrew

Did you actually see something or was this a joke?

I ask, as there is a new ad network running and they do run "contextual ads" which would look like what you seem to be describing. However, contextual ads are not selected and should not be appearing.
Andrew Borntreger
Badmovies.org

Doc Daneeka

If they are, this should be in trouble tickets (just checking :smile:)

https://www.youtube.com/user/silverspherechannel
For the latest on the fifth installment in Don Coscarelli's Phantasm saga.

RCMerchant

No joke. In the "Hottest actress" thread, many of the underlined words...including the "boo" in my post, when clicked on had an ad hidden in it, which popped up, as well as a few hidden under some of the other posters' actress choices. Also, the "leet" thing (now gone) that replaced my post number...and a number of other odd flashes. No, I'm not drinking or seeing things...and I'm definitely not goofing! I'm just worried that a hacker is loose.

Sorry I didn't put it in "Trouble tickets". I just wanted to alert everybody fast.

Doc Daneeka

Not happening for me, but I have Internet Explorer, do you have anything different?


Andrew

I was just able to replicate this. It is the new advertiser for some reason. I will check to see what is going on. Their contextual ads should not be turned on - only the regular banner ads.

RCMerchant

They aren't there any more...geez, I feel like the schmuck who sees a ghost, and it disappears before anyone else sees it.

JaseSF

"This above all: To thine own self be true!"

Menard

I don't know if this is related, but I got hit with spyware when I last entered the forum. My browser locked up and attempts were made to install something. There was some ad banner about some games site at the time, if that offers any help.

I presently have a dll (gebcdbc.dll) that keeps trying to add itself as a browser helper, and it is really annoying trying to keep it at bay. If I can get it with a scanner, I'll have to go into safe mode to delete the file and try to edit the registry.


EDIT: The banner is something about playing 400 games, but I don't know if the advertiser has anything to do with the spyware as that was the thing I saw before.

This is the url for the banner: http://click.linksynergy.com/fs-bin/click?id=OgxcJ07Gfq0&offerid=94521.10000060&type=4&subid=0

Andrew

Okay, it appears that the "contextual" ads (the ones that RCMerchant and Jase described) are now turned off.

Menard, I am searching to see if I can find that banner, but I do not know of a way to check through all the ads from Google and Clicksor (the new advertiser).  As it is, I am trying to replicate what you experienced.  Only two ads run on the forum, the top and the bottom banners.

Menard

Well, the regedit and safe mode did not work. This dll is running even in safe mode and Windows won't allow it to be removed. I have programs like Windows Explorer trying to access the internet which should not be behaving in that manner. I am going to try to find some of my Linux distros and see if I can delete the file through Linux running as a non-resident OS.

When I ran the scanner, it did find a toolbar called Smitfraud (that was not misspelled).

My main concern is that apparently this dll is not alone as it is still apparently writing itself to the registry, so there must be another file associated with it.

When I got onto the forum, I was introduced to a program called pre.chm which was trying to download to my computer; something was downloading though, but my download manager should have stopped the chm file, not that I can quite figure why a help file is trying to download.

About every minute or two, this dll keeps trying to add itself to the browser, so it is incredibly annoying (as I am constantly having to deny permission), and it is making it a slow process to write this post.

Andrew

I have tried to replicate this due to the forum doing something, but cannot.  I have done a compare with the files on the server and my local version and everything looks kosher.   I have also checked the output from numerous pages and not found any rogue code, so I am at a loss if you believe it came from here. 

Is it possible that it came from somewhere else and only managed to start its active infection around the time you came on the forum?

I found some info on Smitfraud for you:

http://en.wikipedia.org/wiki/Spyware_Quake

http://www.anti-spyware-101.com/remove-smitfraud/

Menard

Quote from: Andrew on April 24, 2007, 08:13:39 PM
Is it possible that it came from somewhere else and only managed to start its active infection around the time you came on the forum?

The spyware did not start to download till I entered the forum, but it is entirely possible that it could have been seeded on another site to be triggered when I went to another site, such as the forum. I don't know how this could have been done, but I do know such scripting is possible. I was getting warnings as well that an ActiveX control was trying to access my system, but everything was locking up so I couldn't do much about it.

Menard

Quote from: Andrew on April 24, 2007, 08:13:39 PM
http://www.anti-spyware-101.com/remove-smitfraud/

Are you familiar with this site enough to trust using the smitfraud removal tool they are offering?

Andrew

Andrew Borntreger
Badmovies.org