Results 1 to 24 of 24
  1. #1
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    Hello,

    I try at all costs to run a clean computer, but looks like something may have sneaked onto my system.

    When making links for a CJ program (which is a good program and parasite free - think this one snuck in their backdoor this time), when I went directly to the merchants site I was redirected through this url:

    http://ads.kwrds.com/###/ where the ### represents various merchant numbers they identify. Type in your own number and see where it takes you - might be surprised.

    Anyways, I went to doxdesk.com and it said my system was clean. I ran adaware 6.0 and it found nothing either.

    This thing isn't redirecting my links, though. Insteasd, it is hijacking direct traffic to the merchants site, then putting in the affiliate ID.

    Does anyone have any idea what this is. I really want to get it off my system, but not knowing what it is makes it rather difficult!

    Thanks.

    Jim

  2. #2
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Nunya, Business
    Posts
    23,684
    http://www.spywareinfo.com/xscan.php

    Try that just to make sure. Sometimes it finds stuff the others miss.

  3. #3
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    Thanks Trust,

    Just went there and did the test. Didn't find anything.



    So, anyone have any ideas??

    This parasite belongs to more than 1700 programs (both on networks and through Indys, including Porn sites), so will be nice to know who it is.

    Jim

  4. #4
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Nunya, Business
    Posts
    23,684
    Don't know, url goes to yahoo. Would it happen to be a yahoo store merchant?

    I work in lounge pants . Looking for a sponsor, PM with offer.

  5. #5
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    Hi Trust,

    Yes, the default will go to Yahoo. But, where the ### is in the url, type in a number instead. Say type in 1700. You'll be re-directed to a merchant.

    Jim

  6. #6
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    More interesting notes on this.

    I just installed the new version of Zone Alarm, and wiped out all my previous permissions. Also deleted all cookies.

    Same thing still happened (zone alarm didn't give me an alert that it blocked a program from accessing the internet) - direct traffic was hijacked by this program. Thus, something with a "built in" database is sitting on my computer - looking for merchant keywords I type into the address bar. When it sees it, it redirects through this ads.kwrds.com url. Since it sits on my computer and is not communicating with a central server, it is making it very difficult to track down.

    Jim

  7. #7
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Nunya, Business
    Posts
    23,684
    Yeah, see it went to a couple of porn sites, depending on what # you put in. So you made some CJ links to a particular merchant, clicked the link and was redirected thru that url? Does this happen with only that merchant or have you tried making links with another CJ merchant to see if it is redirected again?

    I work in lounge pants . Looking for a sponsor, PM with offer.

  8. #8
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    No, wasn't redirected. Instead, it is hijacking my DIRECT traffic instead. Discovered this when I went to the merchants site to browse around for products to link to. It redirected me. But, when I put a CJ link to the merchant on my own site, it didn't redirect the click. But, if I then typed in the merchants url, it will hijack the request and take it through the ads.com link.

    - and its more than just porn sites. Saw several CJ merchants in the list by typing in various numbers, including HSN, Dell and the Chocolate Source. I don't partner with any of them, but these merchants seem built into the system of whoever this parasite is.

    Jim

  9. #9
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    Getting deperate here.

    Just deleted my index.dat file in my cookies folder. Using a index.dat viewer, was able to find a CJ PID for the merchant in question. Yet, even after deleting the file, I'm still being hijacked when I attempt to go to this merchants site.

    Jim

  10. #10
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    2,419
    Sounds ugly Jim,

    Run msconfig and take a good look at what is running at startup - it's probably there that this thing gets started.

    By selectively turning off crap and rebooting you can likely figure out which one it is and then backtrack from there and figure out more on the program itself.

    ===================================
    Child labor laws exist yet, parasite partnering merchants (PP Merchants) and the COC allow an adult affiliates income to be diverted into the pockets of parasites and consider it normal business!

    Why give parasites unlimited cookie durations and credit for sales where they divert our users and overwrite our cookies. PP merchants and the COC directly supports what many consider unfair trade practices, identity theft and thievery!

  11. #11
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    Hi HappyMoon,

    Thanks for the tip. Ran MSCONFIG and it didn't show anything out of the ordinary. Everything that was running was either Macromedia, Microsoft, ZoneAlarm or McAfee stuff. Nothing jumped out at me that didn't belong.

    Hope someone has some more ideas - I really want this thing off my system!!

    Jim

  12. #12
    ABW Ambassador Andy's Avatar
    Join Date
    January 18th, 2005
    Posts
    4,178
    Jim,

    It certainly sounds like you might have something sinister going on. When did this start happening? You can do a search for new files as of that date, and see if anything turns up there.

    This thing is going to have to phone home at some point, it will need to update the merchant list, which might be where you catch what it is. These apps that aren't listed in the start up menu can be really difficult to track down.

    I'm sorry that I can't offer any words of wisdom on this thing, but best of luck in tracking it down!

    Andy

    _______________
    <font color="red">Call the Exterminators! We've Got PARASITES!</font>

  13. #13
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Have you run Sybot Search & Destroy? Make sure you download all the latest updates when you run it. Great program.. if it's helpful then make a donations

    Hey it sounds like Commission Disjunction (warning - this site is a parody).

    1300 goes through a Linkshare link - click.linksynergy.com/fs-bin/click?id=wbQaVPWRqIk&offerid=16721.10000001&type=3&subid=0 - which has already been terminated.

    1501 is a Befree link - service.bfast.com/bfast/click?bfmid=30991737&siteid=38700847&bfpage=wkly_hot_deals - which is still active

    1502 is a CJ link - www.qksrv.net/click-596220-546790

    1503 - another Befree link - service.bfast.com/bfast/click?bfmid=1391718&siteid=38356688&bfpage=microhome_468_60

    1504 - Befree - service.bfast.com/bfast/click?bfmid=37919209&siteid=38530944&bfpage=homepage

    1505 - Befree - service.bfast.com/bfast/click?bfmid=37920129&siteid=38879974&bfpage=home

    1506 - CJ - www.qksrv.net/click-893794-6341538

    1600 - Clickserve - //clickserve.cc-dt.com/link/click?lid=41000000000181401

    1788 - CJ - www.qksrv.net/click-879304-5592531

    1801 - CJ - www.qksrv.net/click-879304-35039

    1820 - CJ - www.qksrv.net/click-1211340-5837645

    1830 - CJ - www.qksrv.net/click-1211340-5029349

    There are hundreds of these

    ________
    "All your commission are belong to us." - Slimeware Corporation

  14. #14
    Merchant Linda's Avatar
    Join Date
    January 18th, 2005
    Location
    TN, USA
    Posts
    1,030
    Sorry, don't have a solution and haven't heard of them before but I looked them up in Whois. Looks to me like they want to keep their identity a secret. "Active Keywords" hmmm -

    Registrant:
    Active Keywords hostmaster@KWRDS.COM 31-20-5087621
    Active Keywords
    PO Box 44861
    Amsterdam,NL,Netherlands 1100DJ


    Domain Name:kwrds.com
    Record last updated at 2003-05-04 13:06:03
    Record created on 2002/6/1
    Record expired on 2004/6/1


    Domain servers in listed order:
    ns.rackspace.com 207.235.16.2
    ns2.rackspace.com 207.71.44.121

    Administrator:
    name: Active Keywords

    mail: hostmaster@KWRDS.COM tel: 31-20-5087621
    org: Active Keywords

    address: PO Box 44861
    city: Amsterdam
    ,province: NL
    ,country: Netherlands
    postcode: 1100DJ

    PO Box 44861
    Amsterdam,NL,Netherlands 1100DJ

    Technical Contactor:
    name: Active Keywords
    mail: hostmaster@KWRDS.COM tel: 31-20-5087621
    org: Active Keywords

    address: PO Box 44861
    city: Amsterdam
    ,province: NL
    ,country: Netherlands
    postcode: 1100DJ

    PO Box 44861
    Amsterdam,NL,Netherlands 1100DJ

    Billing Contactor:
    name: Active Keywords

    mail: hostmaster@KWRDS.COM tel: 31-20-5087621
    org: Active Keywords

    address: PO Box 44861
    city: Amsterdam
    ,province: NL
    ,country: Netherlands
    postcode: 1100DJ

    PO Box 44861
    Amsterdam,NL,Netherlands 1100DJ

  15. #15
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    1,663
    In the off-chance there is a text file on your computer containing data driving this parasite, perhaps a file search might turn up something if you look for files containing the string 'kwrds' or perhaps your merchant number.
    Worth a shot?

    Have you contacted Yahoo about this? They might be able to help.

    Wayne

  16. #16
    ABW Ambassador
    Join Date
    January 18th, 2005
    Posts
    2,419
    Here are a couple of other things you should check.

    From IE: Look Tools - internet options - connections

    They may have added an entry there. If no entry click on lan settings and look for a possible entry there as they may have provided a proxy server.

    If nothing there, one other thing to do would be to edit your win.ini file in the windows directory and look for run= or rundll= defined there. I put a run="program.exe" on my dads pc to mess with him one time - That was really fun but another story altogether.

    ===================================
    Child labor laws exist yet, parasite partnering merchants (PP Merchants) and the COC allow an adult affiliates income to be diverted into the pockets of parasites and consider it normal business!

    Why give parasites unlimited cookie durations and credit for sales where they divert our users and overwrite our cookies. PP merchants and the COC directly supports what many consider unfair trade practices, identity theft and thievery!

  17. #17
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    Just trying to get a range of links. SamSpade is useful for this. Lots of active affiliate IDs here.


    1300 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    1350 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    1400 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    1425 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    1450 - http://service.bfast.com/bfast/click...e=lens_express

    1475 - http://service.bfast.com/bfast/click...bfpage=buttons

    1500 - http://service.bfast.com/bfast/click...bwhite_125x125

    1525 - http://www.qksrv.net/click-596220-1931860

    1550 - http://service.bfast.com/bfast/click...fpage=homepage

    1575 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    1600 - http://clickserve.cc-dt.com/link/cli...00000000181401

    1625 - http://www.qksrv.net/click-879304-1110164

    1650 - http://in.yummyasian.com/cgi-bin/fmp.cgi/140/2125854/X

    1675 - http://www.cocktime.com/1991352620

    1700 - http://c.fsx.com/c?z=1,38011,1,rsm,h...lshemales.com/

    1725 - http://clickserve.cc-dt.com/link/cli...00000000352973

    1750 - http://service.bfast.com/bfast/click...ge=vcshomepage

    1775 - http://www.qksrv.net/click-1215666-6268604

    1800 - http://www.qksrv.net/click-1215666-171867

    1825 - http://www.qksrv.net/click-1215666-1556312

    1850 - http://click.linksynergy.com/fs-bin/...&u1=2495365492

    1875 - http://service.bfast.com/bfast/click...pe=periodicals

    1900 - http://click.linksynergy.com/fs-bin/...&u1=2495365492

    1925 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    1950 - http://www.qksrv.net/click-1035472-7134231

    1975 - http://www.qksrv.net/click-1188214-8791889

    2000 - http://click.linksynergy.com/fs-bin/click?
    offerid=40643.10000010&subid=0&type=3&u1=ebs23324120sbe&id=AysPbYF8vuM

    2025 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    2050 - http://click.linksynergy.com/fs-bin/...type=3&subid=0

    ________
    "All your commission are belong to us." - Slimeware Corporation

  18. #18
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    One of those links was for walmart.com - it's likely that the text for that is sitting on a file on your hard disk, which could give a clue. (Of course it will now be in your IE cache too).

    ________
    "All your commission are belong to us." - Slimeware Corporation

  19. #19
    Merchant Linda's Avatar
    Join Date
    January 18th, 2005
    Location
    TN, USA
    Posts
    1,030
    Looking at the affiliate links that Dynamoo posted, here are the different affiliate ids.

    Linkshare - 4 different accounts??
    wbQaVPWRqIk (Linkshare has deativated account)
    WOVEJjWWnuk
    6o8JG0hWlQI (Linkshare has deativated account)
    SP00/CHoJOs

    BeFree siteid - possibly the same account or could be up to 10 different accounts
    38531623 (This merchant is no longer participating in the affiliate program.)
    38530946 (This merchant is no longer participating in the affiliate program.)
    38356696
    38771039
    39671849
    39462198 (This merchant is no longer participating in the affiliate program.)
    38700847
    38356688
    38530944
    38879974

    CJ PID - could all be under one account but you only sign up a site once to get a PID and since this is one site, this looks like 7 different CJ accounts
    596220 (account deactivated)
    879304 (account deactivated)
    1215666 (account deactivated)
    1035472
    1188214
    893794
    1211340 (account deactivated)


    This one is an eBates affiliate link - Dynamoo, do you have eBates on your computer?
    2000 - http://click.linksynergy.com/fs-bin/click?
    offerid=40643.10000010&subid=0&type=3&u1=ebs23324120sbe&id=AysPbYF8vuM

  20. #20
    2005 Linkshare Golden Link Award Winner  ecomcity's Avatar
    Join Date
    January 18th, 2005
    Location
    St Clair Shores MI.
    Posts
    17,328
    Good sleuthing folks and now all I can say is where are the networks openions replying to these rogue BHO's and drive-by installers. Where are the compliance checkers and the outrage thta some sumbag affiliates get to hijack traffic and commissions with S/W.

    Mike & Charlie ...

    If they won't adopt and feed a bird ..flip them one! BBQ some Gator and remember to flush WhenU..

  21. #21
    ABW Ambassador Nature Boy's Avatar
    Join Date
    January 18th, 2005
    Location
    Tennessee
    Posts
    1,423
    Have you checked your HOSTS file?


    BTW, add these to the befree list:
    39284724 (1611)
    39464029 (1751)
    39257191 (1755)
    39744387 (1758)

    The question to the networks is: why would a "publisher" have so many affiliate ID's?

    -----------------------------
    Scott

    "Can't we all just get along? Only when we've been drinking."

    [This message was edited by TravelDepot on November 15, 2003 at 02:43 PM.]

  22. #22
    ABW Ambassador
    Join Date
    January 18th, 2005
    Location
    Reno, NV
    Posts
    856
    This may have been a false alarm after all. Thanks Linda for clearing it up.

    The link in question was for IrvsLuggage. I assumed, wrongly, the irvs.com also owned irvsluggage.com. Thus, was rather surprised when I got redirected from irvsluggage.com through an affiliate link. Apparently, an affiliate owns irvsluggage.com.

    Thanks again Linda.

    Jim

  23. #23
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    (Note: this is not an accusation of any of the webmasters listed below, it's just an analysis of the data)

    Using the magic of Altavista -

    link:siteid=38356696 gives two site matches.. http://www.hotdealsweb.com/ and http://www.luckyamerican.com/

    luckyamerican.com has this interesting code snippet:

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>
    &lt;A HREF="http://service.bfast.com/bfast/click?bfmid=37628499&siteid=38356696&bfpage=test_hot_deals" TARGET="_blank"&gt;&lt;font color="#FFFFFF"&gt;&lt;script src="http://ad.linksynergy.com/fs-bin/show?id=9aBlff7bfeA&bids=38611.505&catid=1&gridnum=1&type=14&subid=0"&gt;&lt;/script&gt;&lt;noscript&gt;&lt;/a&gt;
    <HR></BLOCKQUOTE>

    And hotdealsweb this one:

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;A HREF="http://service.bfast.com/bfast/click?bfmid=37628499&siteid=38356696&bfpage=test_hot_deals" TARGET="_blank"&gt;&lt;IMG SRC="http://di.dell.com/images/us/html/segments/bsd/images/affiliates/affiliate_468x60.gif" BORDER="0" WIDTH="468" HEIGHT="60" ALT="Dell Business Weekly Promo"&gt;&lt;/A&gt;<HR></BLOCKQUOTE>

    However the domain owners are different. Odd looking HTML in the first case.

    link:siteid=38700847 also gives hotdealsweb.com

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;a HREF="http://service.bfast.com/bfast/click?bfmid=30991737&siteid=38700847&bfpage=wkly_hot_deals" TARGET="_blank"&gt;BestBuy.com&lt;/a&gt;<HR></BLOCKQUOTE>

    link:siteid=38530944 also gives hotdealsweb.com

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;a HREF="http://service.bfast.com/bfast/click?bfmid=37919209&siteid=38530944&bfpage=homepage" TARGET="_blank"&gt;Dick's Sporting Goods&lt;/a&gt;<HR></BLOCKQUOTE>

    link:siteid=39284724 gives.. yes, you've guessed it it's hotdealsweb.com again.

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;a href="http://service.bfast.com/bfast/click?bfmid=37920289&siteid=39284724&bfpage=hnc_hotdeals" target="_blank" &gt;Sony Style: MP3 Players&lt;/a&gt; <HR></BLOCKQUOTE>

    For CJ, link:click-1215666 give http://www.computersmonthly.com/

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;a href="http://www.qksrv.net/click-1215666-1556312" target="_blank" onmouseover="window.status='http://www.sportsmansguide.com';return true;" onmouseout="window.status=' ';return true;"&gt;SportsMansGuide.com&lt;/a&gt;<HR></BLOCKQUOTE>

    link:click-879304 gives http://www.zeronow.com/sections.php

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;a href=http://www.qksrv.net/click-879304-5834907&gt;Inside Sessions&lt;/a&gt;<HR></BLOCKQUOTE>

    link:click-893794 gives http://www.mynapster.com/faq.php

    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>&lt;a href="http://www.qksrv.net/click-893794-2202776" target="_blank" &gt;Verizon&lt;/a&gt;<HR></BLOCKQUOTE>

    Ah.. you might be thinking, we have a great global conspiract here, but..

    <UL TYPE=SQUARE><LI>luckyamerican.com is registered to someone in Chicago
    <LI>hotdealsweb.com is registered to a location on 8th Avenue, New York
    <LI>computersmonthly.com is registered to an address on 57th Street, New York
    <LI>zeronow.com is registered to Edmonton, Canada
    <LI>..as is mynapster.com[/list]

    mynapster.com and zeronow.com have the same contact details:

    MyNapster spam@mynapster.com 780-484-6656
    MyNapster
    17008-90th Avenue Suite #164
    Edmonton,AB,Canada T5T 1L6

    They both operate out of a Mail Boxes Etc: http://www.mbe.com/hpgen/CenterPage....nterNum=CA0300

    Hotdealsweb.com matches to an outfit called Integral Media Services, (212) 366-4300, 37 W 17th St, New York, NY 10011 - website at http://www.imsconnection.com/

    luckyamerican.com looks like a PO box number.

    computersmonthly.com I can't tie down.. looks like an office block or PO box in NY.

    Apart from the two in Edmonton, I can't see a connection except there's not one residential address amongst them.. you'd expect to see affiliates working from home.


    Now, a slightly interesting thing about zeronow.com is that it has been hacked in the past: http://lists.insecure.org/lists/attr.../Jan/0310.html

    luckyamerican.com and computersmonthly.com have no references in Google.

    So there's nothing here that shouts "THESE ARE THE PERPETRATORS".. I can't see anything specific linking the sites together.

    Hmmm.

    ________
    "All your commission are belong to us." - Slimeware Corporation

  24. #24
    ABW Adviser Panel Dynamoo's Avatar
    Join Date
    January 18th, 2005
    Location
    Opposite the Slough of Despond
    Posts
    5,465
    <BLOCKQUOTE class="ip-ubbcode-quote"><font size="-1">quote:</font><HR>This may have been a false alarm after all. Thanks Linda for clearing it up. <HR></BLOCKQUOTE>

    aaargh!

    It is *darned* strange though.

    ________
    "All your commission are belong to us." - Slimeware Corporation

  25. Newsletter Signup

+ Reply to Thread

Similar Threads

  1. Possibly orders not being tracked
    By CrazyHunter in forum Google Affiliate Network - GAN
    Replies: 13
    Last Post: April 28th, 2009, 08:44 AM
  2. Possibly The Dopiest SPAM Ever!
    By Cheesehead in forum Midnight Cafe'
    Replies: 5
    Last Post: October 28th, 2005, 09:55 AM
  3. DoubleClick Possibly Up For Sale
    By Kellie aka Ms. B in forum Google Affiliate Network - GAN
    Replies: 3
    Last Post: November 3rd, 2004, 05:10 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •