Forum Moderators: incrediBILL & martinibuster

HTTP Trojan Mebroot Request served through AdSense?

my users are complaining about a trojan

     
4:13 pm on Apr 26, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


Is anybody else seeing this?

A bunch of users on my forum say they are getting warnings from their antivirus programs. Is it a false positive or is some advertiser trying to spread infected flash ads?
5:17 pm on Apr 26, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Dec 20, 2004
posts:2377
votes: 0


We had this happen a few months back. Turns out it was a problem with our banner ad network (TribalFusion). They told us one of their IP addresses got on the virus list by mistake. They told us it would be fixed in the next update of the user's anti-virus software.

We said that was not acceptable. We suggested they swap that IP out. They offered no other solution and just kept telling us to re-install their code. We dropped them. It was making us look pretty bad, like we had a virus on our site.

Turns out we make more by running an Adsense image banner there than we did with their ads, so it was a net gain for us, and a big net loss for Tribal... ;-)
5:32 pm on Apr 26, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


After searching a bit, I saw some references to the "Real Media" network.

It looks like one of Google's ad partners.

If there is a way to confirm this, then we could simply block that network in the AdSense settings.
5:32 pm on Apr 26, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


maximillianos, I agree. This makes my site look really bad. People think that we are somehow spreading the trojan or that the forum is infected.
6:00 pm on Apr 26, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 26, 2010
posts: 23
votes: 0


YES! I've been getting the same reports from my visitors since Friday 4/23. I have seen very little about this, so it appears Google isn't aware of the issue. So I have blocked all 3rd party networks on Adsense for now (102 of them!). I don't know yet if this will temporarily solve the issue.

I'd sure like to hear directly from Google on what they're doing about this, and an ETA when it will be fixed.
6:51 pm on Apr 26, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


I just blocked all networks. Wonder how much time it takes to go into effect.

On a side note, I was wondering what it would do to my ecpm. I wanted to try blocking them all and run this test for a while. I guess now is a good opportunity to try it.
7:13 pm on Apr 26, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 26, 2010
posts:23
votes: 0


I'll take the temporary hit in ecpm. I can't afford to have visitors think MY site is delivering viruses!
7:58 pm on Apr 26, 2010 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member netmeg is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Mar 30, 2005
posts:12678
votes: 144


Every time I've seen this happen before it's turned out to be some weird thing with the AV program. I used to see it from time to time with Trend Micro. Then they'd issue another update, and it would go away.
8:03 pm on Apr 26, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 26, 2010
posts:23
votes: 0


I initially thought that too. Unfortunately, this is coming from visitors with different AV programs (Avast, Norton, McAfee, etc)...all at the same time. It's extremely unlikely all the AV programs have the same problem at the same time.
9:55 pm on Apr 26, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


Same here. Different AV vendors. So either they pull signature databases from each other or there really is an infected ad somewhere on the ad network.
9:02 pm on Apr 27, 2010 (gmt 0)

New User

5+ Year Member

joined:Apr 26, 2010
posts:23
votes: 0


It's been 24hrs and I've seen no drop in my ecpm. In fact, I noticed an increase. Go figure!

Still no word on the viruses, but I have found more threads elsewhere reporting various viruses being spread via adsense.

I've had no reports of viruses since removing those networks.
11:46 pm on Apr 27, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


Same here. I see a lot fewer flash ads. So most of them probably came from other networks. ECPM is the same so far, but it's too early to tell.

And yes, no more reports of a virus from the users.

I might actually keep the settings this way.
3:26 pm on May 29, 2010 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:July 1, 2002
posts:1421
votes: 0


Well, I'm getting reports from users again.

Anyone else?
7:03 pm on May 31, 2010 (gmt 0)

Full Member

10+ Year Member

joined:Sept 14, 2005
posts:272
votes: 0


Not me (so far), but I am concerned about the effect this could have on the Adsense program.
Have you reported it to Google?
There is an Adwords feedback form at [adwords.google.com...]
but it seems to be mainly for reporting offensive ads, not ads with malware.