Welcome to WebmasterWorld Guest from 126.96.36.199
Is this widespread or a few isolated cases? Pay close attention to your accounts, this started in my account since yesterday!
I didn't setup these accounts and got emails stating some ads weren't approved by Google.
I looked in the credit card billing info area and noticed someone elses credit card info, name and address.
[edited by: GregOne at 4:05 pm (utc) on April 24, 2007]
IF you know that your system was compromised, I would be inclined to do a format/reinstall. It really is the only way to know for sure you got it all. It can be a complete pain, but so many hacks are so invasive you may never completely get rid of it and even if you do, you won't necessarily know.
I keep an image of a fresh install with all my needed programs already installed for just this reason. I can wipe everything and be back up and running in about 15 minutes.
It's possible your PC was rooted, and a program installed to send your AdWords account info to persons unknown. I wouldn't assert anything this "paranoid-sounding" except for the fact that the entry in your hosts file indicates a specific interest in AdWords.
Report anything else you find to AdWords.
This sounds very serious, and I suspect G will take it seriously.
Hopefully, you're not the first wave of a flood of compromised accounts...
From the sounding here it appears to me to have been done through activeX code on Internet Explorer. I am guessing you use IE, I would personally format reinstall to get rid of all the bad code and then get firefox.
Plus change Adwords password and contact your credit card company as they could have those details as well.
It sets up adgroups and uses common keywords such as business and orbitz, then tries to load the activex component or somehow does, on other computers.
It spreads by installing the activex on the computer that clicks the ad and looking to see if the infected host uses adwords, then does the same to their account.
It's sophisticated to say the least.
[edited by: GregOne at 2:49 pm (utc) on April 25, 2007]