I went to my travelpod page and this very agressive pop-up ad appeared (see attachment) and required three clicks to get rid of!

It is appearing on my page every time I refresh, I'm not very impressed.

I have enabled pop-ups on travelpod so that I can use the image upload bar, but am upset that this has been exploited and I'm getting agressive pop-up advertising as a result!

Not to mention that I'm asking my not very tech-savvy family to go to this page, where they'll probably fall for the ad and get hassled further.

Click to view attachment

Wow, that is pretty bad! I've emailed our advertising partner and forwarded them your forum post. They will remove it.

Thanks for letting us know.

We certainly don't endorse these types of ads.



Cobi, I cant seem to replicate this popup... are you sure you don't have any spyware installed?

Can you reboot and see if you can get the advert again?

Thanks.

That was on my work computer, I tried it on my boyfriend's computer at home, where we run spyware scans regularly.

Using this computer there's a pop up that appears when you go to leave the page (see attachment).

I noticed both times that as well as the pop-up, one of the ads to the right is about the same security software... so it looks like abuse of the 'legitimate' advertising...

Click to view attachment

I also checked the profiles of a few other people in my travelpod 'neighbourhood' and the same popups appear on every page.

Luc

I to am seeing this in certain parts of Travelpod. I have never seen this till today. I do not have any spyware installed. I was looking up a user Suzem when it appeared. I virus check my PC reguarly. If you say no, it just tries to install. The only way around is to close the TP page I am using

I have included a copy of the pop-up

Thanks we're in contact with our ad network and trying to find the ad.

We can't seem to replicate this. Does any one get this popup consistently?

Luc

I just tried it again. If I click on the advance link, then once in there, I type in the username suziem, it takes me to the home page for the user, then if I move my mouse cursor around without clicking on any of the advirtisements or links, the pop up appears. It will not accept me saying no to not install.

Weird, it doesn't do that for me... Can you take a screen shot and post it. Make sure to include both ads. The last one you posted only showed the top one. I would like to see the right side ad.

If you could also post the HTML source that would help.

The only possibility I can think off would be that it comes from our Ads.

Thanks

Luc

It keeps the URL for the user. I have created another doc with the screen dump for what I see. There is no link down the side. This is the first time it has happened to me

I have just attempted it for another user with a blog, but no stories and this is the URL - http://www.winantispyware.com/download/200...xit&lid=sw7

I hope this helps you

Ok, I think we figure this out. It seems that our Google Ads are including some dubious popups which certainly shouldn't be allowed.

We've added filters to block those ads. It should take a few hours before this change takes place on Google.

Please let us know asap if you find anymore of these tomorrow.

Thanks to David for all his help!

No worries. Glad to help you. Hopefully it will all be sorted soon

Here's another:




I don't have any trojans on my laptop - I've just rerun SpybotSD to confirm.
This type of advertising is dishonest, preys on people and gives travelpod a bad name - I hope you can filter it out.

cheers

It's definitely the Zedo advertising! Here's the source:

And another. Hope you can get this sorted soon.

Thanks for posting htis. Seems to be from another advertiser: amena.com

I've added a filter to block this one too.

Please post any other screen shots anyone gets of these here and we'll filter them out.

If you go to the overviews of any country and click on any of the blog links you always get this spyware popup. It is definitely caused by the advert banner on the left hand side of the page. You can see the offending ad in the pic attached. If you click on the advert link then it pops up with a download.

Time to switch advertising providers.

We added a filter this morning for amaena.com which seems to be the source of this add. It should be blocked today. Please let us know if you still get these later today.

It takes a few hours before the filter kicks in.

Luc

Still seeing exactly the same as yesterday on any user when I want to have a look via the advanced or even the search function

I'm getting a similarly annoying ad that blocks a good portion of my blog text. It's not a pop-up but rather is an ad that moves down the right side of the page as one scrolls down. One of my friends complained to me about it when he read my blog, so it's not just on my computer that this ad is appearing. If people can't read blogs due to them being covered with blog-blocking ads, well, then there's not much point in them visiting the site!

The attached screen shot shows what it looks like. At the bottom you can also see what appears to be the source of the ad.

It seems that this is a different issue. It turns out that this entry had a very long "============" string which stretced the enty out and slipped it under the ad.

We fixed the entry for you.

Cheers,

Aha! So it was a result of something that I had done. Sorry! And thanks very much for fixing it.

Hi. I also just experienced that. An add about Normandy in France made it impossible to read a travel blog that I thought may be interesting.

I'm still getting that annoying popup so the filter just isn't working.

Same here - for an example see the following person's profile:
http://www.travelpod.com/members/helsbells

We can't replicate the problem here. If anyone sees this popup ad please post a screen shot and please capture the URL where the ad takes you to. That way we can block it if it hasn't been blocked already.

Thanks.



We're going to update TP so that this just doesnt happen anymore.

Thanks for the feedback.
Cheers!

It does it with every travelogue and country profile page. Click on the link for random traveller and let the page fully load. The advert will take a few seconds to load. Then try clicking on the name of their blog and it'll popup the error.

Just got another new error. Theres no getting away from the fact it is the xedo advertising. I ran Spybot just now and had 90 items of spyware on my pc including 9 from Xedo.

<!-- begin ZEDO for channel: - TravelPod ROS, publisher: Travelpod , Ad Dimension: Super Banner - 728 x 90 -->
<script language="JavaScript">
var zflag_nid="355"; var zflag_cid="958"; var zflag_sid="46"; var zflag_width="728"; var zflag_height="90"; var zflag_sz="14";
</script>
<iframe src="http://c5.zedo.com/jsc/c5/ff2.html?n=355;c=958;s=46;d=14;w=728;h=90" frameborder=0 marginheight=0 marginwidth=0 scrolling="no" allowTransparency="true" width=728 height=90><script language="JavaScript" src="http://c5.zedo.com/jsc/c5/ff2.js"></script><noscript>
<a href="http://xads.zedo.com/ads2/r?n=355;c=958;s=46;x=3584;u=j;z=[timestamp]" target="_blank"><img border="0" width="728" height="90" src="http://xads.zedo.com/ads2/x?n=355;c=958;s=46;x=3584;u=j;z=[timestamp]" alt="Click here"></a>
</noscript>
</iframe>
<!-- end ZEDO for channel: TravelPod ROS, publisher: Travelpod , Ad Dimension: Super Banner - 728 x 90 -->

Right just used spybot to remove all the spyware installed and tried loading up travelpod straight away. I end up with 11 bits of Zedo spyware after getting the popup.

Ok,

We've blocked tons of sites in our Google Ads but our advertising partner is advising that any Zedo spyware warnings you get are simply warning you that Zedo is setting cookies, which is fine. Don't worry about those.

That being said, it seems like the popups are related to a trojan going around the net.

It seems that there is a worm that is spreading on the net that can install dubious software without your consent. Once installed, it falsely warns you that certain ads are spyware and tries to get you to install their software.

Try scanning your PC with SpyBot:
http://www.spybot.com/

Here is a post about this which sounds very similar to what you guys are experiencing:

http://www.techshout.com/internet/2006/16/...e-stops-riding/

This would imply are that somehow your PCs got infected with this.

One of our members who was getting popups ran the above scan and found they they were infected with SmitFraud-C.toolbar888

More Info:
http://www.2-spyware.com/remove-smitfraud....CFSAeWAodIHiBoQ

Please check your PCs for spyware...

Apparently this may clean these buggers too but I haven't tried. The member that cleaned their PC used the above SpyBot link
http://www.pandasoftware.com/download/Software/

If you are still getting the popup, try with a different PC to see if you still get the popup.

Cheers,

For what it's worth or maybe help you to trouble shoot, I have not experienced any serious problems with pop up ads.

I am using a Macintosh Mini, OS X 10.3.9 my ISP is optonline.net -- a very fast and reliable cable system, my browser is Mozilla FireFox. My location is Yonkers, NY just North of NYC.

I am not really aware of my virus protection or spyware. Probably should be.

Hope that helps.

I'm still getting the popup ad that I last posted on my work computer, even though Norton AntiVirus (inc. spyware check) is up to date.

We have to get permission from our IT guys before installing software so I can't just download more spyware software as you suggest Lucky.

Nor do I want to make my readers download software in order to read my travelpod without being hassled.

I ran our spyware software at home, and all it found were the zedo cookies, which it pointed out weren't that sinister but it recommended to delete them anyway. I did, and I don't get the popups at home any more.

So that would suggest the cookies ARE the problem...

this isn't the first dodgy issue with zedo. I guess their advertising is worth enough to travelpod to make up for this consternation among members!

Cobi, apparently the spyware installs without you knowing so it's possible that your PC is infected.

This would have come from another site and not TravelPod.

The cookies are harmless. If our theory is correct, spyware already installed on your PC is causing this.

Please try from another PC to see if you still get this popup.

Ok I believe it is spyware as well but nothing I have tried will fix it. A quick search for Amaena on google came up with the details on the worm and a couple of programs to fix the probs. Neither of them worked.

Looked through all the processes running on my computer and the only thing out of the ordinary was a file called AU_.exe. This is apparantly some spyware called Spyfox or something although it says there should be a blicking icon in the system tray and I don't have this.

Spybot does nothing, just installed AVG Spyware and trying scanning now. Don't hold out much hope.

Edit: Well that file disappeared after restarting Windows and AVG reports no errors. Can't see anything wrong with my pc.

Try the Look2me-destroyer.exe as suggested here:

Forum post

tried it. makes no difference and finds no infected files.

As I said, I'm still getting it on my work computer even though I ran a spyware scan this morning.

Surely the answer is to remove the offending advertising, because you can't expect every travelpod reader to go through this process?

My mum freaks out when the antivirus software updates normally, there's no way I can talk her through all this!

Anyone know any other sites that contain zedo advertising? It doesn't seem to effect google ads so I'd like to check on another site.

The same pop-up is occurring when I try to read my son's blog. it happened on my pc, on my husband's laptop and on my other son's PC. and now one of my friends have said they have had the same trouble too.
Norton is up-to-date and so is ad-aware. Nothing is stopping it or blocking it.

People will stop reading the site if this keeps happening and it seems to be directly related to your advertising.

Yes Lucky this is serious... I've been looking into setting up my own domain today because this is the second time zedo advertising has driven me crazy...

I enjoy being part of the travelpod community, but not at the price of this hassle.

We are doing our best to get to the root of this... your support and patience is appreciated.

I've just asked our ad partner to remove Google Ads, we'll if this helps.

We have already blocked many ads but this does not seem to be the root of the problem.

Hang in there, we'll get to the bottom of this.

Seems weird cos it's not happening to me at the moment.

Yes, it has now stopped appearing for me as well.

Finding a couple days ago that I could hardly browse TravelPod.com with my IE, I installed Firefox to see if it was a spyware problem with the browser. As soon as I entered the Travelpod Page, I was prompted to download a Flash plug-in which is normal, but once it installed, the same annoying messages for SystemDoctor, ErrorSafe and what not came back. Mind you, in Firefox the TP page is less affected than in IE. And from what I've seen, the messeges appear on and off. Sometimes they stop, sometimes they come back.

hey all,

my name is danny choriki, i am in charge of information technology and operations at travelad network which is travelpod's advertising partner. i have been helping lucky figure this out. he asked me to post directly to answer a couple of issues because he was away from a computer. my personal sense of netiquette kept me from dropping into this thread over the weekend, since i am really an outsider to this community. but hey... here i am.

so along with barging in, let me also apologize for the length of this post. unfortunately this isn't a simple issue, indeed it is relatively technical and there are a number of misconceptions going on here.

so please bare with me.

first let's talk about ad serving and specifically zedo.

in terms of total traffic (i.e. total ads served) zedo is the third largest ad server in the world pushing out literally billions of ads every day.

in my opinion, zedo, doubleclick, atlas, realmedia and on and on... the people who serve ads have a huge investment in ensuring that they are NOT a vector for spreading malicious software. they are constantly scanning for and trying to stay on top of anything that might get by them. given the economics and scale involved, if malware were coming via an advertising channel, it would probably be on the six o'clock news tonight.

let's get to cases.

i am a little reluctant to answer the question, "what other sites are running ad served by zedo", because if as i believe there is malicious software running on "infected" pc's checking it out on other sites running zedo ads or travelad network ads does not prove or disprove anything.

but in the spirit of transparency, here are a couple of additional sites in our network that are running our ads through zedo:

• WorldAtlas
• FareCompare
• FlightStat

and here are some sites that use zedo technology to serve ads, but are not part of our network:

• CNET
• Bloomberg
• Wall Street Journal

now this latter list is even more of an issue for me to share, because they are not dropping a zedo cookie, they are dropping their own cookie which has the same information zedo needs to track things like the browser you are using, whether or not you have flash installed, how many times you have seen a particular ad, and on and on. these cookies will be named wsj, cnet and bloomberg. the only way to make sure that these cookies are not on your system is to

1. delete all cookies; and
2. setup your browser to never ever accept a cookie.

this leads to a big part of the confusion, which is that there are two distinct things that a programmer can do that are generally referred to as spyware. many of the spyware scanning solutions do not do a great job of distinguishing between them. and even if they did, it still would require an understanding of the difference.

so let's talk about the difference between tracking cookies and malicious software, known in the vernacular as malware.

spyware

first the similarity and why they are both considered spyware. both technics (1) allow a remote computer to see what you have done with your web browser; and (2) both are writing something to your personal computer without your explicit permission (unless you set your browser to always ask you before it runs anything or writes anything to your computer).

tracking cookies

first tracking cookies. these are text files that can be opened and read by any text editor like notepad or word processor such as Microsoft Word. these files are written or updated when ever a webpage is loaded. the next time a page is loaded it reads the relevant cookies and makes decisions about what to load. one good example of how helpful tracking cookies can be is here on travelpod. when you log onto the site two cookies are written onto your hard drive, one for your userid and one for your password. without that information accessible to the travelpod webserver, it would have to ask for your information on every page. (if you totally disable cookies in your browser, you would not be able stay logged onto travelpod.)

any scanner that spots a tracking cookie will list it as a mild or moderate threat. the threat is NOT that the tracking cookie is running potentially harmful programs as it isn't a program but a file that can be read. the threat is to your privacy. a malware (or a snoopy roommate) can look in these cookies and see what websites you have visited and to some degree where you are purchasing things online (BTW no website should be storing financial information like credit card numbers in cookies, not at least without encrypting the data, but that is a whole other topic.)

anyway, spyware is about threats to privacy, so technically speaking a tracking cookie is a threat to privacy. the important distinction is that a cookie is a data object. it does not have the ability to do anything like sending your credit card information to a thief by itself.

malware

not to belittle the threat to privacy that tracking cookies present, but malicious software is a lot worse. these are programs that exploit security holes in browsers and email clients to install themselves on your computer without letting you know. there is often, though not always, a delay between when they install and when you start seeing the effects (if you see the effect at all). malware can be spyware when it is used to look for and send out your personal information or when it "hijacks" you web browser.

the incidents that we are discussing here in my opinion are examples of malware that have "hijacked" the ad space that zedo is trying to serve into the travelpod pages.

they have unfortunately become rather common in recent years and do things like changing your home page, redirecting you to a specific page no matter where you try to go, adding popups, and replacing a "legitimate" ad (yah, i know what is a legitimate ad...) with one of their own. one of the recent "innovations" is embedding the malicious code in codex, or in english the programs that video needs to run in order to display video on websites. if in recent weeks you went to run a video and the site said you need to install a program for this to work and the program was not flash, quicktime or realvideo, then there is a good chance that is where it came from.

there are two things that i consider to be pain points with malware, first where you see it first and where you got it do not have to be related and second there is no one definitive solution or method for getting rid of these dang things.

malware -- danny's personal solution

this is not an endorsement or guarantee of any of the following. it is just what i would do if it were my computer. what i might do if it was my wife's computer (well, okay, yah i would do it for my wife's computer). if it were a work computer, i'd call in the tech consultant and make him do it. and if it were a friend, well i might do it, but they probably wouldn't get anything for christmas... ) this is all to say that the process is a pain, it is known in the tech world as being a pain, and there is just no way around it.

there have been a couple of times when i have known that i have a malware running on a system and it has taken me up to the fifth scanner to find one that would identify it. the reasons for this are varied, but the point remains the same. just because you have scanned with one or two scanners and have an anti-virus program running does not mean that you have a clean system. if your computer is doing something that you are not telling it to do, you need to keep scanning.

that said here is what i do.

prevention. running zonealarm as a personal firewall and norton anti-virus for scan protection against known threats. i run the firewall because it tells me when the computer is trying to do something on the internet that i have not explicitly given it permission to do. unfortunately, unless you understand what your computer is doing, this isn't a great solution. the anti-virus program catches a lot of things, specially the ones coming in from email. however, this is dependent on keeping the definitions current and on the vendor spotting the problem and adding it to the list they are scanning for.

once you have one.

first i scan with the three things i have on my system.

• norton antivirus
• lavasoft's ad aware
• spybot search and destroy

if that doesn't identify the problem, then i try symantec's (norton anti-virus) online scanner and the the online scanner at trendmicro. there are a few other online scanners that are out there.

the very last line of identifying the issue is something called hijack this. i don't recommend it for the uninitiated. basically it scans your system and you send the log to some experts and they look at it, ask questions and figure out what is weird or know to be an issue.

once you have scanned and identified, then one of two things has happened. hopefully one of the tools you used not only identified the problem but also successfully deleted it. unfortunately, the people writing malware are just as aware of this as the people trying to get rid of malware. so they are constantly changing what they are doing and trying to prevent their code from being deleted.

if not, it gets manual and complicated. and i am not going there right now.

so after all that...

let me say this.

1. the ads seen are not advertisers coming directly through travelad network. they are not coming through any of the companies we use as backups either. all of these were checked when i first received notice of the problem. the only one that i can not vouch for is google and that is because it is an "open" advertising network. personally i don't think it is coming though google, but that the google ad calls are being hijacked by malware.
2. it is not technically impossible for malware to come through an ad. it is however, highly improbably. ad networks are constantly looking for and scanning for these things.
3. i am highly confident that the malware is not coming from the travelpod either.
4. spotting malware often requires multiple scanners.
5. fixing a computer with malware is challenging.
6. update your operating system, browser and software regularly.
7. if you have managed to stick with me, i appreciate it. i will continue to monitor this thread and help work towards a resolution. let me know if there is anything i can do to help.

enough already...
ciao,
danny

Well, as nice as all this tech support info is, the offending ads seem to have gone away now and I’m not getting the popups on either of my computers.

I haven't done any of the extra spyware scanning steps besides my usual... so there you go.

Now I’m just seeing travel ads again, the way things should be. Phew!

Thanks for the clarification. I can see how it could have been a rather ingenious piece of malware hijacking the ad somewhere. I'm b*ggered if I can find it on my computer tho.

I've run Spybot, Ewido (AVG) and HijackThis and found no sign of the blighter. I'm running firewall and anti-virus. Yet the behaviour reported occurred on all three machines I use: my desktop computer, my laptop and my computer in work. I find it odd that all three could've been infected - especially a machine behind a corporate firewall/anti-virus. The only possibility I can come up with is that none of the anti-spyware programs actually knew about it!

Something else I also find strange was that we all experienced the reported behaviour at the same time, within hours of each other. Possible explanation: perhaps this malware has been lurking dormant on our machines for months, and triggered (like some viruses do) only on a certain date?

And even stranger, it ended at the same time for all of us, as well. What stopped it? Well, www.amaena.com appears to be no longer there... looks like someone else had a problem with it and took it down!


It wasn't a google ad - it was a Zedo ad call being hijacked. It was the Zedo code fragment I posted above. To test this I copied that same block of javascript into a text file and renamed it test.html. When I displayed test.html, guess what I got? The amaena advert.

Oh well, back to normal - I don't like the idea that something may be lurking on my machine tho. I expect to run anti-spyware software in a month's time and it identify and remove this blighter.

If it doesn't, then I will never be totally convinced that there was anything on my computer in the first place...

Does anyone still get the popups or are they all gone?

We removed Google Ads which we suspect where triggering the mal-ware.

If anyone find a way to get rid of the bugger on their PC, please post here so that the other members can help thuemselves too.

Now we just need to figure out how to get our Google Ads replaced.

I really don't think it was the google ads as almost every site uses them and this was the only site that was a problem for me. Had to be the zedo ads. Quite why it went away I don't know but its gone so no worries now.

Actually we didn't remove the Zedo ads, they are still running on TP.

Only the Google Ads ... the way it works is that once our partner ( who runs Zedo ) runs out of ads, they show Google Ads ( through Zedo ) ...

Our partner removed the Google Ads from our ad rotation.

these are falling into a class of malware called "winfixer". apparently they have been releasing an update of it every month or so. my guess is that the update they did last week made it hijack the google ads. and that what was on your systems updated itself.



luc and i decided to make a change yesterday which was to stop serving the google ad. the google as was being server through the zedo ad tag.

which is why, see below, it appeared to be coming from zedo. the ad tag on the page was the zedo ad tag place by travelad network. however the ad being served at the time of the hijack (we believed) was a google ad. the fact that the offending ads have seemed to disappear would support this.



As i said above, the google ad, which you never saw cause it was hijacked was being server through zedo's ad tag.

One thing you could do to help convince me that it is only the google ad is to go to this page and let me know what happens on the 300x250 ad in the text on the left. this is a google ad running straight from google.



oh i hear you. we are continuing to monitor the situation. if we find good solution, we will post it.

danny

Nothing happens on visiting that site.