PPC advertisers (e.g. shop.com)
money viewers
   Yahoo Overture   
money viewers
Intermix Sirsearch
money viewers
money viewers
Qklinkserver.com / Srch-results.com

Screenshots - Unlabeled PPC Links Inserted into Third Party Web Sites - by Qklinkserver.com / Srch-results.com, Searchdistribution.net, and Intermix's Sirsearch
The Spyware - Click-Fraud Connection -- and Yahoo's Role Revisited - Ben Edelman

This page gives screenshots showing on-screen displays as traffic flowed from Qklinkserver and its controlling server Srch-results.com through Searchdistribution.net and Intermix's SirSearch, then on to Yahoo Overture and finally to a Yahoo advertiser.

This traffic is notable both because it resulted from spyware installed on my test PC without my consent, and beause it resulted from insertion of advertising links into third parties' web sites (without their consent). In particular, as shown below, this traffic was predicated on Qklinkserver inserting link into the New York Times web site, without its consent and without any on-screen labeling.

All testing occurred on April 2, 2006.

See also discussion in main article, as well as a packet log and video.

Note also that Qklinkserver's uninstaller is missing - yielding a 404 error.


Ad Inserted into Third Party's Web Site without Permission

On a test PC with Qklinkserver, I observed numerous extraneous hyperlinks inserted into third parties' sites. See e.g. the New York Times site below. Note the stray hyperlink labeled "prime minister" -- words that are not actually a hyperlink on the "real" New York Times site, as viewed on uninfected test PCs.


The Initial Popup

I clicked the "prime minister" hyperlink shown in the preceding screenshot, and I recorded what happpened next. I shortly received a popup that, in its title bar, indicated that it came from the qklinkserver server. See video at 0:03.


The Intermediate Popup

The popup immediately redirected to briefly show a URL at srch-results.com. See video at 0:03.


The Final Popup

The popup further redirected to load the shop.com site. See video at 0:08


Resulting Cookies

Reviewing my cookies folder, I notice that Yahoo Overture.com cookies have been created (second cookie in the listing at screen left). This image comes from 0:10 in my screen-capture video.

See also packet log to confirm the precise chain of redirects.


Attempting to Uninstall the Qklinkserver Spyware

Using my packet sniffer, I determined that the links at issue were inserted by software from Qklinkserver.com. I visited that server to see whether it offered an uninstall procedure. It claimed to offer an uninstall -- see teh "uninstall instructions" linked at page bottom. However, when I clicked that link, I got a 404 (page not found) error message. See second screenshot below.