Foistware from CFC?
- Thread starter scoutsout
- Start date
scoutsout
Minstrel Boy
To those of you who recommended SpyBot:
It caught things that Ad-Aware missed, and caught parts of things that I tried to manually get (but missed).
That stuff is awesome! To MSIE users: That thing "immunizes" your browser against something like 1500+ known malware programs. If you don't have it, you need it.
To those involved in system administration who have no doubt checked up on some adverts by now, thank you to you too; for that and all the other hard work you do.
It caught things that Ad-Aware missed, and caught parts of things that I tried to manually get (but missed).
That stuff is awesome! To MSIE users: That thing "immunizes" your browser against something like 1500+ known malware programs. If you don't have it, you need it.
To those involved in system administration who have no doubt checked up on some adverts by now, thank you to you too; for that and all the other hard work you do.
MarineCorps
Explosion!
I just ran spy bot on my computer and guess what it finds? A tracking cookie that gets on to your computer when you follow a link to activate a subscription. And I only clicked on one activation link since the last I ran spy bot. And that was to get e mail notices from the makers of adaware about the latest news on spyware and all that other crap. 
SewerStarFish
King
Whenever I access CFC with explorer my spybot blocks "Avenue A, Inc. " adware. It only happens at CFC and never when I access it through AOL.
- Joined
- Oct 25, 2000
- Messages
- 12,615
I just emailed Telefragged about it along with a link to this thread.
MarineCorps
Explosion!
Oh trust me "Avenue A, Inc. " is still DL onto your computer. In know as I also use aol but I still get it.SewerStarFish said:
@Dell19: Spybot did not detect adaware and say it was bad. It detected a tracking cookie that you only get when you click on activation links. And the only activation link I clicked on was for a news letter from the makers of adaware.
scoutsout
Minstrel Boy
Spybot and Ad-Aware:
During the install routine for Spybot, it noted that Ad-aware was installed, and noted that Ad-Aware will detect Spybot, and see records of things related to spyware that Ad-Aware "may not like", but instructions were given for Ad-Aware and Spybot to co-exist peacefully....
@Thunderfall: Thank you. I strongly suspect that if the foistware came from a popup through this site, CFC was unaware of the advertiser's behaviour. I know that the people who work to hold this thing together (you included) are a pretty ethical crowd, and that it is impossible to avoid having one "slip through the cracks" from time to time.
During the install routine for Spybot, it noted that Ad-aware was installed, and noted that Ad-Aware will detect Spybot, and see records of things related to spyware that Ad-Aware "may not like", but instructions were given for Ad-Aware and Spybot to co-exist peacefully....
@Thunderfall: Thank you. I strongly suspect that if the foistware came from a popup through this site, CFC was unaware of the advertiser's behaviour. I know that the people who work to hold this thing together (you included) are a pretty ethical crowd, and that it is impossible to avoid having one "slip through the cracks" from time to time.
I have to pop in to say that I also beleive some of the pop ups are tossing homepage redirects and malware on my systems. For the last couple days, every time I've hit the CFC homepage, my OS detects changes to root files, my home page is changed to a pop up site, and I need to run Ad Aware/Spybot to clean out my system. I have verified it was CFC by cleaning the system, and then immediately going to the CFC site, at which point it was repeated. Since I do this from work, (Naughty me! Naughty naughty!) I dont really need pop ups broadcasting the fact I'm browsing. 
DJMGator13
Still breathing
Make it #4 & #5. Had it happen on my home computer last night and more annoying on my work computer when I poped in this morning to check on SGOTM.
TeleFragged
Chieftain
Guys,
I need to know what ad at the bottom of the page is smuggling the popups in. Sometimes the official ads (728x90 at the bottom) are delivered by third party servers and they do not always play fair. In fact, by slipping in these popups they are cheating us and they are cheating you. So lets catch these a-holes.
I need screenshots of the popup and the ad present at the bottom of the page when the popup occured.
Thanks for your help,
-Paul
I need to know what ad at the bottom of the page is smuggling the popups in. Sometimes the official ads (728x90 at the bottom) are delivered by third party servers and they do not always play fair. In fact, by slipping in these popups they are cheating us and they are cheating you. So lets catch these a-holes.
I need screenshots of the popup and the ad present at the bottom of the page when the popup occured.
Thanks for your help,
-Paul
- Joined
- Oct 25, 2000
- Messages
- 12,615
Hi Paul,
For the last several days when I visit the main site, I often see an EzzMedia popup. The strange thing is that popup window doesn't show up, even when I try to restore the window. It only appears in the task bar. It could be trying to download some malicious files in the background, or maybe my computer is too secured for it to exceute some scripts. I haven't encountered the homepage redirect problem some people experienced recently.
Below is a screenshot showing the ezzmedia ad in the task bar.
mad-bax posted a screenshot about a ringtone ad in another thread late last month:
For the last several days when I visit the main site, I often see an EzzMedia popup. The strange thing is that popup window doesn't show up, even when I try to restore the window. It only appears in the task bar. It could be trying to download some malicious files in the background, or maybe my computer is too secured for it to exceute some scripts. I haven't encountered the homepage redirect problem some people experienced recently.
Below is a screenshot showing the ezzmedia ad in the task bar.
mad-bax posted a screenshot about a ringtone ad in another thread late last month:
Attachments
I have my internet security settings set so that I am prompted every time an active x controller is going to be installed on my system. This occurs every time I load a page on these forums...twice. Granted, that does not mean they are malicious, but something is trying to install itself on my system...over and over and over...
scoutsout
Minstrel Boy
@Thunderfall: I have noticed the EzzMedia popunder that can't be maximized as well. Interestingly, - that company is headquartered not far from me (Lake Mary, FL/Metro Orlando).
@Telefragged: As I see it, a problem with getting help from users to help you catch these guys is that the only users who are 'in tune' enough to help out have already taken steps to prevent these people from foisting their malware on us... I suspect there is a good sized base of users that are getting barraged by popups (or worse) who are not even aware that the site feedback forum exists...
@Telefragged: As I see it, a problem with getting help from users to help you catch these guys is that the only users who are 'in tune' enough to help out have already taken steps to prevent these people from foisting their malware on us... I suspect there is a good sized base of users that are getting barraged by popups (or worse) who are not even aware that the site feedback forum exists...
DJMGator13
Still breathing
I had the same EzzMedia item on my work computer this morning. A lot of the cleanup I did centered around something called "ezula". On my home computer last night "sloth.com" loaded a search bar automatically to my IE. I have only partially cleaned my home computer so if I find anything else I'll post a screenshot.
When I loaded my firewall alerts last night I noticed a lot of activity trying to come in throught port "65404??" sounded like the same port that was exploited in the Sasser virus a few weeks ago. I have Window 2000 at work and at home. Could this also be whats causing the problem? Not the virus but the adware people using the same exploit to gain access to people's machines. Both XP & W2K were suseptible.
When I loaded my firewall alerts last night I noticed a lot of activity trying to come in throught port "65404??" sounded like the same port that was exploited in the Sasser virus a few weeks ago. I have Window 2000 at work and at home. Could this also be whats causing the problem? Not the virus but the adware people using the same exploit to gain access to people's machines. Both XP & W2K were suseptible.
scoutsout
Minstrel Boy
My last Spybot scan found a "DSO Exploit". These are the changes in the reg keys:
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-696373264-2571401814-3144446700-1137\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-696373264-2571401814-3144446700-1137\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
I have to say this throughlly sucks- my own PC is now a smoledering, unisable hulk because of this exact proble, and origionaly, did not think t came from CFC_ however looging on to CFC from a school computer, and having it them proptlly happen there prooves it, I certianlyl hope that not only wil this stop, but that some one ca direct me to a place where i can get directions to rid my PC of all this- as currentlly, i am exiled ot moms work computer, a machintosh, and thus unable to access a great deal of important information, not to mention recreational use.
scoutsout
Minstrel Boy
@Xen: Scroll back a page and get the link to Spybot - that seems to get most of the problems...
However - I've noted something with respect to the DSO exlpoit noted above. A few minutes ago I shut down my browser, ran Spybot, problem detected (again). "Fixed" the problem, shut down Spybot, restarted spybot, and the same DSO exploit showed up. The only plausible explanation: there's a TSR running on my machine that is making this mod on the fly. And Spybot isn't getting to the source of the problem.
However - I've noted something with respect to the DSO exlpoit noted above. A few minutes ago I shut down my browser, ran Spybot, problem detected (again). "Fixed" the problem, shut down Spybot, restarted spybot, and the same DSO exploit showed up. The only plausible explanation: there's a TSR running on my machine that is making this mod on the fly. And Spybot isn't getting to the source of the problem.
