
Thread: Spyware

  1. #1
    Smells like Onions
    Join Date
    Dec 2008
    Posts
    8
    BG Level
    0

    Spyware

    Hey guys

    Long time viewer of these forums.

    I have been running STOPzilla on, and for some reason there are a lot of attempts from something on this website trying to get into my computer. Stopzilla has popped up several messages saying it prevented them.

    Is it possible the RMT banners are causing this? I didn't have any other websites open and it found several just from looking at several posts and topics on this page.

    -Trummp

  2. #2
    Ridill
    Join Date
    Aug 2004
    Posts
    12,275
    BG Level
    9
    FFXIV Character
    Septimus Atumre
    FFXIV Server
    Gilgamesh
    FFXI Server
    Bahamut

    Quote Originally Posted by Trummp View Post
    Hey guys

    Long time viewer of these forums.

    I have been running STOPzilla on, and for some reason there are a lot of attempts from something on this website trying to get into my computer. Stopzilla has popped up several messages saying it prevented them.

    Is it possible the RMT banners are causing this? I didn't have any other websites open and it found several just from looking at several posts and topics on this page.

    -Trummp
    That is entirely possible, they have done that with ads on other sites.

    I would suggest staying logged in (since you don't get ads), and installing NoScript to block out anything from outside of this page from loading. If you still have problems, then we are going to have an angry Ragn that will hunt down the source and make it pay.

  3. #3
    Smells like Onions
    Join Date
    Dec 2008
    Posts
    8
    BG Level
    0

    Ugh,

    I'm now getting tons of popups too... since viewing these forums, and tons of new infections. Once I quit the browser on this website, tons of popups for the same website kept coming up, second after second, and it crashed my computer.. I had to restart. Someone please look into this, this has updated definitions too and cannot stop all of them.

    BTW, hello septimus- You helped me get my moldavite earring about 3 years ago

  4. #4
    Hydra
    Join Date
    Oct 2008
    Posts
    100
    BG Level
    3
    FFXI Server
    Lakshmi

    You sure it's not all the porn sites you been on? BG not doin anything like that for me.

  5. #5
    Chram
    Join Date
    Jun 2006
    Posts
    2,539
    BG Level
    7

    You already have spyware, and it is giving you the popups.

  6. #6
    With milk. With love
    Join Date
    Apr 2005
    Posts
    1,629
    BG Level
    6
    FFXI Server
    Siren
    WoW Realm
    Cenarion Circle

    What sort of specific popups? Please elaborate.

  7. #7
    2600klub
    I donated 5 bucks and all I got was this shitty title from Zet

    Join Date
    Jun 2007
    Posts
    2,688
    BG Level
    7
    FFXI Server
    Ragnarok

    This site has been 100% clean for me since I started lurking a long-ass time ago. I'd say you've already got a malware infestation that's causing your pop-ups.

    1. Google "Spybot" and download it. Update, run the Immunization feature, then run the full scan.
    2. Google "Threatfire", download it. Run a scan and let it stay resident (loaded in your systray).
    3. Extra insurance; download "Malwarebytes" and run that scan.

    The above should handle your current malware issue (maybe; if not, you might have to boot in safe mode).

    4. Go to AVG Free - Download antivirus and antispyware software for Windows XP and Vista and download the free edition of AVG Anti-Virus 8.0. It's a great virus scanner and malware scanner, in one package.
    5. If, after all this, you still have issues, Google "Hijackthis", run it, and choose to scan and save a log file. Post the contents of the log file here, but don't do anything else with it just yet.

  8. #8
    With milk. With love
    Join Date
    Apr 2005
    Posts
    1,629
    BG Level
    6
    FFXI Server
    Siren
    WoW Realm
    Cenarion Circle

    Quote Originally Posted by Trummp View Post
    Ugh,

    I'm now getting tons of popups too... since viewing these forums, and tons of new infections. Once I quit the browser on this website, tons of popups for the same website kept coming up, second after second, and it crashed my computer.. I had to restart. Someone please look into this, this has updated definitions too and cannot stop all of them.

    BTW, hello septimus- You helped me get my moldavite earring about 3 years ago
    Most likely then you've got some kind of rootkit or other deeply embedded malware infecting your system. Try disabling system restore then rerun the scan.

    Also, look for MalwareBytes in Google and download it, then run that sucker. It's been known to find the more difficult to remove malware better than anything else out there.

  9. #9
    Dice and rum
    Not necessarily in that order

    Join Date
    May 2006
    Posts
    2,025
    BG Level
    7
    FFXI Server
    Odin

    Posts like this make me love Firefox, noscript, adblock, etc all the more.

  10. #10
    DAKPluto
    Guest

    Quote Originally Posted by Thistle View Post
    Posts like this make me love Firefox, noscript, adblock, etc all the more.
    this

  11. #11
    blax n gunz
    Join Date
    May 2005
    Posts
    11,141
    BG Level
    9

    Quote Originally Posted by Trummp View Post
    Ugh,

    I'm now getting tons of popups too... since viewing these forums, and tons of new infections. Once I quit the browser on this website, tons of popups for the same website kept coming up, second after second, and it crashed my computer.. I had to restart. Someone please look into this, this has updated definitions too and cannot stop all of them.

    BTW, hello septimus- You helped me get my moldavite earring about 3 years ago
    You are very likely infected with a virus. I suggest you run a virus scan. This virus is likely installing malware and taking you to sites which exploit browser vulnerabilities to install more malware on your machine. It's a relatively common exploit.

    Then install at least two types of adware/malware removal tools. Do this after you run your virus scan. The adware/malware removers can be uninstalled once they're done cleaning your system.

    When you're done there, update your installation of flash/IE and run windows update.

    Then ask the mods to move this thread into tech support.

  12. #12
    The God Damn Kuno
    Join Date
    Dec 2004
    Posts
    13,360
    BG Level
    9
    FFXIV Character
    Kuno Sedai
    FFXIV Server
    Gilgamesh
    FFXI Server
    Bahamut

    Quote Originally Posted by Correction View Post
    You are very likely infected with a virus. I suggest you run a virus scan. This virus is likely installing malware and taking you to sites which exploit browser vulnerabilities to install more malware on your machine. It's a relatively common exploit.

    Then install at least two types of adware/malware removal tools. Do this after you run your virus scan. The adware/malware removers can be uninstalled once they're done cleaning your system.

    When you're done there, update your installation of flash/IE and run windows update.

    Then ask the mods to move this thread into tech support.

    Do this, then when you're 100% clean change your password.

  13. #13
    Smells like Onions
    Join Date
    Dec 2008
    Posts
    8
    BG Level
    0

    Malwarebytes' Anti-Malware 1.31
    Database version: 1551
    Windows 5.1.2600 Service Pack 2

    12/26/2008 5:17:59 PM
    mbam-log-2008-12-26 (17-17-59).txt

    Scan type: Quick Scan
    Objects scanned: 52680
    Time elapsed: 5 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 4
    Registry Keys Infected: 9
    Registry Values Infected: 4
    Registry Data Items Infected: 5
    Folders Infected: 0
    Files Infected: 10

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\fopihofu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\pasufizi.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\botapepe.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\WINDOWS\system32\ponegiwu.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ac7f4ff3-1a7c-4aff-974b-bf8eb6f4b095} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ac7f4ff3-1a7c-4aff-974b-bf8eb6f4b095} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d5bf49a2-94f1-42bd-f434-3604812c807d} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bivevegine (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2b18779e (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fopihofu.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\fopihofu.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fopihofu.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\ponegiwu.dll -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\ponegiwu.dll -> Delete on reboot.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\pasufizi.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\izifusap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\botapepe.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\WINDOWS\system32\ponegiwu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\fopihofu.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\sorofita.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xmbexxid.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yayyVppo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jkkIbAtu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\gebegimi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

  14. #14
    Smells like Onions
    Join Date
    Dec 2008
    Posts
    8
    BG Level
    0

    I also disabled Windows Restore, do you think they might have been using that to keep restoring the files? StopZILLA found much of the same files that Malware did, but they kept coming back.

  15. #15
    Pandemonium
    Join Date
    Oct 2005
    Posts
    7,839
    BG Level
    8
    WoW Realm
    Cho'gall

    Go into your system32 folder and make sure the files listed as "Delete on reboot" are really gone. If they're not, download Killbox and try to delete them through that.

    Can also try a special vundofix tool, which you can grab from Here

    Though it's probably best to just reformat.
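
Added example, not part of any post in this thread: a small Python script that pulls the entries marked "Delete on reboot" out of a Malwarebytes log like the one in post #13 and, when run on the affected machine after the restart, lists which of those files are still on disk. The function names are hypothetical, and the line pattern is assumed from the log lines shown above.

```python
import os
import re

# Lines copied from the Malwarebytes log posted in this thread (abridged).
SAMPLE_LOG = r"""
Memory Modules Infected:
C:\WINDOWS\system32\fopihofu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\ponegiwu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\ponegiwu.dll -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\pasufizi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\izifusap.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\botapepe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\ponegiwu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fopihofu.dll (Trojan.Vundo.H) -> Delete on reboot.
"""

# "<item> (<detection name>) -> <action>", the line shape used in the log above.
ITEM = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def pending_items(log_text):
    """Split entries marked 'Delete on reboot' into file paths and registry entries."""
    found = {"files": [], "registry": []}
    seen = set()
    for line in log_text.splitlines():
        m = ITEM.match(line.strip())
        if not m or not m["action"].rstrip(".").endswith("Delete on reboot"):
            continue
        is_reg = m["item"].upper().startswith("HKEY_")
        # Registry entries are identified by key plus data; files by path alone.
        entry = f'{m["item"]} -> {m["action"]}' if is_reg else m["item"]
        if entry.lower() in seen:  # Windows paths are case-insensitive
            continue
        seen.add(entry.lower())
        found["registry" if is_reg else "files"].append(entry)
    return found


def still_present(paths, exists=os.path.exists):
    """Return the paths that survived the reboot (run on the affected machine)."""
    return [p for p in paths if exists(p)]


if __name__ == "__main__":
    pending = pending_items(SAMPLE_LOG)
    for path in still_present(pending["files"]):
        print("still on disk:", path)
    for entry in pending["registry"]:
        print("re-check registry:", entry)
```

Registry entries that were pending deletion are only listed for a manual re-check; the script does not read the registry.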

  17. #17
    Salvage Bans
    Join Date
    Feb 2007
    Posts
    811
    BG Level
    5
    FFXIV Character
    Orinthia Warsong
    FFXIV Server
    Excalibur
    FFXI Server
    Bahamut

    Sounds like your hosts file got mangled. That's the only thing that can screw around with all browsers in Windows. If in WinXP, go to C:\WINDOWS\system32\drivers\etc and look inside the file named "hosts" (has no extension). If you've never messed with it before then it should be fairly empty. If mangled it should be filled with redirections for popular sites to malware sites.

    Learn more about the hosts files here: Blocking Unwanted Parasites with a Hosts File

    I recommend Hostman to help you manage the file itself. Go here for it: abelhadigital.com It'll make adding and deleting entries much, much easier. Just be sure to restart your browsers when you make an edit. Sometimes the online updated hosts files contain sites that shouldn't be blocked so you'll have to do a little searching with hostman to get those pages to work again but it's worth the small hassle to block access to the sites within completely for all programs.
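
Added example, not part of any post in this thread: a Python check for the hosts file inspection described in post #17. It separates entries that point a name at a loopback or null address (the blocking use) from entries that point a name at some other address (the redirection case to review). The sample file is constructed, using documentation-range addresses and example domains, and the function name is hypothetical.

```python
import ipaddress

# Constructed sample hosts file, not taken from the thread.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example.net      # blocking entry
203.0.113.7     www.example.com mail.example.com
::1             localhost
not-an-ip       broken.example.org
"""


def audit_hosts(text):
    """Classify hosts entries as 'redirect', 'block' or 'malformed'."""
    findings = {"redirect": [], "block": [], "malformed": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings["malformed"].append(lineno)
            continue
        if len(fields) < 2:  # an address with no hostname after it
            findings["malformed"].append(lineno)
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in fields[1:]:  # one line may carry several hostnames
            if not sinkhole:
                # The name resolves to another machine: review every one of
                # these; a legitimate LAN entry also lands here.
                findings["redirect"].append((lineno, name, str(addr)))
            elif name.lower() != "localhost":
                findings["block"].append((lineno, name, str(addr)))
    return findings


if __name__ == "__main__":
    # On Windows XP the file is C:\WINDOWS\system32\drivers\etc\hosts (from the post).
    for lineno, name, addr in audit_hosts(SAMPLE_HOSTS)["redirect"]:
        print(f"line {lineno}: {name} -> {addr}")
```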

  18. #18
    blax n gunz
    Join Date
    May 2005
    Posts
    11,141
    BG Level
    9

    Okay it doesn't sound like you're following directions. Did you run a virus scan? Do you even have an antivirus installed?

  19. #19
    Nidhogg
    Join Date
    Oct 2005
    Posts
    3,612
    BG Level
    7
    FFXIV Character
    Glick Wick
    FFXIV Server
    Ultros
    FFXI Server
    Bahamut

    Wow, stay off the porn sites.

  20. #20
    2600klub
    I donated 5 bucks and all I got was this shitty title from Zet

    Join Date
    Jun 2007
    Posts
    2,688
    BG Level
    7
    FFXI Server
    Ragnarok

    Quote Originally Posted by Correction View Post
    Okay it doesn't sound like you're following directions. Did you run a virus scan? Do you even have an antivirus installed?
    ^ This .....and what the fuck, do your Windows updates, jesus.
    Malwarebytes' Anti-Malware 1.31 Database version: 1551 Windows 5.1.2600 Service Pack 2
