Valhalla Legends Archive

General => General Discussion => Topic started by: Yoni on August 01, 2004, 03:55 PM

Title: Fun Web Products
Post by: Yoni on August 01, 2004, 03:55 PM
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts; .NET CLR 1.0.3705; .NET CLR 1.1.4322)

I've seen several people with this user-agent string already.

Spyware is too easy to get on clueless users' Windows computers these days.
Title: Re:Fun Web Products
Post by: Akamas on August 01, 2004, 04:46 PM
Yah.... spyware is everyware

everywhere*
Title: Re:Fun Web Products
Post by: Yoni on August 29, 2004, 03:40 AM
Attention: Someone around here, who visited my localhost webserver a week ago (August 23) through a link I pasted in Op [vL], has this spyware.
Mysterious spyware-infected user: Your ISP is cox.net (I won't post the exact IP here, but it's in the 68.10.*.* range). If this is your ISP and range, it might be you - so run an anti-spyware program such as Spybot Search & Destroy as soon as possible!
Title: Re:Fun Web Products
Post by: hismajesty on August 29, 2004, 05:54 AM
ew, that matches me, but I ran Spybot S&D this morning (~4 hours ago) and it came up with nothing. :o
Title: Re:Fun Web Products
Post by: Newby on August 29, 2004, 10:32 AM
Quote from: Yoni on August 29, 2004, 03:40 AM
Mysterious spyware-infected user: Your ISP is cox.net (I won't post the exact IP here, but it's in the 68.10.*.* range). If this is your ISP and range, it might be you - so run an anti-spyware program such as Spybot Search & Destroy as soon as possible!
I started panicking when you said cox.net, and I read 68. and was like "Ohhh shit", but I'm .107.*.* :)

So am I safe? :D
Title: Re:Fun Web Products
Post by: Kp on August 29, 2004, 11:04 AM
Quote from: Newby on August 29, 2004, 10:32 AM
Quote from: Yoni on August 29, 2004, 03:40 AM
Mysterious spyware-infected user: Your ISP is cox.net (I won't post the exact IP here, but it's in the 68.10.*.* range). If this is your ISP and range, it might be you - so run an anti-spyware program such as Spybot Search & Destroy as soon as possible!
I started panicking when you said cox.net, and I read 68. and was like "Ohhh shit", but I'm .107.*.* :) So am I safe? :D

Maybe, but you should check it anyway.  I'm presently 69.*, but my ISP used to issue me 24.* addresses.  The change just happened one day, and they never announced/explained it.  So, I'd suggest scanning even if you don't have the IP mask Yoni posted.
Title: Re:Fun Web Products
Post by: Maddox on August 29, 2004, 07:59 PM
I did a fresh install of Windows 2000, and while I was doing windows update I decided to check out some websites. 10 minutes later I had 10-15 spyware programs installed on my computer. I've cleaned them all out, but my computer is still not working properly. Running ipconfig outputs nothing in the console now. It also looks like cmd.exe has been deleted. Has anyone else had this problem?
Title: Re:Fun Web Products
Post by: hismajesty on August 29, 2004, 08:51 PM
After Yoni telling me this, I started getting really paranoid. Neither Spybot S&D or Adaware picked up FWP, though they both have in the past. I'm still reluctant to use Firefox on a regular basis, so I installed Guard Bar (http://www.guardbar.com), about 3 spyware detection programs, updated to XP SP2, installed a software firewall, etc. I like to think I'm safe from all but that dragging and dropping of the scrollbar thing. :(
Title: Re:Fun Web Products
Post by: Falcon[anti-yL] on August 29, 2004, 08:58 PM
Quote from: hismajesty[yL] on August 29, 2004, 08:51 PM
Neither Spybot S&D or Adaware picked up FWP
Is there another program that does?
Title: Re:Fun Web Products
Post by: hismajesty on August 29, 2004, 10:11 PM
Quote from: Falcon[anti-yL] on August 29, 2004, 08:58 PM
Quote from: hismajesty[yL] on August 29, 2004, 08:51 PM
Neither Spybot S&D or Adaware picked up FWP
Is there another program that does?

They're both supposed to, and have in the past. Possibly I deleted it within the past 7 days, but I don't remember running any anti-spyware software within that time period.
Title: Re:Fun Web Products
Post by: Undeference on August 29, 2004, 11:46 PM
Quote from: hismajesty[yL] on August 29, 2004, 08:51 PM
I'm still reluctant to use Firefox on a regular basis
Notice the user-agent: "Mozilla/4.0 (compatible; MSIE 6.0;..."
Only spoofs and IE identify themselves in this way.
Title: Re:Fun Web Products
Post by: Yoni on August 30, 2004, 07:42 AM
You guys should go to www.ipchicken.com - it tells you your User-Agent.
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 09:08 AM
Quote
Browser: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts-MyWay; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.40607)

Apparently I still have it installed. Which is odd since _nothing_ is showing I have it!
Title: Re:Fun Web Products
Post by: Falcon[anti-yL] on August 30, 2004, 03:32 PM
Quote
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Yay :)
What's Gecko?
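
Added example (not part of any post in this thread): one way to do what Yoni describes, spotting the marker in a web server's access log. It parses the parenthesised comment of IE-style user-agent strings, flags the `FunWebProducts` token, and also returns tokens outside an assumed allowlist of stock IE 6 tokens; the log lines and IP addresses are constructed, and the user-agent strings are the ones quoted above.

```python
import re

# Assumed allowlist: tokens a stock IE 6 on Windows puts in the UA comment.
BENIGN = re.compile(r"^(compatible|MSIE \d+\.\d+|Windows NT \d+\.\d+|SV1|\.NET CLR [\d.]+)$")
# Marker named in the thread; prefix match also catches "FunWebProducts-MyWay".
WATCHLIST = ("FunWebProducts",)
# Combined Log Format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def ua_tokens(ua):
    """Tokens inside the first parenthesised comment, split on ';'."""
    m = re.search(r"\(([^)]*)\)", ua)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else []

def classify(ua):
    """Return (watchlisted, unknown) tokens for an MSIE-style UA string."""
    toks = ua_tokens(ua)
    if not any(t.startswith("MSIE ") for t in toks):
        return [], []  # not IE-style, so the IE allowlist does not apply
    hits = [t for t in toks if t.startswith(WATCHLIST)]
    unknown = [t for t in toks if t not in hits and not BENIGN.match(t)]
    return hits, unknown

def mask(ip):  # keep the first two octets only, as the thread does for a range
    return ".".join(ip.split(".")[:2]) + ".*.*"

def scan(lines):
    """Map masked client range -> sorted watchlisted tokens seen from it."""
    found = {}
    for line in lines:
        m = LOG_RE.match(line)
        hits = classify(m.group(2))[0] if m else []
        if hits:
            found.setdefault(mask(m.group(1)), set()).update(hits)
    return {rng: sorted(toks) for rng, toks in found.items()}

# Constructed log lines: documentation IPs, UA strings as quoted in the thread.
_T = '[23/Aug/2004:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-"'
SAMPLE = [
    f'192.0.2.17 - - {_T} "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; '
    'FunWebProducts; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"',
    f'198.51.100.4 - - {_T} "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; '
    'FunWebProducts-MyWay; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.40607)"',
    f'203.0.113.9 - - {_T} "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; '
    'rv:1.7) Gecko/20040707 Firefox/0.9.2"',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit only shows that the browser still sends the token; the header is client-supplied and does not by itself show what is installed on the machine.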
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 03:43 PM
Quote from: Falcon[anti-yL] on August 30, 2004, 03:32 PM
Quote
Browser: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Yay :)
What's Gecko?

http://wp.netscape.com/browsers/future/gecko.html
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 04:08 PM
Anybody have any suggestions as far as FWP? It's still showing up in my user agent, but I've scanned with Spybot S&D, Adaware, Hijackthis, Pest Patrol, and Spyware Blaster. Nothing has even detected it, and they're all fully updated.  :o
Title: Re:Fun Web Products
Post by: dxoigmn on August 30, 2004, 04:32 PM
Quote from: hismajesty[yL] on August 30, 2004, 04:08 PM
Anybody have any suggestions as far as FWP? It's still showing up in my user agent, but I've scanned with Spybot S&D, Adaware, Hijackthis, Pest Patrol, and Spyware Blaster. Nothing has even detected it, and they're all fully updated.  :o

Maybe it is in the registry (http://www.winguides.com/registry/display.php/799/)?
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 05:13 PM
Apparently, it's not.
Title: Re:Fun Web Products
Post by: muert0 on August 30, 2004, 07:27 PM
http://www.funwebproducts.com/eula/

removal:
http://www.funwebproducts.com/uninstall.html

If that doesn't work, are you booting into safe mode after you update your spy removal software?
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 09:42 PM
I went to fwp.com/uninstall.html earlier - I have none of those programs installed.
Title: Re:Fun Web Products
Post by: muert0 on August 30, 2004, 09:47 PM
Post your hijack this log. Or email it to me at [email protected]
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 10:08 PM
Logfile of HijackThis v1.97.7
Scan saved at 11:09:40 PM, on 8/30/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.40607\aspnet_admin.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Matthew\My Documents\Bots\PandaChat\PandaChat.exe
C:\Documents and Settings\Matthew\My Documents\Bots\Copy of PandaChat\PandaChat.exe
C:\Program Files\Gaim\gaim.exe
C:\Program Files\eclipse\eclipse.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matthew\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {62F5BBB6-A71E-46E7-AE78-73D25185EDC8} - C:\Program Files\GuardBar\GuardBar.dll
O3 - Toolbar: GuardBar - {7F4D8DE6-AC92-4A13-9DE9-F360736F2464} - C:\Program Files\GuardBar\GuardBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [PC-CAM 350 STI App Registration] RunDLL32.exe P1060pin.dll,RunDLL32EP 513
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKCU\..\Run: [Bandwidth Monitor Pro] "C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1092366150437
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38211.7910069444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Title: Re:Fun Web Products
Post by: muert0 on August 30, 2004, 11:53 PM
I didn't see but a couple of things that were suspicious so I got with someone else and he asked about the same things that came to my attention.
O2 - BHO: (no name) - {62F5BBB6-A71E-46E7-AE78-73D25185EDC8} - C:\Program Files\GuardBar\GuardBar.dll
O3 - Toolbar: GuardBar - {7F4D8DE6-AC92-4A13-9DE9-F360736F2464} - C:\Program Files\GuardBar\GuardBar.dll
C:\PROGRA~1\BANDWI~1\Bandwidth Monitor Pro.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
Title: Re:Fun Web Products
Post by: hismajesty on August 30, 2004, 11:55 PM
Guard Bar is a toolbar for IE I installed after Yoni warned me of this. I posted about it earlier in this thread, it's safe. It's just a popup blocker/spyware detector for IE basically.

Bandwidth Monitor Pro monitors my download/upload levels.
Registry Cleaner is a registry checker, if a problem is found I can fix it/restore it.
Title: Re:Fun Web Products
Post by: MyndFyre on August 31, 2004, 10:14 AM
Info on this ad-ware:
http://www.nwfusion.com/newsletters/web/2003/1208web2.html