Pup Funmoods

[WilliamP]

I have the latest Sandboxie and Avira. This morning I was some where on the web where I shouldn't have been. I have SB set to empty the sandbox when I close the browser. When I closed FF I noticed that my taskbar icon for Avira had moved. So I ran Superantispyware and it found Pup Funmoods toolbar. Then I ran Malwarebytes and it found a whole bunch of trash. I have run several scans and I believe I have cleaned it all out. It has really caused me to question the effectivity of SB. How was this stuff able to get to my system

[bo elam]

Quote:

Originally Posted by WilliamP

How was this stuff able to get to my system

After searching Google for a little while, I found that people get Funmood either bundled with other software that gets installed in the computer or someone gets an installer and installs it. I am no expert on any of this but I don't think you get Funmood browsing. According to what I read is an addon for social networks like Facebook.

Good luck

Bo

[WilliamP]

I didn't download anything that I know of.

[Montmorency]

I can assure you something like this would never come out of Sandboxie.
You made some mistake.

[WilliamP]

I know that you are correct but I don't how. I never came out of FF ,so I never left the sandbox. And I didn't download anything.

[bo elam]

Quote:

Originally Posted by WilliamP

I didn't download anything that I know of.

Look around your system, you ll find folders or files in Program files, AppData, Document and settings, related to Funmoods. Theres got to be some, somewhere. When you locate it, look at the date and you ll see that Funmoods was installed before the browsing session that you think is when you got the PUP.

Bo

[WilliamP]

I have done several searches and there is nothing left. And there was nothing there before. Some how it got out of SB ,shut down Avira, got on the system then re-started Avira. I know it is hard to understand. But that is how I noticed that the Avira icon in the task bar had moved. It had been re-started.

[Montmorency]

Do you have FF to force run in Sandboxie (paid version).
If not, are you absolutely sure FF was sandboxed? When you noticed Avira icon moving did you see the red X in Sandboxie's icon?

[WilliamP]

I have the paid version of SB and I always watch for the little red X on the SB icon when I close FF. It did that time. So I know it was sandboxed. I always open FF sandboxed.

[Doodler]

Doubtful that we'll ever know what really happened. Malware experts like Buster (who frequents the Sandboxie forum and this one) test thousands and thousands of malware on an ongoing basis using Sandboxie. Not to discount your sincerity, but it seems to me if something was able to escape your sandbox, he'd be aware of it.

[WilliamP]

Well Doodler,I have always had faith in SB. I have no idea how it happened. All I know is that it had to have gotten around it some how.

[Montmorency]

Quote:

Originally Posted by WilliamP

All I know is that it had to have gotten around it some how.

That's exactly what I find to be strange.
If we were talking about something sophisticated... but even the most perfected malware can't break out of SBIE (up to now)... let alone this simple stuf.

[WilliamP]

I don't know if this means anything but Superantspyware found the toolbar and Malwarebytes found 33 other things that I know were not there before.

[Montmorency]

I tried to install Funmoods inside Sandboxie

[Montmorency]

Afterwards I scanned the machine with MBAM and HitmanPro and it came out clean.

Think "alternative vectors." Is it possible for instance that you plugged in an infected USB stick at some point?

[AlexC]

Quote:

Originally Posted by WilliamP

I don't know if this means anything but Superantspyware found the toolbar and Malwarebytes found 33 other things that I know were not there before.

Its easy to test if funmoods can get out the sandbox or not... but i really don´t think that it can.

edit: Montmorency already did it

Maybe you have recovered the file to the real location or you have your download location with direct access?

[crofttk]

Quote:

Originally Posted by Gullible Jones

Think "alternative vectors." Is it possible for instance that you plugged in an infected USB stick at some point?

Another for instance, I don't believe it's been established that the OP is the only user or person having access to the machine in question. I would hope OP, however, would have pointed out that possibility.

[WilliamP]

I am willing to just let it go as something unexplainable. I am an old retired fart that has a computer and my wife has her computer. No one uses this computer but me. I can guarantee you that nothing came up on my display showing anything like what was shown in Montmorency's post.

[DBone]

The OP made a mistake somewhere, somehow. That PUP did not bypass Sandboxie.

[cheater87]

CAV detected the exe. Will test with Avast soon to see what it detects in it.

[crofttk]

Quote:

Originally Posted by WilliamP

I am willing to just let it go as something unexplainable. I am an old retired fart that has a computer and my wife has her computer. No one uses this computer but me. I can guarantee you that nothing came up on my display showing anything like what was shown in Montmorency's post.

Nothing at all wrong with that and an admirable place to be as far as I'm concerned. I was just trying to help rule out some possibilities.

[Osaban]

Quote:

Originally Posted by WilliamP

I have the latest Sandboxie and Avira. This morning I was some where on the web where I shouldn't have been.

If you remember where you shouldn't have been, maybe you can try to create the same situation and see if that happens again.