Pup Funmoods

Discussion in 'sandboxing & virtualization' started by WilliamP, Aug 8, 2012.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have the latest Sandboxie and Avira. This morning I was somewhere on the web where I shouldn't have been. I have SB set to empty the sandbox when I close the browser. When I closed FF I noticed that my taskbar icon for Avira had moved. So I ran Superantispyware and it found Pup Funmoods toolbar. Then I ran Malwarebytes and it found a whole bunch of trash. I have run several scans and I believe I have cleaned it all out. It has really caused me to question the effectivity of SB. How was this stuff able to get to my system? o_O
     
  2. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    After searching Google for a little while, I found that people get Funmoods either bundled with other software that gets installed in the computer or someone gets an installer and installs it. I am no expert on any of this but I don't think you get Funmoods browsing. According to what I read, it is an addon for social networks like Facebook.

    Good luck

    Bo
     
  3. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I didn't download anything that I know of.
     
  4. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    I can assure you something like this would never come out of Sandboxie.
    You made some mistake.
     
  5. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I know that you are correct but I don't know how. I never came out of FF, so I never left the sandbox. And I didn't download anything.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    3,770
    Location:
    Nicaragua
    Look around your system, you'll find folders or files in Program Files, AppData, Documents and Settings, related to Funmoods. There's got to be some, somewhere. When you locate it, look at the date and you'll see that Funmoods was installed before the browsing session that you think is when you got the PUP.

    Bo
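
Added example, not part of the original thread or any poster's code: a PowerShell version of the check described in post 6, listing files and folders whose names match Funmoods under Program Files and AppData together with their creation times, so they can be compared against the browsing session. The name pattern and the `$SessionStart` default are constructed sample values; pass your own.

```powershell
# Added example: timeline check for leftover PUP files (not from the thread).
param(
    # Assumption: leftover items carry the product name in their file/folder name.
    [string]$Pattern = '*funmoods*',
    # Constructed sample value: start of the suspected browsing session.
    [datetime]$SessionStart = '2012-08-08T08:00:00'
)

# Locations named in the post; the x86 variable is absent on 32-bit Windows.
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:APPDATA,
    $env:LOCALAPPDATA
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$hits = foreach ($root in $roots) {
    # -Force includes hidden items; access-denied folders are skipped silently.
    Get-ChildItem -LiteralPath $root -Filter $Pattern -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                Created       = $_.CreationTime
                Modified      = $_.LastWriteTime
                # True means the item existed before the session in question.
                BeforeSession = $_.CreationTime -lt $SessionStart
            }
        }
}

if (-not $hits) {
    "No items matching '$Pattern' under: $($roots -join ', ')"
} else {
    $hits | Sort-Object Created | Format-Table -AutoSize -Wrap
}
```

Items that a cleanup scan has already deleted will not be listed, and the creation time shown is when the item first appeared on this volume.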
     
  7. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have done several searches and there is nothing left. And there was nothing there before. Somehow it got out of SB, shut down Avira, got on the system then re-started Avira. I know it is hard to understand. But that is how I noticed that the Avira icon in the task bar had moved. It had been re-started.
     
  8. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    Do you have FF to force run in Sandboxie (paid version)?
    If not, are you absolutely sure FF was sandboxed? When you noticed Avira icon moving did you see the red X in Sandboxie's icon?
     
  9. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I have the paid version of SB and I always watch for the little red X on the SB icon when I close FF. It did that time. So I know it was sandboxed. I always open FF sandboxed.
     
  10. Doodler

    Doodler Registered Member

    Joined:
    Dec 23, 2007
    Posts:
    219
    Doubtful that we'll ever know what really happened. Malware experts like Buster (who frequents the Sandboxie forum and this one) test thousands and thousands of malware on an ongoing basis using Sandboxie. Not to discount your sincerity, but it seems to me if something was able to escape your sandbox, he'd be aware of it.
     
  11. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Well Doodler, I have always had faith in SB. I have no idea how it happened. All I know is that it had to have gotten around it somehow.
     
  12. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    That's exactly what I find to be strange.
    If we were talking about something sophisticated... but even the most perfected malware can't break out of SBIE (up to now)... let alone this simple stuff.
     
  13. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I don't know if this means anything but Superantispyware found the toolbar and Malwarebytes found 33 other things that I know were not there before.
     
  14. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    I tried to install Funmoods inside Sandboxie
     

    Attached Files: S01.PNG, S02.PNG, S03.PNG, S04.PNG, S05.PNG
  15. Montmorency

    Montmorency Registered Member

    Joined:
    Oct 9, 2011
    Posts:
    181
    Afterwards I scanned the machine with MBAM and HitmanPro and it came out clean.
     
  16. Think "alternative vectors." Is it possible for instance that you plugged in an infected USB stick at some point?
     
  17. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,280
    It's easy to test if Funmoods can get out of the sandbox or not... but I really don't think that it can.

    edit: Montmorency already did it :thumb:

    Maybe you have recovered the file to the real location or you have your download location with direct access?
     
  18. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Another for instance, I don't believe it's been established that the OP is the only user or person having access to the machine in question. I would hope OP, however, would have pointed out that possibility.
     
  19. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    I am willing to just let it go as something unexplainable. I am an old retired fart that has a computer and my wife has her computer. No one uses this computer but me. I can guarantee you that nothing came up on my display showing anything like what was shown in Montmorency's post.
     
  20. DBone

    DBone Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    1,041
    Location:
    SoCal USA
    The OP made a mistake somewhere, somehow. That PUP did not bypass Sandboxie.
     
  21. cheater87

    cheater87 Registered Member

    Joined:
    Apr 22, 2005
    Posts:
    3,125
    Location:
    Pennsylvania.
    CAV detected the exe. Will test with Avast soon to see what it detects in it.
     
  22. crofttk

    crofttk Registered Member

    Joined:
    May 15, 2004
    Posts:
    1,976
    Location:
    Eastern PA, USA
    Nothing at all wrong with that and an admirable place to be as far as I'm concerned. :) I was just trying to help rule out some possibilities.
     
  23. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    If you remember where you shouldn't have been, maybe you can try to create the same situation and see if that happens again.
     