spyware problem

OK whats up.

Thankx to and idiot on http://forum.starmen.net/?t=msg&th=13768&start=0#msg_241541

I am forced to go here.

Anyways, I have a spyware problem. I am 100% sure its a spyware problem.

Basically when I go to this site. Instead of seeing what is supposed to be there "Wolves" I see a very pornographic image. I have done everything I can do to clean up my computer and have found nothing. Many people tell me that they see what is supposed to be there.

So heres all I ask, I just need one person to go to this site and reply to this topic saying they see wolves. THATS ALL! JUST ONE! A print screen would also be nice.

 

Here is a screen shot, you take it to the other forum

 

wolves

 

Well thankx everyone! Turns out the wolves were supposed to appear on but the spyware also affected that banner on

Thank you everyone! You helped me make a guy on the INTERNET look like a total jerk, what an accomplishment! Apparently he is also a member of your forums.

 

Ladies and Gentlemen...
Please recheck the page with your browsers and see the results this time around.

 

here is the wolfs

 

I get the same thing I got before at the url's

 

Makofusion everyone! Give him a hand!

 

Sorry four double posting but how many people would say that the pornographic image I am getting (that is replacing the wolves) is either spyware or a virus?

 

I also have Opera now and it keeps changing from wolfs to tubgirl and back... Whoever has the site is putting up both pics... Check for yourself!

 

Well maybe because the spyware doesnt affect opera?

Anyways I am pretty sure this is something new, Since it obviously affects firefox.

 

I don't see what you are seeing but I would say you have some sort of malware. But that said I do not want this thread to become a forum dispute between them and us. If you want to continue posting to try and clean your computer that is just fine. you should go to the link and follow the instructions and it should remedy your problem.

thanks
let us know how it goes.

 

I tend to think this is a rotating banner... Just most of the time its spent on the tubgirl site and the other few times its the wolves site! Not spyware but a design of the site for some sick reason.. It still keeps going back and forth even with Opera!

 

Ugh. Look the people that were in IRC that I showed you that link to were using firefox. Give it a rest.

 

Thats already been done thanks...
http://forum.starmen.net/?t=msg&th=13768&start=0#msg_241493

Code:

<head>


<!--// Start Injected Proxomitron Filters -->

	<!-- Saved From: http://www.silverwolf-den.com/ @ 11:15:19 -->

	<script type="text/javascript">
	 var ProxError = 1 ;
	 var ProxMouse = 1 ;
	 var ProxStatus = 1 ;
	 var ProxPopup = 1 ;
	 var ProxAlert = 1 ;
	 var ProxAllowRequested = 1 ;
	 var ProxWindow = 1 ;
	 var ProxPopupNotify = 1 ;
	 var ProxPopUpControl = 1 ;
	 var ProxOnload = 0 ;
	 var ProxOnloadButton = 0 ;
	 var ProxAllowAlerts = 1 ;
	</script>

	<link href="http://local.ptron/JD_HTML/Css/prox-links.css" type="text/css" rel="stylesheet" />
	<script type="text/javascript" src="http://local.ptron/JD_HTML/JavaScript/JD_Start.js"></script>

<!--// End Proxomitron Section -->


</head>
<meta name="description" content="The Silverwolf Family's un-official Realms of Despair information page and official guild of rangers page">
<meta name="keywords" content="Avatar, Darkhaven, Inconnu, Realms of Despair, RoD, Equipment, Armor, guild, orders, dragonslayer, maidenstone, ringbearers, pkill, newbie, ranger, warrior, mage, cleric, nephandi, druid, paladin, area, smaug, stats, Vandon">
<META HTTP-EQUIV="Refresh" CONTENT="15; URL=http://www.silverwolf-den.com/realms">
<head>
<LINK REL="SHORTCUT ICON" href="/favicon.ico"> 
<title>The Silverwolf Family's (un-official) Realms of ...</title>
</head>
<body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF"><center>
<a href="http://www.silverwolf-den.com/realms">
<img border="0" src="pic/wolf.jpg" align="center" width="950" height="507"></a><br>
<a href="http://www.silverwolf-den.com/realms">Enter the Silverwolf Den</a><br><br>

<a href="http://www.silverwolf-den.com/tgt">Visit the Official TGT 2K5 Page</a>
<br><br><br><br><br>
<font color="gray">Checked with <a href="http://www.dead-links.com/"><font color="gray">Dead-links</font></a>.</font>
</Center>




<!--// Below Injected by Proxomitron -->

	<div id="ProxMenuMain" onmouseover="javascript:ShowIcon()">	<img src="http://local.ptron/clear.gif" width=16 height=16 alt="" border=0>	</div>	<div id="ProxIcon" onmouseout="javascript:HideIcon()" style="display:none">	<a href="javascript:void()" title="Open Proxomitron Menu | Page Last Modified: Thu, 19 May 2005 22:40:40 GMT" onclick="javascript:ShowMenu()"><img src="http://local.ptron/JD_HTML/Prox.gif" border=0 width=17 height=17 alt=""></a>	</div>		<div id="ProxMenuSub" style="display:none"> 	<a class="menbar-header" href="javascript:HideMenu()">Close Menu</a>	<a class="menbar-item" target="_blank" href="http://Cmd.bypass..www.silverwolf-den.com/">Bypass All Filters</a>	<a class="menbar-item" href="http://Cmd.bweb..http://www.silverwolf-den.com/">Bypass Web Filters</a>	<a class="menbar-item" target="_blank" href="http://Cmd.bin..www.silverwolf-den.com/">Bypass Header Filters (in)</a>	<a class="menbar-item" target="_blank" href="http://Cmd.bout..www.silverwolf-den.com/">Bypass Header Filters (out)</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://Cmd.src..www.silverwolf-den.com/">View Source</a>	<a class="menbar-item" target="_blank" href="http://Cmd.src..bypass..www.silverwolf-den.com/">View Source (Bypassed)</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://Cmd.dbug..www.silverwolf-den.com/">DBUG Page</a>	<a class="menbar-item" target="_blank" href="http://add.to.blockfile/CookieList/www.silverwolf-den.com/http://www.silverwolf-den.com/">Add Page to..</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" href="javascript:tkills()">Toggle Kills</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" href="javascript:translate()">Translate Page</a>	<a class="menbar-item" href="javascript:shrtlink()">Create Short Link</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" href="http://Cmd.load//JD_Basic.cfg?www.silverwolf-den.com/">Load Basic Config</a>	<a class="menbar-item" href="http://Cmd.load//Default.cfg?www.silverwolf-den.com/">Load Default Config</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://local.ptron/.pinfo/urls/">Recent URL's</a>	<a class="menbar-item" target="_blank" href="http://local.ptron/.pinfo/lists/">Current Blocklists</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://Cmd.file:///C|/Program%20Files/Proxomitron%20Naoko-4/JD_Help/filters.htm">View Help Files</a>	<div class="sep">&nbsp;</div>	<a class="menbar-header" href="javascript:HideMenu()" onmouseout="javascript:HideMenu()" >Close Menu</a>	</div> 
	<span id="ProxDisplay"></span>

	<script type="text/javascript" src="http://local.ptron/JD_HTML/JavaScript/JD_End.js" DEFER></script>

<!--// End Proxomitron Section -->

</body>
</html>

Unhijacked browser... No cookies enabled... View only images from ORIGINAL site ONLY... referrers are set to 0... Firefox... SpywareBlaster updated... Spybot updated... Ad-aware updated... MS-AntiSpyware updated... TDS-3 updated... Process Guard showing no unusual processes running... HiJack This log checked and nothing bad found... Java OFF... JavaScript OFF... ActiveX disabled (by Firefox naturally) and (blocked by my network router) Proxomitron on with JD5000 Advanced filter set... Look 'n' Stop firewall on with all advanced options checked and Phant0m's ruleset...

Logfile of HijackThis v1.99.1
Scan saved at 11:26:36 PM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Soft4Ever\looknstop\looknstop.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Gaim\gaim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Mikk\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/w uweb_site.cab?1118805693953

Proxomitron Header Log

Code:

*** Log Reset ***
Connection Time-Out: 68
Client opened: total 1
BlockList 69: in UserAgents, line 18

+++GET 69+++
GET /realms/ HTTP/1.1
Host: www.silverwolf-den.com
User-Agent: Mozilla/5.0 (Windows; U)
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
If-Modified-Since: Sun, 12 Jun 2005 19:14:24 GMT
Cache-Control: max-age=0
Connection: keep-alive
Browser reload detected...

+++RESP 69+++
HTTP/1.1 200 OK
Date: Mon, 20 Jun 2005 03:38:26 GMT
Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a PHP-CGI/0.1b
Last-Modified: Sun, 12 Jun 2005 19:14:24 GMT
Accept-Ranges: bytes
Content-Length: 5135
Keep-Alive: timeout=5, max=10000
Connection: Keep-Alive
Content-Type: text/html
Match 69: Correct:  Invalid Body and HTML {R}
Match 69: Remove:  Junk from Titles, Snip Excess {3.d}
Match 69: Correct:  Invalid Body and HTML {R}
Match 69: Increase:  Small Text Sizes - FONT {2}
Client opened: total 2

+++GET 70+++
GET /ViewSrc.css HTTP/1.1
Host: local.ptron
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

+++RESP 70+++
HTTP/1.1 200 Local file
Date: Mon, 20 Jun 2005 03:38:30 GMT
Server: Proxomitron
Connection: close
Last-Modified: Thu, 13 Feb 2003 06:27:48 GMT
Content-Length: 399
Content-type: text/css
+++CLOSE 70+++
Client closed: total 1
Match 69: Increase:  Small Text Sizes - FONT {2}
Match 69: Correct:  Invalid Body and HTML {R}
Match 69: Correct:  Invalid Body and HTML {R}
Match 69: Mark:  Page End {R}
Match 69: Skip:  Useless Code {R}
Match 69: Proxomitron Menu - Part 2 {3.in}
Match 69: Inject:  Proxomitron Helper Script - End {R}
Match 69: Remove:  Page Markers {R}
Match 69: Correct:  Invalid Body and HTML {R}
Match 69: Correct:  Invalid Body and HTML {R}
Connection stored: 69
+++CLOSE 69+++
Client closed: total 0
Connection Time-Out: 66
Connection Time-Out: 69

And as for Opera I am using...

Version 8.01
Build 7642
Platform Win32
System Windows XP

Java Java not installed
XHTML+Voice Plug-in not loaded

 

I am running opera also and I don't see any porno there after several visits

 

Yea I am sorry about turning this into a war, No one was helping me in the other channel.

Anyways I have completely cleaned my system with Adaware, Norton, Spybot SD, MS antivirus, and Spyware doctor. All of these programs are fully updated. The silverwolf site is not the only site that is affecting me. If you want further proof take a look at this site.

www.tokai.ws/links.htm

Now this is an advertisement snuck into the html in some fashion.
http://images5.theimagehosting.com/links.9.th.jpg

 

Meaning if you "unaffected" people don't see whats in my print screen, then tubgirl is definently not an affect of the silverwolf site, but either a virus, or spyware problem.

 

I tried firefox and it definatly showed the alternate pic there. pretty gross. it is possible the site has been hacked.

 

Hmmm. Well I have talked to people using firefox that did not see that banner.

Anyways, maybe its just something that firefox is affected by? It my not be spyware or a virus. But a flaw within the browser?

 

I an removing all links to silverwolf so that our members here aren't subjected to that type of filth.

 

very sorry about that. However what do you think could be causing the problem? I am 100% sure its not the site, and I just asked someone that used firefox to access the site. Its also affecting other sites as you may of noticed on www.tokai.ws/links.htm (just a ad)

 

I have Opera open and two tabs open...

When I go here

and keep pressing refresh
it does the tubgirl banner

and when I go here

and keep pressing refresh
it does the wolves banner...

Hmmmm!

 

I doubt the site was hacked. I have seen tubgirl 100% of the time I am forced to visit it (with Firefox and iexplore). It's most likely a vunerability within firefox that is being affected. But why not on more secure sites like Yahoo or Google affected?

I apologize that you had to see that, I am trying to fix this because it is my mom's computer and I don't want her or my family running into anything like that.

 

It sounds like a good site to stay away from. and that is the best advice I can give you.