spyware problem

Discussion in 'privacy problems' started by cossack, Jun 20, 2005.

Thread Status:
Not open for further replies.
  1. cossack

    cossack Guest

    OK what's up.

    Thanks to an idiot on http://forum.starmen.net/?t=msg&th=13768&start=0#msg_241541

    I am forced to go here.

    Anyways, I have a spyware problem. I am 100% sure it's a spyware problem.

    Basically, when I go to this site, instead of seeing what is supposed to be there, "Wolves", I see a very pornographic image. I have done everything I can do to clean up my computer and have found nothing. Many people tell me that they see what is supposed to be there.

    So here's all I ask, I just need one person to go to this site and reply to this topic saying they see wolves. THAT'S ALL! JUST ONE! A print screen would also be nice.
     
    Last edited by a moderator: Jun 20, 2005
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here is a screen shot, you take it to the other forum
     


  3. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    wolves
     

    Attached Files: wolf.gif (10.5 KB)
  4. Cossack

    Cossack Guest

    Well thanks everyone! Turns out the wolves were supposed to appear on but the spyware also affected that banner on

    Thank you everyone! You helped me make a guy on the INTERNET look like a total jerk, what an accomplishment! Apparently he is also a member of your forums. :)
     
    Last edited by a moderator: Jun 20, 2005
  5. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    Ladies and Gentlemen...
    Please recheck the page with your browsers and see the results this time around.
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    Here are the wolves
     


  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    I get the same thing I got before at the URLs
     
  8. Cossack

    Cossack Guest

    Makofusion everyone! Give him a hand!
     
  9. Cossack

    Cossack Guest

    Sorry for double posting but how many people would say that the pornographic image I am getting (that is replacing the wolves) is either spyware or a virus?
     
  10. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    I also have Opera now and it keeps changing from wolves to tubgirl and back... Whoever has the site is putting up both pics... Check for yourself!
     
    Last edited by a moderator: Jun 20, 2005
  11. Cossack

    Cossack Guest

    Well maybe because the spyware doesn't affect Opera?

    Anyways I am pretty sure this is something new, since it obviously affects Firefox.
     
  12. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I don't see what you are seeing but I would say you have some sort of malware. But that said I do not want this thread to become a forum dispute between them and us. If you want to continue posting to try and clean your computer that is just fine. You should go to the link and follow the instructions and it should remedy your problem.

    thanks
    let us know how it goes.
     
  13. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    I tend to think this is a rotating banner... Just most of the time it's spent on the tubgirl site and the other few times it's the wolves site! Not spyware but a design of the site for some sick reason.. It still keeps going back and forth even with Opera!
     
  14. Cossack

    Cossack Guest

    Ugh. Look, the people that were in IRC that I showed you that link to were using Firefox. Give it a rest.
     
  15. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    That's already been done thanks...
    http://forum.starmen.net/?t=msg&th=13768&start=0#msg_241493

    Code:
    <head>
    
    
    <!--// Start Injected Proxomitron Filters -->
    
    	<!-- Saved From: http://www.silverwolf-den.com/ @ 11:15:19 -->
    
    	<script type="text/javascript">
    	 var ProxError = 1 ;
    	 var ProxMouse = 1 ;
    	 var ProxStatus = 1 ;
    	 var ProxPopup = 1 ;
    	 var ProxAlert = 1 ;
    	 var ProxAllowRequested = 1 ;
    	 var ProxWindow = 1 ;
    	 var ProxPopupNotify = 1 ;
    	 var ProxPopUpControl = 1 ;
    	 var ProxOnload = 0 ;
    	 var ProxOnloadButton = 0 ;
    	 var ProxAllowAlerts = 1 ;
    	</script>
    
    	<link href="http://local.ptron/JD_HTML/Css/prox-links.css" type="text/css" rel="stylesheet" />
    	<script type="text/javascript" src="http://local.ptron/JD_HTML/JavaScript/JD_Start.js"></script>
    
    <!--// End Proxomitron Section -->
    
    
    </head>
    <meta name="description" content="The Silverwolf Family's un-official Realms of Despair information page and official guild of rangers page">
    <meta name="keywords" content="Avatar, Darkhaven, Inconnu, Realms of Despair, RoD, Equipment, Armor, guild, orders, dragonslayer, maidenstone, ringbearers, pkill, newbie, ranger, warrior, mage, cleric, nephandi, druid, paladin, area, smaug, stats, Vandon">
    <META HTTP-EQUIV="Refresh" CONTENT="15; URL=http://www.silverwolf-den.com/realms">
    <head>
    <LINK REL="SHORTCUT ICON" href="/favicon.ico"> 
    <title>The Silverwolf Family's (un-official) Realms of ...</title>
    </head>
    <body bgcolor="#000000" text="#FFFFFF" link="#FFFFFF" vlink="#FFFFFF"><center>
    <a href="http://www.silverwolf-den.com/realms">
    <img border="0" src="pic/wolf.jpg" align="center" width="950" height="507"></a><br>
    <a href="http://www.silverwolf-den.com/realms">Enter the Silverwolf Den</a><br><br>
    
    <a href="http://www.silverwolf-den.com/tgt">Visit the Official TGT 2K5 Page</a>
    <br><br><br><br><br>
    <font color="gray">Checked with <a href="http://www.dead-links.com/"><font color="gray">Dead-links</font></a>.</font>
    </Center>
    
    
    
    
    <!--// Below Injected by Proxomitron -->
    
    	<div id="ProxMenuMain" onmouseover="javascript:ShowIcon()">	<img src="http://local.ptron/clear.gif" width=16 height=16 alt="" border=0>	</div>	<div id="ProxIcon" onmouseout="javascript:HideIcon()" style="display:none">	<a href="javascript:void()" title="Open Proxomitron Menu | Page Last Modified: Thu, 19 May 2005 22:40:40 GMT" onclick="javascript:ShowMenu()"><img src="http://local.ptron/JD_HTML/Prox.gif" border=0 width=17 height=17 alt=""></a>	</div>		<div id="ProxMenuSub" style="display:none"> 	<a class="menbar-header" href="javascript:HideMenu()">Close Menu</a>	<a class="menbar-item" target="_blank" href="http://Cmd.bypass..www.silverwolf-den.com/">Bypass All Filters</a>	<a class="menbar-item" href="http://Cmd.bweb..http://www.silverwolf-den.com/">Bypass Web Filters</a>	<a class="menbar-item" target="_blank" href="http://Cmd.bin..www.silverwolf-den.com/">Bypass Header Filters (in)</a>	<a class="menbar-item" target="_blank" href="http://Cmd.bout..www.silverwolf-den.com/">Bypass Header Filters (out)</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://Cmd.src..www.silverwolf-den.com/">View Source</a>	<a class="menbar-item" target="_blank" href="http://Cmd.src..bypass..www.silverwolf-den.com/">View Source (Bypassed)</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://Cmd.dbug..www.silverwolf-den.com/">DBUG Page</a>	<a class="menbar-item" target="_blank" href="http://add.to.blockfile/CookieList/www.silverwolf-den.com/http://www.silverwolf-den.com/">Add Page to..</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" href="javascript:tkills()">Toggle Kills</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" href="javascript:translate()">Translate Page</a>	<a class="menbar-item" href="javascript:shrtlink()">Create Short Link</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" href="http://Cmd.load//JD_Basic.cfg?www.silverwolf-den.com/">Load Basic Config</a>	<a class="menbar-item" 
href="http://Cmd.load//Default.cfg?www.silverwolf-den.com/">Load Default Config</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://local.ptron/.pinfo/urls/">Recent URL's</a>	<a class="menbar-item" target="_blank" href="http://local.ptron/.pinfo/lists/">Current Blocklists</a>	<div class="sep">&nbsp;</div>	<a class="menbar-item" target="_blank" href="http://Cmd.file:///C|/Program%20Files/Proxomitron%20Naoko-4/JD_Help/filters.htm">View Help Files</a>	<div class="sep">&nbsp;</div>	<a class="menbar-header" href="javascript:HideMenu()" onmouseout="javascript:HideMenu()" >Close Menu</a>	</div> 
    	<span id="ProxDisplay"></span>
    
    	<script type="text/javascript" src="http://local.ptron/JD_HTML/JavaScript/JD_End.js" DEFER></script>
    
    <!--// End Proxomitron Section -->
    
    </body>
    </html>
    Unhijacked browser... No cookies enabled... View only images from ORIGINAL site ONLY... referrers are set to 0... Firefox... SpywareBlaster updated... Spybot updated... Ad-aware updated... MS-AntiSpyware updated... TDS-3 updated... Process Guard showing no unusual processes running... HiJack This log checked and nothing bad found... Java OFF... JavaScript OFF... ActiveX disabled (by Firefox naturally) and (blocked by my network router) Proxomitron on with JD5000 Advanced filter set... Look 'n' Stop firewall on with all advanced options checked and Phant0m's ruleset...

    Logfile of HijackThis v1.99.1
    Scan saved at 11:26:36 PM, on 6/19/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Soft4Ever\looknstop\looknstop.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Gaim\gaim.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Proxomitron Naoko-4\Proxomitron.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Mikk\Desktop\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Look 'n' Stop] "C:\Program Files\Soft4Ever\looknstop\looknstop.exe" -auto
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118805693953

    Proxomitron Header Log
    Code:
    *** Log Reset ***
    Connection Time-Out: 68
    Client opened: total 1
    BlockList 69: in UserAgents, line 18
    
    +++GET 69+++
    GET /realms/ HTTP/1.1
    Host: www.silverwolf-den.com
    User-Agent: Mozilla/5.0 (Windows; U)
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    If-Modified-Since: Sun, 12 Jun 2005 19:14:24 GMT
    Cache-Control: max-age=0
    Connection: keep-alive
    Browser reload detected...
    
    +++RESP 69+++
    HTTP/1.1 200 OK
    Date: Mon, 20 Jun 2005 03:38:26 GMT
    Server: Apache/1.3.33 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7a PHP-CGI/0.1b
    Last-Modified: Sun, 12 Jun 2005 19:14:24 GMT
    Accept-Ranges: bytes
    Content-Length: 5135
    Keep-Alive: timeout=5, max=10000
    Connection: Keep-Alive
    Content-Type: text/html
    Match 69: Correct:  Invalid Body and HTML {R}
    Match 69: Remove:  Junk from Titles, Snip Excess {3.d}
    Match 69: Correct:  Invalid Body and HTML {R}
    Match 69: Increase:  Small Text Sizes - FONT {2}
    Client opened: total 2
    
    +++GET 70+++
    GET /ViewSrc.css HTTP/1.1
    Host: local.ptron
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
    Accept: text/css,*/*;q=0.1
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    
    +++RESP 70+++
    HTTP/1.1 200 Local file
    Date: Mon, 20 Jun 2005 03:38:30 GMT
    Server: Proxomitron
    Connection: close
    Last-Modified: Thu, 13 Feb 2003 06:27:48 GMT
    Content-Length: 399
    Content-type: text/css
    +++CLOSE 70+++
    Client closed: total 1
    Match 69: Increase:  Small Text Sizes - FONT {2}
    Match 69: Correct:  Invalid Body and HTML {R}
    Match 69: Correct:  Invalid Body and HTML {R}
    Match 69: Mark:  Page End {R}
    Match 69: Skip:  Useless Code {R}
    Match 69: Proxomitron Menu - Part 2 {3.in}
    Match 69: Inject:  Proxomitron Helper Script - End {R}
    Match 69: Remove:  Page Markers {R}
    Match 69: Correct:  Invalid Body and HTML {R}
    Match 69: Correct:  Invalid Body and HTML {R}
    Connection stored: 69
    +++CLOSE 69+++
    Client closed: total 0
    Connection Time-Out: 66
    Connection Time-Out: 69
    And as for Opera I am using...

    Version 8.01
    Build 7642
    Platform Win32
    System Windows XP

    Java Java not installed
    XHTML+Voice Plug-in not loaded
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma


    I am running Opera also and I don't see any porno there after several visits
     
    Last edited: Jun 20, 2005
  17. cossack

    cossack Guest

    Yea I am sorry about turning this into a war. No one was helping me in the other channel.

    Anyways I have completely cleaned my system with Adaware, Norton, Spybot SD, MS antivirus, and Spyware doctor. All of these programs are fully updated. The silverwolf site is not the only site that is affecting me. If you want further proof take a look at this site.

    www.tokai.ws/links.htm

    Now this is an advertisement snuck into the html in some fashion.
    http://images5.theimagehosting.com/links.9.th.jpg
     
  18. Cossack

    Cossack Guest

    Meaning if you "unaffected" people don't see what's in my print screen, then tubgirl is definitely not an effect of the silverwolf site, but either a virus, or spyware problem.
     
  19. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I tried Firefox and it definitely showed the alternate pic there. Pretty gross. It is possible the site has been hacked.
     
  20. Cossack

    Cossack Guest

    Hmmm. Well I have talked to people using Firefox that did not see that banner.

    Anyways, maybe it's just something that Firefox is affected by? It may not be spyware or a virus. But a flaw within the browser?
     
  21. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I am removing all links to silverwolf so that our members here aren't subjected to that type of filth.
     
  22. cossack

    cossack Guest

    Very sorry about that. However what do you think could be causing the problem? I am 100% sure it's not the site, and I just asked someone that used Firefox to access the site. It's also affecting other sites as you may have noticed on www.tokai.ws/links.htm (just an ad)
     
  23. MakoFusion

    MakoFusion Registered Member

    Joined:
    Jun 25, 2003
    Posts:
    130
    I have Opera open and two tabs open...

    When I go here

    and keep pressing refresh
    it does the tubgirl banner

    and when I go here

    and keep pressing refresh
    it does the wolves banner...

    Hmmmm!
     
    Last edited by a moderator: Jun 20, 2005
  24. Cossack

    Cossack Guest

    I doubt the site was hacked. I have seen tubgirl 100% of the time I am forced to visit it (with Firefox and iexplore). It's most likely a vulnerability within Firefox that is being affected. But why are more secure sites like Yahoo or Google not affected?

    I apologize that you had to see that, I am trying to fix this because it is my mom's computer and I don't want her or my family running into anything like that.
     
  25. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    It sounds like a good site to stay away from. ;) and that is the best advice I can give you.
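
The thread never settles whether the swapped image comes from one machine or from the site itself. One way to reason about it, as an added example that is not part of any post: fingerprint the body each machine receives for the same URL and compare across machines. Machine names, paths and bodies below are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def digest(body: bytes) -> str:
    """Short SHA-256 fingerprint of a fetched response body."""
    return hashlib.sha256(body).hexdigest()[:12]

def classify(observations):
    """observations: iterable of (machine, url, body_digest).
    Returns {url: (verdict, machines_to_inspect)}."""
    seen = defaultdict(lambda: defaultdict(set))  # url -> digest -> machines
    for machine, url, d in observations:
        seen[url][d].add(machine)
    verdicts = {}
    for url, by_digest in seen.items():
        # Variants confirmed independently, i.e. received by 2+ machines.
        shared = {d for d, m in by_digest.items() if len(m) >= 2}
        if len(by_digest) == 1:
            verdicts[url] = ("consistent", [])
        elif len(shared) >= 2:
            # Two or more variants were each seen from at least two machines:
            # the server (or something upstream of everyone) varies content.
            verdicts[url] = ("server-side", [])
        elif shared:
            # One agreed baseline; list machines that never received it.
            base = next(iter(shared))
            odd = sorted(set().union(*by_digest.values()) - by_digest[base])
            verdicts[url] = ("single-machine", odd) if odd else ("inconclusive", [])
        else:
            # No variant confirmed by two machines: collect more samples.
            verdicts[url] = ("inconclusive", [])
    return verdicts

# Constructed sample data: bodies stand in for fetched image/page bytes.
WOLVES = digest(b"constructed wolves image")
OTHER = digest(b"constructed substitute image")
AD = digest(b"constructed page with extra ad")
SAMPLES = [
    ("pc-a", "/banner.jpg", WOLVES), ("pc-a", "/banner.jpg", OTHER),
    ("pc-b", "/banner.jpg", OTHER), ("pc-c", "/banner.jpg", WOLVES),
    ("pc-a", "/links.htm", WOLVES), ("pc-b", "/links.htm", WOLVES),
    ("pc-c", "/links.htm", AD),
    ("pc-a", "/index.html", WOLVES), ("pc-b", "/index.html", WOLVES),
]

if __name__ == "__main__":
    for url, (verdict, machines) in classify(SAMPLES).items():
        print(url, verdict, machines)
```

A "single-machine" verdict points at that machine or its network path (proxy, hosts file, browser add-on); "server-side" means cleaning the local machine will not change what is served.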
     