Mark de Jager
Member
Hello,
I have a rant about the GOTD of 20-5-2013, CLICK ME FOR IT.
This website is blocked by Malwarebytes Anti-Malware (MBAM) and by Mcafee, I downloaded the program when I disabled MBAM to get the program. The program was infected with malware.
If you computer is infected, visit this website to get it clean.
Bye!
Whiterabbit-uk
Games Guru
Hi Mark,
I've been coming to the giveaway site virtually since it started, and, apart from one instance where a file infected with a trojan was uploaded to the now defunct freeware library, and removed as soon as it was reported (though it took several months for the site to be removed from the red list on McAfee), no other problems have ever been associated with this site. There has never been a giveaway infected with anything. that said I think you could be right about yesterdays giveaway.
I decided to install it late last night before I went to bed. This morning when I booted up and went to the giveaway forums (one of the first things I do every morning (yes I know - really sad). I noticed immediately that virtually every paragraph on all of the threads I visited, at least one word had a hyperlink attached. When you hover over these you get a pop up advert (despite having a decent pop up program installed). This problem wasn't present on my computer yesterday and nothing had been downloaded or installed since the previous day and I'd been using my computer all day with no sign of this problem.
I think the adware is by Smartsuggestor
As yet I've not been able to find any folders with this name attached. I will be checking my registry later to see if I can eradicate it by deleting all reference to Smartsuggestor; but, I suspect there's a small hidden program installed somewhere on my hard drive as well. So, as yet, I'm not sure how to get rid of it. Grrrrr!
I do hope it 'wasn't' yesterdays program that has caused this, but too be honest I can't see how it could havebeen anything else. I'm very careful about what I install on my computer these days. I've trusted the giveaway site for along time now because of the reason I mention above, so never bother to check their giveaways any longer.
I'd like to know if anyone else who installed SoudFrost has this same or similar problem?
mikiem2
Moderator
Mark, the link you posted to the GOTD comments just brings up yesterday's page -- a search for mark on that page in F/Fox doesn't get any hits - So if you've got more info please post it.
RE: McAfee, if you visit https://www.siteadvisor.com/sites/soundfrost.org you'll see:
soundfrost.org
Grey Verdict ImageWe've tested millions of websites, but we haven't tested this one yet. Be the first one to submit feedback on it!
This site has been queued for testing. Please come back soon for automated results.
As you can see McAfee hasn't even looked at it to say the site's good/bad. If MalwareBytes has a site or page where you can make the same kind of inquiry I didn't see it. If you have an issue with either or want to know why they wanted to block soundfrost.org, please contact them -- anything anyone else can say would be a guess or opinion. That said, to get the software itself you should have stuck to the GOTD page -- if you installed the trial from their site you might have also installed MyPrintScreen.
"I think the adware is by Smartsuggestor"
A quick Google using "Smartsuggestor" [w/out quotes] comes up with several hits, including this: http://malwaretips.com/blogs/remove-smart-suggestor/
According to that page if Smartsuggestor's been installed it should be listed in Add/Remove programs. I haven't restored my XP Mode VM yet from yesterday, & didn't see Smartsuggestor in Add/Remove Programs, nor after searching the registry. I didn't see anything out of the ordinary before/during/after install, but to make sure nothing untoward happened I restarted the VM [I had just hibernated it], & afterwards everything's still fine. I also scanned both the trial & GOTD program folders with Microsoft Security Essentials beta & McAfee Total Protection -- neither found any problem. I also used Universal Extractor to unpack the trial setup file, & McAfee says that's clean.
However... I noted in yesterday's post on Soundfrost that McAfee blocked the site: 217.23.8.104, which Soundfrost tried to connect to on 1st start, & again a moment ago when I restarted the XP Mode VM. It doesn't show up as blacklisted http://www.magic-net.info/black-list-checker.dnslookup?black=217.23.8.104. , but I didn't un-block the site either so I've no way to say what happens when Soundfrost connects.
mikiem2
Moderator
I do hope it 'wasn't' yesterdays program that has caused this, but too be honest I can't see how it could havebeen anything else. I'm very careful about what I install on my computer these days. I've trusted the giveaway site for along time now because of the reason I mention above, so never bother to check their giveaways any longer.
FWIW, while it usually takes running an executable or script to infect a system, that doesn't mean you had to actually download & run something you were aware of -- it can happen pretty much invisibly http://www.theinquirer.net/inquirer/news/2234637/driveby-exploits-are-the-top-web-security-threat-says-enisa -- http://blogs.technet.com/b/security/archive/2011/12/08/what-you-should-know-about-drive-by-download-attacks-part-1.aspx -- http://techcrunch.com/2013/01/08/european-cyber-security-agency-enisa-names-drive-by-exploits-the-biggest-threat-spam-on-the-decline/ -- http://www.symantec.com/connect/blogs/internet-explorer-zero-day-used-watering-hole-attack-qa
Whiterabbit-uk
Games Guru
Thanks Mikiem
Whiterabbit-uk
Games Guru
Lots of weird things have been happening to my browser since I posted the above comment (and since I installed SoundFrost) . Amongst them, getting pop ups when I went to Facebook to vote on the next Indie Royale bundle. In fact, when I re-read what the pop up said, I realized virtually 1` in 2 or 3 sites I've been visiting since installing Sound Frost was probably a phishing event. The url's are always slightly different to the ones I'm familiar with and they happen a second or less after I've clicked on my shortcut to that site. When I try to delete the exta bits inserted into the url, my mouse becomes inactive. I can still use the mouse to close the site, or do other things outside of the browser, but I can't do anything within the browser.
The above two images look identical, but if you look closely you can see a difference. I'll leave it up to you to see. :)
Still, after reading what Mikiem wrote, it could be that the code has been injected into my system previously, so I may be wrong.
I would have expected a lot more community members to be reporting this problem if it had been Sound Frost. (I'm trying to take into account all the evidence I have so far. If more members do report this here, I think SoundFrost is going to have to go.
I actually like the program because its enabled me to listen to some of my old favorites from the 70's for example a German 'Kraut rock' band from the late 60's to early 70's called Amon Duul 2. I have several of their albums, but I've not been able to play them for over a decade.
(I've just got a reasonably good second-hand stereo (Denon amp, cassette deck tuner etc), which was left with the house I've just purchased (the previous owner passed away). It has an old Garrard record deck included, but I don't want to play any of my records on it because I don't know what state the needle is in, so Sound Frost is a great way of listening to all of my old favorites. The number of tracks found was a few hundred, quite a few were repeat songs, but of these many were live and from different venues. Amon Duul were a commune based psychedelic rock band with a itinerant group of musicians. Songs varies quite alot due to the changes in members and the way they improvised. most of their songs were several minutes to almost an hour long. I calculated it would take me approximately 30 hours of listening tiome to work through all of the tracks found.
ChrisS
Administrator
Don't a lot of the Browser "Helper" Objects install automatically via Java when you visit an ill-mannered webpage?
I really can't see GOTD allowing SoundFrost to install such odious "helpware" but I can see how SoundFrost could facilitate the installation by searching an "infected" page. I have Java turned off by default to prevent such intrusions but I wonder how SoundFrost would handle that - would the plug-in that is mentioned in the comments turn Java on?
Of course it may well be the SoundFrost is not related to the problem. It could be that the two cases result from visiting "infected" webpages during routine browsing. You might be able to run your browser history through the site advisor mentioned above but you might just get a bunch of "not tested" results.
Shauna
Member
Hello everyone. Long time GOTD user here but I had to sign up to the forums today because I wanted to report this program and the browser activity its producing. I see others have found issues as well, so I'll just add my experiences here.
Since installing SoundFrost, my browser has been opening new tabs in Chrome with redirects. It is always the first page I go to when opening the browser and then randomly from what I can tell after that.
My AVG reports the SoundFrost.exe file as medium suspicious behavioral activity and wants to remove it from my system. Yesterday, I assumed it had to do with the way it searched for music, so I white-listed it and today I removed it to test it. With SoundFrost not even running, it still detects it when trying to use the browser, so something is going on with this program.
After reading others here, I too have noticed, with very heavy ad and popup removal, underlined links with popup ads that were not there before.
I hope I'm wrong because I have to say, the program itself is wonderful but this is unacceptable, both from the developer and GOTD.
I didn't install the program at all. I did think about it. But some of the comments didn't give me a "warm and fuzzy" feeling so I decided against it. Sorry. I have another program on BDJ I am getting the same vibes with the research I have done..so when the sale is available, I think I will stay away from it..
Whiterabbit-uk
Games Guru
Thanks Graylox.
As I said above, I don't blame the giveaway team at all becasue I know they test everything, but there is always a first time for anything. I've downloaded countless programs from this site and have never felt dubious about any one of them, and ui will continue to do so well into the future.
I think this problem may be related to surveillance Star. I've only just thought to check my process list (in Process Lasso and found that and other references such as OCular, both of which are associated with adware. These were definitely not present before I installed Sound Frost.
I'm deleting the program from my system. A pity as I was enjoying listening to music I've not heard in over 10 years. That said, from what I understood from many comments in the giveaway comments section, the music may actually be taken from places like You tube.
I've already checked several pieces that i was listening to and every one of them is also available via You tube (sometimes with a slideshow other times actual concert footage).
You can read about OCular and surveillance star HERE. It also tells you methods for removal.
Shauna
Member
The ads all state when I hover over them they are from SmartSuggestor. I read the removal suggestions listed above on the Malwarebytes website and unfortunately there is nothing listed to uninstall.
However, I checked all 3 browsers (Chrome, Firefox and IE) on my system and all 3 had a SoundFrost extension that I did not install or "OK" during installation of the program. After disabling them, I rebooted my computer and have not had any new redirect tabs and from what I can tell, the underlined popup link ads are also removed.
May be a temporary fix without having to remove the program...for now.
mikiem2
Moderator
"Don't a lot of the Browser "Helper" Objects install automatically via Java when you visit an ill-mannered webpage?"
In my original post on Soundfrost I mentioned how installation turns off some browser protections re: plug-ins/add-ons by changing group policy -- I didn't find a lot of info, but I didn't look *that* hard either... It seems this *setting* might bypass the warnings you'd get before a plug-in/add-on was allowed to install itself. Personally I was a little worried it'd be a bit like leaving the back door ajar:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Ext]
"IgnoreFrameApprovalCheck"=dword:00000001
mikiem2
Moderator
"My AVG reports the SoundFrost.exe file as medium suspicious behavioral activity and wants to remove it from my system."
If you're interested, this forum post http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=397 says you can either email a copy of a suspected file or visit this page & submit it http://samplesubmit.avg.com/us-en/false-detection -- since it's a freely downloadable app you might want to just give the info on that samplesubmit page?
"After reading others here, I too have noticed, with very heavy ad and popup removal, underlined links with popup ads that were not there before."
I'd guess there's a chance an exploit takes advantage of the changed group policy setting, or maybe it's Soundfrost itself? Changing the policy back your web browser [with usual settings or configuration] should tell you whatever site or app wants to install something so you can stop it. If there's a component that downloads & adds something to your browser(s), disabling that add-on might not do any good if that component can just add another copy as soon as you disable one that's already there.
As a home user I don't *think* you'd normally have either of the 2 .pol files Soundfrost adds, but if you want to be safest just rename the files to something like .po_ so you can put things back if or as needed. The 2 files added are ntuser.pol & Registry.pol ... search the Users folder or Documents and Setting folder [win7/XP] & the Windows folder. Once those are gone you can try searching in Regedit for IgnoreFrameApprovalCheck -- backup Windows or the registry or export any keys before deleting them. That should put that portion of things back the way it was, so you can try removing or simply turning off or disabling any browser plug-ins &/or add-ons. If you find disabling whatever plug-in/add-on cures the problems, you can Google on the name of that plug-in/add-on to find directions on how to completely remove it.
If Soundfrost itself is doing something naughty, removing it would stop that, but it won't undo anything Soundfrost has done. Likewise if Soundfrost downloaded & added something, or if something was added coincidentally, removing Soundfrost would leave whatever was added still in place. For those reasons I think you'd be better off finding or making sure you knew the culprit rather than just removing Soundfrost & considering the matter over -- you can still remove it, just keep looking to make sure anything else or any changes to Windows are removed or undone. And if a culprit is not found, I'd consider restoring a recent disk/partition backup, including the 1st disk track, if you have one.
Tools like Systernals Process Monitor might be useful if nothing shows up for example when you check your browser add-ons -- with the browser running you'll see just what other apps & files it's using. If you're afraid your on-line searches & or enquiries might be effected, portableapps.com has a few portable browsers you could use till things were put right -- they should be un-effected by any changes made to the installed versions. If things get really sticky Kaspersky has their free TDSSKiller app you can download & try, &/or Symantic [Norton] I think has something similar though it's said to be pretty aggressive & best used as last resort.
mikiem2
Moderator
I read the removal suggestions listed above on the Malwarebytes website and unfortunately there is nothing listed to uninstall.
The site I mentioned to WR http://malwaretips.com/blogs/remove-smart-suggestor/ goes more in depth as to what else you should do, what else you should try.
mikiem2
Moderator
I've already checked several pieces that i was listening to and every one of them is also available via You tube (sometimes with a slideshow other times actual concert footage).
Assuming you can save the files, FLV Extract might interest you, WR. http://www.videohelp.com/tools/FLV-Extract
It'll pretty easily & painlessly pull the included audio track out as-is.
mikiem2
Moderator
However, I checked all 3 browsers (Chrome, Firefox and IE) on my system and all 3 had a SoundFrost extension that I did not install or "OK" during installation of the program. After disabling them, I rebooted my computer and have not had any new redirect tabs and from what I can tell, the underlined popup link ads are also removed.May be a temporary fix without having to remove the program...for now.
I'd still suggest takeing care of the group policy setting that Soundfrost made to restore the security settings that come with Windows.
Whiterabbit-uk
Games Guru
thanks Mikiem
shawndion
Member
Hello Everyone... long time since I posted in the forum.
Here's what I found with this giveaway (As I installed the version on their site in a sandbox)
For starters 2 applications that hang inside the sandbox.
MyPrintScreen.exe
SoundFrostService.exe
Now check this one out.. I'm sure you'll love this one...
Key Name:
HKEY_USERS\Sandbox_NoNet\machine\software\Classes\AppID\{2580FD71-40E2-4319-8768-49EF61C0452B}
Class Name: <NO CLASS>
Last Write Time: 5/23/2013 - 4:10 AM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SubsHelperBHO
When you search the AppID first thing that shows up in google is a virus report.
The program also scans for what programs are installed (As sandboxie will copy thoses keys inside it's reghive.)
Lucky I tested it inside a NoNet Sandboxed.. too many keys to be trustworthy to install for once I'm glad I had missed this GAOTD.
I suggest for anyone who plans on properly removing this off your pc to get a reg file done on a similar os as yours to manualy clean the keys out I can give a list but my os is Windows XP SP3 English.
P.S: Like you said Whiterabbit we get so used to the screening done by GAOTD that we sometimes let our guard down.
Shawn
Edit: Just noticed the other Forum post section in regards to the different versions... darn wish i had a older version copy to help out... mostlikely the keys will be different.. :-(
Dear users,
thank you for your feedback on SoundFrost. We were also concerned about your complaints about malware and contacted the Developer.
They said that http://myprintscreen.com/s/nn is used to provide users with an opportunity to submit errors and problems instantly, thus adding to the speed of bug fixing.
In terms of security applications alerts, they are false positives and SoundFrost team is now sending the inquiries to whitelist the program.
Sorry for the inconvenience.
--
Sincerely,
GOTD team
mikiem2
Moderator
" . "
Couldn't agree more! :)
----------
"Now check this one out.. I'm sure you'll love this one...
Key Name:HKEY_USERS\Sandbox_NoNet\machine\software\Classes\AppID\{2580FD71-40E2-4319-8768-49EF61C0452B}
Class Name: <NO CLASS>
Last Write Time: 5/23/2013 - 4:10 AM
Value 0
Name: <NO NAME>
Type: REG_SZ
Data: SubsHelperBHOWhen you search the AppID first thing that shows up in google is a virus report."
FWIW... Not doubting your results, I don't show that key(s) for the trial or GOTD versions, recording install, registration &/or activation, & 1st run of Sounfrost in a very minimal XP Mode VM. I do show:
[HKEY_CLASSES_ROOT\AppID\SubsHelperBHO.DLL]
"AppID"="{2580FD71-40E2-4319-8768-49EF61C0452B}"
[HKEY_CLASSES_ROOT\AppID\{2580FD71-40E2-4319-8768-49EF61C0452B}]
As far as "2580FD71-40E2-4319-8768-49EF61C0452B" [w/out quotes], Google comes up with 3 hits for me, ALL McAfee. If a few more brands came up I'd be concerned, or if one of the market leaders in AV software came up likewise I'd be more worried. *Just* on the basis of the McAfee reports [& the fact there were no others] I'd personally treat it as a 25 or 30% shot it's mal-ware related, & then it could be mal-ware using a legitimate ID. The fact that Mcafee scans everything clean, as does the SE beta reduces those odds, that that AppID = malware, to very close to zero IMHO.
"I suggest for anyone who plans on properly removing this off your pc to get a reg file done on a similar os as yours to manualy clean the keys out I can give a list but my os is Windows XP SP3 English."
Again purely FWIW, Vista/7/8 tend to add more irrelevant keys, & the 64 bit versions also add a couple of 32 bit registry sections, but the registry entries an app adds & uses are for the most part [overwhelmingly actually] identical to what's added/used in XP -- IMO that's why XP's favored as a test/monitoring environ when you're say, monitoring an app to make it portable. OTOH there's a couple of weaknesses with taking a sandbox approach, & why I prefer not to use them for monitoring purposes -- ANY running software makes changes to Windows registry & to the hard drive, including whatever sandbox app, & the sandbox app itself can change things, e.g. the perhaps altered key you recorded.
As far as the actual keys added, search individually in regedit for: [note that this is a combo of trial & GOTD entries so there will be some you don't find unless you installed both]
Soundfrost, d997c836-ff82-4519-b459-1482ba942a4f, 2580FD71-40E2-4319-8768-49EF61C0452B, A1D74F49-2C1A-400B-A3BA-22147E24B208, 7ACA7342-3323-4B4A-A4E2-1D1F140A71DE, IgnoreFrameApprovalCheck, MyPrintScreen, 081524f7-7ed8-43ff-b01e-915c410a9cbe
As noted McAfee blocked the connection to 217.23.8.104 -- I was simply too lazy to restore my VM, turn on Timefreeze, un-block the site, fire up the VM, & then start over just to see what happened when it connected... at the time I wasn't expecting any issues & was just recording info for my own interest/use. With the group policy changes I'd think it entirely possible something could be downloaded added without notice. Because I'd already nixed the app for my own use -- ONLY because I don't like audio processing with ffmpeg -- I didn't try monitoring changes to the VM while actually using Soundfrost to find & get whatever audio files, so I can't say more about if the browser helpers include naughty code or not.
mikiem2
Moderator
My gut response to this whole thing follows, & I can't add enough disclaimers that this is absolutely not factual or anything else...
At least some of the files are Russian language based. The site's very well done & more professional than usual. The company's located in the Islands, which is a plus if you want a nice place to live, not so much for a biz unless they offer some conveniences like escape from the DRM bounty hunters who can make life less pleasant. Soundfrost itself doesn't warrant IMO that sort of a location -- if it was software that did something illegal it would have to bypass DRM which apparently, AFAIK anyway, isn't done. In my experience people who write software for less legal stuff, like DVD/Blu-Ray copy as well as more serious matters, deal with a clientele who don't all feel bound by their conscience to be nice. In effect I think that means that if they cross the line adding spyware etc. retribution will be both swifter & more severe, so they don't -- much of their clientele is also by nature more aware of & on the lookout for that sort of thing. Putting it all together I imagine it's quite possible Soundfrost's developers produce or have produced other software, that they're less inclined because of their background with that other software to include mal-ware of any sort, but that they might include something that they felt didn't cross the line -- smartsuggestor [ http://www.smartsuggestor.com/ ] is a product with decent reviews, whether you consider it worthwhile or not.
SO to me the questions would be does the Soundfrost browser helper include SmartSuggestor code, & If so, is it operating properly? If the 1st answer is yes, then disabling/removing the helper would & should be the end of it -- if the answer's no, then whatever did install the code without permission should be found & eradicated. AFAIK someone else took advantage of the changed group policy setting to add whatever exploit to the site or sites Soundfrost uses normally, so it would be nice to know. As for question number 2, if Smart Suggester is implemented in the browser helper's code, but not operating as it should, can & will it be fixed? That way folks that use Soundfrost can judge whether they want to temporarily disable the add-on, keeping a look out for an update, or else get rid of it entirely if or as they wish.
I can't say I'll get to it, but if I have a chance I'll try to do some more extensive testing in my VMs, though anyone could play with this -- wouldn't be hard... Myself, I'd start with a fresh VM & add [but not run] Soundfrost, disable the group policy changes, enable the strictest browser settings, & disable the browser helper, monitoring the registry etc. to see what happened when I went online. Then I'd enable the helpers, & try the same thing. Then I'd add Smart Suggestor & try it again.
CineDOG
Member
This very bad hackerheaven program is overwrite all the advertise banners all the visited hungarian web pages... no google adsense, no affiliate.hu. Instead allways I see only weight loss banners... spns.gget.net , adshield.anypages.org or adshield.searchglobe.net, and etc. I must download a very hard unnistaller software, and before must stop all the soundfrost process at process manager! What a hell software that! ? Who is the owner of this software? Must go to the prison!
ibwebb
Member
WOW! It has been a while since I have been on and posted... I have been on to read some times, but have not posted in some time. I started having MANY MANY of these problems that are described and have been trying to figure out what it was that was doing it. Then my fiancee mentioned that ever since I added that 'SoundFrost' thing to her laptop it is going to different pages when she clicks on things and just acting strange. I then took a look at hers and notice that it is doing, acting, reading the SAME strange things mine is/are and has been for the same amount of time. I didn't want to believe it and also thought that since it came from here that it could NOT be possible. After a few more days of exhausting other avenues and having a computer IT friend look at it... I have to say that SoundFrost is the only and last answer it can be! I am using AVG which has missed it and according to my friend (who is not willing to go on the record about it) there is some 'hokey' stuff going on with it. I hate to say this, but I think SoundFrost used GAOTD to pass on their bug.... I am bummed and will now begin removing and appologiesing to my fiancee.... *sigh* any of you with a wife, girlfriend, or fiancee know what this is going to be like! LOL I hope the best for you all, but I am riding myself and her of anything and EVERYTHING related to it.. including music, etc from it as suggested by my friend!
Best Regards,
ibwebb
Whiterabbit-uk
Games Guru
The problems have become worse since I last posted. now, when I come to the initial giveaway page, the yellow button that usually takes me to the download page immediately changes to a different download button (green in color), that I won't click on because it's not the giveaway link. Also I can't edit urls using my mouse and pop ups have become more numerous.
I've not had time this week to sort the problem out, but it looks like I'm going to have a real job searching through the registry and my hard drives to find all the registry entries and files associated with this junk.
Its got to have been Sound Frost. Apart from files from the giveaway site and the game sites I get all my games from (Steam, Desura, Gamersgate, GreenmanGaming, GOG, GameFly and Origin), which I've trusted implicitly for years I am very careful what I install. I don't surf the net willy nilly and have always checked when something doesn't appear right (such as PayPal urls that have extra wording.
I hope that the giveaway team contact the people who gave us sound Frost with a strong admonishment. Id even consider withholding any payment (if it hasn't already been made) until they have a fix (or some other gesture) for all of us that have had problems because of this program.
sergio
Member
It is really sad that yesterday i detected that on my Chrome browser, the giveawayoftheday web page buttons had been "hijacked" and replaced with publicity buttons.
today, i realised that a extension had been added by SoundFrost to chrome that was doing this.
THIS IS NOT ACCEPTABLE !
If they have BAD REPUTATION, it is obvious !
Hijacking web page buttons by any company is DEFINITELY something that should blacklist a company.
GOTD Team should POST a warning to ALL USERS that this happened and not ignore something like this.
whatsup
Member
After installing SoundFrost I started getting web page redirects. One of them was to a porn site. I use Firefox and found that SoundFrost installed an extension add-on to Firefox that was the culprit. I disabled it and that stopped the redirects. It also installed a BHO and Run item that HijackThis detected. I removed those. If I find anymore malware from this program, I'm removing it and all traces of SoundFrost.
You must log in to post.
