Max Wachtel wrote:
> AMUN wrote:
>> AMUN wrote:
>>> "AMUN" <antispam@sparmmstop.net> wrote in message
>>> news:gd3pr3$p99$1@aioe.org...
>>>> "Max Wachtel" <maxwachtel@nomail.afraid.org> wrote in message
>>>> news:gd3201$gjn$1@registered.motzarella.org...
>>>>> AMUN wrote:
>>>>>> "Max Wachtel" <maxwachtel@nomail.afraid.org> wrote in message
>>>>>> news:gd2j41$g23$1@registered.motzarella.org...
>>>>>>> AMUN wrote:
>>>>>>>> I'm a bit stumped if my machine picked up some malware infection,
>>>>>>>> or is Yahoo and a few other sites pulling something new ?
>>>>>>>>
>>>>>>>> For the last week or so, I do a search at Yahoo.com, and pages
>>>>>>>> intermittently get re-directed to strange link pages or sales
>>>>>>>> sites. Noticed when I try to go back (using the back button),
>>>>>>>> there are often several strange pages in the history after the
>>>>>>>> page I was at. Some actually do say "re-direct."
>>>>>>>> Yet ran several scans on my system using several
>>>>>>>> anti-mal/spyware's and no malware is being found.
>>>>>>>> Also often noticing the same thing at Amazon.com.
>>>>>>>> Yet other websites show no problems at all.
>>>>>>>>
>>>>>>>> So is my system infected with some rare redirection trojan, or,
>>>>>>>> are some sites getting really ignorant with the ads ?
>>>>>>> Sounds like your system has been compromised. Are there any other
>>>>>>> strange goings-on? What scanners have you run? (please be
>>>>>>> specific) What browser do you use? Have you installed any
>>>>>>> toolbars lately? I see by your posting headers, you are running
>>>>>>> XP. Is it up-to-date?
>>>>>> First thing I thought was something infiltrated the system.
>>>>>> Classic MO of a redirect trojan.
>>>>>> No changes have been made (to my knowledge) and no new IE helper
>>>>>> apps, or toolbars are installed.
>>>>>> And IE (version 6) security settings are higher than most,
>>>>>>
>>>>>> Only change that was tried, was to update the winamp player (see my
>>>>>> post about that choking AVG)
>>>>>> But even that was removed and an older version restored.
>>>>>>
>>>>>> Spybot and AVG always show 100% clean (with latest updates)
>>>>> You should scan your system with SUPERAntiSpyware and malwarebytes'
>>>>> mbam scanners.
>>>>>> Yet results from yahoo & Amazon often lead to completely wrong web
>>>>>> pages.
>>>>>> Not all the time though, and IE home page is normal.
>>>>>> System does not seem to be showing ANY other problems.
>>>>>> Router logs don't show any suspicious activity either, all
>>>>>> unauthorized access seems to be blocked
>>>>> Have you tried those sites with another browser?
>>>>>> It is XP but a HP ******* version that quit allowing Microsoft
>>>>>> updates months ago.
>>>>>> (last HP/Compaq I ever #*^%$## buy.)
>>>>> This issue must be fixed! (I am using an older compaq laptop)
>>>>> Have you looked into if the update service is running?
>>>>> Administrative Tools/Services
>>>>>> Perhaps tonight I'll look into it further.
>>>>>> We do run the MVP Hosts files, but had not updated in a while, so
>>>>>> I'll try that too.
>>>>>>
>>>>> MVP hosts file should not be causing your problem (I use it also)
>>>>>
>>>>> As a last resort, do you still have the install disk that came with
>>>>> your system? It might be a good idea to make copies of all important
>>>>> files (docs, pics, music, etc) on removable media, today.
>>>>> --
>>>>> Virus Removal http://max.shplink.com/removal.html
>>>>> Keep Clean http://max.shplink.com/keepingclean.html
>>>>> Change nomail.afraid.org to gmail.com to reply by email.
>>>>> nomail.afraid.org is for use in USENET-feel free to use it yourself.
>>>>
>>>> We backup religiously here, so no real chance of losing much of
>>>> importance.
>>>>
>>>> But yes, I do have the HP Install disks, but they only get your
>>>> system back to what HP sold you "loaded" in the first place. So they
>>>> really are more "restore" disks, than "installation"
>>>> As it was full of trial programs and outright malware that took weeks
>>>> to clean out, it's hardly an option I want to repeat.
>>>>
>>>> If it came to that I have a "hacked" version of XP, I'd install
>>>> first, as a CLEAN INSTALL.
>>>>
>>>> Just running Trend micro (second try) on it now.
>>>> First try found a few "questionable" files, but not much info about
>>>> them. Strangely the first run of Trend micro seemed to have zeroed
>>>> in on my hosts file, and listed hosts\127.0.0.1 as a bad link/file
>>>> (and why I'm running it a second time before letting it fix anything)
>>>>
>>>>
>>>> And it did show a dozen or so "windows security flaws", so perhaps
>>>> tomorrow I'll phone HP again and rip them a new one over why their XP
>>>> won't update from Microsoft.
>>>> Of course Microsoft will offer no help/support on the "XP" that HP
>>>> sells installed in their systems.
>>>>
>>>> And why I'd never buy another HP "preloaded" computer again.
>>>> (unless they throw in a full version operating system)
>>>> But I suppose all the others like Dell etc, are the same too.
>>>>
>>>> Still a bit strange that after a week of updates both Spybot AND AVG
>>>> still didn't find any problems at all.
>>>> Yet something IS clearly wrong.
>>>>
>>>
>>> Still waiting to see what Trend Micro scan will turn up.
>>> But so far it's showing a strange entry in "application data" \
>>> lobqjkvc\lwrkruxm.exe
>>> And I just don't remember installing "lobqjkvc" at all, either the
>>> full or trial versions <g>
>>>
>>> But decided to also try your suggestions "SUPERAntiSpyware and
>>> malwarebytes' mbam" before I let anything get fixed.
>>>
>>> I'll post the results tomorrow here of what each found.
>>> And which could actually get rid of problems.
>>
>> And my results.
>> (For those who give a crap.)
>> -------------------------------------------------------------------------------
>> Spybot still found nothing wrong
>>
>> AVG still found nothing wrong
>>
>> Trend micro online scan found trojan - gave info on what and exactly
>> where it was located, but could not delete it (could be done manually)
>> Also pointed out various weaknesses in Windows and what updates were
>> needed. Also a repeated false positive (cautionary warning only) about
>> the MVPS host file. (better warned than not though)
>>
>> Superspyware found (Trojan.FakeAlert.H) but could not delete it
>> (could be done manually)
>>
>> Malwarebytes found (Trojan.FakeAlert.H) and two registry entries,
>> deleted all 3 automatically.
>>
>> So this round has to go to Malwarebytes, but with honorable mention to
>> Trend micro (online scan) for being the most "verbose" of any of the
>> 4 above. Some mention should go to MVPS hosts, as it did seem to do
>> what it was intended to.
>> HOWEVER,......one of the things the trojan seemed to do was exploit
>> that, and re-direct 404 pages to "sales" sites.
>>
>> And explains why mostly yahoo and amazon was affected, as the pages
>> full of ads that MVPS hosts blocked, triggered the trojan to re-direct
>> to other sites.
>>
>>
>> This whole mess does point out that no one program will protect you
>> from everything.
>> And nothing short of never going on the net will keep you 100% safe.
>>
>> None of the anti-malware programs could tell me how it got in, in the
>> first place.
>> So I'm still not out of the woods yet.
>>
>>
>> Additional note though.
>>
>> The problem was first noticed after using Yahoo and Amazon and seeing
>> a lot of "adware sites" while trying to back out of pages using the
>> BACK button. And even after the trojan was cleaned out, .....Those
>> still show up in the history, but no longer do much.
>>
>> Sooooooo
>> Yahoo and Amazon ARE sending links past ad-trackers far more often than
>> people might realize.
>> And perhaps using the MVPS hosts solution is doing a lot more good
>> than most ever know.
>>
> Thanks for the update. Glad to hear you got it sorted out! There are
> some programs that say that they can protect the hosts file from
> modifications.
They all promise to protect you, but as you can see, not always.
And I am hardly reckless with opening links to anything and everything, and
still, even I got nailed.
I realized long ago the only thing that can really protect you is
backing-up,....often.
(and not just windoze restore, as it can be compromised just as easily)
Knowing I have backups, kept me quite calm, as I know even if the
anti-malware programs fail miserably, at worst I'll only lose a day or two's
worth of data.
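
The thread mentions a scanner flagging the `127.0.0.1` entries of a blocking hosts file, and programs that claim to guard the hosts file against modification. The following is an added example, not part of the original posts: a small audit that separates blocking entries from entries that point a hostname at some other address. The function name, the sink-address set and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Addresses a blocking hosts file (MVPS style) uses to sink unwanted hostnames.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, not taken from the thread.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1  localhost
127.0.0.1  ads.example.net        # blocking entry
0.0.0.0    tracker.example.org
203.0.113.10  search.example.com www.shop.example.com
not-an-ip  broken.example.com
"""

def audit_hosts(text):
    """Return (blocked names, redirect entries, malformed lines)."""
    blocked, redirects, malformed = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            malformed.append((lineno, raw))
            continue
        if len(fields) < 2:                      # address with no hostname
            malformed.append((lineno, raw))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr in SINK_ADDRESSES:
                if name != "localhost":          # the normal loopback entry
                    blocked.append(name)
            else:
                # A hostname mapped to a real address overrides DNS for it:
                # this is the kind of entry to review by hand.
                redirects.append((lineno, name, addr))
    return blocked, redirects, malformed

if __name__ == "__main__":
    blocked, redirects, malformed = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked)} blocking entries")
    for lineno, name, addr in redirects:
        print(f"line {lineno}: {name} -> {addr} (review)")
    for lineno, raw in malformed:
        print(f"line {lineno}: malformed: {raw!r}")
```

On Windows XP the file to pass in is `%SystemRoot%\system32\drivers\etc\hosts`; a long list of blocking entries is expected with MVPS hosts, while any redirect entry deserves a manual look.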

