- Something wicked filtering port 80? Should I fear the '_nothing'?
- Posted by Getefix on November 10th, 2004
Got the dreaded call to help a friend of a friend -- they'd scanned their
system for the first time for spyware and deleted some 400 items. I used
Spybot on it and got eight more niggling spies. The neophyte noticed a
problem gaining access to his credit union account afterwards. I dookied
around the problem -- the page he normally accessed his account from
was bringing up a "_nothing" for the image link when I looked at the .html
source, so I just made a bookmark for the link the image represented. I
wiped explorer's cache and had it check for new pages every connect, and
kept getting the _nothing. However, here at my home system I get the image
button for the link. We're using the same Charter cable service to access
the internet, and live close enough that there shouldn't be too much network
in between us. Is it possible there's some malware lying undetected filtering
port 80 -- looking particularly for references like "bank account" or "credit
union", and poorly enough programmed to drop a null every so often instead of
perfectly passing on the data?
Is this behavior suspicious enough to warrant a system wipe? Or is it
within the regularly-allowable level of glitch?
- Posted by Screaming Radish on November 11th, 2004
Getefix wrote:
Hell yea, wipe the system; don't wait for a virus to do it!
- Posted by Norman L. DeForest on November 11th, 2004
On 10 Nov 2004, Getefix wrote:
A possibly stupid question...
Have you checked the friend-of-a-friend's "hosts" file?
It may be pointing them to the wrong site.
--
Norman De Forest http://www.chebucto.ns.ca/~af380/Profile.html
af380@chebucto.ns.ca [=||=] (A Speech Friendly Site)
"O'Reilly is to a system administrator as a shoulder length latex glove
is to a veterinarian." -- Peter da Silva in the scary devil monastery
- Posted by Getefix on November 13th, 2004
Nope. The site returns a _slightly_ different version of the web page than
I get, and as I said I'm using the same service provider. I've recently
installed PeerGuardian on the suspect system and the program can't find
updates -- damning evidence of hidden malware in my eyes. Going to do a
wipe, but it chills me to think of what is to come.
How many hackers are making money running pokerbots on 'branded' systems?
We're facing a new era of 'cowboys', and their herd consists of the systems
of the neophyte user. It ticks me off that these people are taking advantage
of the friends of my friends. Where's my gun? I got me some varmints to
plug.
Seriously, does anybody have a gun for this?
- Posted by Big Will on November 13th, 2004
Getefix wrote:
What's any of that gotta do with checking the hosts file for
redirections. It's quite simple really. The only line you should see
in hosts is 127.0.0.1 localhost. If you see anything else
(especially with the name of the website in question), then your friend
of a friend's PC is being redirected every time he/she tries to go to
that site. I'd recommend the following:
Check the hosts file (on XP/NT/2000 systems, it's located at
Windows\System32\Drivers\etc\hosts, or
WinNT\system32\drivers\etc\hosts). This could be done with a simple
text editor. If you're still getting a slightly different site, check
the browser settings. Finally, if you still think you're being
redirected, or something just doesn't seem right, it might be worth
checking out http://support.microsoft.com/kb/811259.
- Posted by Roger Wilco on November 14th, 2004
"Big Will" <allyourbase@rebelongto.us> wrote in message news:41967a2b$1@darkstar...
Many people actually "use" their hosts file Big Will.
- Posted by Big Will on November 14th, 2004
Roger Wilco wrote:
I personally don't use one because Mozilla on an XP system doesn't pay
attention to it, and uses cookperm instead. Furthermore, 95% of the
computers I've worked on either didn't have a user modified hosts file,
or had a hosts file with bad entries. Of course, if the friend of a
friend uses his/her hosts file, then he/she should still nonetheless
check it for unintended entries, or if their hosts file comes from a 3rd
party (i.e. spybot s&d) then just install a fresh hosts file.
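Both of Big Will's posts come down to the same check: open the hosts file and look for any name that is mapped somewhere other than the local machine. The script below is an added example, not code from anyone in this thread. It parses a hosts file and sorts each entry into the default localhost line, harmless blocking entries (names sunk to 127.0.0.1 or 0.0.0.0, the form a third-party list such as Spybot S&D installs), and redirections (a name pointed at any other address, which is the case to worry about). The embedded sample hosts file is constructed for the demonstration; the hostnames and the 192.0.2.44 address are placeholders, not anything seen on a real system.

```python
"""Audit a hosts file for redirection entries (added example, not from the thread)."""
import ipaddress
import sys

# Constructed sample hosts file, not taken from any real machine. Names use the
# reserved .test TLD and the address 192.0.2.44 is from the documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test    # blocking entry: harmless
0.0.0.0         tracker.example.test          # blocking entry: harmless
192.0.2.44      www.example-creditunion.test  # redirection: suspicious
"""


def parse_hosts(text):
    """Return one dict per (address, hostname) pair with comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing and full-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for name in fields[1:]:  # one address may carry several names
            entries.append({"line": lineno, "ip": str(addr),
                            "name": name.lower(), "addr": addr})
    return entries


def classify(entry):
    """'default' for the localhost line, 'blocking' for names sunk to loopback
    or 0.0.0.0 (what ad-blocking hosts lists do), 'redirection' for anything
    else, which silently sends that name to a machine of someone's choosing."""
    addr = entry["addr"]
    if addr.is_loopback and entry["name"] == "localhost":
        return "default"
    if addr.is_loopback or addr.is_unspecified:
        return "blocking"
    return "redirection"


def audit_hosts(text):
    """Group entries by class so the caller can look straight at redirections."""
    report = {"default": [], "blocking": [], "redirection": []}
    for entry in parse_hosts(text):
        report[classify(entry)].append((entry["line"], entry["ip"], entry["name"]))
    return report


def audit_file(path):
    """Audit a hosts file on disk, e.g. the XP/2000 path named in the post."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    # With no argument, run against the constructed sample; otherwise audit
    # the given file, e.g. C:\Windows\System32\drivers\etc\hosts on XP.
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    for lineno, ip, name in report["redirection"]:
        print(f"line {lineno}: {name} -> {ip}  (redirection, check this)")
    print(f"{len(report['blocking'])} blocking entries, "
          f"{len(report['redirection'])} redirections")
```

Run it with the hosts file path as the only argument. An empty redirection list with a long blocking list is what a Spybot-style hosts file looks like; a bank or credit-union name under redirection is the symptom Big Will describes, and a fresh hosts file is the fix either way.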