Full Version: Question Regarding Altfarm.mediaplex Error In Firefox (code 12263)
john2005
Hi everyone,

Every now and then I get an error code 12263 in Firefox that is related to "altfarm.mediaplex". Has anyone had any experience with this ? I have searched the net but cannot find any clear information. I have scanned my computer with Spybot search and destroy, Adaware, AVG antispyware, and A-squared. A-squared reported a trace file called "IST Bar"...

C:\WINDOWS\system32\mciwndx.ocx detected: Trace.File.ISTbar

However, System32\mciwndx.ocx seems to be a valid windows file, so I left it alone. Other than that, my system seems clean but I keep getting this error in Firefox every now and then. I recently signed up for ebay and I heard that this might be related. I would like to find a reliable way to remove this infection and/or stop this from happening.

I am using Zone Alarm free, AVG anti-virus free, and Windows Defender as my main security combo. I also scan every now and then with the products mentioned above, and bitdefender. However, I am thinking of installing spywareblaster and Cyberhawk http://www.novatix.com/Cyberhawk/ for some added protection.

My system is an HP Pavilion a1520n running Windows XP media center SP2 with all updates and patches.

I would appreciate any advice or suggestions anyone has to offer.

Thanks again,
John


HKEd
Hi John...you may find the answer here. If you're not using a modified Hosts file (located in C:\WINDOWS\system32\drivers\etc), you may find the link to the MVPS site (in the third post) of interest. Modified Hosts files can protect you against tracking servers like Altfarm's.

Regarding the MCIWNDX.OCX question, I found this at the SANS site:

QUOTE
Description:
MCIWNDX.OCX is an ActiveX control shipped with Microsoft Visual Studio
(VS) to support multimedia programming. The control contains a buffer
overflow vulnerability in the "Filename" property; this property is used
to specify the .mci file to load. The control originally shipped with
Visual Studio 5.0 and is signed by Microsoft. It has never been updated
or patched in VS 6.0 but is still installed by default and registered
with a CLSID. Thus, a malicious website can invoke the control and
exploit the vulnerability, potentially to execute arbitrary code on a
victim client system. Even if the control is locally patched or removed,
a website can still instruct a client to download and install the
vulnerable control and then exploit the hole. (The control may be
silently installed because it is Microsoft-signed; whether or not the
user is prompted depends on IE configuration). Similarly, clients that
have never installed Visual Studio can be attacked in this manner.


(SANS is an antivirus research centre). I don't have that file on my XP system, but then again I don't have Microsoft Visual Studio installed. If you don't either, you should regard that file as suspicious.
john2005
Hi HKed

Thanks for your message.

I searched my entire hard drive for "visual studio" and found a small 16.0 KB visual studio folder in C:\program files (common folder).

I also have a 348 KB file named visualstudioteamcore.dll under C:\program files\microsoft office\office 11\vs runtime and a 13 KB file under C:\program files\microsoft office 11\vs runtime\1033

I only have a demo of Microsoft office on my computer which I have never used. I think I will quarantine the suspicious file and delete the office demo from my machine (I use www.openoffice.org).

I will also try to modify my host file to block the mediaplex junk. Thanks for the tip.

Do you have any opinions on the Cyberhawk program http://www.novatix.com/Cyberhawk/ ? I have heard mixed reviews, but it seems like a good concept. I am hoping that the addition of cyberhawk might bring the protection of ZA free at the level of ZA Pro. Cyberhawk seems like a good approach to zero day threats. I'm also going to install spywareblaster & I know you use that program from seeing your posts in other threads.

I was also thinking of replacing windows defender with "spyware terminator" http://www.spywareterminator.com/ because it has HIPS but I have mixed feelings. You would think Microsoft has the resources to provide the best anti-spyware product available, and the knowledge to protect their own operating system better than anyone, but I tend to feel spyware terminator may offer more comprehensive protection than defender. Do you have any opinions on this ?

Thanks again for your help.
John
HKEd
Hi John...Visual Studio costs $799, so I think you'd know if it was installed.

QUOTE
I only have a demo of Microsoft office on my computer which I have never used. I think I will quarantine the suspicious file and delete the office demo from my machine


That's what I would do.

I'm sorry that I can't answer your question about the two programs you linked to. I'd need to have tried them to offer any opinion.
john2005
Hi Chris,

QUOTE
Hi John...Visual Studio costs $799, so I think you'd know if it was installed.


I definitely don't have the program then, I don't even think the computer cost $800.00 :-)

Thanks again and take care,
John


john2005
Hi HKEd,

Sorry I called you Chris in my last post, I think I got you confused with "Ironbender" AKA Chris.

Anyway, thanks again for your help,

John
HKEd
No worries, Fred...I mean John.

As always, you're welcome for the help.
john2005
Hi HKEd,

After checking the site you gave me on the host file, it looks like my host file was hijacked even though I had it locked down with spybot search and destroy. The altfarm.mediaplex site was indeed in the host file. I checked my Windows defender log and it noted the changes to the host file, but somehow, the hijacker bypassed Defender and I was not even alerted that the change took place. When I changed the host file myself, defender did note my attempt though :-)

I have attached two host files named "host_before_change" and "host_after_change". The "before change" file is what the file looked like when it was hijacked. The "after change" file is what the file looked like after I edited it. Everything there looked suspicious, so I just pasted 127.0.0.1 before all the suspicious website names in order to block them. Does it look like I did the right thing ?

Regarding the last site in the host file "global.msads.net" which appears to have been entered by spybot search and destroy, the funny thing about that entry is that even though it is blocked in the host file, when I paste it into my browser, it takes me to a Microsoft webpage :-)

I may also use the host file from the site you gave me as it seems that it blocks many bad sites, I can also add the bad sites from my host file to it.

Do you know of any program that can lock the host file down real good so that it can't be changed by a hijacker ?

If I right click on the host file, then go to Properties, Attributes, then Advanced, it has an option to "Encrypt contents to secure data". Would checking that option offer more protection to prevent the host file from being changed by a hijacker ?

Thanks again,
John
HKEd
Hi John...no attachments. What types of files are they - TXT, DOC? Only certain file types can be uploaded to this forum. If you like, you can zip them and email them to me. My email address is in my profile.

global.msads.net is indeed an MS site - MS aren't above spying. It's related to MSN Messenger. I have it blocked in my Hosts file thus:

127.0.0.1 global.msads.net

The site doesn't load for me.

Spybot S&D has a setting to protect the Hosts file from changes:

QUOTE
1. Click "Mode", selecting "Advanced Mode".
2. Click "Tools" in the left pane.
3. Click "IE tweaks" in the right pane.
4. Check "Lock Hosts file read-only as protection against hijackers".

Note that even with this tip it is still possible for some spyware and adware to unlock the hosts file for modification.


I'm sure you're aware of the above, but I'll post it as I have it to hand.

Don't get too complicated with this by encrypting the file. Set the 'Read-only' attribute once you have the final Hosts file in place. That means it can't be written to and essentially locks it down tight. (Unless, that is, the hijack includes code to remove the Read-only attribute - unlikely, but you never know). WinPatrol is one program that claims to lock the Hosts file, but I'm not familiar with it and can't say if it's worth the $30 they charge.
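Added example, not part of either poster's message: a small Python audit of a hosts file that separates loopback (blocking) entries such as the `127.0.0.1 global.msads.net` line above from entries that point a name at an outside address, and checks the Read-only attribute discussed in this post. The sample file contents and the `example.test` names are constructed for illustration.

```python
import ipaddress
import os
import stat

# Constructed sample, not the poster's file. The header comment mimics the
# stock "sample" text the thread mentions; the resolver ignores every '#' line.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1      localhost
127.0.0.1      global.msads.net         # blocking entry quoted in the thread
0.0.0.0        tracker.example.test     # constructed blocking entry
203.0.113.10   login.example.test       # constructed hijack-style redirect
not-an-ip      broken.example.test
"""

def parse_hosts(text):
    """Yield (line_number, address, hostnames) for every active entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if fields:
            yield lineno, fields[0], fields[1:]

def audit_hosts(text):
    """Label entries: 'loopback' (localhost or blocked), 'redirect', 'malformed'."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            ip = None
        if ip is None or not names:
            kind = "malformed"
        elif ip.is_loopback or ip.is_unspecified:
            kind = "loopback"
        else:
            kind = "redirect"  # name resolves to an outside address: review it
        findings.append((lineno, kind, names))
    return findings

def is_read_only(path):
    """True when no write bit is set (the Read-only attribute on Windows)."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)

if __name__ == "__main__":
    for lineno, kind, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {kind:9} {' '.join(names)}")
```

Running `audit_hosts` on the real file's text and comparing the result against a saved known-good copy shows any entry that was added or changed, whether or not the Read-only attribute was cleared along the way.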
john2005
Hi HKEd,

I have attached the host files to this message in zip format.

I don't think I blocked anything legitimate. Someone else may see something in my hijacked host file that they may also want to block.

I might give the host file at the MVP site a try, it seems fairly comprehensive, and they will email an updated one to you every so often.

I never edited a host file before but it's great to be able to block any site that you want or are having trouble with.

Apparently, when I got hijacked by this altfarm.mediaplex thing, it changed the read only status of the host file, and then also bypassed Windows Defender at the same time. That almost sounds like something a trojan would do.

I just wish there were some way to really secure the host file so programs cannot change the read only status and then modify the file.

Thanks again for the tip, I now have another line of defense against spyware.

John
HKEd
Hi John...the files you sent appear to be copies of Hosts.sam. This is a sample file and is not used by Windows. The Hosts file should have no extension. If you use Search for Hosts, you'll see Hosts, Hosts.bak and Hosts.sam.

Use the MVPS file. It's very comprehensive. Mine is 504K in size. It blocks just about everything out there. Only problem is, it blocks many banner ads on sites. Sometimes, on legitimate sites, I like to see banners. They occasionally have things I might like, and banners support many free sites.
john2005
Hi HKEd,

I did not see any extensions on the files I uploaded. The file was in...

C:\windows\system32\drivers\etc

The original host file I renamed "before change" which was the hijacked file, and then I copied the file, renamed it to "after change" and then edited the file myself to block the bad sites.

There is one file in the "etc" folder that has the .sam extension but that's not the file I used.

If you open the file it says at the top that it is a sample file, but spybot search and destroy modified the file, so spybot must have thought it was the real host file. The spyware also modified the file so it too must have thought it was a real file. I also tested it and it does seem to block the sites that I want to block. Still, it does not make sense that it would say sample file when you open it, but windows does appear to be using it. There was nothing else in the "etc" folder that resembled a host file.

Anyway, I will go ahead and use the MVP file.

Take care,
John
HKEd
Hi John...in Tools > Folder Options > View tab, is 'Show hidden files and folders' checked? Also, 'Hide extensions for known file types' unchecked?

Attached is what shows in the Search window on my system.
john2005
Hi HKEd,

QUOTE
Hi John...in Tools > Folder Options > View tab, is 'Show hidden files and folders' checked? Also, 'Hide extensions for known file types' unchecked?


Yes, that's the way I have things set up.

QUOTE
Attached is what shows in the Search window on my system.


You basically have what I have. I just used the hosts file located in C:\windows\system32\drivers\etc (it just said "hosts" with no other writing or extension given, just like line # 4 of your jpg screen capture ).

I did not see any extension on the hosts file, but when I open it, it says at the top that it is a sample file, and yet, windows is using the file because the sites in the file are indeed blocked :-)

I downloaded the zip file which I uploaded to this site and I did not see any extension on the hosts files. The hosts files in the zip file I uploaded were being used by my system, because the sites were being blocked. The files that I uploaded were the same as line # 4 of your screen capture.

I looked at the original hosts file on another XP computer, it had no extension & did not have any sites listed in the file, but when the file was opened in notepad, at the top of the file, it too said it was a sample file and it was also located in C:\windows\system32\drivers\etc.

I guess it does not matter since the file is being used by windows and the sites are being blocked, but it seems strange that you see extensions on the files I uploaded and I do not. Is it possible that you got my files mixed up with something else ?

Thanks
John
HKEd
I didn't see extensions on the files you uploaded, John. Didn't mean to imply I did. It's just that the text at the top is the same as Hosts.sam. I guess Windows will use the Hosts file as long as it doesn't have a file extension, regardless of the text in the header.

I've used the MVPS file for so long, I forget what the original Hosts looked like.