paul3vanz

Calling all security experts... Basically, with our bank (HSBC UK), when you access the Internet Banking in Internet Explorer 8, the login page goes through ok, with SSL enabled and the green address bar, until the page that requests the random digits from the security code and my date of birth. If the security software that our bank recommends (Trusteer Rapport) is enabled, when you submit the page, the next page contains a broken HSBC page and the rapport log shows "IP adress 116.125.172.233 doesn't match HSBC". It appears that Rapport tries to intervene, but fails... The page URL then turns to hxxp://fred6rer.net/1/2/portal/5ee2aa71870dada9032b520ce9728047.php?id=65940D2548A7316FD91C8C91A1E2F4E8&u=aHR0cHM6Ly93d3cuaHNiYy5jby51ay8xLzIvO2pzZXNzaW9uaWQ9MDAwMF9CM0N4S09DNTlPSWpSeldZaGVrUVYyOjE0ZXQ1bTh0Mztqc2Vzc2lvbmlkPTAwMDBfQjNDeEtPQzU5T0lqUnpXWWhla1FWMjoxNGV0NW04dDM/aWR2X2NtZD1pZHYuQ3VzdG9tZXJNaWdyYXRpb24= This is obviously a phishing attempt, especially when looking at the domain more closely, reveals that the primary name server of fred6rer.net is NS1.ZZ8NS.COM, which is registered with DOTNAME KOREA CORP (http://www.dotname.co.kr) http://reports.internic.net/cgi/whois?whois_nic=fred6rer.net&type=domain http://reports.internic.net/cgi/whois?whois_nic=ZZ8NS.COM&type=domain if Rapport is disabled and you try to log in (using made-up login details), after entering the digits from the security code and date of birth, the following page is a replica of the HSBC site, but with a phishing message... It states that the digits you entered weren't recognised and asks you to enter the full security code in the box provided. This page shows the URL as hsbc.co.uk, starting with https:// but there is no padlock or green address bar. This only occurs on Internet Explorer, not Firefox. With Firefox, when you try to log in (with incorrect details), the final stage of the login just states that the details were incorrect, which is the correct thing that should happen. I then wanted to see if this affected other banks, so I tried going to another bank (Lloyds TSB - which we are not customers with) and a similar thing happens, the login page asks first for random digits and the SSL shows the green bar to show the site is safe, but when you submit that page, it asks for you memorable place, phone banking security code and date of birth. I am using Avira Antivirus, Spybot, Malwarebytes Antimalware and I've just installed Windows Defender. They say they have removed everything they found, but this still happens. I ran HijackThis and I can't see anything untoward. I ran LSPFix as I read that LSPs can intercept traffic. I want to know how can malware do this , while still show a valid URL for the bank and why is it only in Internet Explorer. Don't LSPs affect all browsers? I am going to format the hard drive and reinstall Windows, but I just want to get to the bottom of how this malware is working. hijackthis.log.txt

Seems like it did affect everyone lol: http://www.pocket-lint.co.uk/news/news.pht...g-malware.phtml http://www.making-the-web.com/2009/01/31/g...stops-searches/ It's fixed now and only lasted for around half an hour, which explains why it did it on my laptop but not my main computer, i must have noticed on my laptop a few minutes before they fixed the bug and checked my main computer after they fixed it. It's quite scary to think that Google can stop working. How on earth will I find the answer to the most trivial rubbish that pops into my head?

It's Internet Explorer 7, the green star/tick is AVG Antivirus Free. It supposedly reports bad sites. Google is now working alright for me. Bizarre!

I don't know whether this is happening to anyone else, but every link on Google Search results warns that it may 'harm my computer'. Here's what I get: (Note: I couldn't resist by searching for this hehe)