
Ebay/paypal/aol Phishing.


10 replies to this topic

#1 Da Salmon


Posted 07 May 2008 - 10:45 AM

Hello!

I am new here, and heard you guys could help get rid of my problem. I have been an avid Ebay user for some time, but I seem to have gotten a virus or something from who knows where. It sends me to a phishing site asking for all of my information if I try to log into Ebay/Paypal/AOL. I'm too scared to try to log into my bank. After I did some research I think I could have "Spy-Agent.ba" (as labeled by McAfee), as that's the first result in Google I got when I searched for the URL the fake page was sending me to. I did manage to find a trick to get around the redirection: if you enter nothing in the login/password you can then log in on the NEXT page Ebay/Paypal takes you to, as the virus doesn't realize it's the same thing. What's even more annoying is that this virus (or, God forbid, another one) is stopping me from downloading anything. The download just automatically closes. I can get around that by right-clicking and saving the target as.

So can you guys help me? I've tried running trend micro's housecall and AVG by grisoft, but neither has removed whatever is causing this. =(



#2 Da Salmon

  • Topic Starter

Posted 07 May 2008 - 11:01 AM

Here is a print screen of the redirected phishing page:

http://i301.photobucket.com/albums/nn80/Da...raudpage1-1.jpg

http://i301.photobucket.com/albums/nn80/Da...raudpage2-2.jpg

#3 ruby1


Posted 07 May 2008 - 04:32 PM

Hi and welcome :thumbsup: Can you just clarify, so we know what is going on a bit better:

are you running both McAfee AND AVG antivirus programs on there simultaneously?

if so you will be open TO infections as the accepted maxim on any computer is to have ONE installed antivirus program only
please clarify for us?

#4 Da Salmon

  • Topic Starter

Posted 07 May 2008 - 07:42 PM

Actually I'm not running McAfee at all; that was just the Google result for the possible definition of the virus based on the URL I was being redirected to.

The only anti-virus program I am running right now is the Trend Micro one, as AVG didn't detect anything.

Trend Micro did find this though: TROJ_Generic.ADV

I am removing it right now with trend micro... :thumbsup:


I'll see if this resolves my problem and get back in a minute!

#5 boopme

  • Global Moderator

Posted 07 May 2008 - 07:47 PM

Are you running XP??
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 Da Salmon

  • Topic Starter

Posted 07 May 2008 - 08:02 PM

Yes I am.

After I removed that trojan with Trend Micro I have been logging into Ebay/Paypal/AOL without being redirected to that fake page.

I hope that virus had no way of stealing my passwords... although I wouldn't think so.

#7 boopme

  • Global Moderator

Posted 07 May 2008 - 08:39 PM

Unfortunately it did. I'm not trying to scare you, but this is our best recommendation.

Spy-Agent.ba is a trojan which attempts to steal confidential account information (banking, email, etc.)

http://vil.nai.com/vil/content/v_139621.htm

One or more of the identified infections is related to a nasty Backdoor Trojan. Backdoors are very dangerous because they use advanced techniques as a means of accessing a computer system that bypasses security mechanisms, and steal sensitive information which they send back to the hacker. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the rootkit has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the rootkit has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?" and "Reformatting the computer or troubleshooting; which is best?".

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

#8 Da Salmon

  • Topic Starter

Posted 07 May 2008 - 09:26 PM

While I did not find Spy-Agent.ba on my computer with Trend Micro, I am currently rescanning.
Spy-Agent.ba is just what came up from the first Google search result when I searched for the fake page's URL.

Trend Micro did find this though: TROJ_Generic.ADV
I have removed it, but the rescan is currently showing 19 new problems, although before it was only 9.
I don't know what the threats are yet, as I have to wait for the scan to end. (A full scan takes a whopping 5 hours.)

I really don't want to reformat as I'd be losing almost a TB of information, and 90% of it is very important.

So there is no way to detect the problem, and remove it?

I guess I'll have to change the passwords if I can go over to my dad's this weekend, but I don't know what I'll do since I have to come back here to do all my work and log in with those new ones that the virus may resteal.

I live pretty much in the middle of nowhere, and I don't have another computer to run my online business from. I spend around 8 hours a day working from home, and I can't reformat as that would just ruin me.

EDIT: Also, the phishing pages are no longer occurring at all.

Edited by Da Salmon, 07 May 2008 - 09:37 PM.


#9 boopme

  • Global Moderator

Posted 07 May 2008 - 10:03 PM

Spy-Agent.ba is just what came up from the first google search

Ok, that's good, then you do not have it in your system.
Run this to get the other.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#10 Da Salmon

  • Topic Starter

Posted 07 May 2008 - 10:12 PM

Ok, I will do this as soon as Trend Micro finishes its scan.

Thanks, you've all been really helpful!
I will get back to you guys with the results as soon as the scan is done.

#11 Da Salmon

  • Topic Starter

Posted 09 May 2008 - 06:32 AM

I removed 4 things that appeared to be adware with Malwarebytes' Anti-Malware.

Here's the log:

------------------------------------
Malwarebytes' Anti-Malware 1.12
Database version: 730

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 360585
Time elapsed: 1 hour(s), 54 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0b0a76e7-ade1-41f4-b157-559605721b3a} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50da37bb-7083-4fa7-80cf-de4cdb634166} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
----------------------------------------

Edited by Da Salmon, 09 May 2008 - 06:32 AM.
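For anyone reading a log like the one pasted above, here is a small parser for the MBAM 1.x text log format. It is an added example, not code from this thread or from Malwarebytes; the only layout it assumes is the one visible in the post (a "Label: value" header block, then one "<Category> Infected:" section per category whose lines are either "(No malicious items detected)" or "<object> (<detection>) -> <action>"). The embedded sample is constructed and abridged to four categories, with the registry-key lines reproducing the four Adware.WebDir entries from the post. Beyond printing what the log already says, it checks that the header counts agree with the entries actually listed (a truncated or hand-edited paste fails this), flags any entry whose action is not "Quarantined and deleted successfully." so a removal deferred to reboot is not overlooked, and collects the COM GUIDs from registry entries so the Interface/Typelib pairs of one component can be reviewed together.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured data.

Added example, not code from the thread or from Malwarebytes.  It assumes
the layout seen in the post: "Label: value" header lines, then a section
per category ("<Category> Infected:") whose lines are either
"(No malicious items detected)" or "<object> (<detection>) -> <action>".
"""
import re
from collections import Counter

# Constructed sample, abridged to four categories; the registry-key lines
# reproduce the four Adware.WebDir entries quoted in the thread.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.12
Database version: 730

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 360585
Time elapsed: 1 hour(s), 54 minute(s), 54 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0b0a76e7-ade1-41f4-b157-559605721b3a} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{50da37bb-7083-4fa7-80cf-de4cdb634166} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
"""

CLEAN_ACTION = "Quarantined and deleted successfully."
COUNT_RE = re.compile(r"^(?P<category>.+ Infected): (?P<count>\d+)$")
DETECTION_RE = re.compile(r"^(?P<object>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
GUID_RE = re.compile(r"\{[0-9a-fA-F-]{36}\}")


def parse_mbam_log(text):
    """Return (summary, detections): header counts per category and one
    dict per listed detection with category, object, name and action."""
    summary, detections, category = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:                                   # header count line
            summary[m.group("category")] = int(m.group("count"))
            continue
        if line.endswith(" Infected:"):         # section heading
            category = line[:-1]
            continue
        if category is None or line.startswith("(No malicious"):
            continue                            # scan metadata or empty section
        m = DETECTION_RE.match(line)
        if m:
            detections.append({"category": category, **m.groupdict()})
    return summary, detections


def count_mismatches(summary, detections):
    """Categories whose header count differs from the entries listed,
    which is what a truncated or hand-edited paste looks like."""
    listed = Counter(d["category"] for d in detections)
    return sorted(c for c, n in summary.items() if listed[c] != n)


def unresolved(detections):
    """Entries not fully removed (any action other than CLEAN_ACTION),
    e.g. items MBAM has deferred until the reboot the post's Note asks for."""
    return [d for d in detections if d["action"] != CLEAN_ACTION]


def families(detections):
    """Detection names with how many objects each accounted for."""
    return dict(Counter(d["name"] for d in detections))


def registry_guids(detections):
    """COM GUIDs named in registry entries, so the Interface/Typelib
    pairs belonging to one component can be looked at together."""
    return sorted({g for d in detections if d["category"].startswith("Registry")
                   for g in GUID_RE.findall(d["object"])})


if __name__ == "__main__":
    s, dets = parse_mbam_log(SAMPLE_LOG)
    print("families:", families(dets))
    print("mismatched categories:", count_mismatches(s, dets))
    print("unresolved entries:", len(unresolved(dets)))
    print("registry GUIDs:", registry_guids(dets))
```

On the log from the thread the parser reports one family (Adware.WebDir, 4 objects), no count mismatches, no unresolved entries, and four GUIDs: two Interface keys and two Typelib keys, which is consistent with the remnants of an uninstalled or half-removed COM component rather than a live process or file, matching the "Files Infected: 0" line.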