Posted 10 May 2008 - 02:33 AM
OK, I did run the ComboFix exe in great hopes (I will not post the log as it is clear that is an invitation-only thing to do). I will mention that the problem is still with me after ComboFix ran successfully and I then rebooted. The problem involves only paypal that I can tell - but I don't have many money sites I use. I use ebay rarely and will not even try it at this point. I discovered the problem while trying to pay on a website with paypal 3 nights ago - something I do not normally do. I've combed the net and not found any current info on what looked to be pharming and now appears to be a trojan from something I installed or a virus I picked up from inadvertently viewed spam in the last month or so. I would appreciate any expert help on this malware.
Description: I surf paypal.com -- it returns the login page as HTTPS. The source of the page matches that on computers that are fine. Fiddler shows the page contents really came from paypal's various IPs (including the main site, the paypalobjects site and the creepy Omniture site).
But once you click the logon button on the main page, the postback actually returns (from 220.127.116.11 according to Fiddler), a page that says:
"We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.
Please enter as more information as possible to provide your complete identification and to activate all the features of the new system."
It goes on to request your DOB, SSN, CC and EXP, PIN, Checking account... I've seen this very page around the Internet as phishing. But there hasn't been an email involved, and I am typing the url into IE myself.
Then I'm guessing it's capturing keyboard, because the delete key stops functioning well, and Fiddler shows it phoning home on HTTPS to these urls:
Once the login button is clicked and the bogus page returned, the SSL posts to those 4 urls don't stop until a reboot. Post-boot, it all begins again -- but only after the login to paypal is attempted again.
I've stopped all unnecessary services, removed all the programs I can find that I added in the last month or so, removed Sun Java and other things that were around longer than a month or so... I also deleted every cache, cookie, history... everything there is an option to delete (many times)...nothing has worked. I can't see anything out of the ordinary on TaskMgr, so I think it's hijacked something in the kernel.
On the surreptitious HTTPS activity, IE 7.0 can't block it. XP Firewall can't block it. McAfee Total Protection can't block it. (McAfee can't even make it through a scan on my C drive without crashing.... it is OK on the other computers).
And no matter how many times I remove it there is a Proxy setting (shown on IE connections tab under LAN) that comes back to local machine (127.0.0.1) on 8888. I tried changing the port -- it changes it back. The computers here all have the same gateway and no other ones have that proxy.
When I tracert Paypal before the thing starts, I get a nice normal tracert out my gateway and quite a few hops over to Paypal -- matching the tracert on uninfected machines. Once the thing gets going, a tracert to paypal.com then shows "Tracing to ... 18.104.22.168..." and a single entry saying "Destination host unreachable".... It didn't make it out of my machine.
Also the first night I saw it, it was updating the hosts file, because of the timestamp on the file. It kept removing whatever it put there so the file always looked clean (had just the one localhost entry in it). I set the readonly bit and rebooted - but the virus kept on trucking - never updating the hosts timestamp again though.
And ipconfig /displaydns shows the bogus paypal in it. flushdns does not stop it.
I also tried borrowing wininet and winhttp from a non-infected machine - no difference.
This is XP Pro SP3 with IE 7.0 -- up-to-date with Windows Updates. (I had the problem with IE 6.0 three nights ago, so I upgraded to IE 7.0, and the problem stayed with me).
Thanks in advance. I will have patience since I can see you are all busy, and I cancelled the paypal account from another computer.
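The three checks this post describes by hand (the IE proxy pointing at 127.0.0.1:8888, the bogus paypal entry in `ipconfig /displaydns`, and comparing against an uninfected machine on the same gateway), as an added example that is not part of the original thread. It runs over constructed `displaydns` text and a constructed IE ProxyServer value; the sample addresses, the KNOWN_GOOD table and all function names are assumptions, not data from the post.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed, abbreviated `ipconfig /displaydns` output: the PayPal name is cached
# with a loopback answer; the other name is an ordinary entry (documentation range).
SAMPLE_DISPLAYDNS = """\
         Record Name . . . . . : www.paypal.com
         A (Host) Record . . . : 127.0.0.1

         Record Name . . . . . : www.example.com
         A (Host) Record . . . : 203.0.113.5
"""
KNOWN_GOOD = {"www.paypal.com": {"198.51.100.20"}}  # constructed: clean machine's answer
LOCAL_NETS = [ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_displaydns(text):
    """Map each cached record name to its A-record addresses."""
    records, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Record Name[ .]*: (\S+)", line)
        if m:
            current = m.group(1).lower()
            records.setdefault(current, [])
        m = re.match(r"\s*A \(Host\) Record[ .]*: (\S+)", line)
        if m and current:
            records[current].append(m.group(1))
    return records

def suspect_entries(records, watch_suffixes=("paypal.com",), known_good=KNOWN_GOOD):
    """Flag watched names cached to local address space or to an answer the clean machine never gave."""
    findings = []
    for name, addrs in records.items():
        if not any(name == s or name.endswith("." + s) for s in watch_suffixes):
            continue
        for a in addrs:
            ip = ip_address(a)
            if any(ip in net for net in LOCAL_NETS):
                findings.append((name, a, "resolves to the local machine/LAN"))
            elif name in known_good and a not in known_good[name]:
                findings.append((name, a, "differs from clean-machine answer"))
    return findings

def proxy_is_suspect(proxy_server, proxy_enable=1):
    """IE ProxyServer/ProxyEnable (HKCU\\...\\Internet Settings) pointing at loopback: every request goes to a local process."""
    if not proxy_enable or not proxy_server:
        return False
    host = proxy_server.split(";")[0].split("=")[-1].split(":")[0]
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"
```

A `flushdns` only empties the cache, so re-running `suspect_entries` after a login attempt shows whether something refills it; the proxy check belongs in the same loop, since the post reports the setting coming back after every removal.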