Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Paypal Hijacked By A Trojan

  • This topic is locked This topic is locked
4 replies to this topic

#1 northwiz


  • Members
  • 5 posts
  • Local time:07:25 PM

Posted 10 May 2008 - 02:33 AM

OK, I did run the ComboFix exe in great hopes (I will not post the log as it is clear that is an invitation-only thing to do). I will mention that the problem is still with me after ComboFix ran successfully and I then rebooted. The problem involves only paypal that I can tell - but I don't have many money sites I use. I use ebay rarely and will not even try it at this point. I discovered the problem while trying to pay on a website with paypal 3 nights ago - something I do not normally do. I've combed the net and not found any current info on what looked to be pharming and now appears to be a trojan from something I installed or a virus I picked up from inadvertenly viewed spam in the last month or so. I would appreciate any expert help on this malware.
Thanks, Cyndi

Description: I surf paypal.com -- it returns the login page as HTTPS. The source of the page matches that on computers that are fine. Fiddler shows the page contents really came from paypal's various IPs (including the main site, the paypalobjects site and the creepy Omniture site).

But once you click the logon button on the main page, the postback actually returns (from according to Fiddler), a page that says:

We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.
Please enter as more information as possible to provide your complete identification and to activate all the features of the new system."

It goes on to request your DOB, SSN, CC and EXP, PIN, Checking account... I've seen this very page around the Internet as phishing. But there hasn't been an email involved, and I am typing the url into IE myself.

Then I'm guessing it's capturing keyboard, because the delete key stops functioning well, and Fiddler shows it phoning home on HTTPS to these urls:


Once the login button is clicked and the bogus page returned, the SSL posts to those 4 urls don't stop until a reboot. Post-boot, it all begins again -- but only after the login to paypal is attempted again.

I've stopped all unnecessary services, removed all the programs I can find that I added in the last month or so, removed Sun Java and other things that were around longer than a month or so... I also deleted every cache, cookie, history... everything there is an option to delete (many times)...nothing has worked. I can't see anything out of the ordinary on TaskMgr, so I think it's hijacked something in the kernel.

On the surreptitious HTTPS activity, IE 7.0 can't block it. XP Firewall can't block it. McAfee Total protection can't block it. (McAfee can't even make it through a scan on my C drive without crashing.... it is OK on the other computers).

And no matter how many times I remove it there is a Proxy setting (shown on IE connections tab under LAN) that comes back to local machine ( on 8888. I tried changing the port -- it changes it back. The computers here all have the same gateway and no other ones have that proxy.

When I tracert Paypal before the thing starts, I get a nice normal tracert out my gateway and quite a few hops over to Paypal -- matching the tracert on uninfected machines. Once the thing gets going a tracert to paypal.com then shows "Tracing to ... and a single entry saying Destination host unreachable".... it didn't make it out of my machine.

Also the first night I saw it was updating the hosts file because of the timestamp on the file. It kept removing whatever it put there so the file always looked clean (had just the one localhost entry in it). I set the readonly bit and rebooted - but the virus kept on trucking - never updating the hosts timetamp again though.

And ipconfig /displaydns shows the bogus paypal in it. flushdns does not stop it.

I also tried borrowing wininet and winhttp from a non-infected machine - no difference.

This is XP Pro SP3 with IE 7.0 -- up-to-date with Windows Updates. (I had the problem with IE 6.0 three nights ago, so I upgraded to IE 7.0, and the problem stayed with me).

Thanks in advance. I will have patience since I can see you are all busy, and I cancelled the paypal account from another computer.

BC AdBot (Login to Remove)


#2 northwiz

  • Topic Starter

  • Members
  • 5 posts
  • Local time:07:25 PM

Posted 10 May 2008 - 03:34 AM

It's McAfee that was hijacked?! After seeing the log showed the DisableMonitoring in the McAfeeAntivirus and McAfeeFirewall of Security Center, I tried deleting the keys -- they kept coming back. I tried individually and Firewall would stay deleted after I restarted the service - and then the virus behavior stopped (I got thru to Paypal telling me invalid logon). But when same is done to McAfee Antivirus (delete the key and restart McShield service) the key comes back... to both! Whereas if I delete the key and don't restart the service, it stays deleted (but the change is not observed). I disabled all 4 McAfee services, turned on the Windows XP Firewall ... and paypal is no longer hijacked. However, something is still phoning home with a vengeance to the 4 odd site urls. And unfortunately the catchme log and the quarantine folder are devoid of any problems.

#3 ruby1


    a forum member

  • Members
  • 2,375 posts
  • Local time:01:25 AM

Posted 10 May 2008 - 06:36 AM

from what you have said, my strong suggestion would be to SHUT this computer from the internet and only use one you KNOW to be clean

if you do HAVE a keylogger infection on the computer you can assume ALL your security ON that computer has been compromised; if you do any banking, have passwords ect on there assume them to be stolen and inform anyone you have dealing with that you may BE the victim of identity theft and change them using a KNOWN CLEAN computer

as to the Combofix? may one ask who suggested you even USE it as it is ( as the Disclaimer states ) NOT for private use and you may be merely fortunate that your computer DID reboot

what damage may have been done TO it from running that tool unrequested remains to be seen

do you have your Computer cd and licence key to hand as you MAY need to do a complete wipe off and reinstall OD windows if it IS a keylogger on there

#4 paperclip57


  • Members
  • 52 posts
  • Gender:Male
  • Local time:08:25 PM

Posted 10 May 2008 - 08:20 PM

You could try a hijackthis log but there is no way to be sure your computer is 100% clean.

do you have your Computer cd and licence key to hand as you MAY need to do a complete wipe off and reinstall OD windows

This would be the best thing to do.

Edited by paperclip57, 10 May 2008 - 08:22 PM.

#5 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,046 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:07:25 PM

Posted 10 May 2008 - 09:09 PM

Hello northwiz and welcome to BC,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/146198/trojan-hijacked-paypal-and-accessing-internet/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users