
Trojan Hijacked Paypal And Accessing Internet



#1 northwiz


Posted 10 May 2008 - 02:01 PM

I posted over here: http://www.bleepingcomputer.com/forums/t/146122/paypal-hijacked-by-a-trojan/ but apparently that was wrong - sorry. I found this site from googling my problem which pointed me to ComboFix which pointed me here.

So now I have instead tried DSS/HijackThis and posted it below. The Kaspersky scanner install failed at the very end - I will try again.

To reiterate the problem (see original at topic 146122 which has the text of the bogus web page):

1) I type Paypal.com into IE 7.0 (this started a few days ago with IE 6.0, so I upgraded). The Paypal login button takes me to a page from another server (66.240.234.4), and the page asks for identity and financial information. The login page itself comes from paypal servers and compares OK with other machines here that are not hijacked. View source (even from IE dev toolbar) shows the form action is correctly showing a url beginning with paypal. The only hijacked url seems to begin with: //www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit&..etc

2) Fiddler shows something doing HTTPS GETs pretty frequently against these domains - the first two do not DNS resolve and stop right away - the other two mostly get 500 and 0 responses, with occasional 200: rtsforme.com, suseform.com, firkan.com, kctfdiij.com. A response/reply looks like this:

GET /4CC89AA67808A9FE5CF49/d1Bg6x4XJlRh/kYuF+oAgxIhF1yqVcI1tEtTLFWqxXEAAJB+r6cjYlOrJLtCujUmIFfQuw11AuVxrhbLA HTTP/1.1
Host: firkan.com
Pragma: no-cache

reply to 200:
HTTP/1.1 200 OK
Server: nginx/0.5.32
Date: Sun, 11 May 2008 01:46:41 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.1.6
Content-Length: 24
okc 11t=0&gpd=300


All the GETs look the same and, being HTTPS, don't have much info. Replies on a 500 error look like this:
HTTP/1.1 500 Internal Server Error
Server: nginx/0.5.32
Date: Sun, 11 May 2008 01:48:31 GMT
Content-Type: text/html
Content-Length: 383
Connection: close
The page is temporarily unavailable (that has the usual HTML around it)

And replies on what Fiddler shows as HTTP status zero are zero bytes long - not even a header.

I thought I had to surf the bogus PayPal page to have those HTTPS GETs start, but instead I just have to wait some time after startup.

3) The hosts file had been getting updated (but the updates were then removed so I couldn't see what) and setting it read-only stopped that but did not stop the problem.

4) McAfee total access could not stop it and also crashes on the scan (can scan My Documents, but hasn't succeeded on the whole computer or C drive). Since DisableMonitoring was repeatedly being set in the registry, I stopped all McAfee services and turned the XP Firewall on. The firewall seemed at first to work but it didn't really. I have exceptions all unchecked. Windows Security Center has all of the "alert me"s turned on.

5) No matter how many times I remove it there is a Proxy setting that comes back to local machine (127.0.0.1) on 8888. I tried changing the port -- it changes it back. This is likely why when I tracert Paypal before the thing starts, I get a nice normal tracert out my gateway and quite a few hops over to Paypal -- matching the tracert on uninfected machines. Once the thing gets going a tracert to paypal.com then shows "Tracing to ... 66.211.168.65.. and a single entry saying Destination host unreachable".... it didn't make it out of my machine.

And ipconfig /displaydns shows the bogus paypal in it. flushdns does not stop the virus trying to phone home. I also tried borrowing wininet and winhttp from a non-infected machine - no difference.

On the 8888, netstat shows:

TCP edmontonxp:8888 edmontonxp:0 LISTENING
TCP edmontonxp:8888 localhost:2620 TIME_WAIT
TCP edmontonxp:8888 localhost:2622 TIME_WAIT
TCP edmontonxp:8888 localhost:2627 TIME_WAIT
...etc. Currently going on for about 25 or 30 of them up through port 2738.

6) The delete key on the keyboard starts failing most of the time.


In the log below - I should explain a few things: the "xxx" at the end of DLL and EXEs in the registries Current Version/Run was done by me -- I added that early on to see if I could stop it - the only survivor is ctfmon.exe.
And in trusted sites and DPF, realpage.com is my work.
And recently-created folder kbd was created by me moving 4 files out of System32 that were not shown on another computer's System32, all prefixed with kbd*.

Thanks for any expert help you can offer. The Paypal account is cancelled now and I am not doing anything on the problem computer other than DSS and such. I deleted all cookies, cache, etc. several times. But before I resort to burning this machine I would really like to know what this is so I don't end up with it again.
Cyndi/Cathy

------------------------------
Deckard's System Scanner v20071014.68
Run by cathy on 2008-05-10 12:52:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as cathy.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:28 PM, on 5/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cathy\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cathy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exexxxx"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dllxxx,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exexxx /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dllxxxx,NvTaskbarInit
O4 - HKLM\..\Run: [MVS Splash] "C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exexxx"
O4 - HKLM\..\Run: [McAfee Managed Services Tray] "C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exexxx"
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6173\SiteAdvxxxx.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9xxxx.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon4149.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescommxxx.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.realpage.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {4AEF8AEE-3DE8-4B69-8B6E-6353B6C59B50} (RealPage Web Objects) - http://onesite.realpage.com/coreglobal/Rea...ab/Realpage.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1210282556500
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4149 bytes

-- Files created between 2008-04-10 and 2008-05-10 -----------------------------

2008-05-10 11:48:18 0 d-------- C:\Program Files\Trend Micro
2008-05-10 11:42:57 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-10 11:42:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-10 02:43:14 0 d-------- C:\kbd
2008-05-10 01:18:46 68096 --a------ C:\WINDOWS\zip.exe
2008-05-10 01:18:46 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-10 01:18:46 161792 --a------ C:\WINDOWS\swreg.exe
2008-05-10 01:18:46 98816 --a------ C:\WINDOWS\sed.exe
2008-05-10 01:18:46 80412 --a------ C:\WINDOWS\grep.exe
2008-05-10 01:18:46 73728 --a------ C:\WINDOWS\fdsv.exe
2008-05-10 01:18:45 212480 --a------ C:\WINDOWS\swxcacls.exe
2008-05-10 01:18:45 136704 --a------ C:\WINDOWS\swsc.exe
2008-05-09 21:59:45 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-05-09 21:55:50 0 d-------- C:\WINDOWS\system32\appmgmt
2008-05-09 19:39:36 0 d-------- C:\Program Files\Microsoft
2008-05-09 18:23:22 272316 --a------ C:\WINDOWS\system32\WinDifs Calgary vs EdmontonXP
2008-05-09 18:00:04 42256 --a------ C:\WINDOWS\system32\GUTILS.DLL
2008-05-09 17:59:45 89360 --a------ C:\WINDOWS\system32\WINDIFF.EXE
2008-05-08 21:19:04 0 d-------- C:\Documents and Settings\larry\Application Data\Macromedia
2008-05-08 21:19:04 0 d-------- C:\Documents and Settings\larry\Application Data\Adobe
2008-05-08 21:18:47 0 d-------- C:\Documents and Settings\larry\Application Data\Google
2008-05-08 21:16:56 0 d-------- C:\Documents and Settings\larry\Application Data\SiteAdvisor
2008-05-08 21:16:32 0 d-------- C:\Documents and Settings\larry\Application Data\Identities
2008-05-08 21:16:04 0 d--h----- C:\Documents and Settings\larry\Templates
2008-05-08 21:16:04 0 dr------- C:\Documents and Settings\larry\Start Menu
2008-05-08 21:16:04 0 dr-h----- C:\Documents and Settings\larry\SendTo
2008-05-08 21:16:04 0 dr-h----- C:\Documents and Settings\larry\Recent
2008-05-08 21:16:04 0 d--h----- C:\Documents and Settings\larry\PrintHood
2008-05-08 21:16:04 1048576 --ah----- C:\Documents and Settings\larry\NTUSER.DAT
2008-05-08 21:16:04 0 d--h----- C:\Documents and Settings\larry\NetHood
2008-05-08 21:16:04 0 dr------- C:\Documents and Settings\larry\My Documents
2008-05-08 21:16:04 0 d--h----- C:\Documents and Settings\larry\Local Settings
2008-05-08 21:16:04 0 dr------- C:\Documents and Settings\larry\Favorites
2008-05-08 21:16:04 0 d-------- C:\Documents and Settings\larry\Desktop
2008-05-08 21:16:04 0 d--hs---- C:\Documents and Settings\larry\Cookies
2008-05-08 21:16:04 0 dr-h----- C:\Documents and Settings\larry\Application Data
2008-05-08 21:16:04 0 d---s---- C:\Documents and Settings\larry\Application Data\Microsoft
2008-05-08 17:57:52 0 d-------- C:\WINDOWS\Prefetch
2008-05-08 17:03:13 0 d-------- C:\WINDOWS\system32\scripting
2008-05-08 17:03:13 0 d-------- C:\WINDOWS\l2schemas
2008-05-08 17:03:12 0 d-------- C:\WINDOWS\system32\en
2008-05-08 17:03:12 0 d-------- C:\WINDOWS\system32\bits
2008-05-08 17:01:27 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-08 17:00:12 0 d-------- C:\WINDOWS\network diagnostic
2008-05-08 16:41:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-08 16:40:36 0 d-------- C:\WINDOWS\system32\PreInstall
2008-05-08 16:40:34 0 d--h----- C:\WINDOWS\$hf_mig$
2008-05-08 16:36:17 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-05-08 00:54:17 0 d--hs---- C:\WINDOWS\CSC
2008-05-08 00:01:34 0 d-------- C:\Program Files\Fiddler2
2008-05-07 17:31:14 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2008-05-07 17:31:14 0 d-------- C:\Documents and Settings\NetworkService\Application Data\SiteAdvisor
2008-05-02 17:01:52 0 d-------- C:\Program Files\Microsoft SQL Server
2008-05-02 17:01:29 0 d-------- C:\Program Files\Microsoft Device Emulator
2008-05-02 17:01:19 0 d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-05-02 16:55:39 0 d-------- C:\Program Files\MSBuild
2008-05-02 16:47:32 0 d-------- C:\WINDOWS\Symbols
2008-05-02 16:47:32 0 d-------- C:\Program Files\HTML Help Workshop
2008-05-02 16:47:32 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-05-02 16:47:32 0 d-------- C:\Program Files\Common Files\Business Objects
2008-05-02 16:47:32 0 d-------- C:\Program Files\CE Remote Tools
2008-05-02 16:47:32 0 d-------- C:\Documents and Settings\All Users\Application Data\PreEmptive Solutions
2008-05-02 16:20:13 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-02 16:20:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-02 16:10:38 0 d-------- C:\WebStatus
2008-04-27 11:54:23 0 d-------- C:\Documents and Settings\cathy\Application Data\WinRAR
2008-04-26 22:51:34 0 d-------- C:\Program Files\SLUDGE
2008-04-26 17:42:31 0 d--h----- C:\WINDOWS\PIF
2008-04-26 17:34:12 0 d-------- C:\mugen
2008-04-12 22:02:35 0 d-------- C:\Documents and Settings\cathy\Application Data\Google
2008-04-12 22:01:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-04-12 22:01:10 0 d-------- C:\Program Files\Google


-- Find3M Report ---------------------------------------------------------------

2008-05-10 12:05:01 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-09 21:59:35 0 d-------- C:\Program Files\Common Files
2008-05-09 21:57:27 0 d-------- C:\Program Files\Java
2008-05-08 17:03:31 0 d-------- C:\Program Files\Messenger
2008-05-08 17:03:12 0 d-------- C:\Program Files\Movie Maker
2008-05-08 17:01:15 0 d-------- C:\Program Files\Windows NT
2008-05-02 17:03:02 0 d-------- C:\Program Files\Microsoft.NET
2008-04-13 19:12:05 314880 --a------ C:\WINDOWS\system32\scesrv.dll
2008-03-13 17:55:44 0 d-------- C:\Documents and Settings\cathy\Application Data\Sun


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exexxxx" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dllxxx" []
"nwiz"="nwiz.exexxx /install" []
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dllxxxx" []
"MVS Splash"="C:\Program Files\McAfee\Managed VirusScan\Agent\Splash.exexxx" []
"McAfee Managed Services Tray"="C:\Program Files\McAfee\Managed VirusScan\Agent\StartMyagtTry.exexxx" []
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6173\SiteAdvxxxx.exe" []
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9xxxx.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmonxxxxx.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescommxxx.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc




-- End of Deckard's System Scanner: finished at 2008-05-10 12:54:05 ------------

Edited by KoanYorel, 10 May 2008 - 02:21 PM.
To disable hot link URL above
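The two comparisons the post above made by eye (the `ipconfig /displaydns` cache against a machine that is not hijacked, and the hosts file for planted entries) can be scripted. This is an added example, not code from the thread; the displaydns excerpts, the hosts file, the www.example.com entry and the 192.0.2.x addresses standing in for legitimate ones are all constructed, and only 66.240.234.4 comes from the post.

```python
"""Compare the DNS answers cached on a suspect Windows machine with those on a
known-clean one, and list hosts-file lines that pin a watched name: the two
checks the post above did by hand.  Added example; all samples constructed."""
import re

RECORD_NAME = re.compile(r"Record Name[ .]*:\s*(\S+)")
A_RECORD = re.compile(r"A \(Host\) Record[ .]*:\s*(\S+)")

# Constructed excerpt in the shape of `ipconfig /displaydns` output; the paypal
# answer is the address the post saw the bogus page come from, 192.0.2.x are
# stand-ins for legitimate addresses.
SUSPECT_DNS = """\
    www.paypal.com
    ----------------------------------------
    Record Name . . . . . : www.paypal.com
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 66.240.234.4

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.0.2.20
"""
# The same names as cached on a machine that is not hijacked (constructed).
REFERENCE_DNS = SUSPECT_DNS.replace("66.240.234.4", "192.0.2.10")
# Constructed hosts file carrying an override of the kind the post describes.
HOSTS_FILE = """\
127.0.0.1       localhost
66.240.234.4    www.paypal.com paypal.com   # planted entry
"""

def parse_displaydns(text):
    """Map each cached name to the set of A-record addresses listed under it."""
    answers, current = {}, None
    for line in text.splitlines():
        m = RECORD_NAME.search(line)
        if m:
            current = m.group(1).lower()
            answers.setdefault(current, set())
            continue
        m = A_RECORD.search(line)
        if m and current:
            answers[current].add(m.group(1))
    return answers

def compare_resolution(suspect_text, reference_text):
    """Names cached on both machines whose answers disagree."""
    suspect = parse_displaydns(suspect_text)
    reference = parse_displaydns(reference_text)
    return sorted((name, sorted(suspect[name]), sorted(reference[name]))
                  for name in suspect.keys() & reference.keys()
                  if suspect[name] != reference[name])

def hosts_overrides(hosts_text, watch_words=("paypal",)):
    """(name, address) pairs the hosts file pins for any watched name."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()
        hits.extend((n.lower(), address) for n in names
                    if any(w in n.lower() for w in watch_words))
    return hits
```

A name that differs between the two caches is only a lead, not proof: both machines must have been pointed at the same resolver for the comparison to mean anything.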



#2 northwiz


Posted 11 May 2008 - 12:29 PM

Additional info:

- The port 8888 was a red herring - when I was seeing that I had Fiddler running - that must be how Fiddler works.

- I have stopped any internal machine from reporting to firkan etc. at the router by filtering 5 IPs:

71.6.154.3
66.207.161.210
66.240.234.4
65.55.192.126
207.46.16.243

So the hijacker is now receiving 502 errors (connection actively refused) to every GET. And fiddler shows no other unexpected activity, nor does the firewall log in XP.

Thanks!

#3 northwiz


Posted 14 May 2008 - 06:14 PM

I pretty much got there. To stop the paypal hijacking I also added a firewall block of 71.6.150.1 up through 71.6.154.1

Then I read the wonderful tutorials here (see tab at top) and found TCPView. It told me the culprit was services.exe, which I realized was only facilitating connections for something else.

The paypal hijacking may or may not be related to the constant attempts to communicate. I found that something was running through all the ports in the vicinity of 10xx to 3xxx and trying to talk (showing SYN_SENT, not LISTENING) to fc71543.aspadmin.net and 66.207.161.210. It didn't begin till 5 or more minutes after a boot, so it may have been that the other endpoint was finding me.

Which leads me to -- it was Rasman (which seems to be for making remote calls to your computer)! That's a service that should not be up. Not knowing that then, by process of elimination I determined it had a corollary to the problem. There is even a Microsoft KB for addressing the rasman problem: KB911280 here: http://www.microsoft.com/downloads/details...;displaylang=en which is titled "Security Update for Windows XP (KB911280)". Even though when I first noticed the problem I had upgraded to SP3 for XP2, the bad rasmans.dll was still on my machine in Windows\System32 instead of the good one from the KB (either the good one is not in SP3 or the virii stopped it from getting replaced when I installed SP3). The bad rasmans.dll is bad in that it lets itself be exploited. I won't ever know if the new one is good enough though, because I have the Rasman service (long title "Remote Access Connection Manager") permanently disabled.

And now TCPView shows no more chattering with the bad IPs or anything else suspicious. And with the firewall blocking the range of IPs that hijack Paypal, that problem is gone too. Also, my keyboard is working OK again. It was not just the Delete Key - it was also all keys which need CTRL (CTRL+C, CTRL+V, CTRL+Z, etc.). And it was only failing in IE 7.0. But now it's not. So it may all tie together as a trojan that was exploiting Rasman to try to send all my keystrokes away somewhere.

I still need to reinstall Windows XP all the way up through all Windows Updates. Then I won't put any sensitive info here on this machine for quite a while without watching TCPView and Fiddler. And I don't know quite how this thing (or two things?) got onto the machine. But I really appreciate the Tutorials and the pointer to TCPView.

I thought it best to leave this conclusion here for anyone searching in the future.
Thanks to all!

Editing to add:
I did retry Kaspersky -- it could never fully install. I tried several other trials and online scanners (Zone Alarm, PC Doctor, a few more) since McAfee had let me down. And many could not complete their scans. The others found nothing wrong at all with my system.

Edited by northwiz, 14 May 2008 - 06:18 PM.
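What TCPView showed in the post above (one endpoint being dialled from a run of ephemeral local ports, each attempt stuck in SYN_SENT, plus a listener that had to be tied back to a process before it meant anything) can be checked over a saved `netstat -an` capture. This is an added example, not code from the thread; the capture is constructed, 192.0.2.5 and 198.51.100.9 are stand-ins for the local host and an ordinary web server, the expected-listener baseline of 135 and 445 is an assumption, and only 66.207.161.210 and port 8888 come from the posts.

```python
"""Triage a `netstat -an` capture for the pattern the post above found with
TCPView: one foreign endpoint dialled from many ephemeral local ports with
every attempt in SYN_SENT, plus listeners outside an expected baseline.
Added example, not code from the thread; the capture is constructed."""
from collections import defaultdict

# Constructed netstat -an output; 192.0.2.5 stands in for the local host and
# 198.51.100.9 for an ordinary web server.  66.207.161.210 is from the post.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8888         0.0.0.0:0              LISTENING
  TCP    192.0.2.5:1031         66.207.161.210:80      SYN_SENT
  TCP    192.0.2.5:1032         66.207.161.210:80      SYN_SENT
  TCP    192.0.2.5:1033         66.207.161.210:80      SYN_SENT
  TCP    192.0.2.5:1034         66.207.161.210:80      SYN_SENT
  TCP    192.0.2.5:1035         66.207.161.210:80      SYN_SENT
  TCP    192.0.2.5:1036         66.207.161.210:80      SYN_SENT
  TCP    192.0.2.5:1040         198.51.100.9:443       ESTABLISHED
  TCP    192.0.2.5:1041         198.51.100.9:443       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

def parse_netstat(text):
    """Return (proto, local_host, local_port, foreign_host, foreign_port, state)
    for every TCP row; UDP rows carry no state column and are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue
        proto, local, foreign, state = parts
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        rows.append((proto, lhost, int(lport), fhost, int(fport), state))
    return rows

def syn_sent_bursts(rows, min_ports=5):
    """Foreign endpoints with at least min_ports distinct local ports in
    SYN_SENT at once: the 'running through the ports' pattern in the post."""
    by_peer = defaultdict(set)
    for _, _, lport, fhost, fport, state in rows:
        if state == "SYN_SENT":
            by_peer[(fhost, fport)].add(lport)
    return sorted((host, port, sorted(ports))
                  for (host, port), ports in by_peer.items()
                  if len(ports) >= min_ports)

def unexpected_listeners(rows, expected=frozenset({135, 445})):
    """Listening sockets outside the assumed baseline; each still has to be
    tied to a process (the 8888 listener in this thread was Fiddler)."""
    return sorted((lhost, lport) for _, lhost, lport, _, _, state in rows
                  if state == "LISTENING" and lport not in expected)

if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for host, port, ports in syn_sent_bursts(rows):
        print(f"{host}:{port} dialled from {len(ports)} local ports {ports[0]}-{ports[-1]}")
    for lhost, lport in unexpected_listeners(rows):
        print(f"listener outside baseline: {lhost}:{lport}")
```

A single SYN_SENT to a normal server (the 198.51.100.9 row) stays below the threshold on purpose; the signal is the burst across consecutive local ports, not any one half-open connection.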


#4 lusitano


Posted 02 June 2008 - 07:18 AM

Hello,

You might want to save this page on your favorites, so you can find it again when you return.

Welcome to the Bleeping Computer Malware Removal Forum, sorry for the delay in responding, but the amount of people posting with infected computers is through the roof and we sometimes can't get to logs as fast as we would like to.

If you have not resolved this issue and still need assistance, post a HJT log as your system may have changed since your original post.

Thanks for your patience. :thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#5 lusitano


Posted 09 June 2008 - 05:39 PM

Due to inactivity this thread has been closed to prevent others with similar problems posting to it.
If you need it re-opened please PM a member of the moderating team with a link to your thread.

Thanks



