Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Paypal/ebay Hijack


  • Please log in to reply
20 replies to this topic

#1 browncom

browncom

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 02 October 2008 - 10:21 PM

Whenever I browse to PayPal or Ebay and attempt to login (No, I am not clicking from a phishing email link) I get what appears to be a hijack page immediately after entering my user name and password. Below is what the headline reads and the page also has data entry for name, addresss, PIN, Credit card number, mothers maiden, etc. Basically, all of the stuff you would never provide.

================
Attention !!! Secure form

We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.
================

It does appear to be on a secure site. Here is the URL in the IE browser when the suspect page appears on PayPal.
https://www.paypal.com/us/cgi-bin/webscr?cm...65d984db31b77c2

The webpage below claims it is a DLL that attaches itself to IE and is not detectable by antivirus programs.
http://www.activeboard.com/forum.spark?for...p;commentPage=0

When I try to use Firefox to browse to PayPal the site gives me an error message.
======================
Sorry your last action could not be completed

If you were making a purchase or sending money, we recommend that you check both your PayPal account and your email for a transaction confirmation during the next day.

If you came to this page from another website, please return to that site (don't use your browser's Back button) and restart your activity.

If you came from PayPal's website, click the PayPal logo in the upper-left corner to return to our home page and restart your activity. You might have to log in again.
======================

Another use of this forum posted the same issue: http://www.bleepingcomputer.com/forums/t/157528/we-have-noticed-an-increasing-fraudulent-activity-recently/

I have run several virus programs but to no avail.

Help is appreciated.

BC AdBot (Login to Remove)

 


m

#2 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 02 October 2008 - 10:30 PM

Try this scan for starters:

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 06 October 2008 - 08:23 PM

Thanks for the assistance. See log below. The PayPal site issues are still occuring.

================================

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\baidu\bar (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Program Files\baidu\bar\BDBar_tmp (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Program Files\baidu\bar\BDBar_tmp\img (Adware.Cinmus) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log\2008 Jul 27 - 06_54_31 PM_421.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log\2008 Jul 27 - 10_26_36 AM_304.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log\2008 Jul 27 - 12_11_23 PM_531.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log\2008 Jul 28 - 03_00_00 AM_234.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log\2008 Jul 29 - 03_00_00 AM_266.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Log\2008 Jul 29 - 06_58_04 PM_015.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
C:\Program Files\baidu\bar\BDBar_tmp\baidubar.dat (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Program Files\baidu\bar\BDBar_tmp\img\imglist.bmp (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Program Files\baidu\bar\BDBar_tmp\img\logo.bmp (Adware.Cinmus) -> Quarantined and deleted successfully.
C:\Documents and Settings\ADMIN\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 06 October 2008 - 08:46 PM

Reboot your computer, run the full scan and post a new log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 08 October 2008 - 12:08 AM

Here it is....still having same issues.

==============
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

10/8/2008 12:04:42 AM
mbam-log-2008-10-08 (00-04-42).txt

Scan type: Quick Scan
Objects scanned: 64024
Time elapsed: 6 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 08 October 2008 - 12:09 AM

Oops, I just noticed you said run a FULL scan. I'll run that and post the logs shortly. Thanks.

#7 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 08 October 2008 - 08:36 AM

Here is the full scan log.

========
Malwarebytes' Anti-Malware 1.28
Database version: 1134
Windows 5.1.2600 Service Pack 3

10/8/2008 8:31:25 AM
mbam-log-2008-10-08 (08-31-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 234942
Time elapsed: 1 hour(s), 21 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 08 October 2008 - 04:07 PM

Are you still having problems?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#9 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 08 October 2008 - 08:44 PM

Yes, same problem with the hijack page on PayPal.

See screenshot attached. Posted Image

#10 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 08 October 2008 - 08:46 PM

Download HostsXpert - Hosts File Manager
  • Extract (unzip) HostsXpert.zip to a a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to start the program.
  • When the program opens, click the "Restore MS Hosts File" button in the left pane.
  • Click "Make Hosts Writable?" (if available).
  • Click "Restore Microsoft's Hosts file" when prompted and then click "OK".
  • Exit Hoster when done.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#11 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 09 October 2008 - 09:34 PM

I did check my host file previously but I tried this software anyway. I am still getting the same hijack page.

Any other recommendations?

Thanks for the assistance so far.

#12 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,571 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:12 PM

Posted 09 October 2008 - 09:37 PM

Try this scan:

http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#13 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 11 October 2008 - 12:15 AM

I tried SDFIX but have the same hijack page on PayPal and other sites like Ebay.

#14 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 17 October 2008 - 11:24 PM

Hello,

Does anyone have any ideas on how to remedy this issue?

#15 browncom

browncom
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:12 PM

Posted 26 October 2008 - 04:03 PM

BUMP..

Hello,

Does anyone have any ideas on how to remedy this issue?






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users