Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

EBay sign in being redirected/ Moved


  • This topic is locked This topic is locked
6 replies to this topic

#1 brad c

brad c

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 28 March 2009 - 09:41 PM

Help

When logging into Ebay I am being redirected to a page that is asking for all kind of personal information. I am not using a phishing link from some email.


The link that I am being redirected to is

<hxxps://signin.ebay.com/ws/eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1>


My AV does not detect a problem Norton Corporate 10.1


Tried running Malwaredbytes and DrWeb CureIt but have not had any luck getting this resolved


Here’s the output of DrWeb

try[1].php;C:\Documents and Settings\Brad\Local Settings\Temporary Internet Files\Content.IE5\O7USD2G4;Trojan.Packed.2355;Incurable.Moved.;
Dc400.tmp;C:\RECYCLER\S-1-5-21-1343024091-813497703-839522115-1003;Trojan.Packed.2355;Incurable.Moved.;
A0213790.exe;C:\System Volume Information\_restore{FCE95526-9FCF-4635-B68C-0F83F894A3DA}\RP1665;Program.mIRC.616;Incurable.Deleted.;
try[1].php;K:\Data\Brad\Local Settings\Temporary Internet Files\Content.IE5\O7USD2G4;Trojan.Packed.2355;Incurable.Moved.;



Not sure here to go from here and desperately looking for some advice


Thanks
brad


Edited by Orange Blossom, 11 February 2013 - 12:40 AM.
Deactivate link. ~ OB


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:50 PM

Posted 28 March 2009 - 10:08 PM

Hello brad c and welcome to BC :thumbsup:

As the above entries are from a Dr. Web Cureit log. I am shifting this topic from the specialized HiJack This forum to the Am I Infected forum.

PLEASE DO NOT NOW POST LOGS unless a log is specifically requested.

As for the link you posted, I just now logged into ebay myself, and I see the same redirection link. In my case, that redirection is blocked because I use NoScript with Firefox.

That said, I don't know what the contents of the Dr. Web log means. Someone with more knowledge than I will have to address that.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:50 PM

Posted 28 March 2009 - 11:28 PM

Let's do a few things...

Let's flush system restore. We can fall back on this point if needed.

Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Next: Please update and rerun Malwarebytes posting its fresh log.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#4 brad c

brad c
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 29 March 2009 - 02:07 AM

Cleaned up restore points and ran full scan with up to date definitions for Malwarebytes

Log File

Malwarebytes' Anti-Malware 1.35
Database version: 1913
Windows 5.1.2600 Service Pack 3

3/29/2009 2:00:24 AM
mbam-log-2009-03-29 (02-00-24).txt

Scan type: Full Scan (C:\|F:\|K:\|)
Objects scanned: 262937
Time elapsed: 1 hour(s), 50 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




When attempting to sign into ebay I'm redirected to

https://signin.ebay.com/ws/eBayISAPI.dll?Si...amp;_trksid=m37


I tried using Chrome browser and it works correctly


Scary Stuff

#5 brad c

brad c
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:50 AM

Posted 29 March 2009 - 01:37 PM

Today I took a look at the MBR and did find an issue here

I used a utlitilty that can be found mbr.exe

http://www2.gmer.net/mbr/mbr.exe

output
C:\Temp>mbr.exe
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0xdf8f900 size 0x1c2 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.



I then ran mbr.exe -f and the out put was


C:\Temp>mbr.exe -f
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
malicious code @ sector 0xdf8f900 size 0x1c2 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

C:\Temp>mbr
Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK



I reboot but am still having an issues with Ebay

#6 rigel

rigel

    FD-BC


  • BC Advisor
  • 12,944 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:South Carolina - USA
  • Local time:12:50 PM

Posted 29 March 2009 - 02:58 PM

This is a very nasty infection. From the information given, we need to transfer you to the HJT forum.

Please follow this guide from step (6). Post a HJT log to the HJT forum and a Team member will be along to help you as soon as possible. You may wish to post a link back to this topic to see what was discussed thus far.

If you need any help with the guide, please let me know. Best wishes - you are in good hands...

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith


#7 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,807 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:12:50 PM

Posted 29 March 2009 - 04:45 PM

Hello brad c,

Now that you have a log posted here: http://www.bleepingcomputer.com/forums/t/215066/ebay-being-redirected-at-sign-in/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users