Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ebay is asking for personal info; such as: S.S. number, Credit cards, ATM pins...


  • Please log in to reply
14 replies to this topic

#1 1684zach

1684zach

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 22 January 2010 - 03:49 PM

I use Firefox for most things; but have IE and Safari. I can log on ebay with Safari, but not the others. After I log in I get sent to a page asking for all my credit cards, ATM, PINs, Social Security and name and address. This will often cause Firefox to crash when I get sent to this page. The whole computer began to run VERY slow after the first time I was sent to this webpage. Any Ideas?? Thanks, -Zach

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 22 January 2010 - 04:23 PM

It's possible that you have an infected Master Boot Record so lets check it to be sure.

Please download mbr.exe and save it to your desktop <- (Important!).
  • Double-click on mbr.exe and allow the mbr.sys driver to load if asked.
  • A black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created and saved on your desktop.
  • Copy and paste the results of the mbr.log in your next reply.
Please download SystemScan and save it to your desktop.
  • Be aware that the file name will be randomly generated (i.e. sys95769.exe) to deceive malware which may attempt to disabled it.
  • If any installed security tools (anti-virus) detects the file as malware or suspicious while downloading or attempting to run, ignore the alert.
  • Double-click on sys*****.exe to start the tool.
  • A read before proceeding disclaimer will appear.
  • Uncheck <- Unflag the checkbox to disable updates! next to the version number at the top.
  • After reading, check the box I have read and agree. Please let me...proceed!, then click the Proceed button.
  • When SystemScan opens, click the "Unselect all" button.
  • Important: Under "Make your choice and than click...", check the boxes next to:
    • PC accounts
  • Everything else should be unchecked.
  • Click "Scan Now".
  • Another warning box will appear. Please follow the instructions and click Ok.
  • Please be patient while the scan is in progress.
  • Systemscan will scan your computer and create a folder named suspectfile on the Desktop to save its report.
  • When the scan is complete, Notepad will automatically open a log file named report.txt with the results.
  • Copy and paste the contents of report.txt in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 1684zach

1684zach
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 24 January 2010 - 12:30 AM

I know this is terrible, but I am not sure how to get them to save on my desktop? I am trying to figure this out now. If you know how, and can direct me; that would be greatly appreciated. Thanks, -Zach

#4 1684zach

1684zach
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 24 January 2010 - 12:45 AM

Ok, I figured out how to save to my desktop using IE instead of Firefox. But, I can't get the "Systemscan" to run. I have it downloaded and saved t my desktop, but when I try to run it, it doesn't do anything.

Here are the MBR results:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86d0b308
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> 0x85f58330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.




Thanks, -Zach

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 24 January 2010 - 08:28 AM

First, open Windows Explorer and rename the C:\mbr.log to C:\mbrold.txt <- if the extension does not show, you need to Reconfigure Windows to show hidden file extensions for known file types.

Make sure mbr.exe is placed in the root directory, usually C:\ <- (Important!).
Then go to Posted Image > Run..., and in the Open dialog box, type: cmd
press Ok.
The command prompt needs to be at the root directory (C:\>_). To do that, type: cd \
press Enter.
At the command prompt C:\>_, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

A new report will be created at C:\mbr.log. Please copy and paste the results in your next reply.

-- If you're not sure how to use the command prompt, please refer to this guide: Introduction to the Command Prompt
-- Vista users can refer to these instructions to open a command prompt
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 1684zach

1684zach
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 24 January 2010 - 10:53 AM

Here ar the results of the new location for the C:<mbr.exe


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x86e6c450
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> 0x85fda330
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !


Hopefully I am doing all this correctly?
Thanks, -Zach

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 24 January 2010 - 01:18 PM

Your log indicates: original MBR restored successfully !...that's a good sign.

Now we need to confirm the results.
Restart the computer <- Important! (otherwise the next report may falsely show the infection as still present)
Then run mbr.exe the same way you did the first time.
It will create a new mbr.log.
Copy and paste the results in your next reply.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 1684zach

1684zach
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 24 January 2010 - 04:29 PM

Here are the latest mbr.exe log results:




Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !


Thanks, -Zach

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 24 January 2010 - 04:38 PM

How is your computer running now?
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#10 1684zach

1684zach
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 24 January 2010 - 04:55 PM

Much better!! I just checked to see if I can log on to my ebay account (last time I tried was when everything went downhill and messed up), Works great now! Thank you very much! -Zach

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 24 January 2010 - 06:56 PM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read:Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Other related reading sources:• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#12 Pi4

Pi4

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 16 February 2010 - 12:32 AM

I get the same results with mbr.exe but I am afraid of the "malicious code"
Is this message OK?
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950A600
malicious code @ sector 0x0950A603 !
PE file found in sector at 0x0950A619 !



What does this mean?

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 16 February 2010 - 08:07 AM

Welcome to BC Pi4

If the log results say both say both the user & kernel MBR are OK, its not considered an active MBR infection even if it indicates detected hooks/malicious code. If the output showed the following...then you would need to be concerned about an infection.

MBR rootkit code detected !
MBR rootkit infection detected !
Use: "mbr.exe -f" to fix.,

The presence of malicious code and a PE file in sectors indicates that there was an infection but it has been cleaned and the MBR has been restored successfully. Mebroot overwrites the MBR of the hard disk and uses rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies several sectors to include sector 0 (MBR). According to gmer, fixmbr restores only sector 0 (MBR). As such, mbr.exe will always show all sectors that were related to Mebroot even after the infection is removed. These leftovers cannot be restored without knowing what information actually belonged there and probably would require a disk editor to fix.

If you have further issues or problems you would like to discuss, please start your own topic. Doing that will help to avoid the confusion that often occurs when trying to help two or more members at the same time in the same thread. Even if your problem is similar to the original poster's problem, the solution could be different based on the kind of hardware, software, system requirements, etc. you are using and the presence of other malware. Further, posting for assistance in someone else's topic is not considered proper forum etiquette.

Thanks for your cooperation.
The BC Staff
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 Pi4

Pi4

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:07:42 PM

Posted 16 February 2010 - 12:38 PM

Thanks for your fast reply. I posted here because I am getting exactly the same output from mbr.exe as the person who started the topic. I am sorry if I offended anybody and I apologize.

#15 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,964 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:42 PM

Posted 16 February 2010 - 01:04 PM

No offense taken. You are new here so I'm just trying to help you get accustom to how things work in order to get yourself individual assistance when its needed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users