
Craigslist auto posting bot using my IP and got into gmail chat



#1 kranklebird

Posted 23 November 2013 - 07:30 PM

Three days ago I woke up after falling asleep with the computer on, and the ("ungetriddable") built-in Web Developer console was wide open and I was sitting there watching Craigslist ad posts go up at a rate of about 2-4 per minute. Within the dialogue in the console my Gmail chat username was noted! (Although there were no posts being created under my Craigslist username, so my account never got any attention.) It seemed like it was using Gmail chat and probably my IP address?

 

It was pretty hilarious watching this on the screen!   

 

I tried to post a screenshot here but don't seem to know how; I might be able to upload them to a hosting site if you need them.

 

So I did some research and here are the steps I took:

1)  Changed my password

2)  Typed in about:config and changed all items related to the Firefox Web Dev tool to false. They've remained that way since.

 

However, when I log into my Craigslist account, it still appears there is something left over, because I land at a https://post.craigslist.org/etc... white Craigslist page that says "Page Not Found - There is Nothing here - No web page for this address - 404 Error" instead of the "my account" page. Yet when I then simply click a "my account" bookmark on the toolbar, I AM logged in and at the "my account" page. So some program appears to still be controlling the browser, or left a redirect behind, or something.

 

Today I noticed the Microsoft "CustomDestinations" folder appearing suddenly live in the "My Recent Places" folder, and it has about 10 files in it with long randomly generated (capital letters...like encrypted) descriptions.

 

In addition, in Firefox, AdwCleaner is not able to get rid of:

C:\Users\Miguel\AppData\Roaming\Mozilla\Firefox\Profiles\hkge4f7.default\prefs.js

 

(The Windows all-in-one repair tool apparently didn't take it out either. I had this tool from a month ago when you guys saved my computer; thanks again.)

(I also ran Junkware Removal Tool 2 days ago and I think it found a couple things, which I'll post below if I can find the text doc it created.)

 

Lastly, when I'm in Gmail, there are certain emails that I keep in labels beneath the inbox (which is kind of like folders in other email programs), except the past two days, at times when I go to reference them, sometimes they are not there!! Could this be related to the CL posting bot? I kind of doubt it but am unsure, because what it's doing is odd. I think it might be that the Gmail label functions are tricky. In addition, if I delete an email in "Drafts", maybe a replica of it is disappearing in the respective label (folder)? I'm going to post in a Gmail forum for some guidance, but thought I should post here too in case it's related to a virus, since I know whatever got into the machine cracked my password.

 

So here's the text doc from AdwCleaner which I just ran.

 

# AdwCleaner v3.012 - Report created 23/11/2013 at 17:38:58
# Updated 11/11/2013 by Xplode
# Operating System : Windows 7 Starter Service Pack 1 (32 bits)
# Username : Miguel - MIGUEL-PC
# Running from : C:\Users\Miguel\Downloads\AdwCleaner.exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v10.0.9200.16736
 
 
-\\ Mozilla Firefox v25.0 (en-US)
 
[ File : C:\Users\Miguel\AppData\Roaming\Mozilla\Firefox\Profiles\hkge4f7y.default\prefs.js ]
 
 
-\\ Google Chrome v31.0.1650.57
 
[ File : C:\Users\Miguel\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [2019 octets] - [30/09/2013 10:03:35]
AdwCleaner[R1].txt - [866 octets] - [01/10/2013 03:04:14]
AdwCleaner[R2].txt - [984 octets] - [01/10/2013 11:52:43]
AdwCleaner[R3].txt - [1196 octets] - [27/10/2013 12:18:05]
AdwCleaner[R4].txt - [1769 octets] - [22/11/2013 08:49:21]
AdwCleaner[R5].txt - [1496 octets] - [23/11/2013 15:18:29]
AdwCleaner[R6].txt - [1616 octets] - [23/11/2013 15:27:52]
AdwCleaner[R7].txt - [1177 octets] - [23/11/2013 17:38:58]
AdwCleaner[S0].txt - [2116 octets] - [30/09/2013 10:06:39]
AdwCleaner[S1].txt - [926 octets] - [01/10/2013 03:08:58]
AdwCleaner[S2].txt - [1044 octets] - [01/10/2013 11:55:11]
AdwCleaner[S3].txt - [1266 octets] - [27/10/2013 12:22:58]
AdwCleaner[S4].txt - [1869 octets] - [22/11/2013 08:53:01]
AdwCleaner[S5].txt - [1557 octets] - [23/11/2013 15:21:38]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R7].txt - [1596 octets] ##########
#2 kranklebird

Posted 23 November 2013 - 07:31 PM

Here's the JRT text content:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 7 Starter x86
Ran by Miguel on Thu 11/21/2013 at 10:10:46.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\backupstack_rasapi32
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\backupstack_rasmancs
 
 
 
~~~ Files
 
Successfully deleted: [File] C:\windows\System32\Tasks\launchapp
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\apn"
 
 
 
~~~ FireFox
 
Successfully deleted the following from C:\Users\Miguel\AppData\Roaming\mozilla\firefox\profiles\hkge4f7y.default\prefs.js
 
user_pref("samfind.social.notused", "100zakladok,2linkme,2tag,7live7,a1webmarks,addio,adifni,aero,allmyfaves,allvoices,amazon,aollifestream,aolmail,arto,aviary,baang,baidu,bal
Emptied folder: C:\Users\Miguel\AppData\Roaming\mozilla\firefox\profiles\hkge4f7y.default\minidumps [3 files]
 
 
 
~~~ Chrome
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Google [Blacklisted Policy]
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/21/2013 at 10:17:32.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#3 kranklebird

Posted 23 November 2013 - 07:35 PM

Here's a SpyBot Search & Destroy log from just now:

 

Search results from Spybot - Search & Destroy
 
11/23/2013 7:33:51 PM
Scan took 01:24:55.
16 items found.
 
Statcounter: [SBI $8E73A7FB] Tracking cookie (Firefox: Miguel (default)) (Browser: Cookie, nothing done)
  
 
Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
 
Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
  HKEY_USERS\PE_C_DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
 
Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-1534654107-1975338722-3026849631-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
 
Internet Explorer: [SBI $0BC7B918] User agent (Registry Change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
 
MS Management Console: [SBI $ECD50EAD] Recent command list (Registry Key, nothing done)
  HKEY_USERS\PE_C_DEFAULT\Software\Microsoft\Microsoft Management Console\Recent File List
 
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
 
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\PE_C_DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication\Name
 
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-21-1534654107-1975338722-3026849631-1000\Software\Microsoft\Direct3D\MostRecentApplication\Name
 
MS Direct3D: [SBI $C2A44980] Most recent application (Registry Change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Direct3D\MostRecentApplication\Name
 
Windows.OpenWith: [SBI $63036C95] Open with list - .CAB extension (Registry Key, nothing done)
  HKEY_USERS\PE_C_DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CAB\OpenWithList
 
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
  HKEY_USERS\PE_C_DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
 
Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry Key, nothing done)
  HKEY_USERS\S-1-5-21-1534654107-1975338722-3026849631-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
 
Cache: [SBI $49804B54] Browser: Cache (2) (Browser: Cache, nothing done)
  
 
History: [SBI $49804B54] Browser: History (2) (Browser: History, nothing done)
  
 
Cookie: [SBI $49804B54] Browser: Cookie (51) (Browser: Cookie, nothing done)
  
 
 
--- Spybot - Search & Destroy version: 2.1.18.131  DLL (build: 20130516) ---
 
2013-05-16 blindman.exe (2.1.18.151)
2013-05-16 explorer.exe (2.1.18.177)
2013-05-16 SDBootCD.exe (2.1.18.109)
2013-05-16 SDCleaner.exe (2.1.18.110)
2013-05-16 SDDelFile.exe (2.1.18.94)
2013-06-18 SDDisableProxy.exe
2013-05-16 SDFiles.exe (2.1.18.135)
2013-03-20 SDFileScanHelper.exe (2.1.16.1)
2013-05-16 SDFSSvc.exe (2.1.18.208)
2013-05-16 SDHookHelper.exe (2.1.18.2)
2013-05-16 SDHookInst32.exe (2.1.18.2)
2013-05-16 SDImmunize.exe (2.1.18.130)
2013-05-16 SDLogReport.exe (2.1.18.107)
2013-05-16 SDOnAccess.exe (2.1.18.4)
2013-05-16 SDPESetup.exe (2.1.18.3)
2013-05-16 SDPEStart.exe (2.1.18.86)
2013-05-16 SDPhoneScan.exe (2.1.18.28)
2013-05-16 SDPRE.exe (2.1.18.22)
2013-05-16 SDPrepPos.exe (2.1.18.10)
2013-05-16 SDQuarantine.exe (2.1.18.103)
2013-05-16 SDRootAlyzer.exe (2.1.18.116)
2013-05-16 SDSBIEdit.exe (2.1.18.39)
2013-05-16 SDScan.exe (2.1.18.177)
2013-05-16 SDScript.exe (2.1.18.53)
2013-05-16 SDSettings.exe (2.1.18.136)
2013-05-16 SDShell.exe (2.1.18.2)
2013-05-16 SDShred.exe (2.1.18.107)
2013-05-16 SDSysRepair.exe (2.1.18.101)
2013-05-16 SDTools.exe (2.1.18.150)
2013-07-25 SDTray.exe (2.1.21.129)
2013-05-16 SDUpdate.exe (2.1.18.91)
2013-05-16 SDUpdSvc.exe (2.1.18.76)
2013-07-10 SDWelcome.exe (2.1.21.129)
2013-05-15 SDWSCSvc.exe (2.1.18.2)
2013-06-19 spybotsd2-translation-frx.exe
2013-11-23 unins000.exe (51.1052.0.0)
1999-12-02 xcacls.exe
2012-08-23 borlndmm.dll (10.0.2288.42451)
2012-09-05 DelZip190.dll (1.9.0.107)
2012-09-10 libeay32.dll (1.0.0.4)
2012-09-10 libssl32.dll (1.0.0.4)
2013-05-16 SDAdvancedCheckLibrary.dll (2.1.18.98)
2013-05-16 SDAV.dll
2013-05-16 SDECon32.dll (2.1.18.113)
2013-04-05 SDEvents.dll (2.1.16.2)
2013-05-16 SDFileScanLibrary.dll (2.1.18.12)
2013-05-16 SDHook32.dll (2.1.18.2)
2013-05-16 SDImmunizeLibrary.dll (2.1.18.2)
2013-05-16 SDLicense.dll (2.1.18.0)
2013-05-16 SDLists.dll (2.1.18.4)
2013-05-16 SDResources.dll (2.1.18.7)
2013-05-16 SDScanLibrary.dll (2.1.18.131)
2013-05-16 SDTasks.dll (2.1.18.15)
2013-05-16 SDWinLogon.dll (2.1.18.0)
2012-08-23 sqlite3.dll
2012-09-10 ssleay32.dll (1.0.0.4)
2013-05-16 Tools.dll (2.1.18.36)
2013-11-12 Includes\Adware.sbi (*)
2013-11-19 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2012-11-14 Includes\Dialer.sbi (*)
2012-11-14 Includes\DialerC.sbi (*)
2012-11-14 Includes\HeavyDuty.sbi (*)
2012-11-14 Includes\Hijackers.sbi (*)
2012-11-14 Includes\HijackersC.sbi (*)
2013-10-16 Includes\iPhone.sbi (*)
2013-06-25 Includes\Keyloggers.sbi (*)
2013-10-29 Includes\KeyloggersC.sbi (*)
2013-05-29 Includes\Malware.sbi (*)
2013-11-19 Includes\MalwareC.sbi (*)
2012-11-14 Includes\PUPS.sbi (*)
2013-11-19 Includes\PUPSC.sbi (*)
2012-11-14 Includes\Security.sbi (*)
2013-10-29 Includes\SecurityC.sbi (*)
2013-05-22 Includes\Spyware.sbi (*)
2013-08-06 Includes\SpywareC.sbi (*)
2011-06-07 Includes\Tracks.sbi (*)
2012-11-19 Includes\Tracks.uti (*)
2013-01-16 Includes\Trojans.sbi (*)
2013-05-13 Includes\TrojansC-02.sbi (*)
2013-11-19 Includes\TrojansC-03.sbi (*)
2013-10-22 Includes\TrojansC-04.sbi (*)
2013-05-08 Includes\TrojansC-05.sbi (*)
2013-08-06 Includes\TrojansC.sbi (*)


#4 cryptodan

Posted 23 November 2013 - 07:56 PM

Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



#5 kranklebird

Posted 24 November 2013 - 05:07 AM

It didn't find anything:

 

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2013.11.24.02
 
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 10.0.9200.16736
Miguel :: MIGUEL-PC [administrator]
 
11/24/2013 2:10:56 AM
mbam-log-2013-11-24 (02-10-56).txt
 
Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 299395
Time elapsed: 2 hour(s), 54 minute(s), 56 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)


#6 kranklebird

Posted 25 November 2013 - 12:52 AM

Is there another program I should run then?



#7 cryptodan

Posted 25 November 2013 - 05:42 AM

Please download TDSSKiller exe version to your desktop.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users: right-click and select Run As Administrator.
  • Click on Change Parameters and click Detect TDLFS File System.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not an option, Skip instead; do not choose Delete unless instructed.
  • A TDSSKiller text file would be saved in Local Disk C.
  • Copy and paste the contents of that file in your next reply.



#8 kranklebird

Posted 26 November 2013 - 04:14 PM

Thank you, but TDSSKiller didn't find anything.  (There's no log created with this app.)

 

Do you know which utility app gets rid of:

 

C:\Users\Miguel\AppData\Roaming\Mozilla\Firefox\Profiles\hkge4f7.default\prefs.js

 

Happy Holidays! :)



#9 cryptodan

Posted 26 November 2013 - 07:55 PM

The prefs.js file is a file that is for preferences and other settings.

#10 kranklebird

Posted 27 November 2013 - 09:37 AM

OK, thanks, but why does AdwCleaner see it as the only thing to remove, say it needs to restart for changes to take effect, and then, when I restart and immediately run AdwCleaner, it's still there?



#11 cryptodan

Posted 27 November 2013 - 07:26 PM

Probably because that's how it resets Firefox back to default values, but that file is clean.
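
The question in the two posts above (why AdwCleaner keeps listing prefs.js after a restart) comes down to how Firefox builds that file: prefs.js is rewritten by Firefox itself on exit, and if a user.js exists in the same profile folder its values are re-applied on every startup, so a pref set there comes back no matter how often prefs.js is cleaned. The following is an added example, not code from this thread or from AdwCleaner, JRT or any other tool named in it. It parses the user_pref() lines of a profile's prefs.js and user.js and reports prefs on a hand-picked watch list (devtools.*, network.proxy.*, homepage and search prefs), prefs whose top-level namespace is not one Firefox ships with (the samfind.* entry in the JRT log above is that kind of pref), and anything user.js will force back on the next start. The watch list, the namespace list, the sample prefs.js/user.js text and the 198.51.100.7 proxy address are all constructed for this example.

```python
"""Audit a Firefox profile's prefs.js / user.js for settings worth a second look.

Added example, not from the thread. Point it at the real files with
audit_profile(Path(prefs_js).read_text(), Path(user_js).read_text()).
"""
import re

# Firefox writes preferences as:  user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\);\s*$')

# Pref name prefixes worth reviewing on a machine suspected of browser tampering.
# Hand-picked for this example; not a list supplied by Firefox or any tool.
WATCH_PREFIXES = (
    "devtools.",                # the poster toggled these via about:config
    "network.proxy.",           # traffic redirection through a proxy
    "browser.startup.homepage",
    "browser.search.",
    "keyword.URL",
    "extensions.",
    "security.",
)

# Top-level namespaces that ship with Firefox (partial list, an assumption of
# this example). A pref outside it came from an add-on or a third party.
FIREFOX_NAMESPACES = {
    "accessibility", "app", "browser", "datareporting", "devtools", "dom",
    "extensions", "font", "general", "gfx", "idle", "image", "intl",
    "javascript", "keyword", "layout", "lightweightThemes", "media", "network",
    "pdfjs", "places", "plugin", "print", "privacy", "security", "services",
    "signon", "social", "spellchecker", "storage", "toolkit", "ui", "xpinstall",
}

_ESCAPES = {'\\"': '"', "\\\\": "\\", "\\n": "\n", "\\t": "\t", "\\r": "\r"}


def decode_value(raw):
    """Turn the JS literal on the right of the comma into a Python value."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        body = raw[1:-1]
        return re.sub(r"\\.", lambda m: _ESCAPES.get(m.group(0), m.group(0)[1]), body)
    try:
        return int(raw)
    except ValueError:
        return raw  # anything unexpected stays as text rather than being guessed


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = decode_value(m.group(2).strip())
    return prefs


def audit_profile(prefs_js, user_js=""):
    """Return findings as (name, value, source, reason) tuples.

    source is "user.js" when the pref is also set in user.js: Firefox re-applies
    user.js at every startup, so such a value reappears in prefs.js however
    often prefs.js itself is cleaned.
    """
    current = parse_prefs(prefs_js)
    forced = parse_prefs(user_js)
    findings = []
    for name, value in sorted(current.items()):
        source = "user.js" if name in forced else "prefs.js"
        namespace = name.split(".", 1)[0]
        if namespace not in FIREFOX_NAMESPACES:
            findings.append((name, value, source, "third-party namespace"))
        elif any(name.startswith(p) for p in WATCH_PREFIXES):
            findings.append((name, value, source, "watch list"))
    for name, value in sorted(forced.items()):
        if name not in current:
            findings.append((name, value, "user.js", "applied on next startup"))
    return findings


# Constructed sample input standing in for a profile's prefs.js and user.js.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "https://www.example.com/");
user_pref("browser.tabs.warnOnClose", false);
user_pref("devtools.toolbox.selectedTool", "webconsole");
user_pref("devtools.webconsole.filter.network", false);
user_pref("network.proxy.http", "198.51.100.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
user_pref("samfind.social.notused", "100zakladok,2linkme,2tag");
user_pref("signon.rememberSignons", false);
"""
SAMPLE_USER_JS = """\
user_pref("network.proxy.http", "198.51.100.7");
user_pref("network.proxy.http_port", 8080);
user_pref("network.proxy.type", 1);
user_pref("samfind.social.notused", "100zakladok,2linkme,2tag");
user_pref("browser.search.defaultenginename", "Not Google");
"""

if __name__ == "__main__":
    for name, value, source, reason in audit_profile(SAMPLE_PREFS_JS, SAMPLE_USER_JS):
        print(f"{reason:24} {source:9} {name} = {value!r}")
```

On the sample input the proxy and samfind prefs are reported with source user.js, which is the case where deleting lines from prefs.js does nothing lasting; the devtools prefs show up as plain prefs.js entries, which Firefox will keep as the poster set them. A real audit would read both files from the profile folder (the AdwCleaner log above gives the path) and should also list the extensions and any lock/autoconfig files in the Firefox install directory, which this example does not cover.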

#12 kranklebird

Posted 27 November 2013 - 11:58 PM

OK, thank you then.

 

Am I finished or should I run other stuff?



#13 cryptodan

Posted 28 November 2013 - 06:35 AM

I would consider your PC as cleaned and just watch it for the next couple of days.

#14 kranklebird

Posted 02 December 2013 - 09:34 AM

OK, thank you. When I log into Craigslist through a different browser than Firefox, I don't land at the strange "landing page" described initially. Instead I arrive at my account page, which is how it's supposed to happen. So in Firefox there's still something left over from the virus.



#15 kranklebird

Posted 05 December 2013 - 09:46 PM

Could someone look at this when you get a chance?
