
Started with eBay Phishing screen, but it's worse...


9 replies to this topic

#1 bcgator

bcgator

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 21 January 2016 - 02:51 PM

Hi all, first-time poster, hoping for some guidance and help.

 

I thought I'd seen every eBay phishing tactic invented, but yesterday I started getting a "you are locked out" screen directly from eBay's home page. Right from www.ebay.com I'd get the screen telling me I'm locked out and asking for SSN, email, etc. I knew it wasn't right so I didn't fill it in. But I started hunting to see why it was happening.

 

Found the following two entries in Task Manager:

 

RSA1017109707.dll

Backup1017109707.exe

 

I didn't write down the full paths, but one of them was in a folder titled "Crypto".  I unchecked them, did a reboot and from there started getting blue screen crashes repeatedly.   The eBay lockout screen became permanent - couldn't log in to eBay through any browser.

 

Tried all of the following:

- Malwarebytes, wouldn't even install, nothing happens upon executing file

- Microsoft Security Essentials, wouldn't install either

- Trojan Hunter installed but found nothing

- Spyhunter 4.0 installed but found only a bunch of adware cookies, nothing that seems deadly

- Adwcleaner wouldn't install

- nothing from Kaspersky will install, the root kit cleaner, virus cleaner, can't even create the safety boot disc

- Microsoft Defender does run, but finds nothing

- Roguekiller won't install

 

Did a System Restore, first back to 1/19/16 which removed the above .dll and .exe entries from Task Manager permanently.   But blue screens won't stop, still can't log into eBay.

 

Did another System Restore, back to 1/13/16, still can't log into eBay, still can't install any additional Malware removal tools, still can't install Malwarebytes.  Inability to install anything tells me that I'm still infected, but I don't know what to try next.  Really thought a System Restore would have cured it.

 

What's odd is that I know I saw the Crypto folder name in the file path of the above .dll, but there has been no ransom, and none of the extensions on my files have been altered.  

 

What's the next step, if I know something isn't right, but can't install any helpful tools, and the ones I do install find nothing? I'm getting emotionally prepared for reformat, but that's last resort. Thanks in advance!


Edited by bcgator, 21 January 2016 - 03:09 PM.




#2 bcgator

bcgator
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 21 January 2016 - 06:39 PM

Never mind folks, I'm reformatting. Can't keep the computer up - blue screens are killing me. Impossible to diagnose anything when you're constantly rebooting and starting over. I got a screen capture of the eBay phishing screen that started this disaster - if there's a way to attach it I'd be glad to post it for everyone. I know that phishing scams are a dime a dozen, but this one is different - it actually replaces eBay's home page, and is triggered directly from eBay's home page, and it almost seems like it punished me for not putting in my SSN. That's when the blue screen happens, right after you close out the phishing window. Just vicious.



#3 bcgator

bcgator
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 21 January 2016 - 07:33 PM

Follow-up, upon reboot, but before reformat, decided to go into the registry to try and see if I could locate any references to "crypto".  As soon as I hit "find", blue screen.  Maybe coincidence, but I swear it seems like the virus knows when I'm trying to find it or eliminate it.  



#4 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:10:24 AM

Posted 21 January 2016 - 10:34 PM

If you decide not to reformat I can offer some assistance


they call me te java mayster


#5 bcgator

bcgator
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 21 January 2016 - 10:42 PM

Thanks for the response, Dude.  I am reformatting now, but for the sake of learning something from this what would have been the course of action?  Or, what tool may have worked that I might have overlooked?



#6 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  •  
  • Gender:Male
  • Location:in a basement
  • Local time:10:24 AM

Posted 21 January 2016 - 11:59 PM

Well, first of all we would try to run the scanners in safe mode and see what they found, then we would try to remove the folder crypto and take course from there. As this can go either way, I would have to let you experience with my instructions to help take course of action. Hope all goes well with the reformat.


Edited by awesomecooldude101, 22 January 2016 - 12:00 AM.

they call me te java mayster


#7 bcgator

bcgator
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 22 January 2016 - 12:12 AM

I didn't mention it in my first post, but I did most, if not all, of the scans (or attempted malware removal tool installations) in Safe Mode.   The crypto folder was removed during the System Restore.  I don't know if any registry entries were left, though, as I couldn't search the registry without getting the blue screen.



#8 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:10:24 AM

Posted 22 January 2016 - 12:23 AM

Ahhh OK then, well since I'm just a member I would have had to direct you to the Trojan, virus, spyware removal part of the forum so the more experienced malware removers would have you run FRST and post a log and then diagnose from there.


Edited by awesomecooldude101, 22 January 2016 - 12:24 AM.

they call me te java mayster


#9 bcgator

bcgator
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:05:54 PM

Posted 22 January 2016 - 12:49 AM

I appreciate the help and input, I'm trying to learn as much as I can from this episode in case it happens again.  I've dealt with viruses and malware before, but this one just kicked my butt.  Thank you again for the help, I'm going to google FRST so I'm familiar with it for future knowledge.



#10 PuReinSAniTY

PuReinSAniTY

  • Members
  • 432 posts
  • OFFLINE
  • Gender:Male
  • Location:in a basement
  • Local time:10:24 AM

Posted 22 January 2016 - 12:59 AM

You're welcome


they call me te java mayster




