Possible virus from Ebay?


10 replies to this topic

#1 Phoe

Phoe

  • Members
  • 22 posts
  • Gender:Not Telling
  • Local time:08:05 PM

Posted 07 January 2018 - 10:18 AM

In December had a buyer make a purchase but after a few days of "pending" payment from PayPal, I wondered about the payment so I contacted PayPal.  They stated there was no payment pending.  Buyer contacts me and asked that I accept his payment.  To make a long story short, when he went to make payment, he said he got some type of error....and it resulted in payment going to a different email. 

 

Today I went to check on the auction (see if he cancelled it) and status was unchanged so I went to another window.  When I returned to the Ebay page, it said my Flash player was out of date.  I closed the webpage then went to my Control Panel where I clicked on Flash and update.  Lo and Behold, my flash player is current. 

 

I go back to Ebay and while I'm trying to figure out what to do, the page closes.  When I open another page, I go to Selling, the Sold and notice the URL is no longer https but http and the page mentions something about beta.  I wonder if I had gotten infected then recalled a few days ago I had gotten some warning about porn on my system and being reported, yada yada.  Dang page didn't want to shut down so had to use Alt, Ctrl, Del.  Maybe the two are connected, I don't know.  Then after this deal with Ebay, get the porn thing again. 

 

After closing, I decided to restore my system to before the auction then came here to make sure my system is not infected and maybe find out where the infection came from if it is.

 

I have Win 7, IE11, and Chrome Version 63.0.3239.84 (Official Build) (64-bit) and use both CCleaner and Malwarebytes Anti-Malware on a regular basis.  Also I use Sandboxie.

 

I am not one to download stuff but do play some online games (Travian, FOE, Wartune, etc)

 

I would greatly appreciate someone helping me with this system so I don't have that question mark in the back of my mind whenever I'm online.

 

Thanks.




#2 garioch7

garioch7

    RCMP Veteran


  • Malware Response Instructor
  • 3,893 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada
  • Local time:09:05 PM

Posted 07 January 2018 - 12:59 PM

Phoe:
 
:welcome: to the Bleeping Computer Am I infected? What do I do? Forum.  My name is Phil.  Since you have restored your computer back to a point in time before you were aware of any infections, let's run some standard scans to make sure that there is nothing nefarious lurking in your computer.
 
.
 
:step1: ESET Online Scanner using Internet Explorer:

Note: You will need to disable your currently installed Anti-Virus, how to do so can be found here.

  • Download esetsmartinstaller_enu.exe and save it to your Desktop.
  • Double click the icon.
  • Check YES, I accept the Terms of Use.
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Then select: "Enable detection of potentially unwanted applications" - Yes.
  • Click Advanced settings.
  • Check the following items.

Enable detection of potentially unwanted applications
Remove found threats
Scan archives
Scan for potentially unsafe applications
Enable Anti-Stealth technology

  • Click Change next to Current scan targets:
  • Place a check mark in any additional drive you wish to scan then click OK.
  • Click Start.
  • ESET will then download updates and begin scanning your computer.
  • If no threats are found simply click Uninstall application on close and hit Finish.
  • If threats are found click List of found threats.
  • Click Export to text file.
  • Save the file on your Desktop as ESET.txt.
  • Click Back.
  • Check Uninstall application on close and Delete quarantined files.
  • Click Finish.
  • Close the ESET Online Scanner window.
  • Copy and paste the contents of ESET.txt into your reply, if any threats were detected.

Don't forget to re-enable your antivirus when finished!

.

:step2: Please run a Malwarebytes Anti-Malware scan for me.

  • Please download Malwarebytes to your Desktop.
  • Double-click mb3-setup-{version}.exe and follow the prompts to install the program.
  • Then click Finish.
  • Next, please go to "Settings", "Protection", and turn on "Scan for rootkits", if it is not "On."
  • Ensure that under "Potential Threat Protection", both switches are set to "Always Detect PUPs/PUMs (recommended)."
  • Then scroll to the bottom of that page and ensure that "Automatic Quarantine" is turned "On."
  • Once the program has fully updated, select Scan Now on the Dashboard. Or select the Threat Scan from the Scan menu.
  • If an update of the definitions is available, it will be downloaded and installed before the scan commences.
  • When the scan is complete, make sure that all Threats are selected, and click Remove Selected.
  • Restart your computer when prompted to do so.

The Scan log is available through History ->Application logs. Please copy and paste the contents of the log into your next reply.

.

:step3: Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Vista/Windows 7/8/10 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait for it to complete the update.
  • Click on I Agree button.
  • Click on the Scan button.
  • AdwCleaner will begin its scan ... please be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, then make sure that you uncheck it before running the "Clean" process.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
  • After the scan has finished ...
  • Uncheck any PUP and adware applications that you want to keep.


If you are unsure about one or more of the detected programs, then please copy and paste the scan log, with your questions, and I will provide you with advice about those files.
The Scan logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Do not follow the remaining "Clean" instructions until directed to do so by me, if you have any questions about one or more of the detections.
If you have no questions about any of the detections, then please proceed to the "Clean" steps below.

  • Then click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[C#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Please copy and paste the contents of that logfile into your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

.

Thank you and have a great day.

Regards,
-Phil


Edited by garioch7, 07 January 2018 - 01:00 PM.

Graduate of the Bleeping Computer Malware Removal Study Hall


#3 Phoe

Phoe

Posted 07 January 2018 - 04:02 PM

Hi Phil,

 

Okay, something bad is still here.  I didn't do anything with the last scan as I think I had used ADWCleaner once before and after it cleaned, I couldn't connect to the internet!  So, hopefully, you can check out what they want to delete.

 

MALWAREBYTES:

 

-Log Details-
Scan Date: 1/7/18
Scan Time: 3:13 PM
Log File: 4bb80f28-f3e7-11e7-9e78-902b34342d24.json
Administrator: Yes

-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3645
License: Trial

-System Information-
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: PC-PC\PC

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 274392
Threats Detected: 0
(No malicious items detected)
Threats Quarantined: 0
(No malicious items detected)
Time Elapsed: 2 min, 28 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 0
(No malicious items detected)

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 0
(No malicious items detected)

File: 0
(No malicious items detected)

Physical Sector: 0
(No malicious items detected)

(end)

 

MALWAREBYTES ADWCLEANER:

# AdwCleaner 7.0.6.0 - Logfile created on Sun Jan 07 20:31:21 2018
# Updated on 2017/21/12 by Malwarebytes
# Database: 01-05-2018.1
# Running on Windows 7 Ultimate (X64)
# Mode: scan
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

PUP.Optional.Legacy, SCBackService

***** [ Folders ] *****

No malicious folders found.

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious WMI found.

***** [ Shortcuts ] *****

No malicious shortcuts found.

***** [ Tasks ] *****

No malicious tasks found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Value] - HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | {21FA44EF-376D-4D53-9B0F-8A89D3229068}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{0DEC13F0-5C8C-4147-8329-6CDFAD9755B7}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{0F3DC9E0-C459-4A40-BCF8-747BD9322E10}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{4E8E0178-00EF-413D-9324-E7B3E31572E3}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{5E97F0FA-3B44-4634-A87E-8B0D5CFD6365}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80ED3EBC-CC05-4336-ABCC-295798855718}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{82A5CE4D-AF0C-45B6-8AF8-75625BE6A08D}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{951F5841-FD1E-4F1D-8607-67B174DBD753}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{A1A533A8-E106-422B-AE29-D0025269AF83}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{B1759D04-0EF9-472A-B5C3-C774997B5321}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{B2B7E0CD-E169-43B3-A233-E129610EE314}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{D1CCB0CC-DA45-4797-93D3-DEE7A13F8177}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{DCE24E28-D8EF-49BE-BC01-A1DD3B58FCE3}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{E4F7F1A5-490E-4884-A9E3-CBD6A25749E1}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{FFE66D00-A56A-4F7F-81D7-4A28C5816D6C}

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries.

*************************

C:/AdwCleaner/AdwCleaner[C0].txt - [1134 B] - [2018/1/7 20:26:29]
C:/AdwCleaner/AdwCleaner[S0].txt - [3133 B] - [2018/1/7 20:22:54]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########         
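Added example (not from the thread, and not Malwarebytes' or AdwCleaner's own code): a small Python parser for the AdwCleaner scan-log format quoted above. It walks the `***** [ Section ] *****` blocks, splits each `Family, [Kind] - Target` line, then counts hits per section and per registry hive and collapses the GUIDs, so a reader can see that the 18 registry lines describe far fewer distinct COM objects. The sample log is constructed from the Services and Registry sections of the log in this post; the regular expressions are this example's own assumptions about the format, not AdwCleaner's.

```python
"""Parse an AdwCleaner scan log into structured detections and summarise them."""
import re
from collections import Counter

# Constructed sample: header, Services and Registry sections and footer taken from
# the scan log quoted in the thread, trimmed to the parts that carry detections.
SAMPLE_LOG = r"""
# AdwCleaner 7.0.6.0 - Logfile created on Sun Jan 07 20:31:21 2018
# Mode: scan

***** [ Services ] *****

PUP.Optional.Legacy, SCBackService

***** [ Folders ] *****

No malicious folders found.

***** [ Registry ] *****

PUP.Optional.Legacy, [Value] - HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | {21FA44EF-376D-4D53-9B0F-8A89D3229068}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{0DEC13F0-5C8C-4147-8329-6CDFAD9755B7}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
PUP.Optional.Legacy, [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{0E5680D1-BF44-4929-94AF-FD30D784AD1D}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{0F3DC9E0-C459-4A40-BCF8-747BD9322E10}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{4E8E0178-00EF-413D-9324-E7B3E31572E3}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{5E97F0FA-3B44-4634-A87E-8B0D5CFD6365}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{80ED3EBC-CC05-4336-ABCC-295798855718}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{82A5CE4D-AF0C-45B6-8AF8-75625BE6A08D}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{951F5841-FD1E-4F1D-8607-67B174DBD753}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{A1A533A8-E106-422B-AE29-D0025269AF83}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\TypeLib\{B1759D04-0EF9-472A-B5C3-C774997B5321}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\AppID\{B2B7E0CD-E169-43B3-A233-E129610EE314}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{D1CCB0CC-DA45-4797-93D3-DEE7A13F8177}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{DCE24E28-D8EF-49BE-BC01-A1DD3B58FCE3}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{E4F7F1A5-490E-4884-A9E3-CBD6A25749E1}
PUP.Optional.Legacy, [Key] - HKLM\SOFTWARE\Classes\CLSID\{FFE66D00-A56A-4F7F-81D7-4A28C5816D6C}

*************************

C:/AdwCleaner/AdwCleaner[S0].txt - [3133 B] - [2018/1/7 20:22:54]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt ##########
"""

# Assumed layout of the format (this example's own patterns, not AdwCleaner's).
SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
DETECTION_RE = re.compile(r"^(?P<family>[\w.]+), (?:\[(?P<kind>\w+)\] - )?(?P<target>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_adwcleaner_log(text):
    """Return one dict per detection line: section, family, kind, target, hive, guids."""
    section = None
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # header comments and the EOF banner
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if set(line) == {"*"}:                # closing bar: only the file list follows
            section = None
            continue
        if section is None or line.startswith("No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        hive = target.split("\\", 1)[0] if section == "Registry" else None
        detections.append({
            "section": section,
            "family": m.group("family"),
            "kind": m.group("kind"),          # None for a bare service name
            "target": target,
            "hive": hive,
            "guids": GUID_RE.findall(target),
        })
    return detections


def summarize(detections):
    """Count hits per section and per registry hive, and how often each GUID recurs."""
    return {
        "by_section": Counter(d["section"] for d in detections),
        "by_hive": Counter(d["hive"] for d in detections if d["hive"]),
        "guids": Counter(g for d in detections for g in d["guids"]),
    }


if __name__ == "__main__":
    found = parse_adwcleaner_log(SAMPLE_LOG)
    report = summarize(found)
    print(f"{len(found)} detections:", dict(report["by_section"]), dict(report["by_hive"]))
    print(f"{len(report['guids'])} distinct COM objects; registered more than once:",
          [g for g, n in report["guids"].items() if n > 1])
```

Run as a script it prints the per-section and per-hive counts and the GUIDs that recur. One GUID appears under `Classes\CLSID`, `Ext\Stats` and `Ext\Settings`: that trio is what a browser extension Internet Explorer has actually loaded looks like in the registry, which is why a later reply refers to these detections as BHOs.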

 

 

 



#4 garioch7

garioch7


Posted 08 January 2018 - 01:59 PM

Phoe:

 

Thank you for the Malwarebytes and AdwCleaner logs.  AdwCleaner found some browser extension PUPs (Potentially Unwanted Programs).  Personally, I would remove them, but it is your computer. If you are worried about removing those items, then just leave them.  There is nothing really malicious there.

 

I am interested in what the ESET scan turned up?  Did you run it?  If not, please run it.  It does a very thorough virus and malware scan.

 

You said something is "bad."  What is bad?  I need more information to be able to help you.  Please provide the details of any error messages or the symptoms that your computer is exhibiting that are causing you concern.

 

Thank you and have a great day.

 

Regards,

-Phil




#5 Phoe

Phoe

Posted 09 January 2018 - 01:12 PM

Hey Phil,

 

I thought SCBackService was some type of back door but seems it is a win file!  So, guess it wasn't bad.

 

Couldn't find any file for ESET so ran the scan again and I guess it doesn't put out a file when it is done?  Seems I cannot attach a pic of what it said (no threats found).  First time it ran, I thought it found 3 temp files in Sandboxie.  I don't empty the Sandboxie as often as I should and it often nags me about it.  LOL

 

I think something must be at Ebay as I was looking at some cotton fabric...each one I would open in a new window (to easily compare) and one was shut down by ADW.  I closed the window then opened a new one but the second time, it seemed fine.  This happened on two different auction pages.  I will be back on Ebay later today and will let you know if anything happens.



#6 garioch7

garioch7


Posted 09 January 2018 - 01:53 PM

Phoe:

 

Thank you for your post.  ESET does not produce a log file if there are no detections.

 

I am not sure what "ADW" is?  Would you explain?  Is it a pop-up blocker or adware blocker?  In the malware world, "ADW" is sometimes used for the AdwCleaner app from Malwarebytes, but it does not offer real-time protection, so it should not be shutting any pages.

 

I will await your further response.  We could research each of the AdwCleaner detections, which were BHOs, if your problems persist, because one or more of the BHOs could be responsible for what you are seeing.

 

Thank you and have a great day.

 

Regards,

-Phil




#7 Phoe

Phoe

Posted 09 January 2018 - 02:51 PM

Hi Phil,

 

My mistake -- you are correct.  It wasn't ADW but Malwarebytes that restricted access to the Ebay page.  Naturally I'll be back there as that one particular seller has some fabrics I am interested in.  If the page changes or whatever, I'll let you know.

 

I had time to research Splashtop.  I did this after I checked the registry and found the keys must be embedded in other registry keys.  Seems Splashtop is some type of remote access -- something I really don't need.  So, all the keys are now gone.

 

I ran all the programs again and looks like there's nothing bad lurking in my system!

 

Thank you so much for your help.  If that porn ad pops up again when I'm on Ebay or the page reroutes to another site, I will drop you a line.

 

Until then, have a wonderful day (it's a nice sunny day here)!

 

{{Hugs}}



#8 garioch7

garioch7


Posted 09 January 2018 - 03:17 PM

Phoe:
 
Thank you for your post.  I am glad that all of the scans are coming back clean now.
 
Personally, if Malwarebytes Premium is blocking/warning about access to that seller's page, I would be cautious.  You could submit the URL, assuming you go there again, to VirusTotal, select the "URL" tab, paste the URL, and then request a fresh scan.  I am on the Malwarebytes Forums daily, and they do have some "false positives", but usually there is a good reason why they are blocking the site/page.  If you think that the block is a "false positive", based on the VirusTotal scan results, you could post the URL in the Malwarebytes website "False Positives" Forum and ask them why they are blocking it.  They will either remove the block or explain why, information that you can then convey to the seller because he or she might be totally unaware.  They probably will most certainly want to know that Malwarebytes is blocking their page/site.

 

It may not be the seller who is knowingly hosting anything malicious, but if someone with a website or web page(s) is not using good website malware protection, hackers could compromise the website or the page, unknown to the owner.  On my own website, I use SiteLock to protect any visitors, and myself, from my site becoming infected by hackers.  There are many other such products.

 

If you have further issues, please don't hesitate to post here again.  Unlike the Virus, Trojan, Spyware and Malware Removal Logs Forum here, we don't lock down resolved or stale topics in this Forum, so you could just post again, and I will get a notification.

 

It was a pleasure to assist you.  Thank you for choosing Bleeping Computer to assist you with your computer issues.  Please stay SAFE out there in cyberspace.  It can be a dangerous place.

 

Here in Cape Breton, Nova Scotia, it is cloudy and cold (-1 degree Celsius, or about 30 degrees Fahrenheit).  So enjoy your warm weather.  We will have to wait for spring in these parts.  There is ice in the bay as a result of the temperatures last week being unusually cold (-15 degrees Celsius or 0 degrees Fahrenheit), with a really good wind chill from the strong north winds making it feel considerably colder (-27 degrees Celsius, which I think is getting close to -20 F).

 

Have a great day, oh, and thank you for the {{Hugs}}! :)  It is really nice to be appreciated.

 

Regards,

-Phil




#9 Phoe

Phoe

Posted 19 January 2018 - 12:25 AM

Okay, I did not know that different issues could be posted under the same topic! 

 

1)  Can you help me figure out why my system seems to be so sluggish? 

 

2)  How do I know if my system's memory has to be in pairs?

 

3)  How can I check if a memory stick is bad without pulling apart the pc?

 

Last Friday the weather was so warm that on the way home I had the AC on!  Wednesday I cancelled an appointment as the weather was stating it would be snowing around noon (my appointment time) and roads would be bad.  At noon, I took my dobe outside for a potty break and while there was no snow, we had frozen rain...even my shoes were sticking to the walk way!  A few hours later it was snowing so I threw some salt on the driveway (outside the fence) down to the mailbox.  Today the roads looked clear so I'm guessing the roads in town are better.  My Dobe will be sad when the snow is gone as she not only loves to run in it but also to eat the snow.  I wouldn't be surprised to see her do a dog angel.  ha ha ha



#10 Phoe

Phoe

Posted 19 January 2018 - 04:08 AM

I'll give you one guess what site I was on when I get a message saying my Flash was out of date (and wanting to download) from https: //noh6dashpazierangin.net (plus a bunch of numbers).  I close the window then go into the control panel and check for Flash update.  Says I have version 28.0.0.137 (current).  This time, however, I was on the Ebay search page looking at results and not on any sellers' page.  I go back and do the same search, but the update Flash does not come back.  I think this is the 2nd or 3rd time I've gotten a message about updating Flash so I'm guessing it wasn't a Flash update site.



#11 garioch7

garioch7


Posted 19 January 2018 - 01:00 PM

Phoe:
 
Thank you for your posts.  I am reasonably satisfied that malware is not responsible for any sluggishness that your computer may be exhibiting.  Computers do slow down as more and more files are created, deleted, and modified.  Programs become increasingly complex and therefore more computer resources are required.  Temporary files accumulate, and hardware components themselves could be starting to fail.  There are a multitude of possible explanations.
 
I would recommend that, because this is a "Security" Forum, that you post your system sluggishness question in the "Windows 7" Forum here at Bleeping Computer, and memory stick questions in the "Internal Hardware" Forum.  There are very knowledgeable people in those Forums who can assist you with those non-security issues.
 
The site that you linked to is not an official Adobe Flash Player update site.  See the VirusTotal analysis of the URL you provided at this link.
 
If you haven't already considered it, you might want to install uBlock Origin extension in your browser.  I use it on both of my computers.  Also, if you do not have an anti-malware product with real-time protection, you might want to consider purchasing one to increase your online security.  Personally, I use Malwarebytes Premium, but there are other very excellent products available as well.  You might want to review this article by quietman7, one of the foremost computer security experts here at Bleeping Computer.
 
Thank you and have a great weekend.
 
Regards,
-Phil
 
PS: We had two major snow falls this week.  It is very white here in Port Hood!


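Added example, not code from the thread or from Adobe, Malwarebytes or VirusTotal, covering the two checks suggested in this thread: the earlier advice (post #8) to look a suspicious URL up on VirusTotal, and this reply's point that the "Flash update" prompt came from a site that is not Adobe's. Assumptions: `OFFICIAL_UPDATE_DOMAINS` treats only adobe.com and its subdomains as a legitimate Flash update source; `vt_url_id` follows VirusTotal's published v3 convention of identifying a URL by its unpadded URL-safe base64 (the script only computes the identifier and makes no network request); `assess_update_prompt` is this example's own hypothetical triage helper. The domain in the sample call is the one quoted in the post, with its trailing digits replaced by a placeholder.

```python
"""Offline sanity checks for an unexpected 'Flash Player is out of date' prompt."""
import base64
from urllib.parse import urlsplit

# Assumption: the vendor's own domain is the only legitimate update source.
OFFICIAL_UPDATE_DOMAINS = ("adobe.com",)


def origin_host(url):
    """Host the browser would actually contact, lower-cased, trailing dot removed.

    urlsplit().hostname drops any 'user@' prefix and the port, so a URL such as
    https://adobe.com@evil.example/ yields 'evil.example', not 'adobe.com'.
    """
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_official_update_origin(url, official=OFFICIAL_UPDATE_DOMAINS):
    """True only for HTTPS and a host that is the vendor domain or a subdomain of it.

    The suffix test is anchored on the dot, so 'adobe.com.evil.example' fails.
    """
    if urlsplit(url).scheme.lower() != "https":
        return False
    host = origin_host(url)
    return any(host == d or host.endswith("." + d) for d in official)


def version_tuple(version):
    """'28.0.0.137' -> (28, 0, 0, 137) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def assess_update_prompt(page_url, prompt_url, installed_version, claimed_latest=None):
    """Hypothetical triage helper: is the prompt trustworthy, and if not, why?

    Returns {'trusted': bool, 'notes': [...]}.  'trusted' is True only when the
    prompt is served from an official update origin; the notes record every
    reason to close the window rather than click anything in it.
    """
    notes = []
    if not is_official_update_origin(prompt_url):
        notes.append(f"served by {origin_host(prompt_url)!r}, which is not an official update domain")
    if origin_host(prompt_url) != origin_host(page_url):
        notes.append("prompt origin differs from the page being viewed (third-party content such as an ad)")
    if claimed_latest is not None and version_tuple(claimed_latest) <= version_tuple(installed_version):
        notes.append(f"installed {installed_version} is already at or above the claimed {claimed_latest}")
    return {"trusted": is_official_update_origin(prompt_url), "notes": notes}


def vt_url_id(url):
    """VirusTotal v3 URL identifier: unpadded URL-safe base64 of the URL (assumption from VT's API docs).

    GET https://www.virustotal.com/api/v3/urls/<id> returns the existing report
    for that URL; this helper only computes <id> and sends nothing anywhere.
    """
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


if __name__ == "__main__":
    # Constructed sample: the search page being viewed and the prompt's domain quoted in the post.
    page = "https://www.ebay.com/sch/i.html"
    prompt = "https://noh6dashpazierangin.net/ELIDED-DIGITS"
    print(assess_update_prompt(page, prompt, "28.0.0.137", claimed_latest="28.0.0.137"))
    print("VirusTotal lookup id:", vt_url_id(prompt))
```

The first two checks are the ones a fake-update page relies on slipping past: a third-party origin injected into a page you trust, and a hostname built to look like the vendor's. The version comparison reproduces what the poster did by hand in the Control Panel, which is the cheapest check of all.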




