Paypal compromised, virus? HJT log



ewok
02-14-2010, 08:54 PM
So I got a receipt email from paypal saying I had made a 50 euro payment to some 'Global Communication Networks Ltd'. Got a 2nd email from paypal saying that 'We have reason to believe that your account was accessed by a third party'. Then a third saying that I had received a refund. So as far as I know I didn't lose any money.

Not really sure how this happened, nothing else that I'm aware of was compromised.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:45 PM, on 2/14/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
Z:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 2966 bytes
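The log above is in HijackThis format: every entry is a section code (R0/R1 for browser settings, O4 for autoruns, O23 for services) followed by the registry key or path. When triaging such a log by hand, the usual first pass is to pull out the browser URLs and every executable path, and look at anything that runs from a user-writable location. The following parser is an added example, not code from the thread or from Trend Micro; the sample lines are constructed (one real-looking default entry per section plus one entry per section that should draw attention), and the "user-writable location" markers and the microsoft.com allow-list are triage assumptions, not a rule HijackThis applies.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis log format. The first R1, O4 and O23 lines mirror
# benign defaults; the others are made-up entries of the kind a reviewer should inspect.
SAMPLE_HJT = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://example.invalid/start
O4 - HKUS\\S-1-5-19\\..\\Run: [Sidebar] %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKCU\\..\\Run: [updater] C:\\Users\\kyle\\AppData\\Roaming\\updater.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: Helper - Unknown owner - C:\\Users\\kyle\\AppData\\Local\\Temp\\helper.exe
"""


@dataclass
class Finding:
    section: str  # HJT section code, e.g. "R0", "O4", "O23"
    item: str     # the URL or executable path that triggered the finding
    reason: str   # why a human should look at it


ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(
    r"^.*?Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)

# Assumption: legitimate autoruns and services rarely live under a user profile or a
# temp directory, so anything found there is worth a manual look.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\documents and settings\\")


def _suspicious_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def _is_microsoft_host(url: str) -> bool:
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the entries of a HijackThis log that deserve manual review."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list, blank line
        section, body = m.groups()
        if section in ("R0", "R1"):
            key, _, value = body.partition(" = ")
            value = value.strip()
            # Empty values (e.g. "SearchAssistant =") are the Windows default; skip them.
            if value and not _is_microsoft_host(value):
                findings.append(Finding(section, value, f"non-default browser setting in {key}"))
        elif section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = EXE_RE.match(o4.group("cmd"))
                path = exe.group("exe") if exe else o4.group("cmd")
                if _suspicious_path(path):
                    findings.append(Finding(
                        section, path,
                        f"autorun '{o4.group('name')}' runs from a user-writable location"))
        elif section == "O23":
            o23 = O23_RE.match(body)
            if o23 and (_suspicious_path(o23.group("path")) or o23.group("vendor") == "Unknown owner"):
                findings.append(Finding(
                    section, o23.group("path"),
                    f"service '{o23.group('name')}' by '{o23.group('vendor')}'"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f.section:<4} {f.reason}: {f.item}")
```

Run against the sample it reports the non-Microsoft start page, the autorun under AppData and the service running from Temp; run against the log posted above it reports nothing, which is consistent with the scanners finding nothing later in the thread. A clean HijackThis log only says that nothing obvious is registered to start with Windows; it says nothing about whether a password was phished.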

shifty
02-14-2010, 11:29 PM
Dude, please first tell me that you're not so stupid that you have zero antivirus. In our day and time, that's utter and complete suicide and there is absolutely no logical excuse NOT to use it.

If you're not, then how WOULD you know if you got infected with anything? "Not really sure how this happened". Bad surfing practices? Bad computing practices? Kinda like having sex with hookers without a condom?

I'd run MalwareBytes. Install Antivir Free edition. Scan completely with both. Fix anything they find. Run ComboFix.

ewok
02-15-2010, 12:00 AM
I just reformatted the other day, have not downloaded anything besides things like itunes, skype, firefox, and I've never caught a virus before so I wasn't too concerned.

Ran MalwareBytes, it didn't find anything. Running Avira now and I'll let you know if that finds anything.

shifty
02-15-2010, 12:16 AM
K

Are you sure those weren't phishing emails?

Have you changed your Paypal password yet?

Have you looked at your Paypal history to see if the transaction really happened?

ewok
02-15-2010, 12:26 AM
I logged into paypal and I get a

'Security Measures

We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages.

Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.'

and it wants me to verify my bank account. I can't seem to access any parts of my account until I verify my bank account.

I'm pretty sure it's not a phish. The mails are coming from service@paypal.com

ewok
02-15-2010, 12:31 AM
Avira didn't find anything. It's possible that I logged into my paypal on my mom's laptop (and I have no idea what's on there), running antivirus on that now too.


Avira AntiVir Personal
Report file date: Sunday, February 14, 2010 22:42

Scanning for 1753507 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista
Windows version : (plain) [6.1.7600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : KYLE-PC

Version information:
BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:33
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:41:11
VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 06:41:17
VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 06:41:19
VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 06:41:19
VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 06:41:19
VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 06:41:20
VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 06:41:20
VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 06:41:20
VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 06:41:20
VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 06:41:20
VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 06:41:20
VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 06:41:20
VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 06:41:20
VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 06:41:21
VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 06:41:22
VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 06:41:22
VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 06:41:23
VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 06:41:23
VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 06:41:24
VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 06:41:24
VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 06:41:25
VBASE022.VDF : 7.10.4.31 2048 Bytes 2/11/2010 06:41:25
VBASE023.VDF : 7.10.4.32 2048 Bytes 2/11/2010 06:41:25
VBASE024.VDF : 7.10.4.33 2048 Bytes 2/11/2010 06:41:25
VBASE025.VDF : 7.10.4.34 2048 Bytes 2/11/2010 06:41:25
VBASE026.VDF : 7.10.4.35 2048 Bytes 2/11/2010 06:41:25
VBASE027.VDF : 7.10.4.36 2048 Bytes 2/11/2010 06:41:26
VBASE028.VDF : 7.10.4.37 2048 Bytes 2/11/2010 06:41:26
VBASE029.VDF : 7.10.4.38 2048 Bytes 2/11/2010 06:41:26
VBASE030.VDF : 7.10.4.39 2048 Bytes 2/11/2010 06:41:26
VBASE031.VDF : 7.10.4.46 98816 Bytes 2/14/2010 06:41:26
Engineversion : 8.2.1.170
AEVDF.DLL : 8.1.1.3 106868 Bytes 2/15/2010 06:41:34
AESCRIPT.DLL : 8.1.3.15 827771 Bytes 2/15/2010 06:41:33
AESCN.DLL : 8.1.4.0 127348 Bytes 2/15/2010 06:41:32
AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 15:38:44
AERDL.DLL : 8.1.4.2 479602 Bytes 2/15/2010 06:41:32
AEPACK.DLL : 8.2.0.8 426357 Bytes 2/15/2010 06:41:31
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 15:38:38
AEHEUR.DLL : 8.1.1.5 2326901 Bytes 2/15/2010 06:41:31
AEHELP.DLL : 8.1.10.0 237942 Bytes 2/15/2010 06:41:28
AEGEN.DLL : 8.1.1.86 369012 Bytes 2/15/2010 06:41:28
AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
AECORE.DLL : 8.1.11.1 184694 Bytes 2/15/2010 06:41:27
AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:02
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:47

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:, E:, Z:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, February 14, 2010 22:42

Starting search for hidden objects.
'14023' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'Xfire.exe' - '1' Module(s) have been scanned
Scan process 'Wow.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'taskhost.exe' - '1' Module(s) have been scanned
Scan process 'atieclxx.exe' - '1' Module(s) have been scanned
Scan process 'mscorsvw.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned
Scan process 'sppsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'atiesrxx.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
48 processes with 48 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!
Master boot sector HD3
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!
Boot sector 'Z:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '16' files ).


Starting the file scan:

Begin scan in 'C:\' <OS>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
Begin scan in 'D:\' <Fraps>
Begin scan in 'E:\' <RECOVERY>
Begin scan in 'Z:\' <Baracoot>


End of the scan: Sunday, February 14, 2010 23:22
Used time: 40:22 Minute(s)

The scan has been done completely.

18296 Scanned directories
172032 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
172030 Files not concerned
799 Archives were scanned
2 Warnings
2 Notes
14023 Objects were scanned with rootkit scan
0 Hidden objects were found

shifty
02-15-2010, 02:07 AM
OK, the big good thing is:

- 0 Hidden Objects found.

ALWAYS watch for hidden objects search locating something. This is a huge indicator of rootkits (hidden files).

It is easy to hijack your HOSTS file and redirect you to another site which LOOKS like Paypal. Always go to https://www.paypal.com (with httpS), and make sure their security cert is legit. This is usually done by double-clicking the gold padlock icon in your browser of choice.

But yeah, check your mom's computer. And check that security certificate for Paypal before entering personal data. Check your bank account too.
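Two of the checks recommended above can be scripted for a quick triage: reading the summary block at the end of an Avira report and alarming on non-zero hidden-object, virus or suspicious-file counts, and reading the hosts file for any line that overrides a payment site's name (the HOSTS hijack described above). The code below is an added example, not from the thread or from Avira; both input samples are constructed (the report lines copy the shape of the summary posted above, the hosts file contains one invented hijack line pointing paypal.com at a documentation address), and the list of watched domains is an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample: the tail of an Avira report, same shape as the one posted above.
SAMPLE_AVIRA_SUMMARY = """\
172032 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
14023 Objects were scanned with rootkit scan
0 Hidden objects were found
"""

# Constructed sample hosts file: a stock Windows header, the loopback entry, and one
# invented hijack line (192.0.2.0/24 is a documentation range, not a real site).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.0.2.45      www.paypal.com paypal.com   # attacker-added line
"""

# Assumption: the domains whose redirection would matter to this user.
PAYMENT_DOMAINS = ("paypal.com", "ebay.com")

COUNT_RE = re.compile(r"^(\d+)\s+(.+?)\s*$")


def parse_av_summary(text: str) -> Dict[str, int]:
    """Map each 'N <description>' summary line to its count (description lower-cased)."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNT_RE.match(line.strip())
        if m:
            counts[m.group(2).lower()] = int(m.group(1))
    return counts


def av_alerts(counts: Dict[str, int]) -> List[str]:
    """Return the summary lines that indicate an actual detection.

    'Hidden objects were found' with a non-zero count is the rootkit indicator the
    thread warns about; viruses and suspicious files are the ordinary detections.
    """
    alerts = []
    for label, n in counts.items():
        if n and ("hidden objects" in label or "viruses" in label or "suspicious" in label):
            alerts.append(f"{n} {label}")
    return alerts


def hosts_overrides(hosts_text: str, watched=PAYMENT_DOMAINS) -> List[Tuple[str, str]]:
    """Return (hostname, address) for every hosts entry that pins a watched domain.

    Any such entry is suspect: a normal hosts file never needs to resolve a bank or
    payment site, so the browser would be sent wherever the line says.
    """
    hits: List[Tuple[str, str]] = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a hosts entry
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in watched):
                hits.append((n, addr))
    return hits


if __name__ == "__main__":
    counts = parse_av_summary(SAMPLE_AVIRA_SUMMARY)
    print("AV alerts:", av_alerts(counts) or "none")
    for name, addr in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts override: {name} -> {addr}")
```

On the sample data the Avira summary produces no alert (all detection counts are zero, matching the report above) while the hosts check reports both paypal.com names pinned to 192.0.2.45. On a real Windows box the hosts file is read from %SystemRoot%\System32\drivers\etc\hosts, and a hit there is a reason to reset the file and change passwords from a machine that is known to be clean.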

shifty
02-15-2010, 02:08 AM
Also, install, update and run a full scan with MalwareBytes.

ewok
02-15-2010, 12:43 PM
Nothing found on either computer, not sure how this could have happened. Maybe a mistake on paypal's part.

shifty
02-15-2010, 02:13 PM
I would still change your passwords and check your Paypal transaction history.

Also, go download and run GMER to check for rootkits on both systems.

shifty
02-15-2010, 02:15 PM
Oh and if you have an eBay account check it also to make sure it isn't hijacked and change the password. Just in case =)

ewok
02-19-2010, 01:27 AM
Oh, that antivirus minimized my game in a match tonight. >_<

shifty
02-19-2010, 01:32 AM
hehehehe

There was a thread explaining how to make that 'not happen' a few weeks back.

Ninjahedge
02-19-2010, 08:39 AM
I think it only does that with certain games (I don't know why and what makes one different from the other when they all can be alt-tabbed. Any clue what the callout is to get a program to minimize that would only be used by some proggies?)

Shift, was that solution listed here in the help section?

shifty
02-19-2010, 11:44 AM
The update cycle is a scheduled thing. Open the Avira console, under the Administration section, choose Scheduler, find the Daily Update item, right-click it, choose Edit Job, and on the "when to schedule this job" section, choose Daily from the dropdown, and set the time for when you are NOT in game, but your computer will DEFINITELY be on. UNcheck "Repeat job if time is expired" so it doesn't just randomly pop up on you later after that time. That way you still get updates, but only at that specific time.

Cerwin_Vega
02-20-2010, 10:20 PM
This will help disable the pop ups.

http://tinyurl.com/mwb5u8