Paypal compromised, virus? HJT log

  • #1

    So I got a receipt email from paypal saying I had made a 50 euro payment to some 'Global Communication Networks Ltd'. Got a 2nd email from paypal saying that 'We have reason to believe that your account was accessed by a third party'. Then a third saying that I had received a refund. So as far as I know I didn't lose any money.

    Not really sure how this happened, nothing else that I'm aware of was compromised.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:43:45 PM, on 2/14/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    Z:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O13 - Gopher Prefix:
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 2966 bytes

  • #2
    Dude, please first tell me that you're not so stupid that you have zero antivirus. In our day and time, that's utter and complete suicide and there is absolutely no logical excuse NOT to use it.

    If you're not, then how WOULD you know if you got infected with anything? "Not really sure how this happened". Bad surfing practices? Bad computing practices? Kinda like having sex with hookers without a condom?

    I'd run MalwareBytes. Install Antivir Free edition. Scan completely with both. Fix anything they find. Run ComboFix.
    Originally posted by Ranshackle
    I like Hasselhoff's ass better.

    • #3
      I just reformatted the other day, have not downloaded anything besides things like iTunes, Skype, Firefox, and I've never caught a virus before so I wasn't too concerned.

      Ran MalwareBytes, it didn't find anything. Running Avira now and I'll let you know if that finds anything.

      • #4
        K

        Are you sure those weren't phishing emails?

        Have you changed your Paypal password yet?

        Have you looked at your Paypal history to see if the transaction really happened?

        • #5
          I logged into paypal and I get a

          'Security Measures

          We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages.

          Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.'

          and it wants me to verify my bank account. I can't seem to access any parts of my account until I verify my bank account.

          I'm pretty sure it's not a phish. The mails are coming from service@paypal.com.

          • #6
            Avira didn't find anything. It's possible that I logged into my paypal on my mom's laptop (and I have no idea what's on there), running antivirus on that now too.

            Avira AntiVir Personal
            Report file date: Sunday, February 14, 2010 22:42

            Scanning for 1753507 virus strains and unwanted programs.

            Licensee : Avira AntiVir Personal - FREE Antivirus
            Serial number : 0000149996-ADJIE-0000001
            Platform : Windows Vista
            Windows version : (plain) [6.1.7600]
            Boot mode : Normally booted
            Username : SYSTEM
            Computer name : KYLE-PC

            Version information:
            BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
            AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:33
            AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
            LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
            LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
            VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
            VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:41:11
            VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 06:41:17
            VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 06:41:19
            VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 06:41:19
            VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 06:41:19
            VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 06:41:20
            VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 06:41:20
            VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 06:41:20
            VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 06:41:20
            VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 06:41:20
            VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 06:41:20
            VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 06:41:20
            VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 06:41:20
            VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 06:41:21
            VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 06:41:22
            VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 06:41:22
            VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 06:41:23
            VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 06:41:23
            VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 06:41:24
            VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 06:41:24
            VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 06:41:25
            VBASE022.VDF : 7.10.4.31 2048 Bytes 2/11/2010 06:41:25
            VBASE023.VDF : 7.10.4.32 2048 Bytes 2/11/2010 06:41:25
            VBASE024.VDF : 7.10.4.33 2048 Bytes 2/11/2010 06:41:25
            VBASE025.VDF : 7.10.4.34 2048 Bytes 2/11/2010 06:41:25
            VBASE026.VDF : 7.10.4.35 2048 Bytes 2/11/2010 06:41:25
            VBASE027.VDF : 7.10.4.36 2048 Bytes 2/11/2010 06:41:26
            VBASE028.VDF : 7.10.4.37 2048 Bytes 2/11/2010 06:41:26
            VBASE029.VDF : 7.10.4.38 2048 Bytes 2/11/2010 06:41:26
            VBASE030.VDF : 7.10.4.39 2048 Bytes 2/11/2010 06:41:26
            VBASE031.VDF : 7.10.4.46 98816 Bytes 2/14/2010 06:41:26
            Engineversion : 8.2.1.170
            AEVDF.DLL : 8.1.1.3 106868 Bytes 2/15/2010 06:41:34
            AESCRIPT.DLL : 8.1.3.15 827771 Bytes 2/15/2010 06:41:33
            AESCN.DLL : 8.1.4.0 127348 Bytes 2/15/2010 06:41:32
            AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 15:38:44
            AERDL.DLL : 8.1.4.2 479602 Bytes 2/15/2010 06:41:32
            AEPACK.DLL : 8.2.0.8 426357 Bytes 2/15/2010 06:41:31
            AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 15:38:38
            AEHEUR.DLL : 8.1.1.5 2326901 Bytes 2/15/2010 06:41:31
            AEHELP.DLL : 8.1.10.0 237942 Bytes 2/15/2010 06:41:28
            AEGEN.DLL : 8.1.1.86 369012 Bytes 2/15/2010 06:41:28
            AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
            AECORE.DLL : 8.1.11.1 184694 Bytes 2/15/2010 06:41:27
            AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
            AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
            AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:02
            AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
            AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
            AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
            AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
            SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
            SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
            NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
            RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
            RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:47

            Configuration settings for the scan:
            Jobname.............................: Complete system scan
            Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
            Logging.............................: low
            Primary action......................: interactive
            Secondary action....................: ignore
            Scan master boot sector.............: on
            Scan boot sector....................: on
            Boot sectors........................: C:, D:, E:, Z:,
            Process scan........................: on
            Scan registry.......................: on
            Search for rootkits.................: on
            Integrity checking of system files..: off
            Scan all files......................: All files
            Scan archives.......................: on
            Recursion depth.....................: 20
            Smart extensions....................: on
            Macro heuristic.....................: on
            File heuristic......................: medium

            Start of the scan: Sunday, February 14, 2010 22:42

            Starting search for hidden objects.
            '14023' objects were checked, '0' hidden objects were found.

            The scan of running processes will be started
            Scan process 'avscan.exe' - '1' Module(s) have been scanned
            Scan process 'avscan.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'avcenter.exe' - '1' Module(s) have been scanned
            Scan process 'avcenter.exe' - '1' Module(s) have been scanned
            Scan process 'avgnt.exe' - '1' Module(s) have been scanned
            Scan process 'sched.exe' - '1' Module(s) have been scanned
            Scan process 'avguard.exe' - '1' Module(s) have been scanned
            Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
            Scan process 'msiexec.exe' - '1' Module(s) have been scanned
            Scan process 'Xfire.exe' - '1' Module(s) have been scanned
            Scan process 'Wow.exe' - '1' Module(s) have been scanned
            Scan process 'firefox.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
            Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
            Scan process 'explorer.exe' - '1' Module(s) have been scanned
            Scan process 'dwm.exe' - '1' Module(s) have been scanned
            Scan process 'taskhost.exe' - '1' Module(s) have been scanned
            Scan process 'atieclxx.exe' - '1' Module(s) have been scanned
            Scan process 'mscorsvw.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned
            Scan process 'sppsvc.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
            Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned
            Scan process 'audiodg.exe' - '0' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'atiesrxx.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'svchost.exe' - '1' Module(s) have been scanned
            Scan process 'lsm.exe' - '1' Module(s) have been scanned
            Scan process 'lsass.exe' - '1' Module(s) have been scanned
            Scan process 'services.exe' - '1' Module(s) have been scanned
            Scan process 'winlogon.exe' - '1' Module(s) have been scanned
            Scan process 'csrss.exe' - '1' Module(s) have been scanned
            Scan process 'wininit.exe' - '1' Module(s) have been scanned
            Scan process 'csrss.exe' - '1' Module(s) have been scanned
            Scan process 'smss.exe' - '1' Module(s) have been scanned
            48 processes with 48 modules were scanned

            Starting master boot sector scan:
            Master boot sector HD0
            [INFO] No virus was found!
            Master boot sector HD1
            [INFO] No virus was found!
            Master boot sector HD2
            [INFO] No virus was found!
            Master boot sector HD3
            [INFO] No virus was found!

            Start scanning boot sectors:
            Boot sector 'C:\'
            [INFO] No virus was found!
            Boot sector 'D:\'
            [INFO] No virus was found!
            Boot sector 'E:\'
            [INFO] No virus was found!
            Boot sector 'Z:\'
            [INFO] No virus was found!

            Starting to scan executable files (registry).
            The registry was scanned ( '16' files ).


            Starting the file scan:

            Begin scan in 'C:\' <OS>
            C:\hiberfil.sys
            [WARNING] The file could not be opened!
            [NOTE] This file is a Windows system file.
            [NOTE] This file cannot be opened for scanning.
            C:\pagefile.sys
            [WARNING] The file could not be opened!
            [NOTE] This file is a Windows system file.
            [NOTE] This file cannot be opened for scanning.
            Begin scan in 'D:\' <Fraps>
            Begin scan in 'E:\' <RECOVERY>
            Begin scan in 'Z:\' <Baracoot>


            End of the scan: Sunday, February 14, 2010 23:22
            Used time: 40:22 Minute(s)

            The scan has been done completely.

            18296 Scanned directories
            172032 Files were scanned
            0 Viruses and/or unwanted programs were found
            0 Files were classified as suspicious
            0 files were deleted
            0 Viruses and unwanted programs were repaired
            0 Files were moved to quarantine
            0 Files were renamed
            2 Files cannot be scanned
            172030 Files not concerned
            799 Archives were scanned
            2 Warnings
            2 Notes
            14023 Objects were scanned with rootkit scan
            0 Hidden objects were found

            • #7
              OK, the big good thing is:

              - 0 Hidden Objects found.

              ALWAYS watch for hidden objects search locating something. This is a huge indicator of rootkits (hidden files).

              It is easy to hijack your HOSTS file and redirect you to another site which LOOKS like Paypal. Always go to https://www.paypal.com (with httpS), and make sure their security cert is legit. This is usually done by double-clicking the gold padlock icon in your browser of choice.

              But yeah, check your mom's computer. And check that security certificate for Paypal before entering personal data. Check your bank account too.
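
The HOSTS-file hijack described above can be checked mechanically. This is an added example, not code from the thread: it parses a constructed HOSTS file and a constructed HijackThis excerpt (HJT lists non-default HOSTS lines as `O1` entries) and flags any entry that overrides a PayPal or eBay name, distinguishing a redirect to a routable address from a plain block; the watched-domain list and the sample data are assumptions.

```python
# Added example (not from the thread): flag HOSTS-file entries that override
# PayPal/eBay names, the hijack post #7 warns about. The watched-domain list
# and the sample data below are assumptions/constructed.
import ipaddress
import re

WATCHED_DOMAINS = ("paypal.com", "ebay.com")   # assumption: sites to protect

# Constructed sample HOSTS file: default entries, an ad-block line, a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # ad blocking, harmless
203.0.113.45    www.paypal.com         # overrides real DNS for PayPal
203.0.113.45    paypal.com
"""

# Constructed HijackThis excerpt; HJT reports non-default HOSTS lines as "O1".
SAMPLE_HJT = """\
O1 - Hosts: 203.0.113.45 www.paypal.com
O1 - Hosts: 127.0.0.1 signin.ebay.com
O13 - Gopher Prefix:
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS text, skipping comments/blanks."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def hjt_hosts_entries(log_text):
    """Yield (ip, hostname) from HijackThis 'O1 - Hosts:' lines."""
    for m in re.finditer(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", log_text, re.M):
        yield m.group(1), m.group(2).lower()


def is_watched(hostname):
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(entries):
    """Return [(hostname, ip, kind)] for watched names. A routable address
    means the browser is silently sent elsewhere ('redirect'); loopback or
    0.0.0.0 only blocks the site ('block'); anything else is 'malformed'."""
    findings = []
    for ip, name in entries:
        if not is_watched(name):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        except ValueError:
            kind = "malformed"
        findings.append((name, ip, kind))
    return findings


if __name__ == "__main__":
    for source, entries in (("HOSTS", parse_hosts(SAMPLE_HOSTS)),
                            ("HijackThis O1", hjt_hosts_entries(SAMPLE_HJT))):
        for name, ip, kind in classify(entries):
            print(f"{source}: {name} -> {ip} ({kind})")
```

On a real machine, feed the contents of `C:\Windows\System32\drivers\etc\hosts` or a full HJT log to the same functions; a clean log like the one posted has no `O1` lines and yields no findings.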

              • #8
                Also, install, update and run a full scan with MalwareBytes.

                • #9
                  Nothing found on either computer, not sure how this could have happened. Maybe a mistake on paypal's part.

                  • #10
                    I would still change your passwords and check your Paypal transaction history.

                    Also, go download and run GMER to check for rootkits on both systems.

                      • #12
                        Oh and if you have an eBay account check it also to make sure it isn't hijacked and change the password. Just in case =)

                        • #13
                          Oh, that antivirus minimized my game in a match tonight. >_<

                          • #14
                            hehehehe

                            there was a thread explaining how to make that 'not happen' a few weeks back.

                            • #15
                              I think it only does that with certain games (I don't know why and what makes one different from the other when they all can be alt-tabbed. Any clue what the callout is to get a program to minimize that would only be used by some proggies?)

                              Shift, was that solution listed here in the help section?
