
Thread: Paypal compromised, virus? HJT log

  1. #1

    Paypal compromised, virus? HJT log

    So I got a receipt email from PayPal saying I had made a 50 euro payment to some 'Global Communication Networks Ltd'. Got a 2nd email from PayPal saying that 'We have reason to believe that your account was accessed by a third party'. Then a third saying that I had received a refund. So as far as I know I didn't lose any money.

    Not really sure how this happened, nothing else that I'm aware of was compromised.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:43:45 PM, on 2/14/2010
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    Z:\Program Files\Ventrilo\Ventrilo.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\DllHost.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
    O13 - Gopher Prefix:
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    --
    End of file - 2966 bytes

  2. #2


    Dude, please first tell me that you're not so stupid that you have zero antivirus. In our day and time, that's utter and complete suicide and there is absolutely no logical excuse NOT to use it.

    If you're not, then how WOULD you know if you got infected with anything? "Not really sure how this happened". Bad surfing practices? Bad computing practices? Kinda like having sex with hookers without a condom?

    I'd run MalwareBytes. Install Antivir Free edition. Scan completely with both. Fix anything they find. Run ComboFix.
    Quote Originally Posted by Ranshackle
    I like Hasselhoff's ass better.

  3. #3


    I just reformatted the other day, have not downloaded anything besides things like iTunes, Skype, Firefox, and I've never caught a virus before so I wasn't too concerned.

    Ran MalwareBytes, it didn't find anything. Running Avira now and I'll let you know if that finds anything.

  4. #4


    K

    Are you sure those weren't phishing emails?

    Have you changed your Paypal password yet?

    Have you looked at your Paypal history to see if the transaction really happened?

  5. #5


    I logged into PayPal and I get a:

    'Security Measures

    We are currently performing regular maintenance of our security measures. Your account has been randomly selected for this maintenance, and you will now be taken through a series of identity verification pages.

    Protecting the security of your PayPal account is our primary concern, and we apologize for any inconvenience this may cause.'

    and it wants me to verify my bank account. I can't seem to access any parts of my account until I verify my bank account.

    I'm pretty sure it's not a phish. The mails are coming from service@paypal.com.

  6. #6


    Avira didn't find anything. It's possible that I logged into my PayPal on my mom's laptop (and I have no idea what's on there), running antivirus on that now too.

    Avira AntiVir Personal
    Report file date: Sunday, February 14, 2010 22:42

    Scanning for 1753507 virus strains and unwanted programs.

    Licensee : Avira AntiVir Personal - FREE Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows Vista
    Windows version : (plain) [6.1.7600]
    Boot mode : Normally booted
    Username : SYSTEM
    Computer name : KYLE-PC

    Version information:
    BUILD.DAT : 9.0.0.415 21609 Bytes 11/8/2009 10:00:00
    AVSCAN.EXE : 9.0.3.10 466689 Bytes 10/13/2009 19:26:33
    AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
    LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
    LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:35:52
    VBASE001.VDF : 7.10.1.0 1372672 Bytes 11/19/2009 06:41:11
    VBASE002.VDF : 7.10.3.1 3143680 Bytes 1/20/2010 06:41:17
    VBASE003.VDF : 7.10.3.75 996864 Bytes 1/26/2010 06:41:19
    VBASE004.VDF : 7.10.3.76 2048 Bytes 1/26/2010 06:41:19
    VBASE005.VDF : 7.10.3.77 2048 Bytes 1/26/2010 06:41:19
    VBASE006.VDF : 7.10.3.78 2048 Bytes 1/26/2010 06:41:20
    VBASE007.VDF : 7.10.3.79 2048 Bytes 1/26/2010 06:41:20
    VBASE008.VDF : 7.10.3.80 2048 Bytes 1/26/2010 06:41:20
    VBASE009.VDF : 7.10.3.81 2048 Bytes 1/26/2010 06:41:20
    VBASE010.VDF : 7.10.3.82 2048 Bytes 1/26/2010 06:41:20
    VBASE011.VDF : 7.10.3.83 2048 Bytes 1/26/2010 06:41:20
    VBASE012.VDF : 7.10.3.84 2048 Bytes 1/26/2010 06:41:20
    VBASE013.VDF : 7.10.3.85 2048 Bytes 1/26/2010 06:41:20
    VBASE014.VDF : 7.10.3.122 172544 Bytes 1/29/2010 06:41:21
    VBASE015.VDF : 7.10.3.149 79872 Bytes 2/1/2010 06:41:22
    VBASE016.VDF : 7.10.3.174 68608 Bytes 2/3/2010 06:41:22
    VBASE017.VDF : 7.10.3.199 76800 Bytes 2/4/2010 06:41:23
    VBASE018.VDF : 7.10.3.222 64512 Bytes 2/5/2010 06:41:23
    VBASE019.VDF : 7.10.3.243 75776 Bytes 2/8/2010 06:41:24
    VBASE020.VDF : 7.10.4.6 81920 Bytes 2/9/2010 06:41:24
    VBASE021.VDF : 7.10.4.30 78848 Bytes 2/11/2010 06:41:25
    VBASE022.VDF : 7.10.4.31 2048 Bytes 2/11/2010 06:41:25
    VBASE023.VDF : 7.10.4.32 2048 Bytes 2/11/2010 06:41:25
    VBASE024.VDF : 7.10.4.33 2048 Bytes 2/11/2010 06:41:25
    VBASE025.VDF : 7.10.4.34 2048 Bytes 2/11/2010 06:41:25
    VBASE026.VDF : 7.10.4.35 2048 Bytes 2/11/2010 06:41:25
    VBASE027.VDF : 7.10.4.36 2048 Bytes 2/11/2010 06:41:26
    VBASE028.VDF : 7.10.4.37 2048 Bytes 2/11/2010 06:41:26
    VBASE029.VDF : 7.10.4.38 2048 Bytes 2/11/2010 06:41:26
    VBASE030.VDF : 7.10.4.39 2048 Bytes 2/11/2010 06:41:26
    VBASE031.VDF : 7.10.4.46 98816 Bytes 2/14/2010 06:41:26
    Engineversion : 8.2.1.170
    AEVDF.DLL : 8.1.1.3 106868 Bytes 2/15/2010 06:41:34
    AESCRIPT.DLL : 8.1.3.15 827771 Bytes 2/15/2010 06:41:33
    AESCN.DLL : 8.1.4.0 127348 Bytes 2/15/2010 06:41:32
    AESBX.DLL : 8.1.1.1 246132 Bytes 11/8/2009 15:38:44
    AERDL.DLL : 8.1.4.2 479602 Bytes 2/15/2010 06:41:32
    AEPACK.DLL : 8.2.0.8 426357 Bytes 2/15/2010 06:41:31
    AEOFFICE.DLL : 8.1.0.38 196987 Bytes 11/8/2009 15:38:38
    AEHEUR.DLL : 8.1.1.5 2326901 Bytes 2/15/2010 06:41:31
    AEHELP.DLL : 8.1.10.0 237942 Bytes 2/15/2010 06:41:28
    AEGEN.DLL : 8.1.1.86 369012 Bytes 2/15/2010 06:41:28
    AEEMU.DLL : 8.1.1.0 393587 Bytes 11/8/2009 15:38:26
    AECORE.DLL : 8.1.11.1 184694 Bytes 2/15/2010 06:41:27
    AEBB.DLL : 8.1.0.3 53618 Bytes 11/8/2009 15:38:20
    AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
    AVPREF.DLL : 9.0.3.0 44289 Bytes 8/26/2009 23:14:02
    AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
    AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
    AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
    AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
    SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
    SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
    NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
    RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
    RCTEXT.DLL : 9.0.73.0 86785 Bytes 10/13/2009 20:25:47

    Configuration settings for the scan:
    Jobname.............................: Complete system scan
    Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
    Logging.............................: low
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:, E:, Z:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: on
    Integrity checking of system files..: off
    Scan all files......................: All files
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: medium

    Start of the scan: Sunday, February 14, 2010 22:42

    Starting search for hidden objects.
    '14023' objects were checked, '0' hidden objects were found.

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'TrustedInstaller.exe' - '1' Module(s) have been scanned
    Scan process 'msiexec.exe' - '1' Module(s) have been scanned
    Scan process 'Xfire.exe' - '1' Module(s) have been scanned
    Scan process 'Wow.exe' - '1' Module(s) have been scanned
    Scan process 'firefox.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'Ventrilo.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
    Scan process 'explorer.exe' - '1' Module(s) have been scanned
    Scan process 'dwm.exe' - '1' Module(s) have been scanned
    Scan process 'taskhost.exe' - '1' Module(s) have been scanned
    Scan process 'atieclxx.exe' - '1' Module(s) have been scanned
    Scan process 'mscorsvw.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned
    Scan process 'sppsvc.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'CTAudSvc.exe' - '1' Module(s) have been scanned
    Scan process 'audiodg.exe' - '0' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'atiesrxx.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'lsm.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'wininit.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned
    48 processes with 48 modules were scanned

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!
    Master boot sector HD1
    [INFO] No virus was found!
    Master boot sector HD2
    [INFO] No virus was found!
    Master boot sector HD3
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!
    Boot sector 'D:\'
    [INFO] No virus was found!
    Boot sector 'E:\'
    [INFO] No virus was found!
    Boot sector 'Z:\'
    [INFO] No virus was found!

    Starting to scan executable files (registry).
    The registry was scanned ( '16' files ).


    Starting the file scan:

    Begin scan in 'C:\' <OS>
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    Begin scan in 'D:\' <Fraps>
    Begin scan in 'E:\' <RECOVERY>
    Begin scan in 'Z:\' <Baracoot>


    End of the scan: Sunday, February 14, 2010 23:22
    Used time: 40:22 Minute(s)

    The scan has been done completely.

    18296 Scanned directories
    172032 Files were scanned
    0 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    2 Files cannot be scanned
    172030 Files not concerned
    799 Archives were scanned
    2 Warnings
    2 Notes
    14023 Objects were scanned with rootkit scan
    0 Hidden objects were found

  7. #7


    OK, the big good thing is:

    - 0 Hidden Objects found.

    ALWAYS watch for hidden objects search locating something. This is a huge indicator of rootkits (hidden files).

    It is easy to hijack your HOSTS file and redirect you to another site which LOOKS like Paypal. Always go to https://www.paypal.com (with httpS), and make sure their security cert is legit. This is usually done by double-clicking the gold padlock lock icon in your browser of choice.

    But yeah, check your mom's computer. And check that security certificate for Paypal before entering personal data. Check your bank account too.
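The HOSTS-file hijack the post above warns about can be checked for mechanically. The following Python script is an added example, not code from the thread or from any tool named in it: it parses a HOSTS file the way the resolver does (comments stripped, several hostnames per address line) and reports any mapping that pins a payment or login domain to a fixed address, since a clean Windows HOSTS file contains no such entries. The sensitive-domain list and the sample file are constructed for the example, and the redirect addresses in it come from documentation ranges (203.0.113.0/24, 198.51.100.0/24), not real servers.

```python
"""Added example (not from the thread): flag HOSTS-file entries that override
payment or login domains, the 'HOSTS hijack' described in the post above."""
import ipaddress
import os
from typing import Dict, Iterator, List, Tuple, Union

# Default location of the HOSTS file on Windows.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Domains that should never be resolved by a local HOSTS entry.
# Assumption: this list is chosen for the example; extend it for your own sites.
SENSITIVE_DOMAINS = ("paypal.com", "login.live.com")

# Constructed sample HOSTS file. The two redirect entries use documentation
# address ranges (203.0.113.0/24, 198.51.100.0/24), not real servers.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.paypal.com paypal.com
198.51.100.7    login.live.com     # constructed: 'added by installer'
0.0.0.0         ads.example.net
"""

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_hosts(text: str) -> Iterator[Tuple[int, Address, str]]:
    """Yield (line_number, address, hostname) for every mapping in HOSTS text.

    Comments (after '#') are stripped, blank and malformed lines are skipped,
    and one address line may map several hostnames.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than crash
        for host in fields[1:]:
            yield line_no, addr, host.lower().rstrip(".")


def is_sensitive(host: str) -> bool:
    """True if host is one of the sensitive domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SENSITIVE_DOMAINS)


def find_hijacks(text: str) -> List[Dict[str, object]]:
    """Return every HOSTS mapping that pins a sensitive domain to an address.

    Any such entry is a finding: a foreign address sends the browser to an
    impostor site, while a loopback or 0.0.0.0 entry silently blocks the
    real one. The 'kind' field tells the two apart.
    """
    findings: List[Dict[str, object]] = []
    for line_no, addr, host in parse_hosts(text):
        if is_sensitive(host):
            kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
            findings.append({"line": line_no, "host": host,
                             "address": str(addr), "kind": kind})
    return findings


def scan_file(path: str = WINDOWS_HOSTS) -> List[Dict[str, object]]:
    """Scan a HOSTS file on disk; a missing file yields no findings."""
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return find_hijacks(fh.read())


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real file if present.
    for f in find_hijacks(SAMPLE_HOSTS):
        print(f"sample line {f['line']}: {f['host']} {f['kind']} to {f['address']}")
    for f in scan_file():
        print(f"SYSTEM line {f['line']}: {f['host']} {f['kind']} to {f['address']}")
```

Run it as-is to see the three findings from the sample, or point `scan_file()` at the machine's own HOSTS file. An empty result only rules out this one redirect method; the post's other advice (typing the https URL yourself and inspecting the certificate) still applies, because DNS, proxy settings or a browser extension can redirect just as well.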

  8. #8


    Also, install, update and run a full scan with MalwareBytes.

  9. #9


    Nothing found on either computer, not sure how this could have happened. Maybe a mistake on PayPal's part.

  10. #10


    I would still change your passwords and check your Paypal transaction history.

    Also, go download and run GMER to check for rootkits on both systems.
