Redirect to eBay phishing page - possible MBR rootkit infection

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MadMonkeyMojo, Feb 8, 2010.

  1. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    After eBay login name and password are entered, I am taken to a page which asks for name, password, credit card info and credit card PIN. This happens in IE8 as well as Firefox. Those are the only 2 browsers I use.

    The computer seems to run a little slow, but I haven't noticed any other signs of infection other than the redirect from eBay. I haven't tried any other secure sites, such as banking, etc.

    This is the URL it redirects to: https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerId=2&siteid=0&UsingSSL=1 (After checking this link, it's not the exact page I'm taken to. The page I'm taken to has fields to enter credit card information, mother's maiden name, PIN number, etc.) However, this is the URL in my address bar when that page is open.

    I did notice at the end of the ComboFix log it says "possible MBR rootkit infection."

    All my logs from the scans described in the READ ME FIRST post are attached (3 on this post, 2 on the next).

    Thanks in advance for any help.
     

    Attached Files:

    Last edited: Feb 8, 2010
  2. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    Other logs ...
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You have a master boot record (MBR) infection.

    We will need to boot to the Recovery Console ( you installed it while you installed ComboFix) to remove this infection. Note if you cannot boot to the Recovery Console you installed with ComboFix or if it fails to remove the infection, you will need your Windows XP boot CD.

    Now boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

    You can read the below to help you do this:

    http://support.microsoft.com/kb/307654


    After running the fixmbr command and boot back to normal mode, continue with the below.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (file missing)
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (file missing)

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    Hi chaslang, thanks so much for helping me.

    I followed your instructions and the 2 logs are attached to this post.

    I attempted to log in to eBay after completing the steps you gave me. I am still being redirected to a phishing page; however, it's a different page now. The first one asked for all the personal information, now I'm taken to a page that gives me a message about changing my security settings and logging in again.

    I verified by the URL in the address bar on the initial login attempt that I was on a real eBay page. After putting in the login information and attempting to log in to eBay, the URL in the address bar switches to what I assume is the bogus URL. I must say I'm assuming this is a bad URL because of the information I can find regarding eBay phishing scams. Also, this does not happen on my other computer, only this one.

    Again, thanks so much for your help! I hope these logs look better this time and you can help me get rid of this redirect problem.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your logs, the MBR infection was removed and there don't appear to be any other infections. Try the below.

    Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window


    Now let's flush the Java Cache
    • Click Start > Settings > Control Panel
    • Double click the Java icon (be patient, it may take a while to open)
    • Now click the General tab and under the Temporary Internet File area
    • Click the Settings button and then click the Delete Files... button.
    • In the next popup click OK.
    If you have multiple Java plugin icons in Control Panel follow the above to clear all their caches.


    Now let's flush the FireFox Cache
    To flush your FireFox Cache:
    • click Tools
    • select Options
    • select Privacy
    • in the section labeled Private Data click Clear Now
    Now let's flush the Internet Explorer Cache
    To flush your Internet Explorer Cache:
    • click Tools
    • Internet Options
    • Now on the General tab and click Delete Files and select Delete all Offline content too
    • Click OK.
    • When it finishes Click OK.
    Now run Ccleaner!

    Some infections have been known to infect router hardware. If you have a router hooked up then follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.



    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\User\Local Settings\temp

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    Hi chaslang

    The log you requested is attached.

    I am still redirected after signing in on eBay using IE, but no longer with Firefox. I know the obvious suggestion would be to use Firefox, but I really don't like the idea of this redirect problem remaining on my computer. My wife uses this computer for online shopping, etc., so I'd like to get rid of this.

    I've done quite a bit of reading regarding this problem and found someone who had success using a program called Dr. Web Cureit. Is that something I should try? I won't do anything until you give the go ahead.

    Thanks
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You could give it a try since it does help fix various problems. Note that it is going to have a bunch of false detections about tools from ComboFix and MGtools including process.exe.

    However before running Dr. Web, first try the below two fixes.

    1) Go to TDSSKiller and Download TDSSKiller.zip to your Desktop
    • Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    • Click Start > Run and copy/paste the following bold command into Run box and hit Enter.
    "%userprofile%\Desktop\TDSSKiller.exe" -v
    • Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    • When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply. (See: HOW TO: Attach Items To Your Post )

    2) Run IE8 and then disable all of your add-ons. Click Tools, Manage Add-ons. Then select each one and click Disable. Then close ALL IE windows and then restart IE. See if you still have a problem. If not, slowly enable them to see if you can find the cause.
     
  8. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    The TDSSKiller log is attached.

    Turned off all add-ons and tried eBay, still redirected. This really doesn't make any sense. Before the MBR infection was cleared, I was redirected to a page asking for the credit card info, PIN, etc. Once the MBR infection was cleared, I'm still redirected, but just to a different page.

    I searched the web address I'm redirected to in Google and there are lots of hits regarding this problem, but no real solutions. I have logged into eBay with the exact same login information on another desktop on the same network and also a laptop and it logs in as it should with no redirect, so there is something lurking in this machine.

    I tried the Dr. Web Cureit program, but all it does is cause my computer to restart. This happens in safe mode and regular mode.
     

    Attached Files:

  9. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    A little more info...

    I ran mbr.exe and got this:

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    user & kernel MBR OK
    copy of MBR has been found in sector 0x012A14C00
    malicious code @ sector 0x012A14C03 !
    PE file found in sector at 0x012A14C19 !
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is in agreement with my assessment since your MBR infection was removed. Let's make sure it did not come back but I doubt it.



    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip

    Also I want to see the below log:

    Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns > C:\dnslist.txt
    • Hit Enter
    • Exit the command window
    • Attach the C:\dnslist.txt to your next message.

    Are you 100% sure it is not just a valid page? Does this still only happen with IE and not FireFox? Are you sure that you have disabled ALL add-ons to IE?
     
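The steps above restore the hosts file and flush (and, to capture the resolver cache for review, ipconfig /displaydns lists it) the DNS cache because a PC-local name hijack is one way a machine can be sent to a different page while the address bar still shows a legitimate-looking hostname. The following is an added example, not code from the thread or from HostsXpert, that checks a Windows-style hosts file for entries steering sensitive sign-in hosts anywhere other than loopback. The hosts content and the watched-domain list are constructed here for illustration; on a real machine the file is read from %SystemRoot%\System32\drivers\etc\hosts.

```python
"""
Added example: flag hosts-file entries that redirect watched domains.
Not from the thread; the sample hosts text below is constructed.
"""
import ipaddress
import os

# Assumption: a practitioner would maintain this list for the sites that matter.
WATCHED_DOMAINS = ("ebay.com", "paypal.com")

# Constructed sample: a stock Microsoft header, a benign blocklist row,
# and two hijack rows pointing eBay sign-in hosts at a documentation-range IP.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
0.0.0.0         ads.tracker.example   # blocklist style entry, harmless
203.0.113.45    signin.ebay.com
203.0.113.45    www.ebay.com  # comment after entry
"""

def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every host on every data line.
    Comments start with '#'; a line may map several names to one address."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for host in parts[1:]:
            yield lineno, ip, host.lower()

def is_benign_target(ip):
    """Loopback, unspecified (0.0.0.0 / ::) and other non-routable sinkholes are
    the only targets a hosts entry should normally carry for a public name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as suspicious
    return addr.is_loopback or addr.is_unspecified

def matches_watched(host, watched=WATCHED_DOMAINS):
    return any(host == d or host.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Entries that map a watched domain (or a subdomain of one) to a routable IP."""
    return [(lineno, ip, host)
            for lineno, ip, host in parse_hosts(text)
            if matches_watched(host, watched) and not is_benign_target(ip)]

def windows_hosts_path():
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")

def scan_file(path=None):
    with open(path or windows_hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())

if __name__ == "__main__":
    for lineno, ip, host in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {host} -> {ip}")
```

Any hit here means the name is being answered locally before DNS is even consulted, so flushing the resolver cache alone would not clear it; a clean hosts file contains no routable mapping for a public sign-in host.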
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not a problem. This is normal to see after having an MBR infection. fixmbr just repairs sector 0 which kills the active part of the infection.
     
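To make concrete what the fixmbr step in the first reply does, and why the mbr.exe output in post 9 still reports a "copy of MBR" and "malicious code" in a high sector afterwards, here is an added example that is not code from the thread or from gmer's mbr.exe. It builds a small disk image in memory (constructed data, not the poster's disk), checks sector 0 against a known-good bootstrap hash, locates other sectors that carry the same partition table and 55AA signature (the stashed original MBR a Mebroot/Sinowal-style bootkit leaves behind), and then simulates fixmbr, which rewrites only the 446 bytes of boot code in sector 0 and touches nothing else. The boot-code byte strings and hash are stand-ins chosen for the example.

```python
"""
Added example: inspect a raw disk image for an MBR bootkit and simulate fixmbr.
All sample data is constructed; nothing here is read from a real disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries: bytes 446..509
PART_TABLE_LEN = 64
SIG_OFF = 510            # boot signature: bytes 510..511
SIGNATURE = b"\x55\xaa"

# Stand-in for stock Windows XP bootstrap code (real XP MBRs begin with the same
# seven bytes: xor ax,ax / mov ss,ax / mov sp,7C00h); the remainder is padding.
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (BOOT_CODE_LEN - 7)
# Stand-in for a rootkit loader (a short jump then filler).
EVIL_BOOT_CODE = b"\xeb\x58\x90" + b"\x90" * (BOOT_CODE_LEN - 3)
# One bootable NTFS (type 0x07) partition starting at LBA 63, 100000 sectors.
PARTITION_TABLE = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
                   + struct.pack("<II", 63, 100_000) + b"\x00" * 48)
CLEAN_MBR = CLEAN_BOOT_CODE + PARTITION_TABLE + SIGNATURE
# Assumption: a hash of known-good boot code the analyst trusts for this OS build.
KNOWN_GOOD_HASH = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()

def build_image(n_sectors, sector0, extra=None):
    """n-sector zero-filled image with sector0 at LBA 0 and extra[lba] elsewhere."""
    sectors = [b"\x00" * SECTOR for _ in range(n_sectors)]
    sectors[0] = sector0
    for lba, data in (extra or {}).items():
        sectors[lba] = data
    return b"".join(sectors)

def clean_disk():
    return build_image(64, CLEAN_MBR)

def infected_disk():
    # Bootkit pattern: hostile code in sector 0 with the partition table left intact
    # so Windows still boots, and the original MBR stashed in a high sector (LBA 40).
    return build_image(64, EVIL_BOOT_CODE + PARTITION_TABLE + SIGNATURE, {40: CLEAN_MBR})

def sector(image, lba):
    return image[lba * SECTOR:(lba + 1) * SECTOR]

def parse_partitions(mbr):
    """(bootable, type, first_lba, sector_count) for each non-empty entry."""
    out = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        if entry[4] == 0:
            continue
        first_lba, count = struct.unpack_from("<II", entry, 8)
        out.append((entry[0] == 0x80, entry[4], first_lba, count))
    return out

def boot_code_is_known_good(mbr, known_hash=KNOWN_GOOD_HASH):
    """Hash only the bootstrap code; the partition table legitimately varies per disk."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() == known_hash

def find_mbr_copies(image):
    """LBAs other than 0 whose sector carries a 55AA signature and the same partition
    table as sector 0: the 'copy of MBR has been found in sector' heuristic. With an
    empty partition table this would also match ordinary boot sectors, so treat hits
    as leads to inspect, not proof."""
    ref = sector(image, 0)[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN]
    return [lba for lba in range(1, len(image) // SECTOR)
            if sector(image, lba)[SIG_OFF:] == SIGNATURE
            and sector(image, lba)[PART_TABLE_OFF:PART_TABLE_OFF + PART_TABLE_LEN] == ref]

def fixmbr(image, clean_code=CLEAN_BOOT_CODE):
    """What Recovery Console fixmbr does: rewrite the 446 bytes of bootstrap code in
    sector 0, keep the partition table and signature, and change nothing else on the
    disk. A stashed MBR copy therefore survives the repair, inert."""
    s0 = sector(image, 0)
    return clean_code + s0[BOOT_CODE_LEN:] + image[SECTOR:]

def assess(image):
    s0 = sector(image, 0)
    return {"signature_ok": s0[SIG_OFF:] == SIGNATURE,
            "boot_code_known_good": boot_code_is_known_good(s0),
            "partitions": parse_partitions(s0),
            "mbr_copies_at": find_mbr_copies(image)}

if __name__ == "__main__":
    for name, img in (("clean", clean_disk()), ("infected", infected_disk()),
                      ("infected, after fixmbr", fixmbr(infected_disk()))):
        print(name, assess(img))
```

The third run is the situation in post 9: sector 0 is clean again, so the machine no longer executes the loader at boot, but the copy in the high sector is still found by a sector scan. That is why a later "copy of MBR" report does not by itself mean the infection is back; what matters is whether sector 0's code is known good.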
  12. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    Hi chaslang

    The logs you requested are attached.

    I disabled all add-ons; checked multiple times.

    This only happens with IE and not FireFox. It happened with FireFox as well initially, but after the MBR infection was cleared, it only happens in IE. The page I was redirected to initially in IE and FireFox was a different page.

    Am I 100% sure? I'm starting to wonder, but this is a link to the Google search results of the URL of the page I am directed to. What's strange is this is the same URL I was redirected to initially, the one to the page where it asked for all the information, but it's a different page now. http://www.google.com/#hl=en&source=hp&q=https%3A%2F%2Fsignin.ebay.com%2Fws%2FeBayISAPI.dll%3Fco_partnerId%3D2%26siteid%3D0%26UsingSSL%3D1&btnG=Google+Search&aq=f&aqi=&oq=&fp=a048890d3c90c6fc
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then there must be something else hiding that is not showing up in the logs. Many of the logs are date/time stamp dependent and some malware can modify dates of their files to be much older than when they were saved on the PC. This would cause them not to show in these quick type scans. We will have to use a couple of more comprehensive scanners. Since you could not run Dr.Web CureIt, let's try the below. Run each, one at a time and attach the logs.

    Using ESET's Online Scanner
    Using BitDefender Online Scan
    Trend Micro Housecall
     
  14. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    The ESET log is attached. BitDefender didn't give me the option to save the log as a .txt file, only .html log. It didn't find anything.

    I didn't see anywhere to generate a log for the TrendMicro scan. It found a file called CRYP XED-16. I used TrendMicro to "fix" it.

    I was able to finally run a Dr. WebCureit express scan in safe mode; it didn't find anything.

    Tried eBay again, same thing. I noticed something else that seems a little strange. At the eBay login page, all you have to do is click in the signin name box and it autopopulates the name and password. The box to remember this info is not ticked and my wife said she never chose an option to remember name/password. This happens even after a cleaning with CCleaner and ATF Cleaner. This does NOT happen in Firefox.

    I'm almost to the point of reinstalling Windows, but my wife works on this computer and has thousands of autokeys and spellchecker entries for MS Word. I formatted the HD once before and thought I had the correct files to reinstall her auto entries for Word, but it did not work and she wasn't real pleased with having to re-enter them all. I'm trying to avoid reinstalling Windows.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can run it in normal bootmode.

    If that does not help, uninstall Windows Internet Explorer 8 and then reboot your PC. Now see if you still have the same problem with IE7 which should remain.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:
    • C:\MGlogs.zip
     
  16. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    The log you requested is attached.

    Ran Dr. WebCureit in normal mode; it found nothing.

    My wife has to have IE8 on this computer as she works remotely through Citrix and the IT guys at her work said she needs it to be compatible with their end.

    Maybe uninstall IE8, see what happens, then reinstall it?
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    My point is that you must uninstall it to see if it is somehow infected. No I did not want you to reinstall it immediately because I wanted to check your logs and see the effects after it had been uninstalled. If you believe that this redirect is still malware then you should not be trusting this PC to be using it for work especially with a potentially (unknown as of yet) infected IE8.

    In 100% of all previous ( and more occurring everyday ) cases with eBay or other financial type phishing scams occurring due to an MBR infection, they have been fixed by running fixmbr and deleting the bad files if still necessary. Thus it would seem you have something else going on especially since you say it changed after running fixmbr. I even had you empty all caches where something could possibly hang around to cause a problem like this and that had no effect. Thus, if uninstalling IE8 has no effect and then reinstalling it also has no effect, you will be looking at a reinstall unless you wish to rerun all of the previous steps first just to be sure nothing was skipped.


    By the way, when you access eBay, are you going to it via a saved link or by typing the www.ebay.com into the address bar? If using a link of any kind, try physically typing into the address bar instead and see what happens.
     
    Last edited: Feb 18, 2010
  18. MadMonkeyMojo

    MadMonkeyMojo Private E-2

    I am clean!!

    I uninstalled IE8, then ran a complete scan with Dr. WebCureIt in regular mode. It found 2 files, A0058337.exe and A0058419.exe and called them Tool.prockill. I deleted these 2 files.

    I Googled tool.prockill and found Smitfraudfix to be the suggested answer.

    I rebooted, then ran Smitfraudfix. According to the log, it deleted a couple of things.

    Rebooted and everything ran smooth. No re-direct at eBay or any other site.

    I really appreciate your help and time, chaslang. Should I run the malware scans you gave me one more time, just to make sure everything is okay?

    Again, I really appreciate your help. :)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    False detections. Tool.prockill is just a false detection of process.exe which is used by MGtools, ComboFix and many other tools. It is just a DOS based task manager type program and has nothing to do with any problems you were having. And the A00xxxxx.exe files are just System Restore copies of the file and also are not problems. In addition, Dr.Web CureIt cannot remove anything in System Restore anyway. Nothing can. You have to disable system restore to remove restore points.

    Not true. SmitFraud even uses process.exe

    Attach the log so we can see what it removed.
     
