My ebay account was hacked....

This morning, my eBay account was hacked. The culprit had changed my password, email address and username. I got to speak to a consultant at eBay and discovered then that the culprit was in the process of changing my contact details too.

My password was a "strong one" but only used 1 caps and 2 letters... I've now changed it to one I can't even remember and I changed my PayPal password too...

The thing now is this: I know I have *some sort* of firewall and virus checker, but I've never really paid attention because DH is in IT and I normally let him just deal with it. He's been REALLY busy at work and every time I've asked him to check my PC he says he doesn't have time.

I recently downloaded some photo editing software and since then have had some scanner thingy run each time I turn my PC on. I can't remember what it's called and I don't know where to look for it on my PC.

I want to make sure my PC is safe without relying on DH. Please help?

Comments

  • Margey
    Margey Posts: 181 Forumite
    The same happened to my stepdad and now he has lost trust in eBay. Your firewall can't protect you from people hacking your eBay account. I think that is unlucky. Try speaking to eBay again to see if there is a way that you can protect your account details etc. It seemed mad that they have hacked your account and then they are changing your details!
    Good luck
  • RussJK
    RussJK Posts: 2,359 Forumite
    I think this password checker is a good guide to strength:
    http://rumkin.com/tools/password/passchk.php

    What does it say for your old password? And for your new one?

    I've begun to change the way I think about passwords, and now go for phrases rather than silly, hard to remember things like b0r304ifer91A.

    Change your password for your email and paypal as well. Write it down on paper if you're reasonably sure no one will read it.

    Otherwise check for Malware to see if the compromise was from your PC:
    Malwarebytes Quick scan http://www.malwarebytes.org/mbam-download.php (post a log)
    Hitmanpro quick scan (http://www.surfright.nl/en/hitmanpro)
    Post a HijackThis log (guide here http://www.users.on.net/~russ/hjt)
  • Hammyman
    Hammyman Posts: 9,913 Forumite
    polkadot wrote: »
    I recently downloaded some photo editing software and since then have had some scanner thingy run each time I turn my PC on. I can't remember what it's called and I don't know where to look for it on my PC.

    I want to make sure my PC is safe without relying on DH. Please help?

    What photo editing software was it and what site did you get it from?
  • Aidy
    Aidy Posts: 2,325 Forumite
    Part of the Furniture Combo Breaker
    You might have been phished? E-mail purporting to be from eBay asking you to log on, change some settings etc. The mail will be made to look like it's from eBay, but usually it won't have your name within it. You then go to a fake eBay site where your details are collected and used on the real site.

    These are very common and often do work if you read it quickly and action it with what they asked?
  • polkadot
    polkadot Posts: 1,867 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Hammyman wrote: »
    What photo editing software was it and what site did you get it from?

    I can't remember what site it was but the programme was Page Plus (sorry, it's not photo editing - it's a publisher type thing). I can't remember what site it came from but I do remember seeing 2 download buttons and then realising that I had clicked the download button on one of those "side bar ad thingys". I tried to cancel but I had already started to install when I realised what I had done.
    Aidy wrote: »
    You might have been phished? E-mail purporting to be from eBay asking you to log on, change some settings etc. The mail will be made to look like it's from eBay, but usually it won't have your name within it. You then go to a fake eBay site where your details are collected and used on the real site.

    These are very common and often do work if you read it quickly and action it with what they asked?

    I didn't think so because with DH always in my ear I never click on links in emails from eBay, PayPal or my bank (I do on comping sites though :o)... but just when I read your post I thought "could be" because I opened an email the other day claiming to be from eBay saying a dispute had been opened against me for non payment. When I logged into eBay via a new tab this was obviously not the case... so now I wonder if this might have been where I slipped.
    RussJK wrote: »
    I think this password checker is a good guide to strength:
    http://rumkin.com/tools/password/passchk.php

    What does it say for your old password? And for your new one?

    I've begun to change the way I think about passwords, and now go for phrases rather than silly, hard to remember things like b0r304ifer91A.

    Change your password for your email and paypal as well. Write it down on paper if you're reasonably sure no one will read it.

    Otherwise check for Malware to see if the compromise was from your PC:
    Malwarebytes Quick scan http://www.malwarebytes.org/mbam-download.php (post a log)
    Hitmanpro quick scan (http://www.surfright.nl/en/hitmanpro)
    Post a HijackThis log (guide here http://www.users.on.net/~russ/hjt)

    Thank you for those links - I will go and do those things now... Am I correct in understanding that I use all three of those, follow instructions and post results back on this thread, or do I start a new one?
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 12 October 2011 at 2:05PM
    Yes do each one at a time, then post your results. Malwarebytes will give a log file to post, IIRC Hitmanpro doesn't make any logs but just let me know broadly if it finds a trojan or rootkit, etc.

    If you clicked on the link provided in the phishing email, then the compromise could have been from that - re-reading your post, you suggest that you went to eBay without using the link? If the latter is true, the phishing email won't be an issue.

    You might find the website you downloaded Page Plus from in your browsing history.
  • polkadot
    polkadot Posts: 1,867 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Russ, is this what you want from the Malwarebytes? C:\Users\MrsPolkadot\AppData\Roaming\Sammsoft\ARO\Version 2011\AROscanlog.xml

    I've only run it - I've not followed any more instructions. It's all Greek to me but even so it looks scary.
  • polkadot
    polkadot Posts: 1,867 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Hitman said: Malicious software was detected. Close all applications and click next to remove the malicious software. During removal certain programs may terminate unexpectedly.

    Then there's an entry: “softonic Downloader for light image resize.exe” (I think this might be the site where Page Plus came from), which says Malware with an option to delete.
    Then rspsetup_softonic_728_90.exe and My funcards.exe which both say the same thing.
    Then there is FSViewerSetup42.exe which says suspicious with an option to delete.

    Again - I've not yet hit next (thought I'd wait for you)
  • polkadot
    polkadot Posts: 1,867 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    And this is Hijack this:
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 15:05:05, on 12/10/2011
    Platform: Windows 7 SP1 (WinNT 6.00.3505)
    MSIE: Internet Explorer v8.00 (8.00.7601.17514)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
    C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
    C:\Program Files (x86)\GamesBar\SearchEngineProtection.exe
    C:\Program Files (x86)\Skype\Phone\Skype.exe
    C:\Users\MrsPolkadot\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files (x86)\Ask.com\Updater\Updater.exe
    C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
    C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE
    C:\Users\MrsPolkadot\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.iplay.com/?o=shp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    R3 - URLSearchHook: Serif PagePlus Toolbar - {1f32b6ba-1806-4e09-b750-3d61209f70f5} - C:\Program Files (x86)\Serif_PagePlus\prxtbSer0.dll
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Serif PagePlus - {1f32b6ba-1806-4e09-b750-3d61209f70f5} - C:\Program Files (x86)\Serif_PagePlus\prxtbSer0.dll
    O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: GamesBarBHO Class - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files (x86)\GamesBar\2.0.1.55\oberontb.dll
    O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Bing Bar - {8dcb7100-df86-4384-8842-8fa844297b3f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
    O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
    O3 - Toolbar: GamesBar - {6F282B65-56BF-4BD1-A8B2-A4449A05863D} - C:\Program Files (x86)\GamesBar\2.0.1.55\oberontb.dll
    O3 - Toolbar: Serif PagePlus Toolbar - {1f32b6ba-1806-4e09-b750-3d61209f70f5} - C:\Program Files (x86)\Serif_PagePlus\prxtbSer0.dll
    O3 - Toolbar: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files (x86)\ConduitEngine\prxConduitEngin.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files (x86)\Samsung\Samsung New PC Studio\NPSAgent.exe
    O4 - HKCU\..\Run: [KiesHelper] C:\Program Files (x86)\Samsung\Kies\KiesHelper.exe /s
    O4 - HKCU\..\Run: [KiesTrayAgent] C:\Program Files (x86)\Samsung\Kies\KiesTrayAgent.exe
    O4 - HKCU\..\Run: [KiesPDLR] C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe
    O4 - HKCU\..\Run: [SearchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
    O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files (x86)\ARO 2011\aro.exe -rem
    O4 - Startup: Dropbox.lnk = MrsPolkadot\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
    O9 - Extra button: (no name) - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files (x86)\GamesBar\2.0.1.55\oberontb.dll
    O9 - Extra 'Tools' menuitem: GamesBar - {1A93C934-025B-4c3a-B38E-9654A7003239} - C:\Program Files (x86)\GamesBar\2.0.1.55\oberontb.dll
    O9 - Extra button: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: @C:\Program Files (x86)\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 11527 bytes
  • macman
    macman Posts: 53,129 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    I'm struggling to see what (if any) actual AV program you have installed amidst that lot.
    You have various manual scanners (Spybot, AdAware, etc) but nothing that runs automatically in the background.
    Please can you tell us?
    No free lunch, and no free laptop ;)
This discussion has been closed.
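
The kind of read-through done in the last reply, as an added example that is not part of the original thread or any poster's code: a small Python parser for the HijackThis log format posted above. It groups browser add-on registrations by DLL, lists autorun names, and separates `(file missing)` entries under System32 from the rest. The System32 handling relies on general Windows behaviour not stated in the thread (a 32-bit tool on 64-bit Windows is redirected away from System32), and detecting 64-bit from the `Program Files (x86)` string is a heuristic assumed here.

```python
import re
from collections import defaultdict

# Lines excerpted from the HijackThis log posted in the thread above.
SAMPLE_LOG = r"""
Platform: Windows 7 SP1 (WinNT 6.00.3505)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.iplay.com/?o=shp
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: Serif PagePlus Toolbar - {1f32b6ba-1806-4e09-b750-3d61209f70f5} - C:\Program Files (x86)\Serif_PagePlus\prxtbSer0.dll
O2 - BHO: Serif PagePlus - {1f32b6ba-1806-4e09-b750-3d61209f70f5} - C:\Program Files (x86)\Serif_PagePlus\prxtbSer0.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O2 - BHO: Bing Bar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "C:\Program Files (x86)\Microsoft\BingBar\BingExt.dll" (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Serif PagePlus Toolbar - {1f32b6ba-1806-4e09-b750-3d61209f70f5} - C:\Program Files (x86)\Serif_PagePlus\prxtbSer0.dll
O4 - HKLM\..\Run: [ApnUpdater] "C:\Program Files (x86)\Ask.com\Updater\Updater.exe"
O4 - HKCU\..\Run: [SearchEngineProtection] C:\Program Files (x86)\Gamesbar\SearchEngineProtection.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
FILE_PATH = re.compile(r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))', re.I)
ADDON_CODES = {"R3", "O2", "O3", "O9"}  # search hooks, BHOs, toolbars, buttons


def parse(log):
    """Turn each 'CODE - body' line into a dict; skip headers and blanks."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            code, body = m.groups()
            paths = FILE_PATH.findall(body)
            entries.append({
                "code": code,
                "body": body,
                # The last path on the line is the file the entry loads.
                "path": paths[-1].lower() if paths else None,
                "missing": body.endswith("(file missing)"),
            })
    return entries


def triage(log):
    """Summarise add-ons per DLL, autorun names and missing-file entries."""
    # Heuristic (assumption): an "(x86)" program folder means 64-bit Windows,
    # where 32-bit HijackThis is redirected away from System32 and reports
    # files there as missing even though they exist.
    is_64bit = "Program Files (x86)" in log
    addons = defaultdict(set)
    report = {"autoruns": [], "missing_artifact": [], "missing_real": []}
    for e in parse(log):
        if e["code"] in ADDON_CODES and e["path"]:
            addons[e["path"].rsplit("\\", 1)[-1]].add(e["code"])
        if e["code"] == "O4":
            name = re.search(r"\[(.+?)\]", e["body"])  # absent on Startup items
            report["autoruns"].append(name.group(1) if name else e["body"])
        if e["missing"]:
            sys32 = (e["path"] or "").startswith("c:\\windows\\system32\\")
            key = "missing_artifact" if is_64bit and sys32 else "missing_real"
            report[key].append(e["path"])
    report["addons"] = {dll: sorted(codes) for dll, codes in addons.items()}
    return report
```

On the excerpt, `triage(SAMPLE_LOG)` shows the Ask and PagePlus toolbar DLLs each registered three times (search hook, BHO and toolbar), and only the Bing Bar DLL as a leftover entry whose file is actually absent.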