Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Paypal Identity Theft - Please Help Check out my computer

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Paypal Identity Theft - Please Help Check out my computer

Unread postby rachel_trevarthen » December 5th, 2008, 4:05 pm

Hi There,
I have been a victim of Paypal identity theft. I have had items bought without my authorisation and money (a significant sum) taken out of my bank account. Attached is my HijackThis log. I require the following urgently (please note I am on a GAP year travelling and have irregular internet access but I will be on the move again in 5 days so I would really appreciate it if someone can look into the problem before then).
- removal of P2P
- I have not been provided with recovery disks for my computer
- I believe my current anti virus software includes a firewall (Norton)
If you can let me know ASAP what is required to protect my computer I would really appreciate it. What little money I have for travelling I really need to protect!
Here is the log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:53:39 AM, on 12/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Asus\EeePC ACPI\AsTray.exe
C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
D:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -

C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program

Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program

Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Beta - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program

Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar Beta - {21FA44EF-376D-4D53-9B0F-8A89D3229068} -

C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AsusTray] C:\Program Files\Asus\EeePC ACPI\AsTray.exe
O4 - HKLM\..\Run: [AsusACPIServer] C:\Program Files\Asus\EeePC ACPI\AsAcpiSvr.exe
O4 - HKLM\..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic

Edition\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks Basic

Edition\NswUiTray.exe
O4 - Global Startup: AutoRun OSCleaner.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live

Toolbar\msntb.dll/search.htm
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program

Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} -

C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program

Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) -

http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) -

https://webdl.symantec.com/activex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation -

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation -

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner -

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5842 bytes
rachel_trevarthen
Active Member
 
Posts: 2
Joined: December 5th, 2008, 3:47 pm
Advertisement
Register to Remove

PLEASE HELP- COMPUTER IN CRITICAL HARDWARE SPACE CONDITION

Unread postby rachel_trevarthen » December 14th, 2008, 10:16 am

I have a small Asus laptop that I bought for travelling purposes. I have recently been a victim of Paypal identity fraud, due, I think to viruses invading my computer. I have posted on the forum with my Hijack this log and outlined the issues that I have and no one has replied. I am from Australia and currently travelling in Spain and I really need some advice from someone who speaks English to rectify my computers problems as I am concerned that the virus is still active and I may have a key log tracker. I cannot, not use my computer as it is an essential communication device. I have a problem with critical disk shortage space and this is preventing my from downloading all new virus updates and isleaving my computer more at risk. I have taken all of the pictures/music off my harddrive so that is not the problem, the problem is that my computer is small 0.99GB RAM and it is already running Skype, Works and Internet Explorer as well as Norton Anti Virus which is about its capacity. I really, really need some advice and help - I have no one I can take the computer to in Spain and I would really appreciate if someone could contact me on this forum or on *********** as to what I can do to rectify.
Thanks in Advance

Edit: Email address removed

Orac
rachel_trevarthen
Active Member
 
Posts: 2
Joined: December 5th, 2008, 3:47 pm

Re: Paypal Identity Theft - Please Help Check out my computer

Unread postby NonSuch » December 14th, 2008, 5:23 pm

I have merged your two topics together for the sake of clarity. I am sorry you have waited so long for a reply. As you have probably noticed, we are quite busy as are most other help sites.

I hate to be the bearer of bad news but it is very likely, based on the PayPal theft, that your system may be afflicted with a backdoor trojan. Backdoor trojans are the most dangerous and most widespread type of trojan. Backdoor trojans provide the author or "master" of the trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

Unfortunately, due to the lack of space on your system's hard drive, which results in the inability for you to download and update programs that would be needed for any attempt at a complete and accurate diagnosis, your options are extremely narrow; therefore, we can only advise a reformat/restoration of your system to clear it of the existing malware.

I would counsel you to keep this computer disconnected from the Internet until it has been restored. If you are still performing banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Do not attempt to make any password changes from the infected computer as the new passwords would very likely be instantly compromised by the malware still on your system. If you do not have access to a known clean computer, then you will have to make the password changes after you have restored your system.

Although you do not have restoration media, your system likely has a restore partition. If so, when you start up your system, you should see an indication on the screen of which key, or combination of keys, to depress in order to initiate a destructive restoration (most likely the F9 key) which will eliminate all personal data and return the machine to its initial factory state.

There is some information on the restore process at the below link that may be helpful:

http://wiki.eeeuser.com/explain:f9_restore

I am sorry that we do not have a more positive solution for you.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California

Re: Paypal Identity Theft - Please Help Check out my computer

Unread postby NonSuch » December 20th, 2008, 6:00 pm

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 52 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware