Trojan horse alert when accessing PayPal Website

pieren,

My apology for the delay. :o Sunday...

The RogueKiller report does not show malware, the Hosts file is OK, and there are no Domain Name System (DNS) hijacks showing where malware has an override on your computer's TCP/IP configuration to point at an undesirable DNS server.

Had a quick glance at the FRST report, and do not see anything there, but, will take a closer look.

Press on with using the program on Post #12, Temporary File Cleaner, and then do a Boot Time Scan with avast! to make sure malware can’t load itself into system memory:

Start the avast! user interface
In the left column, click: Scan Computer
Under Scan Computer, click: Boot-time Scan
In the next prompt, select: All harddisks
Click the orange bars on the Heuristics sensitivity, and set to: High
Check: Scan for Potentially Unwanted Programs
Check: Compressed (packed) archived files
Click: Schedule Now
Restart the computer.

If anything is found during the boot scan, the prompts are self-explanatory; follow their advice.
When done, please post the Scan Log, or, post a screenshot of the results:
http://www.sevenforums.com/tutorials/9733-screenshots-files-upload-post-seven-forums.html



Next, follow up with the free version of Malwarebytes: Malwarebytes Anti-Malware removes malware including viruses, spyware, worms and trojans, plus it protects your computer
Save to the Desktop.

Double-click the downloaded file to run MBAM.

When the installation begins, follow the series of setup wizard prompts pressing Next, and on the last prompt, press: Install
When done with this phase, press: Finish

MBAM automatically starts and takes you to the main console and to the Scanner tab.
On the Scanner tab:
Select: Perform Quick Scan

Click: Scan

When the scan is finished, a message box shows: The scan completed successfully. ..etc.

If anything is found, click Show Results to display all objects found.
Click OK to close the message box and continue with the removal process.
Make sure that everything is checked, and click: Remove Selected

When removal is completed, a report opens in Notepad.
(The log is automatically saved and can also be viewed by clicking the Logs tab).

If anything is found, please copy/paste the contents of the MBAM report and provide in your reply.


Also, post back on whether you are still getting the Bankfraud-BBE [Trj] notice.
 

My Computer My Computer

At a glance

Windows 7 Home Premium
Computer type
PC/Desktop
Computer Manufacturer/Model Number
An ol' eMachines
OS
Windows 7 Home Premium
Internet Speed
Fine for me...I'm retired!
Just an FYI when installing Malwarebytes,

Make sure to uncheck the box to start the trial of the pro version at the last screen.
 

Attachments

  • mbam.JPG

My Computer My Computer

At a glance

Win 10 Pro x64Intel I5-2500K @3.3GHz16GB G.Skill Ripjaws X (4x4GB)EVGA GeForce 750 Ti SC 2GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Self Built
OS
Win 10 Pro x64
CPU
Intel I5-2500K @3.3GHz
Motherboard
Asrock P67 Extreme4
Memory
16GB G.Skill Ripjaws X (4x4GB)
Graphics Card(s)
EVGA GeForce 750 Ti SC 2GB
Sound Card
ASUS Xonar DG 5.1 Channels 24-bit 96KHz PCI Interface Sound
Monitor(s) Displays
auria eq2367
Screen Resolution
1920 x 1080
Hard Drives
250GB Samsung 850 EVO SSD
1TB WD Blue
1TB Hitachi
PSU
SeaSonic X 650W 80 Plus Gold
Case
Corsair Obsidian 750D
Cooling
Corsair H60, Three 140mm case fans
Keyboard
Logitech Wireless Keyboard K520
Mouse
Logitech Wireless Mouse M310
Internet Speed
Wave Broadband ~ 100 dn 5 up
Antivirus
Windows Defender, Malwarebytes Premium
Browser
Edge, IE11, Chrome
Other Info
Laptop specs: HP g7-1365dx /
CPU: AMD A6-3420M APU with Radeon(tm) HD Graphics /
RAM: Crucial 8Gb (2x4Gb) /
SSD: Crucial M4-CT128M4SSD2 ATA Device/ FW 000F /
GFX: AMD Radeon HD 6520G /
OS: Windows 10 Pro x64
Thanks, derekimo!

Not sure whether that entry was present the last time I installed MBAM.

Thanks for bringing it up to our attention. :)
 

You're welcome. :)
 

According to the topic regarding this at the Avast forums, it would appear this was a false positive from Avast. However, I'd still err on the side of caution to be on the safe side and run a few scans if you're unsure.
 

My Computer My Computer

At a glance

Windows 7 Ultimate x64 SP1Intel Core i7 2700K @ 3.5GHz (TurboBoost disa...16GB (4x4GB) Kingston HyperX DDR3 1600MHz @ 1...Nvidia EVGA GeForce GTX 1060 6GB
Computer type
PC/Desktop
Computer Manufacturer/Model Number
N/A (custom-built)
OS
Windows 7 Ultimate x64 SP1
CPU
Intel Core i7 2700K @ 3.5GHz (TurboBoost disabled)
Motherboard
ASUS P8Z68-V/GEN3
Memory
16GB (4x4GB) Kingston HyperX DDR3 1600MHz @ 1333MHz
Graphics Card(s)
Nvidia EVGA GeForce GTX 1060 6GB
Sound Card
Realtek High Definition Audio (motherboard integrated)
Monitor(s) Displays
NEC Multisync EX231W
Screen Resolution
1920x1080 @ 60Hz via DVI-D
Hard Drives
2x Western Digital 1TB SATA3 Caviar Black Internal HDD // 1x WD 500GB USB 3.0 "My Passport Essential" External HDD // 1x WD 1TB USB 3.0 "My Passport Essential" External HDD // 2x WD 2TB USB 3.0 "My Passport Essential" External HDD
PSU
Corsair Professional Series Gold AX850
Case
Antec 300
Cooling
Air-cooling
Keyboard
Steelseries 6Gv2
Mouse
Steelseries Sensei RAW Glossy, Logitech M500
Internet Speed
DSL (AT&T)
Antivirus
Microsoft Security Essentials
Browser
Pale Moon, Mozilla Firefox 12, Opera 12, Chromium, IE9
Other Info
Virtual Machines (VirtualBox):
* Japanese Windows XP Professional SP3
* Japanese Windows 7 Professional SP1
I'd still err on the side of caution to be on the safe side and run a few scans

Excellent point, King Arthur!

It is an interesting thread, and also points to vulnerabilities in Internet Explorer.

While running scans, it would be a good idea to include the following:

Security Check:
http://screen317.spywareinfoforum.org/
Save to your Desktop.
Double-click: SecurityCheck.exe
Follow the onscreen instructions inside the black box.
When done, a Notepad report opens automatically, called: checkup.txt

Pay attention to the items identified in red.
SecurityCheck may produce some false warnings, but it is a good idea to check its entries anyway.
 

According to the topic regarding this at the Avast forums, it would appear this was a false positive from Avast. However, I'd still err on the side of caution to be on the safe side and run a few scans if you're unsure.

False positive my Aunt Fanny! Something is definitely going on and either no one really knows what is going on or they don't want to admit fault. I first detected and removed the trojan with SAS, then got it again before Avast finally detected it on a scan and started blocking it when going into PayPal. When I checked today, I was no longer getting the block popup. What's curious is PayPal notified me by email that I needed to update my password a couple, three days ago. Not trusting a link in an email, I went directly to the site and, when I tried to log in, I again was told I needed to update my password. Supposedly, PayPal was doing this with everyone and was requiring more secure passwords. I've already changed my passwords and usernames for my bank accounts, etc. and I'm going to my credit union tomorrow to block the card PayPal is using and both get a new one and open a debit account (no credit to draw against that way) strictly for internet purchases and add money only when making purchases.

I've already run various scans several times and I'm running Avast again right now. I'll run MBAM Pro and SAS free after that.
 

My Computer My Computer

At a glance

Win 7 Ultimate 64 bitIntel i7-3930KKingston HyperX Genesis 32GB Kit (8x4GB Modul...MSI R7850 Twin Frozr 2GD5/OC Radeon HD 7850 2...
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom Build
OS
Win 7 Ultimate 64 bit
CPU
Intel i7-3930K
Motherboard
ASUS P9X79 WS
Memory
Kingston HyperX Genesis 32GB Kit (8x4GB Modules) 1600MHz DDR
Graphics Card(s)
MSI R7850 Twin Frozr 2GD5/OC Radeon HD 7850 2GB 256-bit GDDR
Sound Card
Asus Xonar Essence STX
Monitor(s) Displays
3x Asus VG248QE 24", Vizio 32" TV
Screen Resolution
1920 x 1080, ?
Hard Drives
Samsung 128GB 840 Pro SSD (1),
Samsung 4TB 850 EVO SSDs (4)
Samsung 4TB 850 EVO SSDs (16) external backup drives used in 2.5" hot swap bays in the computer.
PSU
Corsair HX750w
Case
Antec Two Hundred v2 (modified)
Cooling
Cooler Master GeminII S524 120mm (fan replaced with a 140mm)
Keyboard
Logitech G510s
Mouse
Logitech M525 (two in use)
Internet Speed
=< 32Mbps down, 8Mbps up
Antivirus
AVAST!, MBAM, SAS, Spybot S&D (all but MBAM free) Glary Util
Browser
IE11
Other Info
LSI 9211-8i HBA card (8 SATA III ports), 2.5" & 3.5" Hot Swap Bays, HooToo HT-CR001 PCI-E to USB 3.0 Internal Hub + 6 Slot Card Reader, and LG Model CH12LS28 BD-ROM Optical Drive. Also, ScanSnap S1500 ADF duplexing scanner, Canon 9000F flat bed scanner, Corsair SP2500 2.1 speakers, Samsung CLP 415nw laser color printer, Cyberpower PP2200SW UPS
Good going Lady Fitzgerald!! ;)
I've never seen an account (that I frequent) to send an e-mail asking me to update my password!

This is a 'phishing' e-mail to gather more information. :mad:
 

My Computer My Computer

At a glance

Windows 7 Ultimate 32bit SP1Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz4 GBATI Radeon HD 2600 Pro
Computer type
PC/Desktop
Computer Manufacturer/Model Number
Bruce ... somewhere in his 40's
OS
Windows 7 Ultimate 32bit SP1
CPU
Intel(R) Core(TM)2 Quad CPU @ 2.40GHz, 2400 MHz
Motherboard
INTEL/D975XBX2
Memory
4 GB
Graphics Card(s)
ATI Radeon HD 2600 Pro
Monitor(s) Displays
Samsung SyncMaster 914v
Screen Resolution
1280 x 1024
Hard Drives
2/500GB each ... ST3500630AS ATA Device.
One is not connected
PSU
Rocketfish 700 W
Case
G.Skill Gigabyte Chassis
Keyboard
Standard PS/2 Keyboard
Mouse
Microsoft PS/2 Mouse
Internet Speed
DSL
Antivirus
Avira Internet Security
Browser
IE 11
Other Info
ATI HDMI Audio
Good going Lady Fitzgerald!! ;)
I've never seen an account (that I frequent) to send an e-mail asking me to update my password!

This is a 'phishing' e-mail to gather more information. :mad:

I have, although it's rare (and I still don't trust links in emails). And the fact that I got the same message when I went to PayPal directly instead of via the link suggests that this one was legitimate.

I've finished my scans and I'm still clean.
 

I haven't gotten any email to change passwords on PayPal and I'm unaware if I've been asked to change my password, but I'm playing it safe and trying to avoid going to PayPal's website until all of this subsides.
 

I no longer get the popup alert from Avast when opening the PayPal website.

Probably it was a false positive.
 

My Computer My Computer

At a glance

Microsoft Windows 7 Ultimate 64-bit 7601 Mult...Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz8,00 GBATI Radeon HD 5700 Series
Computer Manufacturer/Model Number
Dell XPS 8300
OS
Microsoft Windows 7 Ultimate 64-bit 7601 Multiprocessor Free Service Pack 1
CPU
Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
Motherboard
Dell Inc. 0Y2MRG
Memory
8,00 GB
Graphics Card(s)
ATI Radeon HD 5700 Series
Sound Card
(1) ATI High Definition Audio Device (2) Realtek High Defi
Screen Resolution
1920 x 1080 x 32 bits (4294967296 colors) @ 60 Hz
Hard Drives
(1) ST31500341AS (2) Generic- Compact Flash USB Device (3) Generic- MS/MS-Pro USB Device (4) Generic- SD/MMC USB Device (5) Generic- SM/xD-Picture USB Device
Antivirus
ava