Question compromised computer ( DELL Virus Spyware )
Updated: 2008-07-20 07:30:51 (21)
compromised computer

Hi,
Our computer has been compromised. Someone stole our credit card info and changed our ebay email and began using it to bid on items. Where do we go from here to get this stop the accessing of information off of our computer. We don't know how to get it clean. Thanks for any info.
Debby

Answers: compromised computer ( DELL Virus Spyware )
compromised computer

If you haven't done so already, contact eBay and your credit card company immediately, to cancel your existing account numbers & e-mails, and set-up replacement accounts.
My suggestion is for you to generate and post a HiJackThis log, in the HJT forum. This may reveal what's lurking on your system, and the experts there may be able to help you remove it.
(Not everything shows up in HJT logs, but the helpers there will be able to suggest other diagnostic tools, as necessary.)
Download the latest version of Trend Micro's HiJackThis (HJT)[version 2.0.2] installer from
Save it to your Desktop.
Double-click on the HJTInstall.exe file you just downloaded, and click on the Install button, to install HJT in the suggested/default folder,
C:\Program Files\Trend Micro\HijackThis
( As part of the installation, a shortcut to the HJT program will be placed on your Desktop, and another shortcut in your START menu [for easy-access to using HJT in the future ---
you only need to run the program again, but not the installer ] ).
After installation, HJT will automatically open and start running.
[If this is your first time running HJT, please read and accept the EULA (End-User License Agreement)]
Click on Do a System Scan and Save a LogFile

This will automatically open NotePad

Copy the entire file from NotePad: EDIT/SelectAll, EDIT/Copy

Then go to the forum dedicated for HiJack This logs (**NOT** back here), and PASTE the results there:

http://forums.us.dell.com/supportforums/board?board.id=si_hijack

Be sure to include a detailed description of any problems/errors/warnings you are encountering.

Also, please indicate the steps you've already taken, if any, in terms of running anti-malware scanners or malware removal tools.

When you submit your HJT log, please make sure the box under your text which shows "Automatically convert carriage returns to HTML line breaks" is checked, or your log may not format correctly... it should consist of separate/readable lines, not one large "jumble".

Hopefully, one of the HJT experts will get to it as quickly as possible.

WARNING: HiJack This is a VERY POWERFUL tool. While it's completely safe for you to download, generate, and post your log (as described above), you should *NOT* attempt to do anything else (in particular, do NOT use it to delete/fix any entries) until you are advised to do so by a forum expert!! Improper use of this tool can severely damage your system.



Message Edited by ky331 on 08-30-2007 07:23 PM
ky331
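
What the saved log contains, and why the line-break checkbox mentioned above matters, shown as an added example (not part of the original thread and not HijackThis's own code): a small Python reader that groups log entries by their section code and flags lines where several entries were fused together. The sample log is constructed, and only a few of the section codes are named.

```python
import re

# A few HijackThis section codes and what they list (not the full set).
SECTION_NAMES = {
    "R0": "Internet Explorer start/search page",
    "R1": "Internet Explorer start/search page",
    "O1": "Hosts file redirection",
    "O2": "Browser Helper Object (BHO)",
    "O3": "Internet Explorer toolbar",
    "O4": "Program started automatically (Run key or Startup folder)",
    "O23": "Windows service",
}

# An entry line starts with a section code followed by " - ".
MARKER = re.compile(r"(?:R[0-3]|F[0-3]|O\d{1,2}) - ")
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")

# Constructed sample log (all names, paths and dates are made up).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:00 PM, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\upd.exe
O23 - Service: Example Service (examplesvc) - Example Corp - C:\Program Files\Example\svc.exe

--
End of file - 1234 bytes
"""

# The same log after a paste that lost its line breaks (the "jumble").
JUMBLED_LOG = " ".join(SAMPLE_LOG.split())


def parse_hjt_log(text):
    """Split a log into header lines, running processes and entries by section."""
    result = {"header": [], "processes": [], "entries": {}, "warnings": []}
    state = "header"
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        # Heuristic: more than one section marker on a line means the
        # line breaks were lost and entries cannot be told apart reliably.
        if len(MARKER.findall(line)) > 1:
            result["warnings"].append(
                f"line {number}: several entries fused on one line (lost line breaks?)"
            )
            continue
        match = ENTRY.match(line)
        if match:
            state = "entries"
            code, detail = match.groups()
            result["entries"].setdefault(code, []).append(detail)
        elif line == "Running processes:":
            state = "processes"
        elif state == "header":
            result["header"].append(line)
        elif state == "processes":
            result["processes"].append(line)
        # Anything else after the entries ("--", "End of file ...") is ignored.
    return result


def summarize(parsed):
    """Return (code, description, count) for each section found, in log order."""
    return [
        (code, SECTION_NAMES.get(code, "other section"), len(items))
        for code, items in parsed["entries"].items()
    ]


if __name__ == "__main__":
    for code, name, count in summarize(parse_hjt_log(SAMPLE_LOG)):
        print(f"{code:<4} {count}  {name}")
    for warning in parse_hjt_log(JUMBLED_LOG)["warnings"]:
        print("WARNING:", warning)
```
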

compromised computer

Thank you. I wasn't sure HJT would be able to detect anything. Ebay was the one that contacted us and let us know our account was compromised. We have changed our credit card number but are afraid to use the new number on our computer until we are sure that it is clean. The credit card was compromised in June and ebay just happened today. Not sure if they are connected but the credit card company said they are pretty sure the number was hacked off our computer. We thought it was a one time thing but now believe someone is continuing to access our computer. Thanks again for the advice. We will post a HJT log and see if they can help.
Debby

mc41

compromised computer

I can't guarantee things will show up in HJT.... there can be "hidden" items, like "rootkits"...
it's possible that you were hit with a "keylogger" --- a program that monitors your keystrokes (which of course would include credit card numbers and e-mail addresses), and then transmits them to a hacker who'll "steal your identity".
and there are also RATS -- Remote Access Trojans --- which can give the hacker complete access to, and control of, your PC.
the HJT helpers will determine what, if anything, shows up in the log... and if they don't see anything with HJT, they will then move on to other tools.
until you're sure you're safe, it's wise to be VERY careful what you're doing on your PCs... do NOT make any credit card transactions or inquiries... likewise, for bank accounts... do NOT type-in your Social Security number anywhere... and be very careful what you do with your e-mail accounts.
while it's possible the "leak" came from your PC, you also have to consider alternatives:
at home, it's wise to have a paper shredder, before tossing "sensitive" information into the garbage.
and you need to be aware if bills, credit-card statements, and bank statements, that were expected in the mail, don't arrive on time---- sometimes, crooks will steal your mail to obtain information.
there are 3 national credit bureaus that keep consumer records. each person is allowed to obtain, free of charge, a credit report from each of the 3 bureaus, once a year. You can find more information here:
since your PC may be compromised, you can click on their phone link, to obtain the toll-free numbers.
if you haven't already checked into your report, I would suggest you order one now, one (from a second bureau) in 4 months, and then the third one in 8 months. you can then repeat this process annually, so you'll always have updated information every 4 months.
if any report shows actual fraud, I believe you can obtain the others free, immediately... check into it.


Message Edited by ky331 on 08-31-2007 08:22 AM
ky331

compromised computer

Are you *sure* it was ebay that contacted you? Emails that look like they come from ebay, but do not, are commonly used for phishing. See this.
ddeerrff

compromised computer

Thank you. Yes, I'm sure it was ebay. They suspended our account for suspicious activity and I chatted live with an ebay representative. They were aware of the problem before I was and were already working on it. We had received strikes against us for non payment and they removed those. Someone had changed our email address from another computer.
I have posted our HJT report on the HJT forum and they have already responded. From a clean computer we have changed passwords to important accounts. They suggested we back up the computer, wipe it clean and re-install, as we could never be sure our computer is clean without doing this.
Thank you for the info about identity theft and checking our credit report. I plan on notifying all banks to watch our accounts. I really appreciate the responses as I was scared that we could have been totally compromised and do not want that nightmare. The credit card was bad enough.
Thanks again.
Debby

mc41

compromised computer

I'm following your HJT thread, so I see what's being suggested there.
I hope this won't be considered interference with them, but I would like to pose a few questions for your consideration:
I noticed that MSGale pointed out that the "leak" could be elsewhere --- which I too had already mentioned above as a possibility.
You've apparently determined (or assumed??) which machine is the "infected" one? Unless you have/use only one machine, how did you make that determination?
And in going to another "clean" machine to change all your passwords, how did you determine THAT machine was really "clean"??
do you have multiple home machines? are they networked together??? --- in which case, infections might be capable of spreading from one to the other?
do you use a wireless router? if so, are your signals encrypted (WEP, WPA) ??? If you're transmitting UNencrypted signals, then any hacker driving through your neighborhood can potentially steal the transmissions....
have you accessed your ebay/credit accounts from any OTHER [public] computer systems ---- at school, at work, at the library, in a hotel ??? if so, the "leak" could have been from any of these.
And this question (use of outside PCs) is also applicable to any family members [or friends] who have knowledge of your credit card numbers and e-mail address.
I guess what I'm trying to say with all this, is that i'd hate to see you re-format the wrong machine, only to find the problem was elsewhere.
I apologize to BugBatter if any of the above is deemed "interference" on my part.


Message Edited by ky331 on 08-31-2007 09:59 AM
ky331

compromised computer

you've indicated notifying all your BANKS to alert them...
assuming you have several credit cards, you might want to alert ALL your credit card companies as well (not just the one where you had the known problem)
also, when you get your credit card report, be sure to carefully look through things... see if you find any accounts listed that don't belong to you!!!
one of the things crooks do is, once they have access to some of your information (e.g., your one credit card), they will apply for and open new credit cards, using the first as a reference... but listing a new address ("we've moved" ).... so the bills they charge-up are mailed to that phony address. and you won't find out about it until months/years later, when the credit card company puts that account into "collection", and they try to come after you.


Message Edited by ky331 on 08-31-2007 08:45 AM
ky331

compromised computer

Debbie,
I see the "squabbling" has started in your HJT thread. I don't know that the people there will necessarily see this, but I choose to respond here, rather than there, to try to keep that thread semi-clean. If anyone sees this, fine; and if not, we can just let it drop:
MSGale wrote: "I always though[t] it was bad policy to work the same problem on more than one thread".
Aside from my directing Debbie to the HJT forum for further help --- which in fact is one of the most common tasks performed here in the virus/spyware forum --- I don't know that you can really assert that I'm "working the same problem" here in this thread. I am offering no suggestions as to how to interpret her HJT log, nor what should be done in terms of that log. Yes, I am talking to her about contacting banks, credit card companies, and credit bureaus... and advising her about the potential perils of identity theft [having been a victim myself, albeit not via a computer]. That's a matter of common sense, and urgency, which does not in any way impact BugBatter's analysis/advice of the HJT log, nor of what to do with/about Debbie's computer. So I reiterate, I don't believe I'm "working the same problem" here.
I believe that my pointing out that not everything will appear in an HJT log... first in message 2 above, and then clarified/expanded upon in message 4 --- that there are various categories of items that can hide themselves [and citing examples of such categories] --- does not in any way interfere with BugBatter's analysis/advice. To the contrary: since this is a public forum, it in fact serves to help inform/educate the general public about what HJT can, and cannot, "see".
Yes, I will concede that I reluctantly and apologetically RE-addressed the question/concern that the "leak" could have come from elsewhere. Emphasis on the "RE": I was the one who started discussion of potential leak sources in message 4 above, initially posted on 08-30-2007 at 11:04 PM, before BugBatter even offered her first analysis/reply in the HJT forum at 11:35 PM. As such, I believe it was within my purview to continue with and elaborate upon this matter here. Even so, I still felt compelled to "apologize" to BB for doing so.


Message Edited by ky331 on 08-31-2007 06:31 PM
ky331

compromised computer

Hi Ky331,
I have been gone all day at work and came back to all the discussion. To answer your questions:
I did assume it was the machine I use all the time. The other machines have not been on ebay in over a year and I thought the information came off of my computer.
Our machines are not networked but there is a router in the house. I don't know if the router is encrypted, but I'm assuming that if I don't know then it probably isn't. We live in a very rural area and I have serious doubts that someone drove by and stole our transmissions.
I used a public computer in June but did not use my credit card on it nor did I access ebay and no one else in the family purchased anything or got on ebay over a public computer.
We burn all of our paper info. We do not put it in the trash. After our mail was stolen a few years back, we got a locked mailbox and never mail anything out from it.
The credit card company was the one that suggested the card info was stolen over the internet. Charges were made from Brazil and Idaho. I had taken a trip to Hawaii at the end of April, beginning of May and that is where I thought it was stolen because the charges showed up in early June. I thought it was stolen at either the hotel or rental car company as those were the only two places I used the card. The guy in the fraud department was pretty sure that it did not happen there. I have to believe that he knows what he is talking about since he probably sees a lot of this happening.
Ebay just happened yesterday morning. Would such activity normally be two months apart? I don't know. Maybe this is just what we are seeing and other activity is going on without our knowledge (scary thought).
Maybe these are two separate incidents of clicking on the wrong thing and we were only compromised on those occasions and our computer really does not have someone lurking on it. But, I don't know for sure. I am scared of the consequences of not protecting our information.
I very much appreciate the helpful information that you have given me regarding who to contact to make sure my identity isn't stolen.
I recognize bugbatter as someone who has helped me before and did a very thorough job. I apologize for causing any problems between the two forums. I am not anxious to reformat, but unless it can be determined that someone is not accessing my computer, I guess that is what I will have to do.
Thank you for caring enough to make suggestions about other possibilities.
Debby

mc41

compromised computer

Debbie,
rest assured that you are not causing any problems between this and the other forum. Keep in mind that you went to HJT based on my suggestion here. I am familiar with most of the current helpers there, and have been working "along-side" some of them for several years now. BugBatter is a highly-trained, skilled, and knowledgeable person -- I don't know that you could be in better hands.
I see that you have given careful thought to my questions --- and that alone means my efforts here have served an important purpose.
You wrote: "Maybe this is just what we are seeing and other activity is going on without our knowledge (scary thought)". Alas, that is the very nature of the beast.
In my case, it would appear that a crooked employee at "Bank X" accessed records there to re-open and upgrade a credit card that I had closed years earlier. He/she also changed my address, from a US location to one in Canada. And when I found out about it, and contacted the credit card company, they didn't want to talk to me --- claiming the real/current "me" was the one living in Canada! In fact, if THAT one had phoned the card company, to request an increase in "his" credit line, I'm sure they would have quickly obliged him! It can take a great deal of effort, over many months [sometimes even years], and sometimes at great expense, to restore one's stolen identity.
However you decide to proceed --- in terms of your computer, and in terms of legal action ---
I certainly wish you the best of luck.

ky331

compromised computer

Thank you.
Debby

mc41
