Help! I have a browser hijacker that is only affecting eBay!

I am having major computer problems since last night, after getting notified that I picked up a random virus while just surfing the web. I’m not an idiot – I know I didn’t download anything or open anything shady or suspicious, but my computer has slowed to a crawl ever since. I uninstalled and reinstalled Norton Antivirus, ran a complete system scan, and it found a few files that didn’t belong. I manually deleted everything it couldn’t delete automatically, and I have since updated and run Spybot and Spyware Blaster, and I’m currently running AdAware.

Scariest of all, when I try to log into eBay, I get redirected to a DANGEROUS page that looks kind of like eBay (but obviously isn’t due to the poor grammar), demanding all of my sensitive personal and financial information, including my Social Security number, credit card number, and even bank account number! I’ve been on eBay since 1999, and this has NEVER happened before. Even worse, I asked my friend to log onto MY eBay account on her computer, and she was able to with no problems, so this is some kind of localized browser hijacker just relating to eBay, just on my computer. Has ANYONE encountered this before, and how the hell can I get rid of it?

Here’s exactly what it says. From https://signin.ebay.com/ws/eBayISAPI.dll?co_partnerid=2&siteid=0&UsingSSL=1 :

We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.

Please enter as more information as possible to provide your complete identification and to activate all the features of the new system.

User Information:

First name:
Last name:

Date of Birth:
(drop-downs: Month, Day, Year)

Social Security Number (US residents only):

Mother’s Maiden Name:
E-mail:

Card Information (ie, ATM, debit, credit card):

Card Number:
Card Expiration Date (mm/yyyy):
(drop-downs: month 01 to 12 / year 2005 to 2015)

Card CVC2:

(3 or 4 digit Signature Panel Code located on the back of your card)

ATM PIN:
Banking Account information:

Account Number:
Routing Number:

I ain’t clickin’ that link…

I tried it. It doesn’t go anywhere, as it’s not a valid page at eBay. I think what may have happened is that something installed a hosts file on your system that’s redirecting from ebay.com. Search your computer for any files called hosts (you may need to turn on the option to search hidden files).

That’s what I was thinking…“Here I found this on the ground, and it smells bad, and it’s burning my hand just holding it, would you taste it so I know what it is?”

:smiley:

I appreciate you actually trying to help me and not being a snarky asshole. I do a lot of selling on eBay (and it is connected to my Paypal account, which is also being affected), so needless to say, I’m a little worried and not in the mood for sarcastic commentary.

Where exactly might these hosts be, and how can I search hidden files?

It wasn’t being snarky or sarcastic, despite the smiley. Look at how you presented that, as a malicious something on your computer that sent you to a phishing link, which you then stuck here and said “click this”.

I’m probably a snarky asshole, but wasn’t trying to be in this thread.

I agree with the explanation Mr Bus Guy gave.

Go to Here and get HijackThis!. Follow the directions, and post the results in their Forums (link to forums in the Download pane). They will tell you exactly what to delete to get rid of your bug.

There ya go.

A hosts file is a local lookup for internet addresses.

Short explanation (which probably has a few nits to be picked): everything on the internet is addressed by numeric addresses: the “Internet Protocol (IP) address”. You type in letter-based URLs. That URL is looked up on a machine (a DNS server) to find the numeric address, your browser sends a request to that numeric address, gets back a response, and displays the page.

The hosts file gives your machine a local copy of those addresses, so you don’t have to wait for the DNS server to respond back. However, it can also be used to hijack a URL. If the hosts file says ebay.com is at 123.456.7.8, your computer will go to that IP address for any ebay access, regardless of whether or not that’s really ebay’s IP.

The location of the hosts file depends on what OS (and which version) you’re running.

On windows XP:
c:\WINDOWS\system32\drivers\etc\hosts

On windows 2000:
c:\winnt\system32\drivers\etc\hosts

Or you can do a search for a file named “hosts” starting at your C: drive (no idea how it’s implemented on a Mac). When searching (at least on Windows) there’s a checkbox (may be under “advanced options”) to include hidden / system files in the search.

The hosts file is a plain text file you can open in notepad. The first column will be the IP address your machine will go to when you use the URL given in the second column.

Look for any reference to ebay in that file. If it exists, you can try removing those lines (or put a # at the beginning to comment it out) and save the file. However, if this problem is caused by a persistent virus / malware running on your system (rather than a one-time thing), that may not be enough. The file corruption may get reintroduced.

Hope that offers some smidge of help.
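The hosts-file check described in the post above, as an added example that is not part of the original thread: a Python sketch that lists every active entry pinning ebay.com or paypal.com (or a subdomain) to an address. The function names are hypothetical and the sample file content is constructed, reusing the post's illustrative address.

```python
# Added example: audit hosts-file text for entries that override watched domains.
import ipaddress

WATCHED = ("ebay.com", "paypal.com")  # the two sites named in this thread

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every active mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                           # an address with no name maps nothing
        ip, names = fields[0], fields[1:]
        for name in names:                     # one line may carry several names
            yield line_no, ip, name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED):
    """True for the domain itself or any subdomain, but not look-alike names."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED):
    """Return active entries that pin a watched domain to any address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            addr = ipaddress.ip_address(ip)
            blocked = addr.is_loopback or addr.is_unspecified
            note = "loopback/blocked" if blocked else "redirect"
        except ValueError:
            note = "malformed address"         # still worth a look by hand
        findings.append((line_no, ip, name, note))
    return findings

# Constructed sample, not taken from the poster's machine.
SAMPLE = """\
127.0.0.1   localhost
# 203.0.113.7 www.ebay.com     (commented out, inactive)
203.0.113.7 signin.ebay.com WWW.PayPal.com   # two names on one line
192.0.2.10  notebay.com
123.456.7.8 ebay.com
"""

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

To audit a real machine, pass the contents of the hosts file at one of the paths given in the thread to `suspicious_entries`; a clean file normally has no entries at all for these sites.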

I appreciate the help, but I’m running Windows ME (go ahead and laugh), and inside C:\WINDOWS\system32\drivers, there is nothing called “etc” or “hosts.”

From some poking around on google, it appears that ME (and 98) has the hosts file directly in the Windows directory.

So look for the file C:\windows\HOSTS

Open it in notepad, and check for ebay references. It might be write-protected, you can change that (IIR my 98/ME history correctly) by right-clicking on the hosts file in the windows directory, going to “Properties” and unchecking the “Read only” box.

I suggest doing a search of the whole C: drive for any files called hosts. Just make sure to include hidden files and folders. I’m fairly sure that Windows creates a generic hosts file even in WinME, so you should find something.

I was going to suggest trying to connect to the IP address equivalent of www.ebay.com, but I can’t figure out what that is.

Or you could do what sciguy suggested, and look in C:\Windows.

I never did find the hosts.

I took Duke of Rat’s advice, ran HijackThis, and posted my log on one of the dedicated forums. Some guy helped me, and I followed his instructions as best I could. Here’s the thread in question:

http://forums.spywareinfo.com/index.php?showtopic=73946

However, I’m still having this problem with eBay, and Paypal too.

And I’m not sure if this is connected or not, but my computer is so FUBARed that I wouldn’t be surprised, but I am not able to stay logged in on any of my usual forums, or even my Hotmail account. Every time I reboot (which has been dozens of times this afternoon), I’m logged out automatically, and I usually stay logged in all the time on boards like the SDMB. I know this has to do with cookies, so is something erasing my cookies?

I hope they get you straightened out, it really sucks to have your rig taken over and not be able to clean it up.

If it is a virus, it could be bypassing your virus protection. The only way to really be sure that your hard drive is virus free is to boot from a clean boot disk and run a virus scan program from that boot disk, or remove the hard drive and have it scanned on a clean computer.

Also, you never say what browser you are using. Have you tried a different web browser to see what happens? It is possible it is browser specific, especially if another browser doesn’t exhibit the same problems.

I second what Dewey Finn suggests in searching your c: drive for “hosts”. If you have a nasty piece of spyware, clearing the hosts file may not permanently fix the problem though, as the spyware might re-write the entry.

If it were me, I would start preparing for the worst and start backing up vital data because there is the possibility you will have to nuke the hard drive and reinstall from scratch.

I should have checked back in sooner. I think I’m fine now, after following the advice here, on Something Awful’s Tech Support forum, and a random forum where people help you with your HijackThis logs. Thanks to everyone who helped or just empathized. This was pretty much a wasted afternoon as far as getting any work done on my computer, as well as a scary one, but everything is finally running smoothly and normally now.

Could you tell us, or link us to what you did to fix this issue, please? I’m curious… :wink:

I never did find that hosts file.

Since then, I ran HijackThis and posted my log on one of the dedicated forums. Some guy helped me, and I followed his instructions as best I could. Here’s the thread in question:

http://forums.spywareinfo.com/index.php?showtopic=73946

I also got some advice on the Haus of Tech Support forum on Something Awful.com:
http://forums.somethingawful.com/showthread.php?s=&threadid=1857464

It really should be there, somewhere. (Not that it matters much, if your system is working.)

Note that the file name is just “hosts”, without any period or file type (3 character part) behind it. Are you sure your search is looking for that?

For example, a search for “hosts.” won’t work, because there is nothing to match the “.” part of the search.