Ebay Scam?!?!?

Fixed - I Hope!!

It looks like it was the "Torpig" virus. SpyBot caught it.

After much research and help from more knowledgeable people, it appears that this virus runs in memory and hijacks IE to take any web form page that you submit and redirect it to a bogus site. The really scary part is that the URL in the address bar looks like a legitimate page (i.e. the Paypal server) and not a bogus/redirected page.

Thanks for all the ideas and encouragement everyone!
 
ScottR said:
It looks like it was the "Torpig" virus. SpyBot caught it.

After much research and help from more knowledgeable people, it appears that this virus runs in memory and hijacks IE to take any web form page that you submit and redirect it to a bogus site. The really scary part is that the URL in the address bar looks like a legitimate page (i.e. the Paypal server) and not a bogus/redirected page.

Thanks for all the ideas and encouragement everyone!

It would also be a good idea to delete your history. Sometimes these things can lurk.
 
ScottR said:
It looks like it was the "Torpig" virus. SpyBot caught it.

After much research and help from more knowledgeable people, it appears that this virus runs in memory and hijacks IE to take any web form page that you submit and redirect it to a bogus site. The really scary part is that the URL in the address bar looks like a legitimate page (i.e. the Paypal server) and not a bogus/redirected page.

Thanks for all the ideas and encouragement everyone!

Yes, I had a bug like that also about 2 years back and it came back after 3 weeks. I had to reformat my hard drive twice to kill it. Now I run 2 Spybot-like programs every Saturday while making my coffee.

There is an easy way to spot this. Go to "Tools" in IE. Pull down to "Internet Options". Look at what is listed as your homepage address. If it lists anything, change it. If it comes back, then you have an IE bug. My opening page was Google and I got a "CS-weblink" virus, but that would always take me to their CS-website. When I typed www.google.com, it would take me to www.google.de. On a side note, I only use Dogpile now, because I hate the CS-weblink/Google virus. :mad:

Best of luck Scott, I hope you don't need to re-install Windows twice to kill your bug.

Bugs.
 
toomanybugs said:
Yes, I had a bug like that also...
Best of luck Scott, I hope you don't need to re-install Windows twice to kill your bug.

Bugs.

Ha, is that why your name is toomanybugs? LOL. I like your new avatar!
 
Probably was getting redirected by the hosts file, which on Windows XP is located in the c:\windows\system32\drivers\etc folder and can be opened with Notepad. The hosts file can be used to redirect sites without having to mess with the URL. Say I have www.yahoo.com and I point it at my own IP number in the hosts file. Yahoo suddenly becomes me for the machine with the hosts file entry.

I'd check to make sure it doesn't have much in it. Think Spybot still adds entries in the hosts file back to 127.0.0.1, which is a loopback to your own network card.
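
The hosts-file check described above, as an added example that is not part of the original post: a small Python audit that skips loopback/null entries (the kind a blocklist adds) and reports any hostname mapped to some other address. The sample file content and the `audit_hosts` name are constructed for illustration.

```python
import ipaddress
import sys

# Constructed sample content for illustration (not taken from the thread).
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net        # blocklist-style entry
0.0.0.0         tracker.example.org
203.0.113.10    www.yahoo.com yahoo.com  # name pointed at another machine
::1             localhost
not-an-ip       broken.example.com
"""


def audit_hosts(text):
    """Return (redirects, malformed) found in hosts-file text.

    redirects: (line number, hostname, address) for every name mapped to an
    address that is neither loopback nor unspecified (0.0.0.0 / ::).
    malformed: (line number, raw line) for lines that do not parse.
    """
    redirects, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw.strip()))
            continue
        if len(fields) < 2:
            malformed.append((lineno, raw.strip()))
        elif not (addr.is_loopback or addr.is_unspecified):
            redirects += [(lineno, name.lower(), str(addr)) for name in fields[1:]]
    return redirects, malformed


if __name__ == "__main__":
    # Pass a hosts file path as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    redirects, malformed = audit_hosts(text)
    for lineno, name, addr in redirects:
        print(f"line {lineno}: {name} -> {addr} (not loopback, review)")
    for lineno, raw in malformed:
        print(f"line {lineno}: unparseable entry: {raw}")
```

A clean result only rules out redirection through the hosts file; it says nothing about redirection done some other way.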
 
cubswin said:
Probably was getting redirected by the hosts file, which on Windows XP is located in the c:\windows\system32\drivers\etc folder and can be opened with Notepad. The hosts file can be used to redirect sites without having to mess with the URL. Say I have www.yahoo.com and I point it at my own IP number in the hosts file. Yahoo suddenly becomes me for the machine with the hosts file entry.

I'd check to make sure it doesn't have much in it. Think Spybot still adds entries in the hosts file back to 127.0.0.1, which is a loopback to your own network card.

One of the things that I checked before SpyBot found the virus was the Hosts file and it only contained the 127.0.0.1 entry. So, the virus was using some other method to redirect OR it may have written a Registry entry to point to some other file besides Hosts on the path you give above.

At this point, my Registry and Hosts look to be OK. Now I just pray that some backdoor is not sitting on my drive waiting to reinstall the virus. I will probably take the advice of several people and reload the OS when I get back from this trip.
 