A good friend of mine called me when I was in DC with the family for Spring Break. His PayPal account was busted into and, checking with PayPal security, the source IP address of the transactions was his regular store IP address. I told him to shut down the computer until I was back in town.

When I got out to his store late Sunday afternoon, I checked the status of his antivirus software and found that the patterns were out of date by about 6 weeks, with an expired subscription. That's never a good sign.

I brought up Internet Explorer and checked the history of where that PC had been going on the Internet and found that the history had been erased. I asked my friend if he had erased the history and learned that he didn't even know where the history feature of IE was located. Another bad sign.

My favorite program for debugging computer viruses is HijackThis from Trend. It's free, and it tells you exactly what is happening on the PC. Downloading and running the software, I found a virus that not only installed a trojan horse on his computer, but also installed a proxy server for monitoring all Internet traffic from the computer to the Internet.

I removed the viruses and the proxy server from the PC, downloaded the new Microsoft Security Essentials package from Microsoft, and ripped out AVG and another older Microsoft AV. Doing a full system scan, there were 3 trojan horse viruses downloaded through JavaScript on a web page and one GIF image trojan. It would be great if Comcast high speed internet would update their technology to include a proxy server that filters malware before it is sent down to your PC. I think that Google Postini, which does offer a cloud proxy malware/virus filter, only starts pricing at 100 users. Way too big for my friend's store.
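A read-only check a defender can run before the kind of cleanup described above, written as an added example (not code from the original post or from HijackThis): it assumes a Windows PC with PowerShell and inspects the per-user and machine-wide proxy settings plus loopback listeners, since that is where a traffic-monitoring proxy like the one found here is usually wired in.

```powershell
# Added example, not from the original post: a read-only look at the places a
# traffic-monitoring proxy is usually wired in on a Windows PC. Nothing is changed.

# 1. Per-user WinINET proxy settings (what IE and most browsers honour)
$regPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $regPath
$findings = @()
if ($settings.ProxyEnable -eq 1) {
    $findings += "ProxyEnable is on, ProxyServer = $($settings.ProxyServer)"
}
if ($settings.AutoConfigURL) {
    # A PAC script URL can quietly route selected sites through someone else's proxy
    $findings += "AutoConfigURL = $($settings.AutoConfigURL)"
}

# 2. Machine-wide WinHTTP proxy (used by services and updaters, not only browsers)
$winhttp = netsh winhttp show proxy
if (-not ($winhttp -match 'Direct access')) {
    $findings += "WinHTTP proxy configured: $(($winhttp | Out-String).Trim())"
}

# 3. Anything listening on the loopback interface: a local interception proxy has
#    to accept connections somewhere, and 127.0.0.1 is where it usually sits
$loopback = netstat -ano | Select-String '^\s*TCP\s+127\.0\.0\.1:\d+\s+.*LISTENING'
foreach ($line in $loopback) {
    $ownerPid = ($line.Line.Trim() -split '\s+')[-1]
    $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    $findings += "Loopback listener: $($line.Line.Trim()) (process: $($proc.Name))"
}

if ($findings.Count -eq 0) {
    Write-Output 'No proxy configuration or loopback listeners found.'
} else {
    Write-Output 'Review these items (a proxy you did not set up yourself is a red flag):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Loopback listeners are not proof of compromise on their own (some legitimate software uses them), so compare each process name against what you know is installed.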

It's interesting that the criminals who commissioned this virus figured out a way to grab my friend's money. If they had PayPal'd out funds to a receiver, he could have reversed the charges through PayPal. But if you use your PayPal account to create postage, once the package is dropped off, you can't get a refund. So once the computer was compromised, the criminal got to the computer, got to PayPal, printed $2600 of overnight shipping labels to Russia as a PDF, grabbed them, erased the PDF, erased the history of web sites visited, and went on a mad shipping spree.

My friend also had one of those password-remembering programs on his PC, so that probably helped the criminals get into PayPal. I told him to ditch that program and figure out a new way to remember his passwords.

I've been out there a few times on the weekend to check the PCs and haven't seen any recurrence of unknown software running on the PC and no new proxy servers, so I can claim the title of master virus eradicator, but it's amazing how fast a PC virus infestation can turn itself into your funds flying out the window.

The moral of the story is keep your AV patterns updated.