
Someone Skimming My Sales With Virus?



Hello Everyone. Thank you for letting me be part of your community.  I have a strange problem that I thought someone here may be able to help me with.  I have a site where I sell contact addresses of the wealthy. 
I built a small business website using web building software in 2012. The sales had been great and I used a lot of different sites to promote the website. Then I got a virus (about a year ago) and sales plummeted.

I really believe that someone is somehow skimming sales from my website now. I used to get sales every day and now get one every three days like clockwork. It seems as though whoever is doing this is feeding me a sale every three days so that I don’t take the website down. (For those that think my sales might have just slowed, here’s why I don’t think so. My site visitor count has tripled since this started happening and my social media presence is higher than ever.)

When I go in and play with things like deleting all my cookies, clearing my DNS and hosts file, deleting anything unusual, and clearing all old emails from Gmail, I get 2 or 3 sales immediately after doing this. Then I might get one more sale later, then it reverts back to the once-every-3-days scenario. My website sales are a digital delivery that comes from a place called E-Junkie. When you click the “Buy Now” button it takes you to E-Junkie, then their interface switches to PayPal for payment. Once payment is complete, E-Junkie sends a link to the files to the buyer. I recently added an SSL certificate but that hasn’t helped either, though I get an extra sale now and then. I have Bitdefender as my antivirus, and scan daily with Malwarebytes, yet I never see any viruses being caught. I noticed that I have two entries in Task Manager, csrss.exe and winlogon.exe, that I can’t shut down and that have no description or user name with them; they are just blank. Could this have something to do with it? Some places say it’s a virus, others say no it is not.

I really believe someone has some sort of program that goes through my computer and somehow scams my sales. I know it sounds crazy but I am sure they are, I just don't know how they are doing it, and I have no idea where to turn. Could someone be getting in through my server ports and redirecting my sales somehow? I have tried everything to figure this out but don’t know what else to do. Does anyone have any suggestions on what to try? Any software I could try to see if I can figure this out? I have downloaded several different types of scanners to scan ports and many other things, but I don’t know how to properly read them to see where the problem is. I would truly appreciate any help or ideas of what to try; I just can’t afford hiring a security company to try to figure this out. Can anyone out there help or suggest things to try please, as all my effort building my site and brand is slowly dying because of this as the money is slowly drying up.

Thank you so much for any help in advance. Kind regards, Mark Taylor

P.S. I have attached a file. The file I have attached is from when I had just http and not https. If you check the page source of the file you will see a script in the beginning. I never put that script in there. But now it is gone with the https address.

www.billionairemailinglist.com 1.htm

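The post above describes finding a script in the served page source that the owner never published. A practical check for that is to compare the `<script>` elements of the page as fetched from the web server against the owner's local build and list the ones with no counterpart. The following is an added example, not code from this thread or from any tool it mentions; the two HTML documents are constructed samples and the `unexpected_scripts` function is this example's own.

```python
"""Added example: surface <script> elements that appear in a served page but not
in the site owner's local build. Both HTML documents below are constructed samples."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record every <script>: external ones by src, inline ones by a hash of their body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # list of (kind, key, preview)
        self._inside = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inside = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        if self._inside:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inside:
            if self._src:
                self.scripts.append(("src", self._src, ""))
            else:
                body = "".join(self._body).strip()
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
                self.scripts.append(("inline", digest, body[:60]))
            self._inside = False


def collect_scripts(html: str):
    """Return the (kind, key, preview) tuples for every script in a document, in page order."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def unexpected_scripts(served_html: str, baseline_html: str):
    """Scripts in the served page with no counterpart (same src, or identical inline body) in the baseline."""
    known = {(kind, key) for kind, key, _ in collect_scripts(baseline_html)}
    return [s for s in collect_scripts(served_html) if (s[0], s[1]) not in known]


# Constructed baseline: what the site owner's web-builder output contains.
BASELINE_HTML = """<!DOCTYPE html>
<html><head><title>Shop</title>
<script src="/js/menu.js"></script>
<script>var siteName = "shop";</script>
</head><body><a href="#buy">Buy Now</a></body></html>"""

# Constructed served copy: the same page plus two scripts the owner never published.
SERVED_HTML = """<!DOCTYPE html>
<html><head><script>/* constructed placeholder for an unexpected inline script */var t=1;</script>
<title>Shop</title>
<script src="/js/menu.js"></script>
<script>var siteName = "shop";</script>
<script src="//cdn.example.invalid/t.js"></script>
</head><body><a href="#buy">Buy Now</a></body></html>"""

if __name__ == "__main__":
    for kind, key, preview in unexpected_scripts(SERVED_HTML, BASELINE_HTML):
        print(f"unexpected {kind} script: {key} {preview!r}")
```

To use it on a live site, fetch the served copy with `urllib.request.urlopen` from a machine other than the suspect PC, so that local tampering (hosts file, proxy settings, a browser extension) cannot mask what the server really sends, and feed that string as `served_html`. Inline scripts are keyed by a hash of their body, so any edit to an existing inline script also shows up as unexpected.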

I also want to let you know that my ISP provider is a satellite company called Hughesnet and that I have also been running a scanner called XArp that keeps bringing up the errors 'SubnetFilter: source ip address lies not in your subnet' and 'MacFilter: incoming packet but sender mac set to our own mac address', but I can't find what this means or what it is caused by. Thank you again for any help with this. Mark

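The two XArp messages quoted above are the names of two ARP-inspection heuristics: one flags an ARP packet whose sender IP address is outside the local subnet, the other flags a packet that arrives from the network yet names this host's own MAC address as the ARP sender. The block below re-implements both checks over constructed Ethernet/ARP frames so the conditions are concrete. It is an added example, not XArp's code: the MAC address, the `192.168.0.0/24` subnet (chosen to match the `192.168.0.1` DNS server in the FRST log further down), and the function names are this example's assumptions. Both checks are heuristics; a frame that trips one should be weighed against what the router or modem on that LAN actually does before drawing conclusions.

```python
"""Added example: SubnetFilter- and MacFilter-style ARP checks over constructed frames.
Not XArp's code; addresses below are assumptions for the example."""
import ipaddress
import struct

OUR_MAC = "00:11:22:33:44:55"                     # assumption: this host's NIC address
OUR_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: the LAN, consistent with a 192.168.0.1 gateway

ETHERTYPE_ARP = 0x0806
ARP_STRUCT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; return a dict or None."""
    if len(frame) < 14 + struct.calcsize(ARP_STRUCT):
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_STRUCT, frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    return {
        "eth_src": mac_str(eth_src),
        "op": op,  # 1 = request, 2 = reply
        "sender_mac": mac_str(sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": mac_str(tha),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def build_arp(eth_src, sender_mac, sender_ip, target_ip, op=2):
    """Construct a broadcast ARP frame for the sample capture; ARP sender fields may
    deliberately disagree with the Ethernet source, which is exactly what MacFilter looks for."""
    header = struct.pack("!6s6sH", mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(eth_src), ETHERTYPE_ARP)
    body = struct.pack(ARP_STRUCT, 1, 0x0800, 6, 4, op, mac_bytes(sender_mac),
                       ipaddress.IPv4Address(sender_ip).packed, mac_bytes("00:00:00:00:00:00"),
                       ipaddress.IPv4Address(target_ip).packed)
    return header + body


def check_arp(frame: bytes, our_mac: str = OUR_MAC, our_net=OUR_NET):
    """Return the names of the checks a frame trips: 'SubnetFilter', 'MacFilter', or an empty list."""
    pkt = parse_arp(frame)
    if pkt is None:
        return []
    alerts = []
    sender_ip = ipaddress.IPv4Address(pkt["sender_ip"])
    # SubnetFilter: a sender address outside our LAN has no business in our ARP cache.
    # 0.0.0.0 is the RFC 5227 address-probe sender and is exempted; otherwise every
    # DHCP client joining the LAN would trip the check.
    if sender_ip != ipaddress.IPv4Address("0.0.0.0") and sender_ip not in our_net:
        alerts.append("SubnetFilter")
    # MacFilter: a frame that did not come from our NIC yet claims our MAC as the ARP sender.
    if pkt["sender_mac"] == our_mac.lower() and pkt["eth_src"] != our_mac.lower():
        alerts.append("MacFilter")
    return alerts


def scan_frames(frames):
    """Run check_arp over a capture; return (index, sender_ip, alerts) for frames that raised something."""
    findings = []
    for index, frame in enumerate(frames):
        alerts = check_arp(frame)
        if alerts:
            findings.append((index, parse_arp(frame)["sender_ip"], alerts))
    return findings


# Constructed sample capture: a normal gateway reply, a DHCP address probe,
# a reply from an off-subnet address, and a reply that borrows our own MAC.
SAMPLE_FRAMES = [
    build_arp("c0:ff:ee:00:00:01", "c0:ff:ee:00:00:01", "192.168.0.1", "192.168.0.20"),
    build_arp("c0:ff:ee:00:00:02", "c0:ff:ee:00:00:02", "0.0.0.0", "192.168.0.30", op=1),
    build_arp("c0:ff:ee:00:00:03", "c0:ff:ee:00:00:03", "10.9.8.7", "192.168.0.20"),
    build_arp("c0:ff:ee:00:00:04", OUR_MAC, "192.168.0.1", "192.168.0.20"),
]

if __name__ == "__main__":
    for index, ip, alerts in scan_frames(SAMPLE_FRAMES):
        print(f"frame {index}: sender {ip} -> {', '.join(alerts)}")
```

Only the third and fourth sample frames raise anything. Feeding real traffic in is a matter of replacing `SAMPLE_FRAMES` with raw frames read from a capture file, and the `0.0.0.0` exemption is the edge case worth keeping in mind when comparing against a tool that reports every off-subnet sender.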

Today someone called and said they bought a list from us, their credit card was charged from PayPal but no transaction was recorded on OUR PayPal account nor was there a receipt forwarded to their or our email account. Just another fishy thing I could use help figuring out. Thanks Mark


Just thought I would add the Farbar scan results to help get any help started. Is there anyone out there that can help me? I think the most pressing thing may be the csrss.exe and winlogon.exe. There seem to be other people with these issues, but I don't want to follow your advice for those people in case mine is different. Sorry, I am just impatient as I have had this problem so long. Attached are the files from the Farbar scan. Thank you for any help. Mark


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:04-10-2015
Ran by BML (administrator) on BML-PC (05-10-2015 12:06:06)
Running from C:\Users\BML\Downloads
Loaded Profiles: BML (Available Profiles: BML & Administrator & Classic .NET AppPool & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.wireshark.org)
WYSIWYG Web Builder 10  (HKLM-x32\...\WYSIWYG_Web_Builder_10) (Version:  - )
XArp 2.2.2 (HKLM-x32\...\XArp) (Version: 2.2.2 - Christoph Mayer)

==================== Custom CLSID (Whitelisted): ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== Restore Points =========================

08-06-2015 18:01:25 Scheduled Checkpoint
16-06-2015 08:00:21 Scheduled Checkpoint
23-06-2015 08:37:53 Scheduled Checkpoint
26-06-2015 16:44:31 Removed Listware for Excel
26-06-2015 16:45:33 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
26-06-2015 16:46:39 Removed Microsoft Silverlight
26-06-2015 16:47:33 Removed Java 8 Update 40 (64-bit)
26-06-2015 16:48:29 Removed 7-Zip 9.38 (x64 edition)
26-06-2015 16:49:31 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
26-06-2015 18:08:01 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
27-06-2015 11:46:47 Restore Operation
28-06-2015 11:41:11 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
28-06-2015 11:45:19 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
28-06-2015 12:07:03 Windows Update
28-06-2015 12:24:45 Removed HughesNet Status Meter
28-06-2015 12:26:10 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
06-07-2015 09:20:50 Scheduled Checkpoint
11-07-2015 21:50:56 Windows Update
15-07-2015 01:21:16 Windows Update
15-07-2015 17:22:25 Windows Modules Installer
16-07-2015 04:56:38 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
16-07-2015 11:22:19 Installed Microsoft Fix it 50267
16-07-2015 14:08:24 Installed Microsoft Fix it 50267
16-07-2015 14:21:29 Installed Microsoft Fix it 50267
23-07-2015 14:01:28 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
23-07-2015 14:04:32 Removed SoundMAX
23-07-2015 14:58:07 Windows Modules Installer
25-07-2015 17:35:14 Windows Modules Installer
11-08-2015 13:09:58 Windows Update
11-08-2015 13:12:30 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
11-08-2015 14:44:01 Windows Update
14-08-2015 16:29:21 Windows Update
18-08-2015 08:59:21 Windows Update
19-08-2015 19:25:33 Windows Update
23-08-2015 09:55:14 Windows Update
24-08-2015 17:32:45 Windows Update
27-08-2015 07:57:55 Windows Update
31-08-2015 16:14:30 Windows Update
04-09-2015 09:57:59 Windows Update
08-09-2015 08:50:55 Windows Update
09-09-2015 11:32:04 Windows Update
15-09-2015 08:37:36 Windows Update
19-09-2015 11:34:47 Removed SolarWinds Orion NetFlow Traffic Analyzer 4.1
19-09-2015 17:31:46 Windows Update
25-09-2015 08:13:46 Windows Update
28-09-2015 13:49:31 Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.21005
29-09-2015 08:45:43 Windows Update
02-10-2015 11:41:42 Windows Update

==================== Hosts content: ===============================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2009-07-13 21:34 - 2015-09-27 16:10 - 00000768 ____A C:\Windows\system32\Drivers\etc\hosts
127.0.0.1    localhost

==================== Scheduled Tasks (Whitelisted) =============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

Task: {31A28CD5-F72E-4E49-BC19-8A376928E01D} - System32\Tasks\CCleanerSkipUAC => C:\Program Files\CCleaner\CCleaner.exe [2015-06-01] (Piriform Ltd)
Task: {3558B46F-DCD6-46BD-9285-AEC20475B70C} - System32\Tasks\Microsoft\Windows\Application Experience\ProgramDataUpdater => Rundll32.exe invagent.dll,RunUpdate -noappraiser
Task: {8AD7D21B-0C02-4FA5-AB79-65EBFF297ACB} - System32\Tasks\Bitdefender Update Product Data_A17FD818A96743FAB28AC221BEB4B2C8 => C:\Program Files\Bitdefender\Bitdefender 2015\bdproductdata.exe [2015-09-06] (Bitdefender)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)


==================== Loaded Modules (Whitelisted) ==============

2015-09-06 12:38 - 2014-08-27 16:31 - 00265080 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\txmlutil.dll
2015-09-06 12:38 - 2013-09-03 14:29 - 00101328 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\bdmetrics.dll
2015-09-06 12:38 - 2015-06-22 16:24 - 00003072 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\UI\accessl.ui
2015-09-06 13:13 - 2015-09-06 13:13 - 00875352 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_01150_002\ashttpbr.mdl
2015-09-06 13:13 - 2015-09-06 13:13 - 00741952 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_01150_002\ashttpdsp.mdl
2015-09-06 13:13 - 2015-09-06 13:13 - 02800952 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_01150_002\ashttpph.mdl
2015-09-06 13:13 - 2015-09-06 13:13 - 01413024 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\otengines_01150_002\ashttprbl.mdl
2015-09-06 12:38 - 2014-08-27 16:30 - 00204280 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff\components\txmlutil.dll
2015-09-06 12:38 - 2015-04-03 16:41 - 00067808 _____ () C:\Program Files\Bitdefender\Bitdefender 2015\antispam32\bdwteff\components\bdwtxff.dll

==================== Alternate Data Streams (Whitelisted) =========

(If an entry is included in the fixlist, only the ADS will be removed.)

AlternateDataStreams: C:\Users\BML\Downloads\AdwCleaner.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\EFRCSetup.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\FreeViewer.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\FRST64.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\herdProtectScan_Setup.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\HousecallLauncher.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\iview438_setup.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\iview440_setup.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\mbae-setup-1.07.1.1015.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\mbam-setup-2.1.6.1022.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\mbam-setup-2.1.8.1057.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\nmap-6.49BETA5-setup-xp.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\regassassin-setup-1.03.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\RogueKillerX64.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\stickifier.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\tdsskiller.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\Windows-KB890830-x64-V5.27.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\Wireshark-win64-1.12.7.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\wsalogs.exe:BDU
AlternateDataStreams: C:\Users\BML\Downloads\xarp-2.2.2-win.exe:BDU

==================== Safe Mode (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRkrn => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WRSVC => ""="Service"

==================== EXE Association (Whitelisted) ===============

(If an entry is included in the fixlist, the registry item will be restored to default or removed.)


==================== Internet Explorer trusted/restricted ===============

(If an entry is included in the fixlist, it will be removed from the registry.)


==================== Other Areas ============================

(Currently there is no automatic fix for this section.)

HKU\S-1-5-21-2367491310-1093292359-300404823-1001\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.0.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 5) (ConsentPromptBehaviorUser: 3) (EnableLUA: 1)
Windows Firewall is enabled.

==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)


==================== FirewallRules (Whitelisted) ===============

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

FirewallRules: [sPPSVC-In-TCP-NoScope] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [sPPSVC-In-TCP] => (Allow) %SystemRoot%\system32\sppsvc.exe
FirewallRules: [{98AC91FF-C8FF-4FBD-B1A2-2E44DD967B74}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [{E11B3FBC-57BD-45CC-8DBE-57C1761082C4}] => (Allow) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
FirewallRules: [TCP Query User{EADF74E9-6636-4723-B52D-E5A79F04B53E}C:\program files (x86)\nmap\nmap.exe] => (Allow) C:\program files (x86)\nmap\nmap.exe
FirewallRules: [uDP Query User{F83F431B-1745-4A63-B564-4A6F348716C2}C:\program files (x86)\nmap\nmap.exe] => (Allow) C:\program files (x86)\nmap\nmap.exe
FirewallRules: [TCP Query User{BEF44207-94C5-42E7-AAD2-17518A20628E}C:\program files (x86)\nmap\nmap.exe] => (Block) C:\program files (x86)\nmap\nmap.exe
FirewallRules: [uDP Query User{624D39A0-E910-4245-9ED4-E8A1159B6E6D}C:\program files (x86)\nmap\nmap.exe] => (Block) C:\program files (x86)\nmap\nmap.exe

==================== Faulty Device Manager Devices =============

Name: WAN Miniport (IPv6)
Description: WAN Miniport (IPv6)
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: NdisWan
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Microsoft 6to4 Adapter
Description: Microsoft 6to4 Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

Name: Teredo Tunneling Pseudo-Interface
Description: Microsoft Teredo Tunneling Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Microsoft
Service: tunnel
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (10/05/2015 09:00:01 AM) (Source: Windows Search Service) (EventID: 7010) (User: )
Description: The index cannot be initialized.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/05/2015 09:00:01 AM) (Source: Windows Search Service) (EventID: 3058) (User: )
Description: The application cannot be initialized.

Context: Windows Application

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/05/2015 09:00:01 AM) (Source: Windows Search Service) (EventID: 3028) (User: )
Description: The gatherer object cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/05/2015 09:00:01 AM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.TripoliIndexer> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    Element not found.  (HRESULT : 0x80070490) (0x80070490)

Error: (10/05/2015 09:00:00 AM) (Source: Windows Search Service) (EventID: 3029) (User: )
Description: The plug-in in <Search.JetPropStore> cannot be initialized.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/05/2015 09:00:00 AM) (Source: Windows Search Service) (EventID: 9002) (User: )
Description: The Windows Search Service cannot load the property store information.

Context: Windows Application, SystemIndex Catalog

Details:
    The content index database is corrupt.  (HRESULT : 0xc0041800) (0xc0041800)

Error: (10/05/2015 09:00:00 AM) (Source: Windows Search Service) (EventID: 7042) (User: )
Description: The Windows Search Service is being stopped because there is a problem with the indexer: The catalog is corrupt.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/05/2015 09:00:00 AM) (Source: Windows Search Service) (EventID: 7040) (User: )
Description: The search service has detected corrupted data files in the index {id=4700}. The service will attempt to automatically correct this problem by rebuilding the index.

Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (10/05/2015 09:00:00 AM) (Source: Windows Search Service) (EventID: 9000) (User: )
Description: The Windows Search Service cannot open the Jet property store.

Details:
    0x%08x (0xc0041800 - The content index database is corrupt.  (HRESULT : 0xc0041800))

Error: (10/05/2015 09:00:00 AM) (Source: ESENT) (EventID: 455) (User: )
Description: Windows (1180) Windows: Error -1811 occurred while opening logfile C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00094.log.


System errors:
=============
Error: (10/05/2015 09:00:01 AM) (Source: Service Control Manager) (EventID: 7031) (User: )
Description: The Windows Search service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.

Error: (10/05/2015 09:00:01 AM) (Source: Service Control Manager) (EventID: 7024) (User: )
Description: The Windows Search service terminated with service-specific error %%-1073473535.

Error: (10/04/2015 03:04:40 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2015 03:04:40 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2015 03:04:39 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2015 03:04:39 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/04/2015 03:04:38 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/03/2015 03:31:53 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/03/2015 03:31:52 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.

Error: (10/03/2015 03:31:50 PM) (Source: Disk) (EventID: 11) (User: )
Description: The driver detected a controller error on \Device\Harddisk1\DR1.


==================== Memory info ===========================

Processor: Intel® Core2 Duo CPU E8400 @ 3.00GHz
Percentage of memory in use: 52%
Total physical RAM: 3931.61 MB
Available physical RAM: 1859.29 MB
Total Virtual: 7861.43 MB
Available Virtual: 5605.61 MB

==================== Drives ================================

Drive c: (Windows) (Fixed) (Total:694.88 GB) (Free:571.1 GB) NTFS ==>[drive with boot components (obtained from BCD)]
Drive d: (GSP1RMCPRXFREO_EN_DVD) (CDROM) (Total:3.09 GB) (Free:0 GB) UDF

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 698.6 GB) (Disk ID: B2281CF1)
Partition 1: (Not Active) - (Size=3.8 GB) - (Type=27)
Partition 2: (Active) - (Size=694.9 GB) - (Type=07 NTFS)

==================== End of Addition.txt ============================


I have awaited the regular Forum Helpers to respond, but since you have replied to your own thread, you may have been overlooked. The regular Forum Helpers look for posts with zero replies and ignore those that have replies in the belief that someone is already assisting the Original Poster (OP).

The way I look at this problem is that there are too many variables and multiple assumptions.

The variables are: web server, any possible payment processors, site owner's computer(s), and unknowns.

You are focused on your PC being malware infected and compromised.

However, the web server and any possible payment processors could have been compromised, and they would be outside of the scope that the free service of this sub-forum would provide.

It is also an assumption that a revenue decrease is due to nefarious actions vs. actual market responses.

The original post lumps everything into one topic and combines all the possibilities, which overwhelms.

I think you must attack this from an overarching examination and break it down into functional areas. Each functional area would need its own attention by specialists in a field related to the function.

* Business model and the market
* Web server and hosting
* Payment processors
* Site owner's personal computer
* Agents of the site owner's computers

This topic is now closed to further replies.