fetuz
Cadet
Joined: Jun 12, 2008 Posts: 2 Location: USA
Posted: Thu Jun 12, 2008 10:23 pm Post subject: PayPal HTW?
So it seems that someone got my PayPal password. I'm asking for your guys' advice because I'm actually pretty stumped on how it was stolen. I'd never fall for a phishing site or email and even if I would, I simply haven't gotten any phishing emails so I've ruled that out. The only thing I know is, I bought something with "Buy It Now" on eBay last night around 11pm. I paid for it with PayPal and went to bed. This morning I found that someone had sent themselves a nice amount of money from my PayPal account. The last time I used PayPal before that was a couple weeks ago so I can only assume that this is related to last night's purchase...somehow. I thought maybe I had a trojan or something - which seems unlikely since I use Firefox and I never really download any apps or appZ. But I did a full scan with McAfee and AVG and they found nothing. I NOW have Sunbelt Firewall running and it's not detecting any weird outgoing connections. Lastly, my PayPal password was unique and impossible to be guessed and pretty hard to brute-force. I checked if my local DNS had been modified - it doesn't seem to be and I can ping PayPal at their real IP.
Any ideas? I'm pretty perplexed! Unless it's that guy with the binoculars across the street....
 |
moike
PIRT Handler Premium Member
Joined: May 26, 2006 Posts: 1873
Posted: Fri Jun 13, 2008 1:29 am Post subject:
One possibility is local malware acting as a keylogger, etc. I'm guessing that this is unlikely because of Firefox and AVG, and not downloading anything.
One possibility is that the "Buy It Now" button was corrupted via JavaScript in the listing. eBay still has cases where malicious users can embed JavaScript in their listings to manipulate end users in various ways - generally nothing as serious as this. What is the listing #? If the listing contained malicious JavaScript, it may still be present in the listing.
(Or you may PM the listing # to me if you don't want to post it publicly).
 |
moike
PIRT Handler Premium Member
Joined: May 26, 2006 Posts: 1873
Posted: Fri Jun 13, 2008 3:49 am Post subject:
Thanks for the listing #s - the one with the high number of feedback was straightforward and had no JavaScript.
The one with 128 feedback had JavaScript for 2 auction helper sites: auctiva.com and sellathon.com. Everything appeared OK - the script was concerned only with trying to track the auction on the helper sites, and did not try to manipulate the Buy It Now button. I checked his other listing and the Buy It Now button took me to eBay with no hidden redirect.
There's only the wonderment that a guy with 2 active listings and 128 sales in 5 years needs all this auction help - all the fluff only detracts from his listing. But otherwise, that seller and listing pass the legitimate feel test.
So, I have no answer here.
 |
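One way to repeat the check described in the post above on a saved copy of a listing's HTML, as an added example that is not part of the thread and not the poster's own tooling: it lists third-party script hosts, links or forms that leave eBay, and inline scripts that touch navigation. The trusted-host suffix, the token list and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_SUFFIXES = ("ebay.com",)  # assumption: hosts treated as first-party
NAV_TOKENS = ("location", ".href", ".action", "onclick")  # assumption: review hints
# Constructed sample listing (not taken from any real listing).
SAMPLE = """<script src="http://tracker.example/count.js"></script>
<a href="http://www.ebay.com/buy?item=1">Buy It Now</a>
<a href="http://pay.example/checkout">Buy It Now</a>
<script>var u = document.location.href; track(u);</script>"""


def is_trusted(url):
    """Relative URLs and http(s) hosts under a trusted suffix are first-party."""
    u = urlparse(url)
    if not u.scheme and not u.netloc:
        return True
    host = (u.hostname or "").lower()
    return u.scheme in ("http", "https", "") and any(
        host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


class ListingAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.script_hosts = set()   # third-party hosts serving script
        self.offsite_targets = []   # (tag, url) for links/forms leaving eBay
        self.inline_flags = []      # inline script text that touches navigation
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src and not is_trusted(src):
                self.script_hosts.add(urlparse(src).hostname or src)
        target = a.get({"a": "href", "form": "action"}.get(tag, ""))
        if target and not is_trusted(target):
            self.offsite_targets.append((tag, target))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and any(t in data for t in NAV_TOKENS):
            self.inline_flags.append(data.strip())


def audit(html):
    parser = ListingAudit()
    parser.feed(html)
    parser.close()
    return parser
```

A flagged inline script is only a prompt for manual reading: tracking code like the sample reads `location.href` without changing where any button leads.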
fetuz
Cadet
Joined: Jun 12, 2008 Posts: 2 Location: USA
Posted: Fri Jun 13, 2008 4:19 am Post subject:
Thank you for taking the time - it's much appreciated. This is quite a puzzler - I've been thinking about it all day! Yes, the eBay listings look pretty sanitary. Spybot, AVG, McAfee, and Sunbelt Firewall suspect nothing on my PC. Have you heard of a trojan that removes itself after it gets what it wants? Not me, usually they are pretty greedy.
Even if it was a home-grown (no common signature) key logger, Sunbelt should still pick it up when it phones home. Pretty weird!