
07-31-2008, 06:53 AM
Junior Member
Join Date: Jul 2008
Posts: 5
Potential security problem
Hi everybody, thanks for taking the time to read my question. I reformatted my computer 2 days ago because my msn was sending links to people. I reinstalled MSN messenger 7.5 yesterday and after an hour or two it closed and said that I was signed in at another place. While my msn was still closed, a window of conversation popped up and it was one of my friends that was laughing at my nickname, which was a nickname I wrote several months ago. I had no other version of msn on my computer than the 7.5 and the other messenger that popped up seemed like msn live messenger, the one you sign on without installing it. By that time I already installed AVG and it was working properly. I uninstalled msn 7.5, installed the BETA version 9 of MSN and it did the same thing. Now I could of course allow to sign me in at different computers, but I have security issues since that would allow anyone to connect to my msn without me noticing it. Now I can at least notice because my MSN closes. I run windows XP by the way. Thanks for your help!

07-31-2008, 01:54 PM
Staff Member
Join Date: Nov 2006
Location: Owings Mills, MD
Posts: 918
Hello and welcome to BBB! I'm not sure I understand exactly what you're asking in your post.
Version 9 beta does allow sign in from multiple computers, so obviously if you have the option to disable it (if you intend to continue with the beta version) you would want to (based on the concerns of security you have voiced.)
The latest stable version of WLM is 8.1 not 7.5. Did you try using the latest stable build?
I think the other messenger window you are referring to is Windows Messenger which is a part of XP (but is not in Vista.) If you have both WLM and Windows Messenger set to auto login, theoretically, WLM might log in first, and then Windows Messenger - but since you can't be logged in on the current versions at more than one location, the Windows Messenger could boot your connection to WLM.
I'd suggest making sure Windows Messenger is not set to run at start up. And I'd suggest using the latest stable 8.1 build of WLM since it does not allow for multiple computer login. If I read correctly, I think this will take care of your security concerns.

07-31-2008, 02:45 PM
Senior Member
Join Date: Apr 2003
Location: Portland, OR
Posts: 5,283

07-31-2008, 08:55 PM
Junior Member
Join Date: Jul 2008
Posts: 5
Thank you guys for your quick and pertinent replies. I tried as you say and I think it will work.

08-03-2008, 06:28 PM
Junior Member
Join Date: Jul 2008
Posts: 5
Well, it seems it didn't work. I was pretty sure it did because messenger was effectively installed on windows XP, so I unchecked the box and it was removed but it keeps on unlogging me from time to time, saying that I'm connecting through another computer. Plus the other msn that connects me has the lamest nickname ever I had that I made to make fun of someone, it couldn't have picked another one lol. I can't access the msn window, I know that it has this nickname on the conversation windows when people come to laugh about my nickname. So, if you have other suggestions they are welcome...

08-04-2008, 10:47 AM
Staff Member
Join Date: Nov 2006
Location: Owings Mills, MD
Posts: 918
This sounds more and more like virus/hijacker behaviour to me.
Please run a complete scan with up to date definitions using the following:
*AVG (since you have it on but it does not necessarily mean it's set to update and scan)
*Ad-Aware
*Spy-bot
*SuperAntiSpyware
You can grab all those at Filehippo.
I strongly suggest rebooting in between if they find and clean anything. Also, please make sure you run all of these with your browser closed. I realize this limits what you can do during that time, and this will take several hours - but until we rule out nasties I'm not sure which direction to head with this.
After running all those and removing whatever they find, please download HiJackThis from Filehippo, run and save a logfile. Do not do anything as far as fixing anything at this point. Then, copy and paste the logfile and either post it or PM it to me. If you PM it may take 2-3 of them to get the full logfile sent. Do not send or post it as an attachment.
I still recommend running the latest stable build (8.1) of WLM, and disabling any third party applications you may have installed with it. But obviously, you have something going on and until we can reduce the chance it's virus related - it may be hard to track down. I'll wait to hear back from you.

08-22-2008, 06:38 PM
Junior Member
Join Date: Jul 2008
Posts: 5
Ok, so I ran all the programs you told me to run and here is my logfile from Hijackthis. I can't post URLs since I'm a new member so I deleted them.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:31:56, on 2008-08-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Windows Live\installer\WLSetupSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wisptis.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MOTIVESB.EXE
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = %s - Crawler.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = Internet Explorer Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = Search Assistant
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Internet Explorer Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = Search Assistant
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Barre d'outils &Crawler - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-21-839522115-2111687655-2146884803-1005\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Claude')
O4 - HKUS\S-1-5-21-839522115-2111687655-2146884803-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Claude')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe " -t (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Assistant Internet.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Service Bonjour (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Service de l'iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
--
End of file - 10717 bytes

08-23-2008, 07:04 PM
Staff Member
Join Date: Nov 2006
Location: Owings Mills, MD
Posts: 918
I will take a look at the HJT log, but a proper analysis takes a bit of time. I don't trust online readers - they are a good first stop, but they are not highly reliable.
Quick questions - what is your start page supposed to be and do you use any of the extra toolbars you have installed?

08-24-2008, 12:16 PM
Staff Member
Join Date: Nov 2006
Location: Owings Mills, MD
Posts: 918
Let me start with saying, while I'm fairly familiar with reading HJT logs, I am not an expert. If you have any question about the things I've noted, you should take the time to Google and investigate them and make an informed decision about removing them.
I'd just like to verify a couple of things:
1. You are using Comcast for your internet. I assume from what I can see you are not connecting through a proxy and the proxy entry I've noted below to remove seems to be a hijack of your browser. Please verify that before removing it. Also, you have a large number of start page and search hook items which I have always removed completely from my own logs with no adverse effects.
2. I'm assuming you use and want to keep your Google Toolbar.
3. You choose to have Spyware Terminator and all the associated Crawler files on your machine. Most sites seem to suggest this is Adaware generating, may cause pop-ups, and tracks your online movements and you may want to consider removing it. If so, please do so thru add/remove programs and we can clear out any remaining HiJack This entries after that is done.
That said - please make sure your HJT is set to make a backup of files before fixing anything (in the configuration settings) and with your browser closed run a new scan and put a check in the following items and have HJT fix them.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = %s - Crawler.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = Internet Explorer Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = Search Assistant
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = Internet Explorer Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = Search Assistant
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
If you choose to remove Spyware Terminator, please uninstall it, reboot and rerun the HiJack Log and repost it - there are a large number of entries related to it and the Crawler Toolbar it installs which could potentially come out of here.
Let me know how it goes. I'm not sure if this will help your original problem or not.
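
The triage walked through in the post above (read each HijackThis entry by its section code, then single out orphaned or unexplained ones), as an added Python example that is not part of the original thread or of HijackThis itself. The hint rules and function names are assumptions of this example; the sample lines are copied from the log posted earlier in the thread.

```python
import re

# HijackThis v2 section codes that appear in the log posted in this thread.
SECTIONS = {
    "R0": "IE start/search value", "R1": "IE start/search/proxy value",
    "R3": "URL search hook", "O2": "Browser Helper Object", "O3": "IE toolbar",
    "O4": "autostart entry", "O8": "IE context-menu item",
    "O9": "IE extra button/menu item", "O16": "ActiveX (DPF)",
    "O18": "protocol handler", "O20": "AppInit_DLLs/Winlogon Notify",
    "O23": "service",
}
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Subset of the thread's log, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

def parse(log_text):
    """Return (code, body) per entry line; header and process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def review_hints(code, body):
    """Heuristic reasons (assumptions of this example) to check an entry by hand."""
    low, hints = body.lower(), []
    if "(no file)" in low or "(file missing)" in low:
        hints.append("target file absent")
    if "(no name)" in low and code in ("R3", "O2", "O3"):
        hints.append("unnamed browser add-on")
    if code == "O23" and "unknown owner" in low:
        hints.append("service reported as 'Unknown owner'")
    if code in ("R0", "R1") and "proxy" in low:
        hints.append("proxy setting: confirm a proxy is really used")
    return hints

def triage(log_text):
    """Entries with at least one hint, as (code, section, body, hints)."""
    rows = ((c, SECTIONS.get(c, "other"), b, review_hints(c, b))
            for c, b in parse(log_text))
    return [row for row in rows if row[3]]

if __name__ == "__main__":
    for code, section, body, hints in triage(SAMPLE_LOG):
        print(f"{code:<4}{section:<30}{'; '.join(hints)}\n    {body}")
```

A hint only marks an entry for manual checking before anything is fixed in HijackThis; it is not a verdict that the entry is malicious.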

08-25-2008, 10:02 PM
Junior Member
Join Date: Jul 2008
Posts: 5
I tried everything you said and my MSN still closes by itself often and I get messages from my contacts that tell me that I sent them links that I didn't.