TheTechGuide Forum

General Category => Tech Clinic => Topic started by: Aidan on April 01, 2008, 10:05:38 PM

Title: MSN account information stolen
Post by: Aidan on April 01, 2008, 10:05:38 PM

Hello,
this question may potentially have been posed, if so, I apologize,
the problem is my account password was stolen and while I'm using the program, I get logged out and notified that my account has logged on on another computer. It's some form of spamming thing that takes over my account and spams my contacts
it's been going on on other people's msn's for a long while so it's probably well known.

will it solve my problem if I simply change my password?

Title: MSN account information stolen
Post by: JB Lee on April 01, 2008, 10:09:27 PM

If you have a keylogger then they will see what you change it to. I recommend creating a hijackthis log (http://\"http://www.thetechguide.com/forum/index.php?showtopic=22942\") and posting it for guestolo to take a look at. Once you are certain that your computer is safe, then (providing they do not know your recovery info) changing the password should be sufficient.

Title: MSN account information stolen
Post by: guestolo on April 01, 2008, 11:08:25 PM

I second what JBLee said

Title: MSN account information stolen
Post by: Aidan on April 03, 2008, 07:48:58 PM

Well the MSN website is a piece of crap, and regardless of which computer I go on, I can't seem to access a place where to change my password. Anyway, I posted the log. there are a couple things on there that I think I would get rid of but what do I know.
Thanks for taking a look at my problem and replying to this post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:05:16 PM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\ehome\ehSched.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 (http://\"http://go.microsoft.com/fwlink/?LinkId=54896\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 (http://\"http://go.microsoft.com/fwlink/?LinkId=69157\")
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ehTray] D:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-839522115-1343024091-842925246-501\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-839522115-1343024091-842925246-501 Startup: OpenOffice.org 2.3.lnk = D:\Program Files\OpenOffice.org 2.3\program\quickstart.exe (User 'Guest')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.3.lnk = D:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200795055115 (http://\"http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1200795055115\")
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab (http://\"http://www.sibelius.com/download/software/win/ActiveXPlugin.cab\")
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 5017 bytes

Title: MSN account information stolen
Post by: guestolo on April 03, 2008, 10:53:00 PM

http://www.windows-live-password-recovery....e-password.html (http://\"http://www.windows-live-password-recovery.com/change-windows-live-password.html\")

Title: MSN account information stolen
Post by: Aidan on April 04, 2008, 01:57:13 PM

sigh that's what I was talking about. I went on the site and all it does is show a loading sign and I don't get anything. I dont know what to do anymore

Title: MSN account information stolen
Post by: guestolo on April 04, 2008, 09:14:50 PM

Download [color=\"#FF0000\"]MsnCleaner_eng.zip[/color] (http://\"http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip\")[/url] from here and SAVE it to your desktop
http://www.forospyware.com/Msncleaner/MsnCleaner_eng.zip
You may have to:
(Copy/Paste the URL into the address bar or use "Save Target As")
Unzip the contents to your desktop, don't run it yet

Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

In safe mode

• Double-click MsnCleaner.exe to run it.
  
• Click the Analyze button.
  
• A report will be created once after you finish scan.
• If it finds an infection, click the Deleted button.
  
• Now, please reboot back to normal mode.
• MsnCleaner will create a log>> C:\MsnCleaner.txt, I'll need to see it later.
  

If you have an older version of ComboFix on desktop, delete it
I need you to download this version
Download this file - Combofix.exe (http://\"http://download.bleepingcomputer.com/sUBs/ComboFix.exe\") and save it ONLY to your desktop

Temporarily disable AVAST Anti-Virus so it won't interfere with this next fix
RIGHT CLICK the Avast icon by the clock and select
"Stop on Access Protections">>Ok the prompt

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
By default it will save a copy to C:\Combofix.txt
I'll need to see this log later
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from ComboFix along with the log from MSNCleaner

Title: MSN account information stolen
Post by: guestolo on April 26, 2008, 05:14:32 PM

Locking this topic as there has been no reply