
Author Topic: MSN Messenger hacked  (Read 13747 times)


lucille

  • Guest
MSN Messenger hacked
« on: October 23, 2006, 01:59:09 PM »
I believe someone I know has hacked into my MSN Messenger, since they have information and text that I sent only via Messenger. I found out that there are "sniffer" programs that can monitor live sessions of Messenger. However, my question is, how can I detect whether this happened to me? It seems that these sniffer programs only work in computers that are on the same network, which is not the case here. Any help or info would be greatly appreciated. Thanks.

unlovedwarrior



    Guru

  • someday this name will be known
  • Thanked: 13
    Re: MSN Messenger hacked
    « Reply #1 on: October 23, 2006, 02:09:07 PM »
    more info on your computer plz and the network... what makes you feel that someone has hacked your messenger info??


    unlovedwarrior

    lucille

    • Guest
    Re: MSN Messenger hacked
    « Reply #2 on: October 23, 2006, 03:08:18 PM »
    hi thanks for your prompt reply. i have a laptop, windows xp professional, use a wireless network at home in venezuela, connected to a local isp, i have windows live messenger 7. let me know what other info you need.

    days ago my ex boyfriend sent me via email some text that i had written via messenger to a friend. he claims she copied and pasted this to him via messenger. however, i checked my friend's saved message history and there is nothing of the sort. this person is very computer savvy, it's his job.

    i connect to the internet in my home and he connects through a similar wireless network at home, or at work (don't know what the connection is like there). i have, however, used my computer at his house, which means i connected to his wireless network. but, that was at least a week ago, and i didn't send the text that he picked up, until only a few days ago. this makes me think that he didn't physically look through my computer (since he and my computer haven't been in the same place since i wrote that im) but rather eavesdropped on my conversations. my question is whether this is possible, and whether i have a way to be sure this is what happened.

    i hope this makes sense. thanks again.

    unlovedwarrior



      Guru

    • someday this name will be known
    • Thanked: 13
      Re: MSN Messenger hacked
      « Reply #3 on: October 23, 2006, 03:15:48 PM »
      im not sure but maybe on his network there might be a log kept of the ims you've sent. i know there is a log on ur computer for this. a way to test to see if he does indeed have your information is to send your friend an email with something that seems very personal, maybe something that would get ur ex's attention, then call ur friend and tell him what you are doing so he doesn't get confused.. and see if ur ex contacts you about it.


      also dl spybot search and destroy and Ccleaner update them both and do the scans mainly spybot to see if he put a keylogger on ur computer or any other program of that type

      unlovedwarrior
      « Last Edit: October 23, 2006, 03:17:14 PM by unlovedwarrior »

      chriscool9



        Apprentice

        Thanked: 4
        • Experience: Beginner
        • OS: Mac OS
        Re: MSN Messenger hacked
        « Reply #4 on: October 23, 2006, 03:26:33 PM »
        Yea i was going to say, a keylogger. I'd recommend doing a virus scan just in case. What kind of anti virus do you have?

        Chris

        99 Problems and London's one of them

        JPH



          Intermediate

          • Experience: Experienced
          • OS: Windows 7
          Re: MSN Messenger hacked
          « Reply #5 on: October 23, 2006, 03:28:40 PM »
          Hi lucille, welcome to Computer Hope.
          Are you using encryption (WEP, WPA etc.) or any other security measures (ie MAC Address Filtering) with your wireless network at home? If not, your ex could sit outside your house with a laptop running a packet sniffer and easily capture your messenger conversations.

          - JPH

          unlovedwarrior



            Guru

          • someday this name will be known
          • Thanked: 13
            Re: MSN Messenger hacked
            « Reply #6 on: October 23, 2006, 03:28:45 PM »
            what kind of firewall do you have?? if any

            lucille

            • Guest
            Re: MSN Messenger hacked
            « Reply #7 on: October 23, 2006, 03:55:14 PM »
            hi. i just ran spybot search and destroy. by the way, nod32, spysweeper and counterspy didnt pick up on anything. but spybot found:

            coolwwwsearch.svcinit (two entries: a program file and autorun settings)
            win32.advertmen

            is either of these a keylogger? the info the program is giving me doesnt make it clear

            thanks!

            unlovedwarrior



              Guru

            • someday this name will be known
            • Thanked: 13
              Re: MSN Messenger hacked
              « Reply #8 on: October 23, 2006, 03:58:36 PM »
              no those cause pop ups. as jph asked, what kind of wireless encryption (WEP, WPA etc.) are you using. an easy way to tell if you have any encryption (WEP, WPA etc.) is when you get on your network at anytime did it ask you to put a key in (10-15 character code to access the router)??

              chriscool9



                Apprentice

                Thanked: 4
                • Experience: Beginner
                • OS: Mac OS
                Re: MSN Messenger hacked
                « Reply #9 on: October 23, 2006, 03:59:00 PM »
                I don't think that's anything that could be logging you.
                Also if you could answer our questions it would be a lot easier for us to help you:
                Have you got Anti Virus if so have you done a complete Virus Scan?!
                Are you using a firewall?!?!


                Chris

                99 Problems and London's one of them

                unlovedwarrior



                  Guru

                • someday this name will be known
                • Thanked: 13
                  Re: MSN Messenger hacked
                  « Reply #10 on: October 23, 2006, 03:59:18 PM »
                  Quote
                  hi. i just ran spybot search and destroy. by the way, nod32, spysweeper and counterspy didnt pick up on anything. but spybot found:

                  coolwwwsearch.svcinit (two entries: a program file and autorun settings)
                  win32.advertmen

                  is either of these a keylogger? the info the program is giving me doesnt make it clear

                  thanks!

                  did you remove those??

                  unlovedwarrior



                    Guru

                  • someday this name will be known
                  • Thanked: 13
                    Re: MSN Messenger hacked
                    « Reply #11 on: October 23, 2006, 04:00:09 PM »
                    Quote
                    I don't think that's anything that could be logging you.
                    Also if you could answer our questions it would be a lot easier for us to help you:
                    Have you got Anti Virus if so have you done a complete Virus Scan?!
                    Are you using a firewall?!?!


                    Chris
                    other than the router one and windows firewall
                    « Last Edit: October 23, 2006, 04:01:43 PM by unlovedwarrior »

                    lucille

                    • Guest
                    Re: MSN Messenger hacked
                    « Reply #12 on: October 23, 2006, 04:01:54 PM »
                    unlovedwarrior, i havent removed them yet. i just did the scan. i was afraid if i remove them i would lose proof. first i just wanted to check if they had anything to do with the problem, and then if there was anything i could do to see how they have been affecting my computer, before i remove them. maybe this is not wise...this is why im here ;)

                    unlovedwarrior



                      Guru

                    • someday this name will be known
                    • Thanked: 13
                      Re: MSN Messenger hacked
                      « Reply #13 on: October 23, 2006, 04:03:15 PM »
                      u can remove them... what antivirus do you have?? and firewall and wireless encryption

                      lucille

                      • Guest
                      Re: MSN Messenger hacked
                      « Reply #14 on: October 23, 2006, 04:04:20 PM »
                      i do have antivirus, nod32, like i said. it didnt pick up anything. about the firewall, i use my sister's wireless and have sent the question to her but received no reply yet. i only have the regular windows firewall in my computer. thanks a lot for your help. i am trying my best to answer all the questions.

                      unlovedwarrior



                        Guru

                      • someday this name will be known
                      • Thanked: 13
                        Re: MSN Messenger hacked
                        « Reply #15 on: October 23, 2006, 04:05:34 PM »
                        ok

                        chriscool9



                          Apprentice

                          Thanked: 4
                          • Experience: Beginner
                          • OS: Mac OS
                          Re: MSN Messenger hacked
                          « Reply #16 on: October 23, 2006, 04:40:27 PM »
                          If I'm honest I don't think this is a P.C. matter. I think that you should talk to your friend and try and get to the bottom of it....
                          Maybe it's just me, but that's what it's looking like....


                          Chris

                          99 Problems and London's one of them

                          Michael232

                          • Guest
                          Re: MSN Messenger hacked
                          « Reply #17 on: October 24, 2006, 08:00:10 AM »
                          Quote
                          i checked my friend's saved message history and there is nothing of the sort.

                          so, you think your msn conversation was hacked because of?

                          Remember that your friend's saved message history isn't more than an XML file in which you can access, read, add, modify and delete information very easily with any XML editing program, and also with programs that are not XML editors, such as Notepad or Word.

                          patio

                          • Moderator


                          • Genius
                          • Maud' Dib
                          • Thanked: 1769
                            • Yes
                          • Experience: Beginner
                          • OS: Windows 7
                          Re: MSN Messenger hacked
                          « Reply #18 on: October 25, 2006, 03:12:20 PM »
                          Quote
                          If I'm honest I don't think this is a P.C. matter. I think that you should talk to your friend and try and get to the bottom of it....
                          Maybe it's just me, but that's what it's looking like....


                          Chris

                          Very good point Chris...i agree.
                          " Anyone who goes to a psychiatrist should have his head examined. "

                          lucille

                          • Guest
                          Re: MSN Messenger hacked
                          « Reply #19 on: October 25, 2006, 10:53:11 PM »
                          SOLVED!

                          Hello everyone. I wanted to let you know that the mystery was finally solved. My ex-boyfriend came over today and confessed everything. Months ago he sent me (over email) a file that he said contained pictures. It did, but it also contained a program that collected messenger info and emailed it to him once a week. When he emailed it to me he said to change the .ese after the name to .exe. Dummy that I am, I trusted him and opened it. I saw the pictures and I figured that was all it contained.

                          Unlovedwarrior, I want to thank you because your suggestion of downloading spybot did the trick. Apparently, it was the coolwwwsearch.svcinit. I installed the hacker program again just to see, and then ran spybot again, and sure enough, it found it once more. So, thank you. Even though he confessed today, your suggestion of dl spybot bought me some days of privacy. Plus, now I am much better protected should this happen to me again.

                          My love life may leave something to be desired, but my computer is finally safe again! Thank you all for your help and creative and prompt suggestions.

                          unlovedwarrior



                            Guru

                          • someday this name will be known
                          • Thanked: 13
                            Re: MSN Messenger hacked
                            « Reply #20 on: October 25, 2006, 10:56:40 PM »
                            im glad i could help.. i figured it was something along those lines cuz i didnt for my computer to see what my brothers were viewing

                            Raptor

                            • Guest
                            Re: MSN Messenger hacked
                            « Reply #21 on: October 25, 2006, 11:58:43 PM »
                            And our noble unloved warrior saves another damsel in distress...

                            Run the kill, unloved!

                            unlovedwarrior



                              Guru

                            • someday this name will be known
                            • Thanked: 13
                              Re: MSN Messenger hacked
                              « Reply #22 on: October 26, 2006, 12:00:28 AM »
                              lol....

                              JPH



                                Intermediate

                                • Experience: Experienced
                                • OS: Windows 7
                                Re: MSN Messenger hacked
                                « Reply #23 on: October 26, 2006, 01:22:16 AM »
                                I hate to rain on the parade here but... :-/

                                CoolWebSearch is spyware/adware, more accurately it is a browser hijacker. It is custom malware that only serves the agenda of the scumbags at CoolWebSearch and their partners. Meaning it is NOT a program like your ex described that would collect messenger info and email it to him like a keylogger (see SpyBuddy and Actual Spy for example). I'm willing to bet that the CWS entries that Spybot is detecting are a totally different issue altogether. CWS.Svcint was the 12th CoolWWWSearch variant recorded in the wild (there are well over 50 variants) and there are at least 4 or 5 variants of CWS.Svcint itself. None of them, I repeat NONE of them, collect messenger info and send that info to your ex's email. In other words, chances are whatever monitoring software your ex is using to monitor your conversations is NOT CoolWebSearch and is most likely still on your computer.

                                At the very least you should download CWShredder and run a scan to make sure that Spybot completely removed all traces of CWS. It can be very difficult to completely eradicate and has the ability to restore itself if all traces aren't removed.

                                Also, if you want to be certain that your ex isn't still monitoring you, download HiJackThis, do a scan and post the generated logfile here so that we can analyze it and make sure that nothing nasty is still running on your computer.

                                Just my 2 cents... ;)

                                - JPH

                                unlovedwarrior



                                  Guru

                                • someday this name will be known
                                • Thanked: 13
                                  Re: MSN Messenger hacked
                                  « Reply #24 on: October 26, 2006, 08:19:06 AM »
                                  or just bust out your shiny ms cd and reformat...

                                  Raptor

                                  • Guest
                                  Re: MSN Messenger hacked
                                  « Reply #25 on: October 26, 2006, 04:09:15 PM »
                                  Quote
                                  or just bust out your shiny ms cd and reformat...

                                  He's picking up on Fed's sarcasm!

                                  unlovedwarrior



                                    Guru

                                  • someday this name will be known
                                  • Thanked: 13
                                    Re: MSN Messenger hacked
                                    « Reply #26 on: October 26, 2006, 04:14:16 PM »
                                    it tends to happen when you hear a lot lol :P

                                    unlovedwarrior



                                      Guru

                                    • someday this name will be known
                                    • Thanked: 13
                                      Re: MSN Messenger hacked
                                      « Reply #27 on: October 26, 2006, 04:15:40 PM »
                                      did she ever post a hjt log for us??

                                      JPH



                                        Intermediate

                                        • Experience: Experienced
                                        • OS: Windows 7
                                        Re: MSN Messenger hacked
                                        « Reply #28 on: October 26, 2006, 09:34:40 PM »
                                        Quote
                                        did she ever post a hjt log for us??
                                        Nope. She thinks her problem is completely...

                                        Quote
                                        SOLVED!

                                        Fed

                                        • Moderator


                                        • Sage
                                        • Thanked: 35
                                          • Experience: Experienced
                                          • OS: Windows XP
                                          Re: MSN Messenger hacked
                                          « Reply #29 on: October 26, 2006, 11:52:27 PM »
                                          I hope Lucille comes back, she could be sending her keystrokes to her X for years to come. :o

                                          GX1_Man

                                          • Guest
                                          Re: MSN Messenger hacked
                                          « Reply #30 on: October 27, 2006, 04:17:25 AM »
                                          He just likes her keystrokes.

                                          Raptor

                                          • Guest
                                          Re: MSN Messenger hacked
                                          « Reply #31 on: October 27, 2006, 05:06:23 PM »
                                          Quote
                                          He just likes her keystrokes.

                                          Haha..  :D

                                          lucille

                                          • Guest
                                          Re: MSN Messenger hacked
                                          « Reply #32 on: October 30, 2006, 04:00:07 PM »
                                          You guys are funny. I've been away for a few days and come back to find that you've been having whole conversations about this. Well, that's cool. I appreciate the interest.

                                          Yes, it is definitely weird that the program was listed by spybot under coolwwwsearch. If I open the item it actually says:
                                          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MsSystem

                                          My ex designed this program with his friend, and MsSystem is the name he gave it. I don't know why SpyBot categorized it under CoolWWWSearch. I installed (again) the program he sent and found that MsSystem appeared in the registry. So, it seems like that's it. Then I ran SpyBot again and it got rid of it once more. He had sent me two different email attachments. I uninstalled the first program (called Photos because he had sent it together with some pics so that I wouldn't suspect). That seems to have gotten rid of it.

                                          Needless to say, I am still concerned that there might be something else missing that I have overlooked. I will download hijackthis and post the results here, just in case. Again, thanks for your help.

                                          lucille

                                          • Guest
                                          Re: MSN Messenger hacked
                                          « Reply #33 on: October 30, 2006, 06:55:19 PM »
                                          Here's the log file generated by Hijackthis. Thanks.

                                          GX1_Man

                                          • Guest
                                          Re: MSN Messenger hacked
                                          « Reply #34 on: October 30, 2006, 07:31:36 PM »
                                          You should ALWAYS run your scans in safe mode with system restore turned off as well (in case there is something hiding in there, ready to reinfect!). ;)

                                          JPH



                                            Intermediate

                                            • Experience: Experienced
                                            • OS: Windows 7
                                            Re: MSN Messenger hacked
                                            « Reply #35 on: November 01, 2006, 10:04:56 PM »
                                            Sorry, I've been away a few days.

                                            Lucille, I don't see anything bad in your logfile unless something malicious is posing as a legitimate program. Can you please do a HJT scan in safe mode as well and post that logfile too? BTW, do you have a webcam?

                                            I would also suggest that if you still have the file that your ex sent you, you should upload it to these two online malware scanners and post the results here if anything is detected.

                                            http://www.virustotal.com

                                            http://virusscan.jotti.org


                                            lucille

                                            • Guest
                                            Re: MSN Messenger hacked
                                            « Reply #36 on: November 02, 2006, 11:58:11 AM »
                                            Thanks so much for taking the time to look over the logfile, JPH. I need to figure out how to run hijackthis in safe mode. I'll post the logfile again as soon as I do.

                                            In the meantime, I scanned one of the two files my ex sent, on virustotal.com. Here are the results. I still have the file in my computer. It's an .exe file, but I already uninstalled the program. I just kept it around so I could do things like scan it and learn more about it. Is it harming my computer to have it at all? Maybe I should copy it to a CD just in case.

                                            Thanks again. I'll do the same with jotti.org and post results.

                                            Oh, yes I do have a webcam.

                                            Antivirus           Version         Update      Result
                                            AntiVir             7.2.0.37        11.02.2006  no virus found
                                            Authentium          4.93.8          11.02.2006  no virus found
                                            Avast               4.7.892.0       11.02.2006  no virus found
                                            AVG                 386             11.02.2006  no virus found
                                            BitDefender         7.2             11.01.2006  no virus found
                                            CAT-QuickHeal       8.00            11.02.2006  no virus found
                                            ClamAV              devel-20060426  11.02.2006  no virus found
                                            DrWeb               4.33            11.02.2006  no virus found
                                            eTrust-InoculateIT  23.73.43        11.02.2006  no virus found
                                            eTrust-Vet          30.3.3174       11.02.2006  no virus found
                                            Ewido               4.0             11.02.2006  no virus found
                                            Fortinet            2.82.0.0        11.02.2006  suspicious
                                            F-Prot              3.16f           11.01.2006  no virus found
                                            F-Prot4             4.2.1.29        11.02.2006  no virus found
                                            Ikarus              0.2.65.0        11.02.2006  no virus found
                                            Kaspersky           4.0.2.24        11.02.2006  no virus found
                                            McAfee              4886            11.01.2006  no virus found
                                            Microsoft           1.1609          11.02.2006  no virus found
                                            NOD32v2             1.1849          11.02.2006  no virus found
                                            Norman              5.80.02         11.02.2006  no virus found
                                            Panda               9.0.0.4         11.02.2006  no virus found
                                            Sophos              4.10.0          10.26.2006  no virus found
                                            TheHacker           6.0.1.111       11.02.2006  no virus found
                                            UNA                 1.83            11.01.2006  Trojan.Spy.Win32.Bancos.13F5
                                            VBA32               3.11.1          11.01.2006  TR.Spy.Banco.FR.2.C
                                            VirusBuster         4.3.15:9        11.02.2006  no virus found

                                            lucille

                                            • Guest
                                            Re: MSN Messenger hacked
                                            « Reply #37 on: November 02, 2006, 12:46:13 PM »
                                            These are the results for the second file:

                                            AntiVir             7.2.0.37        11.02.2006  HEUR/Malware
                                            Authentium          4.93.8          11.02.2006  no virus found
                                            Avast               4.7.892.0       11.02.2006  no virus found
                                            AVG                 386             11.02.2006  no virus found
                                            BitDefender         7.2             11.02.2006  no virus found
                                            CAT-QuickHeal       8.00            11.02.2006  no virus found
                                            ClamAV              devel-20060426  11.02.2006  no virus found
                                            DrWeb               4.33            11.02.2006  no virus found
                                            eTrust-InoculateIT  23.73.43        11.02.2006  no virus found
                                            eTrust-Vet          30.3.3174       11.02.2006  no virus found
                                            Ewido               4.0             11.02.2006  no virus found
                                            Fortinet            2.82.0.0        11.02.2006  no virus found
                                            F-Prot              3.16f           11.01.2006  no virus found
                                            F-Prot4             4.2.1.29        11.02.2006  no virus found
                                            Ikarus              0.2.65.0        11.02.2006  no virus found
                                            Kaspersky           4.0.2.24        11.02.2006  no virus found
                                            McAfee              4887            11.02.2006  no virus found
                                            Microsoft           1.1609          11.02.2006  no virus found
                                            NOD32v2             1.1850          11.02.2006  no virus found
                                            Norman              5.80.02         11.02.2006  no virus found
                                            Panda               9.0.0.4         11.02.2006  Suspicious file
                                            Sophos              4.10.0          10.26.2006  no virus found
                                            TheHacker           6.0.1.111       11.02.2006  no virus found
                                            UNA                 1.83            11.02.2006  no virus found
                                            VBA32               3.11.1          11.01.2006  no virus found
                                            VirusBuster         4.3.15:9        11.02.2006  no virus found
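
Added example, not part of the original thread: a small Python parser for result rows in the layout pasted in the two posts above (engine, version, update date, verdict). It separates named-signature hits from heuristic flags and lists engines whose signatures lag the rest. The bucket rule, the 3-day lag threshold and all function names are assumptions of this example; the sample rows are a subset copied from the two posts.

```python
import re
from collections import Counter
from datetime import datetime

# Row layout used in the posts: engine, version, update date (MM.DD.YYYY), verdict.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")

# Subset of the rows lucille posted for the first file.
FILE_1 = """\
Antivirus Version Update Result
Fortinet 2.82.0.0 11.02.2006 suspicious
Kaspersky 4.0.2.24 11.02.2006  no virus found
Microsoft 1.1609  11.02.2006  no virus found
NOD32v2 1.1849 11.02.2006  no virus found
Sophos 4.10.0 10.26.2006  no virus found
UNA 1.83 11.01.2006 Trojan.Spy.Win32.Bancos.13F5
VBA32 3.11.1 11.01.2006 TR.Spy.Banco.FR.2.C
VirusBuster 4.3.15:9 11.02.2006 no virus found
"""

# Subset of the rows posted for the second file.
FILE_2 = """\
AntiVir 7.2.0.37 11.02.2006 HEUR/Malware
Kaspersky 4.0.2.24 11.02.2006  no virus found
NOD32v2 1.1850 11.02.2006  no virus found
Panda 9.0.0.4 11.02.2006 Suspicious file
Sophos 4.10.0 10.26.2006  no virus found
UNA 1.83 11.02.2006  no virus found
VBA32 3.11.1 11.01.2006  no virus found
"""


def classify(verdict):
    """Bucket a verdict string (this rule is an assumption of the example)."""
    v = verdict.strip().lower()
    if v == "no virus found":
        return "clean"
    if "suspicious" in v or v.startswith("heur"):
        return "heuristic"  # generic flag, no family name attached
    return "named"          # engine matched a specific signature


def parse_report(text):
    """Parse rows into dicts; the header and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        engine, version, updated, verdict = m.groups()
        rows.append({
            "engine": engine,
            "version": version,
            "updated": datetime.strptime(updated, "%m.%d.%Y").date(),
            "verdict": verdict,
            "kind": classify(verdict),
        })
    return rows


def stale_engines(rows, max_lag_days=3):
    """Engines whose signature date trails the newest date in the report."""
    if not rows:
        return []
    newest = max(r["updated"] for r in rows)
    return sorted(r["engine"] for r in rows
                  if (newest - r["updated"]).days > max_lag_days)


def triage(rows):
    """Summarise a report. A low hit count is not read as 'clean': a
    purpose-built program has no signature in most engines, so a single
    named or heuristic hit is enough to keep investigating."""
    kinds = Counter(r["kind"] for r in rows)
    if kinds["named"]:
        level = "named-detection"
    elif kinds["heuristic"]:
        level = "heuristic-only"
    else:
        level = "no-detections"
    return {
        "engines": len(rows),
        "named": kinds["named"],
        "heuristic": kinds["heuristic"],
        "clean": kinds["clean"],
        "flagged": [(r["engine"], r["verdict"]) for r in rows if r["kind"] != "clean"],
        "stale": stale_engines(rows),
        "level": level,
    }


if __name__ == "__main__":
    for name, text in (("file 1", FILE_1), ("file 2", FILE_2)):
        print(name, triage(parse_report(text)))
```
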

                                            chriscool9



                                              Apprentice

                                              Thanked: 4
                                              • Experience: Beginner
                                              • OS: Mac OS
                                              Re: MSN Messenger hacked
                                              « Reply #38 on: November 02, 2006, 02:10:27 PM »
                                              Quote
                                              Thanks so much for taking the time to look over the logfile, JPH. I need to figure out how to run hijackthis in safe mode. I'll post the logfile again as soon as I do.

                                              In the meantime, I scanned one of the two files my ex sent, on virustotal.com. Here are the results. I still have the file in my computer. It's an .exe file, but I already uninstalled the program. I just kept it around so I could do things like scan it and learn more about it. Is it harming my computer to have it at all? Maybe I should copy it to a CD just in case.

                                              Thanks again. I'll do the same with jotti.org and post results.

                                              Oh, yes I do have a webcam.

                                              Antivirus Version Update Result
                                              AntiVir 7.2.0.37 11.02.2006  no virus found
                                              Authentium 4.93.8 11.02.2006  no virus found
                                              Avast 4.7.892.0 11.02.2006  no virus found
                                              AVG 386 11.02.2006  no virus found
                                              BitDefender 7.2 11.01.2006  no virus found
                                              CAT-QuickHeal 8.00 11.02.2006  no virus found
                                              ClamAV devel-20060426 11.02.2006  no virus found
                                              DrWeb 4.33 11.02.2006  no virus found
                                              eTrust-InoculateIT 23.73.43 11.02.2006  no virus found
                                              eTrust-Vet 30.3.3174 11.02.2006  no virus found
                                              Ewido 4.0 11.02.2006  no virus found
                                              Fortinet 2.82.0.0 11.02.2006 suspicious
                                              F-Prot 3.16f 11.01.2006  no virus found
                                              F-Prot4 4.2.1.29 11.02.2006  no virus found
                                              Ikarus 0.2.65.0 11.02.2006  no virus found
                                              Kaspersky 4.0.2.24 11.02.2006  no virus found
                                              McAfee 4886 11.01.2006  no virus found
                                              Microsoft 1.1609  11.02.2006  no virus found
                                              NOD32v2 1.1849 11.02.2006  no virus found
                                              Norman 5.80.02 11.02.2006  no virus found
                                              Panda 9.0.0.4 11.02.2006  no virus found
                                              Sophos 4.10.0 10.26.2006  no virus found
                                              TheHacker 6.0.1.111 11.02.2006  no virus found
UNA 1.83 11.01.2006 Trojan.Spy.Win32.Bancos.13F5
                                              VBA32 3.11.1 11.01.2006 TR.Spy.Banco.FR.2.C
                                              VirusBuster 4.3.15:9 11.02.2006 no virus found

I'm no expert but that doesn't sound good... I'm sure JPH will know though. However, until he arrives I'll look into it for you.


                                              Chris

                                              Edit: http://www.sophos.com/virusinfo/analyses/trojbancoscg.html   Look at its 'side effects'. Is the file that contains this trojan the one that you suspected?!
                                              « Last Edit: November 02, 2006, 02:16:32 PM by chriscool9 »

                                              99 Problems and London's one of them

                                              JPH



                                                Intermediate

                                                • Experience: Experienced
                                                • OS: Windows 7
                                                Re: MSN Messenger hacked
                                                « Reply #39 on: November 02, 2006, 08:43:08 PM »
Yeah, that's a nasty one. Not only is it a keylogger/password stealer but it also installs a backdoor. It also has the ability to inject itself into other processes. There are a lot of different variants as well. Not only that but your ex has gone out of his way to modify it to avoid detection; as you can see, most of the scanners didn't pick up anything... including NOD32, the AV you're using. Anyway, to get into safe mode you need to tap the F8 key while your computer is booting up and then choose safe mode from the available options. Everything will look different in safe mode but don't worry, that's normal. Once in safe mode, also check the C:\WINDOWS\system folder for a file named "windll.dll"; if it's there, delete it.
                                                As GX1_Man said, you should always run all scans in safe mode with system restore turned off. So go ahead and update all the scanners before booting into safe mode so you can do full scans with them all while you're there.

                                                - JPH


                                                « Last Edit: November 02, 2006, 11:42:15 PM by JPH »

                                                Fed

                                                • Moderator


                                                • Sage
                                                • Thanked: 35
                                                  • Experience: Experienced
                                                  • OS: Windows XP
                                                  Re: MSN Messenger hacked
                                                  « Reply #40 on: November 02, 2006, 11:26:45 PM »
                                                  How could a virus be missed by all those scans and picked up by...
                                                  Antivirus UNA (The Ukrainian National Antivirus®)  :o
                                                  Could it be a plot  :-?

                                                  JPH



                                                    Intermediate

                                                    • Experience: Experienced
                                                    • OS: Windows 7
                                                    Re: MSN Messenger hacked
                                                    « Reply #41 on: November 02, 2006, 11:47:46 PM »
                                                    Quote
                                                    How could a virus be missed by all those scans and picked up by...
                                                    Antivirus UNA (The Ukrainian National Antivirus®)  :o
                                                    Could it be a plot  :-?
                                                    Yeah, only that and VBA32 (VirusBlokAda) from the Republic of Belarus. The other file he sent her was also only detected by two scanners as well but not as anything specific:
                                                    AntiVir 7.2.0.37 11.02.2006 HEUR/Malware
                                                    Panda 9.0.0.4 11.02.2006 Suspicious file
                                                    « Last Edit: November 02, 2006, 11:48:37 PM by JPH »
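Added example (not written by any poster in this thread): a small Python parser for the "engine, version, update date, result" lines posted above, which separates family-named detections from generic or heuristic flags and from clean verdicts. The function names and the verdict labels are assumptions made for this illustration; the sample rows are copied from the two listings in the thread.

```python
import re

# Rows copied from the scan listing posted earlier in this thread
# (engine, engine version, signature update date, result).
FIRST_FILE = """\
Fortinet 2.82.0.0 11.02.2006 suspicious
Kaspersky 4.0.2.24 11.02.2006  no virus found
Microsoft 1.1609  11.02.2006  no virus found
NOD32v2 1.1849 11.02.2006  no virus found
UNA 1.83 11.01.2006 Trojan.Spy.Win32.Bancos.13F5
VBA32 3.11.1 11.01.2006 TR.Spy.Banco.FR.2.C
VirusBuster 4.3.15:9 11.02.2006 no virus found
"""
# The two hits quoted for the second file in the reply above.
SECOND_FILE = """\
AntiVir 7.2.0.37 11.02.2006 HEUR/Malware
Panda 9.0.0.4 11.02.2006 Suspicious file
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4})\s+(.+?)\s*$")
GENERIC = re.compile(r"suspicious|heur|generic", re.IGNORECASE)

def parse_rows(text):
    """Return one dict per result line; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        engine, version, sig_date, result = m.groups()
        if result.lower() == "no virus found":
            verdict = "clean"
        elif GENERIC.search(result):
            verdict = "heuristic"   # generic/heuristic flag, no family named
        else:
            verdict = "named"       # engine reported a specific family name
        rows.append({"engine": engine, "version": version, "sig_date": sig_date,
                     "result": result, "verdict": verdict})
    return rows

def summarize(rows):
    """Count verdicts; any non-clean verdict means the file still needs follow-up."""
    counts = {"clean": 0, "heuristic": 0, "named": 0}
    for r in rows:
        counts[r["verdict"]] += 1
    named = {r["engine"]: r["result"] for r in rows if r["verdict"] == "named"}
    return {"counts": counts, "named": named,
            "needs_followup": counts["clean"] < len(rows)}

if __name__ == "__main__":
    for label, text in (("first file", FIRST_FILE), ("second file", SECOND_FILE)):
        print(label, summarize(parse_rows(text)))
```

A majority of "no virus found" rows does not clear a file here: `needs_followup` is set as soon as a single engine reports anything other than clean.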

                                                    lucille

                                                    • Guest
                                                    Re: MSN Messenger hacked
                                                    « Reply #42 on: November 03, 2006, 07:56:58 AM »
                                                    Yes, I think it is odd that only two of the antiviruses caught it. Also, when I initially removed it from my computer, Spysweeper missed it and Spybot identified it under CoolWWWSearch.  

                                                    I wonder if this is because the software was developed by my ex and his friend. Maybe these AVs are detecting it because it behaves similarly to other spyware, but it's not exactly the same? Could this explain it?

                                                    My ex explained (not that I trust what he says, but it's information and I will use it if it proves to be helpful) that the software was developed using Visual Basic 6. The first file installs the Visual Basic "Libraries" (sorry if the terminology is wrong here; he explained this in Spanish) and the second file is what has the info to make it actually work. He said the program also works with the existing MSN libraries, and that it sits on the "port" and grabs incoming and outgoing messenger messages.

This is an image of the first file he sent, which opens up a program that installs itself in a folder called Fotos. He sent the program together with photographs, so that when I opened the folder to see the pictures the program would create a folder called Fotos, where it would save all of the photos, and the program as well. He says that the first file is needed for it to work, but the second file is the actual spyware.

                                                    Spybot found and got rid of the second file, which installed MsSystem (that's what he named it) in the registry. Then, using Add or Remove Programs, I uninstalled the program called "Fotos" from my computer.

                                                    So, would this explain the contradictory AV findings? Should I install VBA or UNA and scan my whole computer to make sure I'm in the clear?


                                                    unlovedwarrior



                                                      Guru

                                                    • someday this name will be known
                                                    • Thanked: 13
                                                      Re: MSN Messenger hacked
                                                      « Reply #43 on: November 03, 2006, 08:31:28 AM »
Is your ex a programmer, or does he just like screwing with code?

                                                      lucille

                                                      • Guest
                                                      Re: MSN Messenger hacked
                                                      « Reply #44 on: November 03, 2006, 10:17:52 AM »
He knows how to program. He's a systems engineer.

I just downloaded and ran VBA32 and it found the Banco Trojan as well as another one. I'm running it again in safe mode. How trustworthy is this antivirus? I am afraid to delete, in case of a false positive.

                                                      lucille

                                                      • Guest
                                                      Re: MSN Messenger hacked
                                                      « Reply #45 on: November 03, 2006, 11:31:35 AM »
                                                      I just ran VBA32 in safe mode and it found:

                                                      AdWare.Win32.Dm.n in the location D:\j386\Apps\App07888\luregwmi.exe

                                                      TR.Spy.Banco.FR.2.C in the location C:\WINDOWS\system32\SMTP.ocx

                                                      Is it safe to delete these?
                                                      What else do I need to do to keep my computer safe?

                                                      Thanks!

                                                      unlovedwarrior



                                                        Guru

                                                      • someday this name will be known
                                                      • Thanked: 13
                                                        Re: MSN Messenger hacked
                                                        « Reply #46 on: November 03, 2006, 11:32:48 AM »
Don't open anything that you don't trust without scanning it first.

                                                        Fed

                                                        • Moderator


                                                        • Sage
                                                        • Thanked: 35
                                                          • Experience: Experienced
                                                          • OS: Windows XP
                                                          Re: MSN Messenger hacked
                                                          « Reply #47 on: November 03, 2006, 01:17:12 PM »
                                                          I hate to say this but I'd reformat and start again. *OUCH!*
                                                          I wouldn't save anything that he has sent you.
                                                          Then go and change every password you have ever used.
                                                          Even if you rid your computer of everything he sent you, he still knows too much already.

                                                          GX1_Man

                                                          • Guest
                                                          Re: MSN Messenger hacked
                                                          « Reply #48 on: November 04, 2006, 05:56:23 AM »
                                                          Quote
I hate to say this but I'd reformat and start again. *OUCH!*
                                                          I wouldn't save anything that he has sent you.
                                                          Then go and change every password you have ever used.
                                                          Even if you rid your computer of everything he sent you, he still knows too much already.


                                                          Sorry, Fed. I know that does hurt you.  :'( :'( :'( :'(

                                                          JPH



                                                            Intermediate

                                                            • Experience: Experienced
                                                            • OS: Windows 7
                                                            Re: MSN Messenger hacked
                                                            « Reply #49 on: November 06, 2006, 07:02:44 AM »
                                                            Lucille, I don't know what you decided to do but yes it is safe for you to delete those two files. The SMTP.ocx file is the library file that your ex talked about that gives his malware the ability to e-mail information to him. I agree that reformatting and installing Windows again is the only way to be 100% certain that your computer is no longer compromised. If that simply isn't an option for you then you can still boot into safe mode and run HJT and post the logfile here and I will have a look at it for you.

                                                            - JPH
                                                            « Last Edit: November 06, 2006, 07:03:16 AM by JPH »