Old 05-18-2009, 04:52 AM   #1 (permalink)
Registered User
 
ITwannabe's Avatar
 
Join Date: Mar 2009
Location: Rural Australia
Posts: 11
OS: Windows XP (Desktop & Laptop)


receiving malicious links on windows Live messenger

Hi guys, I'm not sure if this is where this goes but here we go:

Approximately over the past week, I have been receiving an amount of links from my contacts on windows live messenger.

They usually follow this format: hxxp://site.com/user=<my-email>.jpg and something along the lines of 'IS THIS YOU??'

I make sure to close the conversation window with the link.
I talked to two of my friends and they both said they are receiving similar messages.

One particular contact's account I believe to be phished as he doesn't seem to be 'himself.' As for the contacts that I receive the links from, I'm pretty sure they wouldn't be that 'gullible' to click on one, but they are being sent without their knowledge, i.e. right in the middle of a conversation, I will get a random link from them, and they themselves would not realise.

I did a scan with Norton and it found nothing, I also have not been experiencing any other suspicious happenings such as pop-ups or anything. I believe it is solely related to msn messenger. I am not sure even if it is anything on my computer, but I did the DDS and GMER scans and posted this thread to be safe. I will try and update to the latest version of Live tomorrow night, and see if that makes a difference.

DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by James at 20:31:33.14 on Mon 18/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.61.1033.18.2037.1354 [GMT 10:00]

AV: Norton Internet Security *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\16.5.0.135\IPSBHO.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\16.5.0.135\coIEPlg.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] =
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\james\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\engine\16.5.0.135\CoIEPlg.dll
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\james\applic~1\mozilla\firefox\profiles\rccxg4kw.default\
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-3-21 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-3-21 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-3-21 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090508.002\IDSXpx86.sys [2009-5-9 276344]
R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-3-21 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-25 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090517.021\NAVENG.SYS [2009-5-18 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090517.021\NAVEX15.SYS [2009-5-18 876144]
S3 kbeepm;kbeepm;c:\docume~1\james\locals~1\temp\kbeepm.sys [2008-8-20 15872]

=============== Created Last 30 ================

2009-05-18 19:48 <DIR> --d----- c:\program files\common files\Windows Live
2009-05-14 18:58 12,160 ac------ c:\windows\system32\dllcache\mouhid.sys
2009-05-14 18:58 12,160 a------- c:\windows\system32\drivers\mouhid.sys
2009-05-14 18:58 10,368 ac------ c:\windows\system32\dllcache\hidusb.sys
2009-05-14 18:58 10,368 a------- c:\windows\system32\drivers\hidusb.sys
2009-05-11 16:37 <DIR> --d----- c:\windows\pss
2009-04-18 22:58 244 a---h--- C:\sqmnoopt02.sqm
2009-04-18 22:58 232 a---h--- C:\sqmdata02.sqm

==================== Find3M ====================

2009-05-16 18:08 34 a------- c:\documents and settings\james\jagex_runescape_preferences.dat
2009-03-21 14:16 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-21 14:16 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-21 14:16 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-21 14:16 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-07 00:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-03 10:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-21 04:09 78,336 a------- c:\windows\system32\ieencode.dll

============= FINISH: 20:32:03.57 ===============

Other two logs are attached in the zip as required, thank you.
Attached Files
File Type: zip Attach.zip (3.4 KB, 3 views)
Old 05-18-2009, 06:32 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: receiving malicious links on windows Live messenger

Hello ITwannabe,

These links are being sent to you by your contacts - never from your MSN - to others on your contact list?

If so, it is not your machine that is infected, it is theirs. They need to take care of that right away to protect the rest of their contacts. First thing they can do is change their MSN password.

I do not see any malware, but it would be prudent to run an online scan and see if it reveals anything. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 05-20-2009, 03:35 AM   #3 (permalink)
Registered User
 
ITwannabe's Avatar
 
Join Date: Mar 2009
Location: Rural Australia
Posts: 11
OS: Windows XP (Desktop & Laptop)


Re: receiving malicious links on windows Live messenger

Hi Ried, here is the result of the Kaspersky scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, May 20, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, May 20, 2009 09:13:27
Records in database: 2203655
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 76717
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 01:15:03

No malware has been detected. The scan area is clean.

The selected area was scanned.

--

I've asked a few people on msn and they said they don't receive malicious links from me.

I know my contacts well and it would seem strange that they would all be fooled into clicking an msn link, or maybe they were infected by other means? I trust your judgement as you know what you're talking about. Thank you for your help.

Last edited by ITwannabe; 05-20-2009 at 03:39 AM.
Old 05-20-2009, 05:48 AM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: receiving malicious links on windows Live messenger

Good. All seems fine on your end.

And yes, they could have picked that up other than by clicking on a link sent to them. As I mentioned, the first thing they should all do is change their passwords for MSN Messenger. They should ensure their onboard AVs are up to date and do full system scans with their AV, as well as with a good Anti-Malware program such as Spybot S&D (make sure they read the Tutorial so they understand how to update and immunize the program), or Malwarebytes Anti Malware program.

If their MSN continues to send out links to their contacts, link them to our pre-posting topic and have them post the requested logs.
Old 05-20-2009, 11:59 PM   #5 (permalink)
Registered User
 
ITwannabe's Avatar
 
Join Date: Mar 2009
Location: Rural Australia
Posts: 11
OS: Windows XP (Desktop & Laptop)


Re: receiving malicious links on windows Live messenger

OK, thank you for answering that, if any more happen I will notify them.

Thank you very much.
Old 05-21-2009, 12:09 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: receiving malicious links on windows Live messenger

You're welcome. Take care.
All times are GMT -7. The time now is 05:22 AM.



Copyright 2001 - 2009, Tech Support Forum