ADD Forums - Attention Deficit Hyperactivity Disorder Support and Information Resources Community  

#1  Old 01-10-04, 07:05 PM
Andrew (The Guy Behind the Curtain)
Join Date: Jul 2002 | Location: New York, NY, USA | Posts: 13,134
Yahoo Messenger Hack...Please offer help

This message was posted by another user on a different forum, but deserves to be repeated here....

Posted: Sat Jan 10, 2004 9:47 am

--------------------------------------------------------------------------------
I was looking through the pages and I didn't find anything about my problem, so I am going to post a new topic and hope I don't anger anyone by doing so.... I have a BIG problem with Yahoo! Messenger and there is no place on the messenger site to ask for help. So I turn to the very smart people in the cheetachat forums for help....Maybe someone knows something about my problem.

Someone has taken the liberty of placing some file in with my messenger which allows them to have my password, my screen name and my IP address. When I log into my Yahoo Messenger an instant message flashes up and disappears before I can see what it says... And when I came back the next day after taking a file from someone, my password had been changed! So I changed it back and was looking through my archives when I saw a folder in there to someone named saucy_mitch and I opened it and saw this: usagi_dumpling_tsukino(9:31:31PM): This ID Hacked by : Magic-PS v1.42===>USER=usagi_dumpling_tsukino PASS=****** IP= ***.***.***

Of course there were no asterisks; it was all my private security information. Password, screen name and IP address all there. So I deleted Yahoo Messenger and reinstalled it and I got this pop-up that scrolled about 10 times across my screen saying "Registry editing has been disabled by your administrator." Which means my computer is now linked to someone else, right?

I have no idea how to stop this or fix this, and instead of reinstalling windows onto my computer, resetting factory settings and losing everything I have, I would rather find the solution to this problem. I found the website describing the hack program used on me, it is:

URL Removed by Admin

It just describes the program this saucy_mitch used on me.
I haven't been able to protect myself or any of my private information yet and I would really love someone to help me or offer me any kind of idea they have to help... So far all I have been able to think of is to place her name on ignore, and that way the instant message that is popping up when I sign on and giving her IMs of my information will be stopped....but that doesn't fix my problem, and if I use a name she is not blocked on, she will have my information again, and already has my IP address.....

help...
__________________
The end is near...I don't have time to shoe shop for Andi!

#2  Old 01-10-04, 07:07 PM
Andrew (The Guy Behind the Curtain)

From the material listed on this malware website, it sounds like the trojan that was launched against you changed several registry settings in your computer. Unless you have a backup copy of your registry, prior to its corruption and subsequent locking, it would appear that the only sure-fire way to fix this problem is to reformat your computer (after backing up your personal files) and reinstall Windows.

*Don't back up any of your system files, and don't back up any of your Yahoo Messenger files. In fact, beyond audio, word, and spreadsheet files - given this program's ability to bind itself to many file types, I would strongly recommend backing up only critical documents that you need.*

Your computer is not "linked" to someone else's, however, until you correct what's been changed in your computer, every time you log into Yahoo messenger, this program will apparently send your ID, password, and IP address - every time.

According to their documentation, their program has the following features:

1. Full UnDetectable for all AVs.
2. Added UnKnown startup hidden from MsConfig ;
3. Added Disable Task Manager in XP and 2k if victim press Ctrl+Alt+Del.. can not open TaskManager.
4. Added Disable Registry Editor (RegEdit).
5. Added Melt after install victim can not find your file after run it.
6. Added Disable Y! save password and auto login.
7. Added Disable MsConfig. victim can not open MsConfig.
8. Added auto remove older versions of MPS from victim's system.
9. Delete yahoo! Messenger Massages Archive after send logs!. victim can not find your ID in messages archive.
10. Added File Binder. you can bind any file with MPS sender. (exe) or (jpg) or (txt) or any ....
11. Added list for choose fileName After install.
12. Added choose icon for MPS creator.
13. Anti MPS can not kill this version !
14. Sender file size : 13k
15. Creator file size : 38k


Lessons learned:
(1) Never download anything from anyone that you don't know really well.
(2) Never open a downloaded file that is an executable (i.e. ends with .exe).
(3) Always have a firewall running on your computer (a good, free firewall is available at www.zonelabs.com). In this case, a firewall would have alerted you that an application was trying to transmit something, and would ask for your permission to do so.
(4) Consider another, third-party instant messenger program that will let you IM with Yahoo but doesn't use Yahoo Messenger - which has known vulnerabilities. Trillian (available at www.ceruleanstudios.com) is a good example.
(5) Run programs like Spybot and Ad-Aware to catch trojans, spyware and other programs that look to transmit your personal information without your permission.
(6) While they claim that most AV programs don't see it, I would strongly suggest you have yours running, updated, and MOST IMPORTANTLY, enable the PASSWORD PROTECTION to lock the options. Another one of their hacks includes code to disable Norton Antivirus.
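The "Registry editing has been disabled by your administrator" message in the original post, and items 2, 4 and 7 in the feature list above, map onto a small number of Windows policy values and autostart locations. The following triage script is an added example for this thread, not code from the post or from the malware's documentation: it reports the standard per-user lockout values (DisableRegistryTools and DisableTaskMgr, which are real Windows policy value names), then lists the Run/RunOnce entries MSConfig would normally show together with the Authenticode signature status of each executable they point at. It assumes a modern PowerShell on the affected machine and should be run from an elevated prompt.

```powershell
# Added triage example (not from the thread). Checks the per-user lockout
# policy values that "disable Registry Editor / Task Manager" trojans set,
# then enumerates Run/RunOnce autostart entries with signature status.

$policyKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$lockoutValues = 'DisableRegistryTools', 'DisableTaskMgr'   # standard Windows policy value names

Write-Host "== Lockout policy values under $policyKey =="
foreach ($name in $lockoutValues) {
    $item = Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$name -ne 0) {
        Write-Host "  FLAG  $name = $($item.$name)  (non-zero: the tool is blocked for this user)"
    } else {
        Write-Host "  ok    $name is not set"
    }
}

# Autostart locations MSConfig normally displays (per-user and per-machine).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "`n== Autostart entries (review anything you do not recognise) =="
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds provider metadata properties; skip those.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $cmd = [string]$p.Value
        # Extract the executable from the command line, honouring a quoted path.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ', 2)[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-Path -LiteralPath $exe) {
            # Status is Valid for a trusted signature, NotSigned for an unsigned binary, etc.
            $sig = (Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue).Status
        } else {
            $sig = 'FILE MISSING'
        }
        Write-Host ("  {0}`n    value:     {1}`n    command:   {2}`n    signature: {3}" -f $key, $p.Name, $cmd, $sig)
    }
}
```

Flagged lockout values can be cleared with `Remove-ItemProperty -Path $policyKey -Name DisableRegistryTools` (and likewise for `DisableTaskMgr`), but a persistence entry that survives in one of the Run keys can simply set them again at the next logon, which is why the advice above to back up documents and rebuild still stands; the script is for understanding what was changed, not a substitute for that.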
#3  Old 02-26-04, 07:27 PM
Gil (Member)
Join Date: Feb 2004 | Location: Southwest Missouri/Northwest Arkansas | Posts: 95
From my knowledge of trojans, those options are fairly common, for the most part. Melting, disabling Control-Alt-Delete, and all the like of that sort, those are even included with SubSeven's early versions. The only secure way to be online is to not download anything from anyone, and to use Linux instead of Windows. The reason I add the Linux comment is that Windows gives LOTS of spyware, even from seemingly trustworthy companies, and Linux distributions come with no spyware, and I have yet to see any spyware for that operating system.

Trojan horses may be a pain, but if you can get the port number that it uses to gain access to your computer, and download the hacking program itself, you may be able to remove the file through the program. For example, if you were infected with SubSeven, you would find the program on the web, download it, and DO NOT RUN "SERVER"; that will only infect you AGAIN. Run a port scanner, find suspicious ports, and try to connect to them using the local IP of 127.0.0.1. Once connected, there are "server options" which can allow you to remove the server, which lets the hacker in. This won't work if the server is set to have a password. Just pray that you weren't infected with one that has a password. SubSeven prompts for a password when you try the proper port on a password-protected server application.

This information should be fairly generic between trojan horses; the server options allow the control of changing how the program starts by letting the user/hacker pick what registry file to use to start it (system registry, system.ini, unknown methods, etc.). Good luck is all I can say. Personally, I'd reformat the hard drive if I didn't get immediate results with that.
__________________
-Gil
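Gil's "run a port scanner, find suspicious ports" step has a cheaper and safer local equivalent: ask the operating system which process owns each listening socket, so that an unexpected port is tied straight to a binary that can be checked and hashed. The script below is an added example for this thread, not code from Gil's post; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and a constructed baseline of expected ports that you would adjust to your own workstation.

```powershell
# Added example (not from the thread): map every listening TCP port to its
# owning process and executable, and mark ports that are not in a baseline.

# Constructed baseline of ports expected to listen on this workstation; adjust
# to your environment. Anything outside it, with an odd process or path, deserves a look.
$expectedPorts = 135, 139, 445

$report = Get-NetTCPConnection -State Listen |
    Sort-Object -Property LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port     = $_.LocalPort
            Address  = $_.LocalAddress
            PID      = $_.OwningProcess
            Process  = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path     = if ($proc -and $proc.Path) { $proc.Path } else { '<unavailable>' }
            Expected = $expectedPorts -contains $_.LocalPort
        }
    }

# Unexpected listeners sort first (Expected = False).
$report | Sort-Object -Property Expected, Port | Format-Table -AutoSize

# SHA-256 of the binaries behind unexpected listeners, for offline lookup or an AV/IR report.
$report |
    Where-Object { -not $_.Expected -and (Test-Path -LiteralPath $_.Path) } |
    ForEach-Object { Get-FileHash -Algorithm SHA256 -LiteralPath $_.Path } |
    Format-Table -Property Hash, Path -AutoSize
```

A process whose path is unavailable from a non-elevated prompt is not by itself suspicious (protected system processes behave that way); re-run elevated before drawing conclusions. This replaces the connect-to-the-trojan-with-its-own-client step with inspection only, which also sidesteps the password-protected-server case Gil mentions.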
#4  Old 02-26-04, 10:53 PM
waywardclam (Banned)
Join Date: Aug 2003 | Location: the depths of Lake Superior | Posts: 2,998
Always, always, always have an up-to-date antivirus, firewall, and spyware checker if you are going to be using Windows. Especially if you use Outlook Express and Internet Explorer.

Never had a problem with a trojan on my machine, and all three viruses I have ever had were all caught immediately before they could do any damage or reproduce.
#5  Old 02-27-04, 12:19 AM
Garry (ADDvanced Forum ADDvocate)
Join Date: Mar 2003 | Location: Auburn, Ontario, Canada | Posts: 2,597
I use a DOS program called Drive Image, and every time someone plays with my computer or I download too much garbage and my computer slows down, I just restore the image that I made of the C drive right after I reformatted and reinstalled all the base programs.

I have my computer set to store my desktop on drive D: and I save everything I do to a file folder on my desktop.

That way when I restore the image file it only overwrites drive C:, leaving my drive D desktop intact.

That's worked well for me for 5 years and I can have my computer back up and running within 5-10 minutes of a problem.

Excellent program

Drive Image by Power Quest

PS: I'm not advertising for them, I'm just a happy customer who tells someone who tells someone who tells someone and so on and so on and so on.
__________________
I do not have a disease - I do not " Have ADD "

I am ------------ ADD
Addaptable, Directed, Determined

Powered by vBulletin® Version 3.7.4
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
(c) 2003 - 2011 ADD Forums