Yahoo! Messenger spam

For the past few days I have been receiving some rather strange messages on Yahoo Messenger from people in my contact list.

The message started with a BUZZ followed by a text in English that ended with a link. The text and the link advertised weight-loss pills and looked somewhat like the e-mails I sometimes find in my Spam folder.

The strangest part is that the person in question did not even have their PC turned on, let alone be online on Yahoo Messenger.

The messages read roughly like this:
“Sarah and Angie have both lost about 40 pounds each in just a few weeks, no diets no excercise just been taking those acai pills that Oprah had on her show. I been taking them now and lost 21 pounds in just over 2 weeks. Get them now for only five dollars at hxxp://comepeel.xxx”

“This is like a dream come true for me and my Jenny. We both are living proof that Acai pills work to lose weight quick, we both lost over 30 pounds and still losing, no diet or excercise they just burn the fat off. Get them now for only five dollars at hxxp://comerate.xxx”

“I have been taking Acai pills now for two months and already lost 34 pounds, it is the same stuff that was on oprah and cnn, Mike and Jen lost so much weight too with no diet or excersise. Get it now, its only five bucks a bottle, we are living proof that it works like magic. Get it over at http://xxxxx.com”

I have not yet identified the cause, so I ask that when you see this behaviour from one of your friends, or it happens to you, you also download and run this program: http://rapidshare.com/files/204089214/RSIT.rar.html and create a log with it.

Then download GMER and save a log (using the “Save” button).

Send the three logs to the e-mail address: faravirusicom@gmail.com

This way we can fight together and the site's goal can be achieved: faravirusi (virus-free). 🙂

Administrator FaraVirusi.com
volunteer with the Comodo Malware Research Team, Malwarebytes Anti-Malware expert

45 responses to “Yahoo! Messenger spam”

  1. Mikay

    OK! I'll let you know if I see anything like this ;)

  2. Kashim

    Fail, at least for me, right from the start (if we think about it logically):
    1. no friend of mine would talk to me in English to advertise a product.
    2. “[…]me and my Jemmy[…]” lol, they should try again. I don't know anyone by that name.
    That doesn't mean some people wouldn't click right away (sometimes without reading the message).

    Tell the person who sent you the message to give you an HJT log 😛

  3. Lau

    What does HJT log mean? I just received a message like this.

  4. florin

    The site being promoted is known to be a spam domain; details here: http://www.siteadvisor.com/sites/comerate.com . It's obvious that spam is moving to instant messaging too; it may be a worm or trojan that has infected PCs and sends these links to everyone in the victim's messenger or e-mail list. Those PCs may already be part of a botnet; that's my opinion.

  5. mihai

    Hi, I also received this message from several people, and I was laughing at the others for having viruses. Now my paranoia tells me that maybe I'm the one with the virus and that only I see it.
    My HJT log is below… The same paranoia saw some strange lines in the log, which quite possibly are just ones I don't know. I hope it helps 🙂

  6. mihai

    One more thing.
    I could NOT install Yahoo Messenger 9.0 … that is, it installed without problems, but when I tried to start it, it showed up in processes and in the tray, but the window .. nothing…
    I searched and searched for what the problem could be, found nothing…
    I found no viruses: I scanned with the new NOD32, the old one, with Spybot Search and Destroy, with Malwarebytes, and found nothing.. NOTHING…
    I have licensed Windows XP updated to the max (SP3 and shit).. brand-new Windows.. I installed it the day before yesterday.
    I looked for older versions of Messenger; now I'm using “8.0 with voice” and it works..
    If anyone knows what's going on, it would be wonderful if you could help me, thanks.

  7. ricardo

    I've also been getting such messages for about a week. I got them from about 3 or 4 friends. 2 of the sites noted are:
    – lipslim.com
    – sizeday.com

    I see they are all hosted in the same place: 125.181.106.147 (somewhere in China).

  8. Apolodor

    Isn't it possible that the virus is on the machine of the person receiving the messages, not the one who appears to be sending them? I've also received messages like this from about 4 friends.

  9. bogdanb

    Hi. I probably have the unluckiest friends. I've received such messages from 4 of them. The first came about 1 week ago. This is the latest message.

    “BUZZ!!!
    bogdanel bogdan: I have been taking Acai Berry now for two months and already lost 34 pounds, it is the same stuff that was on the Oprah show, Mark and Kat lost so much weight too with no diet or excersise. Get it now, its only five bucks a bottle, we are living proof that it works like magic. Get it over at http://dirkdeep.com

    I'll tell him to scan his computer and post the HijackThis log here.
    Good luck

  10. mihai

    Great, that means I'm just paranoid 😀

  11. Fane

    Those affected must also change their Yahoo account password after disinfection.

  12. mihai

    I caught someone with the virus and took their HJT log:

  13. Eugenyus

    I just searched Google about this and it seems that a great many people around the world suffer from this problem. The thing is that some receive such SPAM messages and others don't.
    I'm thinking it could be some kind of purpose-built process that somehow gets inserted into the installed program, that is, into Yahoo Messenger, by visiting some random page.
    I found a post that reads like this:
    “Here is the company that is selling the spamming software
    http://freqsoft.com/bodeezy
    It is interesting to see all the BIG NAMES involved with this spamming
    1) Godaddy.com provides the anonymous registration.
    2) Paypal.com is processing the payments to scammer.
    3) Wild West Domains (owned by Godaddy.com) is hosting the spammer’s site. ”

    It seems there are companies that promote spam.

    I also found this: “Yahoo! has a list of sites that are considered spam and uses it to filter the statuses and messages sent between Yahoo! Messenger users.”

    It seems Yahoo! is becoming a kind of “Big Brother is Watching”.

    I personally haven't received spam messages on Messenger yet, only some people do, which makes me think that the spam system is being worked on.

  14. Edward

    The new message is:

    Howdy, I just spoke to jen and bill, and they told me to check out some pills they saw on Oprah. They said they lost 23 pounds in about amonth with them. Anyway you can find them here for only $5 http://costhave.com

    It is generated by a modified Yahoo Messenger .dll file. It's the only one that doesn't have the Yahoo! Inc. signature.

  15. Edward

    libexpat.dll

  16. Edward

    Deleting this dll is not recommended; replacing it with an original version is recommended 🙂
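
One way to check the claim in the comments above, that a single Yahoo! Messenger DLL lacks the Yahoo! Inc. signature, as an added example that is not part of the original thread. The install folder is an assumed default location, and the function name Get-UnexpectedSigner is made up for this illustration.

```powershell
# Added example: not from the post or its comments.
# Lists executables and DLLs under a folder whose Authenticode signature is
# missing, invalid, or issued to someone other than the expected publisher.
function Get-UnexpectedSigner {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedSigner
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File |
        Where-Object { $_.Extension -in '.dll', '.exe' } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # SignerCertificate is $null for files that carry no signature.
            $subject = ''
            if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }

            # Both conditions must hold: the signature verifies AND the
            # certificate subject names the expected publisher.
            $signerOk = $subject.IndexOf($ExpectedSigner, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
            $trusted  = ($sig.Status -eq 'Valid') -and $signerOk

            if (-not $trusted) {
                [pscustomobject]@{
                    File   = $_.FullName
                    Status = $sig.Status      # e.g. NotSigned, HashMismatch
                    Signer = $subject
                    SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}

# Assumed values: default install folder; publisher string as given in the comment.
Get-UnexpectedSigner -Path 'C:\Program Files\Yahoo!\Messenger' -ExpectedSigner 'Yahoo! Inc.' |
    Format-List
```

A listed file is a lead rather than a verdict: compare its SHA256 with the same file taken from a freshly downloaded installer before replacing it.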

  17. tudor

    I tried to look for a solution to the problem for a friend and came across:

    http://translate.google.com/translate?prev=hp&hl=en&u=http%3A%2F%2Fwww.luchoedu.org%2Fnoticias%2Fnuevo-virus-de-msn%2F&sl=es&tl=en

    How good is this guy's solution, especially now that we know the .dll is actually to blame?!

  18. Dan

    I use multimess; both my wife and I were connected, both invisible. I wasn't at the computer; when I came back, I had a message saying that my wife had been disconnected due to some problems (she was no longer connected on our computer), yet she appeared online in my list and one of the messages above had been sent from her account. When I touched the mouse, she disconnected again.
    If the problem comes from Messenger, why was the spam sent only from her account?

  19. tudor

    That means things are worse than we expected. Both MSN and Messenger infected by the same silly thing 🙂 The messages are the same, since I also received one identical to the one mentioned in the link from several people in my messenger list. 🙂

  20. Adrian

    I'm also receiving such IMs, with a buzz followed by a spam message, from friends in my list.

    I agree with Radu, it's a worm, but what is puzzling is how all these users came across it around the same time. What do they have in common? Going by my list, sociologically.. nothing. It must be something related to Yahoo pages. But which of them?

  21. Carla

    Hi,

    another variant of the message:

    ” BUZZ!!!
    Carla Ionita: Just wanted to give you a heads up on some cool supplements. I lost 9 pounds in a week and I only paid $5. You can see the page I found here http: / / sealmill . com “
    (I put the spaces in the link myself, so as not to click by mistake)

    I've e-mailed the requested logs.

    possibly useful information:

    ** I log in to YM from 3 PCs running:
    – one Windows Vista Home edition
    – the other two Windows XP SP3 Professional
    all licensed.
    ** today I couldn't access my Yahoo mail until I changed the password. A message appeared like “Ups, yahoo mail didn’t load” or something like that. I use Yahoo mail beta.

    PS. a funny coincidence: I really have lost a few kg lately, and my colleagues were asking me this morning what got into me to brag that I'd lost weight?! 🙂

  22. Adr.I.An

    Radu, regarding Yahoo Messenger and its vulnerabilities.

    Now in 2009 I read an article from 2007, namely this one: ” http://www.theregister.co.uk/2007/06/08/yahoo_bug_squashed/ ” and what caught my attention was:

    “The vulnerability stems from a buffer overflow flaw in the messenger’s ActiveX control. Attackers could use it to remotely execute malicious code, or for other, less serious things, such forcing a user to log out of a chat or instant messaging session or crash Internet Explorer or another application. To carry out the attack, a miscreant must first prompt the victim to visit a booby-trapped website that contains specially crafted html code.”

    OK, so then I wonder: if we don't use IE [Internet Explorer], and visit that “website that contains specially crafted html code” with Mozilla [I recommend it], Safari or another browser that doesn't use ActiveX, would we be in any danger?

    By my logic: NO.

    And what also puzzles me is the following: in the eyes of the world Yahoo and Microsoft are pretty hostile to each other, yet Yahoo Messenger uses an ActiveX Control, ActiveX developed by Microsoft. Interesting.

  23. TZ

    Hi! I just found out that I've also flooded my friends with this message. The interesting part is that I don't use Windows, but Linux. Lately I've used Ubuntu 8.10 exclusively, both at home and at work. I don't see how they could find out my password; the systems are fairly secure. I see two possibilities:
    1. My account was accessed by someone (or by me, but I don't remember) from an already infected computer.
    2. A vulnerability in the Yahoo server is being used.

  24. topa

    Look what I found here:
    I don’t think this dll (libexpat.dll) is spyware or any other malicious file since Gimp seems to need that in order to function. Gimp for Windows gimes me a error message: Gimp-2.2.exe – Unable To Locate Component This application has failed to start because libexpat.dll was not found. Re-installing the application may fix this problem.
    Could it come from installing this little program, since it uses the same .dll?

    http://www.dll-files.com/dllindex/dll-files.shtml?libexpat

  25. raluca

    I found out that I'm sending BUZZes to the people in my list when I'm not online and the PC isn't even on, just as you said above… I don't know what to do… I haven't found a method on the net that works, or maybe I'm doing something wrong. Do you have any suggestions? I'd be grateful. Thanks a lot. (I know it's a pretty common thing, but I can't manage to solve it and it's starting to drive me crazy)

  26. mcanti

    Have you managed to find anything out?
    Can this problem be gotten rid of just by changing the password?

  27. FaraVirusi.com » Spam on Yahoo! Messenger (the story continues)

    […] to receive news from this page. After the more or less explicable story of the spam with the miracle weight-loss pills, another form of spam, in Romanian, has now appeared on Yahoo! Messenger. This time it makes […]

  28. Fara virusi

    Hi, I have a problem too

  29. Fara virusi

    I've been infected with a virus that sends mass messages on its own to my Yahoo list with something like “faceboock”; how can I solve the problem? If anyone can help me
    Thanks

  30. getakiss

    I would like to read my messages

  31. Doru

    What is recommended when, while I'm logged in to Y Messenger, I start sending spam at irregular intervals to my whole list with a link (unfortunately the same link I got the virus from… accidentally, though)?

    If anyone has a solution… please send a reply

  32. Doru

    @Radu thanks a lot… no offence, but I hope I won't need to turn to the forum again :))
