Author Topic: Fake Yahoo Messenger popup in Yahoo mail?  (Read 20007 times)


Jet

  • Guest
Fake Yahoo Messenger popup in Yahoo mail?
« on: December 25, 2009, 03:50:07 PM »
Anyone know about this?  It appears in the lower right of the screen when in my Yahoo inbox.  It says something like: "<some ridiculous fake name> wants to add you to his Online Contacts list on Yahoo Messenger".  It has buttons for "accept" and "decline."  The first time I encountered it I clicked "decline" and got a second "are you sure?" popup.  Since then it still appears with a different name and this time I just click the X to close the popup box.  It doesn't happen often but shows up at least once per log-in.

Odd thing is that I've only encountered it in my main Yahoo account.  I have several other Yahoo mail accounts and I haven't encountered it in any of them.  Avast doesn't pick up anything when I run a scan.

Recent activity was getting hit by a virus a while back when I didn't have Avast set on a daily scan (I thought it was a default setting).  Avast caught it with the scan but since then there have been intermittent troubles, such as Firefox crashing, and I can't get into IE at all.  I'm running XP on a Dell Inspiron 1521 laptop.

I should also add that I've never used Yahoo Messenger, never even enabled it or whatever is done to set it up for use.


Thanks.
« Last Edit: December 25, 2009, 06:52:35 PM by Jet »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37700
Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #1 on: December 25, 2009, 07:51:17 PM »
Check your computer for malware with

MBAM http://filehippo.com/download_malwarebytes_anti_malware/
update and run quick scan, click the button "remove selected" to quarantine anything found

SAS http://filehippo.com/download_superantispyware/

Are cookies really spyware and are they dangerous?
http://www.superantispyware.com/supportfaqdisplay.html?faq=26

If anything is found other than cookies you may post the scan logs here

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #2 on: December 26, 2009, 01:24:16 AM »
Thanks Pondus, just ran Malwarebytes and it showed nothing.  Also ran Ad-Aware and it showed nothing either.

This popup only shows up in one of my Yahoo Mail accounts, not the others.  It doesn't appear in my Yahoo account when accessed from two other computers.  I don't even click it off now because I'm afraid it might trigger something, so it remains in the corner of the screen for however long I have Yahoo Mail open.
« Last Edit: December 26, 2009, 01:28:14 AM by Jet »

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #3 on: December 26, 2009, 01:26:47 AM »
Here's the HijackThis logfile.  I have no idea how to interpret it...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:52 PM, on 12/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [USBToolTip] C:\PROGRA~1\Pinnacle\SHARED~1\Programs\USBTip\USBTip.exe
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5839 bytes

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89690
  • No support PMs thanks
Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #4 on: December 26, 2009, 01:49:12 AM »
I don't see anything obvious in your log other than that your OS is out of date (SP3 has been out for well over a year) and your copy of Java is also out of date, both of which leave you more vulnerable.

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.

I also don't see a firewall and the XP firewall doesn't provide outbound protection.

AdAware has long had its day; personally I would get rid of it and replace it with both MBAM and SAS.

Have you run SAS yet?

I don't know what version of Acrobat PDF Reader you are using but that is another big target for malware, especially if it is out of date.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security
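
The reading of the log in the reply above (service pack level, Java runtime, Adobe Reader helper, which security products are running) can be pulled out of a HijackThis log mechanically. The following is an added example, not code from any poster or from HijackThis; the function names and result keys are assumptions, and the sample is a constructed excerpt of the log posted in this thread.

```python
import re

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, e.g. "O23 - Service: ..."

def parse_log(text):
    """Split a log into header fields and entries grouped by section code."""
    header, sections = {}, {}
    for line in map(str.strip, text.splitlines()):
        m = ENTRY.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
        elif ": " in line:  # header lines such as "Platform: ..."
            key, value = line.split(": ", 1)
            header[key] = value
    return header, sections

def summarize(text):
    """Collect the facts a helper checks by hand; this reports, it does not judge."""
    header, sections = parse_log(text)
    sp = re.search(r"\bSP(\d)\b", header.get("Platform", ""))
    bhos = sections.get("O2", [])
    vendors = set()
    for entry in sections.get("O23", []):
        # "Service: <name> - <vendor> - <path>"; split from the right
        parts = entry.rsplit(" - ", 2)
        if len(parts) == 3:
            vendors.add(parts[1])
    return {
        "service_pack": int(sp.group(1)) if sp else None,
        "java_runtimes": [v for e in bhos for v in re.findall(r"\\(jre[\d._]+)\\", e)],
        "adobe_reader_helper": any("AcroIEHelper.dll" in e for e in bhos),
        "service_vendors": vendors,
    }
```

Whether a reported version is current still has to be checked against the vendor's release list; the log only shows what is installed.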

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #5 on: December 26, 2009, 02:18:06 AM »
Thank you David.

I just downloaded SAS and it showed:

Trojan. Agent Gen-Nullo (short)
Trojan. Unknown origin (2)
and tracking cookies

All were quarantined, but still have the popup.

I will try getting the suggested updates

Offline DavidR

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #6 on: December 26, 2009, 03:28:16 AM »
What were the file names and locations of these files? Since the detections look like they are generic (the Gen- bit) detections, it is best to investigate further.

That is me for the night, almost 2:30 a.m. here.

Offline Pondus

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #7 on: December 26, 2009, 03:30:50 AM »
I guess the next step will be to contact Yahoo.
What happens if you clean your temp files?

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #8 on: December 26, 2009, 03:38:08 AM »
Pondus, I just cleared the temp files and I don't see the popup!!  I clear the temps regularly but hadn't since running SAS a few hours ago.  Perhaps SAS quarantined the offender and clearing the cache prevented a repeat performance.

thanks again to you and David, hopefully this is the last of it... :)

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #9 on: December 26, 2009, 05:01:48 AM »
AH DAMN, IT'S BACK.....  :-\

Offline DavidR

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #10 on: December 26, 2009, 04:37:07 PM »
To me this is the same as spam: somehow your messenger account has got on to a list, and this is the equivalent of getting spam email trying to get you to do something likely to get you in trouble, as opposed to something actually on your system.

This is more so when you say this doesn't affect your other accounts.

I don't use 'any' messenger service, never saw the need, so excuse my ignorance, but isn't there a setting for you to automatically deny or even block the pop-up in the message in the first place? If there isn't, I wouldn't put up with that kind of restriction and possible vulnerability and it would be history, removed from my system and seeking another alternative.

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #11 on: December 26, 2009, 05:31:15 PM »
David,
I don't use Yahoo Messenger or any messenger service either.  I've never activated or used one.  It's asking to be added to my Yahoo messenger list (which doesn't exist because I've never created one) and wants to add me to "its" Online Contacts list.

It's gotta be something on this laptop as my PC on the other side of the room can log into the same account and not get the popup.  And none of my other Yahoo accounts, viewed on either computer, get the popup.

It can be moved about the screen, I try to move it out of the way so I can read things, but it doesn't go away unless I click the little X in the corner of it.... but I'm reticent to click that X anymore cuz not sure what it's doing, maybe using my email list to send spam or something.

Can't find any reference to this on the net.  Weird.... :-\

Offline Pondus

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #12 on: December 26, 2009, 05:39:46 PM »
Can you post a screenshot of the popup?

Shot in the dark, try this: http://www.surfright.nl/en/hitmanpro

Offline DavidR

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #13 on: December 26, 2009, 06:22:01 PM »
So you don't have messenger installed even though you don't use it?

When does this happen and what are you doing at the time?
It could be a spoof pop-up that, if you click add, would carry out alternative actions rather than add to a contacts list.

Jet

Re: Fake Yahoo Messenger popup in Yahoo mail?
« Reply #14 on: December 26, 2009, 06:55:06 PM »


Here's the screenshot of the popup.  It shows up smaller in the lower right hand corner of the screen but it can be dragged to a larger size, which I did so you can see it better.  The first time I saw it I clicked "Decline", which opened another "are you sure?" popup.  After that it appeared on next log-in with a different phony person's name, and that time I just clicked the "X" and it went away.  But now I just leave it there without clicking anything because I'm afraid of what the clicks might be doing.

No, I've never activated Yahoo Messenger or used it.
« Last Edit: December 26, 2009, 06:57:43 PM by Jet »