[Resolved] Trojan Detected, and more
toyotomi
post Nov 1 2009, 07:02 AM
Post #1


Authentic Member

Group: Authentic Member
Posts: 50
Joined: 29-August 07
Member No.: 72,517
Operating System: Windows XP SP2



There's a little backstory to this, so please bear with me. This is a shared computer, so several people use it, and I try my best to keep it secure and to teach them how to be safe. That said, the other day I received an e-mail from another person that uses this computer. It was from a Yahoo account (I don't use any programs to store e-mail locally), and contained nothing other than a link (a Google redirect, to be exact). Under the "To:" field was everyone on their contacts list. The link, as it turns out, takes you to a website to buy pharmaceuticals. (I opened the link in Firefox with all scripts disabled.)

I told them to change their password to be safe and thought nothing else of it. Well, the next day I started getting a little paranoid, so I ran a quick virus scan with AVG 8.5 Free. It found two files it identified as "Trojan horse Downloader.Generic8.CAMS". Both files were old keygens that have been on my storage drives for a few years and had never before been identified as infected. One was in an archive, and I manually deleted that file from the archive. The other one, just a plain .exe, I moved to the Virus Vault. At this point I figured it was probably a simple false positive or some otherwise harmless detection.

Then, some 8 or so hours later, the Resident Shield detected a new infected file. This time it was a file in System Restore called "A002252.exe" with the same label as mentioned above. I had it moved to the vault and turned off System Restore. I downloaded Malwarebytes and ran a quick scan, and it only found a registry key labelled "Rogue.Multiple". I had it fix that entry. (Log saved if needed.) Then I ran my file shredder of choice (Eraser) and had it wipe the unused disk space on the drives where infected files had been found and subsequently removed.

*Important-ish part* The thing that's really concerning me at the moment is whether I have some sort of keylogger on this machine and that's how that email was sent out. I honestly don't know how that email could have been sent otherwise, and am rather troubled by that. This machine is used for paying bills online and such, so I'd be very concerned about the possibility of credit information being obtained by unwanted parties. I'm hoping the infection is taken care of... but I've learned never to make that assumption. So I'd like to be certain there is absolutely no malware whatsoever on this machine... until then, this machine has been placed off-limits to others and I'll only be posting here or running scans. (No matter how the others may hate me for it.)

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:12 AM, on 11/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Rainmeter\Rainmeter.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Startup: Registration .LNK = D:\Program Files\Valve\Steam\SteamApps\common\assassins creed\Register\RegistrationReminder.exe
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bion1w59.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\bion1w59.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1209588388796
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15106/CTPID.cab
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6932 bytes


I'll probably do a full thorough scan with AVG while I wait for a reply.

This post has been edited by toyotomi: Nov 1 2009, 07:02 AM
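Added example, not from the thread or from HijackThis itself: a small Python triage pass over HJT-style log entries that flags the kinds of lines a malware-removal helper reads first (orphan BHOs, Run entries with bare file names, AppInit_DLLs, services with no publisher, IE start/search pages pointing away from the stock host). The sample log is constructed in the style of the one posted above; the `search.example.invalid` line is a made-up hijacked entry, not something from this machine.

```python
# Added example (not from the thread): triage HijackThis-style log lines.
# SAMPLE_LOG is constructed in the style of the posted log, not a real scan.
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")

SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.invalid/?q=
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
""".strip()

# The stock IE 7 start/search page host seen in the posted log.
EXPECTED_IE_HOSTS = {"go.microsoft.com"}


def parse_entries(log_text):
    # Keep only 'Rn - ...' / 'On - ...' lines; the header and process list carry no code.
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_target(body):
    # First token of an O4 command, honouring a quoted executable path.
    cmd = body.split("] ", 1)[-1].strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage(entries):
    # Return [(code, reason)] for entries that deserve a second look.
    findings = []
    for code, body in entries:
        if code in ("R0", "R1"):
            host = urlparse(body.split(" = ", 1)[-1]).hostname or ""
            if host not in EXPECTED_IE_HOSTS:
                findings.append((code, f"IE start/search page points at {host}"))
        elif code == "O2" and body.endswith("(no file)"):
            findings.append((code, "orphan BHO: registry entry with no DLL on disk"))
        elif code == "O4":
            target = run_target(body)
            if "\\" not in target:  # bare name is resolved through the search path
                findings.append((code, f"Run entry with unqualified path: {target}"))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append((code, "AppInit_DLLs load into every GUI process; confirm each belongs to an installed product"))
        elif code == "O23" and "- Unknown owner -" in body:
            findings.append((code, "service with no publisher string: verify the binary"))
    return findings
```

On the constructed sample, `triage(parse_entries(SAMPLE_LOG))` flags the R1, O2, POINTER O4, O20 and O23 lines and leaves the stock R0 and the fully qualified AVG entry alone; the flagged AVG/COMODO AppInit DLLs in the real log are expected for those products, which is why the rule only asks for confirmation.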
toyotomi
post Nov 4 2009, 06:47 PM
Post #16


Authentic Member

Group: Authentic Member
Posts: 50
Joined: 29-August 07
Member No.: 72,517
Operating System: Windows XP SP2



QUOTE (SweetTech @ Nov 4 2009, 07:20 PM)
  • System restore:
    We will now clear your existing system restore points and establish a new clean restore point:
o Click on the Start button to open your Start Menu.
o Click on the Control Panel menu option.
o Click on the System and Maintenance menu option.
o Click on the System menu option.
o Click on System Protection in the left-hand task list.
o To create the manual restore point, click on the Create button. When you press this button, a prompt will appear asking you to provide a title for this manual restore point.
o Type in a title for the manual restore point and press the Create button.
o Close the System window after you have been advised that the procedure has been successfully completed.

o Next, go to Start > Run and type in cleanmgr
o Select the More options tab
o Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
Make sure you do this now, as your System Restore currently has infected files in it.

This doesn't work for me. I don't get those menus or options. When I click on System I get the same menu as I get when I right-click "My Computer" and choose Properties. There's a System Restore tab, but it only has the options to enable, disable and change the amount of disk space used by System Restore.

This post has been edited by toyotomi: Nov 4 2009, 06:47 PM
SweetTech
post Nov 4 2009, 06:53 PM
Post #17


SuperMember

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista



Please try these instructions:

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
We need to set a new system restore point:

Click Start > Run > copy and paste the following into the run box:

%SystemRoot%\System32\restore\rstrui.exe


Press OK. Choose Create a Restore Point, then click Next.
Name it (something you'll remember) and click Create.
When the confirmation screen shows the restore point has been created, click Close.

Now remove all previous Restore Points:

Click Start > Run > copy and paste the following into the run box:

cleanmgr


At the top, click on the More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on the Cancel button to exit.
toyotomi
post Nov 4 2009, 07:03 PM
Post #18


Authentic Member

Group: Authentic Member
Posts: 50
Joined: 29-August 07
Member No.: 72,517
Operating System: Windows XP SP2



QUOTE (SweetTech @ Nov 4 2009, 07:53 PM)
Now remove all previous Restore Points:

Click Start > Run > copy and paste the following into the run box:

cleanmgr


At the top, click on the More Options tab. Click the Clean up button in the System Restore box.
Click on the Yes button.
When finished, click on the Cancel button to exit.

cleanmgr gives me a window with just a dropdown box and an OK and Exit button. There are no tabs nor any options pertaining to System Restore.
toyotomi
post Nov 5 2009, 12:28 PM
Post #19


Authentic Member

Group: Authentic Member
Posts: 50
Joined: 29-August 07
Member No.: 72,517
Operating System: Windows XP SP2



Assuming it still works like it used to, I turned off System Restore, rebooted, turned it back on, and then created a new restore point.

Thanks for all the help, SweetTech. I've just one more question for some final closure. The thing that started it all... the Yahoo email account that has been sending out spam emails unbeknownst to the owner. Is it most likely that they cracked their password (I know they weren't using a good one, but I have since had them change it)? Or could they be spoofing their email address? They informed me the other day that prior to this they'd gotten messages that sent messages couldn't be completed, as though they bounced off their intended target, even though they'd sent no email. So apparently it's been like that longer than I realized. I'm not sure if those messages would be generated if it were simply a case of spoofing, and it doesn't solve how it was sent to their full list of contacts.

I've been trying to convince them to switch to Gmail but they're rather unwilling because they've had their current account for so long. I'm quite unsure how to proceed on this front since I'm dealing with a rather stubborn person on such matters. Is there any way to ensure the security of that account? I'm sorry if this is outside the scope of this particular forum and will ask in one of the others if you are unsure of such matters.

Thanks again for all the help.
SweetTech
post Nov 5 2009, 04:01 PM
Post #20


SuperMember

Group: Malware Team
Posts: 2,148
Joined: 15-March 09
From: Antarctica
Member No.: 84,696
Operating System: Vista



It is quite possible that their password was cracked. When someone chooses to use a weak password, the chances of having their account compromised increase significantly. Another problem that users are presented with when having an account compromised is that it can lead to accounts on other sites being compromised, because the user used the same username and password at a different site.

I'm not too familiar with e-mail spoofing. Your best bet is to post a new topic in our Browsers, Internet and email forum. They will be able to answer some of these questions better than I can.

I will say this:
GMail has some nice security features that they have enabled for their service. One of the most useful and important features that they have is the ability to see the last time someone logged into that account and the IP address of the computer that was used to access that account.

Another nice feature that they have is the ability for a user to use a secure connection. What that means is that instead of it being http:, it is https, so the connection is secured.

But these are just my views on this issue.

The tech team here at WTT is an amazing group of individuals and they can provide you with a more in-depth answer to some of your questions.
As I mentioned above, your best bet is to post a new topic in our Browsers, Internet and email forum.
You should make sure that you include a link to this topic in the thread.

I hope that I've provided you with some of the answers to a few of your questions and I'm sorry that I can't answer some of your other questions.

Good Luck!
SweetTech.
CatByte
post Nov 7 2009, 11:16 AM
Post #21


Classroom Administrator

Group: Classroom Admin
Posts: 9,682
Joined: 18-November 04
From: Canada
Member No.: 18,614
Operating System: xp sp3



Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
