Yahoo web mail sending spam

Hi,

One of our customers has been having lots of problmes with Malware. At one point she was calling in once a week with new infections. We got her to run ccleaner & malwarebytes and every time it would appear to remove all traces of the malware and the system would be fine for a week then shewould call back with more infections. We thought it was just her clicking questionable links and visiting spurious websites but i'm not so sure now.

Her systems seems Ok at the moment (i.e a clean copy of malwarebytes finds no problems) but her yahoo web mail acount is sending out spam emails to every one in her addressbook (she is not using it through an email client only through the web portal).

It thought it may be a to run a scan with GMER and would like some help interpreting the results please.

OS: Vista sp2 32-bit

AV: Nod32 antivirus

GMER log:

---- Kernel code sections - GMER 1.0.15 ----
.rsrc C:\Windows\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0x8E1BD014]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\wuauclt.exe[412] ntdll.dll!NtProtectVirtualMemory 776C4D34 5 Bytes JMP 000E000A
.text C:\Windows\system32\wuauclt.exe[412] ntdll.dll!NtWriteVirtualMemory 776C5674 5 Bytes JMP 000F000A
.text C:\Windows\system32\wuauclt.exe[412] ntdll.dll!KiUserExceptionDispatcher 776C5DC8 5 Bytes JMP 000D000A
.text C:\Windows\Explorer.EXE[2180] ntdll.dll!NtProtectVirtualMemory 776C4D34 5 Bytes JMP 007E000A
.text C:\Windows\Explorer.EXE[2180] ntdll.dll!NtWriteVirtualMemory 776C5674 5 Bytes JMP 007F000A
.text C:\Windows\Explorer.EXE[2180] ntdll.dll!KiUserExceptionDispatcher 776C5DC8 5 Bytes JMP 0035000A
.text C:\Windows\system32\svchost.exe[5208] ntdll.dll!NtProtectVirtualMemory 776C4D34 5 Bytes JMP 00CB000A
.text C:\Windows\system32\svchost.exe[5208] ntdll.dll!NtWriteVirtualMemory 776C5674 5 Bytes JMP 00CC000A
.text C:\Windows\system32\svchost.exe[5208] ntdll.dll!KiUserExceptionDispatcher 776C5DC8 5 Bytes JMP 00CA000A
.text C:\Windows\system32\svchost.exe[5208] ole32.dll!CoCreateInstance 76E79EA6 5 Bytes JMP 00D7000A
.text C:\Windows\system32\svchost.exe[5208] USER32.dll!GetCursorPos 77090B88 5 Bytes JMP 00DC000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86095EE4
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- Files - GMER 1.0.15 ----
File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\27381_595345496_2096_q[1].jpg 0 bytes
File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\q578538430_1934[1].jpg 0 bytes
File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\23140_100000069403815_6668_q[1].jpg 0 bytes
File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\q675656139_8849[1].jpg 0 bytes
File C:\Windows\system32\DRIVERS\cdrom.sys suspicious modification
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556be3045
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556be3045 (not active ControlSet)
---- EOF - GMER 1.0.15 ----

 

Thanks for the reply.

She no longer has any signs of Malware other than the spam emails. As stated she is not using an email client she is using web based email (Yahoo mail).

Do you think it is more likely that her acount has been hacked rather than some script or something sending them when she logs in?

I would just like a little help interpreting the GMER log as i'm not to sure how to distinguish between the false positives. I can see that a few are hooks from eset nod32 so i assume they are ok. The cdrom one i guess would be from something like damon tools its just the user code sections and the jpegs in the temp files i'm not to sure about.

Any help interpreting the results would be greatly appreciated.

 

Ok I have got the user to run the program. She had trouble running it in normal mode so ran it in safe mode. Is that a problem?

I can see that it has found one infected file and replaced it. I think she may have had some kind of disc drive emulation software and that is what modified the file. Is that likely or do you think it was malicious?

With regard to her webmail sending out spam; is it possible for a rootkit/malware to do this? is it more likely that some malware she was previously infected with has grabed her username/password and given it to a a bot which is now logging in with her credentials and sending the spam? if so changing her password should solve the problem, correct?

 

Thanks for your help.

So you don't think that the infected cdrom.sys was due to Disk Emulation software?

Do you think it is more likely that her spam problem is due to an email she has in her mailbox somewhere? Dose that sort of infection work with web mail?

 

Thanks very much for your help.

I have asked the user to delete all emails that are not important to her and to change her password on a secure machine at her university.

Thanks again, I am very grateful for your assistance.