Yahoo web mail sending spam

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by d3spot, Jul 1, 2010.

  1. d3spot

    d3spot Private E-2

    Hi,

    One of our customers has been having lots of problems with malware. At one point she was calling in once a week with new infections. We got her to run CCleaner & Malwarebytes, and every time it would appear to remove all traces of the malware and the system would be fine for a week, then she would call back with more infections. We thought it was just her clicking questionable links and visiting spurious websites, but I'm not so sure now.

    Her system seems OK at the moment (i.e. a clean copy of Malwarebytes finds no problems), but her Yahoo web mail account is sending out spam emails to everyone in her address book (she is not using it through an email client, only through the web portal).

    I thought it may be a good idea to run a scan with GMER and would like some help interpreting the results, please.

    OS: Vista sp2 32-bit

    AV: Nod32 antivirus

    GMER log:

    ---- Kernel code sections - GMER 1.0.15 ----
    .rsrc C:\Windows\system32\DRIVERS\cdrom.sys entry point in ".rsrc" section [0x8E1BD014]
    ---- User code sections - GMER 1.0.15 ----
    .text C:\Windows\system32\wuauclt.exe[412] ntdll.dll!NtProtectVirtualMemory 776C4D34 5 Bytes JMP 000E000A
    .text C:\Windows\system32\wuauclt.exe[412] ntdll.dll!NtWriteVirtualMemory 776C5674 5 Bytes JMP 000F000A
    .text C:\Windows\system32\wuauclt.exe[412] ntdll.dll!KiUserExceptionDispatcher 776C5DC8 5 Bytes JMP 000D000A
    .text C:\Windows\Explorer.EXE[2180] ntdll.dll!NtProtectVirtualMemory 776C4D34 5 Bytes JMP 007E000A
    .text C:\Windows\Explorer.EXE[2180] ntdll.dll!NtWriteVirtualMemory 776C5674 5 Bytes JMP 007F000A
    .text C:\Windows\Explorer.EXE[2180] ntdll.dll!KiUserExceptionDispatcher 776C5DC8 5 Bytes JMP 0035000A
    .text C:\Windows\system32\svchost.exe[5208] ntdll.dll!NtProtectVirtualMemory 776C4D34 5 Bytes JMP 00CB000A
    .text C:\Windows\system32\svchost.exe[5208] ntdll.dll!NtWriteVirtualMemory 776C5674 5 Bytes JMP 00CC000A
    .text C:\Windows\system32\svchost.exe[5208] ntdll.dll!KiUserExceptionDispatcher 776C5DC8 5 Bytes JMP 00CA000A
    .text C:\Windows\system32\svchost.exe[5208] ole32.dll!CoCreateInstance 76E79EA6 5 Bytes JMP 00D7000A
    .text C:\Windows\system32\svchost.exe[5208] USER32.dll!GetCursorPos 77090B88 5 Bytes JMP 00DC000A
    ---- Devices - GMER 1.0.15 ----
    AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 86095EE4
    ---- Disk sectors - GMER 1.0.15 ----
    Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
    Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
    ---- Files - GMER 1.0.15 ----
    File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\27381_595345496_2096_q[1].jpg 0 bytes
    File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\q578538430_1934[1].jpg 0 bytes
    File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\23140_100000069403815_6668_q[1].jpg 0 bytes
    File C:\Users\Rose\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BG76QHDT\q675656139_8849[1].jpg 0 bytes
    File C:\Windows\system32\DRIVERS\cdrom.sys suspicious modification
    File C:\Windows\system32\drivers\atapi.sys suspicious modification
    ---- Registry - GMER 1.0.15 ----
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556be3045
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556be3045 (not active ControlSet)
    ---- EOF - GMER 1.0.15 ----
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you want us to check for malware, you need to follow these instructions:

    READ & RUN ME FIRST. Malware Removal Guide

    However, this will not remove anything malware related in her email program. As a guide:

     
  3. d3spot

    d3spot Private E-2

    Thanks for the reply.

    She no longer has any signs of malware other than the spam emails. As stated, she is not using an email client; she is using web-based email (Yahoo Mail).

    Do you think it is more likely that her account has been hacked rather than some script or something sending them when she logs in?

    I would just like a little help interpreting the GMER log as I'm not too sure how to distinguish the false positives. I can see that a few are hooks from ESET NOD32, so I assume they are OK. The cdrom one I guess would be from something like Daemon Tools; it's just the user code sections and the JPEGs in the temp files I'm not too sure about.

    Any help interpreting the results would be greatly appreciated.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run this:
    * Please download TDSSKiller to your Desktop
    * Extract its contents to your Desktop so that you have TDSSKiller.exe directly on your Desktop and not in any subfolder of the Desktop.
    * Click Start > Run and copy/paste the following bold command into Run box and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -v

    * Follow the instructions to type in "delete" when it asks you what to do when it finds something.
    * When done, a log file should be created on your C: drive named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run. Please attach this log to your next reply.
     
  5. d3spot

    d3spot Private E-2

    OK, I have got the user to run the program. She had trouble running it in normal mode so ran it in safe mode. Is that a problem?

    I can see that it has found one infected file and replaced it. I think she may have had some kind of disc drive emulation software and that is what modified the file. Is that likely, or do you think it was malicious?

    With regard to her webmail sending out spam: is it possible for a rootkit/malware to do this? Is it more likely that some malware she was previously infected with has grabbed her username/password and given it to a bot which is now logging in with her credentials and sending the spam? If so, changing her password should solve the problem, correct?
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It is always best to use another computer to change passwords. However, as stated, she needs to find the malicious email that is causing the spam and remove it. She can always just remove all the items in her in box. It would also be a good idea to add this as a contact:
    aaa@aaa.com.

    It looks like the file found by TDSSKiller should have fixed any redirects she may have been having.

    Otherwise, if the only thing that is still an issue is the emails, my advice still holds with the addition of removing all the contacts and abandoning that account.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.


    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
  7. d3spot

    d3spot Private E-2

    Thanks for your help.

    So you don't think that the infected cdrom.sys was due to Disk Emulation software?

    Do you think it is more likely that her spam problem is due to an email she has in her mailbox somewhere? Does that sort of infection work with web mail?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No.
    Yes, it is in her web mail account. The only way to deal with that is to manually find and remove it.
     
  9. d3spot

    d3spot Private E-2

    Thanks very much for your help.

    I have asked the user to delete all emails that are not important to her and to change her password on a secure machine at her university.

    Thanks again, I am very grateful for your assistance.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing!! :)
     
