Windows – Virus / Malware: Explorer window with strange user logged into Hotmail

Tags: hotmail, malware, virus, windows xp, windows-explorer

Possible Duplicate:
What to do if my computer is infected by a virus or a malware?

I was looking into a PC, the user of which had complained that he couldn't connect to the internet and that the PC was experiencing random restarts.

The PC runs WinXP SP3. On examination, I found that the Wireless Zero Configuration service was stopped. I enabled that and the internet was back on (the PC connected through Wi-Fi). Then I started Firefox and browsed to gmail.com. I did not launch any other program, except for a few Explorer windows.

It was then that I noticed a window had popped up (it was not a pop-up). It had the Explorer folder icon, and instead of Explorer folder contents it showed a Hotmail page, with a user named "Homer Stinson" logged in. The title bar was empty and there were no toolbars. I asked the client whether this was his email ID, which he said it was not. I opened Task Manager, which did not show this Explorer window in its Applications tab. I switched back to the 'rogue' window and found that the Hotmail settings page was now open, which later changed to the Hotmail edit-profile page for the same user. I was not clicking anything. Then suddenly the window closed.

I checked the autorun locations and fired up a Malwarebytes Anti-Malware scan, which gave a relatively clean result. The system also had an updated installation of AVG.

I don't want a solution for this virus (?) problem. I asked this here because I wanted to know if somebody has come across something similar. What kind of malware can this be?

The user had not seen a similar window before and I should have taken screenshots.

(PS: Homer Stinson is an imaginary name. I searched for the other, real name with some relevant keywords but could not come up with a virus/malware discussion post.)

UPDATE:

When I checked the PC later, a DEP error had popped up; closing it restarted the PC.

(screenshot: DEP error dialog, courtesy Google Images)

UPDATE 2:

The next day, I found the same strange email registration window, multiple times, each time registering an email ID on AOL, Hotmail or Yahoo (my guess, since there was no address bar). One such screenshot is attached.

(screenshot: strange email registration window)

I could interact with the page, like clicking on links and entering text. I tried entering some text when the other 'user' was typing and moved control to a normal text box when the other 'user' was typing in the password field (the password which I saw was random characters). The other 'user' meanwhile continued with the registration, although I didn't notice the 'user' filling in the captcha, and so I cannot say whether the 'other' was a real person or a bot.

I ran AVG, Malwarebytes and Spybot scans and got some adware, registry errors and Hosts file redirection errors. Malwarebytes could not fix the hosts file issue. I checked the hosts file manually and found it to be OK (it contained the default comments and the 127.0.0.1 line). Malwarebytes still gave the same hosts file redirection error on rescanning.

I could fix the DEP issue by adding the AlwaysOff switch to the System Startup line, but the email registration windows had me worried.

I ran Active Ports and found that explorer.exe was talking to a remote IP. Screenshot follows.

(screenshot: Active Ports showing explorer.exe talking to a remote Yahoo IP)

Even after killing explorer.exe and restarting it, it would still connect to remote IPs, all of which resolved to .mail..yahoo.* domain names.

I also remember that the Windows Firewall/ICS service was disabled and would not start.

Since the PC had a backup of documents, I proceeded with an OS reinstall; however, I would like to know what kind of malware I was facing.

Has anybody come across a similar problem? Any info will be appreciated.

PS: Please feel free to edit the question for clarity.
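As an added example (not from the original question or answer), the check below does in code what the asker did by eye with Active Ports: parse constructed `netstat -ano` output, map PIDs to image names, and flag established TCP sessions to routable addresses held by processes such as explorer.exe that normally hold none. The sample output, the PID map and the list of suspect image names are all constructed assumptions.

```python
import ipaddress

# Constructed sample of `netstat -ano` output from a Windows XP host (not from the post).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1288
  TCP    192.168.1.5:1034       93.184.216.34:110      ESTABLISHED     1288
  TCP    192.168.1.5:1040       8.8.8.8:443            ESTABLISHED     2140
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PIDS = {880: "svchost.exe", 1288: "explorer.exe", 2140: "firefox.exe", 4: "System"}

# Assumption: these images have no routine reason to hold outbound TCP sessions.
SUSPECT_IMAGES = {"explorer.exe", "winlogon.exe"}

def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) rows; UDP rows have no State column, so rows are told apart by token count (IPv4 only)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # header, blank or unexpected row
        yield proto, local, foreign, state, int(pid)

def is_remote(addr):
    """True if the host part of host:port is a routable (non-private, non-loopback) IPv4 address."""
    host = addr.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # '*' and other non-address tokens
        return False

def find_suspicious(text, pid_map, suspect_images=SUSPECT_IMAGES):
    """Return (image, pid, foreign) for ESTABLISHED TCP sessions to routable addresses held by suspect images."""
    hits = []
    for proto, _local, foreign, state, pid in parse_netstat(text):
        image = pid_map.get(pid, "<unknown>")
        if (proto == "TCP" and state == "ESTABLISHED"
                and image in suspect_images and is_remote(foreign)):
            hits.append((image, pid, foreign))
    return hits
```

On a live host, feed `find_suspicious` the output of `netstat -ano` and a PID map built from `tasklist`; the loopback and listening rows in the sample are there to show that only the explorer.exe session to a routable address is reported.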

Best Answer

  • More info on that pop1 address: http://www.robtex.com/dns/pop1.plus.mail.vip.sp2.yahoo.com.html

    Yes, it's a winlogon.exe virus.

    No need to reinstall.

    Follow the order given below to properly disinfect your PC:

    1.) Make a boot AV disc, then boot from the disc and scan the hard drive, removing any infections it finds. I prefer the Kaspersky disc myself. The new 2010 Kaspersky disc can update the AV dat files if you are connected to the internet at the time of the scan, and it is suggested to update before the scan.

    http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

    2.) Then install free MBAM, run the program and go to the Update tab and update it, then go to the Scanner tab and do a quick scan; select and remove anything it finds.

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

    3.) When MBAM is done, install the SAS free version, run a quick scan, and remove what it automatically selects. http://www.superantispyware.com/download.html

    These last 2 are not AV software like Norton; they are on-demand scanners that only scan for nasties when you run the program and will not interfere with your installed AV. These can be run once a day or week to ensure you are not infected. Be sure you update them before each daily/weekly scan.
