
Possible Duplicate:
What to do if my computer is infected by a virus or a malware?

I was looking into a PC, the user of which had complained that he couldn't connect to the internet and that the PC was experiencing random restarts.

The PC runs WinXP SP3. On examination, I found that the Wireless Zero Configuration service was stopped. I enabled that and the internet was back on (the PC connected through Wi-Fi). Then I started Firefox and browsed to gmail.com. I did not launch any other program, except for a few Explorer windows.

It was then that I noticed a window had popped up (it was not a pop-up). It had the Explorer folder icon, and instead of Explorer folder contents it showed a Hotmail page, with a user named "Homer Stinson" logged in. The title bar was empty and there were no toolbars. I asked the client whether this was his email ID, which he said it was not. I opened Task Manager, which did not show this Explorer window in its Applications tab. I switched back to the 'rogue' window and found that the Hotmail settings page was now open, which later changed to the Hotmail edit profile page for the same user. I was not clicking anything. Then suddenly the window closed.

I checked the autorun locations and fired up a Malwarebytes Anti-Malware scan, which gave a relatively clean result. The system also had an updated installation of AVG.

I don't want a solution for this virus(?) problem. I asked this here because I wanted to know if somebody has come across something similar. What kind of malware can this be?

The user had not seen a similar window before and I should have taken screenshots.

(PS: Homer Stinson is an imaginary name. I searched for the other, real name with some relevant keywords but could not come up with a virus/malware discussion post.)

UPDATE:

When I checked the PC later, a DEP error had popped up; closing it restarted the PC.

[DEP error dialog, courtesy Google Images]

UPDATE 2:

The next day, I found the same strange email registration window multiple times, each time registering an email ID on AOL, Hotmail or Yahoo (my guess, since there was no address bar). One such screenshot is attached.

[Screenshot: strange email registration window]

I could interact with the page, like clicking on links and entering text. I tried entering some text when the other 'user' was typing and moved control to a normal textbox when the other 'user' was typing in the password field (the password which I saw was random characters). The other 'user' meanwhile continued with the registration, although I didn't notice the 'user' filling in the CAPTCHA, and so I cannot say whether the 'other' was a real person or a bot.

I ran AVG, Malwarebytes and Spybot scans and got some adware, registry errors and hosts file redirection errors. Malwarebytes could not fix the hosts file issue. I checked the hosts file manually and found it to be OK (it contained the default comments and the 127.0.0.1 line). Malwarebytes still gave the same hosts file redirection error on rescanning.

I could fix the DEP issue by adding the AlwaysOff switch to the System Startup line, but the email registration windows had me worried.

I ran Active Ports and found that explorer.exe was talking to a remote IP. Screenshot follows.

[Screenshot: Active Ports showing explorer.exe talking to a remote Yahoo IP]

Even after killing explorer.exe and restarting it, it would still connect to remote IPs, all of which resolved to *.mail.*.yahoo.* domain names.

I also remember that the Windows Firewall/ICS service was disabled and would not start.

Since the PC had a backup of documents, I proceeded with an OS reinstall; however, I would like to know what kind of malware I was facing.

Has anybody come across a similar problem? Any info will be appreciated.

PS: Please feel free to edit the question for clarity.

abel
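The question did two checks by hand: mapping explorer.exe to its remote connections in Active Ports, and reading the hosts file after Malwarebytes kept reporting a redirection. The script below is an added example (not part of the question or any answer) that does the same triage offline from the text output of `netstat -ano` and `tasklist`, which is what you would capture on an XP box before deciding to reinstall. All sample output, image names, PIDs, addresses (RFC 5737 documentation ranges) and the hosts-file contents are constructed for this example; the function names and the lists of "no outbound expected" processes and mail ports are the example's own assumptions.

```python
"""Offline triage for the symptoms in the question: join `netstat -ano` with
`tasklist` to see which process owns each connection, flag processes that
should not be talking to the Internet (explorer.exe, winlogon.exe, ...) or
that talk to mail ports, and list hosts-file entries beyond the stock
localhost line. All sample output below is constructed for this example,
not captured from the affected PC."""
import re

# Constructed `netstat -ano` output (RFC 5737 documentation addresses).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.7:1042       203.0.113.10:80        ESTABLISHED     1796
  TCP    192.168.1.7:1055       203.0.113.22:110       ESTABLISHED     1796
  TCP    192.168.1.7:1060       198.51.100.5:443       ESTABLISHED     2332
  UDP    0.0.0.0:500            *:*                                    704
"""

# Constructed `tasklist` output.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    884 Console                    0      4,912 K
explorer.exe                  1796 Console                    0     21,340 K
firefox.exe                   2332 Console                    0     88,104 K
"""

# Constructed hosts files: the XP default, and one with an added redirect.
HOSTS_CLEAN = "# Copyright (c) 1993-1999 Microsoft Corp.\n#\n127.0.0.1       localhost\n"
HOSTS_TAMPERED = HOSTS_CLEAN + "127.0.0.1       update.example.com   # added line\n"

MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}
# Assumed list of system processes that should never initiate remote sessions.
NO_OUTBOUND_EXPECTED = {"explorer.exe", "winlogon.exe", "lsass.exe", "csrss.exe"}
HOSTS_DEFAULT_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}

TCP_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)\s+(\d+)\s*$")
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """TCP rows of `netstat -ano` as dicts (UDP rows carry no state; skipped)."""
    rows = []
    for m in (TCP_RE.match(line) for line in text.splitlines()):
        if m:
            rows.append({"local": m.group(1), "lport": int(m.group(2)),
                         "remote": m.group(3), "rport": int(m.group(4)),
                         "state": m.group(5), "pid": int(m.group(6))})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    return {int(m.group(2)): m.group(1).strip()
            for m in (TASK_RE.match(line) for line in text.splitlines()) if m}


def suspicious_connections(netstat_text, tasklist_text):
    """ESTABLISHED connections owned by a process that should not have any,
    or headed to a mail port. Returns (image, pid, remote, rport, reason)."""
    names = parse_tasklist(tasklist_text)
    findings = []
    for r in parse_netstat(netstat_text):
        if r["state"] != "ESTABLISHED":
            continue
        image = names.get(r["pid"], "<unknown>")
        reasons = []
        if image.lower() in NO_OUTBOUND_EXPECTED:
            reasons.append("system process with an outbound session")
        if r["rport"] in MAIL_PORTS:
            reasons.append("mail port %d" % r["rport"])
        if reasons:
            findings.append((image, r["pid"], r["remote"], r["rport"],
                             "; ".join(reasons)))
    return findings


def unexpected_hosts_entries(hosts_text):
    """Hosts-file mappings other than the stock localhost lines. Comments
    (including trailing ones) and blank lines are ignored, so a file holding
    only the default comments and '127.0.0.1 localhost' yields []."""
    extra = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        ip, hostnames = fields[0], fields[1:]
        extra.extend((ip, h) for h in hostnames
                     if (ip, h.lower()) not in HOSTS_DEFAULT_OK)
    return extra


if __name__ == "__main__":
    for f in suspicious_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-14s pid %-5d -> %s:%d  (%s)" % f)
    print("hosts extras:", unexpected_hosts_entries(HOSTS_TAMPERED))
```

Run it against real captures by replacing the constructed strings with the output of `netstat -ano > net.txt` and `tasklist > tasks.txt`. Two points the script encodes that matter for this kind of case: an explorer.exe session to port 110 is worth a look on its own, whatever the destination resolves to, and a scanner's "hosts redirection" warning can be checked directly by parsing the file rather than trusting either the scanner or a quick visual glance.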

4 Answers

More info on that pop1 address: http://www.robtex.com/dns/pop1.plus.mail.vip.sp2.yahoo.com.html

Yes, it's a winlogon.exe virus.

No need to reinstall.

Follow the order given below to properly disinfect your PC:

1.) Make a boot AV disc, then boot from the disc and scan the hard drive; remove any infections it finds. I prefer the Kaspersky disc myself. The new 2010 Kaspersky disc can update the AV dat files if you are connected to the internet at the time of the scan, and it is suggested to update before the scan.

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

2.) Then: install free MBAM, run the program and go to the Update tab and update it, then go to the Scanner tab and do a quick scan; select and remove anything it finds.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

3.) When MBAM is done, install the SAS free version, run a quick scan, and remove what it automatically selects. http://www.superantispyware.com/download.html

These last 2 are not AV software like Norton; they are on-demand scanners that only scan for nasties when you run the program and will not interfere with your installed AV. These can be run once a day or week to ensure you are not infected. Be sure you update them before each daily/weekly scan.


Moab

Do you have any kind of remote management software such as LogMeIn installed? If this is a company computer, then you should talk to your IT dept about it and find out what they do.

Kevin M

Detective work:

  • There are at least 6 people with the name "Homer Stinson" in the United States. So this might be a real name.
  • The strange email window is the AOL WebMail Sign Up, so the virus is in the process of creating a new AOL WebMail account.
  • The server pop1.plus.mail.vip.sp2.yahoo.com is a Yahoo! mail server. The virus is probably doing the same thing over there too.

The virus may create new accounts to spam from, or try by brute force to detect names of existing accounts. It is probably part of some spamming bot.

From the fact that you have so many symptoms I would guess that your virus is actually a trojan, and may have brought with it some "friends". I have heard of cases where dozens of viruses were installed because of a single trojan infection.

The computer may be so heavily infected by now that it might be next to impossible to find out where the infection began. If you are still curious, you can use several of the online antivirus services to scan the computer, making a list of all viruses found. Also download several boot CDs of known antivirus products and run them from outside of Windows. For a clean sweep, also use Spybot S&D and Lavasoft Ad-Aware.

The only solution is to format all hard disks and reinstall Windows. This computer is beyond recovery. Your effort to track down the virus may not be worth your spent time.

harrymc

I don't technically believe the question was answered like you wanted. What this was, quite simply, was a bit of botnet malware. A botnet is a group of computers infected with malware, which work together to do some task, be it malicious or otherwise. What that code was doing, or person quite possibly, was using the computer as a legitimate front to create mass amounts of accounts on various websites. Most likely, whoever was in control of the botnet had more than just that PC working for him. If it wasn't a botnet type deal, then you quite simply had some guy using that computer as a sort of proxy, to hide what he was doing and make these created accounts look legitimate. The malware itself is actually pretty simple, really. He used some sort of phishing scam to get the software onto the computer, and the software was set up to prevent the PC from seeing it, or doing anything about it. The window that popped up was basically a tour de force: look at me, look what I can do. None of that was actually necessary for this type of thing.

Jasen