Possible Duplicate:
What to do if my computer is infected by a virus or a malware?
I was looking into a PC, the user of which had complained that he couldn't connect to the internet and that the PC was experiencing random restarts.
The PC runs WinXP SP3. On examination, I found that the Wireless Zero Configuration service was stopped. I enabled that and the internet was back on (the PC connected through Wi-Fi). Then I started Firefox and browsed to gmail.com. I did not launch any other program, except for a few Explorer windows.
It was then I noticed a window had popped up (it was not a pop-up). It had the Explorer folder icon and, instead of Explorer folder contents, it showed a Hotmail page, with a user named "Homer Stinson" logged in. The title bar was empty and there were no toolbars. I asked the client whether this was his email ID, which he said it was not. I opened Task Manager, which did not show this Explorer window in its Application tab. I switched back to the 'rogue' window and found that the Hotmail settings page was now open, which later changed to the Hotmail edit profile page for the same user. I was not clicking anything. Then suddenly the window closed.
I checked the autorun locations, fired up a Malwarebytes Anti Malware scan which gave a relatively clean result. The system also had an updated installation of AVG.
I don't want a solution for this virus (?) problem. I asked this here because I wanted to know if somebody has come across something similar. What kind of malware can this be?
The user had not seen a similar window before and I should have taken screenshots.
(PS: Homer Stinson is an imaginary name. I searched for the other real name with some relevant keywords but could not come up with a virus/malware discussion post.)
UPDATE:
When I checked the PC later, a DEP error had popped up; closing it restarted the PC.
(DEP error dialog, courtesy Google Images)
UPDATE 2:
The next day, I found the same strange email registration window, multiple times, each time registering an email ID on AOL, Hotmail or Yahoo (my guess, since there was no address bar). One such screenshot is attached.
I could interact with the page, like clicking on links and entering text. I tried entering some text when the other 'user' was typing and moved control to a normal textbox when the other 'user' was typing in the password field (the password which I saw was random characters). The other 'user' meanwhile continued with the registration, although I didn't notice the 'user' filling in the captcha, and so I cannot say whether the 'other' was a real person or a bot.
I ran AVG, Malwarebytes and Spybot scans and got some adware, registry errors and hosts file redirection errors. Malwarebytes could not fix the hosts file issue. I checked the hosts file manually and found it to be OK (it contained the default comments and the 127.0.0.1 line). Malwarebytes still gave the same hosts file redirection error on rescanning.
I could fix the DEP issue by adding the AlwaysOff switch to the System Startup line, but the email registration windows had me worried.
I ran Active Ports and found that explorer.exe was talking to a remote IP. Screenshot follows.
Even after killing explorer.exe and restarting it, it would still connect to remote IPs, all of which resolved to .mail..yahoo.* domain names.
I also remember that the Windows Firewall/ICS service was disabled and would not start.
Since the PC had a backup of documents, I proceeded with an OS reinstall; however, I would like to know what kind of malware I was facing.
Has anybody come across a similar problem? Any info will be appreciated.
PS: Please feel free to edit the question for clarity.