
Browser hijacked, autoemailed tons of ppl in Outlook Express



#1 teiresias


Posted 04 February 2009 - 10:46 PM

A few minutes ago Firefox informed me that a new update was available for one of my add-ons, either Download Helper or Download Statusbar (can't remember which and can't find any history/info on installation/etc. of add-ons anywhere), so I installed it as the popup seemed legit and I wasn't on any shady sites. Immediately the page changed to www.lulwot.com (I'm sure of the spelling), which had a very loud video with flashing bright colors playing, and Outlook Express opened window after window attempting to send email after email through Hotmail (I don't know if it succeeded or not). The process was called msnim in Task Manager, but they popped up so fast and kept coming that I couldn't stop them or Firefox, so I hit the power button on my computer.

I rebooted it in Safe Mode w/o internet access and have been running scans - Spybot S&D, Rogue Remover, and CWShredder have all come out clean, and I'm currently running AVG Antivirus. I did notice I have an O18 protocol 'msnim' (C:\PROGRA~1\MSNMES~1\msgrap~1.dll) according to HijackThis (along with a 'livecall' protocol with the same file and path), but that's been there for a long time before this incident.

Does anyone have any information about this attack, what kind of malware it is, if my computer is infected or if this was a one-time thing, and what I should do about it? I'd really appreciate your help.



#2 teiresias


Posted 05 February 2009 - 10:37 AM

AVG came back clean, am running Stinger. Still in safe mode. I forgot to mention I have XP Prof. SP2, and that the www.lulwot.com thing was a sort of popup in a new window rather than a new tab or taking over one of the two previously-existing tabs; it popped up a window that wasn't maximized. It would be nice to know, from the symptoms, exactly what type (rootkit, dialer, trojan, virus, etc.) of malware it was to access Outlook Express like that, but I'm unfamiliar with all the malware terminology.

After Stinger finishes I'll reboot it in normal mode and report back whether anything seems suspicious / overtly different. Would appreciate any tips or feedback, though.



