Posted 06 August 2007 - 01:57 PM
This one is hard to describe, but I'll bet someone else has seen it. When I turned on my PC yesterday, Windows seemed to start OK. The XP logo came up, but then a command window (square box with a blue top border) popped up with an unintelligible character in the title border, and another unintelligible character inside the box. The Close Window X in the upper right hand corner would not close it and I could not use CTRL-ALT-DEL to stop it. The only option available is to select an OK button in the box which then seems to allow Windows to load properly.
I noticed immediately that it changed all my desktop icons to .LNK files and they all looked different. I immediately ran a Norton Virus scan but it found nothing. After researching on the web for LNK file problems/viruses I looked in my file associations listing and saw that the EXE file association had been deleted, and that the LNK entry did not have Shortcut associated. I made these changes and the icons now look normal, but when I try to access them to run almost any application I get an Access Denied error.
I called Norton's help line (at $100 cost) and they told me to log out and log back in as Administrator. The system would not allow me to do that and, after an hour of other failures, Norton told me to call the PC mfr (emachines/Gateway) to find out how to obtain the Administrator password. With the PC mfr's help I downloaded a file from www.loginrecovery.com and was able to capture the login passwords, but they look to be in hex.
I used LoginRecovery's web site to convert the first password and it seemed to work. However, when I tried to input and convert the second password, the web site asked me for a password (their site requires an email address, but a password is optional). I had not initially entered one and could no longer convert any more codes.
Therefore, since I did not enter a password on the web site and am locked out of my Administrator actions, I think this virus is a password hijacker where the virus captures passwords (existing or newly entered) and substitutes its own hidden password.
Here are the password strings from the LoginRecovery program:
Can anyone help me convert these (you can do it on LoginRecovery's web site for free)? Is anyone familiar with this problem?