
User account missing from start up


14 replies to this topic

#1 CWD1127 (Members, 8 posts)

Posted 12 April 2010 - 06:56 PM

Running Windows XP Pro with all latest critical updates.
Wireless modem run with the Netgear WG311v3 Smart Wizard
McAfee Enterprise Anti-Virus 8.5.01 Scanned, found nothing. (Must use Enterprise on home computer due to work requirements)
Ran Ad-aware which found 2 Win32.Adware.BHO, 1 Win32.Adware.Coupons, 3 Win32.Backdoor.Agent Malware. Ad-aware quarantined all of the incidents.

What happened:
Well, it all started when I was on Facebook and everything froze. Rebooted to Safe Mode, shut down and started again. When I started it, McAfee was enabled for a few seconds, but then on-access scan was disabled.
Went into McAfee - I could enable everything except the on-access scan. It was grayed out.
Turned off wireless (not the modem - just the internal connection through Netgear.)

Ran McAfee again. Still nothing.
Rebooted - now I couldn't re-connect. Clicked on Netgear shortcut and nothing. Program wouldn't load.

Husband took over!

He uninstalled and reloaded Netgear; got internet working again. Rebooted and both user accounts came up in Windows.
Shut down for the evening.
(False sense of security, no pun intended)

Turned it on this morning - only my user access again, although McAfee and Netgear appear to be working fine. That's when I ran Ad-aware and found the malware that Ad-aware quarantined.

Additional info: At some point last night, I noticed a program in the Add/Remove Programs list called simply "<" that is .80 MB. No other information about this program.

What more info can I give? This happened once before. I was fighting with Norton Anti-Virus at the time - it was really hanging up the computer. I finally completely uninstalled it (using their instructions on the Norton website). All the user account access came back after I uninstalled Norton. At that time I had copied all his files and renamed a user account for him, but that did nothing - still couldn't get more than my user account. We have the same level of access: administrator. His user account was still in Explorer on the local drive and all his files were there (same as now).

Nothing else seems to be happening - the computer is working well, boots up fairly quickly (much more quickly than when I was running Norton).

Thanks so much.

PS. I have always been cautious about opening anything, I delete all emails with forwards no matter what they are. My suspicion is that it came through yahoo chat.

Edited by CWD1127, 12 April 2010 - 07:01 PM.




#2 Stang777 (Just Hoping To Help; Members, 1,821 posts)

Posted 12 April 2010 - 11:06 PM

Hi and Welcome to BleepingComputer,

I would start out by doing a scan with Malwarebytes...

It can be downloaded from...

http://www.malwarebytes.org/mbam.php

Scroll down to where you see the button "Download Free Version"

Double-click on mbam-setup.exe to install the application. (If it will not download, install, or open after installation, change the name of it to whatever you want and change the .exe extension to .bat, .com, .pif or .scr and then double-click on it to run.)

When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.

When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process.


After running that scan, post the complete log of the results here and then download, install, update and run a quick scan with SuperAntiSpyware and post the complete log of the results here. This scan may take some time to complete so please be patient.

This is also free and can be downloaded from SuperAntiSpyware.com, just click on the button that says "Free Edition Download"

If it will not download, install, or open after installation, change the name of it to whatever you want and change the .exe extension to .bat, .com, .pif or .scr and then double-click on it to run.

Allow both programs to remove whatever they find and if they tell you that you need to reboot your computer to complete the removal process, reboot into normal Windows.

Edited by Stang777, 12 April 2010 - 11:11 PM.


#3 CWD1127 (Topic Starter; Members, 8 posts)

Posted 14 April 2010 - 02:30 PM

Thanks for getting back to me so quickly.

Here are the two logs. I had no problems running either program.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3988

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

4/14/2010 11:26:47 AM
mbam-log-2010-04-14 (11-26-47).txt

Scan type: Quick scan
Objects scanned: 139547
Time elapsed: 13 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/14/2010 at 12:10 PM

Application Version : 4.35.1002

Core Rules Database Version : 4805
Trace Rules Database Version: 2617

Scan type : Quick Scan
Total Scan Time : 00:27:32

Memory items scanned : 468
Memory threats detected : 0
Registry items scanned : 744
Registry threats detected : 5
File items scanned : 16071
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\Cecelia\Cookies\cecelia@insightexpressai[1].txt
C:\Documents and Settings\George\Cookies\george@atdmt[2].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Trojan.Agent/Gen-Zbot
C:\DOCUMENTS AND SETTINGS\GEORGE\MY DOCUMENTS\DEVEL301\DEVEL301\ARCHIVE\IMPORT\IMPORT.EXE
C:\DOCUMENTS AND SETTINGS\GEORGE.HYPERDELL\MY DOCUMENTS\DEVEL301\DEVEL301\ARCHIVE\IMPORT\IMPORT.EXE
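The MBAM log above mixes three quite different kinds of finding: adware registry leftovers, an autorun entry under HKCU\...\Run named "microsoft update" (the Backdoor.Bot hit), and two Security Center flags that had been forced to 1, which is what silences the "antivirus is off" balloon the poster would otherwise have seen when on-access scanning died. The script below is an added example written for this page, not a Malwarebytes tool and not code from anyone in the thread; the function and bucket names are my own. It parses the finding lines of a 1.x text log and sorts them into response-oriented buckets, surfacing any backdoor/trojan-family detection separately because that is the finding that drives the "reimage" decision made later in the thread. The sample input is the findings section of the log posted above.

```python
"""Sort the findings in a Malwarebytes' Anti-Malware 1.x log by what they mean for the responder.

Added example for this thread; not a Malwarebytes tool, and the function and
category names are assumptions of this example. Each finding line has the shape
"<path> (<detection>) -> <action>", optionally carrying "Bad: (x) Good: (y)" for
registry data items. Findings are bucketed as autorun persistence (Run/RunOnce
keys), Security Center tampering (a *DisableNotify flag forced to 1), adware, or
other; backdoor/trojan-family detections are listed separately.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Findings section of the MBAM log posted in this thread, used here as sample input.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.TryMedia) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Non-greedy path so the first "(Detection) -> " wins, not the "(0) -> " inside a Bad/Good action.
FINDING_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
AUTORUN_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?\\", re.IGNORECASE)
SECCENTER_RE = re.compile(r"\\Security Center\\\w*DisableNotify$", re.IGNORECASE)
HIGH_RISK_FAMILIES = {"backdoor", "trojan", "rootkit", "worm"}


@dataclass
class Finding:
    section: str
    path: str
    detection: str
    action: str
    bad: Optional[str]
    good: Optional[str]
    category: str


def categorize(path: str, detection: str, bad: Optional[str]) -> str:
    """Assign one response-oriented bucket; a persistence location outranks the detection family."""
    if AUTORUN_RE.search(path):
        return "persistence"
    if SECCENTER_RE.search(path) and bad == "1":
        return "security-center-tamper"
    if detection.split(".", 1)[0].lower() == "adware":
        return "adware"
    return "other"


def parse_mbam_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Registry Values Infected:" and similar section headers
            section = line[:-1]
            continue
        m = FINDING_RE.match(line)
        if not m:                       # "(No malicious items detected)", version and count lines
            continue
        path, detection, action = m.group("path", "detection", "action")
        bg = BAD_GOOD_RE.search(action)
        bad, good = (bg.group("bad"), bg.group("good")) if bg else (None, None)
        findings.append(Finding(section, path, detection, action, bad, good,
                                categorize(path, detection, bad)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


def high_risk(findings: List[Finding]) -> List[Finding]:
    """Detections whose family name alone justifies treating the host as compromised."""
    return [f for f in findings
            if f.detection.split(".", 1)[0].lower() in HIGH_RISK_FAMILIES]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(summarize(found))
    for f in high_risk(found):
        print(f"HIGH RISK: {f.detection} at {f.path}")
```

Run against the posted log this yields four adware entries, one persistence entry and two Security Center tampers, with Backdoor.Bot as the single high-risk family; the same parser works on the full log file MBAM writes, since the header and count lines never match the finding pattern.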

#4 Stang777 (Just Hoping To Help; Members, 1,821 posts)

Posted 14 April 2010 - 08:33 PM

You are welcome but I have some bad news for you about the backdoor.bot.....

Backdoor Threat

IMPORTANT NOTE: Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards. Let us know what you decide to do.


Btw, I have been advised that it is best when formatting to remove viruses to use a formatting utility instead of using the formatting function from the Windows disk. The formatting utilities like Killdisk will write zeros to the disk to ensure all data is erased and the Windows disk formatting does not do that.

If you want to go ahead with the cleaning process, unfortunately, you are going to have to wait for someone else, like someone on staff, to come along and help you with that as I am not qualified to help clean up that type of infection.

Post back and let us know if you want to continue and hopefully someone else will be along soon to get you cleaned up.

I wish you good luck with this
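Stang777's advice above is to wipe with a utility that writes zeros to the whole disk rather than relying on the Windows installer's format. A wipe is only as trustworthy as its verification: an interrupted run, or a run pointed at the wrong disk, leaves the old data in place. The script below is an added example for this page, not part of the thread and not a Killdisk or DBAN feature; `verify_zeroed`, `verify_device` and `WipeReport` are names chosen here. It reads the target in 1 MiB chunks, stops at the first non-zero byte and reports its offset, so a partial wipe is caught before the drive is reused. The demo runs it against two images constructed in memory, one clean and one with a stray filesystem signature left at 3 MiB.

```python
"""Verify that a drive (or a raw image of one) really was overwritten with zeros.

Added example for this thread; not a Killdisk/DBAN feature, and the function
names are assumptions of this example. Works on any readable binary file or
block device (e.g. verify_device("/dev/sdb") on Linux after a wipe).
"""
import io
from dataclasses import dataclass
from typing import BinaryIO, Optional, Tuple

CHUNK = 1 << 20  # 1 MiB per read keeps memory flat on multi-hundred-GB disks


@dataclass
class WipeReport:
    bytes_checked: int
    first_nonzero: Optional[int]  # offset of the first non-zero byte, None if the target is clean

    @property
    def clean(self) -> bool:
        return self.first_nonzero is None


def verify_zeroed(stream: BinaryIO, chunk_size: int = CHUNK) -> WipeReport:
    """Read to EOF or to the first non-zero byte, whichever comes first."""
    offset = 0
    while True:
        buf = stream.read(chunk_size)
        if not buf:                              # EOF without finding data: wipe verified
            return WipeReport(offset, None)
        if buf.count(0) != len(buf):             # at least one non-zero byte in this chunk
            idx = len(buf) - len(buf.lstrip(b"\x00"))   # position of that byte within the chunk
            return WipeReport(offset + idx + 1, offset + idx)
        offset += len(buf)                       # raw devices may return short reads; count what we got


def verify_device(path: str) -> WipeReport:
    """Open a device or image file unbuffered and verify it; needs read access to the device."""
    with open(path, "rb", buffering=0) as fh:
        return verify_zeroed(fh)


def demo() -> Tuple[WipeReport, WipeReport]:
    """Constructed sample images: one fully zeroed, one with leftover data at 3 MiB + 17."""
    clean = io.BytesIO(bytes(4 * CHUNK))
    dirty_buf = bytearray(4 * CHUNK)
    dirty_buf[3 * CHUNK + 17 : 3 * CHUNK + 21] = b"NTFS"   # stray filesystem signature (constructed)
    dirty = io.BytesIO(bytes(dirty_buf))
    return verify_zeroed(clean), verify_zeroed(dirty)


if __name__ == "__main__":
    for name, report in zip(("clean image", "dirty image"), demo()):
        status = "CLEAN" if report.clean else f"DATA at offset {report.first_nonzero}"
        print(f"{name}: {status} ({report.bytes_checked} bytes checked)")
```

Run it after the wipe tool finishes and before the reinstall; a non-None offset means the wipe did not cover the whole disk and should be repeated against the correct target.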

#5 CWD1127 (Topic Starter; Members, 8 posts)

Posted 14 April 2010 - 11:15 PM

Ugh. I feel sick to my stomach. I wonder how long it has been there. Wireless disabled immediately.

Thank you.

Could you please look at these logs from my laptop? I can use this in place of the desktop.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3988

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

4/14/2010 12:56:51 PM
mbam-log-2010-04-14 (12-56-51).txt

Scan type: Quick scan
Objects scanned: 112707
Time elapsed: 17 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/14/2010 at 02:15 PM

Application Version : 4.35.1002

Core Rules Database Version : 4805
Trace Rules Database Version: 2617

Scan type : Quick Scan
Total Scan Time : 01:08:31

Memory items scanned : 709
Memory threats detected : 0
Registry items scanned : 586
Registry threats detected : 1
File items scanned : 38019
File threats detected : 0

Adware.Gamevance
HKU\S-1-5-21-2876608432-483462828-314405990-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883}

#6 Stang777 (Just Hoping To Help; Members, 1,821 posts)

Posted 15 April 2010 - 01:28 AM

You are welcome but I am sorry I had to tell you something that made you feel so bad.

The logs from your laptop look fine to me. I really do not know much about Gamevance other than that it is used by games to deliver advertising. I don't think I would want it on my system, but it isn't one, as far as I know, that you should be too concerned about. I don't think it is going to do anything bad to your system or with your info, but if you no longer play those games, then you might as well let it be removed. The PopCap entries are not anything I would be concerned about either. I see those ones were deleted, but if you use games from PopCap they will probably be reinstalled; they are not going to do anything bad to your system or with your info either, so your laptop seems to be fine.

Let us know if you want to try to clean the desktop or not.

Again, I am sorry I had to give you such bad news. :thumbsup:

#7 CWD1127 (Topic Starter; Members, 8 posts)

Posted 15 April 2010 - 08:03 PM

Thanks - we are not sure yet what we will do. Considering just getting a new hard drive. One piece of advice that I got was to reformat the current drive a minimum of five times.

Is this virus just in the programs and O/S or would it have infected the documents, for instance, Word, XP....

#8 CWD1127 (Topic Starter; Members, 8 posts)

Posted 05 May 2010 - 06:04 PM

One more question about this problem....

We have decided to just get a new hard drive. The question is how does this trojan spread? Can I save my document files (Word, Excel, Powerpoint, etc.) safely?

Thanks!

#9 Stang777 (Just Hoping To Help; Members, 1,821 posts)

Posted 05 May 2010 - 07:29 PM

Hi,

I am sorry I didn't answer the question in your previous post before. I do not believe you should have to format the drive that many times, especially if you use a program to do it that writes zeros to the drive during the format, like Killdisk or DBAN.

Your documents should be fine to use. I am not certain what all files this particular virus infects but I would not use any .exe, .scr, .html, or .bat files and I would be a little careful about .mp3 files although those should be safe as long as they were obtained through trusted sources and have been scanned with your antivirus programs.
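The rule of thumb in the post above is extension-based: documents come across, .exe/.scr/.html/.bat files stay behind, .mp3 files get a scan first. The one thing that rule cannot see is an executable that has been renamed, and SAS flagged exactly such a file in George's documents tree (IMPORT.EXE under DEVEL301\ARCHIVE\IMPORT). The script below is an added example written for this page, not code from the thread or from any of the tools named in it; the bucket names, the extension lists and the sample profile are choices of this example. It walks a profile directory and applies the extension rule, but first sniffs the opening bytes of every file for the "MZ" signature that every Windows executable carries, so a renamed program is blocked whatever it is called. Office documents and archives are not blocked, but they land in a "scan-first" bucket because they can carry active content. The sample profile is constructed in a temporary directory; IMPORT.EXE mirrors the path from the SAS log above, and invoice.doc is a deliberately renamed executable.

```python
"""Triage files from a compromised Windows profile before copying them to a clean install.

Added example for this thread; not a feature of MBAM, SAS or any tool named in
it. Extension lists and bucket names are assumptions of this example.
Verdicts: "carry" (plain data), "scan-first" (documents/archives/media that
should be scanned on the clean machine), "block" (executables and scripts,
including any file whose content starts with the PE "MZ" signature).
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

BLOCKED_EXT = {".exe", ".scr", ".html", ".htm", ".bat", ".cmd", ".com", ".pif",
               ".dll", ".vbs", ".js", ".lnk"}
SCAN_FIRST_EXT = {".doc", ".xls", ".ppt", ".docx", ".xlsx", ".pptx", ".pdf",
                  ".zip", ".rar", ".mp3"}
PLAIN_EXT = {".txt", ".csv", ".jpg", ".jpeg", ".png", ".gif"}


def has_pe_header(path: Path) -> bool:
    """True if the file starts with the MZ signature that every Windows PE (.exe/.dll/.scr) carries."""
    with path.open("rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path: Path) -> Tuple[str, str]:
    """Return (verdict, reason). Content check runs before the extension check on purpose."""
    ext = path.suffix.lower()
    if has_pe_header(path):
        return "block", "PE header found regardless of extension"
    if ext in BLOCKED_EXT:
        return "block", f"executable or script extension ({ext})"
    if ext in SCAN_FIRST_EXT:
        return "scan-first", f"container that can hold active content ({ext})"
    if ext in PLAIN_EXT:
        return "carry", f"plain data ({ext})"
    return "scan-first", f"unrecognised extension ({ext or 'none'})"


def triage(root: Path) -> Dict[str, List[str]]:
    """Walk a profile tree and bucket every regular file by verdict (paths relative to root)."""
    buckets: Dict[str, List[str]] = {"carry": [], "scan-first": [], "block": []}
    for p in root.rglob("*"):
        if p.is_file():
            verdict, _reason = classify(p)
            buckets[verdict].append(p.relative_to(root).as_posix())
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed sample profile. IMPORT.EXE mirrors the path SAS flagged in the thread;
# invoice.doc is an executable renamed to look like a document.
SAMPLE_FILES = {
    "notes.txt": b"shopping list\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,                        # JPEG SOI marker
    "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,       # OLE2 header
    "invoice.doc": b"MZ\x90\x00" + b"\x00" * 60,                           # renamed executable
    "setup.bat": b"@echo off\r\n",
    "DEVEL301/DEVEL301/ARCHIVE/IMPORT/IMPORT.EXE": b"MZ\x90\x00" + b"\x00" * 60,
}


def build_sample_profile(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo() -> Dict[str, List[str]]:
    """Build the sample profile in a temporary directory, triage it and return the buckets."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_profile(root)
        return triage(root)


if __name__ == "__main__":
    for verdict, names in run_demo().items():
        print(f"{verdict:11s} {', '.join(names) or '-'}")
```

On the sample profile only notes.txt and photo.jpg are carried as-is, budget.xls goes to the scan-first pile, and invoice.doc is blocked alongside IMPORT.EXE and setup.bat even though its name says it is a Word document. Point `triage` at the old drive's Documents and Settings folder (mounted read-only from the clean machine) to get the same split for real.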

#10 boopme (To Insanity and Beyond; Global Moderator, 73,338 posts; Location: NJ USA)

Posted 05 May 2010 - 10:50 PM

Hello, you are running an outdated version of MBAM and SAS.

First run TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

SAS:
Open SUPER from icon and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.


NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Let us know how the PC is running now.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#11 Stang777 (Just Hoping To Help; Members, 1,821 posts)

Posted 06 May 2010 - 12:44 AM

Hi Boopme, I am just wondering, were those programs outdated at the time that they were run, three weeks ago?

#12 boopme (To Insanity and Beyond; Global Moderator, 73,338 posts)

Posted 06 May 2010 - 02:27 PM

No I don't believe so. But there are complete new engines on the software so we get a new set of logs.

#13 Stang777 (Just Hoping To Help; Members, 1,821 posts)

Posted 06 May 2010 - 02:44 PM

Thank you Boopme

#14 CWD1127 (Topic Starter; Members, 8 posts)

Posted 10 May 2010 - 08:35 PM

Boopme - is this necessary since we are installing a new hard drive? Thanks!

#15 boopme (To Insanity and Beyond; Global Moderator, 73,338 posts)

Posted 10 May 2010 - 08:55 PM

No, I was thinking that if you were to clean it you may not be replacing it. So in the future just remember to always update any tool prior to scanning.



