Thank you dear nephew

#1 dc3

Posted 10 August 2013 - 09:11 AM

Last Wednesday my nephew stayed with us for the day. I allowed him to use my computer. While he was busy online I did my yard work. I didn't think anything about it until I started the computer Friday morning. After booting I immediately noticed that there was a new admin account; I now have my account "Daniel" and the added Administrator. I opened that account to find most of my desktop icons missing, the theme had been changed, and my address book in Thunderbird was empty. The computer looked like Windows had just been installed. I started running scans at this point; AVG 2013 was up to date and didn't find anything. The same with SUPERAntiSpyware. I updated Malwarebytes and ran a quick scan which found 27 objects! I tried to run ESET's online scan and it wouldn't finish the scan. I downloaded RKill and tried again, and it didn't finish again.

 

My computer is a custom build, if you need any information on this I'll provide a Speccy log.  My computer specs can be seen in my profile.

I'm running Windows 7 SP1, to the best of my knowledge it is up to date.

 

Edited to add omitted pertinent information:

 

After running Malwarebytes the added admin account returned to a normal appearance. I rebooted and chose my admin account and everything was normal. While in my account the added admin account doesn't show up in the user accounts, but both accounts show in the added account. When I click on the added account the option to delete this account is present.

 

One other thing I noticed is that when I right-click on the start orb and click on Open Windows Explorer, it opens with a limited number of options in the Libraries. The option to open the C: drive is among the missing options.

 

Here is the Malwarebytes log.

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.08.09.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16635
Administrator :: DANIEL-PC [administrator]

8/9/2013 7:09:24 AM
mbam-log-2013-08-09 (07-09-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 271857
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Mozilla\Firefox\Extensions\{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} (PUP.Optional.SweetPacks) -> Data:  -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Mozilla\Firefox\Extensions|{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD} (PUP.Optional.SweetPacks) -> Data: C:\Program Files\Updater By SweetPacks\Firefox -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 25
C:\Users\Daniel\AppData\Local\Temp\dlLogic.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\ToolbarHelper.exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\UpdUninstall.exe (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\42B5144C-BAB0-7891-A100-056DD979C8B1\Latest\BabMaint.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\42B5144C-BAB0-7891-A100-056DD979C8B1\Latest\ccp.exe (PUP.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\42B5144C-BAB0-7891-A100-056DD979C8B1\Latest\MyDeltaTB.exe (PUP.Optional.Delta) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\42B5144C-BAB0-7891-A100-056DD979C8B1\Latest\Setup.exe (PUP.Optional.Babylon.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\is357113909\DeltaTB.exe (PUP.Optional.Delta.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\AppData\Local\Temp\is357113909\Setup-D502DD2B71B5.exe (Trojan.PUP.WebCake.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\7ZipSetup-cKu2Nwb.exe (PUP.Optional.Somoto) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\CustomizableSetup.exe (PUP.Optional.Inbox) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\Download.exe (PUP.Optional.Installex) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\Java Runtime Environment (JRE) 7 (64 bits) (1).exe (PUP.Optional.Solimba) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\Java Runtime Environment (JRE) 7 (64 bits).exe (PUP.Optional.Solimba) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\movie1080p.mkv.zip (Trojan.Agent.rfz) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\SoftonicDownloader_for_anydvd-hd.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\SoftonicDownloader_for_clonecd.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\SoftonicDownloader_for_dvdfab-dvd-copy.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\SoftonicDownloader_for_dvdfab.exe (PUP.Optional.Softonic) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\video_hd.zip (Malware.Packer.RRE) -> Quarantined and deleted successfully.
C:\Users\Daniel\Downloads\ZipPerformerSetup.exe (PUP.Optional.InstallBrain) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\H2EIIYT8\checktbexist[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\H2EIIYT8\WhiteSmoke_New[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\RXV07XG6\setup__155[1] (PUP.Optional.Amonetize) -> Quarantined and deleted successfully.
C:\Users\Daniel\Local Settings\Temporary Internet Files\Content.IE5\RXV07XG6\statisticsstub[1].exe (PUP.Optional.Conduit.A) -> Quarantined and deleted successfully.

(end) 

 

DDS log

 

DDS (Ver_2012-11-20.01) - NTFS_AMD64 
Internet Explorer: 10.0.9200.16635
Run by Daniel at 10:11:05 on 2013-08-10
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2815.1184 [GMT -7:00]
.
AV: AVG AntiVirus 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG AntiVirus 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\AVG\AVG2013\avgnsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgemca.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SOUNDMAN.EXE
C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files (x86)\OpenOffice.org 3\program\soffice.bin
C:\Program Files (x86)\NETGEAR Genie\bin\genie2_tray.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\KeyNote\keynote.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: Userinit = userinit.exe,
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
uRun: [NETGEARGenie] "C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenie.exe" -mini -redirect
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
StartupFolder: C:\Users\Daniel\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\OPENOF~1.LNK - C:\Program Files (x86)\OpenOffice.org 3\program\quickstart.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoActiveDesktop = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:0
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableLUA = dword:0
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{B8F5A2FC-B9A1-4CF3-A884-3EEB0F8A203B} : DHCPNameServer = 192.168.1.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\BelarcAdvisor\System\BAVoilaX.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "C:\Program Files (x86)\Google\Chrome\Application\28.0.1500.95\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
x64-Run: [SoundMan] SOUNDMAN.EXE
x64-Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Daniel\AppData\Roaming\Mozilla\Firefox\Profiles\4s2rogdv.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.153\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.20513.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: C:\Program Files (x86)\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHA;AVGIDSHA;C:\Windows\System32\drivers\avgidsha.sys [2013-7-20 71480]
R0 Avgloga;AVG Logging Driver;C:\Windows\System32\drivers\avgloga.sys [2013-7-20 311608]
R0 Avgmfx64;AVG Mini-Filter Resident Anti-Virus Shield;C:\Windows\System32\drivers\avgmfx64.sys [2013-7-1 116536]
R0 Avgrkx64;AVG Anti-Rootkit Driver;C:\Windows\System32\drivers\avgrkx64.sys [2013-7-10 45880]
R1 AVGIDSDriver;AVGIDSDriver;C:\Windows\System32\drivers\avgidsdrivera.sys [2013-7-20 246072]
R1 Avgldx64;AVG AVI Loader Driver;C:\Windows\System32\drivers\avgldx64.sys [2013-7-20 206648]
R1 Avgtdia;AVG TDI Driver;C:\Windows\System32\drivers\avgtdia.sys [2013-3-21 240952]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys [2011-7-22 14928]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\saskutil64.sys [2011-7-12 12368]
R2 !SASCORE;SAS Core Service;C:\Program Files\SUPERAntiSpyware\SASCore64.exe [2012-7-11 140672]
R2 AVGIDSAgent;AVGIDSAgent;C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe [2013-7-4 4939312]
R2 avgwd;AVG WatchDog;C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe [2013-7-23 283136]
R2 NETGEARGenieDaemon;NETGEARGenieDaemon;C:\Program Files (x86)\NETGEAR Genie\bin\NETGEARGenieDaemon64.exe [2013-4-7 232192]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2013-3-14 383264]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;C:\Windows\System32\drivers\RTL8192su.sys [2010-11-25 694888]
R3 USTOR2K;USB Mass Storage Windows Driver;C:\Windows\System32\drivers\ustor2k.sys [2013-6-27 52224]
S1 BIOS;BIOS;C:\Windows\System32\drivers\BIOS64.sys [2003-6-7 7168]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2013-4-19 19456]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2013-4-19 57856]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-12-1 1255736]
S4 ADExchange;ArcSoft Exchange Service;C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe --> C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe [?]
.
=============== Created Last 30 ================
.
2013-08-02 01:14:06 -------- d-----w- C:\Windows\System32\MRT
2013-07-24 15:45:58 -------- d-----w- C:\Program Files (x86)\iYogi Support Dock
2013-07-20 14:56:46 -------- d-----w- C:\ProgramData\WildTangent
2013-07-20 14:56:46 -------- d-----w- C:\Program Files (x86)\WildGames
2013-07-20 14:56:37 -------- d-----w- C:\Users\Daniel\AppData\Roaming\WildTangent
2013-07-20 08:51:00 311608 ----a-w- C:\Windows\System32\drivers\avgloga.sys
2013-07-20 08:50:56 71480 ----a-w- C:\Windows\System32\drivers\avgidsha.sys
2013-07-20 08:50:56 246072 ----a-w- C:\Windows\System32\drivers\avgidsdrivera.sys
2013-07-20 08:50:50 206648 ----a-w- C:\Windows\System32\drivers\avgldx64.sys
2013-07-18 15:05:14 -------- d-----w- C:\Program Files\Speccy
2013-07-12 00:32:59 1084928 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2013-07-12 00:32:57 1767936 ----a-w- C:\Windows\SysWow64\wininet.dll
2013-07-12 00:32:56 2241024 ----a-w- C:\Windows\System32\wininet.dll
.
==================== Find3M  ====================
.
2013-07-23 22:37:46 96784 ----a-w- C:\Windows\SysWow64\packet.dll
2013-07-23 22:37:46 369168 ----a-w- C:\Windows\System32\wpcap.dll
2013-07-23 22:37:46 35344 ----a-w- C:\Windows\System32\drivers\npf.sys
2013-07-23 22:37:46 281104 ----a-w- C:\Windows\SysWow64\wpcap.dll
2013-07-23 22:37:46 106000 ----a-w- C:\Windows\System32\packet.dll
2013-07-10 08:32:38 45880 ----a-w- C:\Windows\System32\drivers\avgrkx64.sys
2013-07-01 08:45:28 116536 ----a-w- C:\Windows\System32\drivers\avgmfx64.sys
2013-06-27 16:08:41 52224 ----a-w- C:\Windows\System32\drivers\ustor2k.sys
2013-06-27 16:08:41 2572288 ----a-w- C:\Windows\System32\GeneIcon.dll
2013-06-27 16:08:41 147456 ----a-w- C:\Windows\SysWow64\ustor.dll
2013-06-27 13:16:13 173 ----a-w- C:\Windows\DeleteOnReboot.bat
2013-06-11 23:43:00 2877440 ----a-w- C:\Windows\SysWow64\jscript9.dll
2013-06-11 23:42:58 61440 ----a-w- C:\Windows\SysWow64\iesetup.dll
2013-06-11 23:42:58 109056 ----a-w- C:\Windows\SysWow64\iesysprep.dll
2013-06-11 23:25:16 3958784 ----a-w- C:\Windows\System32\jscript9.dll
2013-06-11 23:25:13 67072 ----a-w- C:\Windows\System32\iesetup.dll
2013-06-11 23:25:13 136704 ----a-w- C:\Windows\System32\iesysprep.dll
2013-06-11 22:51:45 71680 ----a-w- C:\Windows\SysWow64\RegisterIEPKEYs.exe
2013-06-11 22:50:58 89600 ----a-w- C:\Windows\System32\RegisterIEPKEYs.exe
2013-06-07 03:22:18 2706432 ----a-w- C:\Windows\System32\mshtml.tlb
2013-06-07 02:37:52 2706432 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2013-06-05 03:34:27 3153920 ----a-w- C:\Windows\System32\win32k.sys
2013-06-04 06:00:13 624128 ----a-w- C:\Windows\System32\qedit.dll
2013-06-04 04:53:07 509440 ----a-w- C:\Windows\SysWow64\qedit.dll
2013-05-23 02:24:59 92160 ----a-w- C:\Windows\System32\SetIEInstalledDate.exe
2013-05-23 02:24:59 48640 ----a-w- C:\Windows\System32\mshtmler.dll
2013-05-23 02:24:58 77312 ----a-w- C:\Windows\System32\tdc.ocx
2013-05-13 05:51:01 184320 ----a-w- C:\Windows\System32\cryptsvc.dll
2013-05-13 05:51:00 1464320 ----a-w- C:\Windows\System32\crypt32.dll
2013-05-13 05:51:00 139776 ----a-w- C:\Windows\System32\cryptnet.dll
2013-05-13 05:50:40 52224 ----a-w- C:\Windows\System32\certenc.dll
2013-05-13 04:45:55 140288 ----a-w- C:\Windows\SysWow64\cryptsvc.dll
2013-05-13 04:45:55 1160192 ----a-w- C:\Windows\SysWow64\crypt32.dll
2013-05-13 04:45:55 103936 ----a-w- C:\Windows\SysWow64\cryptnet.dll
2013-05-13 03:43:55 1192448 ----a-w- C:\Windows\System32\certutil.exe
2013-05-13 03:08:10 903168 ----a-w- C:\Windows\SysWow64\certutil.exe
2013-05-13 03:08:06 43008 ----a-w- C:\Windows\SysWow64\certenc.dll
.
============= FINISH: 10:11:38.40 ===============

Edited by dc3, 10 August 2013 - 12:25 PM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#2 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 06:20 AM

Hi,

This sounds a lot like a corrupted user profile to me. Have you checked if you're using a temporary profile when logging in? Are you able to log into that administrator account?
The stuff showing in the DDS log and the MBAM log is toolbars, add-ons and other annoying things that install themselves if you don't untick them. I wouldn't expect them to cause your user profile to show up the way it does.

regards
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 dc3

Posted 15 August 2013 - 07:57 AM

Hi myrti,

 

One of the odd things about this is that I ran AdwCleaner just the previous week and hadn't downloaded anything since then. My wife is not computer literate and downloaded a couple of games which had third-party software. I ran AdwCleaner on her computer and was impressed enough that I ran it on mine.

 

I can log into the other administrator account, but I cannot delete the account. I installed Windows 7 last December; after the installation I only had one user account, an administrator account with my computer's name on the account. Now there are two administrator accounts, the original with my name and the new one titled Administrator; there are no guest or temporary accounts.

 

Prior to this second administrator account showing up my computer would boot straight to my administrator account, now it boots to two icons for the two different accounts.  I can log into either account at this point.

 

I've never even heard of anything like this occurring.

 

Thank you for responding, I truly appreciate your time.

 

Dan


#4 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 08:04 AM

Hi,

Have you checked whether your account is still an admin account or if it has been changed to restricted?
When you log into your account, where does %userprofile% point you?

Did you ask your nephew what he did? (I'm sure he didn't do anything, right? :whistle:)

regards
myrti



#5 dc3

Posted 15 August 2013 - 08:26 AM

My account is still recognized as an administrator account.

 

%userprofile% points me to my original account.

 

The nephew told me that he only did a little web surfing.  I immediately looked into the history and found that it had been cleared.  Nope... he didn't do anything.  


#6 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 08:48 AM

Of course he didn't. :lol:

Could you open regedit and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Can you check what keys are available there? Is there one with a .bak extension?

regards
myrti



#7 dc3

Posted 15 August 2013 - 08:58 AM

A picture being worth a thousand words...

 

[attached image: profiles_zps506bd9c7.png]


#8 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 09:06 AM

Hi,

Hmm, no .bak. That's unfortunate. Do you still have all your user data in your user profile? Or is everything gone?

regards
myrti



#9 dc3

Posted 15 August 2013 - 09:24 AM

Hi,

 

Everything in my profile is as it should be.

 

Dan


#10 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 09:25 AM

Hi,

So you recovered your start menu and Thunderbird data, or are "just" the documents still in "My Documents"? Is anything on your desktop?

regards
myrti



#11 dc3

Posted 15 August 2013 - 09:42 AM

The first time I booted after my nephew had used the computer, it booted directly to the new administrator account, which has a different desktop theme (which, incidentally, changed back to the previous theme after changing it). After running Malwarebytes I rebooted and found the new administrator account and my administrator account to choose from. When I booted into my account everything was as it was previously; I didn't lose anything.


#12 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 09:48 AM

Oh, ok. I thought we were trying to recover your lost account settings. That's why I was searching high and low for "broken" or "disabled" accounts. :lol: I'm about to head out; I'll check out the administrator account once I'm back home. If my memory doesn't fool me though, the administrator account is present and simply hidden in normal bootup on Win7. You would see it in safe mode, for example.

Your logs so far are clean. I would like you to run a scan with aswMBR though, to be sure:
Please download aswMBR (4.5 MB) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

regards
myrti



#13 dc3

Posted 15 August 2013 - 01:00 PM

I'm back myrti, sorry it took so long. My download speed normally is 15 Kb/s; this download ran at 1,500 B/s. Then I discovered that the log will not open in OpenOffice and had to download WordPerfect.

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-08-15 09:09:45
-----------------------------
09:09:45.666    OS Version: Windows x64 6.1.7601 Service Pack 1
09:09:45.666    Number of processors: 1 586 0x2F02
09:09:45.666    ComputerName: DANIEL-PC  UserName: Daniel
09:09:46.557    Initialize success
09:11:27.658    AVAST engine defs: 13081500
09:21:26.814    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
09:21:26.830    Disk 0 Vendor: Maxtor_6B200R0 BAH41BM0 Size: 194481MB BusType: 3
09:21:26.955    Disk 0 MBR read successfully
09:21:26.955    Disk 0 MBR scan
09:21:26.955    Disk 0 Windows 7 default MBR code
09:21:26.970    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
09:21:26.970    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       194379 MB offset 206848
09:21:27.017    Disk 0 scanning C:\Windows\system32\drivers
09:21:39.205    Service scanning
09:22:20.643    Modules scanning
09:22:20.659    Disk 0 trace - called modules:
09:22:20.674    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys 
09:22:20.690    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8002dc5240]
09:22:21.344    3 CLASSPNP.SYS[fffff8800194343f] -> nt!IofCallDriver -> [0xfffffa8002b79520]
09:22:21.351    5 ACPI.sys[fffff88000f3c7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8002b75680]
09:22:22.688    AVAST engine scan C:\Windows
09:22:25.063    AVAST engine scan C:\Windows\system32
09:26:04.958    AVAST engine scan C:\Windows\system32\drivers
09:26:20.654    AVAST engine scan C:\Users\Daniel
09:30:53.122    AVAST engine scan C:\ProgramData
09:32:16.309    Scan finished successfully
09:33:57.012    Disk 0 MBR has been saved successfully to "C:\Users\Daniel\Downloads\MBR.dat"
09:33:57.028    The log file has been saved successfully to "C:\Users\Daniel\Downloads\aswMBR log.txt"
 
Kindest regards,
 
Dan

#14 dc3

Posted 15 August 2013 - 02:23 PM

Hi myrti,

 

I got curious and did a little reading, and I found that Windows 7 hides the default Administrator account. To see if this was what I have been seeing, I ran net user administrator /active:no, and the second administrator account no longer appears in the user accounts. Now I'm really curious to discover what made this file visible. I will run the net user administrator /active:yes command so that this is back to the way it was found and wait for your suggestions.

 

Dan


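Putting myrti's ProfileList question (post #6) and Dan's net user /active experiment (post #14) together, here is an added PowerShell example that is not code from anyone in this thread. It inspects both things without changing anything: it lists the ProfileList keys and flags any .bak entry, reports whether the built-in Administrator account (RID 500) is enabled, and, if account-management auditing happened to be on, pulls Security event 4722 ("A user account was enabled") for that account, which is the record that would say when, and under which logged-on account, the hidden Administrator was switched on. Assumptions: it is run from an elevated PowerShell prompt on Windows 7 (PowerShell 2.0 syntax), and the 4722 lookup only returns anything if "Audit User Account Management" was enabled before the change, which is not the Windows 7 default.

```powershell
# Added example, not from the thread: read-only checks for the two things
# discussed above on a Windows 7 box. Run from an elevated PowerShell prompt.

$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileListStatus {
    # One object per profile key: the SID-named key, the folder it maps to,
    # and whether the key name ends in ".bak" (left behind when Windows had
    # to load a temporary profile in place of the real one).
    Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        New-Object PSObject -Property @{
            Key      = $_.PSChildName
            Path     = $props.ProfileImagePath
            IsBackup = ($_.PSChildName -like '*.bak')
        }
    }
}

function Get-BuiltinAdministratorStatus {
    # The built-in Administrator always has RID 500, so match on the SID
    # rather than the name (the account can be renamed). Disabled = True is
    # the normal Windows 7 state; "net user administrator /active:yes"
    # flips it to False.
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    New-Object PSObject -Property @{
        Name     = $admin.Name
        SID      = $admin.SID
        Disabled = $admin.Disabled
    }
}

function Get-AdminEnableEvents {
    # Security event 4722 = "A user account was enabled". It is only written
    # if "Audit User Account Management" was on at the time (assumption: it
    # may not have been), so an empty result proves nothing either way.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4722 } -ErrorAction Stop |
            Where-Object { $_.Message -match 'S-1-5-21-\d+-\d+-\d+-500' } |
            Select-Object TimeCreated, Id, Message
    } catch {
        Write-Host ("No 4722 events found or Security log not readable: " + $_.Exception.Message)
    }
}

$profiles = Get-ProfileListStatus
$profiles | Format-Table Key, IsBackup, Path -AutoSize
if ($profiles | Where-Object { $_.IsBackup }) {
    Write-Host 'Found a .bak ProfileList key: a profile was loaded as temporary at some point.'
} else {
    Write-Host 'No .bak ProfileList keys; the profile mapping itself looks intact.'
}

Get-BuiltinAdministratorStatus | Format-List Name, SID, Disabled
Get-AdminEnableEvents | Format-List
```

Nothing in the script changes state; it only reads the registry, WMI and the Security log. Matching on RID 500 rather than the name "Administrator" matters because the two accounts in this thread are both administrators, and only the built-in one carries that RID. To put the account back to its hidden state, the thread's own `net user administrator /active:no` is the command.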

#15 myrti
Malware Study Hall Admin

Posted 15 August 2013 - 02:43 PM

Hi,

 

Yes, that was what I was expecting to be the case. What caused it, I cannot tell you. If I figure something out, I'll let you know. :)

 

Your logs are clean, so I don't think you have to worry about malware. It might be a program activating the account.

 

regards

myrti

