Password expiration not able to disable then trojan now cannot boot up



#1 abvp


Posted 27 January 2014 - 07:14 PM

Back in November I ended up with the FBI impersonator virus/malware thing on my laptop.  I immediately took it to the tech and he removed it.
 
A few weeks later I started getting pop ups telling me my password was going to expire and to change it.  I have never used a password on any machine.  I do not want to use a password.  I didn't know what it was.  Then the countdown was over and I was locked out of the laptop.  It kept demanding that I reset the password and having the screen.  It finally let me in after a while, but I don't know why.  I didn't even have a password.
 
I found the username "tech" under the user accounts when I got back on and struggled but deleted it from the user account section.  I thought that fixed it.  Now I discover that when I get on my computer for all of these months that all that I did was going to this tech account still and not to my own account.
 
Saturday I started getting these messages again telling me that my password was about to expire, so I didn't fix it after all.  I posted on another message board asking for help disabling the password expiration, and I was sent to a link to download a zip file and ended up with something called filewhiz and a Trojan instead.  Malwarebytes got these off eventually.
 
I was also advised by another site before the filewhiz and Trojan fiasco to do a search for wmic and put in UserAccount where PasswordExpires=TRUE set PasswordExpires=FALSE

That's what it told me to put in the wmic. The laptop stopped rebooting in normal mode after that.  Now it only operates in safe mode, and only limited at that.
 
It still gives me the countdown message about the password expiring too, so doing that did not get rid of the problem.  I had this laptop for about a year and a half before the FBI impersonator got on there after a Google search and I had never once had anything to do with password issues or messages before that.  My username already indicates that I don't even have a password.
 
I have had ESET scan and remove some iframe viruses and Trojans and Malwarebytes did too.  Now I am getting clean scans but my laptop still will not boot up in anything other than safe mode.  Not only that, but there is still the "tech" account thing and everything is going to that other account that the technician put on there.  I want it off there and I want my machine to be normal again.
 
I have Windows 7 64 bit. 
 
The other support site had me doing all sorts of stuff and the machine got worse.  I don't know why.  A friend on another, non-computer message board sent me here and said you all are pretty good.  Please, help?
 
Thanks.

Edit: Moved topic from Windows 7 to the more appropriate forum.~ Animal


 


#2 noknojon


Posted 28 January 2014 - 05:22 PM

"The other support site had me doing all sorts of stuff and the machine got worse.  I don't know why.  A friend on another, non computer message board sent me here and said you all are pretty good"

As this is a preliminary area only and you are convinced that there is a decent infection already installed, do you wish to run these few basic scans or repost in the main Malware removal area?

 

Basically the "repair person" created a new account to attempt removal of the infection, then they did not remove their tools or account used during their process.

 

My normal post to you would be this, to look for and remove basic minor hidden infections.

The first few are to gather information, then the others are basic cleaning tools.

 

Please run these tools in the order that they are listed.

First -

Download Screen317 Security Check and save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

 

Next -

Please download MiniToolBox to desktop to run it.
Checkmark following boxes:

* List content of Hosts
* Flush DNS
* Report IE Proxy Settings
* Reset IE Proxy Settings
* Report FF Proxy Settings
* Reset FF Proxy Settings
* List last 10 Event Viewer log
* List Installed Programs
* List Devices (do NOT change any settings here)
* List Users, Partitions and Memory size
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.
Click Go and Copy / Paste the result. (result.txt)

 

Next -

Please post a snapshot with Speccy for more system details -
How to Publish a snapshot with Speccy <<-- Full Directions (only post the link)

 

Next -

Please download and run RKill by Grinler.

A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.

At most the tool will run for about 2 minutes

Post the log back here

 

Important: Do not reboot your computer until you complete the next step.

 

* Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.

* Check that there are no programs that you wish to keep, or post the R0.txt log here for review
* NOW - Click on the Clean button (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.

 

Next -

If you have Malwarebytes' Anti-Malware installed, Update it and run a Full Scan -

OR -

Download Malwarebytes' Anti-Malware Free (aka MBAM) to your desktop.
- Do not accept the Free Trial Version at this time -
* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer if requested.
The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

 

Next -

Download Malwarebytes Anti-Rootkit (A.K.A. MBAR) from HERE

  • Unzip the contents to a folder in a convenient location. (usually desktop)
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain.
  • If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

 

 

 

Next -

I would like you to use the ESET OnlineScanner -
This is best done with Internet Explorer, as it uses ActiveX with the scan
However, alternate directions are left for those that will not use Internet Explorer
Please read and follow How To Temporarily Disable Your Anti-virus during the scan.
1 / Hold down Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2 / Click the ESET Online Scanner button.
3 / For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
3.1 - / Click on This Link to download the External ESET Smart Installer.
3.2 - / Save it to your desktop.
4 / Double click on the  icon on your desktop.
5 / Check "YES, I accept the Terms of Use."
5 / Click the Start button.
6 / Accept any security warnings from your browser.
7 / Under scan settings, check "Scan Archives" and "Remove found threats"
8 / Click Advanced settings and select the following:
* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology
9 / ESET will then download updates for itself, install itself, and begin scanning your computer.

* Please be patient as this will take some time.*
10 / When the scan completes, click List Threats
11 / Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
12 / Click the Back button.
13 / Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.

 

Finish With -

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
• Please double-click TFC.exe to run it.
• For Vista, Win 7 / 8 right-click on the file and choose Run As Administrator.
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process.
• Once it's finished it may reboot your machine.
• If it does not, please manually reboot the machine yourself to ensure a complete clean.

No log is produced or expected from this -

 

 

Thank You -
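
An added example, not part of either post above and not BleepingComputer's own instructions: a read-mostly audit of the local accounts and profiles involved in this thread (the leftover "tech" account and the expiry countdown), followed by a password-expiry change scoped to one named account instead of every account matching PasswordExpires=TRUE. `YourAccountName` is a placeholder assumption; the script uses only the Win32_UserAccount and Win32_UserProfile WMI classes and `net accounts`, and runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: run from an elevated PowerShell prompt.
$TargetAccount = 'YourAccountName'   # placeholder: the account you actually log on with

# 1. Inventory every local account, including ones someone else created.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
$accounts |
    Select-Object Name, SID, Disabled, PasswordRequired, PasswordExpires |
    Format-Table -AutoSize

# 2. Show which account and profile folder the current session is really using.
"Logged on as : $env:USERDOMAIN\$env:USERNAME"
"Profile path : $env:USERPROFILE"

# 3. List profile folders by SID. A SID here with no matching account in step 1
#    is a profile left behind after its account was deleted.
Get-WmiObject -Class Win32_UserProfile |
    Where-Object { -not $_.Special } |
    Select-Object LocalPath, SID, Loaded |
    Format-Table -AutoSize

# 4. Machine-wide policy: "Maximum password age" is what produces the
#    expiry warnings for accounts whose PasswordExpires flag is True.
net accounts

# 5. Change the flag for exactly one account, and only if it is found once.
$hits = @($accounts | Where-Object { $_.Name -eq $TargetAccount })
if ($hits.Count -ne 1) {
    Write-Warning "Expected one local account named '$TargetAccount', found $($hits.Count). Nothing changed."
}
elseif (-not $hits[0].PasswordExpires) {
    "PasswordExpires is already False for '$TargetAccount'. Nothing changed."
}
else {
    $hits[0].PasswordExpires = $false
    [void]$hits[0].Put()             # write the change back through WMI
    # Re-read from WMI to confirm the stored value rather than trusting the local object.
    $check = Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount=True AND Name='$TargetAccount'"
    "PasswordExpires for '$TargetAccount' is now: $($check.PasswordExpires)"
}
```

Steps 1 to 4 only read state, so their output can be posted for a helper to review before step 5 is run.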





