TechSpot

Help.. New user installed on my computer

By darla
Oct 3, 2006
  1. I recently visited a website and contracted some type of hacktool virus. Norton said it saw it, but I can't find out the name of it. It also could not delete it. I booted into safe mode and ran the programs suggested on this site, and now that same mysterious "user" appears on the new virus software, the Spyware program and another program of mine requiring a password. I suspect a keylogger. I took a screen shot of the security pages showing the users of those programs. Has anyone seen anything like this?
    I did see in the Norton logs a reference to ordinaryrobot(dot)net. Don't go there, just tell me what happened to my machine and is it now unsafe to use for any purpose involving a password.
    Screenshots attached:
     


  2. darla

    darla TS Rookie Topic Starter

    My hijack log

    Here is the hijack log. Is the lsass.exe in system32 the problem?
     


  3. N3051M

    N3051M TS Evangelist Posts: 2,115

    Rename HiJackThis.exe to HiJackThis1991.exe and then follow these instructions before posting a new one.
     
  4. darla

    darla TS Rookie Topic Starter

    I did rename it to that already. My file name shows a date. Been there done that already.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    It's the actual HijackThis.exe file you need to rename to HijackThis1991.exe. See these instructions HERE.

    However, before posting a fresh HJT log, go here and download and run the sysclean package from HERE. Be sure to read the instructions carefully. You might also want to download and run the Rootkit Revealer.

    If you do have a rootkit infection, I must warn you that you may have to consider a reformat and reinstall. This is because some rootkits can't be removed by any other means.

    Post a fresh HJT log, only after doing the above and let me know if you're still having problems.

    Regards Howard :wave: :wave:

    This thread is for the use of darla only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. darla

    darla TS Rookie Topic Starter

    Honest I really did rename the file to the name suggested. I really did read all your instructions before I posted. I am just trying to get a little help here. Mainly the first question I asked: Has anyone ever seen another user added to a system by a virus? It appears to have taken control of my anti virus software to turn it off and allow the virus in.
    Just forget about the hijack log. Somebody please comment on the first question.
    I think it is truly scary that one can contract something like this from simply visiting a website or message board. Anyone else had any experiences like this?
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes you did rename it, but you ran the HijackThis.exe file instead of the renamed HijackThis1991.exe. I suggest you delete HijackThis.exe to avoid any confusion.

    There are many possible causes of your problems, all of them are nasty.

    As I've already said. If you have a rootkit infection, you should follow the instructions I gave you.

    As for the unidentified user account, try and delete it. Go to control panel and double click user accounts. Click on the unidentified account and try and delete it. If it won't let you delete it, try from safe mode.

    If you can't or don't want to follow instructions, there's not a lot I can do to help you.

    Regards Howard :)

     
  8. N3051M

    N3051M TS Evangelist Posts: 2,115

    i haven't heard about one creating another user account but i also haven't seen everything.. and like howard says, try to delete it first..

    although viruses and other nasties bypassing/disabling the AV software etc i have heard of....

    please just humor us and rescan using the hijackthis1991.exe program again and post..
     
  9. darla

    darla TS Rookie Topic Starter

    New hard drive, new log, still unknown users

    Installed a completely new hard drive, installed the ORIGINAL windows from disc which came with computer, installed AVG and ran, ran Hijackthis1991, and still showing unknown users in certain programs.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:39:55 PM, on 10/12/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
    C:\Program Files\HijackThis1991\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle.

    If you've installed .NET Framework, it does create another user account and this is normal. See HERE.

    Regards Howard :)

     
  11. darla

    darla TS Rookie Topic Starter

    Thanks, Howard, for being patient with me.
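
Added example, not part of the original thread or any poster's code: a Python sketch of the check behind the lsass.exe question in post 2 and the log review in post 10. It parses a HijackThis log and flags core Windows process names running from outside their expected directory; the sample log reuses lines from post 9 plus one constructed entry, and the code assumes Windows is installed in C:\WINDOWS.

```python
import re
from collections import Counter
from ntpath import basename, dirname  # Windows path rules on any OS

# Assumption: Windows lives in C:\WINDOWS, as in the log posted in the thread.
SYS32 = r"c:\windows\system32"
EXPECTED_DIR = {"smss.exe": SYS32, "winlogon.exe": SYS32, "services.exe": SYS32,
                "lsass.exe": SYS32, "svchost.exe": SYS32, "spoolsv.exe": SYS32,
                "explorer.exe": r"c:\windows"}

# Lines taken from the log in this thread, plus ONE constructed entry
# (the lsass.exe under Temp) so the check has something to flag.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\Temp\lsass.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
"""

def parse_hjt(text):
    """Split a HijackThis log into process paths and (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"([ORFN]\d+) - (.*)", line)
        if m:                                   # R0, F1, N3, O4, O23 ...
            entries.append((m.group(1), m.group(2)))
            in_procs = False
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def misplaced_system_processes(processes):
    """Paths whose file name is a core system process but whose directory
    is not the expected one (a name-masquerading indicator)."""
    return [p for p in processes
            if basename(p).lower() in EXPECTED_DIR
            and dirname(p).lower() != EXPECTED_DIR[basename(p).lower()]]

def section_counts(entries):
    """How many entries each HijackThis section code contributed."""
    return Counter(code for code, _ in entries)

if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print("misplaced:", misplaced_system_processes(procs))
    print("sections:", dict(section_counts(entries)))
```

Run against the unmodified log from post 9, the misplaced list is empty, because every core process there runs from system32 or C:\WINDOWS.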
     