Help.. New user installed on my computer

Status
Not open for further replies.

darla

I recently visited a website and contracted some type of hacktool virus. Norton said it saw it, but I can't find out the name of it. It also could not delete it. I booted into safe mode and ran the programs suggested on this site, and now that same mysterious "user" appears on the new virus software, the Spyware program and another program of mine requiring a password. I suspect a keylogger. I took a screen shot of the security pages showing the users of those programs. Has anyone seen anything like this?
I did see in the Norton logs a reference to ordinaryrobot(dot)net. Don't go there, just tell me what happened to my machine and is it now unsafe to use for any purpose involving a password.
Screenshots attached:
 

Attachments: hackshots1.jpg (50.3 KB), hackshots2.jpg (60.8 KB), hackshots3.jpg (52.2 KB)

My hijack log

Here is the hijack log. Is the lsass.exe in system32 the problem?
 

Attachment: hijackthis100406.txt (7.2 KB)

Hello and welcome to Techspot.

It's the actual HijackThis.exe file you need to rename to HijackThis1991.exe. See these instructions HERE.

However, before posting a fresh HJT log, go here and download and run the sysclean package from HERE. Be sure to read the instructions carefully. You might also want to download and run the Rootkit Revealer.

If you do have a rootkit infection, I must warn you that you may have to consider a reformat and reinstall. This is because some rootkits can't be removed by any other means.

Post a fresh HJT log, only after doing the above and let me know if you're still having problems.

Regards Howard :wave: :wave:

This thread is for the use of darla only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Honest I really did rename the file to the name suggested. I really did read all your instructions before I posted. I am just trying to get a little help here. Mainly the first question I asked: Has anyone ever seen another user added to a system by a virus? It appears to have taken control of my anti virus software to turn it off and allow the virus in.
Just forget about the hijack log. Somebody please comment on the first question.
I think it is truly scary that one can contract something like this from simply visiting a website or message board. Anyone else had any experiences like this?
 
Yes you did rename it, but you ran the HijackThis.exe file instead of the renamed HijackThis1991.exe. I suggest you delete HijackThis.exe to avoid any confusion.

There are many possible causes of your problems, all of them are nasty.

As I've already said, if you have a rootkit infection, you should follow the instructions I gave you.

As for the unidentified user account, try and delete it. Go to control panel and double click user accounts. Click on the unidentified account and try and delete it. If it won't let you delete it, try from safe mode.

If you can't or don't want to follow instructions, there's not a lot I can do to help you.

Regards Howard :)

 
darla said:
Honest I really did rename the file to the name suggested. I really did read all your instructions before I posted. I am just trying to get a little help here. Mainly the first question I asked: Has anyone ever seen another user added to a system by a virus? It appears to have taken control of my anti virus software to turn it off and allow the virus in.
Just forget about the hijack log. Somebody please comment on the first question.
I think it is truly scary that one can contract something like this from simply visiting a website or message board. Anyone else had any experiences like this?
i haven't heard about one creating another user account but i also haven't seen everything.. and like howard says, try to delete it first..

although viruses and other nasties bypassing/disabling the AV software etc i have heard of....

please just humor us and rescan using the hijackthis1991.exe program again and post..
 
New hard drive, new log, still unknown users

Installed a completely new hard drive, installed the ORIGINAL windows from disc which came with computer, installed AVG and ran, ran Hijackthis1991, and still showing unknown users in certain programs.

Logfile of HijackThis v1.99.1
Scan saved at 4:39:55 PM, on 10/12/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\HijackThis1991\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
 
Your HJT log is clean as a whistle.

If you've installed .NET Framework, it does create another user account and this is normal. See HERE.

Regards Howard :)

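
Added example (not part of any post in this thread, and not HijackThis's own code): one way to check the lsass.exe question against a HijackThis log is to confirm that each core Windows process name under "Running processes" runs from its expected folder. The expected-folder table and the function names are assumptions of this example, and the second sample log is constructed.

```python
import ntpath
import re

# Expected folder (lower-cased) for core Windows XP process images.
# Assumption: Windows is installed in C:\WINDOWS, as in the log on this page.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
ENTRY = re.compile(r"^[A-Z]\d+ - ")  # numbered entries such as "O4 - ..." or "O23 - ..."

def running_processes(log_text):
    """Return the image paths listed under 'Running processes:'."""
    paths, in_section = [], False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and ENTRY.match(line):
            break  # the first numbered entry ends the process list
        elif in_section and line:
            paths.append(line)
    return paths

def misplaced_system_processes(log_text):
    """Return paths that use a core process name outside its expected folder."""
    findings = []
    for path in running_processes(log_text):
        folder, name = ntpath.split(path)
        expected = EXPECTED_DIR.get(name.lower())
        if expected and folder.lower() != expected:
            findings.append(path)
    return findings

# Excerpt of the log posted in this thread.
PAGE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""
# Constructed sample (not from the thread): same log with lsass.exe in the wrong folder.
CONSTRUCTED_LOG = PAGE_LOG.replace(r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\lsass.exe")
```

A matching path only shows the process is running from the usual location; the log lists paths, not file contents, so it cannot show whether the file itself is the original.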
 