Invisible Administrator?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Talt, Jan 12, 2007.

  1. Talt

    Talt Private E-2

    I like helping out local friends and neighbors at cleaning their computer problems up as it keeps me learning new things, but I'm not a computer programmer in any way, shape or form. I only use other companies' software to find the problems and remove the nasty buggers as they are found (hopefully not having to do many manual procedures). Well, today I came across a new one for me that I was hoping you all could lead me in the right direction on.

    The computer I looked at today had the usual trojans, malware and such with 1 key logger. Using various programs like Ewido, SuperAntiSpyware, PestPatrol, PC-cillin and various others, this computer looked crystal clean, but I went to install Microsoft's Baseline Security Analyzer 2 to give it another angle to check from. When I tried to install it, it said this area was used by another folder and couldn't install? Not even an option to overwrite? So I went into Explorer with show all hidden files and folders selected and there was no file named as such. So I tried installing this program under a different file path and still got the same result. So I gave up and instead installed Microsoft's Baseline Security Analyzer 1 and it installed without a hitch, but after running it I found 1 thing I didn't like. It said there were more than 2 administrators on this computer. I immediately went to the control panel under user accounts and there was 1 and only 1. It was Dayle (administrator). No other active accounts at all. So I went back into Baseline Security Analyzer and clicked results for more than 2 administrators and here was the result:

    Administrator
    S #### ### ### ####
    Dayle

    Administrator is normal. Obviously Dayle is normal. But the S with all the numbers behind it is not, nor is not being allowed to install Microsoft's Baseline Security Analyzer 2 for the above reason, and I have no idea how to proceed from here. Can anyone point me in the right direction to get this figured out, please?

    Thanks in advance for any reasonable replies.
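    The raw "S" entry MBSA lists in the post above is a security identifier (SID) that Windows could no longer map to an account name, which is how a deleted local account, or an account from another machine or domain, appears in a group listing. The following PowerShell, added here as an example and not part of the thread, enumerates the local Administrators group through the WinNT ADSI provider and flags members whose SID no longer resolves; it assumes PowerShell 3.0 or later and that the provider exposes objectSid for every member.

```powershell
# Added example (not from the thread): list local Administrators members and
# flag the ones whose SID cannot be translated back to an account name.
# Assumption: the WinNT ADSI provider returns objectSid for each member.
function Get-LocalAdminMembers {
    param([string]$ComputerName = '.')   # '.' means the local machine

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"

    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # Members are COM objects, so their properties are read via reflection.
        $adsPath  = $member.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $member, $null)
        $sidBytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

        # Translate() throws IdentityNotMappedException when the account that
        # owned this SID is gone or belongs to a machine/domain we cannot reach.
        $account = $null
        try {
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch [System.Security.Principal.IdentityNotMappedException] {
            $account = $null
        }

        [pscustomobject]@{
            AdsPath  = $adsPath
            SID      = $sid.Value          # e.g. S-1-5-21-<machine>-<RID>
            Account  = $account
            Orphaned = ($null -eq $account)
        }
    }
}

# Orphaned = True rows are the "third administrator" MBSA is counting; they do
# not appear in Control Panel because there is no longer an account behind them.
Get-LocalAdminMembers | Format-Table -AutoSize
```

    A RID (the last number of the SID) of 500 is the built-in Administrator; RIDs of 1000 and above belong to accounts that were created later, so an orphaned SID in that range was most likely a deleted local user.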
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED (you were not able to run CounterSpy)
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Talt

    Talt Private E-2

    I was able to do the scans in safe mode without any problems and SpyBot did find quite a few things. I just finished with the Panda scan so I am posting the first 3 reports now and will continue as per instructions to the best of my ability.
     

    Attached Files:

  4. Talt

    Talt Private E-2

    Problems are still present so here are the GetRunKey and ShowNew logs. I will be doing the HijackThis log next.
     

    Attached Files:

  5. Talt

    Talt Private E-2

    Attached is the HijackThis log. Does anybody see anything on here that shouldn't be? Appreciate any help on this in getting the last pieces of crud that couldn't be removed that were in the previous logs.
     

    Attached Files:

  6. Talt

    Talt Private E-2

    Another thing that I was wondering on this computer is that PC-cillin keeps popping up a window saying that 10 unknown computers are currently connected to this computer. I'm not familiar with PC-cillin, but what exactly does this mean and should I list these as not trusted? It says something about one should find out and list each as trusted or not trusted... thanks for that one. How would one do that?

    Also Microsoft Baseline Security Analyzer 2 still won't install on this PC as it states that area of the computer is being used by another folder... what's up with that? I don't have problems with that program anywhere else.

    And Microsoft Baseline Security Analyzer 1 is still saying that there is a 3rd administrator with the name (S ### ## #### #####), yet I cannot find that administrator anywhere on this computer. Can someone make any sense of that?
     
  7. Talt

    Talt Private E-2

    Just so anyone who cares knows, I was able to follow the entire instructions in order and perform operations as per instructions.

    Thanks in advance for any insight on any remaining problems or any insight on any questions I had.

    Thanks, and goodnight now!!
     
  8. Talt

    Talt Private E-2

    Ok, so the PC-cillin question. Forget it, I now understand it as a normal function of the program that was never finished, so disregard that one.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't think the problems you described are due to malware, but let's fix what I see first.

    Did you download and install Microsoft's Remote Desktop Connection 6.0? See this: http://support.microsoft.com/?kbid=925876

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O9 - Extra button: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\3413[1]\dial.exe (file missing)
    O9 - Extra 'Tools' menuitem: Enjoy It - {47055D63-DFCD-11d3-8406-00500445A7D1} - C:\WINDOWS\System32\windialup\3413[1]\dial.exe (file missing)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\System32\windialup <--- the whole folder

    Now run Ccleaner.

    Now attach the below new logs and tell me how the above steps went.
    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  10. Talt

    Talt Private E-2

    Well I did what you recommended but the only thing that was still on this computer was:
    O3 - Toolbar: (no name) - {BA52B914-B692... etc.

    so I removed that one but the rest were gone. Last time I was here on this computer I noticed that a part of PC-cillin was turned off which was a protection against malware and spyware. I'm guessing it may have taken care of the rest on its own in the last 2 days.

    Really the computer is running pretty good now and I thank you for the response and taking the time to look at the logs for this computer. Attached are the requested 2 logs.

    Oh, and as for installing Microsoft's Remote Desktop Connection 6.0 in the past, it is possible but we are not positive on that as this computer was owned by another family member last year.

    Thanks again.
     

    Attached Files:

  11. Talt

    Talt Private E-2

    What a brain fart. I totally forgot to check and see if Microsoft's Remote Desktop Connection 6.0 was installed on that computer. I'll have to check next time I stop over there.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You attached a HijackThis log from safe boot mode which is not what we need. They are not useful. Please attach one from normal boot mode and without MSconfig being used. However, I don't really expect that it will show any problems.

    Are you still seeing that other administrator account?
     
    Last edited: Jan 15, 2007
  13. Talt

    Talt Private E-2

    Okay, here are the 2 log files done in normal start mode not in safe mode.

    As far as the extra administrator, yes it's still there, but I'm starting to believe more and more that it does have something to do with remote assistance. I have learned that the previous owner had some remote assistance done in the past. The Microsoft program you referred to is not on this computer, but I'm assuming there are several such programs companies use that could leave this remnant in the computer.

    Unless you see anything else I think I'll leave well enough alone for now as the computer is running good.

    Thanks again,
    Peace
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It will not show in Add/Remove Programs if that is how you are trying to determine whether it is on the computer or not. It is not installed like other software. It is built in as part of Windows while running the patch from Microsoft to add it. It is on the PC because I did see files from it. It is not a problem, but the reason I asked was due to the potential that it was used for remote administration and the possibility of having a user ID for it.

    No! There is nothing else to do, but you should do the below. If you are not having any other malware problems, it is time to do our final steps:

    1. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    2. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    3. After doing the above, you should work through the below link:
     
