Unwanted login screen with new 'Adminestrator' user

Your logs are not showing any signs of this trojan!

• Did you already try any steps to fix things on your own?
• Did you try deleting the Adminestrator account?
  • If so, did it come back after a reboot?
  • If not, please delete the account and then see what happens upon reboot.
• Please uninstall CounterSpy which you said did not find anything and run this Running AVG Anti-Spyware attach the log.
• Look for the below files and tell me if you find any of them:
  • C:\int_rem.bat
  • C:\WINDOWS\9129837.exe
  • C:\abcdefg.bat
  • C:\WINDOWS\new_drv.sys
  • c:\sample.exe

Due to the nature of the infection(s) you have, I must give you the below warning.

Please take this information seriously because your security is at risk.


The computer is infected by a trojan that has Backdoor functionality. This gives intruders complete control of your computer, logging key strokes, stealing information, etc.

You are strongly advised to do the following immediately!:

• Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.
• Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
• From a clean computer, change *all* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Because of this trojan’s backdoor functionality, your PC is very likely compromised and there is no way to be sure that the current installation can ever be trusted again even after removing any malware that may exist. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you make a more informed decision, please read the following articles:

• Danger: Remote Access Trojans.
• When should I re-format? How should I reinstall?
• How Do I Handle Possible Identify Theft, Internet Fraud and Credit Card Fraud?

If you have any questions, please feel free to ask.

Let us know how you would like to proceed. If you decide you would like to just clean this PC, we can continue on that course of action.

 

Click Start and select Control Panel. In Control Panel double click User Accounts. Select the bad account, then choose Delete the account. On the next window tell it to Delete Files.

Confirm any prompts about the deletion.

Then reboot and make sure that it does not come back. Let me know what happens.

Remember what I warned about your security. It may have been compromised. You need to verify with your financial institutions that no illegal activity has been occurring.

 

Yes! Did you read the list that I have in message number 3. It was one of the possible files I listed.

Not really. Using longer and better passwords provides greater protection. A more hardened password should contain all of the below:

• be at least 8 characters in length
• contain a mixture of bot lower case and upper case characters
• contain at least 1 number
• contain at least 1 special character (if allowed. Someplaces my not allow it).
• and not be anything easily guessed about you or another family member

Example (just a an example):

BigDog0307!

Anything that you downloaded or ran from anywhere could have been infected. Sites that you accessed could have run active x scripts on your PC via your brower. Malware does not just come via attachments in emails.

Read thru each tab in the below links to get more info on this trojan and you will see why I keep reminding you to take my warning seriously:

http://www.sophos.com/security/analyses/trojhiloadd.html
http://research.sunbelt-software.co...name=Trojan-PSW.Win32.Small.bs&threatid=53465

Based on your logs and the fact that it has not reappeared yes. But you still need to pay attention to my warning.

 

You're welcome. I would like to run one more scan just as a safety precaution.

Please download Blacklight Beta

• Download blbeta.exe and save it to the Desktop.
• Once saved... double click blbeta.exe to install the program.
• Click accept agreement and Click scan
  This app too may fire off a warning from antivirus. Let the driver load.
  Wait for it to finish.
• If it displays any items...don't do anything with them yet. Just hit exit (close)
• It will drop a log on Desktop that starts with fsbl....big number

Please attach the BlackLight log.


Then if you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
   • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
   • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!