Windows 7 Forums


Windows 7: Virus Creating multiple User account

02 Aug 2013   #1

Windows 7 64-bit
 
 
Virus Creating multiple User account

A few days back when I turned on my PC, another user account was created. When I log off there is another user account along with mine with the name "Other User". It has its own username and password. I do not know how to access it.
I still have my administrator privileges, so I tried deleting that account through Manage Accounts, but the account does not appear on the list.
I also tried looking through the Users folder, but all I can see is my account folder and another folder named Public.
I noticed this virus when a window started to pop up on the screen at startup. I have attached an image of it.
It hasn't done any serious damage to my PC or deleted any files.
I traced the location of the file which was popping up the window on startup. It was found in C:\Windwos\SysWOW64\connect.exe. I deleted the exe.
The file had an icon that looks like the one in the image posted.
I have set a password for the account now, but I still can't seem to delete this other user account. I'm a bit scared that this is going to cause further harm to my PC. Please help.
The virus caused my computer to get 2 BSODs until I removed it.




02 Aug 2013   #2

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Run Farbar Recovery Scan Tool


64-Bit Version OS Farbar Recovery Scan Tool x64 <===== Download Link

Drag the FRST64.exe from the Downloads folder to your Desktop

Right click on FRST64.exe and choose

When the tool opens click Yes on the disclaimer window.

Press Scan button.

FRST will let you know when the scan is complete and it has written FRST.txt to file.

Note
The first time Farbar Recovery Scan Tool is run, it also makes another log, Addition.txt.


Please upload both logs in your reply (FRST.txt and Addition.txt).

FRST.txt and Addition.txt will be on the Desktop

Upload a File
Click on the Go Advanced button under the Message box. Scroll down to Additional Options, then click on Manage Attachments in the Attach Files section. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section click on the Upload button. Wait until it finishes uploading, then close the window. Then click Submit Reply.
02 Aug 2013   #3

Windows 7 64-bit
 
 

FRST.txt and Addition.txt


Attached Files
File Type: txt FRST.txt (25.8 KB, 3 views)
File Type: txt Addition.txt (23.6 KB, 1 views)


02 Aug 2013   #4

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

AdwCleaner

Click here AdwCleaner

Click on Download Now button

Save to the Desktop

Right-click on AdwCleaner.exe and choose

Click on Delete and confirm the prompt.



Your computer will be rebooted automatically. A text file will open after the restart.

Upload the log : The log file is at C:\AdwCleaner[Sn].txt


Download Junkware Removal Toolkit

Click here Junkware Removal Tool to download

Drag the JRT.exe from the Downloads folder to your Desktop

Right click JRT.exe and choose

Once done upload the JRT.txt file

Run Malwarebytes

Download Link MalwareBytes

When the installation is done, uncheck Enable free trial of Malwarebytes (see image below).



Update the definitions and do a full scan

On the Scanner tab:
Make sure the "Perform Full Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
Make sure that everything is checked, and click Remove Selected.
When removal is completed, a log report will open in Notepad.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

Logs :
  • AdwCleaner[Sn].txt
  • JRT.txt
  • MBAM log
02 Aug 2013   #5

Windows 7 64-bit
 
 

AdwCleaner[Sn].txt
JRT.txt
MBAM log


Attached Files
File Type: txt AdwCleaner[S1].txt (8.8 KB, 3 views)
File Type: txt JRT.txt (939 Bytes, 5 views)
File Type: txt mbam-log-2013-08-03 (01-39-49).txt (8.4 KB, 6 views)
02 Aug 2013   #6

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Please download MGADiag and save it to your desktop.

Double click icon on your desktop.

Click on the button

Click on the button

Paste the log inside the box. Highlight all of the text, then code wrap it in between [CODE][/CODE] by pressing on the # icon on the top.
02 Aug 2013   #7
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

Run-time error '401';
Can't show non-modal form when modal form is displayed <---- This is a 'Visual Basic' error. Some program you're trying to run?

arabblogs ... IP is 141.101.116.32 Do you recognize it? It shows Camaros
IP Location: United Kingdom London Cloudflare Cdn Network ASN: AS13335 CLOUDFLARENET - CloudFlare, Inc.
02 Aug 2013   #8

Windows 7 Pro. 64/SP-1
 
 

I found this. Very interesting.
AS13335 CLOUDFLARENET - CloudFlare, Inc.

MalwareURL
03 Aug 2013   #9

Windows 7 64-bit
 
 

Code:
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-XH43B-4D63W-XVQ3J
Windows Product Key Hash: BHstjOJAd4fKhxKNdwAYRXMLM5k=
Windows Product ID: 00426-069-0452712-86096
Windows Product ID Type: 5
Windows License Type: Retail
Windows OS version: 6.1.7601.2.00010100.1.0.001
ID: {05AD280D-4700-4668-BABE-7D564AF6193B}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Ultimate
Architecture: 0x00000009
Build lab: 7601.win7sp1_gdr.130318-1533
TTS Error: 
Validation Diagnostic: 
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 103 Blocked VLK
Microsoft Office Enterprise 2007 - 103 Blocked VLK
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{05AD280D-4700-4668-BABE-7D564AF6193B}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-XVQ3J</PKey><PID>00426-069-0452712-86096</PID><PIDType>5</PIDType><SID>S-1-5-21-3148864694-4287931572-2495901781</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>To be filled by O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>F13</Version><SMBIOSVersion major="2" minor="7"/><Date>20130227000000.000000+000</Date></BIOS><HWID>8CDE3407018400FE</HWID><UserLCID>4009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>India Standard Time(GMT+05:30)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65084</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults>  

Spsys.log Content: 0x80070002

Licensing Data-->
Software licensing service version: 6.1.7601.17514

Name: Windows(R) 7, Ultimate edition
Description: Windows Operating System - Windows(R) 7, RETAIL channel
Activation ID: a0cde89c-3304-4157-b61c-c8ad785d1fad
Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
Extended PID: 00426-00172-069-045271-00-1041-7601.0000-1482013
Installation ID: 019945846195859710294805441652396951311583909650462635
Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
Partial Product Key: XVQ3J
License Status: Licensed
Remaining Windows rearm count: 3
Trusted time: 03-08-2013 12:01:25

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: N/A
HealthStatus: 0x0000000000000000
Event Time Stamp: N/A
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GEIBagYYBoWUpSWdLjexTa6Olv0AT5nVtSWYw==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes, but no SLIC table
Windows marker version: N/A
OEMID and OEMTableID Consistent: N/A
BIOS Information: 
  ACPI Table Name	OEMID Value	OEMTableID Value
  APIC			ALASKA		A M I
  FACP			ALASKA		A M I
  HPET			ALASKA		A M I
  MCFG					
  SSDT			IdeRef		IdeTable
  SSDT			IdeRef		IdeTable
  SSDT			IdeRef		IdeTable
  DMAR			INTEL 		SNB
03 Aug 2013   #10

Windows 7 64-bit
 
 

I haven't installed Visual Basic on my PC. The latest app that I installed was Tunngle, and I'm pretty sure the virus came that way when I joined a network. However, it was undetected by my antivirus.
And it had created an additional user account. None of the above programs have helped me remove this other user account so far.
Since I still have my admin privileges, is there any way that I can unhide it from my manage account page through a Cmd command or something?
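
One way to list every local account from the command line, independent of the Manage Accounts page, as an added example that is not part of the original thread. It assumes an elevated PowerShell 2.0 prompt (the version shipped with Windows 7); whether the "Other User" tile corresponds to a real account is not established in the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Written for PowerShell 2.0 (Windows 7), so no Get-LocalUser or [pscustomobject].

# 1. Every local account in the account database, whether or not the
#    Manage Accounts page or the logon screen shows it.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"

# 2. Accounts hidden from the logon screen: under this key the value name is
#    the account name and DWORD data 0 means "do not show". The key may not exist.
$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
$hidden = @()
if (Test-Path $hideKey) {
    $key = Get-Item $hideKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) { $hidden += $name }
    }
}

# 3. Profile folders registered on this machine, indexed by SID. An account that
#    has never logged on interactively has no entry here and no folder in C:\Users.
$profileKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$profiles = @{}
Get-ChildItem $profileKey | ForEach-Object {
    $profiles[$_.PSChildName] = (Get-ItemProperty $_.PSPath).ProfileImagePath
}

# 4. Combine the three sources into one report, one row per local account.
$report = $accounts | ForEach-Object {
    New-Object PSObject -Property @{
        Name            = $_.Name
        Disabled        = $_.Disabled
        HiddenFromLogon = ($hidden -contains $_.Name)
        ProfilePath     = $profiles[$_.SID]
        SID             = $_.SID
    }
}
$report | Format-Table Name, Disabled, HiddenFromLogon, ProfilePath, SID -AutoSize

# Accounts worth a closer look: hidden from the logon screen, or enabled
# without ever having created a profile folder.
$report | Where-Object { $_.HiddenFromLogon -or (-not $_.Disabled -and -not $_.ProfilePath) } |
    Select-Object Name, SID
```

An account name that appears in this report but is unfamiliar can then be reviewed with `net user <name>` before deciding whether to disable or delete it.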