Virus Creating multiple User account


  1. Posts : 9
    Windows 7 64-bit
       #1

    Virus Creating multiple User account


    A few days back when I turned on my PC, another user account had been created. When I log off there is another user account along with mine with the name "Other User"; it has its own username and password, and I do not know how to access it.
    I still have my administrator privileges, so I tried deleting that account through Manage Accounts, but the account does not appear on the list.
    I also tried looking through the Users folder, but all I can see is my account folder and another folder named Public.
    I noticed this virus when a window started to pop up on the screen at startup - I have attached an image of it.
    It hasn't done any serious damage to my PC or deleted any files.
    I traced the location of the file which was popping up the window on startup. It was found in C:\Windows\SysWOW64\connect.exe. I deleted the exe.
    The file had an icon which looks like - refer to the image posted.
    I have set a password for the account now but I still can't seem to delete this other user account. I'm a bit scared that this is going to cause further harm to my PC. Please help.
    The virus caused my computer to get 2 BSODs until I removed it.


  2. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #2

    Run Farbar Recovery Scan Tool


    64-Bit Version OS Farbar Recovery Scan Tool x64 <===== Download Link

    Drag the FRST64.exe from the Downloads folder to your Desktop

    Right click on FRST64.exe and choose

    When the tool opens, click Yes on the disclaimer window.

    Press Scan button.

    FRST will let you know when the scan is complete and has written the FRST.txt to file

       Note
    The first time Farbar Recovery Scan Tool is run, it also makes another log, Addition.txt


    Please upload both logs in your reply (FRST.txt and Addition.txt).

    FRST.txt and Addition.txt will be on the Desktop

    Upload a File
    Click on the Go Advanced button under the Message box. Scroll down to Additional Options, then click on Manage Attachments in the Attach Files section. Click the Browse button, locate the file, then click on the Open button. In the Upload File from your Computer section, click on the Upload button. Wait until it finishes uploading, then close the window. Then click Submit Reply.


  3. Posts : 9
    Windows 7 64-bit
    Thread Starter
       #3

    FRST.txt and Addition.txt


  4. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #4

    AdwCleaner

    Click here AdwCleaner

    Click on Download Now button

    Save to the Desktop

    Right-click on AdwCleaner.exe and choose

    Click on Delete and confirm the prompt.



    Your computer will be rebooted automatically. A text file will open after the restart.

    Upload the log : The log file is at C:\AdwCleaner[Sn].txt


    Download Junkware Removal Toolkit

    Click here Junkware Removal Tool to download

    Drag the JRT.exe from the Downloads folder to your Desktop

    Right click JRT.exe and choose

    Once done upload the JRT.txt file

    Run Malwarebytes

    Download Link MalwareBytes

    When the installation is done, uncheck Enable free trial of Malwarebytes (see image below)



    Update the definitions and do a full scan

    On the Scanner tab:
    Make sure the "Perform Full Scan" option is selected.
    Then click on the Scan button.
    If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    Click OK to close the message box and continue with the removal process.
    Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    Make sure that everything is checked, and click Remove Selected.
    When removal is completed, a log report will open in Notepad.
    The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    Copy and paste the contents of that report in your next reply and exit MBAM.

    Logs :
    • AdwCleaner[Sn].txt
    • JRT.txt
    • MBAM log


  5. Posts : 9
    Windows 7 64-bit
    Thread Starter
       #5

    AdwCleaner[Sn].txt
    JRT.txt
    MBAM log


  6. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #6

    Please download MGADiag and save it to your desktop.

    Double click icon on your desktop.

    Click on the button

    Click on the button

    Paste the log inside the box. Highlight all of the text, then code wrap it in between [CODE][/CODE] by pressing on the # icon on the top.


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    Run-time error '401';
    Can't show non-modal from when modal form is displayed <----This is a 'visual basic' error. Some program you're trying to run?

    arabblogs ... IP is 141.101.116.32 Do you recognize it? It shows Camaros
    IP Location: United Kingdom London Cloudflare Cdn Network ASN: AS13335 CLOUDFLARENET - CloudFlare, Inc.


  8. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #8

    I found this. Very interesting.
    AS13335 CLOUDFLARENET - CloudFlare, Inc.

    MalwareURL


  9. Posts : 9
    Windows 7 64-bit
    Thread Starter
       #9

    Code:
    Diagnostic Report (1.9.0027.0):
    -----------------------------------------
    Windows Validation Data-->
    
    Validation Code: 0
    Cached Online Validation Code: 0x0
    Windows Product Key: *****-*****-XH43B-4D63W-XVQ3J
    Windows Product Key Hash: BHstjOJAd4fKhxKNdwAYRXMLM5k=
    Windows Product ID: 00426-069-0452712-86096
    Windows Product ID Type: 5
    Windows License Type: Retail
    Windows OS version: 6.1.7601.2.00010100.1.0.001
    ID: {05AD280D-4700-4668-BABE-7D564AF6193B}(1)
    Is Admin: Yes
    TestCab: 0x0
    LegitcheckControl ActiveX: N/A, hr = 0x80070002
    Signed By: N/A, hr = 0x80070002
    Product Name: Windows 7 Ultimate
    Architecture: 0x00000009
    Build lab: 7601.win7sp1_gdr.130318-1533
    TTS Error: 
    Validation Diagnostic: 
    Resolution Status: N/A
    
    Vista WgaER Data-->
    ThreatID(s): N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    
    Windows XP Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    File Exists: No
    Version: N/A, hr = 0x80070002
    WgaTray.exe Signed By: N/A, hr = 0x80070002
    WgaLogon.dll Signed By: N/A, hr = 0x80070002
    
    OGA Notifications Data-->
    Cached Result: N/A, hr = 0x80070002
    Version: N/A, hr = 0x80070002
    OGAExec.exe Signed By: N/A, hr = 0x80070002
    OGAAddin.dll Signed By: N/A, hr = 0x80070002
    
    OGA Data-->
    Office Status: 103 Blocked VLK
    Microsoft Office Enterprise 2007 - 103 Blocked VLK
    OGA Version: N/A, 0x80070002
    Signed By: N/A, hr = 0x80070002
    Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3
    
    Browser Data-->
    Proxy settings: N/A
    User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
    Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Download signed ActiveX controls: Prompt
    Download unsigned ActiveX controls: Disabled
    Run ActiveX controls and plug-ins: Allowed
    Initialize and script ActiveX controls not marked as safe: Disabled
    Allow scripting of Internet Explorer Webbrowser control: Disabled
    Active scripting: Allowed
    Script ActiveX controls marked as safe for scripting: Allowed
    
    File Scan Data-->
    
    Other data-->
    Office Details: <GenuineResults><MachineData><UGUID>{05AD280D-4700-4668-BABE-7D564AF6193B}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.001</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-XVQ3J</PKey><PID>00426-069-0452712-86096</PID><PIDType>5</PIDType><SID>S-1-5-21-3148864694-4287931572-2495901781</SID><SYSTEM><Manufacturer>Gigabyte Technology Co., Ltd.</Manufacturer><Model>To be filled by O.E.M.</Model></SYSTEM><BIOS><Manufacturer>American Megatrends Inc.</Manufacturer><Version>F13</Version><SMBIOSVersion major="2" minor="7"/><Date>20130227000000.000000+000</Date></BIOS><HWID>8CDE3407018400FE</HWID><UserLCID>4009</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>India Standard Time(GMT+05:30)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification/></MachineData><Software><Office><Result>103</Result><Products><Product GUID="{90120000-0030-0000-0000-0000000FF1CE}"><LegitResult>103</LegitResult><Name>Microsoft Office Enterprise 2007</Name><Ver>12</Ver><Val>ACD7202654E586</Val><Hash>fFic3JgCreGGRxyF8uMWB4R4Jcg=</Hash><Pid>89388-707-1528066-65084</Pid><PidType>14</PidType></Product></Products><Applications><App Id="15" Version="12" Result="103"/><App Id="16" Version="12" Result="103"/><App Id="18" Version="12" Result="103"/><App Id="19" Version="12" Result="103"/><App Id="1A" Version="12" Result="103"/><App Id="1B" Version="12" Result="103"/><App Id="44" Version="12" Result="103"/><App Id="A1" Version="12" Result="103"/><App Id="BA" Version="12" Result="103"/></Applications></Office></Software></GenuineResults>  
    
    Spsys.log Content: 0x80070002
    
    Licensing Data-->
    Software licensing service version: 6.1.7601.17514
    
    Name: Windows(R) 7, Ultimate edition
    Description: Windows Operating System - Windows(R) 7, RETAIL channel
    Activation ID: a0cde89c-3304-4157-b61c-c8ad785d1fad
    Application ID: 55c92734-d682-4d71-983e-d6ec3f16059f
    Extended PID: 00426-00172-069-045271-00-1041-7601.0000-1482013
    Installation ID: 019945846195859710294805441652396951311583909650462635
    Processor Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88338
    Machine Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88339
    Use License URL: http://go.microsoft.com/fwlink/?LinkID=88341
    Product Key Certificate URL: http://go.microsoft.com/fwlink/?LinkID=88340
    Partial Product Key: XVQ3J
    License Status: Licensed
    Remaining Windows rearm count: 3
    Trusted time: 03-08-2013 12:01:25
    
    Windows Activation Technologies-->
    HrOffline: 0x00000000
    HrOnline: N/A
    HealthStatus: 0x0000000000000000
    Event Time Stamp: N/A
    ActiveX: Registered, Version: 7.1.7600.16395
    Admin Service: Registered, Version: 7.1.7600.16395
    HealthStatus Bitmask Output:
    
    
    HWID Data-->
    HWID Hash Current: NAAAAAEABAABAAEAAAACAAAAAgABAAEA6GEIBagYYBoWUpSWdLjexTa6Olv0AT5nVtSWYw==
    
    OEM Activation 1.0 Data-->
    N/A
    
    OEM Activation 2.0 Data-->
    BIOS valid for OA 2.0: yes, but no SLIC table
    Windows marker version: N/A
    OEMID and OEMTableID Consistent: N/A
    BIOS Information: 
      ACPI Table Name	OEMID Value	OEMTableID Value
      APIC			ALASKA		A M I
      FACP			ALASKA		A M I
      HPET			ALASKA		A M I
      MCFG					
      SSDT			IdeRef		IdeTable
      SSDT			IdeRef		IdeTable
      SSDT			IdeRef		IdeTable
      DMAR			INTEL 		SNB


  10. Posts : 9
    Windows 7 64-bit
    Thread Starter
       #10

    I haven't installed Visual Basic on my PC. The latest app that I installed was Tunngle, and I'm pretty sure the virus came that way when I joined a network. However, it was undetected by my antivirus.
    And it had created an additional user account. None of the above programs have helped me remove this other user account so far.
    Since I still have my admin privileges, is there any way that I can unhide it from my Manage Accounts page through a cmd command or something?
      My Computer
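
The check asked about in post #10, as an added example that is not part of the original thread or any poster's advice: a read-only PowerShell listing of every local account, flagging any that are hidden from the logon screen. It assumes an elevated PowerShell prompt on Windows 7 and uses the standard `SpecialAccounts\UserList` registry location; nothing in it is taken from the logs attached to this thread.

```powershell
# Added example: enumerate local accounts and flag hidden ones. Read-only.
# Works on PowerShell 2.0 (Windows 7); run from an elevated prompt.

$hideKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

# Account names with a value of 0 under this key are hidden from the logon screen.
$hidden = @{}
if (Test-Path $hideKey) {
    $key = Get-Item $hideKey
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -eq 0) { $hidden[$name.ToLower()] = $true }
    }
}

# Map SID -> profile folder, to show which accounts have a profile on disk.
$profiles = @{}
Get-WmiObject Win32_UserProfile | ForEach-Object { $profiles[$_.SID] = $_.LocalPath }

# Every local account known to the system, whether or not Control Panel lists it.
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | ForEach-Object {
    New-Object PSObject -Property @{
        Name            = $_.Name
        SID             = $_.SID
        Disabled        = $_.Disabled
        HiddenFromLogon = $hidden.ContainsKey($_.Name.ToLower())
        ProfilePath     = $profiles[$_.SID]   # empty if no profile folder exists
    }
} | Select-Object Name, SID, Disabled, HiddenFromLogon, ProfilePath |
    Format-Table -AutoSize
```

An account that shows up here with `HiddenFromLogon` set, or one you do not recognise at all, is worth including alongside the FRST logs when asking for help.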


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.