Bug or Virus Preventing Log On

[cpazdrummer]

My sibling was browsing the internet on my adminstrator account and was kicked off by some sort of bug or virus. When i tried logging back into my account it shows a black screen with security options for firewalls and other things. If i attempt to change any settings nothing happens, and if i exit the screen it just shows the black background, no desktop or icons or anything. I was wondering if there is a way to delete my admin account from my siblings account, as his is unharmed. Or possibly a way to restart the account or wipe it, anything that will make it work again.

 

[richc46]

Can you get in safe mode?
http://www.sevenforums.com/tutorials/69585-safe-mode.html

 

[Harvey Meale]

Hi cpazdrummer,

Yes, you should try to access your machine through Safe Mode. Let us know if you're able to do so. To access Safe Mode, turn off your computer. Turn it on again, and as the manufacturer's logo is on the screen, tap F8. From the Boot Menu, select Boot In Safe Mode. Let us know if this works.

Thanks,
Harvey Meale

 

[cpazdrummer]

safe mode did actually work, thank you you two. but there are two new folders on my desktop. spam001 and troj000. that doesn't sound good. my inernet doesn't work, it comes up with a windows securty center message when i try opening it. If worse comes to worse, does anyone know how to wipe a computer? it is fairly new and i dont have any valuable files stored in it.

 

[karlsnooks]

Welcome to SevenForums.

There is an excellent tutorial for you:
http://www.sevenforums.com/tutorials/91339-ssd-hdd-optimize-windows-reinstallation.html

 

[karlsnooks]

Now here is an approach which you may want to try first.

The idea here is to use MalWareBytes to clean up your system.

After MalwareBytes cleans up your system,
then I strongly recommend removing your present anti-virus and installing Microsoft Security Essentials.

After those clean-ups and please do nothing more until you've checked the User Account Control setting.

Ok, how do you do these things:
VIRUS and MALWARE REMOVAL / PROTECTION
1. Download MalwareBytes. Malwarebytes Malwarebytes
2. Disconnect from the Internet.
3. Disable your present antivirus software and firewall.
4. Remove your present antivirus software and firewall.
5. Install and run the MalwareBytes Quick Scan (remove any bad guys). 3min 29secs on my laptop.
6. Reconnect to Internet.
7. Update MalwareBytes.
8. Run malwarebytes quick scan again.(remove any bad guys). 3min 38secs on my laptop.
9. Run MalwareBytes full scan. 16min 8secs on my laptop. With large,full disk ~2hours.
A. Disable your present antivirus software and firewall
B. Remove your present antivirus software
C. Download Microsoft Security Essentials.
http://www.microsoft.com/security_essentials/
D. Run Microsoft Security Essentials. Quick Scan - ~8 min on my laptop.
E. Run Microsoft Security Essentials. Full Scan - ~ 1hr 50 min on my laptop.
Now I advise you to uninstall MalwareBytes and only install again when and if you need it.
Why?, you ask. Leaving MalwareBytes installed slowed my system. AutoRuns showed MalwareBytes processes running even after exiting from MalwareBytes.

-------------------------------------
----------------------------------------------------
To make sure that User Access control is set correctly:
WIN key | type UAC | ENTER key

You will see a sliding scale. You want one position down from the very top.
OK you way out.

WIN key is the one with the wavy flag on it.

 

[Jacee]

@ cpazdrummer your computer has been compromised ..

Warning! Backdoor Trojans

These are the most dangerous, and most widespread, type of Trojan.
Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed by using a different computer and not the infected one, if not an attacker may get the new passwords and transaction information.

Banking and credit card institutions should be notified of the possible security breech.
More info can be found below:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
How to report ID theft, fraud, drive-by installs, hijacking and malware? Security - dslreports.com
When should I re-format? How should I reinstall?
When should I re-format? How should I reinstall? Security - dslreports.com
If you choose to format and reinstall see this link for instructions:
Windows: reformat and reinstall - Cyberwalker.com

 

[karlsnooks]

cpazdrummer,
If you decide on the clean the disk and reinstall approach, then
the link I gave previously covers precisely this case.

This is the way that I install myself when I deem such to be necessary.

I'll repeat the link:
http://www.sevenforums.com/tutorials/91339-ssd-hdd-optimize-windows-reinstallation.html

 

[cpazdrummer]

awesome. thank you karl, i will defenitley try those in the next couple days and let you know how it worked out. Thank you again!

 

[dranfu]

After following Jacee's and karlsnooks advice, I would recommend either running a Anti Virus Live Boot CD, to scan for viruses while your OS is not running. This way, the virus cannot use any of its built in defenses to hide.

Otherwise, I would recommend a fresh install. Truth is, safe-mode is no longer a fail safe way to scan for and eliminate viruses. Take a note of this:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

This is the registry key that contains a listing of services that will boot up when you log into safe mode. It is a trivial matter for a virus to add an entry here, so that it too is running even in safe-mode. Virtumonde was known for doing this, probably one the first, too.

And although there are many great Anti Virus programs, the more popular a program is, the less effective it becomes, as virus writers quickly become aware of a programs popularity, and start writing code to look for these programs, and deal with them accordingly.

Note this quote from an article on Virtumonde:

Vundo inserts registry entries to suppress Windows warnings about the disabling of firewall, antivirus, and the Automatic Updates service, disables the Automatic Updates service and quickly re-disables it if manually re-enabled, and attacks Malwarebytes' Anti-Malware, Spybot Search & Destroy, Lavasoft Ad-Aware, HijackThis, and several other malware removal tools.

Also, Take a look at this, if you find that hard to believe:

 BOOL IsAnubis()
{

    if (IsFileInFolder("C:\\InsideTm\\") == 1)
    {
       detected = 1;
       return 1;
    }
    
    else if(IsFileNameEqualThis("C:\\sample.exe"))
    {
       detected = 1;
       return 1;
    }
    
    else if(IsUsername("user") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

BOOL IsTE()
{
     
    if(IsUsername("UserName") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

BOOL IsSandbox()
{
     
    if(IsUsername("USER") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

BOOL IsJB()
{
    
    if(IsProcessRunning("joeboxserver.exe") == 1 || IsProcessRunning("joeboxcontrol.exe") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;           
}    

BOOL IsNorman()
{
     
    if(IsUsername("currentuser") == 1 || IsUsername("CurrentUser") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

BOOL IsWireShark()
{
     
    if(IsProcessRunning("wireshark.exe") == 1)
    {
       detected = 1;
       return 1;
    }
    
    return 0;
}

BOOL IsKaspersky()
{
     
    if(IsProcessRunning("avp.exe") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}


BOOL IsID() //Sunbelt & Sandboxie included
{
         
    if(GetModuleHandle("api_log.dll") || GetModuleHandle("dir_watch.dll"))
    {
        detected = 1;
        return 1;
    }
    
    else if(IsProcessRunning("sniff_hit.exe") == 1 || IsProcessRunning("sysAnalyzer.exe") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}  

BOOL IsSunbelt()
{
     
    if(GetModuleHandle("pstorec.dll"))
    {
        detected = 1;
        return 1;
    }
    
    else if(IsFolderExist("C:\\analysis") == 1)
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

BOOL IsSandboxie()
{
     
    if(GetModuleHandle("SbieDll.dll"))
    {
        detected = 1;
        return 1;
    }
    
    return 0;
}

BOOL IsVPC() //steve10120
{
  HMODULE dll = LoadLibrary("C:\\vmcheck.dll");
  
  if(dll == NULL)
  {
      return 0;
  }

  BOOL (WINAPI *fnIsRunningInsideVirtualMachine)() = (BOOL (WINAPI *)()) GetProcAddress(dll, "IsRunningInsideVirtualMachine");

  BOOL retValue = FALSE;

  if(fnIsRunningInsideVirtualMachine != NULL)
  {                                                                  
      retValue = fnIsRunningInsideVirtualMachine();
      FreeLibrary(dll);
      detected = 1;
      return 1;
  }

  FreeLibrary(dll);
    
  return 0;
}

This code comes from here: [C++] Anti-Anubis, WireShark, Norman etc. . I suggest using Firefox with no-script enabled if you visit that site. The code has functions that look for various network analysis tools, various anti virus tools, and also sandbox applications. This is virus writing 101.

The truth is, most user's are not going to be aware when their AV has been attacked, or disabled, or tricked. And it is nothing new to look for a popular Anti Malware program and to hide, disable, or trick that program once it's detected. If you don't have valuable files that you want to save, and if you don't want to spend the time analyzing the behavior of processes and services on your PC, and pouring through network packet captures, it would make more sense just to re-image the PC, so that you know the virus is gone.

And I don't say that to bash Malwarebytes, which is an excellent program, and one of my personal favorites. But if it's not a hassle to do a fresh install, then you really should, because at least you know you're 100% safe. Or at least 99.999999999999999% safe

 

[xarden]

If worse comes to worse, does anyone know how to wipe a computer? it is fairly new and i dont have any valuable files stored in it.

Given that its new with no valuable stuff, my vote would be to wipe and start again.