Strange Virus: Constantly creating new user accounts

Jimmyman

Hello, I was wondering if someone could please help me out on this. I have Windows 7 and I have been current on my updates, I have Eset Smart Security on with strict settings, and my firewall is also enabled on strict settings as well.

However, I noticed that whenever I turn my computer on there's a new user account. It's a standard user account and I keep deleting them once I'm in Windows, but they keep coming back every time I restart Windows, and they always have a different name like vfdfaswww (not exactly like this) or something similar and they're always standard accounts.

I've checked my processes and any irregular network activity as well but there's nothing suspicious going on. I don't know what this virus is doing though and if it is keylogging me, is spyware or something, and it's really bothering me.

Any help would be appreciated. Thanks for reading.
 

Hi,

Some software creates user accounts to update itself (NVidia is an example). Can you post the exact name of the next account it creates here, so we can look at it?

Regards,
Golden
 

Okay, scanning with Microsoft Security Essentials and Malwarebytes now. I didn't copy down the exact name of the last standard account username but the first one was vfeuuzvxqqe. Thanks for responding guys.
 

Hi,

Mmm. When did you first notice this? Did it correspond to an installation of a particular software?

Regards,
golden
 

I first noticed it yesterday. I think it tries to hide itself though so that you don't really notice it. I installed, updated, and ran Microsoft Security Essentials and Malwarebytes. MSE didn't find anything suspicious, but Malwarebytes found 5 files. They are:

Spyware.Password C:\Windows\System32\ALZZip.BIN
Trojan.Agent.CK C:\Users\Jimmy\AppData\Local\Temp\~nsu.tmp\Bu_.exe
Spyware.Password C:\Windows\System32\ALZALZ.BIN
Trojan.Agent.CK C:\Users\Jimmy\AppData\Local\Temp\~nsu.tmp\Au_.exe
Affiliate.Downloader C:\Users\Jimmy\Downloads\Codec-V.exe

I got Malwarebytes to quarantine them, and then I deleted them from there. However, I do notice that whenever I restart Windows now I get the error that for Malwarebytes the cleanup.dll specified module cannot be found. However, Malwarebytes works fine and says I'm protected while in Windows. Do any of you guys know how to fix this or is it nothing really to worry about? Also, is there any way of knowing if the malware stole any passwords or anything, or is that kind of hard to tell?

Thanks for all the help this far, especially with Malwarebytes! I can't believe ESET and MSE didn't pick the spyware password viruses up though. Those are pretty nasty viruses! They should definitely be getting picked up, especially because they're in system32 and they're bin files!
 
To fix that error, just try to reinstall Malwarebytes. But yes, that would be hard to tell. I think near impossible, but I am no expert so don't take my word for it.

Did you try Windows Defender online?

-Justin
 

I'm trying Windows Defender online now. I don't think it'll catch anything because I scanned with Windows Defender too along with MSE and ESET and none of them found it. That's why I'm so surprised. I just can't believe they'd let something like that get away. MB is the best though. I think I'm going to use it from now on and get the premium version too!
 

Sorry, I meant Windows Defender Offline lol, sorry. Have you had any crashes since you removed those viruses?
 

I haven't had too many crashes. The most common was a BSOD saying athrx.sys but I've had that one before and I fixed it by rolling back the wireless network adapter driver to the one before Windows Update. Strangely, the problem still occurs though, with a new user being created every time I restart Windows, even though I think I got rid of the virus. Maybe I should scan my whole system?
 

Always scan the whole system.

Post up the latest crash files.

-Justin
 

Okay, I'll scan the whole system then. It'll take awhile but I'll post back ASAP. Where do you find the crash files in Windows?
 

Spyware.Password C:\Windows\System32\ALZZip.BIN
Trojan.Agent.CK C:\Users\Jimmy\AppData\Local\Temp\~nsu.tmp\Bu_.exe
Spyware.Password C:\Windows\System32\ALZALZ.BIN
Trojan.Agent.CK C:\Users\Jimmy\AppData\Local\Temp\~nsu.tmp\Au_.exe
Affiliate.Downloader C:\Users\Jimmy\Downloads\Codec-V.exe

Hi,

Unfortunately, I suspect these are indeed malware that steal information (I know Spyware.Password.GenX does) from your computer. However, I'm going to seek a more experienced opinion from Jacee.

What you need to do right now is the following:

1. On a different known safe computer, change all login passwords for accounts that you accessed via your computer, including forums, email accounts and banking accounts.

2. Do a complete scan, using Windows Defender Offline, of your computer. Be sure to note down the exact names of any malware it finds, and post those back here.

Please look out for Jacee's reply, and follow her instructions to the letter.

Regards,
Golden
 

Okay, I'm scanning the whole system with MB and I'm running the SF Diag Tool v4 at the same time, but for some reason it's going really slow and saying I don't have permissions or something like that to access some files.

I'm downloading and installing Windows Defender Offline now on my USB stick. Also, I will change all of my important login passwords such as my bank passwords, email accounts, and forum passwords. I don't think that the virus took much of the data (I may be wrong) because I did have ESET running and there didn't seem to be any suspicious activity, although I did realize my computer was on for a few hours just a while ago connected to an unsecure network and with no firewall on a high speed internet connection, so that was kind of my fault, but I had no idea that ESET or some other program (or the virus) had disabled my firewall. The virus was even trying to mess up MB and disable the modules.

I will wait for Jacee's reply and see what she has to say. The actual Windows Defender on my computer, MSE, and Eset didn't do anything though! That is what is still really surprising me. Why would they let my computer get taken over like that? I thought these were the best programs around! I guess I was wrong! Only MB really noticed anything and tried to fix it. Maybe Norton would've found something, I don't know. I guess I'd have to install it as well and scan my computer with it too. Maybe this is a new variation of the virus or something.

Thanks for all the help so far everyone.
 

Please download TFC (Temp File Cleaner) by OldTimer from the Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
If using Vista/Windows 7, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Next, I'd like you to scan your machine with ESET OnlineScan.
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    1. Click on [esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
    2. Double-click on the [esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [esetAcceptTerms.png].
  5. Click the [esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [esetListThreats.png].
  11. Push [esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [esetBack.png] button.
  13. Push [esetFinish.png].
 

Okay, I finished a full Malwarebytes scan and ESET scan. Both of them come up with nothing. I also ran the TFC program before the ESET scan and still nothing. It all comes back clean, even when I scanned my computer with the offline Windows Defender program.

However, whenever I restart the computer a new standard user account is still created, even when I delete it. ESET, MSE, the Windows firewall, and Malwarebytes aren't detecting anything, and I still see no strange processes in Task Manager or any suspicious network activity. In fact, the standard user accounts that keep getting created are still created even when I'm disconnected from the internet.

Any suggestions? I was thinking that it might be some sort of rogue registry script or something but I'm not sure. Thanks for all the help so far.
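
When scanners come back clean but accounts keep appearing at each restart, the Security event log can show which identity created them and how soon after boot. The PowerShell below is an added example, not part of the original thread; it assumes an elevated prompt, PowerShell 2.0 as shipped with Windows 7, and that auditing of user account management is enabled so that event 4720 is recorded.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Uses only cmdlets and methods available in PowerShell 2.0 on Windows 7.

# 1. Local accounts that exist right now, with SIDs for cross-checking.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, SID, Disabled | Format-Table -AutoSize

# 2. Boot markers: System event 6005 ("The Event log service was started").
$bootFilter = @{ LogName = 'System'; Id = 6005 }
$boots = @(Get-WinEvent -FilterHashtable $bootFilter -ErrorAction SilentlyContinue |
               ForEach-Object { $_.TimeCreated })

# 3. Security event 4720 ("A user account was created").
$createFilter = @{ LogName = 'Security'; Id = 4720 }
$created = @(Get-WinEvent -FilterHashtable $createFilter -ErrorAction SilentlyContinue)

if ($created.Count -eq 0) {
    Write-Warning ('No 4720 events found. Check that account management auditing ' +
                   'is enabled and that the Security log has not been cleared.')
} else {
    $created | ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        # Most recent boot marker that precedes this account creation.
        $when = $_.TimeCreated
        $lastBoot = $boots | Where-Object { $_ -le $when } |
                        Sort-Object -Descending | Select-Object -First 1
        $minutes = $null
        if ($lastBoot) {
            $minutes = [math]::Round(($when - $lastBoot).TotalMinutes, 1)
        }

        New-Object PSObject -Property @{
            Created          = $when
            Account          = $data['TargetUserName']
            AccountSid       = $data['TargetSid']
            CreatedBy        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId          = $data['SubjectLogonId']
            MinutesAfterBoot = $minutes
        }
    } | Sort-Object Created |
        Select-Object Created, Account, AccountSid, CreatedBy, LogonId, MinutesAfterBoot |
        Format-Table -AutoSize
}
```

A `CreatedBy` value of SYSTEM with a small `MinutesAfterBoot` points toward a service or boot-time task, while the logged-on user's own name points toward something launched in that user's logon session.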
 

Jimmyman, you have some good people working with you but I do have a question.
Are you scanning with more than one program at a time? Like MSE and MAB at the same time? This is very interesting. I will just keep watching.
 

Sometimes I scan with more than one program at a time, but I try not to too much because it slows down the computer a lot and it might miss the virus too if there's too much going on with the computer. I'm gonna try Spyware doctor now and then later on Norton.

I don't know why this virus isn't coming up though. It's like it's hiding somewhere and is not being scanned, or is a new virus or something so the virus scanners don't identify it, or it's just some script that the anti-virus programs don't think is a virus so they don't identify it and delete it. It doesn't seem to be doing anything though, which is the weirdest thing about it.

I think I might try repairing my windows installation. Maybe that'll fix the problem.
 

I don't want to step on anybody's toes but I recommend holding off on doing those things until Jacee gets back to you. When you are infected, IMO it's best to run one scan program at a time and not use the computer for anything else. I would keep the infected computer off of the net until fixed unless you have been instructed to use an online scan. This infection can be in more than one location and move around or reload if you use your computer. Unplug everything from your computer that you don't need to do this cleaning. Happy computing will return. The Defender on your computer is not the same as Windows Defender Offline. Did you ever run Windows Defender Offline to completion?
 