covertwinner Posted November 13, 2012

Hello, I am new to your forums. Please can you help. I am not sure if this is the right place to ask but here goes ..... I am a super novice, using Windows XP on a desktop PC. Right now I am on my Xbox to get help.

My PC seems to have a second unknown user trying to sign into my PC remotely while I am using it. 2 days ago I read here in the forums for help (post about malware, get rogue fix (had to skip, no such program is around now), combofix, malwarebytes, atf cleaner). I followed what I could. It did not stop so I passworded user log ins. Today they still try to log in as a user when I am on the Net. Pop up for change user and tower warning beeps.

I have always run scotty watchdog, avg, superantispyware and malwarebytes. This program or user got in with those active. Thank you for reading.

KenB Posted November 13, 2012

Hi and welcome to ExTS.

I will ask one of our security experts to advise you further. Do NOT run any software (Combofix etc.) without the direction of our security experts.

Is your router using WPA2 security? In other words, do you need a password to initially access it or is it unsecured? Is your network key [password] (assuming you have one) easily guessed?

There is an email going around offering processed pork - gelatin - and salt in a can ......this is simply SPAM !!

Starbuck Posted November 13, 2012

Hi covertwinner

Sorry but this totally confuses me.

"My PC seems to have a second unknown user trying to sign into my PC remotely while I am using it."

Please explain this..... how do you know? What symptoms are evident?

"so I passworded user log ins"

A little late, as this should always be the first thing you do when starting a new user account.

"Pop up for change user and tower warning beeps."

Why would you get tower warning beeps? A warning beep from your system is just that.... a warning of possible hardware problems.

First thing: please answer the question from KenB:

"Is your router using WPA2 security? In other words, do you need a password to initially access it or is it unsecured?"

Also, what type of router are you using?

Did you actually run MBAM and Combofix? If so, please post the reports:

MBAM: Start Malwarebytes AntiMalware. Click on the Logs tab. The logs are date stamped ... double click on the log that showed the infection items.
http://img.photobucket.com/albums/v708/starbuck50/new/mbamlog.png
It'll open in Notepad. Please copy/paste the report in your next reply.

Combofix: The report (combofix.txt) can be found on your system at this location: C:\ComboFix.txt
Please copy and paste the report in your next reply as well.

Thanks

Member of: UNITE

covertwinner (Author) Posted November 13, 2012

I have a network password on it; it was preset by virginmedia, my provider, for wifi, but my PC tower (the device affected) I have hard wired with no clue on protection. Sorry

Starbuck Posted November 13, 2012

Ok. A password is only required for a WiFi connection. If you have connected the PC using an ethernet cable (hard wired) you won't need to enter a password. So anyone else trying to use your connection will need the password (network key).

Did you find the 2 reports I asked for? MBAM and Combofix?

covertwinner (Author) Posted November 13, 2012

I am the only user, only desktop. The problem started when a pop up appeared along with tower beeps. I click cancel as soon as this pops up every time, as it is a Windows pop up (seems to be to change settings or user account (says tabs, grey box, name of my PC etc etc)).

The first time it happened I suddenly had more than one account/user log in available for Windows. The new one was called USER. After running what scans I could following a guide here (most proved impossible for lack of knowledge on my part (combofix and rogue links did not work) and the pop up scaring me into continuing to use PC long enough to search programs needed), there remained just one user log in available, so I then passworded that (so to log into Windows I have to enter a password now) hoping this would block more access? The 'event' also happens the same in safe mode and with only one user account.

Router is an all in one Virgin Media Super Hub.

As for scans - I tried with combofix but could not, as this pop up was making things happen on my PC so I had to shut down (even from safe mode). I am too cautious to allow a scan to run for a long period while this event is happening (assuming someone is trying to take control of my PC). Sorry, I am a novice so don't know enough to, well, you know.. and a bit freaked out by it all. Virgin said it was a secure server when we joined, and with the protection I have running I assumed this could not happen.

I am about to disconnect internet from the tower to run a full scan of malwarebytes so I can post the report here; quick scan shows no infection.

KenB Posted November 14, 2012

"I have network password on it was preset by virginmedia"

Is this the one on the back of the router? If somebody tried to connect with a wireless laptop for the first time, would they need to input this network key?

Starbuck Posted November 14, 2012

Ok, let's try a couple of scans and see what we get back.

Step 1

Download RogueKiller and save it to your desktop.
Close all running programs.
Double click the RogueKiller icon to run the program. Vista/Win7 users should right click the icon and select Run as Administrator.
Wait for the Prescan to finish.
Now click the Scan button.
Please copy and paste the report in your next reply. A copy of the RKreport.txt can be found on your desktop.

Note: If RogueKiller is blocked, do not hesitate to try running it again. If it still fails to run, right click on the downloaded icon and select 'Rename'..... rename it to winlogon and try again.

Step 2

Download OTL to your desktop. Right click on the link and select 'Save Link/Target As'. If you have problems, try this download link: OTL
Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
http://img.photobucket.com/albums/v708/starbuck50/new/Otllatest.png

Now copy the lines in bold below.

netsvcs
msconfig
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\system32\*.exe /lockedfiles
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\*
%USERPROFILE%\..|smtmp;true;true;true /FP
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

Right click in the Custom Scans/Fixes window (under the blue bar) and choose Paste.
http://img.photobucket.com/albums/v708/starbuck50/new%20forum/scan-fix.png

Click the Run Scan button.
http://img.photobucket.com/albums/v708/starbuck50/runscan.png

Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply.

In your next reply, please submit: RogueKiller.txt and both reports from OTL. If the reports are too large, you will have to post them over multiple posts.

Thanks

covertwinner (Author) Posted November 19, 2012

Hello everyone,

Sorry for taking so much time to get back to you all. I would like to thank everyone who helped me and let you all know that all is well now. It took a bit of time to get it fixed but apparently it was my keyboard at fault. Good news (as no-one was trying to hack me): I broke my old one and thought it would be ok to use an even older one I just had lying about, but no no no, this was my downfall lol (I did say I had/have no idea about PCs). But I got a new one and it's all going well (for now haha). If it had not been for this forum I would never have worked this out (only after the scans did I know it was not a hack), so thank you all again, as I would have probably given up and lost a perfectly good PC.

KenB Posted November 20, 2012

Hi

Thanks for the feedback. A faulty keyboard causing all of your problems !! Good luck with the new one :)