User account inexplicably messed up (Win XP SP3) - Malware problem?

Discussion in 'other security issues & news' started by 06Dolphin_Spirit, Sep 16, 2009.

Thread Status:
Not open for further replies.
  1. 06Dolphin_Spirit

    06Dolphin_Spirit Registered Member

    Joined:
    Sep 16, 2009
    Posts:
    17
    Hi there everybody.
    Due to the nature of the issue, I struggled a lot to pick a section to post in (still not sure if this is the correct one). Also, please bear with me, this post may read as long and ... dull, but I'm not that tech savvy and I could really use some help. Finally, I’m not a native English speaker and am trying my best to make this as comprehensive as possible.

    My brother is the sole user of his Laptop, so his user account has Admin rights and is password protected. A couple of weeks back, Windows didn't recognize him and wouldn’t let him log in with his user name. Instead he was able to log in as "User1" (pre-displayed in the username field) and his own (user/ admin) password.
    As this issue struck me as really weird (and being the more computer savvy of the two), I decided to take a look.
    Status is as follows:
    1. The only two accounts are his (Admin rights) and Guest (disabled).
    2. There is no folder under "Documents and Settings" with his (account/ user) name. Instead there are 2 folders named "User1" and "User1.XX" – XX stands for something I’m not sure I should post.
    3. Task Manager shows "User1" to be the active user (I logged in as that). But right-clicking on "Start" & "Explore" takes you to the Start Menu of "User1.XX".
    4. The Screen Saver is also password protected. When getting out of that, the message reads as follows: “This computer is locked. Only the user USER-ST\User1 (**) or an administrator can unlock this computer” – ** stands for my brother’s Username (original account).
    5. In the Registry, in the corresponding entries, DefaultUserName has the 1st of the above names as its value and DefaultDomainName the 2nd one.
    6. I used Secunia PSI to apply all needed patches and then ran: Super Antispyware/ Free Edition (Full Scan), Malwarebytes' Anti-Malware/ Free Edition (Full Scan), Spybot S&D, Trojan Remover/ Trial, MRT (Full Scan), VundoFix, RootAlyzer, GMER - all latest versions & with updated DB (where applicable). They all came out clean. I also tried RUBotted for a couple of days, which also found nothing.
    7. I searched the Internet, but couldn’t find anything that applies to this issue (apparently no one had this problem or they knew how to fix it).
    8. Laptop (older Compaq model) runs Win XP SP3 (IE7) with all the latest patches and Kaspersky Internet Security 7 with updated DB and fully functional – my brother ran a full scan which also found nothing.
    9. I installed Windows Defender and SpywareBlaster, after installing Firefox 3.5.2 with some privacy/ security add-ons.

    A computer tech guy I know said that Windows sometimes does this sort of thing for no apparent reason – I find it hard to accept that as the answer.

    So, is this a virus/ malware related problem? I've read that some malware can hide itself from protection/ cleaning tools - could it be something like that? In any case, can it be fixed?
    I’ll have the Laptop only until this evening (time is GMT +3), but I could get it back over the weekend if the time frame’s too short. Anyway, any explanations/ advice on dealing with the issue will be highly appreciated. Thanks in advance for your time & help.
     
  2. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    If I read this right, your brother has access to an admin account, or one of them?

    type this into Start/Run: control userpasswords2

    That should give you control over the other user accounts.
     
  3. 06Dolphin_Spirit

    06Dolphin_Spirit Registered Member

    Joined:
    Sep 16, 2009
    Posts:
    17
    Thanks for the response.
    Yes, my brother has one of the admin accounts (the other one being the default one).

    I did what you suggested and it results in showing this User1 account (beside the default Admin), while my brother's original account name doesn't show up.
    In Properties/General Tab my brother's name is listed under "User1".
    Does this mean it's one and the same account?

    Now, what?
    Can I just rename the account? How will this affect the folders in Documents and Settings and the entries in registry?


    One more thing I just noticed (I don't know if it's important): The field "password of User1" in Properties/General Tab is grayed out, can't access it.
     
  4. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    If you click Administrator (should be first on user list) you can reset the default password - click Reset Password (it will simply ask for new password and not need old one) which should give you back control of the accounts.
     
  5. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    BTW, don't delete accounts; if, say, your brother's account was hijacked, for whatever reason, anything he created on that account will be lost. It's best to try and reclaim them from whatever has taken control.
     
  6. 06Dolphin_Spirit

    06Dolphin_Spirit Registered Member

    Joined:
    Sep 16, 2009
    Posts:
    17
    Hi & thanks again.
    I reset the password of the Administrator, logged off and tried to log in as Administrator. It's not working, I get a message saying that I can't log in as Administrator because of some restrictions of the account (doesn't say what, though).

    Any suggestions?
     
  7. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    That is strange. I would imagine this is something pretty complicated screwing your accounts (maybe malware).

    Hang around with this thread and maybe somebody can suggest something else. But I would think about recovering anything on the drive you want and then reformat. If you are locked out of your own computer ... best start again.

    Search through forum for file recovery tips. Me I use http://www.recuva.com/ on a boot disk. It allows greater access if you are locked out, like in this scenario.
     
  8. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    BTW, try logging into admin account in safe mode.
     
  9. 06Dolphin_Spirit

    06Dolphin_Spirit Registered Member

    Joined:
    Sep 16, 2009
    Posts:
    17
    Well, if you can only log in as a particular user, I'd say it's a little more than strange.
    If it is malware, why do all these tools not detect it? I've even run the online ESET scanner (nothing there either).

    Ok, latest update. I tried to access safe mode, but when I press F8 the machine makes a terrible bleeping noise and the screen stays black. Releasing the key, it goes on loading Windows.

    But I noticed something else: just before loading the 1st screen of Win (the black one with the logo & the progress bar), there's a message about Acronis Recovery Manager, accessible with one of the F keys.
    Should I try it?

    Thanks for your time.
     
  10. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    It depends on how old the Acronis images are. But yeah if you can get Acronis to work (and you have an image done before this hassle) it's probably going to be easiest.

    As they don't allow hijack logs to be posted on this forum, it's worth visiting bleepingcomputer.com, they can help with very deeply hidden malware. They will probably advise you to run combofix and post a log which should show anything hidden.

    Good guide here https://www.wilderssecurity.com/showpost.php?p=1533481&postcount=3
     
  11. 06Dolphin_Spirit

    06Dolphin_Spirit Registered Member

    Joined:
    Sep 16, 2009
    Posts:
    17
    Thanks so much for your time and help, will follow your advice for the other forum.
    If this thing results in anything interesting or of general use, I'll post back.

    Have a nice evening.
     
  12. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Yep, if you find anything, post back; it'd be interesting to know what it is - if anything is found.

    Good luck.
     
  13. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    First, Welcome to Wilders Security Forums.....

    In the Microsoft Windows Registry, make sure that the keyboard you want to use at the Microsoft Windows Log On Screen has the correct language value.

    In the Microsoft Windows Registry Navigate to:

    HKEY_USERS\.DEFAULT\Keyboard Layout\Preload\

    In the right pane look for: "ab (Default)" under the Name column. The value in the Data Column must be: "(value not set)"
    In the right pane look for: "ab1" under the Name Column. The value in the Data Column must match the language of the keyboard in use.

    If more than one "ab" exists under the Name Column set the Value of "ab1" in the Data Column to match the language of the keyboard.
    Note that "ab1" is the Default keyboard that will be used on the Microsoft Windows Log On Screen.

    To find the language of the keyboard navigate to:
    START/Control Panel/Regional and Language Options/Languages (Tab)/Details (Button)/Settings (Tab)/


    Valid values for the "ab1" Data Column Value:
    00000402 = "Bulgarian"
    0000041a = "Croatian"
    00000405 = "Czech"
    00000406 = "Danish"
    00000813 = "Dutch (Belgian)"
    00000413 = "Dutch (Standard)"
    00000409 = "English (American)"
    00000c09 = "English (Australian)"
    00000809 = "English (British)"
    00001009 = "English (Canadian)"
    00001809 = "English (Irish)"
    00001409 = "English (New Zealand)"
    0000040b = "Finnish"
    0000080c = "French (Belgian)"
    00000c0c = "French (Canadian)"
    0000040c = "French (Standard)"
    0000100c = "French (Swiss)"
    00000c07 = "German (Austrian)"
    00000407 = "German (Standard)"
    00000807 = "German (Swiss)"
    00000408 = "Greek"
    0000040d = "Hebrew"
    0000040e = "Hungarian"
    0000040f = "Icelandic"
    00000410 = "Italian (Standard)"
    00000810 = "Italian (Swiss)"
    00000414 = "Norwegian (Bokmal)"
    00000814 = "Norwegian (Nynorsk)"
    00000415 = "Polish"
    00000416 = "Portuguese (Brazil)"
    00000816 = "Portuguese (Portugal)"
    00000418 = "Romanian"
    00000419 = "Russian"
    0000041b = "Slovak"
    00000424 = "Slovenian"
    0000080a = "Spanish (Mexican)"
    00000c0a = "Spanish (Modern Sort)"
    0000040a = "Spanish (Traditional Sort)"
    0000041d = "Swedish"
    0000041f = "Turkish"

    This also applies to Microsoft Windows XP:
    http://support.microsoft.com/kb/138354


    HKEY1952
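As an added example (not code from this thread or any of its participants), the following Python script cross-checks, from an offline `reg export` file, the registry data the thread touches: the Winlogon DefaultUserName/DefaultDomainName from the first post, the ProfileList entry behind each "Documents and Settings" folder, and the logon-screen keyboard layout from HKEY1952's post. It assumes the .reg text format as `reg export` writes it (hex(2) for REG_EXPAND_SZ, long values wrapped with a trailing backslash), uses a constructed sample in place of a real export, and assumes that a `Name.SUFFIX` profile folder is the one Windows creates when the plain `Name` folder was already in use, so a suffix equal to DefaultDomainName points at a profile collision rather than a second account.

```python
import re
# Constructed sample: a trimmed `reg export` of the keys the thread touches. SIDs, the machine name USER-ST and the short C:\Docs path are made up; real exports wrap long hex values the same way.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="User1"
"DefaultDomainName"="USER-ST"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-11-22-33-1003]
"ProfileImagePath"=hex(2):43,00,3a,00,5c,00,44,00,6f,00,63,00,73,00,5c,00,55,00,\
  73,00,65,00,72,00,31,00,2e,00,55,00,53,00,45,00,52,00,2d,00,53,00,54,00,00,00
[HKEY_USERS\.DEFAULT\Keyboard Layout\Preload]
"1"="00000409"
'''
WINLOGON = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
PROFILES = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
PRELOAD = r'HKEY_USERS\.DEFAULT\Keyboard Layout\Preload'
KNOWN_LAYOUTS = {'00000409', '00000809', '00000407', '0000040c', '00000408', '00000410'}  # subset of the ids in the post above; extend from that table

def parse_reg(text):
    """Parse a .reg export into {key: {name: value}}; hex(2) (REG_EXPAND_SZ) is decoded to text."""
    text = re.sub(r',\\\r?\n\s*', ',', text)  # re-join hex values wrapped with a trailing backslash
    keys, cur = {}, None
    for line in text.splitlines():
        if line.startswith('['):
            cur = keys.setdefault(line.strip('[]'), {})
        elif cur is not None and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith('"'):          # REG_SZ: quoted, backslashes doubled
                cur[name] = raw[1:-1].replace('\\\\', '\\')
            elif raw.startswith('hex(2):'):  # REG_EXPAND_SZ: UTF-16LE bytes, NUL-terminated
                data = bytes(int(b, 16) for b in raw[7:].split(',') if b)
                cur[name] = data.decode('utf-16-le').rstrip('\x00')
    return keys

def audit(keys):
    """Cross-check the autologon name, profile folders and logon keyboard layout; return findings."""
    findings = []
    wl = keys.get(WINLOGON, {})
    default_user, domain = wl.get('DefaultUserName'), wl.get('DefaultDomainName')
    for key, vals in keys.items():
        if key.startswith(PROFILES + '\\') and 'ProfileImagePath' in vals:
            sid, folder = key.rsplit('\\', 1)[-1], vals['ProfileImagePath'].rsplit('\\', 1)[-1]
            base, _, suffix = folder.partition('.')
            if suffix:  # Windows appends .<domain or machine name> when the plain folder was already in use
                note = ('suffix matches DefaultDomainName' if suffix == domain else 'suffix unexplained',
                        'base is DefaultUserName' if base == default_user else 'base is not DefaultUserName')
                findings.append(('profile-collision', sid, folder) + note)
    layout = keys.get(PRELOAD, {}).get('1')
    if layout not in KNOWN_LAYOUTS:
        findings.append(('logon-keyboard', PRELOAD, layout, 'not a layout id from the post'))
    return findings
```

On the affected machine the same data comes from `reg export` of the three keys; a collision whose suffix matches DefaultDomainName is the benign profile-rename case, while anything else returned deserves a closer look.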
     