"Other User" Virus?

Started by Adam444, August 11, 2012, 08:21:40 PM


Adam444

The mother-in-law has a Dell Inspiron 530s running Vista (32 bit).  I get a call yesterday that AVG has popped a message about a "threat detected".  Before I get over there to look things over, she's got a new problem.

Any attempt to boot goes to an "other user" login screen.  Go into advanced start-up options and safe mode, repair, and last known good all go to the same "other user" login.  She doesn't have any discs and I can't get into the Dell recovery partition either (which, based on my reading, seems to indicate a farkled MBR).

Any suggestions besides ordering recovery discs from Dell?  I'm thinking about connecting the drive to another machine and scanning it.  At least I should be able to get any files off of it.

zep516

Hi Adam444,

I'm looking for a solution but not having much luck.

I have never seen anyone recover from the "other user" login screen issue. Have you Googled it? Just to see: other user login screen vista

You could save or get your data this way too.
http://www.geekstogo.com/forum/topic/274691-use-puppy-linux-live-cd-to-recover-your-data/

Let's see what others have to offer too.

Joe
You're only as safe as your last update.

Adam444

Oh, I've Googled and Googled and Googled.  There doesn't seem to be much of a consensus as to how to fix it.

I'm curious (for my own knowledge) if it is an actual virus or a corruption of the O/S caused by a virus (remember she did have an AVG alert prior to this happening).  Or just random bad luck!

I don't have a copy of Vista so she's going to have to get a disc from Dell.  She's not going to be too happy about that.  She loves her computer!

Thanks!


zep516

I think it could be either one, corruption of the main user account, or a misguided virus. Do you have any idea what AVG saw on the alert and what AVG was able to do with it? I'm thinking not.

You could also consider downloading Malwarebytes from a good computer to a flash / thumb drive, insert that into the bad computer and see what happens. http://www.malwarebytes.org/products/malwarebytes_free/

Here's something else to consider too.
http://www.avg.com/us-en/226386

Corrine

Hi, Adam444.

I suggest you start by downloading Windows Defender Offline and run it on your mother-in-law's computer.  It does not matter if your computer is 32-bit or 64-bit; however, you will need to select the correct version for her computer.

Please scan your computer with Windows Defender Offline.  The download and FAQs are available here: What is Windows Defender Offline?  In addition, I have a tutorial at Setting Up the Microsoft Standalone System Sweeper Beta, Now Windows Defender Offline.

Please note what Windows Defender Offline finds and removes in your next reply along with the requested logs in Log Posting Instructions.

Note:  If unsuccessful with Windows Defender Offline, try Kaspersky Rescue Disk 10.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

What happens if you try to perform a Clean Boot:  http://support.microsoft.com/kb/929135

If no joy, I'd run System File Check (SFC) scans and check if it helps:  http://support.microsoft.com/kb/310747

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Adam444

I can't get into Windows, so from what I'm reading neither a clean boot nor SFC would be an option.

Adam444

Corrine,

Interesting, I couldn't burn a Windows Defender disc.  I tried whatever the first option was and then an .iso; neither would boot.  The AVG and Kaspersky discs work fine.

I did get Windows Defender on a flash drive and that works.  So we'll start there and see what happens.

Thanks!

Adam444

Ran Windows Defender from a flash drive and it found 17 threats.  A few Java exploits, Sirefef trojan, and Kuluoz trojan.  I saw a reference to a UPS package email so I'm thinking this might have started with a fake email that delivered the trojan.

Just to be extra safe, I'm going to run the AVG and Kaspersky scans as well.

Thanks!

Corrine

After you run the other scans, Adam444, please post the requested logs so we can see where things stand.



Adam444

Now Kaspersky is coming up with rootkit pihar.c (and still scanning).  How do both Microsoft and AVG miss that?

From a little bit of reading on the subject pihar seems difficult to remove.  Why me.  :shock:

Corrine

Detection is only as good as definitions and definitions depend on submissions and internal testing by the vendor.  Vendors also have different names so what one vendor calls something may actually be the same thing named differently by another vendor.

Please note that it may not be possible to safely recover your mother-in-law's computer.  Also, trojans like Kuluoz are back doors that steal information.  As described by Microsoft, Kuluoz, for example, looks for files used by the browsers Firefox and Opera that may contain user names and passwords. It also looks for document files and spreadsheets, which it packs into an archive file. It sends the browser files and the archive file to a remote server.  If the machine is recovered, it will be imperative that passwords for any online banking, credit card or similar be changed.



Adam444

Fortunately my MIL doesn't use the computer for ANY kind of financial/banking/bill paying so we're in luck there.  I don't think she's ever bought anything online.  I will have her change passwords for her email, etc.

Right now I'm running a second Kaspersky scan, and nothing has turned up.  Maybe I'll try Microsoft again just to double check.  I'm just curious if I will be able to get back into Windows.  If not, I'll back up whatever data files seem appropriate and then try to get into the recovery partition.

Thanks!

Adam444

To give everyone an update, I found the original Dell recovery disk.  Managed to do a "repair" and got into safe mode but not the regular Windows desktop, which just caused the computer to reboot.  Tried a few recovery set points as well but no dice.

I finally gave up and did a clean install of Windows.  Now I'm downloading 107 updates.  Which, at some point, will be followed by SP1, presumably more updates, SP2 and more updates.  At this point in time I really, really dislike Windows.  :(

And the MIL has a relatively slow DSL connection.  :cry:

Corrine

Thanks for letting us know, Adam444. 

