virus: vista admin password...

maxxxman

New Member
A virus seems to have taken control of my administrator account password on this computer. I can still access the 'guest' account on this machine but obviously I cannot run any new software on it or access any of the material saved under the administrator account... and I need some of that material.

Every time I attempt to log on to my administrator account (yes... I am using the correct password, fonts etc.) it tells me that the password is incorrect.

I noticed I may have had this virus yesterday when I attempted to delete some software I had downloaded (it would not let me download it). I backed up some files (but could not make a password reset disk) and ran a full system check using AVAST and McAfee. Neither noted any threats on my system, however, after turning off the computer and trying to log on again, I am unable to log on as an administrator.

Can anyone talk me through the specifics of using safe mode which may help? Obviously, as I'm on the guest account, as mentioned above I cannot download and run any new software and, as I no longer have administrator privileges on this machine, I cannot change or remove the password using the control panel options.

Has anyone else suffered this virus? How did you fix it?? Thanks.
 

My Computer

System One

  • Manufacturer/Model
    DELL inspiron 1525
    CPU
    INtel core 2 duo
    Memory
    2 gb
Hello,

I am willing to help you with this. The first thing to do is remove the password so we can remove this (virus??). If you can access Safe Mode, click Start and click on Control Panel. Under Classic View, double click on User Accounts. Then remove the password for your account. If you cannot do this, or cannot access Safe Mode, I will help you to reset your password in a much more complex manner.

Also, download and run two small, free programs if you can access Safe Mode.

Malwarebytes Anti-Malware. Probably the best program for removing viruses without any clever knowledge, but offers no prevention, so do not use instead of anti-virus, but as well as. Malwarebytes. Run a full scan.

HiJackThis. Run a scan generating a log file, and then save and upload the log file here. HiJackThis makes no distinction between good and bad, so do NOTHING before we tell you. HijackThis - Trend Micro USA

Also, if this is a virus, removal could be complex. If you are not comfortable, follow these instructions and consult a friend. DO NOT do anything by yourself in terms of the virus removal except run scans. DO remove anything found on Malwarebytes and your normal Anti-virus, just do not do anything with HiJackThis until instructed and in particular, DO NOT run Combo Fix.

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics Card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300)
    Western Digital: WDC WD6400AAKS-75A7B0

    1 x 1Tb (SATA 600)
    Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms
    Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Keyboard
    Dell Bluetooth
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
Hi Richard:

I cannot change or remove any passwords or alter user accounts via the control panel in safe mode. That requires administrator password - and the problem is that it does not accept the password.

Also, I have tried to download the malware software. I can download it but cannot run it - again, that requires administrator password... and that is not being accepted.... the same is true for any other software which I am required to download and run.

Any other ideas?
 

Any other ideas?
I thought this would be a problem and not work, but I do have some other ideas!

Hi maxxxman,

HACKING IS ILLEGAL AND WRONG! IF THIS IS NOT YOUR COMPUTER, DO NOT FOLLOW THESE INSTRUCTIONS! Go to: Offline NT Password & Registry Editor and click “Bootdisk” at the top. Scroll down to about half-way to the download page. Download the latest CD release and extract the zip file.

Install the HP tool included with this post, start it, and select a blank memory stick. Make sure ALL data is backed up, as the memory stick will be wiped. Select FAT and type a Volume name if you wish.

Once you have formatted your memory stick, copy everything from the zip file onto it, boot into it (you may have to change your BIOS settings) and then follow the instructions in the walkthrough provided by the site. I have included a copy of this walkthrough as a Word document. I have also listed a summary of which buttons to press. Follow these instructions exactly. This will work from NT to Windows 7, and so some options do not apply to Vista, and you will do much damage in running them.

Here is the summary (and included at the bottom of the document) :

· Enter
· Select Windows partition using numbers then enter
· Enter
· 1 then enter
· 1 then enter again
· Enter account name then enter
· 1 then enter
· ! then enter
· q then enter
· y then enter
· n then enter

I would recommend following the walkthrough, and only using the summary to check you have not missed a step. I would recommend printing off the walkthrough, though you could have it on another computer screen.

If you still have problems, just post back. This will completely remove the Admin (or whatever account you select) password, so if it works go back into Normal Mode, Safe Mode will not help and is just annoying. Then follow my previous instructions on Malwarebytes and HiJackThis.

Richard

P.S: Sorry, on a work computer so cannot upload the .exe file, but here is a link to one I uploaded for a previous case: www.vistax64.com/attachments/general-discussion/18659d1268250885-unlock-password-hp-bootable-media.exe

Right click on it and "Save as" or "Save Target as", but if that is not working, here is another thread to download it from. Very sorry about this, and follow my updated instructions here, NOT the old instructions at this other thread: www.vistax64.com/general-discussion/272308-forgot-admin-password.html
 

Attachments

  • Offline NT Password.doc
    59 KB · Views: 140
"PS: Sorry, on a work computer so cannot upload the .exe file, but here is a link to one I uploaded for a previous case: http://http://www.vistax64.com/attac...able-media.exe

Right click on it and "Save as" or "Save Target as", but if that is not working, here is another thread to download it from. Very sorry about this, and follow my updated instructions here, NOT the old instructions at this other thread: http://http://www.vistax64.com/gener...-password.html "

Hi Richard....
Neither of the above links are working to provide me with the HP tool. The rest sounds like it might work, but without that tool...
 

Sorry, I was not clear. Just left click on the second link to get to another thread and download the attachment normally. It is not completely required, you can format your Memory stick to FAT with the other options as default in Windows and it will still work. Sorry again,

Richard

EDIT: There was an error, but now both links should be fixed. Sorry about that. You can also now left click on both links, Save as is NOT required.
 
Hi,

The above links were just faulty because of the address: http://http://
In either case I cannot run the software (requires admin password). Am currently formatting the usb stick using windows default as FAT and will be attempting the reboot when I get time.

For some reason I COULD download and run Hijackthis on the guest account, so with any luck the Hijackthis logfile will be attached to this message. Perhaps you can find something informative in it... Hope to hear from you and thanks for everything so far.

(have pasted logfile below... if not attached)

Trend Micro HijackThis v2.0.4
Scan saved at 11:51:04, on 23/04/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Logitech\SetPoint\LU\LULnchr.exe
C:\Program Files\Logitech\SetPoint\LU\LogitechUpdate.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\Users\Mariya\Documents\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Startup: Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1c9acac2acf3200) (gupdate1c9acac2acf3200) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 13140 bytes
 

Attachments

  • hijackthisguest1.txt
    12.8 KB · Views: 104

Hello,

As you have worked out, it was because of the http:\\http:\\ This is because in Firefox (my normal browser), when adding a link, the http:\\ is already in the text box, so when I paste in a link, this is replaced, not resulting in a problem. However, when in Internet Explorer (as at work today), the drop down http:\\ is auto added, and so I did not need to add the http:\\ at the front of the link as in Firefox, else select other from the drop down. Anyway, good luck with the formatting.

Your HiJackThis log shows nothing absolutely horrendous, but one small bit of malware that you should remove, called the AskBar. It is not too bad, and if you want it, then fine, but I would never have it on my computer, it is slightly dodgy.

I know you may not be able to follow this because you do not have Admin privileges at the moment. This can wait, and has not caused your problem. If you want to remove it, then navigate to: %program_files%\AskBar\ and run unins000.exe. Then rerun HiJackThis without generating a log file and if any of the following entries are still remaining, check the box next to them and click Fix Checked. Be very careful to get the correct check boxes.

Code:
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll

O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe

O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
Restart your computer. For full manual uninstall instruction for this program (not required, just for interest) see here. Note, do not install the anti-spyware program, it is just another piece of junk, but the manual removal instructions are good. AntiSpyware - Remove AskBar

If you want to keep this, then by all means do, however there are two more things to do in HiJackThis. Run a new scan without generating a log file and check the following entry and click Fix Checked.

Code:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
This is not a virus, just an empty link, so it is just old junk that should be removed. Now please re-run HiJackThis generating a log file and upload it here. Good luck with the password reset, and after this is done, run a full scan with Malwarebytes Anti-Malware.

Richard
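The triage Richard does by hand on the log above (spot browser objects registered with no file on disk, spot everything living under the AskBar toolbar directory, and note services with no recorded publisher) can be scripted. The following is an added example, not code from the thread or from HijackThis; the watchlist of unwanted directories and the sample log lines are constructed for the example, though the lines copy the shape of the HijackThis 2.0.4 entries posted above.

```python
import re
from dataclasses import dataclass

# Directory markers the thread identifies as a bundled toolbar to remove.
# This watchlist is an assumption for the example; extend it for your own machines.
UNWANTED_PATH_MARKERS = ("\\askbardis\\",)

# A HijackThis entry line: section tag (O2, O3, O23, R1 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Constructed sample in the shape of the log posted above (header, process list
# and trailer included so the parser has something to skip).
SAMPLE_LOG = r"""
Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
--
End of file - 1234 bytes
"""


@dataclass
class HjtEntry:
    section: str   # "O2", "O3", "O23", ...
    kind: str      # "BHO", "Toolbar", "Service", or "" when the body has no "kind:" prefix
    name: str      # first " - " separated field after the kind
    fields: list   # remaining fields: CLSID / owner / path, in log order
    raw: str

    @property
    def path(self) -> str:
        # HijackThis puts the on-disk location (or "(no file)") last.
        return self.fields[-1] if self.fields else ""


@dataclass
class Finding:
    severity: str  # "remove" or "review"
    reason: str
    entry: HjtEntry


def parse_hjt_log(text: str) -> list:
    """Return the entry lines of a HijackThis log; header, process list and trailer are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        kind, sep, rest = body.partition(": ")
        if not sep:
            # R0/R1 registry lines have no "kind:" prefix; keep the whole body as the name.
            kind, rest = "", body
        parts = rest.split(" - ")
        entries.append(HjtEntry(m.group("section"), kind, parts[0], parts[1:], line))
    return entries


def analyse(entries: list) -> list:
    """Apply the three checks from the thread and return findings in log order."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if e.section in ("O2", "O3") and e.path == "(no file)":
            findings.append(Finding("remove", "browser object registered but its file is gone", e))
        elif any(marker in low for marker in UNWANTED_PATH_MARKERS):
            findings.append(Finding("remove", "file lives under a known unwanted-toolbar directory", e))
        elif e.section == "O23" and e.fields and e.fields[0] == "Unknown owner":
            # Legitimate vendors (Dell, Sony Ericsson) also show up here, so only flag for review.
            findings.append(Finding("review", "service has no publisher recorded; confirm it is expected", e))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_hjt_log(SAMPLE_LOG)):
        print(f"[{f.severity}] {f.reason}\n    {f.entry.raw}")
```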
 

I have tried, as you suggested, using hijackThis to fix the checked box for this empty file.

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

I have attempted twice, restarting the computer, but the file will not be deleted (I have not copied the logfile here... but I can do if you think it will help). I think I need to run HijackThis as an administrator in order to successfully delete this file.

A warning notice also appears when I run HijackThis saying

'For some reason your system denied access to the Hosts file. If any hijacked domains are in this file HijackThis may NOT be able to fix this.'

This is probably because I am running it on the guest account.

This post is just to keep you updated. I will attempt the rebooting idea when able - I am just wary of horrible things happening to the machine and not being able to enter either the admin OR guest accounts if something goes wrong...

Regards
M
 

Hello,

Thanks for the update. You should try to run HiJackThis as an Administrator, but if that entry still reappears, just ignore it, some entries do that.

Richard
 

Another update: Trying to boot from the usb stick to sort out the password problem, all I get is a 'No bootable partition in table' message. As far as I can tell, I have extracted and copied all the boot files to the usb stick. I cannot burn the same files to a cd to make a boot cd, as I have no cd iso burner on the guest account and cannot install one (requires admin password). Any idea what I am doing wrong?
 

You can try to use a boot scanner to scan for viruses.

Use the avg rescue cd: AVG Rescue CD Cleans Your Infected Windows PC - Anti-Virus - Lifehacker

It is basically a disc that you boot into which you can scan your hard drive without running any windows programs.

Download the ISO, then burn it to a cd, then make sure you are connected to the internet through an ethernet wire, then put the cd in and restart your computer (if the cd doesn't boot, change your BIOS boot order).

If prompted to update, update from the internet (which is why I recommended to connect through an ethernet wire).
 

My Computer

System One

  • Manufacturer/Model
    Hp pavillion a6110n
    CPU
    amd athlon 64 x2 live! 4400+
    Memory
    4 gigs 3.3 useable
    Graphics Card(s)
    Finally! SAPPHIRE 100283L Radeon HD 5770 (Juniper XT) 1GB 12
    Monitor(s) Displays
    generic pnp monitor
    Screen Resolution
    1280x1024
    Hard Drives
    7.2k rpm
    1 linux ubuntu partition
    1 vista partition
    1recovery partition
    1 windows 7 partition
    1linux swap partition
    PSU
    500W, antc earthwatts EA500
    Case
    normal black case
    Cooling
    fans
    Keyboard
    saitek cyborg gaming keyboard
    Mouse
    logitech mouse (small to fit hand perfectly)
    Internet Speed
    dsl
    Other Info
    2.3 ghz amd

My Computer

System One

  • Manufacturer/Model
    home brews
    Motherboard
    pc1 msi k7delta, pc2 asus kn79txd evo
    Memory
    pc1 2gb crucial, pc2 4gb gskill ripjaws
    Graphics Card(s)
    pc1 bfg 7800gs, pc2 shapphire 5770 vapor-x
    Sound Card
    onboard
    PSU
    corsair hx
    Case
    jeantech phong
    Cooling
    pc1, handmade waterblocks,passive cooling, pc2 corsair h50
    Mouse
    logictech mx510s wired

Update:
With your help - thanks so much all who posted on the forum - I have successfully overcome the problem: a win32/cryptor virus that had 'control' of the admin account password on this machine.

The process: (thanks to Theog): I used a friend's computer to create the required CDs as the guest account (or maybe my computer) was having trouble accessing USBs to make them bootable....

Having burned Ophcrack, AVG Rescue CD and then Offline NT password and Registry Account Editor onto CDs...

Thanks to Katokato: I booted from the AVG Rescue CD. It found win32/cryptor and isolated it. I ran Ophcrack but that could not crack the password. I ran it twice but it came up with 'not found' for the password.

Huge thanks to Niemiro who originally posted to assist me: Ophcrack having failed, I followed your instructions (now that I could boot off the NT CD rather than USB stick) and disabled the admin password. From there I could enter the account, install and run hijackthis and I am currently running malwarebytes.

It's good to have everything back again! :)
 

Thank you very much for reporting back, and I am really glad it is all working now :)
 

On my Vista laptop, when I try to log into my accounts, a message comes up which reads: The Group Policy Client Service failed the logon.
Access is denied. How can I get around this? I am the owner and legitimate buyer of this computer from a reputable company.
 

My Computer

System One

  • Manufacturer/Model
    VGN-N325E
    Other Info
    Laptop
Did you mess around with the Registry? If you did, then recover from the backup. If not, then try a System Restore.

Hope this helps,
Josh
 

My Computer

System One

  • Manufacturer/Model
    Custom Built
    CPU
    Intel Core i5 2400 @ 3.10GHz
    Motherboard
    Foxconn H67MP-S/-V/H67MP
    Memory
    8.0GB DDR3 @ 665MHz (2GBx4)
    Graphics Card(s)
    AMD HD Radeon 6870
    Sound Card
    Realtek High Definition Audio
    Monitor(s) Displays
    SMB1930NW (1440x900@60Hz)
    Screen Resolution
    1280x800
    Hard Drives
    977GB Seagate ST31000524AS ATA Device (SATA) + 250GB WD iSCSI attached Drive
    Case
    Novatech Night
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Dell HID-compliant mouse