My log in for XP has mysteriously changed. Need some advice.

Computer illiterate person here. I'll try to explain this to the best of my abilities.

I'm running Win XP home version. When I turn on my computer, normally I see my name and the icon I've chosen and I log in by clicking on it.
No one but me uses this computer. All of a sudden, a second icon is showing up, with a name and the ADMIN title next to it. If I try clicking on it, it asks for a password. I've never set a password on this computer because I'm the only one in the house who knows how to turn it on, let alone use it.

Anyone have any idea of why this has happened all of a sudden? I need to know if I should be worrying. Well, I am already. I don't like it when strange things happen on the computer. :scared: Any and all help/suggestions will be most appreciated.

It's my understanding the registry would need to be tweaked to show the administrator account on the Welcome screen.

I doubt any human intruder would have done this, computer hackers are not that social, so that just leaves it up to some kind of nefarious software running on your computer. So the best thing to do is a full disk can for viruses, IMO.

Will make it three and see what turns up. YIKES!

Thank you for the reply! :)

Any other suggestions? Anyone? HELP! LOL?

I'm running the latest version of Norton Anti-Virus software. I'm happy with it. So don't want to change it.

BUT, what else can I get that will find what Norton can't?

I cleaned up everything, deleted old stuff, ran a Norton update, ran another scan, rebooted and the darned ADMIN icon is still there, asking for my password!

One thing. I was on Photobucket.com and NewspaperArchive.com Tuesday night. My computer was being bombarded by 'Trojan.adclicker' the whole time I was on those two sites. I use NewspaperArchive a lot and that has never happened before. But I haven't been on Photobucket in ages. So I'm wondering if something happened then. ??? Remember, computer illiterate.

Checked the history on Norton. It says that yesterday afternoon, atsxyzd.sys made 74 modifications to my computer.
Says that yesterday evening, otaxyzd.sys made 31 modifications to my computer. I have no clue what any of this means.
Norton says they were detected, the risk is low, and no action is required. ????

May I repeat...HELP! LOL.

if it let that trojan on my system. Are you sure you are happy with norton? Well if you are i can't help. Sorry.

I think I wrote that the trojan was trying to get in. Norton blocked it every time. :)

yet Norton successfully blocked it? I am not familiar with that level of protection. How does it work?

I have software you don't approve of. So you are rude to me? I'll respond to the other posters.

Thanks.

For finding nasties on an infected machine. Not my estimation, but that of a lot of organizations that run exhaustive tests on such things. On top of that, Nortom uses about 25% of your computer's performance just idling, doing nothing. It really is a big performance hit, especially on relatively low-performance machines.

I would suggest you google "Norton Removal Tool", download it and get it out of there. No shit. The Norton of today is not the Norton of the past. Symantec has really screwed it up.

There is plenty of Free alternatives out there, albeit not a suite, that do a far better job of protecting your machine. AVG Free, Avast, AVG Anti-Spyware, Spybot Search & Destroy, SpywareBlaster, Super AntiSpyware, and others. I redcommend all of them far more than I recommend anything named "Norton". There is also a program called "PeerGuardian" I highly recommend. For firewalls, there are a number of free alternatives. I do not recommend Zone Alarm. They seem to have screwed that one up rather badly.

while I still have Norton on here? I ask because I want to be able to get comfortable with any new software before taking out Norton.
I'm not kidding, this stuff scares me when I have to 'play' around with the computer, whether it be hardware or software. I'm just not comfortable doing this stuff. I'm always so afraid that I'm going to hit one wrong button and POOF, there goes the whole system.
(Actually did that the first time I had a computer, way back in 1995. Found a teenager who fixed it for me. LOL.)

I SO appreciate your reply and all of your suggestions. Please let me know what you think about adding some of the software you recommended, but keeping Norton till my learning curve is sufficient.

Antivirus programs do not play well with each other. Spyware programs , no problem but AV you can really only have one. And Norton sucks big time.

And now I know where to start. But don't be surprised to see me back in here, asking more questions. LOL!

on DU with a computer. This group has given me great advice, including how to remove Norton. The Norton thing was easy...really. Installing AVG is easy too. Print this thread so you'll have all the info and go for it!

I bet I win! ;)

I DO trust the gang in here. They have given me good advice in the past. I'm taking notes right now, so I'll do things in the correct order. :)

(and I'll qualify this first by saying I'm sort of naive about how the account settings work...)

After some Windows updates, I also noticed a new Admin account, for the (I think) .net something or other. I'm not clear on the details but at some point I needed to install (?) asp.net - and I'm thinking somehow that's when that happend???

I really should spend some time understanding accounts/permissions etc (and good concise links anyone?)

You'd literally have to come over to my house to help me to be able to do what you wrote about! LOL. I am THAT dumb when it comes to computers.

But I DO appreciate the reply! I learn every time I come into this forum. Even if I am afraid to DO anything. ;)

Don't you use the "Windows Update" feature to make sure you get all the security updates? That's what I was talking about (mostly).

Installing the asp.net thing I think happened when I needed to sign up my son's Xbox Live account (I think! Just don't remember what/when it happened). You know how, when you try to do something on a website and you get a prompt like "You need to have Flash installed for this feature" (or Java, or asp.net, or whatever). That's all.

But maybe this is a good time for you to learn some basics? If you're interested and have the time -- this corner of DU is incredibly helpful for that purpose.

being the cause of the changed log in screen. Definitely .net and .asp, as I had a changed log in a while back caused by installation.

I wouldn't be too quick to call trojan or malware. More likely to be a change caused by a windows update.

Remembering I don't know what the heck I'm doing. ;)

just before I turn off my computer whenever there are updates.

The last time I remember getting any updates was over two weeks ago. And this thing just happened a day ago. But what you are saying makes sense.
(Even to me and I don't know what I'm talking about! LOL.)

I do come in here and read, even when I don't have problems. I need to take some computer classes. That would really help. But right now, I'm the 24/7 caregiver for my parents, aged 88 and 90. So not much chance of having free time to go to school right now.

I do know someone locally who might be able to lend me a hand to see how to fix this problem. I wouldn't know where to start. :scared:
Sure hope I don't need to change anything on here. It's going to ask me for a password and I don't have one. But IT doesn't have one because I never gave it one. So ?????? lol? :crazy:

what happens if you try to log onto the admin account and just don't enter anything for the password? If it's a benign account, and you didn't create it, and you don't ever remember assigning a password, then the password is most likely blank, which means you should be able to log into it. I'll have to recheck the OP to see if you tried that already...

I'm trying to remember if I went past clicking on the icon when it asked for the password. LOL. I was so shocked to see the darned thing there to being with!

Will be back shortly to add to this and let you know what it does.

I do know for sure that I NEVER set up a password for it. Like I said earlier, I'm the only one who 'sort of' ;) knows how to use a computer in my house, and no one else is ever here, so there was no need for a password. Ok, will be back in a bit! :)

Good, made it back in time to edit.

Alright, it won't let me in. I click on the icon, it asks for a password and refuses to let me in. I just keeps asking for a password.
Now THAT is NOT nice! LOL?

There are several sites I Googled with instructions on how to turn/off Administrator on the Welcome Screen.

Here is one of them:
http://howto.redcomputer.net/windows/administrator_account.php

It still seems likely some nefarious software turned it on. I'm not sure, it's just a guess. Perhaps Norton did not consider the problem serious enough to detect. So you can just turn the Administrator account off on the Welcome screen and life will be back to normal.

BTW, I assumed you meant the 'Administrator' account was showing up, not the 'Admin' account. If it were an account called Admin then that would be different. An account called ADMIN would need to be manually created by someone -- I think -- unless Home Edition is different.

This is what I see -

IUSER_Admin

And below that is my normal icon and my name - which was the ONLY thing I ever saw until a few days ago.

So, based on that, now what? Same advice that you wrote, or different?

I DO appreciate the help. You have NO idea. :) :) :)

It looks like there are quite a few posts on the topic:
http://www.google.com/search?q=IUSER_Admin

This one seems to have the best answer:
http://answers.yahoo.com/question/index?qid=20080902164014AAlvQ6X

To follow these instructions, you will need to boot into Safe Mode.

Here is what someone else says:




These instructions contain something that is entire new to me, the part where MS apparently told someone to "hit start then run. in the box type control userpasswords2.. thats control then the space bar then userpasswords2."

I'm going to try this myself after posting this, just to see what "control userpasswords2" really does.

I underestimated the uniqueness of your problem. It's very interesting.

Entire post is here:

http://malwareremoval.com/forum/viewtopic.php?f=11&t=34408&sid=810eaf0e9cc3294299ced01e8868a137

After I read what you wrote, I started looking at a lot of the Google sites. And this is what I found and if this is true, I'm in big trouble.
If this is really what I have to do, I'll have to pay someone to do it. It's WAY over my head. And that means no computer for at least a week.
Sigh. Will wait for your reply. Thank you! And thank you for doing the searching. I REALLY appreciate it.
Dem



BACKDOOR TROJAN

Your computer has multiple infections, including a BACKDOOR TROJAN. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

* Disconnect the computer from the Internet and from any networked computers until it is cleaned.
* Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
* Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all youraccount numbers.
* From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).


Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, if you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Should you have any questions please feel free to ask.

Please let us know what you have decided to do in your next post.

I think this is more prevalent than what some people think these days.

The above advice sounds good.

It's up to you, you can delete the extra account and scan using another AV program to make sure nothing was left behind. Or, you can reformat and reinstall Windows.

Personally, I don't think it's a big deal to reformat the computer. If you don't have the Windows CD, a lot of PC's sold today let you reformat and reinstall without the CD. The OS installer is kept on a second 'recovery partition' that you can get into by hitting a certain function key on bootup, depending on the computer.

I think both Dell and Compaq have recovery partitions, and other brands may have it too. It will probably say when you boot up what key to press to access the recovery partition if you have one.

It's better to be safe. Just be sure to save your important files, put them on a CD if you have a CD writer. It's good to have a backup anyway. Then scan the CD for viruses before copying the files back.

I guess my only question is what brand of PC do you have, then maybe I can lookup whether it has a recovery partition. But if you have the Windows CD then that shouldn't matter, you can just use the CD. Just make sure you have the XP key too!!!

a local computer store. I have an external hard drive back-up and everything I couldn't stand to lose is on it.

I downloaded Spybot and it found a ton of stuff. But when I rebooted, IUSER_Admin is still there, driving me NUTS!

I'm going to have to take the computer to the store where I bought it and have them do all the things that were in the previous post. This is way over my head. AAAAARRRGGGGGGG.

I don't do any banking/paying bills online. I do purchase things online once in a while. I don't store any account info on my computer. I don't store my passwords on my computer. The only thing I've purchased online since this thing showed up on my computer was Spybot.

So I don't know how worried I need to be about the financial things/passwords, although I can easily go to another computer and change all of them.

What does scare me is using any credit card online while this thing is on my computer. If a site is 'secure,' can a hacker still get the info?
I don't know any of these things. I think my computer 'education' is about to be ramped up. lol? :scared:

That it is time to save what you can in the way of documents and settings, reformat and reinstall the operating system. There is a point of diminishing returns to recovering from massive malware infections, and my gut tells me you are beyond that point by leaps and bounds. With all that you have on there, I think that you initially got a "downloader" trojan, which once it installs itself, then reaches out and invites a whole metric shitload of other nasties into your machine and installs them. There is no telling what is on there and what it is doing when you aren't watching it, because a lot of these will, after your computer is on, online but inactive for a while, start sending personal information to servers in China and Russia, sending out spam, sending nasty programs to other infected computers and generally pissing in the potted palms of the InterT00bZ.

Take it to a shop and tell them you want settings and documents rescued, where possible, a format and a reinstall. Also, you want Norton the hell out of there and a real Virus killer, like AVG commercial version or Avast commercial version on there. In your case, AVG would be the best for you. It costs for the commercial version, but it is effective and simple to use.

Then come back here, let us know this has been done, and we will tell you what to do to make things even more secure.

One more thing: If you are using Internet Explorer and Outlook/Outlook Express, that must cease. They are both near-criminally insecure. Use Firefox as your browser and Thunderbird as your POP3/IMAP email client. You can still, if you must, use the IE rendering engine through Firefox, with a Firefox extension called "IETab". But you will not need to use it a lot.

Seriously.

In the time it took me to type that, I could have her docs and settings backed up, the install disk in her CDROM and the machine rebooting for a format & reinstall. I could have the machine back to her in 2-3 days, better, faster and more secure than she has ever had it. I could, for a small investment, have her setup with a REAL backup scheme that would COMPLETELY preclude her ever having these problems go this way again.

When I get done with a computer, my people never, ever have a recurrence of serious infections. Ever. They never lose things, either. I have it all down to a science, and I do it with approx. 90% free programs. I can do it with 100% free programs, too. Plus the get a computer that, with a few simple moves, stays in top performing condition. Hell, many of those folks even get me logging in remotely to service their machines, when they need it. And I fix their problems, every stinking time.

I also fix the horrendous abortions of others in the computer service industry, all the time. The staggering amount of incompetence and and stupidity born of greed that goes out on new computers is a sin and should be a crime. I fix THAT all the time as well. In fact, much of what I do is fix the mistakes of others, that and educate users.

Case in point: Today, I ran into an old, dear and much-loved friend. She has a new business: she makes women's toiletries from the milk of the Nubian Dwarf Goats she raises herself. This is class stuff she makes. Very good, crying out for the high end of the market. She does not have an e-commerce site. The last she had...well, those guys should be in jail for how they ripped her off for thousands, then fucked it up, then tried to steal her domain names. They are still out there, doing business under a new name. She is gun-shy to a fault. I can set her up with Dreamhost, for her servers, for $7.95/month on a 3-yr contract, and build her a Joomla/Virtuemart e-commerce presence for thousands less. And it will rock out with its cock out, too. But she has been traumatised and it is gonna take some time for her to regain her trust in the process and ANYONE who does this web stuff. All because some pricks just have no personal integrity whatsoever, and sold her, for thousands, an e-commerce solution based upon a roll-it-yourself templating engine. And that doesn't even account for what they charged her for SEO and didn't come close to delivering.

In the meantime, after all this, I still don't have a job, save teaching a little Joomla class, and cannot find one. I can't even get an interview. Yet I still find myself fixing the manifold fuckups of others who make a great yearly salary with benefits and can afford three meals a day.

You know, I really do understand why, occasionally, some poor, beleaguered soul at the end of his rope grabs the family fowling piece and goes out and starts shooting everyone and everything that crosses his path. Not that I am anywhere near that point, mind you. But I do DEEPLY understand the motivation.

And then, I think: "God. I really HATE this fucking piece-of-shit country."

fixing this computer. I'm series!!111!

Ohdearlord, do I hear you.

Since we're sharing stories ... well, we are *now* anyway. :)

When I worked at Cox, there were eleven others who worked in my office. In time, all eleven of them either had me work on their computers or build them a new one. Without exception, they asked me to do it because some "professional" had either fucked up their machine or tried to sell them a bill of goods they were thankfully intelligent enough to know was bogus. As one example, the first guy who asked me to look at his machine (he'd been listening to me talk to another co-worker about building my daughter a machine for Christmas) had first gone to the Geek Squad and gotten an estimate. Their "estimate" was based on a new machine entirely. I looked at it and was able to salvage most of his parts, reducing his cost from around a thousand dollars to about two hundred. His experience is what got others in the office wanting me to help them.

So, I did. And I enjoyed it, because that's what I like doing, but I couldn't have made a living off it.

The reason for that is that few really value service. Even these people, these people who had had salespeople galore try to convince them their problems couldn't be fixed without investing in something "new" didn't put a true value on service. They would always ask me, "How much do the parts cost?" and when I'd answer honestly, that's what they'd give me, plus twenty bucks or a home-cooked meal perhaps. I realized their version of saving money simply meant they thought they could use my labor and avoid the Geek Squad. They didn't understand that the Geek Squad was lying to them, trying to sell them something.

So, I've never gone into it for a living. I've flirted with it. I asked for advice about it not too long ago, but I've never gone there. I make my living doing other things, things I generally don't like doing, but which at least pay me enough so I can pay rent and buy food. My real talents with technology aren't valued. If I'm not a salesman (and I'm not), I have no place.

That's the primary reason I left Cox too. I'm not a salesman. I did my job damn well, but the powers that be changed my job so that selling (selling shit people didn't need or want) was a requirement, the primary requirement.

and will follow what you said to the exact letter.

I only use Firefox. So I did one thing right. lol? (can you hear me whimpering?) I don't use Outlook Express. I'm using AOL's free version of email right now as I just left dial-up and got high speed last month. (I live where there was nothing BUT dial-up until a few months ago.) So I'll change that too. I will need help finding this "Thunderbird" email. I've never even heard of it and don't know what POP3/IMAP means.

One thing just rang a bell. When you wrote about "downloader" just now. Norton found and removed??? a "downloader" on the 4th. It SAYS it removed it. When I ran Spybot today, it showed 'downloader' too. Spybot now says I have 196 items quarantined. But I don't know what is safe to remove.

I do believe I'm in the middle of a big, old mess. (Sort of like McCain.) Only mine will be a lot easier to fix. (One way or another!)

Right now, I'm not going to worry about the money involved in getting this fixed. So if that isn't a problem, would the commercial version of AVG be better? Or will the free version be enough?

And once the computer is up and running again, I'll be back in here to find out what more all of you suggest so that this won't happen again.
AAAAARRRGGGGGGGG!

The computer shop isn't open till Monday. So tomorrow I'll be going to another computer and will change all of my passwords.

One big question now before I log out and shut this poor baby down. Could someone tell me how to find/set up this Thunderbird email account? If I can do that from another computer, I can work on that in the meantime as well. At least I could be doing something while the shop is working on the computer. And I can still come in here and post in the meantime too. Thank goodness.

I'll check back here one more time before I shut everything down and see if this post has a reply.

And I THANK everyone from the bottom of my heart for helping me.

Dem

Same developers.

Maybe TS (above) can do a remote fix for you? I'd trust him so much more than just about anybody else (I mean, of people not on DU - there's plenty of people here I trust!).

Now I have to go check out my other computer that had the other admin log in thing, now I'm scared, lol

ps: i'm in No. Cal but still not close enough to come over and help, lol

Just change your passwords after all this is resolved. Personal info gets stolen all the time. Banks have fraud protection if it were to escalate to that. Balances should be checked regularly anyway, to make sure there is no funny business.

Although any of us could remote into your PC and try to clean it up, you should have received a Windows XP CD or some way of reinstalling the OS. So the best thing is to take it in to the seller.

I wish I knew how, and after this, I'm determined to learn. You are all going to be SO sick of me. I'm going to be in here asking questions all the time. LOL.

As long as I don't use MY computer, it should be OK to change my passwords from another computer, yes?
Or should I just wait until I get mine back from the shop? I was getting ready to do that right now.

I called my bank last night and they are setting up a new account. And I did an online purchase for my Mom about a week ago, so we called that credit card company and they are doing the same.

I still haven't been able to reach the three credit reporting agencies. I went through a nightmare last night with their phone 'services.' They should all be shot for putting people through hell on the phone.
You cannot reach a 'live' person at all. I couldn't do a thing over the phone. Kept telling me to go to their web sites. Yeah, my computer has been hacked, that is why I'm trying to reach them by PHONE!
Yep, they should be shot. Point blank range. ;)

Alright, will wait for replies and will see what else I can do on here in the meantime.

Thanks for your help. MOST appreciated!!! :)

I am on another computer as I write this. Mine is shut down. Unplugged. Unable to reach the Internets.
Oh, I hate this. AAARRRGGG. :mad:

I sure hope your computer didn't get hit as well. We can all just consider me the idiot who knew nothing, got hit hard, and shared, so everyone else gets to prepare so it doesn't happen to them. lol?

No. Cal. Aw, come on. Move south. I need the help! ;)
(Nah, I wouldn't wish So. Cal on anyone. I'd much rather be in No. Cal myself. I was at one time. Dumb me, I moved back down here!)

Speaking of dumb, another question. After what you wrote, I checked Thunderbird. So now I know what it is and where to get it. Thank you, by the way! So now I need to get a new email account. A lot of folks I know use gmail and they seem happy with it. Would that be a good way to go, or ????

I'll check back later and see if there are any replies about email accounts.

Ok, I'm off to change all my passwords. That should only take a few hours.
(Trying to call the 'big three' credit reporting companies should be a job for people who are in jail for murder. I thought Dell customer service was bad. hahaha.)

This is SO much fun! :sarcasm:

(living in so cal I mean, lol!) no, kidding, I mean about changing passwords and contacting everybody, UGH and then some!

I used to live down there, why do you think I'm up here? :D So much coooooooler.

OK email - do you use an email account from your ISP? If so, you can use that with Thunderbird. You'll have to check (or start a thread here, I'm sure someone will know) whether you can get gmail using Thunderbird - there may be a plug in (?)

I still haven't checked my other puter, although I'll be shocked if it has anything cuz I've recently run all the scans on it, included a very deep rootkit scan - I think mine is a valid case where some windows update did something. But I'll be checking as soon as I hook it up again.

One of these years, I'll get myself back up north. (Fingers crossed.) ;)

When I got my new ISP, I didn't want to change my email addresses, so I just kept the free AOL email.
(Now, don't everyone pile up on me for that one at the same time. I have to breathe at the bottom of this pile! LOL.) I can have the broadband company swing by and set up their email program for me. They have to do it at the house, no big deal.

My concern is that I don't want to have to change email addresses a third time and my living situation could change and then I'd be switching ISP's and on and on and on. So if I can use Gmail or something like that, it would be better for me.
So if anyone knows, please post a reply here. I'll get to a computer every day this week, one way or another, so I can check in and see what everyone has to say. :)

If it's best to go with the email of my ISP, I'll do it. I just want to do what is safest so this doesn't happen again. :)

Administrator is an ID that is normally disabled when you create your own account. It exists,but typically will not show without a registry change.

if you want it to disappear again, click start->run and type Regedit

traverse down to find the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Click on Administrator and change the value from a 1 to a 0.

It's a downloader that caused the registry changes. I had a ton of them when I ran Spybot. Computer is infected, so even if I get rid of IUSER_Admin, the computer is still sick. I've read all over the Internets that people have been hit with this and every time they fix the admin account, it comes right back. It's part of the spyware. It's a pain in the ^%$#@! LOL?

But hey, I'm learning a lot. Very quickly, I might add. ;)

What I'm thinking is that the amount of time (and $$ they'll charge you) is probably more than it would cost to just buy a new hard drive and do a fresh install of everything.

Are they planning to clean or just wipe the drive and reinstall everything?

How old is the drive? It's not a bad idea to replace hard drives periodically anyway.

Since you're west coast, I'd be willing to try to talk you through some of this via phone, if you want to learn how to do some things. If so, PM me.