
Possible Hack and User Account

Discussion in 'Security and Privacy' started by flynempire, 2010/05/17.

  1. 2010/05/17
    flynempire

    flynempire Well-Known Member Thread Starter

    Joined:
    2009/10/21
    Messages:
    90
    Likes Received:
    1
    Hello, I don't know if this is the correct section to post this but I will anyways.

    A customer of mine seems to have been hacked from what I could tell but scans with Avira AntiVir latest Version, Malware Bytes Latest and Threat Fire latest come up clean.

    The reason I say hack is that his user account was locked out. An account called Support was the only thing showing up on the welcome screen. I tried to get in with the Administrator account and that had a password added and that never did have one.

    What fixed everything was a Linux boot CD which loads a text based option menu and I was able to restore his account again with Admin Privileges and I disabled Support. So, does this sound like a hack?

    He would never do this to himself and he says no one uses the machine but him. No virus, spyware or Rootkits found.

    I must mention one last thing. I took the Support account and renamed it to test. I also gave it a password. It is still disabled. I try to delete it though and get an error message that the account name is not a member of the local group.

    I really want to delete this. Does anyone have a method of doing this? The machine is still working well for now.


    Mike
     
  2. 2010/05/18
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    Mike, you don't say what operating system this is but I found this on the MS website. I hope it's helpful

    Mitch
     


  4. 2010/05/18
    flynempire

    flynempire Well-Known Member Thread Starter

    Joined:
    2009/10/21
    Messages:
    90
    Likes Received:
    1
    Sorry should have mentioned that. He is on XP Pro SP-3
     
  5. 2010/05/18
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    No, it does not.
     
    Arie,
  6. 2010/05/19
    flynempire

    flynempire Well-Known Member Thread Starter

    Joined:
    2009/10/21
    Messages:
    90
    Likes Received:
    1
    The same thing occurred today. His user account is disabled and on the welcome screen it shows an account called support and you need a password to log on. I feel he has a rootkit. Right now I have the disc out of the machine and I am scanning with 3 different Anti-Rootkit programs.

    This is not normal, that is for sure. I have to use a special Linux cd which allows me to enable his account and set him to admin again outside of Windows. Once I am in, I cannot delete this Support account. It says error not part of local group.
     
  7. 2010/05/19
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    This is far beyond my allowable expertise. Since the system has SP3 the link I provided above probably doesn't apply. Hopefully someone with the necessary qualifications will jump in here or you can try posting in the Malware and Virus Removal forum
     
  8. 2010/05/19
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
  9. 2010/05/21
    flynempire

    flynempire Well-Known Member Thread Starter

    Joined:
    2009/10/21
    Messages:
    90
    Likes Received:
    1
    The problem is still going but it is not the login screen anymore. I have shut down and started up the machine 10 times today and I always get to the login screen with his user account.

    The problem now is the antivirus programs I put in are having their guards disabled and then the update module is corrupt. This happened with Avira and MSE. Something hidden is breaking these programs unfortunately.

    So let me ask you this. I want to wipe out the partitions, format the disk and install everything again. I will back up everything first.

    Anyhow if a Virus or Rootkit embedded itself deep in the system or file system and if I wipe the partitions and format will the virus be gone for good?

    That is all I want to know. This is the first time I have come across this problem before. I have dealt with all manners of Virus, etc. This is new and has stumped me. A Google search did not produce any results for 'User Account Named Support'


    Mike
     
  10. 2010/05/21
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    I think you should do as Arie suggests. My concern is if whatever is causing your problem is hidden in a file you back up you would be in a pickle. I am sure a Nuke and Pave would take care of the problem. But why not let the Malware Experts give it a whirl.

    Mitch
     
  11. 2010/05/21
    flynempire

    flynempire Well-Known Member Thread Starter

    Joined:
    2009/10/21
    Messages:
    90
    Likes Received:
    1
    The problem is I have done scans with 2 different anti-virus, 4 anti-spyware and several anti-rootkits and they all show clean.

    So posting the logs would do no good. What is Nuke and Pave?
     
  12. 2010/05/21
    flynempire

    flynempire Well-Known Member Thread Starter

    Joined:
    2009/10/21
    Messages:
    90
    Likes Received:
    1
    OK I know what it means now. Did not understand the Lingo :)
     
  13. 2010/05/22
    MitchellCooley Lifetime Subscription

    MitchellCooley Inactive

    Joined:
    2006/12/02
    Messages:
    1,090
    Likes Received:
    20
    My fault, I should have been clearer. Despite what the "logs" show, the Analysts may see something in the logs requested at the top of the malware forum.
     
  14. 2010/07/17
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi flynempire
    Every day Rootkits are getting harder and harder to detect. Every day they find ways to hide from RootKit scanners.
    Scanners are always one step behind the RootKit inventors.
    Only a "trained malware specialist" will be able to find and remove the RootKit.

    Geri
     
  15. 2010/07/17
    DugE

    DugE Well-Known Member

    Joined:
    2002/09/10
    Messages:
    726
    Likes Received:
    3
    Flynempire, if you haven't already, go to the malware section. Those guys know what they are doing and exactly what to look for.
     
