  #11 (permalink)  
Old 04-15-2009, 07:18 AM
Junior Member
 

Join Date: Apr 2009
Posts: 13
zlatan is on a distinguished road (10)
Quote:
Originally Posted by patndoris
Sounds more and more like a malware problem. I'd like to do a couple things really quickly before moving on.

1. Can you please open AVG and tell me the last time the definitions updated, and the date of the last scan.
2. Also, please look in the AVG history, in the virus vault, and delete anything that might be in there.
3. Please look in your Start/Programs and verify Malwarebytes does show as an installed program (even if it won't run.)

Don't try to run anything just yet. Just let me know what you find.

Edit: I'm glad you got SAS to load and update. It's a long scan but remove anything it finds. Then reboot your system and see if you are able to login to WLM. I'd also suggest verifying that AVG has been updating and running.

Unfortunately I don't have time to perform a Full Scan and I chose to perform a Custom scan, and the results are the following





Regarding AVG



As you say boss, the virus vault is emptied

Malwarebytes is regularly installed, and is shown when I choose Start-All Programs, and is also located in Program Files and with a desktop icon, but wherever it is located on the PC, the exe files of this program are not useful.
  #12 (permalink)  
Old 04-15-2009, 07:42 AM
Junior Member
 

Join Date: Apr 2009
Posts: 13
zlatan is on a distinguished road (10)
It seems that this rootkit which is stopping these programs from running is removed and now I can open Malwarebytes. Just to see if there is anything dangerous I ran a Quick Scan in Malwarebytes and the results are the following



Something interesting. At the same time while Malwarebytes was doing the scan, AVG also sounded an alert. It found this



While I was posting this I got a warning from Malwarebytes that the selected items were successfully quarantined and deleted, and I also emptied the Virus vault in AVG with the virus mentioned above.

I will restart PC soon and we will see what will happen.
  #13 (permalink)  
Old 04-15-2009, 08:45 AM
Staff Member

Join Date: Nov 2006
Location: Maryland
Posts: 1,883
patndoris has left a lasting impression (500)
I'm currently doing malware removal training and as they've not released me into the wild to help people on my own yet, I'm afraid I can't do any in-depth assistance with regard to specifics found on your system. I can, however, help you run the initial cleanup tools, and point you in the right direction to make sure the bad stuff is removed.

First, after ensuring the definitions are updated, please run another Quick Scan with Malwarebytes to ensure nothing is found after a reboot. Some malware will reappear and try to reinfect your machine. (If it happens let me know.)

Then, run ATF Cleaner. This is just an executable that will clean every imaginable cache and temp file you've got. (Be sure you know your online passwords as saved passwords may be cleared out in some cases.) It is normal after running this that the first few reboots will be slower than normal.

I can see from your screenshot that AVG was not scanning daily. That may have been due to the malware on your machine, but it would be good to ensure that you have daily scans set up to run to better protect your machine.

After rescanning, I might suggest you take the additional step of running a Hijack This log and posting it in the forums at What the Tech to have it reviewed and make sure there is nothing else lingering on your machine. If you do, I'd also suggest posting copies of the SAS and MBAM logfiles so they can see what has already been removed. If the machine is running well at this point - then this is completely up to you but if it were me I would let them take a look at it. There are some infections that even after cleaning can present additional concerns and they would be able to give you guidance on anything you may need to know as well as for additional security measures to help protect your machine in the future.

Whew! All that said - if your machine seems free of malware and seems to be performing better, go ahead and give WLM another try and let me know if your sign in data is now being remembered. I'll be anxiously waiting to hear if it seems to be fixed now!! *crosses fingers*

-Doris-
Microsoft MVP 2009 - Windows Live Messenger

  #14 (permalink)  
Old 04-16-2009, 05:25 PM
Junior Member
 

Join Date: Apr 2009
Posts: 13
zlatan is on a distinguished road (10)
Man this is getting boring and annoying.

I restarted the PC, and chose Full scan with both SUPERAntiSpyware and Malwarebytes, and they found NOTHING!

Malwarebytes' Anti-Malware 1.36
Database version: 1989
Windows 5.1.2600 Service Pack 3
16.4.2009 22:44:23
mbam-log-2009-04-16 (22-44-23).txt
Scan type: Full Scan (C:\|)
Objects scanned: 127306
Time elapsed: 59 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
Generated 04/16/2009 at 09:42 PM
Application Version : 4.26.1000
Core Rules Database Version : 3846
Trace Rules Database Version: 1801
Scan type : Complete Scan
Total Scan Time : 00:28:16
Memory items scanned : 431
Memory threats detected : 0
Registry items scanned : 5660
Registry threats detected : 0
File items scanned : 16397
File threats detected : 0


But I must say, this is very strange: during the scan with SAS, AVG sounds an alert and warns me about virus Win32/Cryptor, but SAS alone found nothing. On precisesecurity.com I found this info:

Win32/Cryptor is a trojan/virus that can download and install additional malware on to the computer. Computers can acquire Win32/Cryptor by visiting malicious websites or downloading and installing software with embedded trojan.
Aliases:
-
Risk Level: Low
File Size: Varies
Affected System: Windows

(yeah right, as if I didn't know this already)



I must admit, it seems pretty strange that many, many people on the net recommend Malwarebytes for removing this parasite but Malwarebytes can't even find it.

I reinstalled WLM to the previous version but the problem is not solved, and this issue with losing password and username remains.

As I see it now I have only one option, to try this program (A..something cleaner) in safe mode which should delete all temp files, but this part with losing remembered passwords concerns me.

Regarding this virus I googled a little bit and I am amazed which problems this bugger causes, from denying internet connections to shutting down Windows; thank God nothing of the mentioned happened in my case.

I want you to know that I'm very very grateful for your help, although sincerely I still can't see results of your help.
  #15 (permalink)  
Old 04-16-2009, 06:05 PM
Staff Member

Join Date: Nov 2006
Location: Maryland
Posts: 1,883
patndoris has left a lasting impression (500)
Some infections can be very difficult to remove. From what I've been able to find Win32/Cryptor seems to be a problem for many people in the recent weeks, many are being notified by AVG and it can require a bit of effort to get removed appropriately. It appears from many descriptions this infection regenerates itself.

I cannot guarantee removing it will fix your WLM problem, but obviously it can cause problems of many different kinds so it is certainly suspect as a possible cause. It's also a trojan that you definitely don't want on your machine or you risk other security software not being able to function (as well as the other problems it can cause) which will put your system at further risk.

I'm afraid I'm unable to offer detailed advice on removal of this threat, or I jeopardize my continued training in malware removal. I can only give you my strongest recommendation that you post a HijackThis logfile along with the information as you've provided here (from MBAM, AVG and SAS) to either the What The Tech or GeeksToGo forums. Either one can offer you the highest level of assistance on how to remove the problem appropriately.

Unfortunately, as long as we know there is malware on your machine, it's unlikely we'll be able to pinpoint and/or resolve the WLM problem. The malware can affect so many things we can't know if it is the cause or not until it's gone. I appreciate your patience. As for ATF Cleaner, I understand the concerns and I'd hold off until someone can give you more detailed advice on cleaning off Cryptor. ATF is NOT anti-virus or malware removal software and it's not going to remove the root problem.

It's quite possible after cleaning your WLM will come right. If not, we'll attack the problem from a different angle. Please let me know how it goes removing Cryptor. If I can be of any help in the mean time please let me know.

-Doris-
  #16 (permalink)  
Old 04-16-2009, 09:14 PM
WLM Guy

Join Date: Jun 2006
Location: Penang, Malaysia
Posts: 1,701
Philip has much to be proud of (1000)
Have you tried using online scanners? Eset (makers of NOD32) has one, and so does Trend Micro. When performing an online scan, it's advisable to disable your AVG temporarily. Good luck.

Visit my Blog: www.philipyeoh.com/blog
Visit my Website: www.philipyeoh.com
  #17 (permalink)  
Old 04-17-2009, 04:57 PM
Junior Member
 

Join Date: Apr 2009
Posts: 13
zlatan is on a distinguished road (10)
ESET scanner found nothing and Trend Micro scanner is Out of Service


Service Unavailable - Fail to connect
Service Unavailable

The server is temporarily unable to service your request. Please try again later. Reference #6.1c33287c.1240001598.8c0404c

thanks for advice
  #18 (permalink)  
Old 04-18-2009, 01:08 PM
Junior Member
 

Join Date: Apr 2009
Posts: 13
zlatan is on a distinguished road (10)
It seems that this problem is somehow solved and is related to User Accounts in Windows XP (at least I think that)

I've made a new profile, ran WLM, entered my information, then chose sign out and restarted the machine. Next time when I ran WLM the password and username were already there and it wasn't necessary to enter them again.

I suppose that the next step would be to copy some data from this new account to the usual old one, but which data and from where I don't want to think


Seeing how you guys are willing to help I would like to hear if there is any antivirus that shows not only the name of the virus and the path to infected files during a scan but also its location in the system registry, if there is any ( HKEY_LOCAL_MACHINE...), as I could see this is not the case in AVG free 8.0, which I currently use.

I had some problems with viruses (better say malware) before and for me deleting it from the registry was the most reliable and simplest solution.
  #19 (permalink)  
Old 04-18-2009, 05:16 PM
Staff Member

Join Date: Nov 2006
Location: Maryland
Posts: 1,883
patndoris has left a lasting impression (500)
You could have some kind of corruption or issue with the original user account and WLM, that is true. Since you seem to have solved the immediate problem then I guess that's good to go.

As for AV - all I've ever used is AVG free so I can't offer up any opinions on other anti-virus options.

-Doris-
  #20 (permalink)  
Old 05-09-2009, 11:32 PM
Junior Member
 

Join Date: May 2009
Posts: 6
customkramer is on a distinguished road (10)
Insane WLM

I have tried everything I could think of, including associating my email addy with .Net in user accounts. I have heard you can create a new account but I am not going to do that just to get around a serious bug in WLM! That's crazy! Microsoft should address this issue since I have seen A LOT of people are having this same problem! I use Yahoo Mess as well and NO problems whatsoever.
All times are GMT -5.