?
Solved

Different Windows login screen - normal or virus/keylogger?

Posted on 2014-11-21
7
Medium Priority
?
393 Views
Last Modified: 2014-12-07
I have a PC at work that has recently been infected with some malware. I've cleaned up the malware (well scans at least come up clean), but the login screen below seems to persist. I haven't seen this before. Is this a normal Windows login screen (and if so, how do I change it back), or is this related to some virus/malware issue?

login
0
Comment
Question by:ruhkus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 16

Expert Comment

by:Carol Chisholm
ID: 40458189
Not normal.
I would recommend a complete rebuild of the machine.
0
 
LVL 8

Assisted Solution

by:Sean Scissors
Sean Scissors earned 2000 total points
ID: 40458231
Before doing anything too drastic I would suggest trying to boot into safe mode. From there run the System File Checker to see if it can figure out what system file seemingly is infected. Let us know the results and we can go from there.

To run the System file checker go to "Run" and type cmd and then right click and "Run As Administrator". In the command prompt simply type "sfc /scannow" without the quotes.

My guess is that your system got infected with a keylogger so I wouldn't type my password in unless in safe mode. Also take note if in safe mode the login screen looks how it should or if it looks the same as the infected screen. My thoughts are it will look normal and some virus/keylogger won't run in safe mode.
0
 

Expert Comment

by:aznetworks_net
ID: 40458337
I agree with the other experts. Also, I suggest to remove the system from the network immediately (if not already done) before continuing with any further troubleshooting.
0
Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

 
LVL 92

Expert Comment

by:nobus
ID: 40459070
since this is a leftover, try running these - if you want to try to clean it up :
http://www.malwarebytes.org/mbam.php                         MBAM
http://majorgeeks.com/RogueKiller_d6983.html                  Roguekiller

but i agree a fresh install is the ONLY sure way to have a clean system
0
 
LVL 70

Expert Comment

by:Merete
ID: 40459082
I'd like to point out that your machine is at work>>I have a PC at work
Check with your systems administrators if any of them have performed any services on your machine. Possibly the account was created by them since you are at work
0
 

Accepted Solution

by:
ruhkus earned 0 total points
ID: 40476236
So it turns out that it's actually not malicious, but related to HP security software that came pre-installed on the machine. A link on another site showed instructions on how to remove the settings in the HP software, and it booted up normally once that change was made.
0
 

Author Closing Comment

by:ruhkus
ID: 40485319
While the solution was not related to malicious software, Sean Scissors provided good information that I had not previously tried (sfc)
0

Featured Post

Need protection from advanced malware attacks?

Look no further than WatchGuard's Total Security Suite, providing defense in depth against today's most headlining attacks like Petya 2.0 and WannaCry. Keep your organization out of the news with protection from known and unknown threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Curious about the latest ransomware attack? Check out our timeline of events surrounding the spread of this new virus along with tips on how to mitigate the damage.
Let's recap what we learned from yesterday's Skyport Systems webinar.
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question