Scott Thompson
Other User After Computer Hacked

Hello all!

This is one that I can't wrap my head around.  A client brought in a computer that is having the Other User issue.  Backstory on it, she was having trouble on the computer, and instead of calling us, she clicked on a link.  Then clicked on another, and so forth, until she had a guy connected to her computer.  Now, she can't log into the computer.

It is running Windows 10.  The computer boots up normally, and comes up to a screen to enter username and password with Other User displayed at the top.  It also has at the bottom listed that if I wish to switch DOMAIN, to type in the domain first, or to log into the PC locally.  So, I figured that the hacker just changed her to be setup to a domain.  This is not the case.

I can boot the system to Safe Mode with Command Prompt and it loads in.  From there I have verified that the computer is on WORKGROUP, and that the user "PCS Customer" is an Administrator with no password.  I have even tried adding a password to the account, but when I boot normally, I cannot login.

After about 1 minute on the logon screen, the computer will reboot itself.  I have also tried changing utilman.exe to cmd.exe and accessing net user on the logon screen, but it comes back with error code 1722, The RPC Server is unavailable.  If I try to start the service, it says it is already started.

What can I do from here?
ASKER CERTIFIED SOLUTION
Russ Suter
Scott Thompson
Hello,

Thank you for the suggestions.  I do know that reloading, or wipe and reload is an option, but I always avoid that IF possible.  I did find a couple of things in the RunOnce and Run registry.  I would upload them, but my Flash Drive died...  one was related to RSTRUI.exe (System Restore).  The other two used cmd.exe for some process with OneDrive.

I'm uploading a picture that shows the main logon screen.  You will see the internet is disabled and the power button is not functioning correctly.

User generated image
Oh, note.  Typing in the password and hitting enter has no effect, as if it just ignores you.
"I do know that reloading, or wipe and reload is an option, but I always avoid that IF possible." - everybody knows and everybody tries, sure. But not many succeed in the end.
If you feel expert enough to judge and clean it, fine. If not: it is hardly possible to transmit that expertise in a forum thread.
Russ Suter

I tend to go the other direction. The bottom line is that since you don't know exactly what was done you have no way of being certain your cleaning efforts will be 100% successful. Starting from a clean OS install is the only guarantee that your system is not compromised.
But that is not the other direction, but the same :) There are very few people that are able to say with confidence "I cleaned it", that was my point and that's why I also discourage him from trying.
Yeah, I don't know why people fall for the scams so often, especially good customers of ours that call us when they have an issue.  We tell them if someone is going to take over their computer, or you get a warning message on the screen and don't know what to do, just call us.  But of course, it's only AFTER it's to this point.

What suggestions should I take from here?  Oh, I tried to take it back 5 days, and that failed also.
The scammers are masquerading as "Authoritative support" representatives of the product with which users have issues and often pop up first in the search.
...
I too prefer to fix the issue rather than reinstall, but under these circumstances and it sounds you've already spent quite some time on the issue.
Depending on the complexity and time, you have to decide how much time you want to allocate to the repair going in, after which reinstall...... Depending on where your install media is and the installation destination (HDD or SSD) a reinstall could take an hour or .....

Sounds like the winlogon might have been messed with, msgina.dll ..........
Going through browser history could help trace back what links were clicked, but do you need that information to fix the system?
Should I attempt to replace winlogon.exe with an older version in the winsxs folder?  I don't know what the msgina.dll file is...
msgina.dll is/was the logon interface i.e. when username/password are s...

it might be shgina.dll on windows 7
......
but the logon process is messed up, the winlogon.exe is likely not it,

Presumably, you are trying your fixes with that system off the network.
you could try HKLM\software\microsoft\windows NT\currentversion\winlogon\
and set the default username/password with autoadmin logon\...

With the situation at hand, you will never know whether there is a time "crap" planted on the system i.e. keylogger set to be installed at some time in the future, etc. that would compromise the user's information making.......

While I am as curious as the next person to try and figure out what was done ..
I too would copy the data from the old system, advise the user to update all her password/security question to something else with ..... especially if they were stored on the system in a file........
and would reinstall the OS and copy data files after scanning.

If you have a similar system, use a separate drive, or virtualize this system and load it within hyper-v to .......
Have done this type before, but it will allow the user to have a system more secure in the knowledge that there are no remnants of .....
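The Winlogon suggestion above is the kind of thing that is safer to check with the drive slaved to a clean machine than from the suspect system's own Safe Mode. The script below is an added example and not code from this thread or from any of the participants: it loads the offline SOFTWARE hive, compares the Winlogon Shell/Userinit values against the stock Windows 10 defaults, reports the auto-logon values, lists the registered credential providers (the Windows 10 replacement for the msgina.dll-era GINA), and dumps the Run/RunOnce entries the asker mentioned. The mount letter E:, the temporary hive name OFFSOFT and the tool paths are assumptions, not values from the thread.

```powershell
# Added example, not code from this thread: read the Winlogon, Run/RunOnce and
# credential-provider settings of an OFFLINE Windows 10 installation whose drive
# has been attached to a clean machine, and flag departures from the defaults.
# Assumptions (not from the thread): the suspect drive is mounted as E:, this
# runs from an elevated PowerShell, and the hive is E:\Windows\System32\config\SOFTWARE.
$OfflineRoot = 'E:\Windows'
$HiveFile    = Join-Path $OfflineRoot 'System32\config\SOFTWARE'
$MountName   = 'OFFSOFT'   # temporary key name for the loaded hive

reg.exe load "HKLM\$MountName" $HiveFile | Out-Null
try {
    $base = "HKLM:\$MountName"
    $wl   = Get-ItemProperty -LiteralPath "$base\Microsoft\Windows NT\CurrentVersion\Winlogon"

    # Stock Windows 10 values. The trailing comma in Userinit is part of the default.
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = 'C:\Windows\system32\userinit.exe,'
    }
    foreach ($name in $expected.Keys) {
        $actual = [string]$wl.$name
        if ($actual -ne $expected[$name]) {
            Write-Warning ("Winlogon\{0} is '{1}', expected '{2}'" -f $name, $actual, $expected[$name])
        } else {
            Write-Host "Winlogon\$name OK"
        }
    }

    # Auto-logon values (the ones the suggestion above would set). A DefaultPassword
    # is stored in clear text in the hive, so its presence is itself a finding.
    foreach ($name in 'AutoAdminLogon', 'DefaultDomainName', 'DefaultUserName', 'DefaultPassword') {
        if ($null -ne $wl.$name) { Write-Host ("Winlogon\{0} = '{1}'" -f $name, $wl.$name) }
    }
    # GinaDLL (the msgina.dll mechanism) is not honored by Windows 10; its mere presence is odd.
    if ($null -ne $wl.GinaDLL) { Write-Warning "Winlogon\GinaDLL present: $($wl.GinaDLL)" }

    # Credential providers replaced GINA: map each registered CLSID to the DLL it loads.
    $cpKey = "$base\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"
    Get-ChildItem -LiteralPath $cpKey | ForEach-Object {
        $clsid = $_.PSChildName
        $srv   = Get-ItemProperty -LiteralPath "$base\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ CLSID = $clsid; Name = $_.GetValue(''); Dll = $srv.'(default)' }
    } | Format-Table -AutoSize

    # Run/RunOnce in both views of the hive, where the RSTRUI/cmd.exe entries were seen.
    foreach ($sub in 'Microsoft\Windows\CurrentVersion\Run',
                     'Microsoft\Windows\CurrentVersion\RunOnce',
                     'Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
                     'Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = Get-Item -LiteralPath "$base\$sub" -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($v in $key.GetValueNames()) {
                Write-Host ("{0}\{1} = {2}" -f $sub, $v, $key.GetValue($v))
            }
        }
    }
}
finally {
    # The registry provider keeps handles open; collect before unloading or the unload fails.
    [gc]::Collect()
    reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Any credential provider whose DLL is not under the offline Windows directory, and any Shell or Userinit value other than the defaults, is worth explaining before the machine is trusted again; the same keys are also where a clean reinstall or Reset will put the defaults back.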
No luck yet.  I've pulled the drive and am scanning with Avast.  I did change in the winlogon the Default Domain to blank and the DefaultUserName to PCS Customer
Scott, it seems you don't know where to look for an infection. We would do this offline, anyway.
Boot another system from USB (windows 2 Go for example) and use autoruns.exe (a free diagnostic tool from Microsoft) to read the autostarts of that system that is now offline. That is a way to look at it that would truly work.
But I bet, if you see what autoruns reports (huge amounts of entries), you will soon realize it's over your head. And then you'll realize that a clean installation is the better way.
And for the next time, set up image backups. You can rollback to that clean image in less than an hour, problem solved.
I booted into Safe Mode with Command Prompt and ran autoruns.  I'm uploading the TXT file.  It looks a little messy.  There are a couple things in Yellow, but off hand I don't see anything too bad.  There is a file not found on the LSA Providers.  Livessp.  Perhaps someone sees something I don't.
NancyAutoruns.txt
No, don't boot into safe mode. Boot another system and let autoruns judge that installation when it's not running, so slave its drive to it or better, boot windows2Go from USB and run autoruns there. Autoruns has a function to judge offline system drives.
Let me know if you understood that.
PS: and save in the autoruns format, not as text.
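The offline Autoruns procedure described in the two posts above can also be scripted with the command-line build, Autorunsc, so that the "huge amounts of entries" are reduced to the ones a person should read. The script below is an added example and not code from this thread: it runs Autorunsc against the slaved drive, keeps the full CSV export for the record, and then prints only the entries that are enabled but unverified or point at a missing file (the "file not found" case the asker noticed under LSA Providers), plus everything living in the logon-related locations regardless of signature. The tool path, the mount letter E:, the profile path and the CSV column names are assumptions made here, not values from the thread.

```powershell
# Added example, not code from this thread: run Sysinternals Autorunsc against an
# OFFLINE installation (drive slaved to a clean machine) and reduce its output to
# the entries a human should actually look at. Assumptions (not from the thread):
# autorunsc64.exe is at C:\Tools\autorunsc64.exe, the suspect drive is mounted as E:,
# the affected profile is E:\Users\PCS Customer, and the column names below are
# those of Autorunsc's CSV header as understood here.
$Autorunsc  = 'C:\Tools\autorunsc64.exe'
$OffWindows = 'E:\Windows'
$OffProfile = 'E:\Users\PCS Customer'
$CsvOut     = Join-Path $env:TEMP 'autoruns-offline.csv'

# -a * : every category   -c : CSV   -h : file hashes   -s : verify signatures
# -z   : offline system root, followed by the user profile to scan
# No -v (VirusTotal lookups): the analysis machine is deliberately kept off the network.
$raw = & $Autorunsc -accepteula -nobanner -a '*' -c -h -s -z $OffWindows $OffProfile 2>$null
$raw | Set-Content -Path $CsvOut -Encoding UTF8     # keep the complete export
$entries = $raw | Where-Object { $_ -match ',' } | ConvertFrom-Csv

# Enabled entries that Autorunsc could not verify, or whose image no longer exists.
$suspect = $entries | Where-Object {
    $_.Enabled -eq 'enabled' -and (
        $_.Signer -notlike '(Verified)*' -or
        $_.'Image Path' -like '*File not found*'
    )
}

# Locations that decide what runs at logon are reported even when signed.
$logonPaths = 'Winlogon', 'Lsa', 'Credential Providers', 'Image File Execution Options'
$logonLayer = $entries | Where-Object {
    $loc = $_.'Entry Location'
    $logonPaths | Where-Object { $loc -like "*$_*" }
}

Write-Host "=== Enabled, unverified or missing image ($($suspect.Count)) ==="
$suspect | Select-Object 'Entry Location', Entry, Signer, 'Image Path' | Format-Table -AutoSize -Wrap

Write-Host "=== Logon-path entries ($($logonLayer.Count)) ==="
$logonLayer | Select-Object 'Entry Location', Entry, Signer, 'Image Path' | Format-Table -AutoSize -Wrap

Write-Host "Full export saved to $CsvOut"
```

The saved export is also what makes the GUI's File > Compare useful: running the same command on a known-good Windows 10 machine and diffing the two lists turns "is this entry normal?" into a mechanical check, and the hash columns let a missing-signature entry be looked up later from a machine that is allowed on the network.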
Okay, will do.
Ran Autoruns offline.  Uploading file.  By the way, here is a picture of the system booted normally.

User generated image
Also worth mentioning, even if I try to abort the shutdown, it will not let me.  Error 1115 if I remember right.
NancyAutoruns.zip
How much time and effort have you spent fixing this problem vs. how much you would have spent backing up data and reformatting the drive?

I'm not trying to be a smart ass here, I am genuinely interested in your progress. Was it worth the effort? I've been through these kind of exercises before and found that sometimes even if it took more time than a clean slate approach would have the extra time was worth it for the knowledge gained.
It's alright, Russ.  I tend to not give up because it helps me in future problems that I get in.  I don't know how many times it has ended up being worthwhile to learn how to fix the issue versus reloading, and the time and effort I save to future customers because of the learned knowledge.  That being said, I have also backed up their data.  I'm hoping to not have to reload it, but it seems like I might be reaching that point soon.  Any other suggestions people have?  It is just weird.  If I could even figure out a way to prevent the system from auto shutting down, maybe I could go from there.
For me the real challenge you're facing is that these changes were effected by a human. At least with malware there is a predictable, repeatable pattern that you can backtrack and (sometimes) reverse. With a person poking around in there who knows what they did?

As an extension of that... what methods do you have to ensure that even though the system appears to be fixed that there still isn't some sort of back door lurking around in there? I just wouldn't trust that PC ever again.
I looked at the logfile and I am surprised I cannot find anything suspicious. Of course there could be entries that only pretend to be microsoft files but aren't, but that is rather unlikely.
Did you do an offline virus scan by now?
Update; I ran sfc /scannow offline on another computer.  No integrity violations were found.  Still a mystery as to why it's having issues...
Even though wipe and reload may be the best solution, and would probably be what I would recommend to other people, for this system I did a Reset your PC.  I booted off a Windows 10 USB and reset the PC, since the option was not available directly from the hard drive.  Her files are still there and the system is up and running again!  I do not see any trace of foul play and feel the system will be usable again, though I will let the customer know if they have any lingering troubles to let me know right away.  Thank you for your help!
Reset is as good, it leaves no components active.