Please check my logs after recovery from iuser_admin account & malware.

Private CF · Sep 13, 2008

I followed all instructions included in "Read & Run First" and "XP Removal Procedures". I also removed the malicious account "IUSER_admin" and it hasn't returned. My machine appears to be clean so far; however since this one seemed to be nasty, especially with the backdoor creation of a user account, I would be grateful it you would review my attached logs and tell me If it looks to be fully clean. Thanks.

Here is some additional information in case it is helpful: Once NOD32 started alerting, the damage was already done. The IUSER_admin account had been created and other symptoms such as random audio playing and multiple websites opening started. NOD32 found frequent threats...mostly win32/...varients. During cleanup, Spybot S&D reported that it couldn't fix 3 items tagged as "WildTangent". I think "win32/bagle.gen.zip" may have been related to these. They may have been cleaned during the other scans.

Anyway, It seems to be clean so far but I would appreciate a review of my logs.

Also, I plan to uninstall Adaware and SpywareBlaster and go with either SuperAntiSpyware or Malwarebytes if it's not recommended to use both. What do you recommend?

Thanks for your help.

Private CF · Sep 13, 2008

Attached is my 4th log. Thanks.

TimW · Sep 14, 2008

You look pretty good.....let's just do a few things:

Run this: Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Open notepad and copy and paste the following text in the quote box into the window:

sc stop seiuctol
sc delete seiuctol
Click to expand...

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Kazaa]
[-HKEY_LOCAL_MACHINE\SOFTWARE\knight]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"HideLegacyLogonScripts"=-
"HideLogoffScripts"=-
"RunLogonScriptSync"=-
"RunStartupScriptSync"=-
"HideStartupScripts"=-
Click to expand...

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now re-run ComboFix and attach the new log.

Private CF · Sep 14, 2008

Hi Tim, I really appreciate your help.

The registry changes were successful and I attached the new combofix log as instructed.

I'm curious...What was left after the initial cleaning procedure and what did the fix.bat and registry changes do?

Also, I plan to uninstall Adaware and SpywareBlaster and go with either SuperAntiSpyware or Malwarebytes if it's not recommended to use both. What do you recommend?

Any idea why this particular malware, especially whatever created the IUSER_Admin account, was only detected by NOD32 after damage was already done?

Thanks again.

TimW · Sep 14, 2008

You had two fake security drivers which we stopped and deleted.

The reg patch was just to clean out some crud that Combo does to your system.

As to why one av finds things and others don't is just a matter of the source programmers keeping up with the new attacks...some can respond faster than others....a good reason to keep your systems updated.

If you are not having any other malware problems, it is time to do our final steps:

We recommed you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significan amount of resources ( except a little disk space ) until you run a scan.

If we used Pocket Killbox during your cleanup, do the below

* Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)

Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required

"%userprofile%\Desktop\combofix" /u

Notes: The space between the combofix" and the /u, it must be there.

This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

Delete the C:\combo-fix folder from combofix.

If we had you run Avenger, you can delete all files related to Avenger now.

If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.

Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.

Go to add/remove programs and uninstall HijackThis.

You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip

If you are running Vista, Windows XP or Windows ME, do the below:

Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

Click to expand...

Private CF · Sep 18, 2008

"The reg patch was just to clean out some crud that Combo does to your system."

Tim.....with this in mind, since you had me run combofix again after this reg patch, should I run the reg patch again without running combofix so that the system is cleaned post combofix?

Private CF · Sep 18, 2008

Also, is there any reason not to update winXP all the way to sp3?

TimW · Sep 18, 2008

You should be fine.....make a restore point and go ahead and download sp3.

Log in or Sign up

Please check my logs after recovery from iuser_admin account & malware.

Private CF Private E-2

Attached Files:

saslog.txt

mbam-log-2008-09-12 (16-46-17).txt

combofixlog.txt

Private CF Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Private CF Private E-2

Attached Files:

combofixlog-9-14.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Private CF Private E-2

Private CF Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member