win32 user added virus plaguing me


Effelove


I have been having such a hard time now for 3 months on my computer. The win32 virus "user added" is probably to blame. This computer has made several visits to repair techs, and after continued problems I bought a new hard drive and a new operating system. I have a backup computer that is also infected. I had hoped these measures would wipe out whatever has been making me miserable, and no such luck. I have spent more money than would be believed and I am no better off today than I was 3 months ago. I woke up this morning ready to go to war. I feel I have been in a boxing match with someone on my system for a long time. Yesterday Webroot detected 3 occurrences of the win32 "user added" (2 on the spooler) and I had a remote session with a Geek Squad agent who restored my computer to default values and ran an MRI and said voila, it's gone. But the cycle has been, in 2 days the virus will start to be detected again by Webroot. I am sure the virus is still active and here. Thank you for any assistance you can give me. I tried to paste the results of FRST but I am unable to, so I am attaching the files.

 

 

 

FRST.txt

Addition.txt


Hello,

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

1. Download Malwarebytes Anti-Rootkit from this link: http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update.

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan".

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


      Internet access
      Windows Update
      Windows Firewall

 

14. If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within the Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

  • System - log
  • Mbar - log (date and time of scan will also be shown)

 

Thanks,

 

Kevin...


My maintenance center said my memory card reader needed to be installed and directed me to a Realtek website. I downloaded the driver, extracted all, and the maintenance center is still advising me to install the driver. It is possible that it was not installed in the right place. I found no specific instructions for that. I am currently trying to install 2 updates that refused to install yesterday and then I will report back.


I have 3 missing updates and Windows Update is installing them, but it has been 0% completed for about 20 minutes now. I do not think the driver for my memory card reader was installed properly because the message to fix it still showed until I clicked on "archive the message" (which maybe I should not have done). I do have internet access, but as of last evening it was shutting off intermittently. This morning it took "an unusually long time".


svchost.exe is a system file; it can also be a malicious file depending on where it is running from. As the one listed in the log you posted is running from the System32 folder I would expect that to be ok. Usually malicious entries would run from a different folder.

 

The other entry "mbamscheduler.exe" is also ok; it is part of Malwarebytes.

 

The logs you posted from FRST and MBAR are clean, so we have found nothing malicious up to now. I see several created files in the minidump folder from recent crashes; maybe your system suffers from a driver issue.

 

Continue with the following:

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes select "Report" and save to desktop. Close the program > Don't Fix anything!
  • Post back the report, which should be located on your desktop.

 

Next,

 

Zip up and attach the following folder to next reply: C:\Windows\Minidump

 

Kevin

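As an added illustration of the check Kevin describes (this is example code, not from the thread or from FRST), the Python below parses FRST-style "Processes" lines and flags binaries with system names such as svchost.exe or spoolsv.exe that run from anywhere other than System32/SysWOW64, or that carry no signer. The sample lines are constructed, and the expected folders assume Windows is installed on C:.

```python
import re
from pathlib import PureWindowsPath

# Constructed FRST-style "Processes" lines (not the poster's log); the
# first three are benign, the last two are the kind of entry to question.
SAMPLE_PROCESS_LINES = r"""
==================== Processes (Whitelisted) =================
(Microsoft Corporation) C:\Windows\System32\svchost.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(Malwarebytes Corporation) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
() C:\Users\Rita\AppData\Roaming\svchost.exe
(Microsoft Corporation) C:\Windows\Temp\spoolsv.exe
"""

# FRST prints the signer in parentheses followed by the full image path.
PROCESS_RE = re.compile(r"^\((?P<signer>[^)]*)\)\s+(?P<path>[A-Za-z]:\\.*\S)\s*$")

# Folders these Windows binaries legitimately live in (assumes Windows on C:).
SYS32 = r"c:\windows\system32"
WOW64 = r"c:\windows\syswow64"
SYSTEM_BINARIES = {
    "svchost.exe": {SYS32, WOW64},
    "spoolsv.exe": {SYS32},
    "lsass.exe": {SYS32},
    "services.exe": {SYS32},
}

def parse_processes(text):
    """Return (signer, path) tuples for every process line in an FRST log."""
    procs = []
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if m:
            procs.append((m.group("signer"), m.group("path")))
    return procs

def suspicious_system_processes(text):
    """Flag system-named binaries running from the wrong folder or unsigned."""
    findings = []
    for signer, path in parse_processes(text):
        p = PureWindowsPath(path)
        expected = SYSTEM_BINARIES.get(p.name.lower())
        if expected is None:
            continue  # not a name commonly imitated; nothing to compare against
        if str(p.parent).lower() not in expected:
            findings.append((path, "runs outside System32/SysWOW64"))
        elif not signer.strip():
            findings.append((path, "no signer recorded for a system binary"))
    return findings
```

Only the two constructed entries are returned; the System32/SysWOW64 copies and mbamscheduler.exe pass, matching Kevin's reading of the real log.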

I also wanted to add that my event viewer is showing over 5000 errors, warnings etc. all within the past 24 hours. Many instances of "updatus user trying to query the existence of a blank password for an account". And many "DCOM got error 1086 trying to start the service netprofm with arguments unavailable to run the server". 2 warnings just moments ago from the source "search", task category "gatherer", that read "the update cannot be started because all of the content sources were excluded by site path rules, or removed from the index configuration. HR result 0x80040d0d". Not sure if this is relevant, but thought I would mention it since I see so many warnings in the event viewer.


I am having problems with zipping up the minidump folder. It said I do not have the proper permissions during one try; another attempt said the folders are empty, but they clearly are not. The minidump file was created yesterday and there are 3 files with a total of 867 KB. When I try to zip it says file not found or no read permission.


RogueKiller log is clean, no obvious malware.

 

Can you attach the zipped up minidump folder as per reply #10.

 

Next,

 

Do you recognize the listed accounts?

 

 

Administrator (S-1-5-21-334689231-357098936-2762105243-500 -> Administrator - Disabled - Status: Degraded)
Guest (S-1-5-21-334689231-357098936-2762105243-501 -> Limited - Disabled - Status: Degraded)
Rita (S-1-5-21-334689231-357098936-2762105243-1001 -> Administrator - Enabled - Status: OK) => C:\Users\Rita
Steel (S-1-5-21-334689231-357098936-2762105243-1003 -> Limited - Enabled - Status: OK) => C:\Users\Steel
UpdatusUser (S-1-5-21-334689231-357098936-2762105243-1002 -> Limited - Enabled - Status: OK) => C:\Users\UpdatusUser

 

Next,

 

Please download VEW by Vino Rosso from HERE and save it to your Desktop.

  • Double-click VEW.exe to start. Vista and Windows 7/8 users: right-click and select "Run as Administrator".
  • Under 'Select log to query...' check the boxes for both Application and System.
  • Under 'Select type to list...' select both Error and Critical.
  • Click the radio button for 'Number of events...' and type 10 in the 1 to 20 box.
  • Then click the Run button.
  • Notepad will open with the output log. It will take a couple of minutes to generate the log, please be patient.

 
Please post the Output log in your next reply.
 

 

 

Kevin...

 

***Edit***

 

We cross posted; I've just noticed your subsequent reply regarding the minidump folder. Navigate to C:\Windows, right click on this folder: Minidump and select Copy.

 

Close out Explorer, right click on empty space on the DESKTOP and then select Paste.

 

Right click on the saved file > select > send to > compressed (zipped) folder. The zipped folder will be saved to the Desktop. Attach to next reply.

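To show how the account list Kevin posted above is read, this added Python example (not from the thread or from FRST) parses those five lines, splits the relative identifier off each SID, and flags the enabled accounts an owner should be asked about. The `recognized` set is an assumed input standing in for the owner's answer; the account lines themselves are copied from the reply above.

```python
import re

# The account lines from Kevin's reply above, as printed by FRST.
ACCOUNT_LINES = r"""
Administrator (S-1-5-21-334689231-357098936-2762105243-500 -> Administrator - Disabled - Status: Degraded)
Guest (S-1-5-21-334689231-357098936-2762105243-501 -> Limited - Disabled - Status: Degraded)
Rita (S-1-5-21-334689231-357098936-2762105243-1001 -> Administrator - Enabled - Status: OK) => C:\Users\Rita
Steel (S-1-5-21-334689231-357098936-2762105243-1003 -> Limited - Enabled - Status: OK) => C:\Users\Steel
UpdatusUser (S-1-5-21-334689231-357098936-2762105243-1002 -> Limited - Enabled - Status: OK) => C:\Users\UpdatusUser
"""

ACCOUNT_RE = re.compile(
    r"^(?P<name>\S+) \((?P<sid>S-1-5-21-[\d-]+) -> (?P<group>\w+) - "
    r"(?P<state>Enabled|Disabled) - Status: (?P<status>\w+)\)"
    r"(?: => (?P<profile>.+))?$"
)

# Well-known relative identifiers (the last SID component) on a local machine.
BUILTIN_ADMIN_RID = 500
BUILTIN_GUEST_RID = 501

def parse_accounts(text):
    """Return one dict per FRST account line; lines that do not match are skipped."""
    accounts = []
    for line in text.splitlines():
        m = ACCOUNT_RE.match(line.strip())
        if not m:
            continue
        acct = m.groupdict()
        acct["rid"] = int(acct["sid"].rsplit("-", 1)[1])
        acct["enabled"] = acct["state"] == "Enabled"
        accounts.append(acct)
    return accounts

def review_accounts(text, recognized):
    """Flag accounts worth a question, given the names the owner says are theirs."""
    findings = []
    for a in parse_accounts(text):
        if not a["enabled"]:
            continue  # a disabled built-in account is the expected state
        if a["rid"] == BUILTIN_ADMIN_RID:
            findings.append((a["name"], "built-in Administrator is enabled"))
        elif a["rid"] == BUILTIN_GUEST_RID:
            findings.append((a["name"], "Guest account is enabled"))
        elif a["group"] == "Administrator":
            findings.append((a["name"], "enabled account with Administrator rights"))
        if a["rid"] >= 1000 and a["name"] not in recognized:
            findings.append((a["name"], "enabled account not recognized by the owner"))
    return findings
```

With `recognized={"Rita", "Steel"}` the result is exactly the two points raised in the thread: Rita is an enabled administrator, and UpdatusUser is enabled but unknown to the owner.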

I have tried over and over but access is denied. This might sound strange but I would like to try and explain these weird occurrences on my computer which have been going on for a very long time. We live in a rural area and ordinarily we do not pick up any other wifi signals. It used to be that the only one that we would see was our own. There is a wifi signal that displays on my computer and it seems to only appear when I am doing something like I am today, trying to free my computer of any problems. The wifi is named dumprat. I have tried to look for it on other devices and I have never seen the signal on any other computer, or phone, or on my iPod. It only shows up here. That and the wifi named hidden network. I have noticed major lag when dumprat is visible, been disconnected from my wifi when it is visible, prevented from downloading AV programs and ZoneAlarm, and in general things like losing admin rights seem to follow dumprat being shown as an available wifi network. Oftentimes when I click on my list of available networks and see dumprat he will only appear for a split second before disappearing. It's as if he is seeing what I am doing and trying to duck and hide from me. I know this sounds bizarre and paranoid. I know it is not at all unusual to see other wifi signals. But these 2 unprotected networks are not typical in the way they suddenly appear and disappear, and I find it odd that when I try to scout out the source of them I cannot pick them up on any other device but this laptop. I have driven around where I live trying to find the source of dumprat and have never been able to detect it. Please don't think me nuts, I just feel strongly that dumprat has something to do with my computer problems.


I had my guest account turned off, so if it is being used that should not be the case. UpdatusUser: no idea what that is. As for Steel, that is a local account that I made to try and stay off of an admin account to protect my computer. Rita is the admin account I am currently on.


Sorry this information comes in bits and pieces... Hidden network is showing on my computer at the moment (I know a hidden network is someone just blocking their SSID and not ordinarily anything to worry about). In my list of available options hidden network has the box for "connect automatically" checked. This has been the case for a very long time as well. I can uncheck the box, but the moment I leave the page and then look at it again it is always checked. I have tried to find a way to right click and choose "forget this network" but that option is not available, and there is no record of hidden network shown in my list of saved wifi connections. It seems I am stuck with hidden network and the box checked for connect automatically. :(


If you have successfully copied the minidump folder, "Right Click" directly on that folder, then select > send to > compressed (zipped) folder. The zipped folder should be saved on your Desktop. Attach the zipped folder to next reply.

 

The accounts I queried are ok and safe. The first one, "Administrator", is a built-in hidden account and, as shown, is "Disabled". The next three you are aware of. The final account, "UpdatusUser", is created for nVIDIA drivers and used to update your drivers.


Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:

 


  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender

 


Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.

This topic is now closed to further replies.