Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Iuser_admin Problem


  • Please log in to reply
5 replies to this topic

#1 eotamot

eotamot

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 19 September 2008 - 02:03 AM

Ok 9/4/08 I turned on pc and there was another user that I did not createname (IUSER_Admin). I deleted it several times for it to just come back. I have been over the last few days doing steps located on this page http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ but when I got to step 6, the application downloaded but would not run it says the file is not a valid win32 application. Ok, so what should I do now. Also, I use Panda internet security 08 and it updates fine but does not find anything, then when I went to the panda web site and done the online scan from there it finds something. I do not know if this has anything to do with anything. I have emailed Panda like 15 times about everything that has been going on since the 4th and I only recieved one reply telling me they thought it was something named "smitfraud" and that it was harmless and to remove it I would need to go to a pc tec and have them check out the system. Also, all of these applications that have been downloaded and used from topic 34773, do I need to unistall them now? Well So I decided to try to correct things by using info on this website. Some other info, if it helps, winXP is what I am running. I am not that computer savy so any help is much appreciated. Thanks.

Edited by KoanYorel, 19 September 2008 - 09:15 AM.
Moved to AII forum from HJT for assistance


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:03 PM

Posted 22 September 2008 - 10:30 AM

The HJT Team members are all volunteers who contribute to helping members as time permits but currently there is a backup and you may have to wait for assistance. However, we may be able to assist you here and resolve this issue without having to post a log so lets try that first.

The Not a valid Win32 application error message can be caused by a number of possibilities to include malware.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 eotamot

eotamot
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 23 September 2008 - 12:05 AM

Malwarebytes' Anti-Malware 1.28
Database version: 1196
Windows 5.1.2600 Service Pack 3

9/23/2008 1:03:35 AM
mbam-log-2008-09-23 (01-03-35).txt

Scan type: Quick Scan
Objects scanned: 23278
Time elapsed: 6 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:03 PM

Posted 23 September 2008 - 09:00 AM

There seems to be an increase in the number of reports about this infection. Since MBAM did not find anything that means we need to investigate further to identify the malware related files so its probably best to post a hijackthis log in the HijackThis Logs and Malware Removal forum, NOT here. Since you already ready the Prep Guide, there is no need to repeat the steps. Just go directly to the HJT forum and post your log.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 eotamot

eotamot
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:11:03 PM

Posted 24 September 2008 - 01:05 AM

Hi this is my original post on 9/19- original post link http://www.bleepingcomputer.com/forums/ind...;hl=IUSER_Admin

Ok 9/4/08 I turned on pc and there was another user that I did not createname (IUSER_Admin). I deleted it several times for it to just come back. I have been over the last few days doing steps located on this page http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ but when I got to step 6, the application downloaded but would not run it says the file is not a valid win32 application. Ok, so what should I do now. Also, I use Panda internet security 08 and it updates fine but does not find anything, then when I went to the panda web site and done the online scan from there it finds something. I do not know if this has anything to do with anything. I have emailed Panda like 15 times about everything that has been going on since the 4th and I only recieved one reply telling me they thought it was something named "smitfraud" and that it was harmless and to remove it I would need to go to a pc tec and have them check out the system. Also, all of these applications that have been downloaded and used from topic 34773, do I need to unistall them now? Well So I decided to try to correct things by using info on this website. Some other info, if it helps, winXP is what I am running. I am not that computer savy so any help is much appreciated. Thanks.


Ok I have done what was said to do in the reply to original post. But While running spybot it continues to find the same thing every time I run it. I click fix problem and the next time I run it it finds the exact same thing. Here is info about that.

Win32.Delf.rtk: [SBI $3898DFCC] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\roytctm

Win32.Delf.rtk: [SBI $E47F11F3] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\roytctm

Win32.Delf.rtk: [SBI $C2C0258A] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\roytctm

Win32.Delf.rtk: [SBI $68C12074] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\soxpeca

Win32.Delf.rtk: [SBI $B426EE4B] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\soxpeca

Win32.Delf.rtk: [SBI $9299DA32] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\soxpeca

Win32.Delf.rtk: [SBI $D7F84781] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdydowkc

Win32.Delf.rtk: [SBI $F3FA5EED] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tdydowkc

Win32.Delf.rtk: [SBI $2CB34E58] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\tdydowkc

Ok so here are my questions. I have noticed in some of the hjt logs posted there is personal info, like name of pc or owner name, how to I keep from posting this information, and is there anything else in the hjt log that could be an identity problem? I have tried to change user information for my pc and in certain areas it displays all old users(like for documents) that have been created for this pc.

Thanks ahead of time for any help on this problem. I never did get the stinger to download right. Until I hear from someone about what spybot keeps finding & about the pc I.D info I will not download hjt.

Edited by KoanYorel, 24 September 2008 - 08:31 AM.
Post nerged with original thread because no HJT LOG


#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,277 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:03 PM

Posted 24 September 2008 - 12:15 PM

After downloading HijackThis and creating your log, just edit out the personal information you do not want it to show. After doing that, then post your log.

You may find entries like this, so just type in <user name> where yours belongs like I did in the example below.

C:\Documents and Settings\<user name>\Desktop\
C:\Documents and Settings\<user name>\My Documents\

Those entries found by Spybot look to be rootkit related and that program is not equipped to deal with them. Some infections are difficult to remove completely because of their morphing characteristics which allows the malware to regenerate itself. Sometimes there is a hidden piece of malware which has not been detected that protects files (which have been detected) and registry keys so they cannot be permanently deleted. Disinfection will probably require the use of more powerful tools than we recommend in this forum.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users