Is this a new virus?
September 12, 2008 5:42 PM

Suddenly I have an IUSER_Admin icon showing up on my PC without me setting it up, and other problems as well. Virus?

New icon for an admin account, printers wiped out, default internet page changes to another language (Chinese?), running everything very, very slowly, my VPN client is dead and other error messages. I have McAfee and use SpyBot but am not catching anything. To our knowledge, we have not downloaded anything or visited any odd websites.

Google shows some recent hits for this but not a lot of help. I was able to delete the admin account in safe mode but that is it. The default site continues to change back and I cannot VPN in to work. So obviously there is still something on here.

What next? Reimage? What is the best way to do that?

Other error message: C:\windows\wftadil6_0809060.dll specified module could not be found
posted by maxg94 to Computers & Internet (9 answers total) 5 users marked this as a favorite
 
Response by poster: Also the computer will play music or commercials(?) when not online or in use.
posted by maxg94 at 5:45 PM on September 12, 2008 [1 favorite]


You probably have spyware that SpyBot is not catching (it won't catch everything). Unfortunately, Windows is not very secure even if you have these kinds of software packages installed.

You can try to do some triage, but the best long-term course of action is to back up your files, reformat the hard drive and reinstall/re-patch Windows from scratch.
posted by Blazecock Pileon at 6:28 PM on September 12, 2008


It definitely sounds like "nuke it from orbit" time.
posted by Class Goat at 6:39 PM on September 12, 2008


Or not. Your choice.

By the way, McAfee is garbage.
posted by flabdablet at 7:02 PM on September 12, 2008


You're toast. Get your data off and go with Class Goat's entry.
posted by a3matrix at 7:21 PM on September 12, 2008


Or not. Your choice.
posted by flabdablet at 7:40 PM on September 12, 2008


Also, I recommend that you consider this and this before cleaning your computer by whatever means.
posted by flabdablet at 7:49 PM on September 12, 2008


This is from my friend Kevin, as he does this for a living. We're both part of a group that answers computer questions for free via e-mail. He's basically canned this answer, and sends it out whenever someone e-mails in with virus troubles. I have followed these instructions myself to clean up many computers, and they work flawlessly. Kevin's canned response follows:

"Here's my instruction sheet for cleaning up massive infections. I've answered these questions so often I just save it as a canned answer and alter it when needed. I do this stuff for a living, BTW.

Go to a clean machine and download the following programs and save to a flash drive or CD:

ComboFix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix
SmitfraudFix from http://www.bleepingcomputer.com/files/smitfraudfix.php
SDFix from http://www.bleepingcomputer.com/resources/link252.html
AntiRootkit from http://research.pandasecurity.com/archive/Panda-AntiRootkit-Released.aspx
Ad-Aware from http://www.lavasoftusa.com/products/ad_aware_free.php
Spybot from http://www.safer-networking.org/en/download/index.html
Anti-Malware from http://www.malwarebytes.org/mbam.php
HijackThis from http://www.bleepingcomputer.com/files/hijackthis.php
WinsockFix from http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Go to the infected machine and boot into Safe Mode. Once at the desktop, the first step is to turn off System Restore. To do this, right click on My Computer and choose Properties. When the Properties box comes up, click the System Restore tab and check the box at the top to turn off System Restore on all drives. Click Apply and OK and then restart the PC, again into Safe Mode.

Once at the desktop, insert the media containing your tools and copy ComboFix, SDFix and SmitfraudFix to the desktop. Run SmitfraudFix and choose option 2 from the text menu. When prompted, say yes to clean the registry.

Once the first program finishes, run ComboFix. This one will most likely reboot the PC before it can clean all the items, but whatever it does, just leave it alone until it shows you the log file. Reboot the PC again into Safe Mode if needed and run SDFix.

Once that finishes, reboot the PC again into Normal mode, copy the Panda AntiRootkit to the desktop and run it. Update it and if it finds anything, remove all the entries on the list. If you have a rootkit, reboot the PC and run Panda again, and keep doing that sequence over and over until it finds nothing.

Once Panda shows clean, reboot to Normal mode and install Ad-Aware, Spybot and Anti-Malware. Update each one, then reboot again into Safe Mode. Run each of the three programs back to back, once again removing everything they find.

When you have all that done, reboot into normal mode, update the antivirus program and do a full system scan. If there’s not one on the PC or if it’s expired you can get good free ones by searching Google for “AVG free” or “Avast free”. If you want better protection against spyware as well as viruses I suggest products from either Panda or Kaspersky.

HijackThis is up to you. If you want a little help to verify that the machine is actually clean you can copy HJT to the desktop once you've finished all the cleanings and rebooted to normal, run it and save a log file and send it to me as an attachment. I'll look through this and give further advice if needed.

The final item, WinsockFix, is there in case you lose the connection to the Internet at any point during the process. Some malware alters the TCP/IP stack to better monitor all online activity and removing it will sometimes damage the socket files. Run this program to rebuild the entire network structure and get back online, then pick up where you left off."
posted by deezil at 7:20 AM on September 13, 2008 [51 favorites]
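The "specified module could not be found" message in the question and the HijackThis verification step in Kevin's sheet both come down to the same check: what is registered to start at logon, does the file it points at still exist, and is it signed by anyone. The script below is an added example for doing that check with built-in PowerShell rather than a third-party tool; it is not from the thread, from HijackThis, or from any of the products listed. It assumes an elevated Windows PowerShell 5.1 (or later) session, and the key list, function names and "suspicious" rule are this example's own choices.

```powershell
# Added example (not from the thread or any tool it names): enumerate the common
# autostart registry keys and report, for each value, the file it really loads,
# whether that file exists on disk, and its Authenticode signature status.
# A missing target is what produces "specified module could not be found" at logon.
# Assumption: run in an elevated Windows PowerShell 5.1+ session.

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartTarget {
    # Returns the file an autostart command actually loads: the quoted or
    # first-token executable, or the DLL argument when the command is rundll32.
    param([Parameter(Mandatory)][string]$Command)
    $cmd = $Command.Trim()
    if ($cmd -match '^"([^"]+)"\s*(.*)$') {
        $exe  = $Matches[1]
        $rest = $Matches[2]
    } else {
        $parts = $cmd -split '\s+', 2
        $exe   = $parts[0]
        $rest  = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }
    if ([System.IO.Path]::GetFileName($exe) -ieq 'rundll32.exe' -and $rest) {
        # rundll32 <dll>,<entrypoint> [args]: the DLL is the module that gets loaded
        return (($rest.Trim() -split ',', 2)[0]).Trim('"', ' ')
    }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartReport {
    # One object per autostart value: key, value name, raw command, resolved
    # target, whether it exists, signature status, and a simple "look at this" flag.
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            $target = Get-AutostartTarget -Command ([string]$p.Value)
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            if (-not $exists -and -not [System.IO.Path]::IsPathRooted($target)) {
                # Bare names like "ctfmon.exe" resolve through PATH at logon; do the same here
                $found = Get-Command $target -ErrorAction SilentlyContinue
                if ($found) { $target = $found.Source; $exists = $true }
            }
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $target).Status.ToString() } else { 'N/A' }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $p.Value
                Target     = $target
                Exists     = $exists
                Signature  = $sig
                Suspicious = (-not $exists) -or ($sig -ne 'Valid')
            }
        }
    }
}

# Usage: list everything, then show only the entries worth a second look.
$report = Get-AutostartReport
$report | Format-Table Name, Exists, Signature, Target -AutoSize
$report | Where-Object Suspicious | Format-List Key, Name, Command, Target, Exists, Signature
```

An entry whose target no longer exists (the DLL path from the question would show up as `Exists = False`) is usually the leftover of a partial cleanup and can simply be removed from the key; an existing but unsigned target is not automatically malicious, so look it up before deleting anything. The script only reads the registry and the filesystem, so it is safe to run repeatedly between the reboots the sheet calls for, and the same five keys are the ones a HijackThis log lists under its O4 entries.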


Our desktop has had the very same issues, complete with random music and commercials. My husband is in the process right now of reformatting and reinstalling. We couldn't fix it, sorry to say.
posted by chiababe at 2:50 PM on September 13, 2008

