Help! What The Heck Is Iuser_admin[INACTIVE]

[Delta_Momof3]

I have done several things to get this Iuser_admin off my computer....I don't know what it is but I please it is some type of Trojan virus/infection or whatever. I feel like I'm being watched or something..... How does it create its own screen name on my computer and in Administrative Account where to it can go through all of my files...

Things that are happening:

I hear clicking sound on my computer

Running Slow at times

Sounds coming from speaker and I know I'm not doing it

I use Mozilla Firefox but the clicking sounds like IE browser

Help! Please!

My Trojan Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:09:01 AM, on 9/7/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\mabidwe.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\noytcyr.exe

C:\WINDOWS\system32\roxtctm.exe

C:\WINDOWS\system32\roytctm.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Spyware Doctor\pctsAuxs.exe

C:\Program Files\Spyware Doctor\pctsSvc.exe

C:\WINDOWS\system32\sobicyt.exe

C:\WINDOWS\system32\sotpeca.exe

C:\WINDOWS\system32\soxpeca.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\tdxdowkc.exe

C:\WINDOWS\system32\tdydowkc.exe

C:\WINDOWS\system32\wsldoekd.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Spyware Doctor\pctsTray.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\Twain_32\CA561A\SnapDetect.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mystart.incredimail.com/english/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.....;/www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [DVDTray] C:\Program Files\Ahead\ODD Toolkit\DVDTray.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\RunOnce: [symPCCheckup] "C:\WINDOWS\system32\Adobe\Shockwave 11\symcheckupstub.exe" /task /reboot

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: Icatch(VI) SnapDetect.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/downlo...BundleId=23100

O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj02.custhelp.com/8102-b4.....;/java/RntX.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C9090B03-BACB-4158-AAC4-BC39AF6FD3E9}: NameServer = 12.25.240.9,69.60.160.196

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINDOWS\system32\AFinding.exe (file missing)

O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINDOWS\system32\afisicx.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\WINDOWS\system32\mabidwe.exe

O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINDOWS\system32\macidwe.exe (file missing)

O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINDOWS\system32\Nobicyt.exe (file missing)

O23 - Service: noxtcyr Portable Media Serial Service (noxtcyr) - Unknown owner - C:\WINDOWS\system32\noxtcyr.exe (file missing)

O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\WINDOWS\system32\noytcyr.exe

O23 - Service: routing Service (routing) - Unknown owner - C:\WINDOWS\system32\routing.exe (file missing)

O23 - Service: roxtctm Manages messages (roxtctm) - Unknown owner - C:\WINDOWS\system32\roxtctm.exe

O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\WINDOWS\system32\roytctm.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINDOWS\system32\sobicyt.exe

O23 - Service: sotpeca Corporation inc. (sotpeca) - Unknown owner - C:\WINDOWS\system32\sotpeca.exe

O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\WINDOWS\system32\soxpeca.exe

O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINDOWS\system32\tdxdowkc.exe

O23 - Service: tdydowkc Service (tdydowkc) - Unknown owner - C:\WINDOWS\system32\tdydowkc.exe

O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINDOWS\system32\WServing.exe (file missing)

O23 - Service: wsldoekd Corporation inc. (wsldoekd) - Unknown owner - C:\WINDOWS\system32\wsldoekd.exe

--

End of file - 8341 bytes

Things that I have done:

Went into Safe Mode

Click Run

Types: control userpasswords2

screen comes up

I remove Iuser-Admin account and even changed password to see

what the heck maybe going on...

I removed the account

logged out

restarted my Pc

but it still comes back

(I got the above from another source who claimed they called Microsoft and was able to get Iuser _admin off and gone) It's still recreating itself on my PC.. What is this?? Please Help...

[Delta_Momof3]

Can anyone help me PLEASE

[sarahw]

Hi,

Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.

You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.

Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.

These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat.

[sarahw]

Hi,

Can you please have your threads at other sites closed. You only need to start one topic, starting multiple threads wastes peoples time if you are being helped elsewhere.

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
  
• Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  C:\WINDOWS\system32\wsldoekd.exe
  C:\WINDOWS\system32\WServing.exe
  C:\WINDOWS\system32\tdydowkc.exe
  C:\WINDOWS\system32\soxpeca.exe
  C:\WINDOWS\system32\sotpeca.exe
  C:\WINDOWS\system32\roytctm.exe
  C:\WINDOWS\system32\roxtctm.exe
  C:\WINDOWS\system32\noytcyr.exe
  C:\WINDOWS\system32\noxtcyr.exe
  C:\WINDOWS\system32\Nobicyt.exe
  C:\WINDOWS\system32\mabidwe.exe
  C:\WINDOWS\system32\macidwe.exe
  C:\WINDOWS\system32\afisicx.exe
  C:\WINDOWS\system32\AFinding.exe

  
  

• Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  
• Click the red Moveit! button.
  
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  
• Close OTMoveIt2
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

In your reply, post a fresh Hijack This log and the OTMoveIt2 log.