I am so very frustrated. I work full time, and I go to school full time, so I have a very limited amount of time, but I spent the whole day trying to get rid of this Win.Useradded trojan. Webroot did not even discover that I had it until I ran rkill, Malwarebytes, then Ad-Aware and then HijackThis. Now my computer is not responding (I do not have permission to reinstall Internet Explorer 10). I am locked out of doing so many things. Files are missing. I am at my wit's end! I have a Windows 7 system, so I am guessing I have whatever Microsoft was trying to prevent everyone from getting. Well, too late. PLEASE HELP ME! Anyone! Soon, for both my computer's sake, my 2 online classes' sake, my calculus class, and my physics course (for which I have to complete homework online), and finally for my own sake (seriously, everything is falling apart in my life and this is just one more thing).
It has disabled Microsoft Security Essentials. 
Any time I run Webroot and Webroot finds anything I go to remove the files and I get the blue screen of death. HELP ME PLEASE!
Here is the Webroot log:
SecureAnywhere Scan Log (Version v8.0.2.155)
Log saved at Wed 2013-08-28 08:03:51
Windows 7 Service Pack 1 (Build 7601) 64bit (Hostname: JASON-PC - Local IP:
Scan Started: Wed 2013-08-28 01:15:04
Files Scanned: 41607
Malicious Files: 0
Duration: 8m 35s
Some legitimate files are not included in this log

36 replies

Userlevel 7
The 52 infected files are actually good files; these weren't removed as they were mostly system files. If you want my advice, I would re-enable whatever was disabled, uninstall all security products and reinstall WSA. We would be happy to connect to your PC to have a look. My shift has finished, but one of my US-based colleagues would be happy to help out.
I cannot even do a system restore. 
Windows Live was installed on my computer, probably when I installed Microsoft Office. That does not mean I have an account or ever used it. I appreciate the help, guys, but obviously I messed things up here and you guys seem to think I am crazy. I will take it from here and try to fix it myself. Thank you anyway.
That would be great. If someone could connect to my computer and help, I would be elated.
Userlevel 7
Jason, I updated your support case to note that you'd like a remote session.  One of the threat researchers should see that, or worst case, Rakanisheu will be back tomorrow.
On the MS Live thing, I'm not alone in my understanding of that credential:
I restored those system files and Ad-Aware caught the threat, Optimum Installer (fs), as soon as I did. File name: setup.exe.
Userlevel 7
Just FYI, Optimum Installer is low-grade general adware; it doesn't mess with core functionality. It will perform stuff that is extremely annoying, but will generally not limit any legitimate function. Still made by terrible people, though.
Webroot's core protection is for files attempting to execute, so if it's just sitting on your disk then it's normal it would not be detected.
So one of the other ways that I know that I have a virus, it has reinstalled 4 additional usb "virtual" drives on my computer. Whenever I go into my device manager I am able to disable these or uninstall them, but they eventually come back if I have not gotten them with a malware program. I am telling you and everyone who has helped me today, whatever is on my computer is not gone. Webroot is not finding it. Internet explorer 10 won't reinstall. I cannot uninstall Webroot to reinstall it. Etc.
Userlevel 7
Could you post a screenshot? I'm not sure what you're referring to as a "virtual drive," but things like the USB controllers are going to reinstall themselves to keep your USB ports functional. You might have a lot of entries for "USB Root Hub" or "USB Composite Device." Knowing the name of what you're referencing would be helpful in explaining what it is and what it does.
Userlevel 7
These virtual drives you speak of - those are empty USB-based media card readers. One of your anti-virus tools probably edited the "Folder Options" in Windows, which unchecked "Hide empty drives in the Computer folder."
"Uninstalling" the drives from Device Manager just removes them until PnP picks them up again and reinstalls them for you.
This is native Windows functionality on all computers, though most users are never aware of this option. Windows XP had a problem where media card readers would introduce 5 or more "Drives" in My Computer that were always empty when not in use. Microsoft developed the option to hide them to clean up the Computer view.
These days malware has financial motivations rather than the academic/childish viruses in the past. They are either extremely quiet, in order to steal your data, or attempt to lock you out of everything in order to extort money out of you. There are exceptions, but if something was messing with you, there would be an address to wire money to in order to "Fix" it.
Extremely aggressive actions against infections on computers can often cause more damage than the infections themselves unless you are working with experts like those at BleepingComputer. Removing a virus manually is always surgery - you're always operating a few pixels away from damaging core functionality. This is why I encourage people to wait for Webroot personnel to attend to their problem. Removing things manually also means that Webroot's journaling feature and rollback won't be activated, which would probably leave users with a cleaner machine than purely manual interventions. And I'm saying this as someone who was, for reasons I won't get into, forced to fight and remove these kinds of infections daily for an hour or more. But even so, I now rely on Webroot's rollback functionality before I ever do anything else to a machine. Luckily it's extremely rare I have to do so now.
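As an added check that is not part of the thread above, this PowerShell snippet reads the Explorer setting the reply refers to and lists removable drives that currently have no media, so the "virtual drives" can be confirmed as empty card-reader slots rather than something an infection created. It assumes the standard Explorer Advanced registry key and the HideDrivesWithNoMedia value name (1 = hide, 0 = show), and uses Get-WmiObject because Windows 7 ships PowerShell 2.0.

```powershell
# Added example: verify that the extra "empty" drives are card-reader slots
# exposed because "Hide empty drives in the Computer folder" was unchecked.
# Assumption: standard Explorer Advanced key and the HideDrivesWithNoMedia value.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$props = Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue
$hide = $props.HideDrivesWithNoMedia

if ($null -eq $hide) {
    # Value absent: Windows defaults to hiding drives with no media
    Write-Output 'HideDrivesWithNoMedia not set (default: empty drives hidden)'
} elseif ($hide -eq 1) {
    Write-Output 'HideDrivesWithNoMedia = 1 (empty drives hidden)'
} else {
    Write-Output 'HideDrivesWithNoMedia = 0 (empty drives shown - this explains the extra drive letters)'
}

# DriveType 2 = removable disk; Size is null when no media is inserted.
# Get-WmiObject is used for Windows 7 compatibility (PowerShell 2.0 has no Get-CimInstance).
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $removable) {
    $state = if ($null -eq $d.Size) {
        'no media (empty slot)'
    } else {
        'media present, {0} GB' -f [math]::Round($d.Size / 1GB, 1)
    }
    Write-Output ('{0} {1} : {2}' -f $d.DeviceID, $d.VolumeName, $state)
}

# The underlying USB storage devices that Plug and Play keeps re-creating
# after they are "uninstalled" in Device Manager.
Get-WmiObject -Class Win32_DiskDrive -Filter "InterfaceType = 'USB'" |
    Select-Object Model, InterfaceType, MediaType, Size |
    Format-Table -AutoSize
```

Re-checking the "Hide empty drives" box in Folder Options (or setting the value back to 1) removes the empty letters from the Computer view without touching the devices.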
Userlevel 7
I am in the office now and will be for the next 5-6 hours or so if you need a connection.