Malware issues - Windows 7


  1. Posts : 2
    Windows 7 Home Premium 32bit
       #1



    I just lent my computer to my brother, and it came back with a "windows 7 security" malware. I don't understand how it got through, but I guess that doesn't fully matter as much as getting rid of this. I ran Malwarebytes, the free version, and it said it removed the files, but when I restarted my computer, 4 error codes came up:

    Windows cannot find 'C:\Windows\System32\igfxtray.exe'. Make sure you typed the name correctly, and then try again.

    Windows cannot find 'C:\Windows\System32\kdcmd.exe'. Make sure you typed the name correctly, and then try again.

    Windows cannot find 'C:\Windows\System32\igfxtrayTiltWheelMouse.exe'. Make sure you typed the name correctly, and then try again.

    Windows cannot find 'C:\Windows\System32\igfxpers.exe'. Make sure you typed the name correctly, and then try again.

    Now, when I tried to close these, it re-boots the malware. If it matters, the file doesn't appear to be "real" in the sense that my computer works mostly fine without it, and the icon is a red circle with an X in it.
    The only other thing I noticed was, I tried to load up a program that accesses locally stored data (HoldemManager fwiw) and I am unable to load it up, getting the message:
    "The following error occurred when trying to open the database: Unable to read data from transport connection: An existing connection was forcibly closed by the remote host."

    Please help, you're my only hope! (Star Wars reference)


  2. Posts : 1,781
    Windows 7 Professional SP1 32-bit
       #2

    Welcome to SevenForums!

    Do you have a restore point from before you let your brother have the computer? See if you can go back to it and then perform another full scan with Malwarebytes.

    Which antivirus software do you have running? What exactly did you find during the scan?

    Most importantly: find out what it is your brother did with the machine. He was obviously careless with it - humans are still the main reason systems get infected.


  3. Posts : 10,994
    Win 7 Pro 64-bit
       #3

    Hello Jeas and welcome to Seven Forums.

    First, my usual disclaimer: I'm not an expert at anything! :)

    Never, ever lend your computer to your brother again!

    I'd suggest making a copy of the free Microsoft Standalone System Sweeper. Run the full scan and see if that doesn't help.

    https://www.sevenforums.com/tutorials...m-sweeper.html

    You could also try the free Hitman Pro as yet another malware scanner.

    Hitman Pro 3 - SurfRight

    igfxtray is a process which allows you to access the Intel 81x series Graphics configuration and diagnostic application for the Intel graphics chipset. This program is a non-essential system process, and is installed for ease of use via the desktop tray. You could uninstall them if you want to. Since I'm not an expert at anything I'm not sure if you can download clean copies from the Intel website.

    http://downloadcenter.intel.com/Sear...59&FamilyId=39

    And not to sound like I'm preaching, but this is a good example of why a system image is so important. If a machine gets corrupted by malware or anything else, a system image can get the machine up and running to a known clean condition in minutes.


  4. Posts : 1,781
    Windows 7 Professional SP1 32-bit
       #4

    marsmimar said: "Never, ever lend your computer to your brother again!"

    I was actually making a point of not saying it so bluntly - but, yeah. LOL.


  5. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #5

    Can you post the .txt log that Malwarebytes produced? (copy and paste in next reply)


  6. Posts : 2
    Windows 7 Home Premium 32bit
    Thread Starter
       #6

    Malwarebytes' Anti-Malware 1.51.2.1300
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 8311

    Windows 6.1.7601 Service Pack 1
    Internet Explorer 9.0.8112.16421

    04/12/2011 9:20:04 PM
    mbam-log-2011-12-04 (21-20-04).txt

    Scan type: Quick scan
    Objects scanned: 190348
    Time elapsed: 5 minute(s), 13 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    c:\Users\Eric\AppData\Roaming\Dyumi\loafm.exe (Trojan.Agent) -> 4064 -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{D15595C0-510F-6754-D6D4-8567D012C361} (Trojan.Agent) -> Value: {D15595C0-510F-6754-D6D4-8567D012C361} -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\Eric\AppData\Roaming\Dyumi\loafm.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    The above is the log from the scan. I'm about to try the other malware removal programs posted in this thread.

    He won't tell me or admit it was him that got the malware, so I'm not 100% sure, but I agree with you guys that I'm never lending it to him again.
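
The log in the post above, read programmatically (an added example, not part of the original thread): this Python code parses the Malwarebytes text-log layout shown there, checks each summary count against the items actually listed, and tags the detections that sit in the Run autostart key and the .exe open-command handler, the two registry locations worth re-checking after a cleanup. The function names and tag labels are assumptions made for illustration.

```python
import re

# Detection sections copied from the log posted above (empty sections omitted).
SAMPLE_LOG = r"""
Memory Processes Infected: 1
Registry Values Infected: 2
Files Infected: 1
Memory Processes Infected:
c:\Users\Eric\AppData\Roaming\Dyumi\loafm.exe (Trojan.Agent) -> 4064 -> Unloaded process successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{D15595C0-510F-6754-D6D4-8567D012C361} (Trojan.Agent) -> Value: {D15595C0-510F-6754-D6D4-8567D012C361} -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> Quarantined and deleted successfully.
Files Infected:
c:\Users\Eric\AppData\Roaming\Dyumi\loafm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

COUNT_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<object>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")
# Registry paths that decide what runs at logon or when a file type is opened.
PERSISTENCE = {
    "run-key autostart": re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I),
    "file-association handler": re.compile(r"\\shell\\open\\command\\", re.I),
}

def parse_mbam_log(text):
    """Return (declared summary counts, detections listed per section)."""
    declared, found, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := COUNT_RE.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]
        elif section and (m := ITEM_RE.match(line)):
            found.setdefault(section, []).append(
                {"object": m["object"], "family": m["family"],
                 "action": m["rest"].split(" -> ")[-1]})
    return declared, found

def count_mismatches(declared, found):
    """Sections whose summary count differs from the number of items listed."""
    return [s for s, n in declared.items() if n != len(found.get(s, []))]

def persistence_items(found):
    """Tag detections located in autostart or file-association registry paths."""
    return [(tag, item["object"], item["action"])
            for items in found.values() for item in items
            for tag, rx in PERSISTENCE.items() if rx.search(item["object"])]
```

Calling `persistence_items(parse_mbam_log(SAMPLE_LOG)[1])` returns the Run value and the .exe handler entry with the action the scanner reported for each.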


  7. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #7

    I'd like you to scan your machine with ESET OnlineScan
    1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESET OnlineScan
    2. Click the button.
    3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      1. Click on to download the ESET Smart Installer. Save it to your desktop.
      2. Double click on the icon on your desktop.
    4. Check
    5. Click the button.
    6. Accept any security warnings from your browser.
    7. Check
    8. Push the Start button.
    9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    10. When the scan completes, push
    11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    12. Push the button.
    13. Push


 
