Need help with 9129837.exe malware among others

Discussion in 'Malware Help (A Specialist Will Reply)' started by DougHeffernan, Aug 31, 2009.

  1. DougHeffernan

    DougHeffernan Private E-2

    Last night while looking for a solutions manual on torrentreactor.com (I rarely use torrents, so just my luck) I got a malware alert from Avast for wpv881251594352.exe (located in \WINDOWS\Temp), then almost immediately another for 9129837.exe (in C:\WINDOWS). About 15 min later I got another for ger.exe (in \WINDOWS\System32). They were all quarantined successfully. I also noticed later on after switching to Normal Startup that there was an ikowin32.exe in the Startup folder in the Start menu.

    I then ran a full Spybot scan and it found 9129837 and fixed that. Then I found this site and did everything in the Read Me.

    Notes:
    -I didn't have any previous malware in Add/Remove
    -When I ran CCleaner, I also ran the registry cleaner like the "Basic computer maintenance" thread said. It found 334 fixes. I wish there was a log for it but there's none available, but I do have the backup file.
    -My AV software is Avast 4.8 and firewall is ZoneAlarm
    -I changed to Normal Startup mode in MSConfig. I wish I had learned about this earlier. For the 6 years I've had this PC, it's been in selective startup and that's why I have so many improperly uninstalled programs with stray keys.
    -However, switching to Normal Startup resulted in even more sluggish startup and overall slower performance. At startup I get a RUNDLL box saying "specified module could not be found" referring to Deadaim.ocm, an add-on to AIM from years ago. See the print screen of the task manager for all the unwanted processes. Before and After. Notice the 100% CPU usage at startup in the After.

    -SAS found 3 threats
    -Malwarebytes found the ikowin32.exe malware I mentioned above
    -ComboFix said Norton AV was running and could interfere, but then it did the scan anyway. I don't even use Norton AV anymore so that's weird. There are some Norton-related startup items after switching to Normal so that may be it.
    -RootRepeal only found one thing: C:\hyberfil.sys. It takes up .99GB. Please tell me what this is and if it's needed.
    -MGtools created 4 folders (Qoobox, cmdcons, RECYCLER, MGtools) and 2 files (cmldr, Boot.bak). Again, please let me know if these are necessary to keep.

    So to conclude, I only know that 9129837 has been fixed. The other two you will have to check for.

    I would also like some help in cleaning up my startup process. Please recommend some things.

    Let me know if you need a HijackThis log or Spybot system startup log.

    Thanks in advance for your help
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you wish us to check your system, you need to attach the requested logs:
    SAS
    MBAM
    ComboFix
    RootRepeal
    C:\MGLogs.zip
     
  3. DougHeffernan

    DougHeffernan Private E-2

    Attached Files:

  4. DougHeffernan

    DougHeffernan Private E-2

    You'll find C:\MGLogs.zip in this post
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like the scans took care of most of the infection. Let's just do a little cleaning.

    Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now use Windows Explorer to find and delete:
    C:\WINDOWS\Fwibikayisu.dat

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
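Added example, not from any poster in this thread: a small offline sweep for the file indicators named above (wpv881251594352.exe in \WINDOWS\Temp, 9129837.exe in C:\WINDOWS, ger.exe in System32, ikowin32.exe in the Startup folder, and C:\WINDOWS\Fwibikayisu.dat). The two regexes that generalise the randomly named files to wpv<digits>.exe and <digits>.exe are an assumption, and the XP-style directory tree is constructed in a temporary folder so the script runs anywhere.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from this thread. The two regexes generalise the random
# names wpv881251594352.exe and 9129837.exe; that generalisation is an assumption.
INDICATORS = [
    ("WINDOWS/Temp", re.compile(r"^wpv\d+\.exe$", re.I)),
    ("WINDOWS", re.compile(r"^\d+\.exe$", re.I)),
    ("WINDOWS/System32", re.compile(r"^ger\.exe$", re.I)),
    ("WINDOWS", re.compile(r"^Fwibikayisu\.dat$", re.I)),
    ("Documents and Settings/*/Start Menu/Programs/Startup",
     re.compile(r"^ikowin32\.exe$", re.I)),
]


def sweep(root):
    """Return sorted paths (relative to root) that match any indicator."""
    root = Path(root)
    hits = set()
    for subdir, pattern in INDICATORS:
        for d in root.glob(subdir):          # glob handles the per-user wildcard
            if not d.is_dir():
                continue
            for f in d.iterdir():
                if f.is_file() and pattern.match(f.name):
                    hits.add(f.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout: the thread's five artefacts plus one benign file."""
    files = [
        "WINDOWS/Temp/wpv881251594352.exe",
        "WINDOWS/9129837.exe",
        "WINDOWS/System32/ger.exe",
        "WINDOWS/Fwibikayisu.dat",
        "Documents and Settings/Doug/Start Menu/Programs/Startup/ikowin32.exe",
        "WINDOWS/System32/calc.exe",  # benign, must not be reported
    ]
    for rel in files:
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ")  # content is irrelevant; only names and locations matter


def demo():
    """Build the sample tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```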
  6. DougHeffernan

    DougHeffernan Private E-2

    Sorry for the late response. I just forgot about this thread.

    I did everything you listed and I got the successful registry merge message. I've attached the MGlog you asked for.

    Somehow, hidden files are now showing even though they were off before these changes. File extensions are also showing. Other folder options may have changed also, but I'm not sure. How did this happen, and can I change it back to hide hidden files?

    Also, can you please explain the following from the OP:
    "-MGtools created 4 folders (Qoobox, cmdcons, RECYCLER, MGtools) and 2 files (cmldr, Boot.bak). Again, please let me know if these are necessary to keep."

    FYI, I mentioned in the OP that I was getting a RUNDLL message at startup about Deadaim.ocm. I no longer get this so I'm assuming the changes fixed that.

    Everything else is running fine except for the usual sluggishness that comes with never having reformatted the PC since I got it in 2003.

    Thanks for your help.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. However, I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.

    The files you mention are system files that running MGTools allowed to be visible. They will go away when you run these final instructions:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
