TechSpot

Post-trojan bollocks

By Parakirby
Aug 27, 2008
  1. So I received a trojan somehow and after running a slew of different anti-spyware, adaware, and virus software, my computer reverted back to semi-normal. The trojan in question infested my SYSTEM32 folder, which made it difficult to remove. In any case, AVS managed to get it out, in the end. While the trojan's effects are gone for the most part (No more changing wallpaper, no more blocking of random internet sites) my computer is running slow. Well, that's not entirely true; programs run fine (I'm a gamer, really) but the process of opening files, turning on, etc. takes quite some time.

    HijackThis report attached.
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There are two things you need to address now. You are running both Mcafee antivirus and AVG. Since you have the full Mcafee Suite, uninstall AVG.
    Secondly, the Java is way out of date. You will fix the current entries in HijackThis. Then you need to install the current version which is V6u7 here:
    http://www.java.com/en/download/manual.jsp

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
    Please note any other programs that you don't recognize in that list in your next response.

    Go to the Control Panel> Administrative Tools> Services. Right click on
    Set the Startup to Disabled and Stop the Service.
    Reboot into Normal Mode, run HijackThis again and post the log.
     
  3. Parakirby

    Parakirby TS Rookie Topic Starter

    Actually, I'm pretty certain that McAfee is not the full version. In fact it might be about four years old. (Got it with the computer) And woaholyjesus it's way out of date.

    But you're the boss, off AVS goes.

    Also, you made me find that Notepad file that opens up every time I boot up, thanks! That was really irritating me. Apparently it was Indigo Prophecy, so.

    Anyway, this is just a quick post before I reboot into safe mode.

    Edit:
    Alright, apparently the older versions of Java cannot be uninstalled in Safe Mode, and it was already stopped/disabled, I suppose by HijackThis.

    On a side note it's now going crazy faster. Thanks!
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The following are the programs and processes you show for McAfee:
    Be sure the subscription is up to date. I see you updated Java. Good. You should be able to uninstall the old Java versions in Add/Remove Programs in Normal Mode.

    I'll go over the rest of the new log in the morning; I wanted to tell you to be sure about McAfee being current.
     
  5. Parakirby

    Parakirby TS Rookie Topic Starter

    My subscription totally isn't up to date. I'll get to working on that.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    This is a priority!
     
  7. Parakirby

    Parakirby TS Rookie Topic Starter

    I'll buy a new subscription once my classes are done for today.
     
  8. Parakirby

    Parakirby TS Rookie Topic Starter

    Gonna uninstall McAfee and install Symantec EndPoint Protection AntiVirus, since my college provides it for free. Anything I should take note of?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes. You are already in jeopardy as you don't have an up to date AV. Download the Symantec product and SAVE to your desktop. Run HijackThis again and check all of the McAfee processes. Check on Fix, close and boot into Safe Mode.

    Go to Work Offline> Add/Remove Programs> uninstall the McAfee entries.
    Run the Symantec install from the setup saved to the desktop.

    You will most likely still have McAfee files left and need to run the uninstaller for the program. Make sure no McAfee processes are on the Startup menu, go here and download the uninstaller: http://tinyurl.com/6docj4

    Go back online and reboot. Immediately update the Symantec program and do a full system scan. Advise of the results.
     
  10. Parakirby

    Parakirby TS Rookie Topic Starter

    Argh, crap. I caught Antivirus XP 2008... Thankfully Malwarebyte is still on.

    I took my desktop off the internet now and am using my laptop to transfer the install data to it via a flash drive. For some reason my desktop couldn't download the antivirus software.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, well part of the reason is the missing current antivirus. It is not uncommon to see two antivirus programs in a log. When we do, we tell the user to decide which they want to keep and uninstall the other. It did not occur to me at all that your McAfee might not be current with all the processes that were loading!

    So, now you start over. It would be best if you ran all the cleaning programs set up here:
    http://www.techspot.com/vb/post645589-1.html

    Then attach the logs. Whatever else you do, make sure you are running a current, updated antivirus program! Antivirus XP 2008 (and 2009) is hitting a lot of people.
     
  12. Parakirby

    Parakirby TS Rookie Topic Starter

    I actually did some research and apparently the Sym whatsit antivirus thing doesn't protect users against Antivirus XP! According to the message boards, it 'simply doesn't catch it'. On top of that, installing it on my laptop produces an error... So I installed AVS since it's so highly praised by my peers.

    In any case, I gotta go through my files AGAIN and get rid of the trojan's after effects. Fuuun.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Not fun at all, especially on a holiday weekend! But Antivirus 2008 and 2009 are getting into a lot of systems, even those with current protection!
     
  14. Parakirby

    Parakirby TS Rookie Topic Starter

    Right, Here's what I did after I contracted Antivirus XP:
    Ran Malwarebyte's program, got rid of the main thing (Desktop)
    Switched internet to laptop from desktop
    Transferred Symantec install from laptop to desktop
    Installed Symantec on desktop; AVS on laptop (Sym refuses to work on laptop)
    Went to safe mode, removed McAfee and ran HijackThis to find undesirable programs (such as oemian.exe or some such, which, when googled, turned out to 'be a sign of malware') with desktop
    Re-scanned both computers using Malwarebyte and AVS to find them clean
    Switched internet from laptop to desktop, booted up, finding some things running slowly but it's definitely better than not loading at all.
    Running HijackThis as I post.

    Edit:
    oembios.exe is back, which isn't a good sign.

    Really, thank you so much for your help. I've had this computer for almost five years now and suffice to say I've grown attached. As frightening as this fact may seem, I've never wiped the HD and never upgraded it (aside from the RAM).

    Edit x2:
    And this is not nearly as big a problem and you probably won't have much knowledge of this as you do malware, but whenever I try to run legit copies of TF2 or HL2: EP1 or anything that uses the HL2 engine and isn't HL2 I get an error message about shaderapidx9.dll. D'you know where I could get help with that? Apparently Steam Customer Service isn't very good with handling this sorta thing.

    Edit x3:
    Symantec found it hiding on my system as 29.tmp in C:/WINDOWS/SYSTEM32, somewhere.
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Trend Micro has directions for removing the oembios file in the Registry:
    http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.WL&VSect=Sn

    Follow that. Then reopen HijackThis and check the following if it is still there:
    Check Fix, close HijackThis and boot into Safe Mode:
    Disable this Service: DSBrokerService and Stop the Service

    See if that gets rid of it.
     
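    A defender-side triage script for the checks this thread keeps coming back to: two antivirus products registered at once (post 2), a service to inspect and optionally disable (DSBrokerService in post 15), and the oembios.exe / *.tmp files reported in SYSTEM32 (post 14). This is an added example, not something posted in the thread; it assumes a current Windows PowerShell session run as administrator, only reports by default, and changes the service only when -DisableService is given.

```powershell
# Added triage script (not from this thread). Reports the conditions discussed
# above; it changes nothing unless -DisableService is passed explicitly.
param(
    [string]$ServiceName = 'DSBrokerService',    # service named in the thread
    [switch]$DisableService,                     # opt in to Set-Service/Stop-Service
    [string[]]$SuspectFiles = @('oembios.exe')   # file names reported in the thread
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. More than one registered antivirus product is the "McAfee + AVG" situation.
#    Security Center (root\SecurityCenter2 on Vista and later; XP used
#    root\SecurityCenter) keeps one AntiVirusProduct row per product.
$av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
if ($av) {
    Write-Host 'Registered antivirus products:'
    $av | ForEach-Object { Write-Host ('  {0} (productState=0x{1:X})' -f $_.displayName, $_.productState) }
    if (@($av).Count -gt 1) { Write-Warning 'Multiple AV products registered; keep one and uninstall the other.' }
}

# 2. Service check: report state, start mode and binary path; disable and stop only when asked.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Host ('Service {0}: state={1} startMode={2} path={3}' -f $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
    if ($DisableService) {
        Set-Service -Name $ServiceName -StartupType Disabled
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        Write-Host "Service $ServiceName set to Disabled and stop requested."
    }
} else {
    Write-Host "Service $ServiceName not present."
}

# 3. Files in System32: the named suspects plus any *.tmp (post 14 found 29.tmp there).
#    Hashes are printed so the files can be submitted to the AV vendor instead of guessed at.
$candidates = @()
foreach ($name in $SuspectFiles) {
    $p = Join-Path $sys32 $name
    if (Test-Path -Path $p -PathType Leaf) { $candidates += Get-Item -Path $p }
}
$tmpFiles = Get-ChildItem -Path $sys32 -Filter '*.tmp' -File -ErrorAction SilentlyContinue
if ($tmpFiles) { $candidates += $tmpFiles }
foreach ($f in $candidates) {
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    Write-Host ('Review: {0} size={1} modified={2} sha256={3}' -f $f.FullName, $f.Length, $f.LastWriteTime, $hash)
}
if (-not $candidates) { Write-Host "No suspect files found in $sys32." }
```

    Run it first without -DisableService to see what is present; a service that reappears after being disabled, like the oembios.exe that came back in post 14, is the signal that something else is still re-creating it.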
  16. Parakirby

    Parakirby TS Rookie Topic Starter

    It looks like Sym took care of oembios, so I'll run Hijack now...
    Hijack didn't find oembios, so I just cancelled brkrsvc.exe.

    Rebooting.
     
  17. Parakirby

    Parakirby TS Rookie Topic Starter

    Hmm, DSBrokerService didn't have a stop option... Ah well. My computer's better than it was before, at this point (Although I have no firewalls now (admittedly the McAfee one was horribly outdated); I'll go check Downloads.com for one) and it runs better than ever.

    ...Well okay it IS five years old. Better than before, at least!
     
Topic Status:
Not open for further replies.
