Post-trojan bollocks

Status
Not open for further replies.

Parakirby

Posts: 11   +0
So I received a trojan somehow and after running a slew of different anti-spyware, adaware, and virus software, my computer reverted back to semi-normal. The trojan in question infested my SYSTEM32 folder, which made it difficult to remove. In any case, AVS managed to get it out, in the end. While the trojan's effects are gone for the most part (No more changing wallpaper, no more blocking of random internet sites) my computer is running slow. Well, that's not entirely true; programs run fine (I'm a gamer, really) but the process of opening files, turning on, etc. takes quite some time.

HijackThis report attached.
 
There are two things you need to address now. You are running both Mcafee antivirus and AVG. Since you have the full Mcafee Suite, uninstall AVG.
Secondly, the Java is way out of date. You will fix the current entries in HijackThis. Then you need to install the current version which is V6u7 here:
https://www.techspot.com/downloads/6463-java-se.html

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) for real player
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Ben\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
(Related to IMVU 3D messenger, which has been known to cause problems and, unless it is something you really want to keep, should also be removed using the Control Panel's Add/Remove Programs.)

O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
Please note any other programs that you don't recognize in that list in your next response.

Go to the Control Panel> Administrative Tools> Services. Right click on
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Set the Startup to Disabled and Stop the Service.
Reboot into Normal Mode, run HijackThis again and post the log.
 
Actually, I'm pretty certain that McAfee is not the full version. In fact it might be about four years old. (Got it with the computer) And woaholyjesus it's way out of date.

But you're the boss, off AVS goes.

Also, you made me find that Notepad file that opens up every time I boot up, thanks! That was really irritating me. Apparently it was Indigo Prophecy, so.

Anyway, this is just a quick post before I reboot into safe mode.

Edit:
Alright, apparently the older versions of Java cannot be uninstalled in Safe Mode, and it was already stopped/disabled, I suppose by HijackThis.

On a side note it's now going crazy faster. Thanks!
 
The following are the programs and processes you show for McAfee:
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Be sure the subscription is up to date. I see you updated Java. Good. You should be able to uninstall the old Java versions in Add/Remove Programs in Normal Mode.

I'll go over the rest of the new log in the morning- wanted to tell you to be sure about McAfee being current.
 
Gonna uninstall McAfee and install Symantec EndPoint Protection AntiVirus, since my college provides it for free. Anything I should take note of?
 
Anything I should take note of?
Yes. You are already in jeopardy as you don't have an up to date AV. Download the Symantec product and SAVE to your desktop. Run HijackThis again and check all of the McAfee processes. Check on Fix, close and boot into Safe Mode.

Go to Work Offline> Add/Remove Programs> uninstall the McAfee entries.
Run the Symantec install from the setup saved to the desktop.

You will most likely still have McAfee files left and need to run the uninstaller for the program. Make sure no McAfee processes are on the Startup menu, go here and download the uninstaller: http://tinyurl.com/6docj4

Go back online and reboot. Immediately update the Symantec program and do a full system scan. Advise of the results.
 
Argh, crap. I caught Antivirus XP 2008... Thankfully Malwarebyte is still on.

I took my desktop off the internet now and am using my laptop to transfer the install data to it via a flash drive. For some reason my desktop couldn't download the antivirus software.
 
Okay, well part of the reason is the missing current antivirus. It is not uncommon to see two antivirus programs in a log. When we do, we tell the user to decide which they want to keep and uninstall the other. It did not occur to me at all that your McAfee might not be current with all the processes that were loading!

So, now you start over. It would be best if you ran all the cleaning programs set up here:
https://www.techspot.com/vb/post645589-1.html

Then attach the logs. Whatever else you do, make sure you are running a current, updated antivirus program! Antivirus XP 2008 (and 2009) is hitting a lot of people.
 
I actually did some research and apparently the Sym whatsit antivirus thing doesn't protect users against Antivirus XP! According to the message boards, it 'simply doesn't catch it'. On top of that, installing it on my laptop produces an error... So I installed AVS since it's so highly praised by my peers.

In any case, I gotta go through my files AGAIN and get rid of the trojan's after effects. Fuuun.
 
Not fun at all- especially on a holiday weekend! But Antivirus 2008 and 2009 is getting into a lot of systems- even those with current protection!
 
Right, Here's what I did after I contracted Antivirus XP:
Ran Malwarebyte's program, got rid of the main thing (Desktop)
Switched internet to laptop from desktop
Transferred Symantec install from laptop to desktop
Installed Symantec on desktop; AVS on laptop (Sym refuses to work on laptop)
Went to safe mode, removed McAfee and ran HijackThis to find undesirable programs (such as oemian.exe or some such, which, after googled, turned out to 'be a sign of malware') with desktop
Re-scanned both computers using Malwarebyte and AVS to find them clean
Switched internet from laptop to desktop, booted up, finding some things running slowly but it's definitely better than not loading at all.
Running HijackThis as I post.

Edit:
oembios.exe is back, which isn't a good sign.

Really, thank you so much for your help. I've had this computer for almost five years now and suffice to say I've grown attached. As frightening as this fact may seem, I've never wiped the HD and never upgraded it (aside from the RAM).

Edit x2:
And this is not nearly as big a problem and you probably won't have much knowledge of this as you do malware, but whenever I try to run legit copies of TF2 or HL2: EP1 or anything that uses the HL2 engine and isn't HL2 I get an error message about shaderapidx9.dll. D'you know where I could get help with that? Apparently Steam Customer Service isn't very good with handling this sorta thing.

Edit x3:
Symantec found it hiding on my system as 29.tmp in C:/WINDOWS/SYSTEM32, somewhere.
 
Trend Micro has directions for removing the oembios file in the Registry:
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.WL&VSect=Sn

Follow that. Then reopen HijackThis and check the following if it is still there:
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\oembios.exe,
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

Check Fix, close HijackThis and boot into Safe Mode:
Disable this Service: DSBrokerService and Stop the Service

See if that gets rid of it.
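The Userinit entry the helper keeps flagging (the F2 line above and earlier in the thread) is worth understanding: Windows runs every executable listed in that comma-separated value at each logon, so a clean XP system shows only userinit.exe there, and an appended oembios.exe is loaded at every logon no matter how many times it is deleted from disk. The script below is an added example, not from this thread or from HijackThis, that applies the same three eyeball checks the helper makes to HijackThis-style log lines: extra Userinit executables, entries whose file is missing, and services with an unknown owner. The sample lines are constructed from entries quoted in this thread, and the function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed HijackThis-style sample lines, modelled on entries quoted in this
# thread (not the poster's complete log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe,
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# F2 line: the Winlogon Userinit value as HijackThis prints it.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
# O23 line: "<display name> - <owner> - <image path>".
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def parse_userinit(value: str) -> List[str]:
    """Split the comma-separated Userinit value into its executables, dropping
    the empty element left behind by the trailing comma Windows writes."""
    return [p.strip() for p in value.split(",") if p.strip()]


def userinit_extras(entries: List[str]) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe.

    A clean system has exactly one entry (system32 userinit.exe). Anything
    else in this value runs at every logon, which is why malware such as the
    oembios.exe in this thread appends itself here for persistence.
    """
    return [e for e in entries if e.rsplit("\\", 1)[-1].lower() != "userinit.exe"]


def check_log(text: str) -> Dict[str, List[str]]:
    """Run the three triage checks over a HijackThis-style log and return
    the findings grouped by check. These are leads for review, not verdicts:
    legitimate products (McAfee in this thread) can also show 'Unknown owner'."""
    findings: Dict[str, List[str]] = {
        "userinit_extras": [],
        "missing_files": [],
        "unknown_owner_services": [],
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            findings["userinit_extras"].extend(userinit_extras(parse_userinit(m.group(1))))
            continue
        # O9/O4 entries pointing at a file that no longer exists are dead
        # leftovers (uninstalled software or a removed dropper) and safe to fix.
        if "(file missing)" in line or "(no file)" in line:
            findings["missing_files"].append(line)
            continue
        m = SERVICE_RE.match(line)
        if m and m.group(2).strip().lower() == "unknown owner":
            findings["unknown_owner_services"].append(m.group(1).strip())
    return findings


if __name__ == "__main__":
    for key, items in check_log(SAMPLE_LOG).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Running it on the sample prints oembios.exe as the only extra Userinit executable, the two dead O9 entries, and DSBrokerService as the one unknown-owner service, which matches what the helper asked to be fixed by hand.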
 
It looks like Sym took care of oembios, so I'll run Hijack now...
Hijack didn't find oembios, so I just cancelled brkrsvc.exe.

Rebooting.
 
Hmm, DSBrokerService didn't have a stop option... Ah well. My computer's better than it was before, at this point (Although I have no firewalls now (admittedly the McAfee one was horribly outdated); I'll go check Downloads.com for one) and it runs better than ever.

...Well okay it IS five years old. Better than before, at least!
 