VIRUS? oembios.exe in system32 PLEASE HELP

  xdustyx 20:24 07 May 2009
Locked

Hi,
My computer has been running really slow and when I looked in my security centre I noticed that my Windows firewall was turned off. I guessed there might be some kind of virus on it. I ran Malwarebytes Anti-Malware and during the scan AVG popped up and said there was a threat detected.
It found: Trojan horseAgent2.GKP in: C/WINDOWS/system32/oembios.exe
I moved the file to the virus vault.
ALSO during the same Malwarebytes scan AVG found 2 other viruses:
Trojan horseAgent2.GKP - C\system volume information\_restore
Trojan horseAgent2.GKP - C\Documents and settings\Local settings\Temp\wJQs.exe
I moved both to the virus vault same as the first one.
After trying to find some info on this virus, I read that it can infect other things on the computer... some advice was to do a HijackThis scan and let someone take a look who may be able to help (please).
I did notice that a lot of people were concerned about something showing up on their logs, and I have the same thing on mine & don't know what to do OR even if there's something wrong. What's bothering me after I did the scan with Trend Micro HijackThis is this:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe
Could someone PLEASE take a look at my log and help me? It's really worrying me.
Many many thanks :)

  VoG II 20:33 07 May 2009

You should post your HJT log here click here

  phono 20:55 07 May 2009

Have a look at click here. Is this similar?

  xdustyx 21:45 07 May 2009

Hi VoG & phono... THANK YOU for replying :)
I've just posted my log there VoG (thank you). I hope someone can have a look for me.

Yes phono, it does look similar BUT where Malwarebytes deletes it on reboot on the link you gave me to look at, MY Malwarebytes didn't even pick it up. I only noticed it after I did the HijackThis scan.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\oembios.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\oembios.exe -> Delete on reboot.

That was from the post I looked at from the link.
I've re-run Malwarebytes and it still didn't pick it up, but it's there on the HijackThis log... so I'm very confused now :(

  phono 21:56 07 May 2009

Have you downloaded the latest updates for Malwarebytes? Also try running a full scan as opposed to a quick scan.

  MAT ALAN 22:18 07 May 2009

"I've re-run malwarebytes and it still didn't pick it up"

That's because you have a variant sat in your "system volume info files". You will need to turn off system restore to be rid of that...


click here

the link may help...

  xdustyx 00:41 08 May 2009

Hi phono, yes I did update Malwarebytes and I also ran a full scan :(
Hi Mat Alan, what I can't understand is why did Malwarebytes find it in other people's scans and remove it, but it's not finding it in mine? Isn't it the same thing?

Here's what was found in mine:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe

Here's what Malwarebytes found on someone else's scan:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\oembios.exe -> Delete on reboot.

Will turning system restore get rid of it?
I apologise for asking so many questions, but it's really scaring me what I've read about it.
Thank you :)

This thread is now locked and can not be replied to.
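
Added example, not part of the original thread or of any tool mentioned in it: the HijackThis `F2 ... UserInit=` line and the Malwarebytes `Winlogon\Userinit` lines quoted above both report the data of the same Winlogon `Userinit` registry value, so one check can triage either log format by flagging every entry other than `userinit.exe`. The function names are hypothetical, and the expected path assumes Windows is installed in `C:\WINDOWS`.

```python
import re
from ntpath import normpath  # Windows path rules on any OS

# Assumption: Windows lives in C:\WINDOWS and Userinit should launch only this.
EXPECTED = r"c:\windows\system32\userinit.exe"

# HijackThis F2 line (registry-mapped system.ini entry).
HJT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<data>.*)$", re.I)
# Malwarebytes log line naming the Winlogon\Userinit value.
MBAM_RE = re.compile(
    r"\\Winlogon\\Userinit\b.*?-> Data: (?P<data>.*?)(?: -> |$)", re.I)

def userinit_data(line):
    """Return the Userinit data carried by a log line, or None."""
    for rx in (HJT_RE, MBAM_RE):
        m = rx.search(line.strip())
        if m:
            return m.group("data").strip()
    return None

def extra_entries(data):
    """Return every comma-separated entry that is not userinit.exe."""
    extras = []
    for item in data.split(","):
        item = item.strip().strip('"')
        if not item:  # the stock value ends with a trailing comma
            continue
        if normpath(item).lower() != EXPECTED:
            extras.append(item)
    return extras

def scan(lines):
    """Map each line that carries Userinit data to its unexpected entries."""
    return {ln.strip(): extra_entries(d)
            for ln in lines if (d := userinit_data(ln)) is not None}

# Lines 1-2 are quoted from the thread; line 3 is constructed (clean value).
SAMPLE = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\oembios.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\oembios.exe -> Delete on reboot.",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]

if __name__ == "__main__":
    for line, extras in scan(SAMPLE).items():
        print("SUSPICIOUS" if extras else "ok", extras, "<-", line[:40])
```

An empty list means the value holds only `userinit.exe`; any other entry is a program that would be started at every logon and deserves inspection.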
