Everything posted by shassar

  1. So McAfee is shot down. It was fine before I disabled it because some of those scanning programs needed it to be disabled. Windows Defender is also off, which it says it doesn't exist anymore when I try to restart the service. All services on McAfee are running.
  2. Well I have one issue now. McAfee Antivirus real scan keeps turning off. I keep hitting on, it immediately turns back off. That is not normal.
  3. Thanks again, I will try to figure out why my Action Center is all off. I might reinstall Windows because I know nothing can be 100% disinfected once a computer gets infected. But I figured I should attempt any clean up first before reinstalling because I heard remnant viruses can still come back on a freshly new installed OS. Sadly we just put a new hard disk on this laptop because the other one got a mechanical problem as it was in my backpack on the plane. I will let you know if something funny pops up in the meantime.
  4. Gringo, I get an error when I try to Run ComboFix /Uninstall. It says it does not exist. I did run it from a Flash drive... maybe that's why? Also I noticed the script you gave me it's titled C:\FRST.exe. I used FRST from a flash drive, (Drive E). Does it matter? Last, should I be concerned with the RogueKiller's report:
      ¤¤¤ Registry Entries : 3 ¤¤¤
      [RUN][SUSP PATH] HKCU\[...]\Policies\Explorer\Run : KB2485155 ("C:\Users\user\AppData\Local\KB2485155\KB2485155.exe") [x] -> DELETED
      [HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
      [HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
     I see the words REPLACED. That concerns me. I will go on and remove the rest of the tools now.
  5. Yes. Is there anything else I need to do to ensure the eradication of any suspicious malware and viruses?
  6. If I click on "Customize notification icons" it takes me to the other one "Select which icons and notifications appear on the taskbar". Action Center is no longer there.
  7. Gringo, The shield icon of the virus is gone!!! So, for sure it means I do not have that other virus anymore, correct? Also, the notification area is still grayed out.
  8. In case you didn't see my previous posts, I tried again. Nothing changed. I guess we should just focus on eliminating whatever Eset found first.
  9. Sorry, I wish I could edit my posts. The repository file is magically back after I deleted it.
  10. Ok, I had to stop Windows Management services again and the repository file has been deleted. I rebooted the computer... however the virus icon (brown shield is still there), action center is still grayed out. Anyways, anything I need to do with those 4 affected files Eset found?
  11. Yes I stopped both services.... Want to try it again?
  12. Wow.... those Cnet files..... Actually that's a document folder I threw in on my desktop when I was borrowing the flash drive from my uncle.... I needed that flash drive a few days ago to give them a big file. I didn't want to delete his stuff so I put that folder on my desktop. But I never opened it to look at it. Don't tell me that is the cause of all this mess...
  13. By the way I cannot delete the repository file. It says: This action cannot be complete. The file or its components are open and in use.
  14. Gringo, here is the log from Eset:
      C:\FRST\Quarantine\KB2485155\KB2485155.exe a variant of Win32/Kryptik.BAHW trojan
      C:\Users\user\Desktop\Documents\camcorder\cnet2_photostudiodarkroom2_retail_intro_all_exe.exe a variant of Win32/InstallCore.D application
      C:\Users\user\Desktop\Documents\camcorder\cnet2_video_converter_setup_exe.exe a variant of Win32/InstallCore.D application
      C:\Users\user\Downloads\Setup.exe a variant of Win32/Adware.iBryte.G application
  15. Ok thanks, I will do that as soon as Eset is done because I don't want to boot the computer now. It's still scanning, it has found 3 applications and a trojan.
  16. You mean delete all those 5 there?
  17. Here is another image of what I mean by Action Center grayed out. I am borrowing my aunt's laptop in the meantime too. Her Action Center flag is on the system tray working properly.
  18. Gringo, I deleted those two files you mentioned via hijack this. While the Eset scanner is running, can you explain why I see an icon (The brown Shield) called 474E.tmp? I recognize that shield image from the virus (System Care Antivirus).... How do I get rid of that? Also my Security Center is grayed to OFF on my taskbar, meaning I cannot enable it to On and have it on my system tray like I used to.
  19. Here is the hijack list log:
  20. Gringo, MBAM found 0 Malware. Here is the log:
      Malwarebytes Anti-Malware (Trial) 1.75.0.1300
      www.malwarebytes.org
      Database version: v2013.05.07.10
      Windows 7 x86 NTFS
      Internet Explorer 9.0.8112.16421
      user :: SHABNAM [administrator]
      Protection: Enabled
      5/7/2013 4:14:55 PM
      mbam-log-2013-05-07 (16-14-55).txt
      Scan type: Full scan (C:\|)
      Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
      Scan options disabled: P2P
      Objects scanned: 312478
      Time elapsed: 2 hour(s), 15 minute(s), 31 second(s)
      Memory Processes Detected: 0
      (No malicious items detected)
      Memory Modules Detected: 0
      (No malicious items detected)
      Registry Keys Detected: 0
      (No malicious items detected)
      Registry Values Detected: 0
      (No malicious items detected)
      Registry Data Items Detected: 0
      (No malicious items detected)
      Folders Detected: 0
      (No malicious items detected)
      Files Detected: 0
      (No malicious items detected)
      (end)
  21. Gringo, I removed Java 7 Update 17. Here is the log from CCleaner. Do I need to Update Malwarebytes before scanning?
  22. Here is the log:
  23. Gringo, I was browsing some of the topics here and now I feel paranoid about my computer. I pay my bills online etc, and I want to make sure I am not hacked or anything. Can you please let me know about this based on the logs I am displaying here? I have also spent some time and locked both wireless's in our house with WPA2. They were open before because we didn't know if the two routers would have a problem communicating and to provide internet. So far so good.
  24. I restarted the computer, Notepad opens fine now. Do I need to do any more additional cleaning to ensure I am 100% free from the infection?
  25. Gringo, I had no problems running this script. So far my computer looks the same, meaning I open programs. The only problem I have is when I click on Notepad on the infected computer I get the following error: C:\Windows\system32\notepad.exe Illegal Operation attempted on a registry key that has been marked for deletion. I know this was mentioned on your last post in which I rebooted the computer in order to drag that script on ComboFix which it worked. I was just testing to see if the program works on its own normally, which it's not.