MalwareBytes found Hijack.ExeFile, please help!

Hi. After finding it mysterious that several trojans tried to get into my computer and that MalwareBytes hasn’t been updated, and that Avast had been generating BSOD every time I tried running it, I decided to uninstall and then reinstall it and update it (MalwareBytes, that is). After running the scan it found two objects, both of which it said that it quarantined. However, I’m afraid that traces of it may still be in my system. I shall post the two things I found.

HKCR\.exe\shell\open\command|(Hijack.ExeFile)

HKLM\SOFTWARE\clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command|(Hijack.StartMenuInternet)

What must I do to rid myself of these monstrosities?

To start with, these are registry entries; on their own they are inert. In these registry keys there would or should be a command to point to a different file.

Can you post the full MBAM log?

Have you tried scheduling a boot-time scan?

Could you tell me how to bring it up? I’m using a different laptop right now than the one that was infected, and the infected one is currently running another MalwareBytes scan.

Open MBAM main Scanner window and click the Log tab, select the relevant log and double click it, copy and paste the contents of the log into your next post. Or when you double click on the log it opens in notepad you can select save as, that will show you where the file is located, you can find and attach that to your post.

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.14.05

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.19222
Eric :: YUGGOTH [administrator]

8/14/2012 10:30:15 AM
mbam-log-2012-08-14 (10-30-15).txt

Scan type: Full scan (C:|D:|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 430322
Time elapsed: 2 hour(s), 19 minute(s), 59 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCR\.exe\shell\open\command| (Hijack.ExeFile) → Data: “C:\Users\Eric\AppData\Local\hcx.exe” -a “%1” %* → Quarantined and deleted successfully.

Registry Data Items Detected: 1
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) → Bad: (“C:\Users\Eric\AppData\Local\hcx.exe” -a “C:\Program Files\Internet Explorer\iexplore.exe”) Good: (iexplore.exe) → Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

As an additional note, my battery icon is no longer on the taskbar. What does this mean?

someone stole your battery ;D

try a reboot…or have you already done that?

I will, eventually. Right now my main concern is with trying to make sure that whatever the heck was in my system is gone.

On an additional note, I found something strange while going through my network connections. In addition to “YUGGOTH”, the name of my system, and RENEE-PC, my mother’s, there was something called NELARINA. I don’t know if it is relevant or not, but when it disappeared from the Network page, my internet connection suddenly died. So far it is staying away, but I have no clue when it will be back. Might it be related to my current problems?

Should I delete the items currently in quarantine?

not yet…there is no rush to do that

Clean, Quarantine, or Delete?
http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm

I chose to delete them. Currently, I’ve been able to solve all of the problems I was encountering. I still want to know all I can about the things that were in my computer, however.

From the registry keys in the MBAM log, this is the Bad File, “C:\Users\Eric\AppData\Local\hcx.exe”; that is the one that the registry keys are trying to substitute for iexplore.exe and the launching of .exe files (this would no doubt inject some code into each launched .exe file).

Check the physical presence of this file “C:\Users\Eric\AppData\Local\hcx.exe”.
The AppData folder and its sub-folders may be hidden. Change the windows explorer > Tools > Folder Options > View tab, and check the ‘Show Hidden Files and Folders’ option.
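
The substitution described above can be checked mechanically. This is an added example, not part of the original thread and not MBAM's own logic: it splits a shell\open\command value and reports which program runs first and what it wraps. The function names are hypothetical, the `"%1" %*` default for the .exe association is an assumption, and the sample values are the ones from the log above.

```python
import ntpath
import re

# A token is either a double-quoted string or a run of non-space characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Forum software turns ASCII quotes into curly ones; undo that for pasted logs.
_CURLY = {0x201C: '"', 0x201D: '"'}


def split_command(command):
    """Split a registry command string into arguments (Windows-style quotes)."""
    return [q or u for q, u in _TOKEN.findall(command.translate(_CURLY))]


def audit_open_command(command, expected=None):
    """Classify one shell\\open\\command value.

    expected=None -> the .exe association: the launched file ("%1") must be
                     the first token (assumed default: "%1" %*).
    expected=name -> a fixed handler: the first token's file name must match.
    """
    argv = split_command(command)
    if not argv:
        return {"verdict": "empty", "handler": None, "wraps": None}
    handler = argv[0]
    if expected is None:
        ok = handler == "%1"
    else:
        ok = ntpath.basename(handler).lower() == expected.lower()
    # For a hijack, report what the interposed program is asked to launch.
    wraps = None
    if not ok:
        wraps = next((a for a in argv[1:]
                      if a == "%1" or a.lower().endswith(".exe")), None)
    return {"verdict": "ok" if ok else "hijacked", "handler": handler, "wraps": wraps}


# Sample input taken from the MBAM log above ("Bad" and "Good" values).
EXE_BAD = r'"C:\Users\Eric\AppData\Local\hcx.exe" -a "%1" %*'
IE_BAD = (r'"C:\Users\Eric\AppData\Local\hcx.exe" -a '
          r'"C:\Program Files\Internet Explorer\iexplore.exe"')
IE_GOOD = "iexplore.exe"

if __name__ == "__main__":
    print(audit_open_command(EXE_BAD))
    print(audit_open_command(IE_BAD, "iexplore.exe"))
    print(audit_open_command(IE_GOOD, "iexplore.exe"))
```

The fixed-handler check compares file names only, so a look-alike iexplore.exe in another folder would pass; compare the full path as well when the expected value carries one.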

Okay, thank you. What should I do if the stuff is still there?

I suspect that it won’t be there as I would have expected MBAM to have reported it too or you are likely to be experiencing other malware symptoms. But if it is present check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page.

If multiple scanners detect this file as malware - Send the sample/s to avast as an Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.