Csrss.exe error - laptop running slow - restricted perms on running AVG

Inactive
By kgrant66
Mar 26, 2011
Topic Status:
Not open for further replies.
  1. Before the "blocked startup programs" popup starts an error stating a temp csrss.exe file cannot be found and needs to be deleted from the registry. When running AVG 2011 (free dwnld) it won't run due to "restricted" permissions. The laptop running Vista is extremely slow online and maneuvering around files and such. I ran Malwarebytes and the log found no viruses. Luckily I am still able to get online via Firefox. What do I do now?
    MBAM Log:
    Malwarebytes' Anti-Malware 1.28
    Database version: 1180
    Windows 6.0.6002 Service Pack 2

    3/26/2011 1:35:25 PM
    mbam-log-2011-03-26 (13-35-25).txt

    Scan type: Quick Scan
    Objects scanned: 44700
    Time elapsed: 14 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you add Active to this thread?? That is a setting the helpers do when picking up a thread.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
  3. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    Sorry, yes I put thread "active". First time posting in 3 years and don't remember that feature....was there to click on...

    I will follow all the steps you posted. Firefox isn't working on that computer today, so I have to transfer all the downloads to a thumb drive from another computer. Will post logs as soon as I can get them.

    Tried to do Step 1: 3/4th way through install of Avira AntiVir software the popup "Restrictions" came up stating "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator". I clicked "OK" and then it let the install finish. Clicked "Finish" and nothing happened. Double clicked Avira shortcut created on desktop...and get the same restrictions error. The Anvira program started a minute after error popup and then ran a little after clicking "ok", then stopped and disappeared from the desktop.
    Does this need fixed before going to step 2?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    A note: The thread isn't Active until Broni or I pick it up and put it on Active Status. That let's the other one of us know the thread is being handled. You're lucky- I saw 'Active' but no replies so I checked. If you had use a couple of posts to paste in logs and made it Active, no one would be working on it!!

    Did you already have an antivirus program on the system? If so, you do not need to install Avira or Avast.

    Skip doing a scan with Avira. Try logging on under the Administrator account. Continue with the steps.
  5. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    AVG 2011 is installed on this laptop. AVG errored out in the under the user login. That is the only reason I installed Anvira. Anvira didn't work either under the user account, so I did as you said...logged in as administrator and Anvira ran and found viruses in the user folder and quaranteened them. Every step was run under administrator. TFC finally ran successfully. The Logs for MBAM, GMER, and DDS are below. I tried to login on the user account to get online (via Verizon air card) and that won't even attempt to connect anymore..get an error. I am all for re-installing Verizon and Firefox later after all of this is cleaned up.

    MBAM:
    Malwarebytes' Anti-Malware 1.28
    Database version: 1180
    Windows 6.0.6002 Service Pack 2

    3/28/2011 9:31:33 PM
    mbam-log-2011-03-28 (21-31-33).txt

    Scan type: Quick Scan
    Objects scanned: 44950
    Time elapsed: 4 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    **************************************************************************************************(GMER.log)
    GMER 1.0.15.15570 - http://www.gmer.net
    Rootkit quick scan 2011-03-28 21:36:04
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9120822AS rev.3.CDD
    Running: tpojb69w.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pxldrpoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----
    ****************************************************************************************************
    Attach.log
    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_11-03-05.01)
    .
    Microsoft® Windows Vista™ Home Basic
    Boot Device: \Device\HarddiskVolume3
    Install Date: 7/20/2008 8:29:35 PM
    System Uptime: 3/28/2011 5:52:58 AM (16 hours ago)
    .
    Motherboard: Dell Inc. | | 0UW744
    Processor: Mobile AMD Sempron(tm) Processor 3500+ | Socket M2/S1G1 | 1800/200mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 102 GiB total, 52.454 GiB free.
    D: is FIXED (NTFS) - 10 GiB total, 6.715 GiB free.
    E: is CDROM ()
    F: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP463: 3/11/2011 8:05:49 PM - Windows Update
    RP464: 3/13/2011 1:00:25 AM - Scheduled Checkpoint
    RP465: 3/14/2011 12:00:27 AM - Scheduled Checkpoint
    RP466: 3/15/2011 9:34:00 PM - Windows Update
    RP467: 3/20/2011 9:35:18 PM - Windows Update
    RP470: 3/23/2011 10:46:12 AM - Scheduled Checkpoint
    RP471: 3/23/2011 3:16:20 PM - Windows Update
    RP472: 3/23/2011 3:59:39 PM - Installed AVG 2011
    RP473: 3/23/2011 4:01:39 PM - Installed AVG 2011
    RP474: 3/24/2011 6:46:22 PM - Windows Update
    RP475: 3/26/2011 4:06:28 PM - Scheduled Checkpoint
    RP476: 3/28/2011 2:26:25 AM - Scheduled Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3.1
    Adobe Shockwave Player 11.5
    Ask Toolbar
    AVG 2011
    Avira AntiVir Personal - Free Antivirus
    Bejeweled Blitz
    Dell Resource CD
    Face Theme
    Google Updater
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Java Auto Updater
    Java(TM) 6 Update 21
    LimeWire 5.5.16
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft LifeCam
    Microsoft Office Professional Edition 2003
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mobile Broadband Drivers
    Mozilla Firefox (3.6.3)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OGA Notifier 2.0.0048.0
    PowerDVD
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Drag-to-Disc
    Roxio Express Labeler
    Roxio MyDVD DE
    Roxio Update Manager
    ScanSoft OmniPage SE 4.0
    ScanSoft PaperPort 10
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Sonic Activation Module
    Uniblue RegistryBooster
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    VZAccess Manager
    Xerox Phaser 3200MFP
    Yahoo! Browser Services
    Yahoo! Install Manager
    Yahoo! Internet Mail
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Toolbar
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/28/2011 5:59:57 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
    3/28/2011 5:55:21 AM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the device specified.
    3/27/2011 9:10:22 PM, Error: EventLog [6008] - The previous system shutdown at 9:07:34 PM on 3/27/2011 was unexpected.
    3/26/2011 12:48:32 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
    3/26/2011 12:47:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
    3/26/2011 12:47:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
    3/26/2011 12:47:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    3/26/2011 12:47:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
    3/26/2011 12:47:14 PM, Error: EventLog [6008] - The previous system shutdown at 12:44:37 PM on 3/26/2011 was unexpected.
    3/23/2011 9:59:29 PM, Error: EventLog [6008] - The previous system shutdown at 9:56:37 PM on 3/23/2011 was unexpected.
    3/23/2011 7:36:07 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
    3/23/2011 7:36:07 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    3/23/2011 11:37:17 AM, Error: EventLog [6008] - The previous system shutdown at 11:35:46 AM on 3/23/2011 was unexpected.
    3/23/2011 11:32:54 AM, Error: EventLog [6008] - The previous system shutdown at 11:31:34 AM on 3/23/2011 was unexpected.
    3/21/2011 5:21:37 AM, Error: EventLog [6008] - The previous system shutdown at 11:08:21 PM on 3/20/2011 was unexpected.
    .
    ==== End Of File ===========================
    *******************************************************************************************************
    DDS log:
    .
    DDS (Ver_11-03-05.01) - NTFSx86
    Run by Administrator at 21:37:20.34 on Mon 03/28/2011
    Internet Explorer: 8.0.6001.19019
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.250 [GMT -5:00]
    .
    AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
    SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Windows\system32\WUDFHost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Windows\Xerox\PanelMgr\SSMMgr.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
    C:\Windows\vVX3000.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgchsvx.exe
    C:\Program Files\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Users\Al\Desktop\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe
    .
    ============== Pseudo HJT Report ===============
    .
    mStart Page = hxxp://www.startsearcher.com
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
    BHO: Facetheme: {66d8fba6-d90f-40a9-ac55-84896f79ca69} - c:\program files\object\bho_project.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [Xerox PanelMgr] c:\windows\xerox\panelmgr\SSMMgr.exe /autorun
    mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
    mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
    mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
    mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
    mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
    mRun: [VX3000] c:\windows\vVX3000.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    IFEO: image file execution options - svchost.exe
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath -
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-27 61960]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
    .
    =============== Created Last 30 ================
    .
    2011-03-28 11:02:14 -------- d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
    2011-03-28 02:37:19 -------- d-----w- c:\users\admini~1\appdata\roaming\Avira
    2011-03-28 02:32:55 -------- d-----w- c:\users\admini~1\appdata\roaming\AVG10
    2011-03-28 02:31:26 -------- d-----w- c:\users\admini~1\appdata\local\PowerDVD DX
    2011-03-27 19:46:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-27 19:46:05 -------- d-----w- c:\program files\Avira
    2011-03-27 19:46:05 -------- d-----w- c:\progra~2\Avira
    2011-03-26 17:00:17 -------- dc-h--w- c:\progra~2\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
    2011-03-26 16:35:09 -------- d-----w- c:\program files\Uniblue
    2011-03-23 22:03:25 -------- d--h--w- C:\$AVG
    2011-03-23 21:17:08 -------- d--h--w- c:\progra~2\Common Files
    2011-03-23 21:16:36 -------- d-----w- c:\progra~2\AVG Security Toolbar
    2011-03-23 21:13:36 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-03-23 21:13:36 -------- d-----w- c:\progra~2\AVG10
    2011-03-23 21:00:34 -------- d-----w- c:\program files\AVG
    2011-03-23 20:38:19 -------- d-----w- c:\progra~2\MFAData
    2011-03-23 20:33:14 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 20:33:14 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 20:33:14 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 20:18:53 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{7f04accc-ddc4-46ec-95a0-1bee2c429733}\mpengine.dll
    2011-03-21 03:31:09 -------- d-----w- c:\progra~2\pAbHkCb18101
    2011-03-09 01:02:20 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 01:02:19 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 01:02:19 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 01:02:19 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 01:02:15 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-09 01:02:15 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-06 13:29:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    ==================== Find3M ====================
    .
    2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
    .
    ============= FINISH: 21:39:09.17 ===============
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please handle the following as Directed:
    • Ask Toolbar>> (Bundled adware) Uninstall
    • LimeWire 5.5.16> Recommend uninstall file shring program:>> See information on P2P Warning to help you better understand these dangers
    • Uniblue RegistryBooster> Uninstall. We do not recommend using any Registry cleaner
    • Java(TM) 6 Update 21> Update to current v6u24: Check hereJava Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    • Mozilla Firefox (3.6.3)> Update to current v3.6.19 ir v4 in Tools> Update
    =================================================
    Multiple amtivirus programs: Now running processes for both AVG and Avira. One of these needs to be uninstalled now.
    NOTE: I will have you run Combofix and that requires you to uninstall AVG and I will give you a way to easily do that. I suggest you use the App Remover now to remove AVG. Leave Avira on while we're working. The if you want to reinstall AVG when we finish, okay.

    Download AppRemover and save to the desktop]
    How to Use AppRemover to Remove a Complete Security Application
    1. Double click the setup on the desktop> click Next
    2. Select “Remove Security Application”
    3. Let scan finish to determine security apps
    4. A screen like below will appear:
      http://www.appremover.com/about/chooseuninstall.gif/image_preview[/img[*] Click on [b]Next[/b] after choice has been made
      [*] Check the AVG program you want to uninstall
      [*] After uninstall shows complete, follow online prompts to Exit the program.[/list]
      ===========================================
      [b]Download Combofix from [url=http://www.bleepingcomputer.com/download/anti-virus/combofix]HERE[/url] or [url=http://www.forospyware.com/sUBs/ComboFix.exe]HERE[/b][/url] and save to the desktop[list]
      [*]Double click combofix.exe & follow the prompts.
      [*] ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      [b]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.[/b]
      [*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      [*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [img]http://img.photobucket.com/albums/v706/ried7/whatnext.png
    5. .Click on Yes, to continue scanning for malware
    6. .If Combofix asks you to update the program, allow
    7. .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    8. .Close any open browsers.
    9. .Double click combofix.exe[​IMG] & follow the prompts to run.
    10. When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =====================================
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =================================================
    I will have you check your Services next. It looks like some of the 'Dependencies' aren't running.
    =================================
    Regarding csrss.exe: The legitimate process is for Windows Client/Server Runtime Server Subsystem and it is located in the C:\Windows\System32 folder. The malware csrss.exe process can be a virus, spyware, trojan or worm and will be located elsewhere. It is found with Nimda.E
    ========================================
    Do you know what either of the following are?
    c:\progra~2\pAbHkCb18101
    C:\Windows\vVX3000.exe

    =======================================
    Sorry for delay- internet went missing yesterday PM.
  7. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    Do you want the "contents" of the file ComboFix.txt pasted in here or the file itself? I attached the file since the output was so large.

    Eset Online log:
    C:\Qoobox\Quarantine\C\Users\Al\AppData\Roaming\dwm.exe.vir
    a variant of Win32/Kryptik.LZI trojan
    C:\Qoobox\Quarantine\C\Users\Al\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.LZI trojan

    Nimda.E is mentioned in your post, but I don't know what it is...do I download it?
    Mentioned checking services...going to assume that is in Task Manager...what am I looking for? Do you want a list of "Stopped processes"?

    I don't know what c:progra~2\pAbHkCb180101 is, but the C:\Windows\vVX3000.exe is the Microsoft Lifecam Device Application my brother installed (it's in the startup, but I don't think he uses it anymore). Lifecam is real annoying on startup. Do I delete or uninstall those?

    This is a side question- the "ir" in the Mozilla Firefox Line in the first section of instruction...that's a United Kingdom English term...are you originally from England? Just wondering. :)

    Attached Files:

  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Qoobox is where Combofix sends the files it quarantines. The files are no longer active in the system.

    What you attached is correct- it's the log generated by the Combofix scan. But it must be pasted in to the reply.

    http://www.techspot.com/vb/topic58138.html

    Nimda Worm >>Google is your friend:

    What you see in the Task Manager is a list of processes that are running. Services are found in the Computer Management Console here: We're not ready for that yet. I'll give you a good reference sitw to help you set the Services and Dependencie
    Click on start> Run> type in services.msc

    Some of the Services need to be set on Automatic Startup Type. Some can be set on Manual. Some can be Disabled. Some Services "depend" on other Services to be running in order for them to run. This is know as their Dependency.

    Example:
    3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
    In order for NLA to run, it's Dependency has to be running. One of them is the NSIS. Dependencies Must be set to either Manual or Automatic- or NLS can't start.
    [/QUOTE]

    Please paste the Combofix log in your next reply.
  9. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    Here is the ComboFix.txt file. Really do appreciate all the help you are giving!

    ComboFix 11-03-23.04 - Administrator 03/30/2011 18:40:52.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.433 [GMT -5:00]
    Running from: c:\users\Al\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    - REDUCED FUNCTIONALITY MODE -
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Object\bho_project.dll
    c:\users\Al\AppData\Roaming\dwm.exe
    c:\users\Al\AppData\Roaming\Internet Security Suite
    c:\users\Al\AppData\Roaming\Internet Security Suite\Instructions.ini
    c:\users\Al\AppData\Roaming\Microsoft\conhost.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
    .
    .
    2011-03-30 23:42 . 2011-03-30 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-03-30 23:42 . 2011-03-30 23:42 -------- d-----w- c:\users\Al\AppData\Local\temp
    2011-03-28 02:27 . 2011-03-28 02:30 -------- d-----w- c:\users\Administrator
    2011-03-27 19:46 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-27 19:46 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\programdata\Avira
    2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\program files\Avira
    2011-03-26 16:35 . 2011-03-26 16:35 -------- d-----w- c:\users\Al\AppData\Roaming\Uniblue
    2011-03-26 16:34 . 2011-03-26 16:34 -------- d-----w- c:\users\Al\AppData\Local\PackageAware
    2011-03-23 22:03 . 2011-03-23 22:03 -------- d-----w- C:\$AVG
    2011-03-23 21:48 . 2011-03-23 21:48 -------- d-----w- c:\users\Al\AppData\Local\AVG Security Toolbar
    2011-03-23 21:21 . 2011-03-23 21:21 -------- d-----w- c:\users\Al\AppData\Roaming\AVG10
    2011-03-23 21:17 . 2011-03-23 21:17 -------- d--h--w- c:\programdata\Common Files
    2011-03-23 21:13 . 2011-03-30 23:08 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-03-23 20:33 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 20:33 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 20:33 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 20:18 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7F04ACCC-DDC4-46EC-95A0-1BEE2C429733}\mpengine.dll
    2011-03-23 20:05 . 2011-03-23 20:05 -------- d-----w- c:\users\Al\AppData\Local\Mozilla
    2011-03-21 03:31 . 2011-03-23 22:03 -------- d-----w- c:\programdata\pAbHkCb18101
    2011-03-09 01:02 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
    2011-03-09 01:02 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
    2011-03-09 01:02 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
    2011-03-09 01:02 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
    2011-03-09 01:02 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
    2011-03-09 01:02 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
    2011-03-06 13:29 . 2011-03-06 13:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-02 23:11 . 2009-10-03 13:49 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:37 . 2011-02-10 00:39 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-10 00:39 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-10 00:39 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-10 00:39 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-10 00:39 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-10 00:39 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-10 00:39 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-10 00:39 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-10 00:39 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-10 00:39 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-10 00:39 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-10 00:39 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-10 00:39 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-10 00:39 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-10 00:39 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-10 00:39 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-10 00:39 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-10 00:39 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-10 00:39 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-10 00:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-10 00:39 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-10 00:39 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-10 00:39 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-10 00:39 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-10 00:39 683008 ----a-w- c:\windows\system32\d2d1.dll
    2011-01-08 08:47 . 2011-02-10 00:37 34304 ----a-w- c:\windows\system32\atmlib.dll
    2011-01-08 06:28 . 2011-02-10 00:37 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:57 . 2011-02-10 00:40 2039808 ----a-w- c:\windows\system32\win32k.sys
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Xerox PanelMgr"="c:\windows\Xerox\PanelMgr\SSMMgr.exe" [2007-07-16 524288]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-10-20 36864]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-10-20 40960]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-27 69632]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
    "VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 samhidb;samhidb;c:\windows\system32\drivers\samhidb.sys [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
    S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-02-13 5120]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2007-04-19 99200]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-03-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 02:01]
    .
    2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{3BA8EF8A-C04D-42BB-A881-5AFE7B37C649}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.startsearcher.com
    DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ypcj2hs7.default\
    FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-30 18:42
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3392)
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    .
    Completion time: 2011-03-30 18:45:59
    ComboFix-quarantined-files.txt 2011-03-30 23:45
    .
    Pre-Run: 56,588,144,640 bytes free
    Post-Run: 56,334,286,848 bytes free
    .
    - - End Of File - - A7C79DAE6A5B1FB8134E2D73D6947915
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you notice at the top of the Combofix log, it says: Reduced Functionality Mode Please review the following to determine the cause:

    Running in Reduced Functionality Mode
    Windows Vista has the following kinds of reduced functionality mode:
    1. Out-of-grace reduced functionality mode:
      On a retail copy of Windows Vista
      [o] You do not activate Windows Vista within 30 days after you install Windows Vista.
      [o] You do not reactivate Windows Vista within three days after you replace a major hardware component in the computer.
      On an original equipment manufacturer (OEM) copy of Windows Vista
      [o] You do not activate Windows Vista within three days after you change the OEM motherboard, or the originally manufactured motherboard, to a non-OEM motherboard.
      [o] Non-genuine reduced functionality mode
    2. Non-genuine reduced functionality mode
      [o]The Windows Genuine Advantage (WGA) program detects a blocked product key or a counterfeit product key.
      (Note The WGA program is a Microsoft service that detects whether you have an authentic version of Vista. A product key is a unique software-based key that is used to identify a product as an original.)
      [o] The WGA program detects incorrect activation binary files or modified activation binary files.
      (Note A binary file is a computer file that contains encoded data for storage and processing purposes.)
      [o] Windows Vista is in out-of-grace reduced functionality mode.
    Courtesy Microsoft: http://support.microsoft.com/kb/925582
  11. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    Don't know what happened to my reply I posted several days ago, so here it goes again...

    The Vista on the laptop is authentic. It came with the Dell Laptop. None of the scenarios mentioned seem to fit as to "why" the software ran in "reduced functionality mode". No hardware was put in or replaced on the laptop. All the antivirus and cleanup software ran so far has been run under "administrater login" because the regular user login "Al" still isn't working properly (errors and won't connect to the internet).

    1. Can the laptop still be fixed with the log provided?
    2. How else can I make the laptop run in full mode?
    3. What is the next step if we can't make the software run in "full functionality mode"?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I'm going to have you back up:
    Current Malwarebytes' Anti-Malware version 1.50.1 Database version: 6173
    You ran Malwarebytes' Anti-Malware 1.28 Database version: 1180

    I don't know where you got this outdated Mbam- it's not what we have in out link and as you can see, the database is so far out of date that it will not have any of the current malware in it.

    Please go to Add/Remove Programs and uninstall the Malwarebytes you now have. Delete the log and any other process for it on your desktop.

    Download and update and run a new scan:>>
    [​IMG]
    Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware from from HERE
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      [o] Update Malwarebytes' Anti-Malware
      [o] and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      [o] If you accidentally close it, the log file is saved here and will be named like this:
      [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ========================
    You have this set: Start Page = hxxp://www.startsearcher.com
    Please go to this site and follow the steps and screen shots for removing it:
    http://www.pchelpsoft.com/trends/startsearcher-removal/
    =========================================
    This is all you show for Firefox which is probably why it wasn't working:
    It's puzzling because I don't see a home page set for Firefox. You have a profile set up in the Combofix log, but no homepage, no search page. So I'm going to set up the default pages with script after I get the new Combofix log.
    Bottom line: can you use Firefox? What do you have set for the homepage?
    =====================================
    I'd like you to uninstall the Combofix that is no installed. Then download again and scan- let's see how it comes out:

    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
      [​IMG]
    ==========================================
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [​IMG]
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    ====================================
    Nothing that you do intentionally makes Combofix run in Reduced Functionality. Reviewing these current logs I note:
    1. "restricted" permissions.> This means that either what you are doing requires you to d it through the Administrator's account and you are logged on under a different user account.
    2. Or that you do not have 'ownership' of the file.

    You mentioned that Al's account doesn't work? Please describe the errors.

    In answer to your 3 questions: x3 "I don't know"! 2 of the scans aren't good. There is a permission problem. One account can't be used. And other than the outdated Mbam, I don't know why this is happening! I think you 'panicked at the csrss.ex3 problem and handled it incorrectly in the beginning.

    I am also wondering what settings you have for this: IFEO: image file execution options - svchost.exe. I do not see any corresponding entry for the Registry.
  13. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    MBAM - updated software and ran great - removed a lot of files. Log is too large, so see end of it on next post!
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org Database version: 6312
    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019 4/8/2011 10:34:13 AM
    mbam-log-2011-04-08 (10-34-13).txt
    Scan type: Quick scan
    Objects scanned: 162155
    Time elapsed: 8 minute(s), 45 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 298
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashBug.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswChLic.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgsrmax.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmcdlg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bargains.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdmcon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSurvey.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blss.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpconfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmesys.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashrep.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssconfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datemanager.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpfsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expert.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fact.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gator.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbinst.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\History.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotactio.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxiul.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedll.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infus.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[2].exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\istsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kazza.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loader.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfin32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmod.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msccn32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdos.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mslaugh.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgri32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvxd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nstask32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAhlp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaview.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onsrvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\patch.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\periscope.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prmvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANCU.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANToManager.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rscdwld.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savenow.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shield.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\showbehind.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\soap.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolcv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srexe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ss3edit.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssg_4104.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svshost.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updat.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthLic.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winactive.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininetd.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogin.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservn.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintsk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wkufind.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdater.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe (Security.Hijack) -> Quarantined and deleted successfully.
  14. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    (MBAM LOG Continued:)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhclq8j0ec7v (Rogue.AntiVirusXP) ->
    Value: rhclq8j0ec7v -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) ->
    Bad: (http://findgala.com/?&uid=2164&q={searchTerms})
    Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) ->
    Quarantined and deleted successfully.HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) ->
    Bad: (http://findgala.com/?&uid=2164&q={searchTerms})
    Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) ->
    Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    //////////Uninstalled ComboFix, then reinstalled a newly pulled in "exe".///
    Ran it logged in as Administrater./////////////
    Does CombFix always start off saying that It's "Preparing to Run", then "Acess Denied Administrater perimissions
    are needed..." and then runs anyway? That's what it did. Anyway here is the log:

    ComboFix 11-04-07.08 - Administrator 04/08/2011 12:27:18.1.1 - x86
    Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.381 [GMT -5:00]
    Running from: c:\users\Administrator\Downloads\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
    SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
    c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\system32\spool\prtprocs\w32x86\BiCProNT.dll
    c:\windows\system32\spool\prtprocs\w32x86\BiMProNT.dll
    .
    ----- BITS: Possible infected sites -----
    .
    hxxp://xp.yimg.com
    .
    ((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
    .
    .
    2011-04-08 17:37 . 2011-04-08 17:37 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
    2011-04-08 17:37 . 2011-04-08 17:37 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-04-08 17:37 . 2011-04-08 17:37 -------- d-----w- c:\users\Al\AppData\Local\temp
    2011-04-08 14:15 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-04-08 14:15 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-04-08 14:15 . 2011-04-08 14:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-03-31 03:59 . 2011-03-31 03:59 -------- d-----w- c:\program files\Common Files\Java
    2011-03-31 03:58 . 2011-03-31 03:58 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2011-03-31 00:25 . 2011-03-31 00:25 -------- d-----w- c:\program files\ESET
    2011-03-28 02:27 . 2011-03-28 02:30 -------- d-----w- c:\users\Administrator
    2011-03-27 19:46 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-03-27 19:46 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\programdata\Avira
    2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\program files\Avira
    2011-03-26 16:35 . 2011-03-26 16:35 -------- d-----w- c:\users\Al\AppData\Roaming\Uniblue
    2011-03-26 16:34 . 2011-03-26 16:34 -------- d-----w- c:\users\Al\AppData\Local\PackageAware
    2011-03-23 22:03 . 2011-03-23 22:03 -------- d-----w- C:\$AVG
    2011-03-23 21:48 . 2011-03-23 21:48 -------- d-----w- c:\users\Al\AppData\Local\AVG Security Toolbar
    2011-03-23 21:21 . 2011-03-23 21:21 -------- d-----w- c:\users\Al\AppData\Roaming\AVG10
    2011-03-23 21:17 . 2011-03-23 21:17 -------- d--h--w- c:\programdata\Common Files
    2011-03-23 21:13 . 2011-03-30 23:08 -------- d-----w- c:\windows\system32\drivers\AVG
    2011-03-23 20:33 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
    2011-03-23 20:33 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
    2011-03-23 20:33 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
    2011-03-23 20:18 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7F04ACCC-DDC4-46EC-95A0-1BEE2C429733}\mpengine.dll
    2011-03-23 20:05 . 2011-03-23 20:05 -------- d-----w- c:\users\Al\AppData\Local\Mozilla
    2011-03-21 03:31 . 2011-03-23 22:03 -------- d-----w- c:\programdata\pAbHkCb18101
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-03-31 03:57 . 2010-09-22 02:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2011-02-02 23:11 . 2009-10-03 13:49 222080 ------w- c:\windows\system32\MpSigStub.exe
    2011-01-20 16:37 . 2011-02-10 00:39 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
    2011-01-20 16:08 . 2011-02-10 00:39 478720 ----a-w- c:\windows\system32\dxgi.dll
    2011-01-20 16:08 . 2011-02-10 00:39 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
    2011-01-20 16:08 . 2011-02-10 00:39 160768 ----a-w- c:\windows\system32\d3d10_1.dll
    2011-01-20 16:08 . 2011-02-10 00:39 1029120 ----a-w- c:\windows\system32\d3d10.dll
    2011-01-20 16:08 . 2011-02-10 00:39 189952 ----a-w- c:\windows\system32\d3d10core.dll
    2011-01-20 16:07 . 2011-02-10 00:39 37376 ----a-w- c:\windows\system32\cdd.dll
    2011-01-20 16:07 . 2011-02-10 00:39 258048 ----a-w- c:\windows\system32\winspool.drv
    2011-01-20 16:07 . 2011-02-10 00:39 586240 ----a-w- c:\windows\system32\stobject.dll
    2011-01-20 16:06 . 2011-02-10 00:39 2873344 ----a-w- c:\windows\system32\mf.dll
    2011-01-20 16:06 . 2011-02-10 00:39 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
    2011-01-20 16:04 . 2011-02-10 00:39 209920 ----a-w- c:\windows\system32\mfplat.dll
    2011-01-20 16:04 . 2011-02-10 00:39 98816 ----a-w- c:\windows\system32\mfps.dll
    2011-01-20 14:28 . 2011-02-10 00:39 1554432 ----a-w- c:\windows\system32\xpsservices.dll
    2011-01-20 14:27 . 2011-02-10 00:39 876032 ----a-w- c:\windows\system32\XpsPrint.dll
    2011-01-20 14:26 . 2011-02-10 00:39 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
    2011-01-20 14:25 . 2011-02-10 00:39 847360 ----a-w- c:\windows\system32\OpcServices.dll
    2011-01-20 14:24 . 2011-02-10 00:39 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
    2011-01-20 14:15 . 2011-02-10 00:39 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
    2011-01-20 14:14 . 2011-02-10 00:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
    2011-01-20 14:14 . 2011-02-10 00:39 302592 ----a-w- c:\windows\system32\mfmp4src.dll
    2011-01-20 14:14 . 2011-02-10 00:39 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
    2011-01-20 14:12 . 2011-02-10 00:39 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
    2011-01-20 14:11 . 2011-02-10 00:39 486400 ----a-w- c:\windows\system32\d3d10level9.dll
    2011-01-20 13:47 . 2011-02-10 00:39 683008 ----a-w- c:\windows\system32\d2d1.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Xerox PanelMgr"="c:\windows\Xerox\PanelMgr\SSMMgr.exe" [2007-07-16 524288]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
    "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-10-20 36864]
    "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-10-20 40960]
    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-27 69632]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
    "VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 2 (0x2)
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
    .
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R3 samhidb;samhidb;c:\windows\system32\drivers\samhidb.sys [x]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
    S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-02-13 5120]
    S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2007-04-19 99200]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-04-08 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 02:01]
    .
    2011-04-08 c:\windows\Tasks\User_Feed_Synchronization-{3BA8EF8A-C04D-42BB-A881-5AFE7B37C649}.job
    - c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
    .
    .
    ------- Supplementary Scan -------
    .
    mStart Page = hxxp://www.startsearcher.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    TCP: {02717118-A864-41BA-8A17-6195807879FC} = 69.78.96.14 66.174.92.14
    DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ypcj2hs7.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-08 12:38
    Windows 6.0.6002 Service Pack 2 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(3520)
    c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2011-04-08 12:41:42
    ComboFix-quarantined-files.txt 2011-04-08 17:41
    ComboFix2.txt 2011-03-30 23:46
    .
    Pre-Run: 56,224,145,408 bytes free
    Post-Run: 56,210,952,192 bytes free
    .
    - - End Of File - - F03BF378AB7ECDA32D79B785B1ADB7EB


    Guess we should address one thing at a time. I will double check and get all the errors if they still exist at
    this point for the other login "Al" User and let you know if I can get on Firefox now. A lot was cleaned up with
    that StartSearcher help steps.
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You have a Smart Engine malware infection. The updated Malwarebytes did a good job of quarantining 300 Registry entries from it. But I'd like you to run the following scan then update and run a Full Scan with Malwarebytes.

    Step One:Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one
    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.pif
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.
    (A tip: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Smart Engine when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again.)

    Step Two: Update Mbam> On the Scanner tab, make sure the the Perform full scan option is selected

    Step Three: Access, Delete, Replace Hosts files
    Please download the following batch file and save it to your desktop: Hostsperm.bat
    • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run.
      [o]Once it starts you will see a small black window that opens, then goes away. This is normal. You should now be able to access your HOSTS file.
    • We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file.
    • Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder.
      [o]Windows Vista HOSTS File Download Link
    • If the contents of the HOSTS file opens in your browser when you click on the link, then right-click the link and select:
      [o]Save Target As if in Internet Explorer
      [o] Save Link Asif in Firefox, to download the file.
    • Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
    • Now reboot your computer.
    ================================================
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Please paste both the new Mbam log and the HijackThis log in your next reply.
    =====================================
    Don't act on any errors or alerts you receive. Check the screen shot HERE for examples you might be seeing. Clicking on the first image will show you 6 additional images from this rogue.
  16. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    MBAM log:
    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6329

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.19019

    4/11/2011 6:31:39 AM
    mbam-log-2011-04-11 (06-31-39).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 321344
    Time elapsed: 1 hour(s), 56 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Qoobox\quarantine\C\Users\Al\AppData\Roaming\dwm.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\Users\Al\AppData\Roaming\microsoft\conhost.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:39:37 AM, on 4/12/2011
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.19019)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\Dwm.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Windows\Xerox\PanelMgr\SSMMgr.exe
    C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
    C:\Windows\vVX3000.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Xerox PanelMgr] C:\Windows\Xerox\PanelMgr\SSMMgr.exe /autorun
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
    O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advan...amfrogweb.com-advanced-2.0.2.3_instmodule.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 6405 bytes


    I did not see any errors or alerts in Administrator login that you described at the end of your last post.
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay- looks good- nothing new! Are you having any of the original malware related problems now?

    I would like to mention that you don't need to have the printer/scanner processes start on boot. To print, click on File> Print. To use other features, open the program when you need it and choose what you want.

    Best kick Adobe Reader 9.0 up a notch: Visit this Adobe Reader site . Uninstall any earlier updates as they are vulnerabilities.

    Make sure Java is current: Check this site .Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

    Let me know if problems have been resolved and I'll have you remove the cleaning tools.
  18. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    I don't have any Malware popups or virus issues. I still have these errors, but not in the Administrator account, just the User "Al", short for Allen.

    Error#1 - on login to user account "Al", popup comes up right away-
    "Could not load or run C:\Users\Al\AppData\Local\Temp\csrss.exe specified in the registry. Make sure the files exists on your computer or remove reference to it in the registry."
    How do I remove this popup? How do I modify and delete it out of the registry?

    Error#2 - Windows popup stating "Windows has blocked some startup programs".
    Error#3 - User "Al" when logged in still cannot get online with IE nor Firefox. There is a "Proxy Server error". I can only get online using administrator login.

    Other than these three issues I originally had..the laptop runs really fast now!
    Still need help.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you ever do this? Because starchaser is still on the system:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com

    1. Open Firefox
    2. Type about:config In the address bar> enter. A warning page will pop up indicating that you may void your warranty, you are entering the advanced settings area and to only continue if you are sure of what you are doing. If you're comfortable proceeding, click "I'll be careful, I promise!"
    3. Find the filter box and search for: startsearcher
    4. You may see multiple entries come up. . Each of these basic Firefox settings has had its value overwritten by startsearcher, so you need to reset each of them.
    5. To reset, right click on each of the rows and select 'Reset' from the list of options.
      [​IMG]
      You should see startsearcher disappear from the value field and default Firefox values return.
    6. The next time you start Firefox, StartSearcher.com should be gone.
    Additional images on the site I referenced.
    ========================================
    Did you run RKill?
    Did you replace the Host files?
  20. kgrant66

    kgrant66 Newcomer, in training Topic Starter Posts: 36

    1. The Startsearcher.com reference in your post points to "InternetExplorer", which I do NOT use. I use Firefox. The clean up process was done on Firefox several times to set everything back to "default" under "administrator login". I cannot get "about:config" to work for InternetExplorer to clean that StartSearcher reference up. I could only logon to the internet with administrater login at this point.

    I also ran this "about:config" cleanup again in Firefox under "Al Login" and it still didn't make a difference, couldn't connect to internet. I kept getting "Proxy server not found" errors. So, today I played around in Firefox 4.0 under "Options; Advanced;Network;Settings" and checked "No proxy" and now I can get online via Firefox under the "Al login". This is the only thing that works. If this is not correct, then please tell me what is correct that "will work" and how do I clean up Internet Explorer for the StartSearcher.com issue?
    2. Rkill was ran per your instructions - ran under only "administrator login". The download worked, the DOS box came open, ran and disappeared per your instructions and left a log. Here are the contents of the log.
    ********************************************************************
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 04/10/2011 at 23:00:42.
    Operating System: Windows Vista (TM) Home Basic


    Processes terminated by Rkill or while it was running:

    Rkill completed on 04/10/2011 at 23:01:20.
    *****************************************************************************
    3. The host file was replaced per your steps.(download hostsperm.bat file and ran; deleted old host file; downloaded correct host file and saved it in C:\Windows\System32\Drivers\etc directory, then rebooted.) Then I downloaded and ran HijackThis and sent all the logs requested.

    4. I still don't know how to fix the registry popup for the "missing csrss.exe "described in my last posting.

    Please advise. :)
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This is a Worm or possible keylogger. I am concerned about the notices of Restrictions you have been getting, the running of Combofix in Reduce Functionality Mode. I'm not sure if someone of the users has set restrictions on the system or if a user has installed a key logger.

    I mentioned this earlier:
    You will need to check the location of csrss.exe:

    First:
    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    Second:
    Click on Start> Search> Files & Folders:
    Before putting the search term in, do the following:
    Show Hidden Folders/Files
    • Go to Tools > Folder Options.
    • Select the View tab.
    • Scroll down to Hidden files and folders.
    • Select Show hidden files and folders.
    • Uncheck Hide extensions of known file types.
    • Uncheck when prompted.
    • Click OK.

    Now put csrss.exe in the 'all or part of the file name' box> Click on Search.
    Look at the 'In Folder section. If this entry is listed in Windows\System32 folder Leave it alone.

    If you see csrss.exe in a temp folder do a right click> Delete. Do not double click on it

    Reset Hidden/System Files & Folders

    Come back and let me know the results. Are you the Administrator? What account setting does 'Al" have?
    ===================================================
    I'd like to get rid of starsearcher:
    Launch Internet Explorer> Go to any site of your choice- you're going to use it s the homepage in IE
    Then click on Tools> Internet Options> General tab> Homepage section> Click on 'use current'> Apply> OK. Close IE

    Either do a Disc Cleanup or run TFC to remove the site. Use Windows Explorer to find and remove any Cookie related to starsearcher
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.