Inactive Csrss.exe error - laptop running slow - restricted perms on running AVG

Status
Not open for further replies.

kgrant66

Posts: 35   +0
Before the "blocked startup programs" popup starts an error stating a temp csrss.exe file cannot be found and needs to be deleted from the registry. When running AVG 2011 (free dwnld) it won't run due to "restricted" permissions. The laptop running Vista is extremely slow online and maneuvering around files and such. I ran Malwarebytes and the log found no viruses. Luckily I am still able to get online via Firefox. What do I do now?
MBAM Log:
Malwarebytes' Anti-Malware 1.28
Database version: 1180
Windows 6.0.6002 Service Pack 2

3/26/2011 1:35:25 PM
mbam-log-2011-03-26 (13-35-25).txt

Scan type: Quick Scan
Objects scanned: 44700
Time elapsed: 14 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Did you add Active to this thread?? That is a setting the helpers do when picking up a thread.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Sorry, yes I put thread "active". First time posting in 3 years and don't remember that feature....was there to click on...

I will follow all the steps you posted. Firefox isn't working on that computer today, so I have to transfer all the downloads to a thumb drive from another computer. Will post logs as soon as I can get them.

Tried to do Step 1: 3/4th way through install of Avira AntiVir software the popup "Restrictions" came up stating "This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator". I clicked "OK" and then it let the install finish. Clicked "Finish" and nothing happened. Double clicked Avira shortcut created on desktop...and get the same restrictions error. The Anvira program started a minute after error popup and then ran a little after clicking "ok", then stopped and disappeared from the desktop.
Does this need fixed before going to step 2?
 
A note: The thread isn't Active until Broni or I pick it up and put it on Active Status. That let's the other one of us know the thread is being handled. You're lucky- I saw 'Active' but no replies so I checked. If you had use a couple of posts to paste in logs and made it Active, no one would be working on it!!

Did you already have an antivirus program on the system? If so, you do not need to install Avira or Avast.

Skip doing a scan with Avira. Try logging on under the Administrator account. Continue with the steps.
 
AVG 2011 is installed on this laptop. AVG errored out in the under the user login. That is the only reason I installed Anvira. Anvira didn't work either under the user account, so I did as you said...logged in as administrator and Anvira ran and found viruses in the user folder and quaranteened them. Every step was run under administrator. TFC finally ran successfully. The Logs for MBAM, GMER, and DDS are below. I tried to login on the user account to get online (via Verizon air card) and that won't even attempt to connect anymore..get an error. I am all for re-installing Verizon and Firefox later after all of this is cleaned up.

MBAM:
Malwarebytes' Anti-Malware 1.28
Database version: 1180
Windows 6.0.6002 Service Pack 2

3/28/2011 9:31:33 PM
mbam-log-2011-03-28 (21-31-33).txt

Scan type: Quick Scan
Objects scanned: 44950
Time elapsed: 4 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
**************************************************************************************************(GMER.log)
GMER 1.0.15.15570 - http://www.gmer.net
Rootkit quick scan 2011-03-28 21:36:04
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9120822AS rev.3.CDD
Running: tpojb69w.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pxldrpoc.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\tdx \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----
****************************************************************************************************
Attach.log
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Basic
Boot Device: \Device\HarddiskVolume3
Install Date: 7/20/2008 8:29:35 PM
System Uptime: 3/28/2011 5:52:58 AM (16 hours ago)
.
Motherboard: Dell Inc. | | 0UW744
Processor: Mobile AMD Sempron(tm) Processor 3500+ | Socket M2/S1G1 | 1800/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 102 GiB total, 52.454 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 6.715 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP463: 3/11/2011 8:05:49 PM - Windows Update
RP464: 3/13/2011 1:00:25 AM - Scheduled Checkpoint
RP465: 3/14/2011 12:00:27 AM - Scheduled Checkpoint
RP466: 3/15/2011 9:34:00 PM - Windows Update
RP467: 3/20/2011 9:35:18 PM - Windows Update
RP470: 3/23/2011 10:46:12 AM - Scheduled Checkpoint
RP471: 3/23/2011 3:16:20 PM - Windows Update
RP472: 3/23/2011 3:59:39 PM - Installed AVG 2011
RP473: 3/23/2011 4:01:39 PM - Installed AVG 2011
RP474: 3/24/2011 6:46:22 PM - Windows Update
RP475: 3/26/2011 4:06:28 PM - Scheduled Checkpoint
RP476: 3/28/2011 2:26:25 AM - Scheduled Checkpoint
.
==== Installed Programs ======================
.
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.1
Adobe Shockwave Player 11.5
Ask Toolbar
AVG 2011
Avira AntiVir Personal - Free Antivirus
Bejeweled Blitz
Dell Resource CD
Face Theme
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java Auto Updater
Java(TM) 6 Update 21
LimeWire 5.5.16
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft LifeCam
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mobile Broadband Drivers
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OGA Notifier 2.0.0048.0
PowerDVD
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
ScanSoft OmniPage SE 4.0
ScanSoft PaperPort 10
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Sonic Activation Module
Uniblue RegistryBooster
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
VZAccess Manager
Xerox Phaser 3200MFP
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
3/28/2011 5:59:57 AM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
3/28/2011 5:55:21 AM, Error: Service Control Manager [7000] - The DgiVecp service failed to start due to the following error: The system cannot find the device specified.
3/27/2011 9:10:22 PM, Error: EventLog [6008] - The previous system shutdown at 9:07:34 PM on 3/27/2011 was unexpected.
3/26/2011 12:48:32 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
3/26/2011 12:48:19 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Avgldx86 Avgmfx86 Avgtdix DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx Wanarpv6
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
3/26/2011 12:47:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
3/26/2011 12:47:52 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
3/26/2011 12:47:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/26/2011 12:47:38 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
3/26/2011 12:47:14 PM, Error: EventLog [6008] - The previous system shutdown at 12:44:37 PM on 3/26/2011 was unexpected.
3/23/2011 9:59:29 PM, Error: EventLog [6008] - The previous system shutdown at 9:56:37 PM on 3/23/2011 was unexpected.
3/23/2011 7:36:07 PM, Error: Service Control Manager [7031] - The Windows Search service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
3/23/2011 7:36:07 PM, Error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
3/23/2011 11:37:17 AM, Error: EventLog [6008] - The previous system shutdown at 11:35:46 AM on 3/23/2011 was unexpected.
3/23/2011 11:32:54 AM, Error: EventLog [6008] - The previous system shutdown at 11:31:34 AM on 3/23/2011 was unexpected.
3/21/2011 5:21:37 AM, Error: EventLog [6008] - The previous system shutdown at 11:08:21 PM on 3/20/2011 was unexpected.
.
==== End Of File ===========================
*******************************************************************************************************
DDS log:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Administrator at 21:37:20.34 on Mon 03/28/2011
Internet Explorer: 8.0.6001.19019
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.250 [GMT -5:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AntiVir Desktop *Enabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\Xerox\PanelMgr\SSMMgr.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\vVX3000.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\AVG\AVG10\avgchsvx.exe
C:\Program Files\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Al\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mStart Page = hxxp://www.startsearcher.com
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Facetheme: {66d8fba6-d90f-40a9-ac55-84896f79ca69} - c:\program files\object\bho_project.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Xerox PanelMgr] c:\windows\xerox\panelmgr\SSMMgr.exe /autorun
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
IFEO: image file execution options - svchost.exe
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 251728]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-12 299984]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2011-3-27 61960]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 123472]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 30288]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 27216]
.
=============== Created Last 30 ================
.
2011-03-28 11:02:14 -------- d-----w- c:\users\admini~1\appdata\roaming\Malwarebytes
2011-03-28 02:37:19 -------- d-----w- c:\users\admini~1\appdata\roaming\Avira
2011-03-28 02:32:55 -------- d-----w- c:\users\admini~1\appdata\roaming\AVG10
2011-03-28 02:31:26 -------- d-----w- c:\users\admini~1\appdata\local\PowerDVD DX
2011-03-27 19:46:07 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-27 19:46:05 -------- d-----w- c:\program files\Avira
2011-03-27 19:46:05 -------- d-----w- c:\progra~2\Avira
2011-03-26 17:00:17 -------- dc-h--w- c:\progra~2\{AB2D8F2E-F7AD-4446-A11A-50D846B2CF2A}
2011-03-26 16:35:09 -------- d-----w- c:\program files\Uniblue
2011-03-23 22:03:25 -------- d--h--w- C:\$AVG
2011-03-23 21:17:08 -------- d--h--w- c:\progra~2\Common Files
2011-03-23 21:16:36 -------- d-----w- c:\progra~2\AVG Security Toolbar
2011-03-23 21:13:36 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-23 21:13:36 -------- d-----w- c:\progra~2\AVG10
2011-03-23 21:00:34 -------- d-----w- c:\program files\AVG
2011-03-23 20:38:19 -------- d-----w- c:\progra~2\MFAData
2011-03-23 20:33:14 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 20:33:14 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 20:33:14 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 20:18:53 5943120 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{7f04accc-ddc4-46ec-95a0-1bee2c429733}\mpengine.dll
2011-03-21 03:31:09 -------- d-----w- c:\progra~2\pAbHkCb18101
2011-03-09 01:02:20 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 01:02:19 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 01:02:19 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 01:02:19 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 01:02:15 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-09 01:02:15 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-06 13:29:34 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
==================== Find3M ====================
.
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:08:16 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08:06 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08:06 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:08:06 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08:06 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:07:58 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07:42 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07:16 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06:38 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06:35 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04:54 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 16:04:54 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 14:28:38 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27:50 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26:30 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25:25 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24:26 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15:10 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14:03 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14:03 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12:46 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11:34 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47:51 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47:50 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28:49 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57:01 2039808 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 21:39:09.17 ===============
 
Please handle the following as Directed:
  • Ask Toolbar>> (Bundled adware) Uninstall
  • LimeWire 5.5.16> Recommend uninstall file shring program:>> See information on P2P Warning to help you better understand these dangers
  • Uniblue RegistryBooster> Uninstall. We do not recommend using any Registry cleaner
  • Java(TM) 6 Update 21> Update to current v6u24: Check hereJava Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
  • Mozilla Firefox (3.6.3)> Update to current v3.6.19 ir v4 in Tools> Update
=================================================
Multiple amtivirus programs: Now running processes for both AVG and Avira. One of these needs to be uninstalled now.
NOTE: I will have you run Combofix and that requires you to uninstall AVG and I will give you a way to easily do that. I suggest you use the App Remover now to remove AVG. Leave Avira on while we're working. The if you want to reinstall AVG when we finish, okay.

Download AppRemover and save to the desktop]
How to Use AppRemover to Remove a Complete Security Application
  1. Double click the setup on the desktop> click Next
  2. Select “Remove Security Application”
  3. Let scan finish to determine security apps
  4. A screen like below will appear:
    https://www.techspot.com/downloads/5514-appremover.htmlabout/chooseuninstall.gif/image_preview[/img[*] Click on [b]Next[/b] after choice has been made
    [*] Check the AVG program you want to uninstall
    [*] After uninstall shows complete, follow online prompts to Exit the program.[/list]
    ===========================================
    [b]Download Combofix from [url=http://www.bleepingcomputer.com/download/anti-virus/combofix]HERE[/url] or [url=http://www.forospyware.com/sUBs/ComboFix.exe]HERE[/b][/url] and save to the desktop[list]
    [*]Double click combofix.exe & follow the prompts.
    [*] ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    [b]**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.[/b]
    [*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    [*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [*]Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    [img]http://img.photobucket.com/albums/v706/ried7/whatnext.png
  5. .Click on Yes, to continue scanning for malware
  6. .If Combofix asks you to update the program, allow
  7. .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  8. .Close any open browsers.
  9. .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  10. When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=====================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=================================================
I will have you check your Services next. It looks like some of the 'Dependencies' aren't running.
=================================
Regarding csrss.exe: The legitimate process is for Windows Client/Server Runtime Server Subsystem and it is located in the C:\Windows\System32 folder. The malware csrss.exe process can be a virus, spyware, trojan or worm and will be located elsewhere. It is found with Nimda.E
========================================
Do you know what either of the following are?
c:\progra~2\pAbHkCb18101
C:\Windows\vVX3000.exe

=======================================
Sorry for delay- internet went missing yesterday PM.
 
Do you want the "contents" of the file ComboFix.txt pasted in here or the file itself? I attached the file since the output was so large.

Eset Online log:
C:\Qoobox\Quarantine\C\Users\Al\AppData\Roaming\dwm.exe.vir
a variant of Win32/Kryptik.LZI trojan
C:\Qoobox\Quarantine\C\Users\Al\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.LZI trojan

Nimda.E is mentioned in your post, but I don't know what it is...do I download it?
Mentioned checking services...going to assume that is in Task Manager...what am I looking for? Do you want a list of "Stopped processes"?

I don't know what c:progra~2\pAbHkCb180101 is, but the C:\Windows\vVX3000.exe is the Microsoft Lifecam Device Application my brother installed (it's in the startup, but I don't think he uses it anymore). Lifecam is real annoying on startup. Do I delete or uninstall those?

This is a side question- the "ir" in the Mozilla Firefox Line in the first section of instruction...that's a United Kingdom English term...are you originally from England? Just wondering. :)
 

Attachments

  • ComboFix.txt
    13.8 KB · Views: 1
Eset Online log:
C:\Qoobox\Quarantine\C\Users\Al\AppData\Roaming\dwm.exe.vir
a variant of Win32/Kryptik.LZI trojan
C:\Qoobox\Quarantine\C\Users\Al\AppData\Roaming\Microsoft\conhost.exe.vir a variant of Win32/Kryptik.LZI trojan
Qoobox is where Combofix sends the files it quarantines. The files are no longer active in the system.

Do you want the "contents" of the file ComboFix.txt pasted in here or the file itself? I attached the file since the output was so large.

What you attached is correct- it's the log generated by the Combofix scan. But it must be pasted in to the reply.

Step 6: Log Handling Guidelines: Extended Guidelines
All required logs have to be PASTED. Attached logs will NOT be reviewed.
If a log or logs exceed the limit for one reply, you may use more than one reply. The above rule will be strictly enforced.
Pasted logs can be handled easier and faster by malware helper.
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Nimda.E is mentioned in your post, but I don't know what it is...do I download it?
Nimda Worm >>Google is your friend:

Mentioned checking services...going to assume that is in Task Manager...what am I looking for? Do you want a list of "Stopped processes"?

What you see in the Task Manager is a list of processes that are running. Services are found in the Computer Management Console here: We're not ready for that yet. I'll give you a good reference sitw to help you set the Services and Dependencie
Click on start> Run> type in services.msc

Some of the Services need to be set on Automatic Startup Type. Some can be set on Manual. Some can be Disabled. Some Services "depend" on other Services to be running in order for them to run. This is know as their Dependency.

Example:
3/26/2011 12:48:19 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
In order for NLA to run, it's Dependency has to be running. One of them is the NSIS. Dependencies Must be set to either Manual or Automatic- or NLS can't start.
[/QUOTE]

Please paste the Combofix log in your next reply.
 
Here is the ComboFix.txt file. Really do appreciate all the help you are giving!

ComboFix 11-03-23.04 - Administrator 03/30/2011 18:40:52.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.433 [GMT -5:00]
Running from: c:\users\Al\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Outdated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Object\bho_project.dll
c:\users\Al\AppData\Roaming\dwm.exe
c:\users\Al\AppData\Roaming\Internet Security Suite
c:\users\Al\AppData\Roaming\Internet Security Suite\Instructions.ini
c:\users\Al\AppData\Roaming\Microsoft\conhost.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-30 )))))))))))))))))))))))))))))))
.
.
2011-03-30 23:42 . 2011-03-30 23:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-03-30 23:42 . 2011-03-30 23:42 -------- d-----w- c:\users\Al\AppData\Local\temp
2011-03-28 02:27 . 2011-03-28 02:30 -------- d-----w- c:\users\Administrator
2011-03-27 19:46 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-27 19:46 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\programdata\Avira
2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\program files\Avira
2011-03-26 16:35 . 2011-03-26 16:35 -------- d-----w- c:\users\Al\AppData\Roaming\Uniblue
2011-03-26 16:34 . 2011-03-26 16:34 -------- d-----w- c:\users\Al\AppData\Local\PackageAware
2011-03-23 22:03 . 2011-03-23 22:03 -------- d-----w- C:\$AVG
2011-03-23 21:48 . 2011-03-23 21:48 -------- d-----w- c:\users\Al\AppData\Local\AVG Security Toolbar
2011-03-23 21:21 . 2011-03-23 21:21 -------- d-----w- c:\users\Al\AppData\Roaming\AVG10
2011-03-23 21:17 . 2011-03-23 21:17 -------- d--h--w- c:\programdata\Common Files
2011-03-23 21:13 . 2011-03-30 23:08 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-23 20:33 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 20:33 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 20:33 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 20:18 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7F04ACCC-DDC4-46EC-95A0-1BEE2C429733}\mpengine.dll
2011-03-23 20:05 . 2011-03-23 20:05 -------- d-----w- c:\users\Al\AppData\Local\Mozilla
2011-03-21 03:31 . 2011-03-23 22:03 -------- d-----w- c:\programdata\pAbHkCb18101
2011-03-09 01:02 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-03-09 01:02 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-03-09 01:02 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-03-09 01:02 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-03-09 01:02 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-03-09 01:02 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-03-06 13:29 . 2011-03-06 13:29 -------- d-sh--w- c:\windows\system32\%APPDATA%
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:11 . 2009-10-03 13:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-10 00:39 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 00:39 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 00:39 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 00:39 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 00:39 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-10 00:39 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-10 00:39 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 00:39 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 00:39 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 00:39 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 00:39 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 00:39 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 00:39 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 00:39 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 00:39 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 00:39 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 00:39 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 00:39 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 00:39 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 00:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 00:39 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-10 00:39 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-10 00:39 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 00:39 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 00:39 683008 ----a-w- c:\windows\system32\d2d1.dll
2011-01-08 08:47 . 2011-02-10 00:37 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-01-08 06:28 . 2011-02-10 00:37 292352 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:57 . 2011-02-10 00:40 2039808 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Xerox PanelMgr"="c:\windows\Xerox\PanelMgr\SSMMgr.exe" [2007-07-16 524288]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-10-20 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-10-20 40960]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-27 69632]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 samhidb;samhidb;c:\windows\system32\drivers\samhidb.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-02-13 5120]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2007-04-19 99200]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 02:01]
.
2011-03-30 c:\windows\Tasks\User_Feed_Synchronization-{3BA8EF8A-C04D-42BB-A881-5AFE7B37C649}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.startsearcher.com
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ypcj2hs7.default\
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\program files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-30 18:42
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3392)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
.
Completion time: 2011-03-30 18:45:59
ComboFix-quarantined-files.txt 2011-03-30 23:45
.
Pre-Run: 56,588,144,640 bytes free
Post-Run: 56,334,286,848 bytes free
.
- - End Of File - - A7C79DAE6A5B1FB8134E2D73D6947915
 
If you notice at the top of the Combofix log, it says: Reduced Functionality Mode Please review the following to determine the cause:

Running in Reduced Functionality Mode
Windows Vista has the following kinds of reduced functionality mode:
  1. Out-of-grace reduced functionality mode:
    On a retail copy of Windows Vista
    [o] You do not activate Windows Vista within 30 days after you install Windows Vista.
    [o] You do not reactivate Windows Vista within three days after you replace a major hardware component in the computer.
    On an original equipment manufacturer (OEM) copy of Windows Vista
    [o] You do not activate Windows Vista within three days after you change the OEM motherboard, or the originally manufactured motherboard, to a non-OEM motherboard.
    [o] Non-genuine reduced functionality mode
  2. Non-genuine reduced functionality mode
    [o]The Windows Genuine Advantage (WGA) program detects a blocked product key or a counterfeit product key.
    (Note The WGA program is a Microsoft service that detects whether you have an authentic version of Vista. A product key is a unique software-based key that is used to identify a product as an original.)
    [o] The WGA program detects incorrect activation binary files or modified activation binary files.
    (Note A binary file is a computer file that contains encoded data for storage and processing purposes.)
    [o] Windows Vista is in out-of-grace reduced functionality mode.
Courtesy Microsoft: http://support.microsoft.com/kb/925582
 
Don't know what happened to my reply I posted several days ago, so here it goes again...

The Vista on the laptop is authentic. It came with the Dell Laptop. None of the scenarios mentioned seem to fit as to "why" the software ran in "reduced functionality mode". No hardware was put in or replaced on the laptop. All the antivirus and cleanup software ran so far has been run under "administrater login" because the regular user login "Al" still isn't working properly (errors and won't connect to the internet).

1. Can the laptop still be fixed with the log provided?
2. How else can I make the laptop run in full mode?
3. What is the next step if we can't make the software run in "full functionality mode"?
 
Okay, I'm going to have you back up:
Current Malwarebytes' Anti-Malware version 1.50.1 Database version: 6173
You ran Malwarebytes' Anti-Malware 1.28 Database version: 1180

I don't know where you got this outdated Mbam- it's not what we have in out link and as you can see, the database is so far out of date that it will not have any of the current malware in it.

Please go to Add/Remove Programs and uninstall the Malwarebytes you now have. Delete the log and any other process for it on your desktop.

Download and update and run a new scan:>>
malwarebytesgc8.png

Malwarebytes' Anti-Malware
  • Please download Malwarebytes' Anti-Malware from from HERE
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    [o] Update Malwarebytes' Anti-Malware
    [o] and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach this log with your reply
    [o] If you accidentally close it, the log file is saved here and will be named like this:
    [o] C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
========================
You have this set: Start Page = hxxp://www.startsearcher.com
The StartSearcher.com program that causes this behaviour actually changes your browser configuration settings at the code level, so that even when you attempt to change your home page back to one you want, it keeps reverting to StartSearcher.com.
Please go to this site and follow the steps and screen shots for removing it:
http://www.pchelpsoft.com/trends/startsearcher-removal/
=========================================
This is all you show for Firefox which is probably why it wasn't working:
================= FIREFOX ===================
.
FF - ProfilePath -
Luckily I am still able to get online via Firefox.
It's puzzling because I don't see a home page set for Firefox. You have a profile set up in the Combofix log, but no homepage, no search page. So I'm going to set up the default pages with script after I get the new Combofix log.
Bottom line: can you use Firefox? What do you have set for the homepage?
=====================================
I'd like you to uninstall the Combofix that is no installed. Then download again and scan- let's see how it comes out:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    CF_Uninstall-1.jpg
==========================================
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    whatnext.png
  • .Click on Yes, to continue scanning for malware
  • .If Combofix asks you to update the program, allow
  • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • .Close any open browsers.
  • .Double click combofix.exe
    cf-icon.jpg
    & follow the prompts to run.
  • When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
====================================
Nothing that you do intentionally makes Combofix run in Reduced Functionality. Reviewing these current logs I note:
1. "restricted" permissions.> This means that either what you are doing requires you to d it through the Administrator's account and you are logged on under a different user account.
2. Or that you do not have 'ownership' of the file.

You mentioned that Al's account doesn't work? Please describe the errors.

In answer to your 3 questions: x3 "I don't know"! 2 of the scans aren't good. There is a permission problem. One account can't be used. And other than the outdated Mbam, I don't know why this is happening! I think you 'panicked at the csrss.ex3 problem and handled it incorrectly in the beginning.

I am also wondering what settings you have for this: IFEO: image file execution options - svchost.exe. I do not see any corresponding entry for the Registry.
 
MBAM - updated software and ran great - removed a lot of files. Log is too large, so see end of it on next post!
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org Database version: 6312
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019 4/8/2011 10:34:13 AM
mbam-log-2011-04-08 (10-34-13).txt
Scan type: Quick scan
Objects scanned: 162155
Time elapsed: 8 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 298
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\AppID\GamevanceText.DLL (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntispywarXP2009.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\arr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashBug.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashCnsnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashPopWz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPcc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswChLic.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avciman.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgsrmax.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avltmain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmcdlg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\b.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bargains.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdfvwiz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdmcon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSurvey.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blss.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bundle.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\c.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpconfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpupdat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmesys.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmon016.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashrep.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssconfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datemanager.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllcache.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllreg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpfsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\expert.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fact.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gator.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbinst.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\History.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hotactio.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxiul.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iedll.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infus.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[2].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\istsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kazza.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\licmgr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loader.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmnhdlr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshell.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfin32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmod.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msccn32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdos.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mslaugh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgri32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mssmmc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvxd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nstask32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAhlp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaview.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onsrvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\patch.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavprsrv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsSvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\periscope.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pgmonitr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prmvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANCU.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANToManager.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rb32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rscdwld.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveDefense.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\savenow.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secureveteran.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecurityFighter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shield.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\showbehind.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smss32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\soap.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolcv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srexe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ss3edit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssg_4104.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchostc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svshost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysupd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tvmd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updat.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthLic.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpfw30s.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winactive.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windll32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininetd.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winlogin.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winstart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wintsk32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wkufind.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdater.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe (Security.Hijack) -> Quarantined and deleted successfully.
 
(MBAM LOG Continued:)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhclq8j0ec7v (Rogue.AntiVirusXP) ->
Value: rhclq8j0ec7v -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) ->
Bad: (http://findgala.com/?&uid=2164&q={searchTerms})
Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) ->
Quarantined and deleted successfully.HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) ->
Bad: (http://findgala.com/?&uid=2164&q={searchTerms})
Good: (http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}) ->
Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

//////////Uninstalled ComboFix, then reinstalled a newly pulled in "exe".///
Ran it logged in as Administrater./////////////
Does CombFix always start off saying that It's "Preparing to Run", then "Acess Denied Administrater perimissions
are needed..." and then runs anyway? That's what it did. Anyway here is the log:

ComboFix 11-04-07.08 - Administrator 04/08/2011 12:27:18.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.893.381 [GMT -5:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {090F9C29-64CE-6C6F-379C-5901B49A85B7}
SP: AntiVir Desktop *Disabled/Updated* {B26E7DCD-42F4-63E1-0D2C-6273CF1DCF0A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\spool\prtprocs\w32x86\BiCProNT.dll
c:\windows\system32\spool\prtprocs\w32x86\BiMProNT.dll
.
----- BITS: Possible infected sites -----
.
hxxp://xp.yimg.com
.
((((((((((((((((((((((((( Files Created from 2011-03-08 to 2011-04-08 )))))))))))))))))))))))))))))))
.
.
2011-04-08 17:37 . 2011-04-08 17:37 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-04-08 17:37 . 2011-04-08 17:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-08 17:37 . 2011-04-08 17:37 -------- d-----w- c:\users\Al\AppData\Local\temp
2011-04-08 14:15 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-08 14:15 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-08 14:15 . 2011-04-08 14:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-31 03:59 . 2011-03-31 03:59 -------- d-----w- c:\program files\Common Files\Java
2011-03-31 03:58 . 2011-03-31 03:58 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-03-31 00:25 . 2011-03-31 00:25 -------- d-----w- c:\program files\ESET
2011-03-28 02:27 . 2011-03-28 02:30 -------- d-----w- c:\users\Administrator
2011-03-27 19:46 . 2011-03-04 21:11 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-27 19:46 . 2011-03-04 19:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\programdata\Avira
2011-03-27 19:46 . 2011-03-27 19:46 -------- d-----w- c:\program files\Avira
2011-03-26 16:35 . 2011-03-26 16:35 -------- d-----w- c:\users\Al\AppData\Roaming\Uniblue
2011-03-26 16:34 . 2011-03-26 16:34 -------- d-----w- c:\users\Al\AppData\Local\PackageAware
2011-03-23 22:03 . 2011-03-23 22:03 -------- d-----w- C:\$AVG
2011-03-23 21:48 . 2011-03-23 21:48 -------- d-----w- c:\users\Al\AppData\Local\AVG Security Toolbar
2011-03-23 21:21 . 2011-03-23 21:21 -------- d-----w- c:\users\Al\AppData\Roaming\AVG10
2011-03-23 21:17 . 2011-03-23 21:17 -------- d--h--w- c:\programdata\Common Files
2011-03-23 21:13 . 2011-03-30 23:08 -------- d-----w- c:\windows\system32\drivers\AVG
2011-03-23 20:33 . 2011-02-22 14:13 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-03-23 20:33 . 2011-02-22 13:33 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-03-23 20:33 . 2011-02-22 13:33 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-03-23 20:18 . 2011-02-11 06:54 5943120 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7F04ACCC-DDC4-46EC-95A0-1BEE2C429733}\mpengine.dll
2011-03-23 20:05 . 2011-03-23 20:05 -------- d-----w- c:\users\Al\AppData\Local\Mozilla
2011-03-21 03:31 . 2011-03-23 22:03 -------- d-----w- c:\programdata\pAbHkCb18101
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-31 03:57 . 2010-09-22 02:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-02-02 23:11 . 2009-10-03 13:49 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-01-20 16:37 . 2011-02-10 00:39 638336 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2011-01-20 16:08 . 2011-02-10 00:39 478720 ----a-w- c:\windows\system32\dxgi.dll
2011-01-20 16:08 . 2011-02-10 00:39 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2011-01-20 16:08 . 2011-02-10 00:39 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2011-01-20 16:08 . 2011-02-10 00:39 1029120 ----a-w- c:\windows\system32\d3d10.dll
2011-01-20 16:08 . 2011-02-10 00:39 189952 ----a-w- c:\windows\system32\d3d10core.dll
2011-01-20 16:07 . 2011-02-10 00:39 37376 ----a-w- c:\windows\system32\cdd.dll
2011-01-20 16:07 . 2011-02-10 00:39 258048 ----a-w- c:\windows\system32\winspool.drv
2011-01-20 16:07 . 2011-02-10 00:39 586240 ----a-w- c:\windows\system32\stobject.dll
2011-01-20 16:06 . 2011-02-10 00:39 2873344 ----a-w- c:\windows\system32\mf.dll
2011-01-20 16:06 . 2011-02-10 00:39 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2011-01-20 16:04 . 2011-02-10 00:39 209920 ----a-w- c:\windows\system32\mfplat.dll
2011-01-20 16:04 . 2011-02-10 00:39 98816 ----a-w- c:\windows\system32\mfps.dll
2011-01-20 14:28 . 2011-02-10 00:39 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2011-01-20 14:27 . 2011-02-10 00:39 876032 ----a-w- c:\windows\system32\XpsPrint.dll
2011-01-20 14:26 . 2011-02-10 00:39 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2011-01-20 14:25 . 2011-02-10 00:39 847360 ----a-w- c:\windows\system32\OpcServices.dll
2011-01-20 14:24 . 2011-02-10 00:39 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2011-01-20 14:15 . 2011-02-10 00:39 979456 ----a-w- c:\windows\system32\MFH264Dec.dll
2011-01-20 14:14 . 2011-02-10 00:39 357376 ----a-w- c:\windows\system32\MFHEAACdec.dll
2011-01-20 14:14 . 2011-02-10 00:39 302592 ----a-w- c:\windows\system32\mfmp4src.dll
2011-01-20 14:14 . 2011-02-10 00:39 261632 ----a-w- c:\windows\system32\mfreadwrite.dll
2011-01-20 14:12 . 2011-02-10 00:39 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2011-01-20 14:11 . 2011-02-10 00:39 486400 ----a-w- c:\windows\system32\d3d10level9.dll
2011-01-20 13:47 . 2011-02-10 00:39 683008 ----a-w- c:\windows\system32\d2d1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WindowsWelcomeCenter"="oobefldr.dll" [2009-04-11 2153472]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Xerox PanelMgr"="c:\windows\Xerox\PanelMgr\SSMMgr.exe" [2007-07-16 524288]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2006-10-20 36864]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2006-10-20 40960]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-27 69632]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 275800]
"VX3000"="c:\windows\vVX3000.exe" [2006-12-05 707360]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 281768]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 samhidb;samhidb;c:\windows\system32\drivers\samhidb.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2011-03-04 135336]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2007-02-13 5120]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\DRIVERS\nwusbser2.sys [2007-04-19 99200]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-08 02:01]
.
2011-04-08 c:\windows\Tasks\User_Feed_Synchronization-{3BA8EF8A-C04D-42BB-A881-5AFE7B37C649}.job
- c:\windows\system32\msfeedssync.exe [2011-02-10 04:47]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.startsearcher.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {02717118-A864-41BA-8A17-6195807879FC} = 69.78.96.14 66.174.92.14
DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - hxxp://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\ypcj2hs7.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-08 12:38
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,46,13,9e,b0,5a,cc,2a,4e,80,ef,b6,\
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_USERS\S-1-5-21-2372562597-3575386028-1687983716-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(3520)
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2011-04-08 12:41:42
ComboFix-quarantined-files.txt 2011-04-08 17:41
ComboFix2.txt 2011-03-30 23:46
.
Pre-Run: 56,224,145,408 bytes free
Post-Run: 56,210,952,192 bytes free
.
- - End Of File - - F03BF378AB7ECDA32D79B785B1ADB7EB


Guess we should address one thing at a time. I will double check and get all the errors if they still exist at
this point for the other login "Al" User and let you know if I can get on Firefox now. A lot was cleaned up with
that StartSearcher help steps.
 
You have a Smart Engine malware infection. The updated Malwarebytes did a good job of quarantining 300 Registry entries from it. But I'd like you to run the following scan then update and run a Full Scan with Malwarebytes.

Step One:Please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
  • Rkill.com
  • Rkill.scr
  • Rkill.pif
  • Rkill.exe
  • Double-click on the Rkill desktop icon to run the tool.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
(A tip: If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Smart Engine when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again.)

Step Two: Update Mbam> On the Scanner tab, make sure the the Perform full scan option is selected

Step Three: Access, Delete, Replace Hosts files
Please download the following batch file and save it to your desktop: Hostsperm.bat
  • Double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you if you are sure you want to run it, please allow it to run.
    [o]Once it starts you will see a small black window that opens, then goes away. This is normal. You should now be able to access your HOSTS file.
  • We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file.
  • Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder.
    [o]Windows Vista HOSTS File Download Link
  • If the contents of the HOSTS file opens in your browser when you click on the link, then right-click the link and select:
    [o]Save Target As if in Internet Explorer
    [o] Save Link Asif in Firefox, to download the file.
  • Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
  • Now reboot your computer.
================================================
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zipand save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file and then the log will open in notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please paste both the new Mbam log and the HijackThis log in your next reply.
=====================================
Don't act on any errors or alerts you receive. Check the screen shot HERE for examples you might be seeing. Clicking on the first image will show you 6 additional images from this rogue.
 
MBAM log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6329

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.19019

4/11/2011 6:31:39 AM
mbam-log-2011-04-11 (06-31-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 321344
Time elapsed: 1 hour(s), 56 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Qoobox\quarantine\C\Users\Al\AppData\Roaming\dwm.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\Users\Al\AppData\Roaming\microsoft\conhost.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:39:37 AM, on 4/12/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19019)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Windows\Xerox\PanelMgr\SSMMgr.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe
C:\Windows\vVX3000.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: YTNavAssist.YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTNavAssist.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Xerox PanelMgr] C:\Windows\Xerox\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advan...amfrogweb.com-advanced-2.0.2.3_instmodule.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 6405 bytes


I did not see any errors or alerts in Administrator login that you described at the end of your last post.
 
Okay- looks good- nothing new! Are you having any of the original malware related problems now?

I would like to mention that you don't need to have the printer/scanner processes start on boot. To print, click on File> Print. To use other features, open the program when you need it and choose what you want.

Best kick Adobe Reader 9.0 up a notch: Visit this Adobe Reader site . Uninstall any earlier updates as they are vulnerabilities.

Make sure Java is current: Check this site .Java Updates . Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.

Let me know if problems have been resolved and I'll have you remove the cleaning tools.
 
I don't have any Malware popups or virus issues. I still have these errors, but not in the Administrator account, just the User "Al", short for Allen.

Error#1 - on login to user account "Al", popup comes up right away-
"Could not load or run C:\Users\Al\AppData\Local\Temp\csrss.exe specified in the registry. Make sure the files exists on your computer or remove reference to it in the registry."
How do I remove this popup? How do I modify and delete it out of the registry?

Error#2 - Windows popup stating "Windows has blocked some startup programs".
Error#3 - User "Al" when logged in still cannot get online with IE nor Firefox. There is a "Proxy Server error". I can only get online using administrator login.

Other than these three issues I originally had..the laptop runs really fast now!
Still need help.
 
Did you ever do this? Because starchaser is still on the system:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startsearcher.com

You have this set: Start Page = hxxp://www.startsearcher.com:
The StartSearcher.com program that causes this behaviour actually changes your browser configuration settings at the code level, so that even when you attempt to change your home page back to one you want, it keeps reverting to StartSearcher.com.
Please go to this site and follow the steps and screen shots for removing it:
http://www.pchelpsoft.com/trends/startsearcher-removal/
  1. Open Firefox
  2. Type about:config In the address bar> enter. A warning page will pop up indicating that you may void your warranty, you are entering the advanced settings area and to only continue if you are sure of what you are doing. If you're comfortable proceeding, click "I'll be careful, I promise!"
  3. Find the filter box and search for: startsearcher
  4. You may see multiple entries come up. . Each of these basic Firefox settings has had its value overwritten by startsearcher, so you need to reset each of them.
  5. To reset, right click on each of the rows and select 'Reset' from the list of options.
    startsearcher-reset.jpg

    You should see startsearcher disappear from the value field and default Firefox values return.
  6. The next time you start Firefox, StartSearcher.com should be gone.
Additional images on the site I referenced.
========================================
Did you run RKill?
Did you replace the Host files?
 
1. The Startsearcher.com reference in your post points to "InternetExplorer", which I do NOT use. I use Firefox. The clean up process was done on Firefox several times to set everything back to "default" under "administrator login". I cannot get "about:config" to work for InternetExplorer to clean that StartSearcher reference up. I could only logon to the internet with administrater login at this point.

I also ran this "about:config" cleanup again in Firefox under "Al Login" and it still didn't make a difference, couldn't connect to internet. I kept getting "Proxy server not found" errors. So, today I played around in Firefox 4.0 under "Options; Advanced;Network;Settings" and checked "No proxy" and now I can get online via Firefox under the "Al login". This is the only thing that works. If this is not correct, then please tell me what is correct that "will work" and how do I clean up Internet Explorer for the StartSearcher.com issue?
2. Rkill was ran per your instructions - ran under only "administrator login". The download worked, the DOS box came open, ran and disappeared per your instructions and left a log. Here are the contents of the log.
********************************************************************
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 04/10/2011 at 23:00:42.
Operating System: Windows Vista (TM) Home Basic


Processes terminated by Rkill or while it was running:

Rkill completed on 04/10/2011 at 23:01:20.
*****************************************************************************
3. The host file was replaced per your steps.(download hostsperm.bat file and ran; deleted old host file; downloaded correct host file and saved it in C:\Windows\System32\Drivers\etc directory, then rebooted.) Then I downloaded and ran HijackThis and sent all the logs requested.

4. I still don't know how to fix the registry popup for the "missing csrss.exe "described in my last posting.

Please advise. :)
 
"Could not load or run C:\Users\Al\AppData\Local\Temp\csrss.exe specified in the registry. Make sure the files exists on your computer or remove reference to it in the registry."

This is a Worm or possible keylogger. I am concerned about the notices of Restrictions you have been getting, the running of Combofix in Reduce Functionality Mode. I'm not sure if someone of the users has set restrictions on the system or if a user has installed a key logger.

I mentioned this earlier:
Regarding csrss.exe: The legitimate process is for Windows Client/Server Runtime Server Subsystem and it is located in the C:\Windows\System32 folder. The malware csrss.exe process can be a virus, spyware, trojan or worm and will be located elsewhere. It is found with Nimda.E

You will need to check the location of csrss.exe:

First:
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
Second:
Click on Start> Search> Files & Folders:
Before putting the search term in, do the following:
Show Hidden Folders/Files
  • Go to Tools > Folder Options.
  • Select the View tab.
  • Scroll down to Hidden files and folders.
  • Select Show hidden files and folders.
  • Uncheck Hide extensions of known file types.
  • Uncheck when prompted.
  • Click OK.

Now put csrss.exe in the 'all or part of the file name' box> Click on Search.
Look at the 'In Folder section. If this entry is listed in Windows\System32 folder Leave it alone.

If you see csrss.exe in a temp folder do a right click> Delete. Do not double click on it

Reset Hidden/System Files & Folders

Come back and let me know the results. Are you the Administrator? What account setting does 'Al" have?
===================================================
I'd like to get rid of starsearcher:
Launch Internet Explorer> Go to any site of your choice- you're going to use it s the homepage in IE
Then click on Tools> Internet Options> General tab> Homepage section> Click on 'use current'> Apply> OK. Close IE

Either do a Disc Cleanup or run TFC to remove the site. Use Windows Explorer to find and remove any Cookie related to starsearcher
 
Status
Not open for further replies.
Back