Boot in Safe Mode.
Switch System Restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:
fash.exe <<== IBIS toolbar/Hijacker
nnkjrj.exe
PowerReg Scheduler.exe
Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [fash] C:\WINDOWS\
fash.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\
nnkjrj.exe reg_run
O4 - Startup:
PowerReg Scheduler.exe
O8 - Extra context menu item: Add to White List - C:\Program Files\
Advanced Searchbar\addtolist.js
O8 - Extra context menu item: Delete from White List - C:\Program Files\Advanced Searchbar\delfromlist.js
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\
EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\
wncsvc.dll
...................................................................................................
Now click on the Fix Checked button in HJT.
When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normally. When all OK, switch System Restore back on.
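
An added example, not part of the original post: a small Python parser that rejoins the wrapped HijackThis lines shown between the dotted lines and pulls out the file path behind each entry, so the autostart (O4) and Winlogon Notify (O20) entries can be reviewed as a list. The function names, the path pattern and the section descriptions are this example's own; the sample lines are copied from the log above.

```python
import re

# Section codes that appear in the log in the post, with their usual HijackThis meaning.
SECTIONS = {
    "R0": "IE start/search page", "R1": "IE start/search page",
    "O4": "autostart (Run key or Startup folder)",
    "O8": "IE context-menu item", "O9": "IE button / Tools menu item",
    "O20": "Winlogon Notify / AppInit_DLLs",
}
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|js)\b", re.IGNORECASE)

# Sample input: lines copied from the post's log, wrapped exactly as they appear there.
SAMPLE = r"""
O4 - HKLM\..\Run: [fash] C:\WINDOWS\
fash.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\
nnkjrj.exe reg_run
O4 - Startup:
PowerReg Scheduler.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\
EmpirePoker\EmpirePoker.exe (file missing)
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\
wncsvc.dll
"""

def parse_hjt(text):
    """Rejoin wrapped lines and return one dict per HijackThis entry."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"."}:
            continue  # blank line or dotted separator
        m = ENTRY.match(line)
        if m:
            entries.append({"code": m.group(1), "body": m.group(2)})
        elif entries:
            # Continuation line: a path split after "\" rejoins without a space.
            sep = "" if entries[-1]["body"].endswith("\\") else " "
            entries[-1]["body"] += sep + line
    for e in entries:
        path = PATH.search(e["body"])
        e["path"] = path.group(0) if path else None
        e["file_missing"] = "(file missing)" in e["body"]
        e["meaning"] = SECTIONS.get(e["code"], "other")
    return entries

def persistence(entries):
    """Entries that load code at boot or logon (O4, O20)."""
    return [e for e in entries if e["code"] in ("O4", "O20")]
```

Entries with no drive-letter path, such as the Startup folder item, come back with `path` set to `None` and need to be located by hand.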