Is it possible you did not log in to your usual account in safe mode? These HJT entries remain...it also may have been Windows Defender's registry protection preventing the changes.
Windows Defender
Please disable your Windows Defender Real-time Protection, as it may hinder the removal of some entries.
- Open Windows Defender.
- Click on Tools, General Settings.
- Scroll down and uncheck Turn on real-time protection (recommended).
- After you uncheck this, click on the Save button and close Windows Defender.
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist
(make sure you do not miss any) and click
Fix Checked
O4 - HKCU\..\Run: [test] C:\WINDOWS\system32\test.exe
O4 - HKCU\..\Run: [vmmanager] C:\WINDOWS\system32\vmmanager.exe
O4 - HKCU\..\Run: [mshtmled] C:\WINDOWS\system32\mshtmled.exe
O4 - HKCU\..\Run: [netapi32] C:\WINDOWS\system32\netapi32.exe
O4 - HKCU\..\Run: [smtpapi] C:\WINDOWS\system32\smtpapi.exe
O4 - HKCU\..\Run: [msr2cenu] C:\WINDOWS\system32\msr2cenu.exe
O4 - HKCU\..\Run: [wzcsvc] C:\WINDOWS\system32\wzcsvc.exe
O4 - HKCU\..\Run: [nvwddi] C:\WINDOWS\system32\nvwddi.exe
O4 - HKCU\..\Run: [srsvc] C:\WINDOWS\system32\srsvc.exe
---------------------------------------------------------------------------------------------
Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Also make sure there is no checkmark beside Hide file extensions for known file types
* Click Yes to confirm and then click OK.
Delete the following if they exist:
C:\WINDOWS\system32\test.exe
C:\WINDOWS\system32\vmmanager.exe
C:\WINDOWS\system32\mshtmled.exe
C:\WINDOWS\system32\netapi32.exe
C:\WINDOWS\system32\smtpapi.exe
C:\WINDOWS\system32\msr2cenu.exe
C:\WINDOWS\system32\wzcsvc.exe
C:\WINDOWS\system32\nvwddi.exe
C:\WINDOWS\system32\srsvc.exe
If they resist deletion, boot to safe mode and delete them from there.
---------------------------------------------------------------------------------------------
Establish an internet connection & perform an online scan with Internet Explorer at
Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded click on NEXT
- Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Click OK & have it scan My Computer
- Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
- Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan
---------------------------------------------------------------------------------------------
Open Hijack This and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.
---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006