Okay, I’ll see what else I can find for your desktop.
Getting there.
Open HJT, run a system scan only, check mark these lines if present:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Close all other browsers/windows, click fix, close HJT.
We will use Avenger to make those go away.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
2. Now, start The Avenger program by clicking on its icon on your desktop.
[*] Copy and paste all the text in the above quote box into the main window…
[*]Click Execute
[*] Answer “Yes” twice when prompted.
3. The Avenger will automatically do the following:
[*]It will restart your computer. (In cases where the code to execute contains “Drivers to Unload”, The Avenger will actually restart your system twice.)
[*]On reboot, it will briefly open a black command window on your desktop, this is normal.
[*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
Please follow all previous instructions regarding security programs.
Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.
Copy and paste all the text in the quote box below into Notepad.
Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.
File::
C:\WINDOWS\web\related.htm
C:\WINDOWS\msa64chk.dll
Folder::
C:\WINDOWS\web\related.htm
This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.
Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.
One more for VirusTotal:
C:\WINDOWS\system32\VBA6.DLL
Avenger results, ComboFix log and VT results, please.
Try this:
Right-click on an empty space on the Desktop, point at “Arrange Icons by” and if “Lock Web Items on Desktop” is checked, click on it to uncheck it.