Tech Support Forum > Security Center > Virus/Trojan/Spyware Help
#1, 11-03-2009, 12:07 PM: rconway (Registered User; OS: Vista)

search result redirects and spontaneous new browser tabs

I'm seeing intermittent but frequent redirects on my search results. I've only seen these in Firefox and using Google, because that's the only browser I use and the only search engine I use.

In addition, Firefox spontaneously loads new tabs to suspicious-looking websites.

I ran Spyware Doctor... no problems reported. I ran an AVG Free scan... no problems reported. I ran Malwarebytes Anti-Malware... no problems reported. I've upgraded my AVG Free to version 9. The installer for AVG Free 9 told me I had to uninstall Spyware Doctor so it wouldn't conflict. I did so. I then ran AVG again. This time it said it found and removed one problem. However, the behavior remains.

Requested logs are pasted and attached. Any help would be much appreciated.
DDS (Ver_09-10-26.01) - NTFSx86
Run by Robert at 13:20:35.26 on Tue 11/03/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.1972 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Robert\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\px624e3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg9\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-23 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-23 360584]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\hp\quickplay\000.fcl [2007-12-7 39408]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-3 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-3 285392]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-9-1 10752]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-23 30192]

=============== Created Last 30 ================

2009-11-03 16:13:07 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 15:19:00 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-03 14:36:31 0 d--h--w- C:\$AVG
2009-11-03 14:35:58 0 d-----w- c:\programdata\avg9
2009-11-03 14:28:06 0 ----a-w- c:\windows\system32\ûˆ
2009-11-03 14:15:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-30 15:44:58 7034 ----a-w- c:\windows\system32\tmp.reg
2009-10-30 15:44:08 87552 ----a-w- c:\windows\system32\VACFix.exe
2009-10-30 15:44:08 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2009-10-30 15:44:08 82432 ----a-w- c:\windows\system32\404Fix.exe
2009-10-30 15:44:08 80384 ----a-w- c:\windows\system32\o4Patch.exe
2009-10-30 15:44:08 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2009-10-30 15:44:07 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-10-30 15:44:07 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2009-10-30 15:44:02 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2009-10-30 15:43:57 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-10-30 15:43:56 51200 ----a-w- c:\windows\system32\dumphive.exe
2009-10-30 15:43:56 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2009-10-30 15:43:51 135168 ----a-w- c:\windows\system32\swreg.exe
2009-10-30 15:43:46 53248 ----a-w- c:\windows\system32\Process.exe
2009-10-28 21:18:30 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 21:18:29 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 21:18:28 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 21:18:28 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 21:18:27 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-16 22:37:51 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 22:37:51 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 22:37:39 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-10-16 22:37:38 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-16 22:37:38 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-16 22:37:34 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-16 22:37:34 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2009-10-16 22:37:34 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-16 22:37:25 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2009-10-16 22:37:25 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-16 22:37:17 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-16 22:37:14 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 22:36:57 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-10-13 23:59:22 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-12 13:01:21 0 d-----w- c:\programdata\TomTom
2009-10-12 12:58:42 0 d-----w- c:\users\robert\appdata\roaming\TomTom
2009-10-12 12:58:36 0 d-----w- c:\program files\TomTom International B.V
2009-10-12 12:57:01 0 d-----w- c:\program files\TomTom HOME 2
2009-10-05 03:03:47 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-10-05 03:03:47 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-10-05 02:57:27 0 d-----w- c:\program files\iPod
2009-10-05 02:57:14 0 d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-05 02:57:14 0 d-----w- c:\program files\iTunes

==================== Find3M ====================

2009-11-03 14:36:23 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-11-03 14:36:23 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-11-03 14:36:21 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-12 14:07:54 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-12 14:07:53 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-10-05 02:35:42 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-10 18:54:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-02 01:30:26 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-09-02 01:30:20 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-09-02 01:30:01 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-09-02 01:22:11 27430 ----a-w- c:\users\robert\appdata\roaming\nvModes.dat
2009-08-30 16:46:48 3646 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02:34 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-26 07:08:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 0726 268800 ----a-w- c:\windows\system32\es.dll
2009-08-25 20:37:24 174 --sha-w- c:\program files\desktop.ini
2009-08-25 20:31:12 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-25 20:29:56 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-08-25 20:29:51 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-08-25 20:29:46 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-08-25 20:29:41 272896 ----a-w- c:\windows\system32\polstore.dll
2009-08-25 20:28:28 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-08-25 20:28:23 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-08-25 20:28:18 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-08-25 20:25:14 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
2009-08-25 20:25:14 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
2009-08-25 20:25:12 24064 ----a-w- c:\windows\system32\wtsapi32.dll
2009-08-25 20:25:09 542720 ----a-w- c:\windows\system32\sysmain.dll
2009-08-25 20:24:49 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-08-25 20:24:36 2028032 ----a-w- c:\windows\system32\win32k.sys
2009-08-25 20:24:18 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-25 20:24:17 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-25 20:24:17 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-25 20:24:17 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-25 20:24:17 24064 ----a-w- c:\windows\system32\lpk.dll
2009-08-25 20:24:17 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-25 20:23:56 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-08-25 20:23:40 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-25 20:23:24 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-08-25 20:22:37 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-25 20:22:37 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-25 20:22:20 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-25 20:22:02 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-25 20:22:02 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-08-25 20:22:02 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-08-25 20:20:46 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-25 20:20:31 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-08-25 20:20:31 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-08-25 20:19:48 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2009-08-25 20:16:02 696832 ----a-w- c:\windows\system32\localspl.dll
2009-08-25 20:15:35 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-08-25 20:15:35 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-08-25 20:15:35 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-08-25 20:15:35 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-08-25 20:15:35 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-08-25 20:15:35 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-08-25 20:14:00 2923520 ----a-w- c:\windows\explorer.exe
2009-08-24 22:10:14 24064 ----a-w- c:\windows\system32\netcfg.exe
2009-08-24 22:05:22 1793536 ----a-w- c:\windows\system32\NlsLexicons0045.dll
2009-08-24 22:05:15 1808896 ----a-w- c:\windows\system32\NlsLexicons0046.dll
2009-08-24 22:05:09 1411072 ----a-w- c:\windows\system32\NlsLexicons0047.dll
2009-08-24 22:04:21 1558016 ----a-w- c:\windows\system32\NlsLexicons0049.dll
2009-08-24 22:04:15 1236992 ----a-w- c:\windows\system32\NlsLexicons0020.dll
2009-08-24 22:04:08 1782272 ----a-w- c:\windows\system32\NlsLexicons0039.dll
2009-08-24 22:04:02 2136064 ----a-w- c:\windows\system32\NlsLexicons0021.dll
2009-08-24 22:03:52 5499904 ----a-w- c:\windows\system32\NlsLexicons0022.dll
2009-08-24 22:03:40 7964672 ----a-w- c:\windows\system32\NlsLexicons0024.dll
2009-08-24 22:03:28 5791232 ----a-w- c:\windows\system32\NlsLexicons0026.dll
2009-08-24 22:03:17 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2009-08-24 22:03:07 4175872 ----a-w- c:\windows\system32\NlsLexicons0010.dll
2009-08-24 22:02:59 2466816 ----a-w- c:\windows\system32\NlsLexicons0011.dll
2009-08-24 22:02:50 4981248 ----a-w- c:\windows\system32\NlsLexicons0013.dll
2009-08-24 22:02:40 3331072 ----a-w- c:\windows\system32\NlsLexicons0018.dll
2009-08-24 22:02:30 6781440 ----a-w- c:\windows\system32\NlsLexicons0019.dll
2009-08-24 22:02:15 11722752 ----a-w- c:\windows\system32\NlsLexicons0001.dll
2009-08-24 22:02:02 4164096 ----a-w- c:\windows\system32\NlsLexicons0002.dll
2009-08-24 22:01:54 1452544 ----a-w- c:\windows\system32\NlsLexicons0003.dll
2009-08-24 22:01:40 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-08-24 22:01:32 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-08-24 22:01:24 3419136 ----a-w- c:\windows\system32\NlsLexicons004a.dll
2009-08-24 22:01:20 1702912 ----a-w- c:\windows\system32\NlsLexicons004b.dll
2009-08-24 22:01:12 4093440 ----a-w- c:\windows\system32\NlsLexicons004c.dll
2009-08-24 22:01:04 1972736 ----a-w- c:\windows\system32\NlsLexicons004e.dll
2009-08-24 22:00:58 4045824 ----a-w- c:\windows\system32\NlsLexicons003e.dll
2009-08-24 22:00:56 4096 ----a-w- c:\windows\system32\NlsLexicons002a.dll
2009-08-24 22:00:47 6014976 ----a-w- c:\windows\system32\NlsLexicons001a.dll
2009-08-24 22:00:34 6585856 ----a-w- c:\windows\system32\NlsLexicons001b.dll
2009-08-24 22:00:23 6346240 ----a-w- c:\windows\system32\NlsLexicons001d.dll
2009-08-24 22:00:08 9892864 ----a-w- c:\windows\system32\NlsLexicons000a.dll

============= FINISH: 13:21:46.99 ===============
Attached Files
File Type: zip attach.zip (3.6 KB, 1 views)
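The DDS output above is what the forum's analysts read by hand. As an added example (mine, not code from the thread or from DDS itself), here is a small script that runs the usual first-pass checks over lines copied from this log: browser helper objects and toolbars whose CLSID points at "No File", UAC switched off (EnableLUA = 0), AppInit_DLLs and LSP entries that need to be verified, and a file under system32 whose name is not plain ASCII (the two-character ûˆ entry). The categories and rules are this example's own heuristics; a finding means "look at this", not "this is malicious" (the AppInit_DLLs and LSP entries in this particular log belong to AVG, Google Desktop and Windows Parental Controls).

```python
"""Triage helper for DDS-style log lines.

Added example for this thread; not part of DDS or of the original post.
Each finding is something an analyst should review, not a verdict.
"""
from __future__ import annotations

import re

# Sample input: lines copied from the DDS log in post #1 above.
SAMPLE_DDS = r"""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
mPolicies-system: EnableLUA = 0 (0x0)
LSP: c:\windows\system32\wpclsp.dll
AppInit_DLLs: avgrsstx.dll c:\progra~1\google\google~1\GOEC62~1.DLL
2009-11-03 14:36:31 0 d--h--w- C:\$AVG
2009-11-03 14:28:06 0 ----a-w- c:\windows\system32\ûˆ
2009-11-03 14:15:27 411368 ----a-w- c:\windows\system32\deploytk.dll
"""

# "Created Last 30" / "Find3M" entries: date, time, size, attribute flags, path.
FILE_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attr>\S{8}) (?P<path>.+)$"
)


def suspicious_name(path: str) -> bool:
    """True when the file name is empty or contains control/non-ASCII characters.

    Genuine Windows system files have plain ASCII names; a name such as the
    two-character 'ûˆ' entry in the log above deserves a closer look.
    """
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if not name:
        return True
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)


def triage(dds_text: str) -> list[tuple[str, str]]:
    """Return (category, line) pairs for entries an analyst should review."""
    findings: list[tuple[str, str]] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # BHO/toolbar registrations whose DLL is gone: leftovers from a removed
        # add-on or from a partial cleanup; harmless but worth clearing.
        if line.startswith(("BHO:", "TB:", "uURLSearchHooks:")) and line.endswith("- No File"):
            findings.append(("orphan-clsid", line))
        # UAC disabled: whatever the user runs already has full rights.
        elif line.startswith("mPolicies-system:") and "EnableLUA = 0" in line:
            findings.append(("uac-disabled", line))
        # DLLs injected into every process that loads user32.dll: verify each.
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(("appinit-dll", line))
        # Layered Service Providers sit in the Winsock path of every socket.
        elif line.startswith("LSP:"):
            findings.append(("lsp", line))
        else:
            m = FILE_ENTRY.match(line)
            if m and "system32" in m["path"].lower() and suspicious_name(m["path"]):
                findings.append(("odd-system32-name", line))
    return findings


if __name__ == "__main__":
    for category, line in triage(SAMPLE_DDS):
        print(f"{category:18} {line}")
```

Run against the sample, it reports three orphaned CLSIDs, the EnableLUA = 0 policy, the AppInit_DLLs and LSP lines, and the ûˆ file; deploytk.dll and the C:\$AVG directory pass. Feeding it a whole dds.txt works the same way, since unmatched lines are simply skipped.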
#2, 11-05-2009, 11:00 AM: rconway (Registered User; OS: Vista)

Re: search result redirects and spontaneous new browser tabs

Bump... no reply in 2 days. I've disabled my wireless for now to prevent any further infection, but of course this leaves me with a brick, not a laptop. Any help would be much appreciated.
#3, 11-08-2009, 12:03 PM: rconway (Registered User; OS: Vista)

Re: search result redirects and spontaneous new browser tabs

Bump... no reply in 5 days. A critical laptop is currently unusable for any Internet activity. Expert guidance would be really appreciated.
#4, 11-11-2009, 06:58 AM: rconway (Registered User; OS: Vista)

Re: search result redirects and spontaneous new browser tabs

Man, getting these issues cleared up sure is a BUMPy road!
#5, 11-13-2009, 09:25 PM: Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Location: Ohio; OS: WinXP and Vista)

Re: search result redirects and spontaneous new browser tabs

Hello rconway.

Our apologies for the oversight of your thread. I'd like to see a new set of logs. Run dds.scr and gmer.exe. Remember to configure gmer as follows:
  • An initial scan will automatically begin.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "ark2.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please attach the ark2.txt in your next reply, and copy/paste the contents of the dds.txt.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#6, 11-14-2009, 12:17 PM: rconway (Registered User; OS: Vista)

Re: search result redirects and spontaneous new browser tabs

Ried,

Thanks for the reply. However, it appears that I've been successful in repairing the issue (for now at least!). At the advice of a friend, I uninstalled AVG and installed Avast. Avast was run twice (once during boot/posting and then again via the UI). It found and repaired several issues. Since then, the behavior has stopped entirely.

Because this was my second malware infection in six months, I'm very open to whatever advice you may have on how to prevent future infections. My laptop is a critical tool for my work, but is also used by my 2 children for schoolwork and entertainment. I suspect that my infections have arisen during usage by my children, but of course I can't prove that.

Any tips? Thanks again for the response!! Have a great day.
#7, 11-14-2009, 12:23 PM: rconway (Registered User; OS: Vista)

Re: search result redirects and spontaneous new browser tabs

Whoops!!! Spoke too soon!! Moments after sending the above reply, my Firefox session spontaneously opened two new tabs, both looking for this URL:

http://www.m%£µ°u~%28u<ëx°°lm%c2%adú±ÞÅ®ýÀܺ¾¦ece.com/#%C3%98S%CB%86%3C%C3%BE%C3%B1%60%E2%80%A6%C5%92%E2%80%A6*A%7F%C2%AF%C3%9EJ%C3%96v$%7F%C3%85n

I'll post the logs you requested ASAP.
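The URL quoted above cannot name a real host: the middle label contains characters that are not legal in a DNS name, which looks more like a corrupted or mis-decoded string than an intended destination. As an added example (not code from the thread), here is a small check that pulls the host out of such a URL and tests it against RFC 1123 label rules (letters, digits and hyphens; 1 to 63 characters per label; no leading or trailing hyphen) before anyone pastes it into a lookup service or a blocklist. The URL string is copied from the post; everything else is this example's own.

```python
"""Sanity-check the destination of a spontaneously opened tab.

Added example for this thread (not the original poster's or the forum's code).
Checks whether the host of a URL is even a syntactically legal DNS name; the
string from the post is not, so no DNS query for it could ever succeed.
"""
import re
from urllib.parse import unquote

# The string copied from post #7 above.
POSTED_URL = (
    "http://www.m%£µ°u~%28u<ëx°°lm%c2%adú±ÞÅ®ýÀܺ¾¦ece.com/"
    "#%C3%98S%CB%86%3C%C3%BE%C3%B1%60%E2%80%A6%C5%92%E2%80%A6*A%7F%C2%AF%C3%9EJ%C3%96v$%7F%C3%85n"
)

# One RFC 1123 label: alphanumerics and hyphens, 1-63 chars, no hyphen at either end.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def host_of(url: str) -> str:
    """Extract the host without relying on a URL parser's tolerance for junk."""
    rest = url.split("://", 1)[1] if "://" in url else url
    authority = re.split(r"[/?#]", rest, maxsplit=1)[0]
    authority = authority.rsplit("@", 1)[-1]        # drop userinfo
    return authority.split(":", 1)[0]               # drop port


def is_valid_hostname(host: str) -> bool:
    """RFC 1123 syntax check: every label legal, whole name at most 253 chars."""
    if not host or len(host) > 253:
        return False
    return all(LABEL.fullmatch(label) for label in host.rstrip(".").split("."))


def describe(url: str) -> dict:
    """Summarise why a URL does or does not look like a reachable destination."""
    host = host_of(url)
    decoded_host = unquote(host)                    # malformed escapes are left as-is
    fragment = url.split("#", 1)[1] if "#" in url else ""
    return {
        "host": host,
        "valid_hostname": is_valid_hostname(host),
        "non_ascii_in_host": sum(1 for c in decoded_host if ord(c) > 127),
        "fragment_decoded": unquote(fragment),
    }


if __name__ == "__main__":
    for key, value in describe(POSTED_URL).items():
        print(f"{key}: {value!r}")
```

On the posted string this reports valid_hostname False and a non-zero count of non-ASCII characters in the host; the hosts that appear in the DDS log, such as www.google.com and ie.redirect.hp.com, pass. A URL that fails this check is still worth recording as evidence of the infection, but it is not a domain anyone can resolve, block or look up.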
#8, 11-14-2009, 12:25 PM: Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Location: Ohio; OS: WinXP and Vista)

Re: search result redirects and spontaneous new browser tabs

Okay, I'll be standing by for the next 20 minutes. :)
#9, 11-14-2009, 01:03 PM: rconway (Registered User; OS: Vista)

Re: search result redirects and spontaneous new browser tabs

For the record, I'm no longer able to reproduce the Google redirect symptoms. Here are the logs:


DDS (Ver_09-10-26.01) - NTFSx86
Run by Robert at 14:27:55.98 on Sat 11/14/2009
Internet Explorer: 7.0.6000.16916 BrowserJavaVersion: 1.6.0_15
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.1802 [GMT -5:00]

AV: avast! antivirus 4.8.1356 [VPS 091114-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: avast! antivirus 4.8.1356 [VPS 091114-0] *enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Windows\servicing\TrustedInstaller.exe
c:\program files\windows defender\MpCmdRun.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Robert\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Print Clips: {ffffffff-ff12-44c5-91ec-068e3aa1b2d7} - c:\program files\hp\smart web printing\hpswp_framework.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\wpclsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\robert\appdata\roaming\mozilla\firefox\profiles\px624e3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-10 28552]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-11 114768]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\hp\quickplay\000.fcl [2007-12-7 39408]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-11 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-11 53328]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]
R2 WinFLdrv;WinFLdrv;c:\windows\system32\WinFLdrv.sys [2009-9-1 10752]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-8-23 30192]

=============== Created Last 30 ================

2009-11-13 03:11:44 0 ----a-w- c:\windows\system32\settings.dat
2009-11-12 03:30:24 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-11 03:10:46 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-11 03:10:28 0 d-----w- c:\program files\Panda Security
2009-11-11 01:11:14 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 01:11:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 22:30:09 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-05 22:29:54 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-05 22:29:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-05 22:29:45 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-03 19:25:09 0 d-----w- c:\program files\CCleaner
2009-11-03 16:13:07 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 15:19:00 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2009-11-03 14:28:06 0 ----a-w- c:\windows\system32\ûˆ
2009-11-03 14:15:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-30 15:44:58 7034 ----a-w- c:\windows\system32\tmp.reg
2009-10-30 15:44:08 87552 ----a-w- c:\windows\system32\VACFix.exe
2009-10-30 15:44:08 82944 ----a-w- c:\windows\system32\IEDFix.C.exe
2009-10-30 15:44:08 82432 ----a-w- c:\windows\system32\404Fix.exe
2009-10-30 15:44:08 80384 ----a-w- c:\windows\system32\o4Patch.exe
2009-10-30 15:44:08 78336 ----a-w- c:\windows\system32\Agent.OMZ.Fix.exe
2009-10-30 15:44:07 82944 ----a-w- c:\windows\system32\IEDFix.exe
2009-10-30 15:44:07 75776 ----a-w- c:\windows\system32\WS2Fix.exe
2009-10-30 15:44:02 289144 ----a-w- c:\windows\system32\VCCLSID.exe
2009-10-30 15:43:57 79360 ----a-w- c:\windows\system32\swxcacls.exe
2009-10-30 15:43:56 51200 ----a-w- c:\windows\system32\dumphive.exe
2009-10-30 15:43:56 288417 ----a-w- c:\windows\system32\SrchSTS.exe
2009-10-30 15:43:51 135168 ----a-w- c:\windows\system32\swreg.exe
2009-10-30 15:43:46 53248 ----a-w- c:\windows\system32\Process.exe
2009-10-30 00:29:08 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-28 21:18:30 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 21:18:29 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 21:18:28 4096 ----a-w- c:\windows\system32\msdxm.ocx
2009-10-28 21:18:28 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 21:18:27 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-16 22:37:51 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 22:37:51 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 22:37:39 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-10-16 22:37:38 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-16 22:37:38 217088 ----a-w- c:\windows\system32\psisrndr.ax
2009-10-16 22:37:34 80896 ----a-w- c:\windows\system32\MSNP.ax
2009-10-16 22:37:34 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2009-10-16 22:37:34 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-16 22:37:25 68608 ----a-w- c:\windows\system32\Mpeg2Data.ax
2009-10-16 22:37:25 177152 ----a-w- c:\windows\system32\mpg2splt.ax
2009-10-16 22:37:17 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-16 22:37:14 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 22:36:57 60928 ----a-w- c:\windows\system32\msasn1.dll

==================== Find3M ====================

2009-11-03 23:04:27 27430 ----a-w- c:\users\robert\appdata\roaming\nvModes.dat
2009-10-12 14:07:54 51200 ----a-w- c:\windows\inf\infpub.dat
2009-10-12 14:07:53 86016 ----a-w- c:\windows\inf\infstrng.dat
2009-10-05 02:35:42 86016 ----a-w- c:\windows\inf\infstor.dat
2009-09-10 17:38:29 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-02 01:30:26 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-09-02 01:30:20 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-09-02 01:30:01 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-08-30 16:46:48 3646 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-08-29 03:41:42 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:42:52 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31:54 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02:34 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57:36 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56:05 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24:10 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51:45 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-26 07:08:36 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 0726 268800 ----a-w- c:\windows\system32\es.dll
2009-08-25 20:37:24 174 --sha-w- c:\program files\desktop.ini
2009-08-25 20:31:12 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-25 20:29:56 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-08-25 20:29:51 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-08-25 20:29:46 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-08-25 20:29:41 272896 ----a-w- c:\windows\system32\polstore.dll
2009-08-25 20:28:28 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-08-25 20:28:23 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-08-25 20:28:18 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-08-25 20:25:14 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
2009-08-25 20:25:14 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
2009-08-25 20:25:12 24064 ----a-w- c:\windows\system32\wtsapi32.dll
2009-08-25 20:25:09 542720 ----a-w- c:\windows\system32\sysmain.dll
2009-08-25 20:24:49 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-08-25 20:24:18 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-25 20:24:17 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-25 20:24:17 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-25 20:24:17 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-25 20:24:17 24064 ----a-w- c:\windows\system32\lpk.dll
2009-08-25 20:24:17 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-25 20:23:56 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-08-25 20:23:40 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-25 20:23:24 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-08-25 20:22:37 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-25 20:22:37 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-25 20:22:20 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-25 20:22:02 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-25 20:22:02 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-08-25 20:22:02 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-08-25 20:20:46 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-25 20:20:31 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-08-25 20:20:31 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-08-25 20:19:48 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2009-08-25 20:16:02 696832 ----a-w- c:\windows\system32\localspl.dll
2009-08-25 20:15:35 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-08-25 20:15:35 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-08-25 20:15:35 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-08-25 20:15:35 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-08-25 20:15:35 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-08-25 20:15:35 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-08-25 20:14:00 2923520 ----a-w- c:\windows\explorer.exe
2009-08-24 22:10:14 24064 ----a-w- c:\windows\system32\netcfg.exe
2009-08-24 22:05:22 1793536 ----a-w- c:\windows\system32\NlsLexicons0045.dll
2009-08-24 22:05:15 1808896 ----a-w- c:\windows\system32\NlsLexicons0046.dll
2009-08-24 22:05:09 1411072 ----a-w- c:\windows\system32\NlsLexicons0047.dll
2009-08-24 22:04:21 1558016 ----a-w- c:\windows\system32\NlsLexicons0049.dll
2009-08-24 22:04:15 1236992 ----a-w- c:\windows\system32\NlsLexicons0020.dll
2009-08-24 22:04:08 1782272 ----a-w- c:\windows\system32\NlsLexicons0039.dll
2009-08-24 22:04:02 2136064 ----a-w- c:\windows\system32\NlsLexicons0021.dll
2009-08-24 22:03:52 5499904 ----a-w- c:\windows\system32\NlsLexicons0022.dll
2009-08-24 22:03:40 7964672 ----a-w- c:\windows\system32\NlsLexicons0024.dll
2009-08-24 22:03:28 5791232 ----a-w- c:\windows\system32\NlsLexicons0026.dll
2009-08-24 22:03:17 6224896 ----a-w- c:\windows\system32\NlsLexicons0027.dll
2009-08-24 22:03:07 4175872 ----a-w- c:\windows\system32\NlsLexicons0010.dll
2009-08-24 22:02:59 2466816 ----a-w- c:\windows\system32\NlsLexicons0011.dll
2009-08-24 22:02:50 4981248 ----a-w- c:\windows\system32\NlsLexicons0013.dll
2009-08-24 22:02:40 3331072 ----a-w- c:\windows\system32\NlsLexicons0018.dll
2009-08-24 22:02:30 6781440 ----a-w- c:\windows\system32\NlsLexicons0019.dll
2009-08-24 22:02:15 11722752 ----a-w- c:\windows\system32\NlsLexicons0001.dll
2009-08-24 22:02:02 4164096 ----a-w- c:\windows\system32\NlsLexicons0002.dll
2009-08-24 22:01:54 1452544 ----a-w- c:\windows\system32\NlsLexicons0003.dll
2009-08-24 22:01:40 12240896 ----a-w- c:\windows\system32\NlsLexicons0007.dll
2009-08-24 22:01:32 2644480 ----a-w- c:\windows\system32\NlsLexicons0009.dll
2009-08-24 22:01:24 3419136 ----a-w- c:\windows\system32\NlsLexicons004a.dll
2009-08-24 22:01:20 1702912 ----a-w- c:\windows\system32\NlsLexicons004b.dll
2009-08-24 22:01:12 4093440 ----a-w- c:\windows\system32\NlsLexicons004c.dll
2009-08-24 22:01:04 1972736 ----a-w- c:\windows\system32\NlsLexicons004e.dll
2009-08-24 22:00:58 4045824 ----a-w- c:\windows\system32\NlsLexicons003e.dll
2009-08-24 22:00:56 4096 ----a-w- c:\windows\system32\NlsLexicons002a.dll
2009-08-24 22:00:47 6014976 ----a-w- c:\windows\system32\NlsLexicons001a.dll
2009-08-24 22:00:34 6585856 ----a-w- c:\windows\system32\NlsLexicons001b.dll
2009-08-24 22:00:23 6346240 ----a-w- c:\windows\system32\NlsLexicons001d.dll
2009-08-24 22:00:08 9892864 ----a-w- c:\windows\system32\NlsLexicons000a.dll
2009-08-24 21:59:53 6237696 ----a-w- c:\windows\system32\NlsLexicons000c.dll
2009-08-24 21:59:48 1722368 ----a-w- c:\windows\system32\NlsLexicons000d.dll
2009-08-24 21:59:39 5654528 ----a-w- c:\windows\system32\NlsLexicons000f.dll
2009-08-24 21:59:27 4616192 ----a-w- c:\windows\system32\NlsLexicons0414.dll
2009-08-24 21:59:15 5090816 ----a-w- c:\windows\system32\NlsLexicons0416.dll
2009-08-24 21:59:04 5031936 ----a-w- c:\windows\system32\NlsLexicons0816.dll

============= FINISH: 14:28:59.58 ===============
Attached Files
File Type: zip ark.zip (3.5 KB, 1 views)
11-14-2009, 01:19 PM   #10
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: search result redirects and spontaneous new browser tabs

Hi rconway,

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.


====================================================


Double click on combofix.exe & follow the prompts.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
11-14-2009, 02:53 PM   #11
Registered User
Join Date: Nov 2009
Posts: 14
OS: Vista


Re: search result redirects and spontaneous new browser tabs

Ried, here's the combofix log, but a new problem has emerged... I shut down Avast before running combofix as recommended. After running Combofix, I try to restart Avast, and it will not start! It keeps telling me that the skin failed to load. I downloaded a brand new skin from Avast just on the off chance that Combofix deleted a previous skin component, but none of the three Avast skins will load. And to my amazement, that means the program itself terminates! So.... here's the combofix log, but at the moment I'm without ANY antivirus, which obviously troubles me. Thank you again for your help!



ComboFix 09-11-15.01 - Robert 11/14/2009 16:11..2 - FAT32x86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.3070.1458 [GMT -5:00]
Running from: c:\users\Robert\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091114-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1356 [VPS 091114-0] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1651855349-324657596-3130802181-500
c:\$recycle.bin\S-1-5-21-214664394-939779231-1676498810-500
c:\users\Robert\AppData\Roaming\.#
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\KBL.LOG
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 21:23 . 2009-11-14 21:23 -------- d-----w- c:\users\Jacob\AppData\Local\temp
2009-11-14 21:23 . 2009-11-14 21:23 -------- d-----w- c:\users\Emilie\AppData\Local\temp
2009-11-14 21:23 . 2009-11-14 21:23 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-13 03:11 . 2009-11-13 03:11 0 ----a-w- c:\windows\system32\settings.dat
2009-11-12 03:30 . 2009-09-15 11:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-12 03:30 . 2009-09-15 11:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-12 03:30 . 2009-09-15 11:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-12 03:30 . 2009-09-15 11:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-12 03:30 . 2009-09-15 11:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-12 03:30 . 2009-09-15 11:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-12 03:30 . 2009-09-15 11:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-12 03:30 . 2009-11-12 03:30 -------- d-----w- c:\program files\Alwil Software
2009-11-12 03:11 . 2009-11-12 03:11 4096 d-----w- c:\program files\ERUNT
2009-11-11 03:10 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-11 03:10 . 2009-11-11 03:10 -------- d-----w- c:\program files\Panda Security
2009-11-11 01:11 . 2009-08-14 14:01 2031104 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 01:11 . 2009-08-10 13:08 321536 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-07 00:12 . 2009-11-07 00:12 -------- d-----w- c:\users\Emilie\AppData\Roaming\CyberLink
2009-11-07 00:12 . 2009-11-07 00:12 -------- d-----w- c:\users\Emilie\AppData\Roaming\HP
2009-11-05 22:30 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-11-05 22:30 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-11-05 22:30 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-11-05 22:30 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-11-05 22:29 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-11-05 22:29 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-11-05 22:29 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-11-05 22:29 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-11-05 22:29 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-11-05 22:23 . 2009-11-05 22:23 -------- d-----w- c:\users\Emilie\AppData\Roaming\Malwarebytes
2009-11-03 19:25 . 2009-11-03 19:25 -------- d-----w- c:\program files\CCleaner
2009-11-03 16:13 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-03 14:15 . 2009-11-03 14:13 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-02 20:13 . 2009-11-02 20:13 -------- d-----w- c:\users\Jacob\AppData\Roaming\Malwarebytes
2009-10-30 00:29 . 2009-10-30 00:29 2146304 ----a-w- c:\windows\system32\GPhotos.scr
2009-10-29 12:56 . 2009-10-29 12:56 -------- d-----w- c:\users\Robert\AppData\Local\Microsoft Help
2009-10-29 12:43 . 2009-10-29 12:43 4045528 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-28 21:18 . 2009-09-10 15:29 311296 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 21:18 . 2009-09-10 17:39 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-10-28 21:18 . 2009-09-10 17:40 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-10-28 21:18 . 2009-09-10 15:29 8147968 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-16 22:37 . 2009-08-05 14:28 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-10-16 22:37 . 2009-08-05 14:28 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-10-16 22:37 . 2009-08-31 15:16 428032 ----a-w- c:\windows\system32\EncDec.dll
2009-10-16 22:37 . 2009-08-31 15:21 292352 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-16 22:37 . 2009-08-31 15:17 1244672 ----a-w- c:\windows\system32\mcmde.dll
2009-10-16 22:37 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-16 22:37 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 22:36 . 2009-09-04 12:38 60928 ----a-w- c:\windows\system32\msasn1.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-11 08:19 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-11 08:03 . 2007-10-28 10:59 8192 d-----w- c:\programdata\Microsoft Help
2009-11-05 22:23 . 2009-09-02 00:48 76568 ----a-w- c:\users\Emilie\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-03 23:04 . 2009-08-24 12:30 27430 ----a-w- c:\users\Robert\AppData\Roaming\nvModes.dat
2009-11-03 14:35 . 2009-08-24 00:58 -------- d-----w- c:\program files\AVG
2009-11-03 14:29 . 2009-08-24 00:20 36864 d-----w- c:\program files\Spyware Doctor
2009-11-03 14:27 . 2009-08-24 00:20 -------- d-----w- c:\programdata\PC Tools
2009-11-03 14:13 . 2007-10-28 11:34 -------- d-----w- c:\program files\Java
2009-11-02 20:14 . 2009-11-02 20:14 27335 ----a-w- c:\users\Jacob\AppData\Roaming\nvModes.dat
2009-11-02 20:13 . 2009-09-02 01:18 76568 ----a-w- c:\users\Jacob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-30 22:08 . 2009-08-24 00:42 76568 ----a-w- c:\users\Robert\AppData\Local\GDIPFONTCACHEV1.DAT
2009-10-30 19:36 . 2007-10-28 09:18 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-10-30 19:36 . 2007-10-28 11:06 4096 d-----w- c:\program files\CyberLink
2009-10-29 12:44 . 2009-08-24 01:09 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-12 13:01 . 2009-10-12 13:01 -------- d-----w- c:\programdata\TomTom
2009-10-12 12:58 . 2009-10-12 12:58 -------- d-----w- c:\users\Robert\AppData\Roaming\TomTom
2009-10-12 12:58 . 2009-10-12 12:58 -------- d-----w- c:\program files\TomTom International B.V
2009-10-12 12:57 . 2009-10-12 12:57 4096 d-----w- c:\program files\TomTom HOME 2
2009-10-12 12:08 . 2009-08-24 01:54 4096 d-----w- c:\users\Robert\AppData\Roaming\Apple Computer
2009-10-05 03:03 . 2009-10-05 02:57 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-05 03:03 . 2009-10-05 02:57 4096 d-----w- c:\program files\iTunes
2009-10-05 02:57 . 2009-10-05 02:57 -------- d-----w- c:\program files\iPod
2009-10-05 02:57 . 2009-08-24 01:37 -------- d-----w- c:\program files\Common Files\Apple
2009-10-05 02:53 . 2009-10-05 02:44 4096 d-----w- c:\program files\QuickTime
2009-10-05 02:27 . 2009-10-05 02:27 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-10-04 23:24 . 2009-10-04 23:24 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-26 17:11 . 2009-08-24 02:24 -------- d-----w- c:\program files\Google
2009-09-18 01:02 . 2007-10-28 10:36 28672 d-----w- c:\program files\Microsoft Works
2009-09-16 00:40 . 2009-09-16 00:40 -------- d--h--w- c:\programdata\CanonBJ
2009-09-16 00:33 . 2009-09-16 00:33 -------- d--h--w- c:\program files\CanonBJ
2009-09-10 18:54 . 2009-08-24 01:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-08-24 01:09 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 17:38 . 2009-10-16 22:38 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-08 16:43 . 2009-09-08 16:43 27430 ----a-w- c:\users\Emilie\AppData\Roaming\nvModes.dat
2009-09-02 01:30 . 2009-09-02 01:30 180224 ----a-w- c:\windows\system32\WinVd32.sys
2009-09-02 01:30 . 2009-09-02 01:30 7680 ----a-w- c:\windows\system32\WinFLsrv.exe
2009-09-02 01:30 . 2009-09-02 01:30 10752 ----a-w- c:\windows\system32\WinFLdrv.sys
2009-08-30 16:46 . 2009-08-30 16:46 3646 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-08-29 03:41 . 2009-09-04 01:31 1686528 ----a-w- c:\windows\system32\gameux.dll
2009-08-29 03:40 . 2009-09-04 01:31 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 23:42 . 2009-08-28 23:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-28 23:42 . 2009-08-28 23:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 23:31 . 2009-09-04 01:31 4247552 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 14:02 . 2009-10-16 22:38 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:57 . 2009-10-16 22:38 56320 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 13:57 . 2009-10-16 22:38 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 13:56 . 2009-10-16 22:38 72704 ----a-w- c:\windows\system32\admparse.dll
2009-08-27 11:24 . 2009-10-16 22:38 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-27 09:51 . 2009-10-16 22:38 48128 ----a-w- c:\windows\system32\mshtmler.dll
2009-08-26 07:08 . 2009-08-26 07:08 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-26 07:06 . 2009-08-26 07:06 268800 ----a-w- c:\windows\system32\es.dll
2009-08-25 20:31 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-08-25 20:29 . 2009-08-25 20:29 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-08-25 20:29 . 2009-08-25 20:29 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-08-25 20:29 . 2009-08-25 20:29 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-08-25 20:29 . 2009-08-25 20:29 272896 ----a-w- c:\windows\system32\polstore.dll
2009-08-25 20:28 . 2009-08-25 20:28 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-08-25 20:28 . 2009-08-25 20:28 95232 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-08-25 20:28 . 2009-08-25 20:28 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-08-25 20:25 . 2009-08-25 20:25 704000 ----a-w- c:\windows\system32\PhotoScreensaver.scr
2009-08-25 20:25 . 2009-08-25 20:25 356352 ----a-w- c:\windows\system32\wbem\wbemcomn.dll
2009-08-25 20:25 . 2009-08-25 20:25 24064 ----a-w- c:\windows\system32\wtsapi32.dll
2009-08-25 20:25 . 2009-08-25 20:25 258232 ----a-w- c:\windows\system32\drivers\acpi.sys
2009-08-25 20:25 . 2009-08-25 20:25 20920 ----a-w- c:\windows\system32\drivers\compbatt.sys
2009-08-25 20:25 . 2009-08-25 20:25 14208 ----a-w- c:\windows\system32\drivers\CmBatt.sys
2009-08-25 20:25 . 2009-08-25 20:25 11264 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2009-08-25 20:25 . 2009-08-25 20:25 28344 ----a-w- c:\windows\system32\drivers\battc.sys
2009-08-25 20:25 . 2009-08-25 20:25 542720 ----a-w- c:\windows\system32\sysmain.dll
2009-08-25 20:24 . 2009-08-25 20:24 194560 ----a-w- c:\windows\system32\WebClnt.dll
2009-08-25 20:24 . 2009-08-25 20:24 110080 ----a-w- c:\windows\system32\drivers\mrxdav.sys
2009-08-25 20:24 . 2009-08-25 20:24 156160 ----a-w- c:\windows\system32\t2embed.dll
2009-08-25 20:24 . 2009-08-25 20:24 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-08-25 20:24 . 2009-08-25 20:24 34304 ----a-w- c:\windows\system32\atmlib.dll
2009-08-25 20:24 . 2009-08-25 20:24 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-08-25 20:24 . 2009-08-25 20:24 24064 ----a-w- c:\windows\system32\lpk.dll
2009-08-25 20:24 . 2009-08-25 20:24 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-08-25 20:23 . 2009-08-25 20:23 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-08-25 20:23 . 2009-08-25 20:23 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-25 20:23 . 2009-08-25 20:23 297472 ----a-w- c:\windows\system32\gdi32.dll
2009-08-25 20:23 . 2009-08-25 20:23 41984 ----a-w- c:\windows\system32\drivers\monitor.sys
2009-08-25 20:23 . 2009-08-25 20:23 1060920 ----a-w- c:\windows\system32\drivers\ntfs.sys
2009-08-25 20:22 . 2009-08-25 20:22 211456 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-08-25 20:22 . 2009-08-25 20:22 500736 ----a-w- c:\windows\system32\msdtcprx.dll
2009-08-25 20:22 . 2009-08-25 20:22 30208 ----a-w- c:\windows\system32\xolehlp.dll
2009-08-25 20:22 . 2009-08-25 20:22 156160 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-25 20:22 . 2009-08-25 20:22 36352 ----a-w- c:\windows\system32\tsgqec.dll
2009-08-25 20:22 . 2009-08-25 20:22 1871872 ----a-w- c:\windows\system32\mstscax.dll
2009-08-25 20:22 . 2009-08-25 20:22 116736 ----a-w- c:\windows\system32\aaclient.dll
2009-08-25 20:20 . 2009-08-25 20:20 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-08-25 20:20 . 2009-08-25 20:20 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-08-25 20:20 . 2009-08-25 20:20 1194496 ----a-w- c:\windows\system32\msxml3.dll
2009-08-25 20:19 . 2009-08-25 20:19 356864 ----a-w- c:\windows\system32\MediaMetadataHandler.dll
2009-08-25 20:16 . 2009-08-25 20:16 696832 ----a-w- c:\windows\system32\localspl.dll
2009-08-25 20:15 . 2009-08-25 20:15 88576 ----a-w- c:\windows\system32\avifil32.dll
2009-08-25 20:15 . 2009-08-25 20:15 82944 ----a-w- c:\windows\system32\mciavi32.dll
2009-08-25 20:15 . 2009-08-25 20:15 65024 ----a-w- c:\windows\system32\avicap32.dll
2009-08-25 20:15 . 2009-08-25 20:15 31232 ----a-w- c:\windows\system32\msvidc32.dll
2009-08-25 20:15 . 2009-08-25 20:15 12800 ----a-w- c:\windows\system32\msrle32.dll
2009-08-25 20:15 . 2009-08-25 20:15 123904 ----a-w- c:\windows\system32\msvfw32.dll
2009-08-25 20:14 . 2009-08-25 20:14 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-08-24 02:25 . 2009-08-24 02:26 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-19 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-19 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-19 81920]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-07-25 174616]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-10-01 181544]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-19 202032]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-10-28 1006264]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-11-03 149280]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-08-24 30192]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-17 4702208]

c:\users\Emilie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [11/10/2009 10:10 PM 28552]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [11/11/2009 10:30 PM 114768]
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [12/7/2007 2:32 AM 39408]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [11/11/2009 10:30 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [11/11/2009 10:30 PM 53328]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
R2 WinFLdrv;WinFLdrv;c:\windows\System32\WinFLdrv.sys [9/1/2009 8:30 PM 10752]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/23/2009 9:24 PM 30192]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
*Deregistered* - ugliqpow
.
Contents of the 'Scheduled Tasks' folder

2009-11-03 c:\windows\Tasks\HPCeeScheduleForRobert.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-10-28 18:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\px624e3o.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 16:23
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\sys_drv.dat 6024 bytes
c:\windows\system32\sys_drv_2.dat 5020 bytes
c:\users\Robert\AppData\Roaming\systemfl.$dk 990 bytes

scan completed successfully
hidden files: 3

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x8A710E07]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2009-11-14 16:30
ComboFix-quarantined-files.txt 2009-11-14 21:29

Pre-Run: 85,367,193,600 bytes free
Post-Run: 85,368,832,000 bytes free

- - End Of File - - AAD747C601FEE90B8BDFF98B59C0D31A
rconway is offline  
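The "Reg Loading Points" section of the ComboFix log above is REGEDIT4 text, and three entries in it deserve a look independently of the redirect: "EnableLUA"=0 (UAC is switched off on this Vista machine), "DisableMonitoring"=1 under the Security Center keys (Security Center stops tracking the listed products' status), and a non-empty AppInit_DLLs value (here Google Desktop's DLL, which is legitimate, but the value is a classic injection point because every process that maps user32.dll loads it). The script below is an added example by the editor, not part of the thread and not ComboFix code: it parses that format and flags those three weakenings. The sample text is trimmed from the log above; the checks themselves are the editor's own heuristics, not ComboFix rules.

```python
"""Audit the REGEDIT4-style 'Reg Loading Points' text that ComboFix prints.

Added example by the editor: not part of the thread and not ComboFix code.
The checks (UAC off, Security Center monitoring off, AppInit_DLLs set) are
the editor's own heuristics, and SAMPLE is trimmed from the log above.
"""
import re

SAMPLE = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_regedit4(text):
    """Return {key (lower-cased): {value name: raw data}} for REGEDIT4 text.
    ComboFix appends '[date size]' to Run entries; that stays in the raw data."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def dword(raw):
    """Decode either the .reg form 'dword:00000001' or ComboFix's '0 (0x0)'."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return int(raw.split()[0], 0)


def audit(keys):
    """Return a list of findings for settings that weaken the host."""
    findings = []
    for key, values in keys.items():
        if key.endswith(r"\policies\system") and "EnableLUA" in values:
            if dword(values["EnableLUA"]) == 0:
                findings.append("UAC disabled (EnableLUA=0)")
        if key.endswith(r"\windows nt\currentversion\windows"):
            dlls = values.get("AppInit_DLLs", "").strip('"')
            if dlls:  # loaded into every process that maps user32.dll
                findings.append(f"AppInit_DLLs set: {dlls}")
        if r"\security center\monitoring" in key:
            if dword(values.get("DisableMonitoring", "0")) == 1:
                findings.append(f"Security Center monitoring disabled: {key}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_regedit4(SAMPLE)):
        print(finding)
```

Run against the full ComboFix excerpt, it reports the three settings above; whether each one is a deliberate choice (UAC off is common on home Vista boxes) or something malware set is for the analyst to decide, which is why the script reports rather than changes anything.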
Old 11-14-2009, 03:07 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: search result redirects and spontaneous new browser tabs

To repair Avast, boot into Safe Mode

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open notepad and copy/paste the entire text in the quote box below: (don't forget to copy and paste REGEDIT4)

Quote:

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
Save the file as "fix.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"

Right click on the fix.reg and run as administrator. Choose Yes to merge/add it to the registry.

Reboot.

===========================

Are you still getting redirected? If so, please also try Google search using Internet Explorer. I need to know if this redirection occurs in both browsers.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 11-14-2009, 03:26 PM   #13 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 14
OS: Vista


Re: search result redirects and spontaneous new browser tabs

Okay. Registry updates completed. However, I still can't run the Avast AV scanner tool itself. The exact error message says "Unknown error. Skin is not complete. Look at the following description. Skin is not loaded properly. "

However, the Avast real-time monitoring seems to be running well. To answer your question, yes, the browser redirects are still happening. Just confirmed. However, Avast real-time did its job and detected and blocked the redirect. That's useful, but of course not the desired solution.

Where do we go from here?

BTW, I'm disabling wireless in between these missives, just to prevent further infection or spreading this to others. I'm monitoring your responses on my iphone though, so I should be able to respond to you promptly.

Your support and guidance is so appreciated. Thanks once again!
rconway is offline  
Old 11-14-2009, 03:29 PM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: search result redirects and spontaneous new browser tabs

This is the first I've heard of Avast skin being affected. It will take me some time to research and see if I can find out about that. In the meantime, download HostsXpert.
  • Unzip HostsXpert to its own folder.
  • Run HostsXpert.exe
  • Click "Restore MS Hosts file" and then click OK.
  • Close HostsXpert.
  • Note: If a custom Hosts file was in place, you'll have to edit those entries back in.

Are you still getting redirected?
Ried is offline  
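HostsXpert's "Restore MS Hosts file" button replaces the hosts file wholesale, which fixes the problem without showing what was in it. The check below is an added example by the editor, not HostsXpert and not from the thread: it parses a Windows hosts file and separates redirects (a name mapped to a public address, which sends the browser somewhere else) from blocks (a vendor or search domain mapped to loopback or 0.0.0.0, which keeps AV from updating or hides a redirect). The sample file, the documentation address in it and the watched-domain list are all constructed for the example. A hosts file that holds only the localhost lines, as the next reply reports, rules out only this one redirect mechanism; DNS settings and kernel-level hooks are separate checks.

```python
"""Check a Windows hosts file for redirects and blocks.

Added example by the editor: not from the thread and not HostsXpert. The
SAMPLE text and the WATCHED_SUFFIXES list are constructed for this example.
"""
import ipaddress
import os

LOOPBACK_AND_NULL = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: domains whose blocking would hide a redirect from the user or
# keep AV from updating. Extend to taste.
WATCHED_SUFFIXES = ("google.com", "avast.com", "avg.com", "microsoft.com")

# Constructed sample: stock localhost lines plus two hijack lines.
# 203.0.113.5 is a documentation address (TEST-NET-3), not a real host.
SAMPLE = """# Copyright (c) 1993-2006 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
203.0.113.5     www.google.com      # constructed redirect
127.0.0.1       www.avast.com       # constructed block
"""


def parse_hosts(text):
    """Yield (ip, name) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; a fuller audit would report the line
        for name in parts[1:]:
            yield str(ip), name.lower()


def is_watched(name):
    """Exact match or subdomain of a watched domain (not 'evilgoogle.com')."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return (kind, name, ip) for every non-localhost entry.

    redirect: name mapped to an address that is not loopback/null
    block:    watched vendor or search domain mapped to loopback/null
    custom:   anything else, left for the operator to review
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if ip not in LOOPBACK_AND_NULL:
            findings.append(("redirect", name, ip))
        elif is_watched(name):
            findings.append(("block", name, ip))
        else:
            findings.append(("custom", name, ip))
    return findings


def windows_hosts_path():
    """Location of the live hosts file on Windows (assumes the default layout)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    for kind, name, ip in find_hijacks(SAMPLE):
        print(f"{kind:8} {name} -> {ip}")
```

To run it against the real file, read windows_hosts_path() from an elevated prompt (the file is writable only by administrators, and a hijacked copy is sometimes also set hidden or read-only, so look at the attributes as well as the contents).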
Old 11-14-2009, 03:45 PM   #15 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 14
OS: Vista


Re: search result redirects and spontaneous new browser tabs

Done, and still getting redirected. Just googled "Avast". First link from avast.com redirected me to "vafo.org" which bounced me to "juggle.com". Sigh........

Just manually checked hosts file, and it has only one entry... the localhost one.

RE: Avast.... should I try un-installing it and then re-installing it? I still have the installer in my downloads directory and the registration key in my email.
rconway is offline  
Old 11-14-2009, 04:05 PM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: search result redirects and spontaneous new browser tabs

I haven't found much on that error, but what I did find suggests Control Panel -> Programs -> Uninstall or change a program, then selecting the Repair install for Avast.

We'll have to keep digging for the source of these redirects. Please run this online scan. It can take several hours to complete, so please be patient and allow it to run its full course:

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
Ried is offline  
Old 11-15-2009, 06:39 AM   #17 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 14
OS: Vista


Re: search result redirects and spontaneous new browser tabs

Kaspersky log follows:



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, November 15, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit (build 6000)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, November 14, 2009 22:53:43
Records in database: 3210117
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 168072
Threats found: 2
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 02:12:00


File name / Threat / Threats count
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Inbox Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Inbox Infected: Worm.Win32.AutoRun.prf 1
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Trash Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Trash Infected: Worm.Win32.AutoRun.prf 1

Selected area has been scanned.
rconway is offline  
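All four hits in the Kaspersky report above sit inside Thunderbird mailbox files (the Inbox and Trash mbox files under the profile's Mail folder). Those are stored e-mail messages carrying malicious attachments: they are not files that run on their own, cleaning them means deleting the messages and compacting the folders, and they do not explain a search redirect. The parser below is an added example by the editor, not Kaspersky's code: it reads the "File name / Threat / Threats count" lines, groups hits by container and tags mail stores so that loose-file hits, the ones that could relate to active malware, stand out. The sample lines are copied from the report above; the mail-store heuristic is an assumption about where mail clients keep their stores.

```python
"""Parse the hit lines of a Kaspersky Online Scanner 7 report.

Added example by the editor: not Kaspersky's code and not from the thread
beyond the SAMPLE lines, which are copied from the report above. The
mail-store heuristic is an assumption about where mail clients keep mail.
"""
import re
from collections import defaultdict

SAMPLE = r"""File name / Threat / Threats count
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Inbox Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Inbox Infected: Worm.Win32.AutoRun.prf 1
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Trash Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Users\Robert\AppData\Roaming\Thunderbird\Profiles\tamfoog9.default\Mail\pop.secureserver.net\Trash Infected: Worm.Win32.AutoRun.prf 1

Selected area has been scanned.
"""

HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)
MAIL_STORE_EXT = (".pst", ".ost", ".dbx", ".mbx")  # assumption: other clients' stores


def parse_report(text):
    """Return [(path, verdict, threat, count)] for every hit line."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("verdict"),
                         m.group("threat"), int(m.group("count"))))
    return hits


def is_mail_store(path):
    """True when the container is a mailbox file rather than a loose file.
    Thunderbird keeps extension-less mbox files under the profile's Mail folder."""
    low = path.lower()
    return ("\\thunderbird\\" in low and "\\mail\\" in low) or low.endswith(MAIL_STORE_EXT)


def summarize(hits):
    """Group threats by container and tag mail stores, where the detection is
    an attachment inside a stored message, not an executable on disk."""
    by_path = defaultdict(list)
    for path, _verdict, threat, count in hits:
        by_path[path].append((threat, count))
    return {p: {"threats": t, "mail_store": is_mail_store(p)}
            for p, t in by_path.items()}


def loose_file_hits(hits):
    """Hits outside mail stores: the ones that could relate to active malware."""
    return [h for h in hits if not is_mail_store(h[0])]


if __name__ == "__main__":
    for path, info in summarize(parse_report(SAMPLE)).items():
        tag = "mail store" if info["mail_store"] else "file"
        print(f"[{tag}] {path}: {info['threats']}")
```

For this report loose_file_hits() comes back empty, which is the triage point: the scanner found nothing on disk that would account for the redirect, so the next step in the thread, looking at the loaded drivers, is the right direction.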
Old 11-15-2009, 11:57 AM   #18 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: search result redirects and spontaneous new browser tabs

Download OTL to your desktop.

Double click the icon to start the tool.

Look toward the bottom of the window and you'll see a 'Custom Scans/Fixes' area. Copy/paste the following bolded text into that area:

%systemroot%\system32\drivers\*.sys

In the upper left corner of the window:
  • Click the None button
  • Click Run Scan.
When the scan is complete, the log will pop open in Notepad. Please attach that report to your next post.
Ried is offline  
Old 11-15-2009, 12:52 PM   #19 (permalink)
Registered User
 
Join Date: Nov 2009
Posts: 14
OS: Vista


Re: search result redirects and spontaneous new browser tabs

OTL log is attached. Thanks again!
Attached Files
File Type: zip OTL.zip (7.0 KB, 4 views)
rconway is offline  
Old 11-15-2009, 01:00 PM   #20 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 27,080
OS: WinXP and Vista


Re: search result redirects and spontaneous new browser tabs

You do indeed have the latest pain-in-the-rear variant of a hijacked hard disk controller.

I have to go offline for several hours, but let's get started with what I'll need from you in order to continue.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
Ried is offline  
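Posts #18 and #20 ask for two listings: every *.sys under System32\drivers (the OTL custom scan) and every copy of iastor.* anywhere on the disk (SystemLook's :filefind, which prints size, dates and hash for each copy). The point of the second listing is a comparison the analyst then does by hand. Windows keeps backup copies of the drivers it shipped (DriverStore\FileRepository, winsxs), so a storage driver whose live copy in System32\drivers hashes differently from those backups, often at exactly the same size, is the signature of the hijacked disk controller the post above describes. The script below is an added example by the editor, not OTL or SystemLook and not from the thread; it performs that comparison over a directory tree. The tree it builds for demonstration is constructed with stand-in bytes, not real driver images. One caveat that matters here: an infected storage driver can hand the clean bytes to anything that reads the file while it is loaded, so a clean hash obtained from the running system is not proof of anything. The comparison is trustworthy only against a disk mounted from an offline boot.

```python
"""Compare every copy of a driver found under a Windows tree.

Added example by the editor: not OTL, not SystemLook and not from the thread.
It does what an analyst does by hand with SystemLook ':filefind' output:
hash every copy of a driver and check whether the copy that loads
(System32\\drivers) matches the backups Windows keeps in DriverStore and
winsxs. build_sample_tree() creates a constructed tree with stand-in bytes.
"""
import fnmatch
import hashlib
import os
import sys
import tempfile
from collections import defaultdict

LIVE_DIR_SUFFIX = os.path.join("system32", "drivers")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def file_find(root, pattern):
    """Every file under root whose name matches pattern (like ':filefind'),
    with size, mtime and SHA-256. SystemLook prints MD5; SHA-256 is used here."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in fnmatch.filter(names, pattern):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            found.append({"path": full, "size": st.st_size,
                          "mtime": st.st_mtime, "sha256": sha256_of(full)})
    return found


def is_live_copy(entry):
    """The copy that actually loads lives directly in System32/drivers."""
    return os.path.dirname(entry["path"]).lower().endswith(LIVE_DIR_SUFFIX)


def compare_copies(found):
    """Return {name: details} for drivers whose live copy hashes differently
    from every backup copy. Same size with a different hash is the pattern
    to look for; size alone proves nothing."""
    by_name = defaultdict(list)
    for entry in found:
        by_name[os.path.basename(entry["path"]).lower()].append(entry)
    suspicious = {}
    for name, copies in by_name.items():
        live = [c for c in copies if is_live_copy(c)]
        backup = [c for c in copies if not is_live_copy(c)]
        if not live or not backup:
            continue  # nothing to compare against
        backup_hashes = {c["sha256"] for c in backup}
        for c in live:
            if c["sha256"] not in backup_hashes:
                suspicious[name] = {
                    "live": c["path"],
                    "live_size": c["size"],
                    "live_sha256": c["sha256"],
                    "backup_sha256": sorted(backup_hashes),
                }
    return suspicious


def build_sample_tree():
    """Constructed tree: clean iastor.sys in DriverStore and winsxs, a
    same-size modified copy in System32/drivers, and an atapi.sys with no
    backup copy to compare against."""
    root = tempfile.mkdtemp(prefix="drvcheck_")
    clean = b"IASTOR-CLEAN-IMAGE\n" * 64
    patched = clean[:-8] + b"PATCHED\n"  # same length, different bytes
    layout = {
        ("Windows", "System32", "drivers", "iastor.sys"): patched,
        ("Windows", "System32", "DriverStore", "FileRepository",
         "iastor.inf_x86", "iastor.sys"): clean,
        ("Windows", "winsxs", "x86_iastor_sample", "iastor.sys"): clean,
        ("Windows", "System32", "drivers", "atapi.sys"): b"ATAPI-IMAGE\n" * 32,
    }
    for parts, data in layout.items():
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    # Pass a real root (e.g. an offline-mounted Windows directory) to scan it instead.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for name, info in compare_copies(file_find(root, "iastor.*")).items():
        print(name, info["live"], info["live_size"], info["live_sha256"][:16],
              "backups:", [h[:16] for h in info["backup_sha256"]])
```

Running it with "*.sys" reproduces the OTL listing from post #18 with hashes added; running it with "iastor.*" reproduces the SystemLook request from post #20 and flags only a live copy that no backup matches. A driver that has no backup copy at all (atapi.sys in the sample tree) is skipped rather than flagged, because there is nothing to compare it against; for those, the vendor's signed copy is the reference.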
All times are GMT -7. The time now is 06:36 PM.

Copyright 2001 - 2009, Tech Support Forum