
Links in google search results get redirected / www.search-tracker.net


  • This topic is locked
15 replies to this topic

#1 dchoyt

dchoyt

  • Members
  • 8 posts

Posted 02 July 2009 - 08:58 AM

When doing google searches in Firefox or IE the links will get redirected when clicked on.
When the redirect is happening www.search-tracker.net appears in the bottom bar of firefox and the page displayed is wrong.
If I copy the link from the page (right click/copy link location) and paste it into the title bar it always works correctly.
AVG does not show any issues.
Comcast cable network offers free install of McAfee security suite that I use to run.
When this issue showed up I found I could no longer do a virus scan with McAfee as the computer would reboot when the scan started.
All the management functions of McAfee worked fine but start a scan and the computer reboots.
I uninstalled McAfee and installed AVG.
AVG did one round of cleaning and now can't find anything.
I don't remember what AVG found other than tracking cookies. If it leaves a log behind that may still be around.
I have tried to install and run Malwarebytes' Anti-Malware.
It seems to install fine but will not run. Double click the icon and nothing.
I have uninstalled and reinstalled several times but nothing. Never tries to do the update either.
I have uninstalled and reinstalled Firefox but that did not help.
I just copied the mbam.exe file to a new name and double clicked that and it started up. Cool.
I have attached the attach.txt file.
The Malwarebytes run finished. 1 Trojan.Agent was found. I have attached that log file also.
I will send this and then have Malwarebytes remove it. I will then see if Malwarebytes needs updating and will run again.
Thanks in advance for any help.
Dean

Here is the DDS log

DDS (Ver_09-06-26.01) - NTFSx86
Run by highmuck at 6:55:07.73 on Thu 07/02/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.889 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark Z2300 Series\ezprint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
C:\WINDOWS\system32\lxdpcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\IrfanView\i_view32.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\highmuck\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [lxdpmon.exe] "c:\program files\lexmark z2300 series\lxdpmon.exe"
mRun: [EzPrint] "c:\program files\lexmark z2300 series\ezprint.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [nwiz] nwiz.exe /install
StartupFolder: c:\docume~1\highmuck\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hposol08.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/3/9/8/398422c0-8d3e-40e1-a617-af65a72a0465/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\highmuck\applic~1\mozilla\firefox\profiles\bheeegk9.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101753&gct=&gc=1&q=
FF - plugin: c:\program files\mozilla firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-24 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-24 27784]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-24 298776]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [2003-4-23 107102]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [2003-4-18 36463]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [2009-1-15 98984]
S3 0fe11;0fe11;\??\c:\windows\system32\0fe11.sys --> c:\windows\system32\0fe11.sys [?]
S3 1333;1333;\??\c:\windows\system32\1333.sys --> c:\windows\system32\1333.sys [?]
S3 1958;1958;\??\c:\windows\system32\1958.sys --> c:\windows\system32\1958.sys [?]
S3 58cC;58cC;\??\c:\windows\system32\58cc.sys --> c:\windows\system32\58cC.sys [?]
S3 7a710;7a710;\??\c:\windows\system32\7a710.sys --> c:\windows\system32\7a710.sys [?]
S3 8224;8224;\??\c:\windows\system32\8224.sys --> c:\windows\system32\8224.sys [?]
S3 a5512;a5512;\??\c:\windows\system32\a5512.sys --> c:\windows\system32\a5512.sys [?]
S3 aa67;aa67;\??\c:\windows\system32\aa67.sys --> c:\windows\system32\aa67.sys [?]
S3 b8c2;b8c2;\??\c:\windows\system32\b8c2.sys --> c:\windows\system32\b8c2.sys [?]
S3 c35B;c35B;\??\c:\windows\system32\c35b.sys --> c:\windows\system32\c35B.sys [?]
S3 e5f6;e5f6;\??\c:\windows\system32\e5f6.sys --> c:\windows\system32\e5f6.sys [?]
S3 ee2D;ee2D;\??\c:\windows\system32\ee2d.sys --> c:\windows\system32\ee2D.sys [?]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2007-5-30 39424]
S3 ICAM3NT5;Intel® PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2007-1-23 145184]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2004-1-22 39936]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [2003-6-24 17920]

=============== Created Last 30 ================

2009-06-27 20:38 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-27 20:38 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-27 20:38 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 20:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-27 20:33 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-27 03:19 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-06-24 22:19 <DIR> --d----- c:\program files\CCleaner
2009-06-24 22:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-24 22:01 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-24 22:01 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-24 21:29 <DIR> --d----- c:\program files\Trend Micro
2009-06-22 07:03 <DIR> --d----- c:\program files\AVG
2009-06-22 07:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-22 06:22 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-21 22:03 <DIR> --d----- c:\windows\McAfee.com
2009-06-21 20:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-06-21 20:38 <DIR> --d----- c:\program files\Citrix
2009-06-21 17:00 <DIR> --d----- C:\db7f2d7f595f2a47934a5802
2009-06-21 16:53 4,984 a------- c:\windows\system32\drivers\nvphy.bin
2009-06-21 01:23 <DIR> --dsh--- c:\documents and settings\highmuck\PrivacIE
2009-06-10 16:33 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-10 16:33 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-07 21:43 <DIR> --dsh--- c:\documents and settings\highmuck\IETldCache
2009-06-07 15:36 <DIR> --d----- c:\windows\ie8updates
2009-06-07 15:36 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-07 15:35 <DIR> -cd-h--- c:\windows\ie8
2009-06-03 16:19 <DIR> --d----- c:\program files\iPod
2009-06-03 16:19 <DIR> --d----- c:\program files\iTunes

==================== Find3M ====================

2009-06-19 07:03 34 a------- c:\documents and settings\highmuck\jagex_runescape_preferences.dat
2009-05-21 11:33 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-13 00:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2008-10-04 07:59 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 6:55:24.60 ===============
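The SERVICES / DRIVERS section of the DDS log above is where an analyst's eye goes first: eleven S3 entries whose names are a few hex characters, whose image path sits directly in system32, and whose file DDS could not find ("[?]"). The script below is an added example, not part of this thread and not code from DDS, Malwarebytes or ComboFix; it parses a subset of those log lines (embedded as constructed sample input, including the legitimate lxdp_device entry that also has a missing file) and scores each entry with a simple heuristic. The regex for "hex-looking name", the weights and the threshold are my own assumptions, and a hit is a reason to look closer, not a verdict.

```python
import re

# Constructed sample input: a subset of the DDS "SERVICES / DRIVERS" lines from
# the log above, including a legitimate entry with a missing file (lxdp_device)
# so the scoring can be seen to distinguish the two cases.
SAMPLE_DDS_SERVICES = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-24 327688]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 0fe11;0fe11;\??\c:\windows\system32\0fe11.sys --> c:\windows\system32\0fe11.sys [?]
S3 1333;1333;\??\c:\windows\system32\1333.sys --> c:\windows\system32\1333.sys [?]
S3 58cC;58cC;\??\c:\windows\system32\58cc.sys --> c:\windows\system32\58cC.sys [?]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [2007-5-30 39424]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [2003-6-24 17920]
"""

# One DDS service line: "<state> <name>;<display name>;<image path> [<date> <size>]".
# For a \??\ device path DDS prints "<raw> --> <resolved>", and "[?]" instead of
# date/size means DDS could not find the image file on disk.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")

# Heuristic (an assumption for this example, not a DDS rule): 3-6 hex characters
# and nothing else, the shape of the eleven S3 entries in the log above.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{3,6}$", re.IGNORECASE)


def parse_service_line(line):
    """Split a DDS service/driver line into its fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DDS service line: {line!r}")
    path_part, _, tail = m.group("rest").rpartition(" [")
    resolved = path_part.split(" --> ")[-1].strip()
    return {
        "state": m.group("state"),
        "name": m.group("name"),
        "display": m.group("display"),
        "path": resolved.lower(),
        "file_missing": tail.startswith("?]"),
    }


def score_entry(entry):
    """Return (score, reasons); the weights are assumptions chosen for this example."""
    score, reasons = 0, []
    if HEX_NAME_RE.match(entry["name"]):
        score += 2
        reasons.append("short hex-looking service name")
    if entry["file_missing"]:
        score += 1
        reasons.append("image file not found on disk ([?])")
    path = entry["path"]
    if path.endswith(".sys") and "\\system32\\" in path and "\\system32\\drivers\\" not in path:
        score += 1
        reasons.append("driver placed directly in system32 rather than system32\\drivers")
    return score, reasons


def triage(dds_text, threshold=2):
    """Parse every non-blank line and return the entries at or above the threshold."""
    findings = []
    for line in dds_text.splitlines():
        if not line.strip():
            continue
        entry = parse_service_line(line)
        score, reasons = score_entry(entry)
        if score >= threshold:
            findings.append({"name": entry["name"], "path": entry["path"],
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_SERVICES):
        print(f"{f['name']:<10} score={f['score']}  {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the sample, the three hex-named S3 entries score 4 and are reported, while lxdp_device (a printer service with a missing file but a real name and an .exe image) scores 1 and is not. A missing file on its own is a weak signal; it is the combination with a meaningless name and an unusual location that makes these entries worth following up with the ComboFix run the expert asks for below.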

#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 July 2009 - 12:36 PM

Hello dchoyt,

Uninstall these old versions of Java, as they are malware magnets.
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6
Java™ SE Runtime Environment 6 Update 1



We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.



Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Edited by SifuMike, 05 July 2009 - 12:57 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts

Posted 05 July 2009 - 09:11 AM

Hi,
Thanks for the help.
I have removed the Java versions listed.
ComboFix will not run.
I only have 1 copy of it on the machine and it is freshly downloaded.
I disabled the resident shield in AVG.
I turned off the firewall.
ComboFix.exe is sitting on my desktop.
Neither a double click nor a right click and then Open will cause it to start running.
I tried renaming the file to MyComboFix.exe and xiFobmoC.exe and myplayer.exe but it still will not start.
I also rebooted my machine and it will not start.
I downloaded it a second time and tried again with no success.
Sorry,
Should I try it from Safe mode? Will it work there?
Thanks

Dean

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 05 July 2009 - 11:01 AM

Hello Dean,

Delete the Combofix you have on desktop.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Disable your AVG antivirus, as that will stop ComboFix from working.

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#5 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts

Posted 05 July 2009 - 11:55 AM

OK, that worked.
It claimed rootkit activity found and rebooted after noting 3 files.
It then ran to completion with the following log file.
Thanks. Can you tell me the name of what it removed?
What is next?
Dean

ComboFix 09-07-04.09 - highmuck 07/05/2009 11:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1790.1340 [GMT -5:00]
Running from: c:\documents and settings\highmuck\Desktop\myfixer.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\PTEDIT.EXE
c:\windows\Installer\3749091.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\kb913800.exe
c:\windows\system32\drivers\MSIVXsoxwihjpfengmqkuoswgghvwkpkhtfdi.sys
c:\windows\system32\MSIVXcount
c:\windows\system32\MSIVXmebtbiiddnmuvavyuixwqyevriwraegu.dll
c:\windows\system32\MSIVXyalcmsamwwysqvnpuiohwlwdrsxsegit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSIVXserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-03 03:40 . 2009-07-03 03:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-02 12:57 . 2009-07-02 12:57 -------- d-----w- c:\documents and settings\highmuck\Application Data\Malwarebytes
2009-06-30 13:57 . 2009-06-25 03:01 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-06-28 01:38 . 2009-06-17 16:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-28 01:38 . 2009-07-02 12:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-28 01:38 . 2009-06-28 01:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-28 01:38 . 2009-06-17 16:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-28 01:33 . 2009-06-28 01:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-27 08:19 . 2009-07-02 08:19 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-25 03:19 . 2009-06-25 03:19 -------- d-----w- c:\program files\CCleaner
2009-06-25 03:01 . 2009-06-25 03:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 03:01 . 2009-06-25 03:01 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 03:01 . 2009-06-25 03:01 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 03:01 . 2009-07-05 14:30 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-25 02:29 . 2009-06-25 02:29 -------- d-----w- c:\program files\Trend Micro
2009-06-22 12:03 . 2009-06-25 03:01 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-22 12:03 . 2009-06-22 12:03 -------- d-----w- c:\program files\AVG
2009-06-22 03:03 . 2009-06-22 03:03 -------- d-----w- c:\windows\McAfee.com
2009-06-22 01:43 . 2009-06-22 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-06-22 01:38 . 2009-06-22 01:38 -------- d-----w- c:\program files\Citrix
2009-06-22 01:38 . 2009-06-22 01:38 -------- d-----w- c:\documents and settings\highmuck\Local Settings\Application Data\Citrix
2009-06-21 22:00 . 2009-06-21 22:02 -------- d-----w- C:\db7f2d7f595f2a47934a5802
2009-06-21 21:53 . 2008-07-08 13:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
2009-06-21 06:26 . 2009-06-21 06:26 49152 ----a-r- c:\documents and settings\highmuck\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-06-21 06:26 . 2009-06-21 06:26 49152 ----a-r- c:\documents and settings\highmuck\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-06-21 06:23 . 2009-06-21 06:23 -------- d-sh--w- c:\documents and settings\highmuck\PrivacIE
2009-06-21 01:22 . 2009-06-21 01:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\VCOM
2009-06-21 01:16 . 2009-06-21 01:16 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-06-14 01:45 . 2009-06-14 01:45 152576 ----a-w- c:\documents and settings\highmuck\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 21:33 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-10 21:33 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 02:43 . 2009-06-08 02:43 -------- d-sh--w- c:\documents and settings\highmuck\IETldCache
2009-06-08 01:59 . 2009-06-08 01:59 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-07 20:36 . 2009-06-07 20:36 -------- d-----w- c:\windows\ie8updates
2009-06-07 20:36 . 2009-05-12 05:11 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-07 20:35 . 2009-06-07 20:36 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 14:21 . 2007-01-13 01:55 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-07-04 19:20 . 2007-01-07 17:41 -------- d-----w- c:\program files\Java
2009-07-03 00:29 . 2008-07-02 02:01 34 ----a-w- c:\documents and settings\highmuck\jagex_runescape_preferences.dat
2009-06-23 19:55 . 2007-01-07 17:43 -------- d-----w- c:\documents and settings\highmuck\Application Data\Azureus
2009-06-23 12:11 . 2007-01-16 01:24 69424 ----a-w- c:\documents and settings\highmuck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-22 11:58 . 2007-01-06 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-06-22 11:58 . 2007-01-06 18:03 -------- d-----w- c:\program files\McAfee
2009-06-22 01:23 . 2007-01-04 22:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-22 01:14 . 2007-02-21 00:43 -------- d-----w- c:\program files\Lavasoft
2009-06-21 07:01 . 2009-02-25 18:14 -------- d-----w- c:\program files\Pando Networks
2009-06-21 07:00 . 2007-01-11 00:56 -------- d-----w- c:\program files\Skype
2009-06-21 06:57 . 2008-12-16 01:59 -------- d-----w- c:\program files\FLAC
2009-06-20 21:16 . 2007-02-21 00:42 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-03 21:20 . 2009-06-03 21:19 -------- d-----w- c:\program files\iTunes
2009-06-03 21:19 . 2009-06-03 21:19 -------- d-----w- c:\program files\iPod
2009-06-03 21:19 . 2007-06-29 15:28 -------- d-----w- c:\program files\Common Files\Apple
2009-06-03 21:18 . 2007-01-21 22:28 -------- d-----w- c:\program files\QuickTime
2009-06-03 21:14 . 2009-06-03 21:14 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-05-21 16:33 . 2008-12-15 01:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-13 11:51 . 2009-05-13 11:51 45056 ----a-r- c:\documents and settings\highmuck\Application Data\Microsoft\Installer\{48E16DC7-79EC-45F1-847A-F8D3C620515E}\MapleStory.exe1_801DA03C4E824858A615529E6AFB9A78.exe
2009-05-13 11:51 . 2009-05-13 11:51 45056 ----a-r- c:\documents and settings\highmuck\Application Data\Microsoft\Installer\{48E16DC7-79EC-45F1-847A-F8D3C620515E}\MapleStory.exe_801DA03C4E824858A615529E6AFB9A78.exe
2009-05-13 11:51 . 2009-05-13 11:51 10134 ----a-r- c:\documents and settings\highmuck\Application Data\Microsoft\Installer\{48E16DC7-79EC-45F1-847A-F8D3C620515E}\ARPPRODUCTICON.exe
2009-05-13 05:15 . 2006-03-15 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 21:08 . 2009-01-02 08:40 266400 ----a-r- c:\documents and settings\highmuck\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-05-07 15:32 . 2006-03-15 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 12:03 . 2007-10-11 05:49 7114736 ----a-w- c:\documents and settings\highmuck\Application Data\Azureus\plugins\azemp\azmplay.exe
2009-05-07 12:02 . 2007-01-07 17:37 -------- d-----w- c:\program files\Azureus
2009-05-07 02:33 . 2009-05-07 02:33 152576 ----a-w- c:\documents and settings\highmuck\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2006-03-15 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-03-15 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 600896]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"lxdpmon.exe"="c:\program files\Lexmark Z2300 Series\lxdpmon.exe" [2008-03-27 656040]
"EzPrint"="c:\program files\Lexmark Z2300 Series\ezprint.exe" [2008-03-27 107176]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-18 1657376]

c:\documents and settings\highmuck\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2002-8-9 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-6-7 553021]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2009-1-13 28672]
officejet 6100.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe [2003-4-9 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 03:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Robolab 2.5.4\\Robolab254.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxdpcoms.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdptime.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdpjswx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lexmark Z2300 Series\\lxdpmon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdppswx.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"27670:TCP"= 27670:TCP:Azureus TCP
"27670:UDP"= 27670:UDP:Azureus udp port
"58877:TCP"= 58877:TCP:*:Disabled:Pando Media Booster
"58877:UDP"= 58877:UDP:*:Disabled:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/24/2009 10:01 PM 327688]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/24/2009 10:01 PM 298776]
R2 lxdp_device;lxdp_device;c:\windows\system32\lxdpcoms.exe -service --> c:\windows\system32\lxdpcoms.exe -service [?]
R2 nidimk;nidimk;c:\windows\system32\drivers\nidimk.dll [4/23/2003 8:15 PM 107102]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmk.dll [4/18/2003 1:45 PM 36463]
S2 lxdpCATSCustConnectService;lxdpCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdpserv.exe [1/15/2009 5:14 PM 98984]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;c:\windows\system32\drivers\fantom.sys [5/30/2007 4:34 PM 39424]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [1/22/2004 11:15 PM 39936]
S3 NiViPxiK;NiViPxiK;c:\windows\system32\drivers\NiViPxiK.sys [6/24/2003 6:41 PM 17920]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
FF - ProfilePath - c:\documents and settings\highmuck\Application Data\Mozilla\Firefox\Profiles\bheeegk9.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101753&gct=&gc=1&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-05 11:48
ComboFix-quarantined-files.txt 2009-07-05 16:48

Pre-Run: 69,383,692,288 bytes free
Post-Run: 69,436,264,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /usepmtimer /NoExecute=OptOut

247 --- E O F --- 2009-06-24 08:00

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:46 PM

Posted 05 July 2009 - 01:16 PM

Hi dean,


You had a nasty MSIVX rootkit. :thumbup2:

Let's make sure there are no malware stragglers.

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the Posted Image button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the Posted Image button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the Posted Image ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the Posted Image button, if you made any changes.
  • Now under the Scan section on the left, select My Computer.
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post even if it finds nothing.
You can refer to this animation by sundavis if needed.

Edited by SifuMike, 05 July 2009 - 01:38 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:46 PM

Posted 05 July 2009 - 09:50 PM

Hello,
That took a long time.
All the files that start with c:\Dean120\ can simply be deleted. That is a backup of an older hard disk.
Will AVG be able to clean the others? Or McAfee?
The log file follows.
Thanks
Dean

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, July 5, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 05, 2009 21:12:41
Records in database: 2430157
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 236303
Threat name: 15
Infected objects: 47
Suspicious objects: 22
Duration of the scan: 06:42:39


File name / Threat name / Threats count
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Infected: Trojan-Spy.HTML.Bayfraud.jk 1
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Infected: Trojan-Spy.HTML.Fraud.l 2
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Infected: Trojan-Spy.HTML.Bankfraud.qb 8
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Infected: Trojan-Spy.HTML.Fiffraud.p 2
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Infected: Email-Worm.Win32.Luder.a 1
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv Infected: Trojan.Win32.Small.kn 2
C:\Dean120\Program Files\Netscape\Users\hoytc001\Mail\Inbox Infected: Email-Worm.Win32.Magistr.b 1
C:\Dean120\Recovered\Program Installs\Work\vconnect.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\Dean120\Recovered\Program Installs\Work\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\chris\l6gynbs6.slt\Mail\getmail.thehoyts.com\Inbox Infected: Email-Worm.Win32.Magistr.b 1
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\dchoyt\333436zv.slt\Mail\getmail.thehoyts.com\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\dchoyt\333436zv.slt\Mail\mail.citilink.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\dchoyt\333436zv.slt\Mail\mail.citilink.com\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Inbox Infected: Trojan-Spy.HTML.Bayfraud.jk 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Inbox Infected: Trojan-Spy.HTML.Fraud.l 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Inbox Infected: Trojan-Spy.HTML.Bankfraud.qb 2
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Junk Infected: Trojan-Spy.HTML.Fraud.l 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Junk Infected: Trojan-Spy.HTML.Bankfraud.qb 4
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Junk Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Junk Infected: Email-Worm.Win32.Luder.a 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know Infected: Trojan-Spy.HTML.Bankfraud.qb 2
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know Infected: Trojan.Win32.Small.kn 2
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know Infected: Trojan-Spy.HTML.Fiffraud.p 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know Infected: Trojan-Spy.HTML.Bankfraud.od 1
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know Infected: Email-Worm.Win32.Luder.a 3
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Infected: Trojan.Win32.Pakes.cwv 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Infected: Trojan.Win32.Agent.sqt 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Junk Infected: Trojan.Win32.Pakes.cwv 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Junk Infected: Trojan.Win32.Agent.sqt 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\mail.citilink.com\People I Don't Know Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\mail.citilink.com\People I Know Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXmebtbiiddnmuvavyuixwqyevriwraegu.dll.vir Infected: Trojan-Downloader.Win32.Small.aljf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\MSIVXyalcmsamwwysqvnpuiohwlwdrsxsegit.dll.vir Infected: Trojan.Win32.Agent2.cfxs 1

The selected area was scanned.

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:46 PM

Posted 05 July 2009 - 10:22 PM

All the files that start with c:\Dean120\ can simply be deleted. That is a backup of an older hard disk.
Will AVG be able to clean the others? Or McAfee?


I don't think so. Kaspersky is very thorough when finding suspicious files.

Kaspersky is finding files within the folder, and wants to delete the entire folder.

Do you want to delete the entire folder(s)?
If you delete the folder, all the files within the folder will be gone. :thumbup2:

These are the folders it says it finds a suspicious file(s) in.
C:\Dean120\My Documents\Thunderbird 1.5.0.9 en-US - 2007-01-12_data.pcv
C:\Dean120\Program Files\Netscape\Users\hoytc001\Mail\Inbox
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\chris\l6gynbs6.slt\Mail\getmail.thehoyts.com\Inbox
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\dchoyt\333436zv.slt\Mail\getmail.thehoyts.com\Trash
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\dchoyt\333436zv.slt\Mail\mail.citilink.com\Inbox
C:\Dean120\WINDOWS\Application Data\Mozilla\Profiles\dchoyt\333436zv.slt\Mail\mail.citilink.com\Trash
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Inbox
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\Junk
C:\Dean120\WINDOWS\Application Data\Thunderbird\Profiles\jz9v052r.default\Mail\mail.citilink.com\People I Don't Know

C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Trash
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\mail.citilink.com\People I Don't Know
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\mail.citilink.com\People I Know


Unfortunately, Kaspersky does not tell us which file (within the folder) it does not like. It is probably finding an attached file that contains a virus in the email. It is safer to delete all the attached files within each of the folders.

If you decide that you want to delete the folder (which means all the files within the folder), then I can easily write a script that will do it.

Let me know.

Edited by SifuMike, 05 July 2009 - 10:24 PM.


#9 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:46 PM

Posted 05 July 2009 - 10:54 PM

Hello,
I can (and have) deleted the files in the list except for the following. These are single files that contain many emails each. Is there a way to figure out which email in the file has the issue other than saving each email to a separate file?
Thanks
Dean

C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Infected: Trojan.Win32.Pakes.cwv 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Infected: Trojan.Win32.Agent.sqt 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\getmail.thehoyts.com\Inbox Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Documents and Settings\highmuck\Application Data\Thunderbird\Profiles\hvtmpymj.default\Mail\mail.citilink.com\People I Know Suspicious: Trojan-Spy.HTML.Fraud.gen 1

#10 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:46 PM

Posted 05 July 2009 - 11:10 PM

Hi,
I figured it out. There were moved/deleted messages in the file. When I compacted the mailbox folder file (right-click on the folder in Thunderbird and select Compact), they went away. So they were already deleted.
Cool. I have rerun Kaspersky on the selected files and they are now claimed to be clean.
What's next?
Thanks
Dean
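
What Dean ran into above (messages deleted in Thunderbird still sitting inside the folder file until it is compacted), as an added example that is not code from this thread or from Thunderbird: a constructed three-message mbox in which the "deleted" message carries the Expunged bit in its X-Mozilla-Status header, a byte-level check standing in for the scanner, and a compaction pass that rewrites the folder without expunged messages. The folder contents, addresses and the MARKER string are all constructed; MARKER only stands in for whatever bytes a scanner signature matched.

```python
"""Why a scanner still flags a Thunderbird folder whose bad mail was "deleted":
Thunderbird stores a folder as one mbox file and deleting only sets the
Expunged bit in X-Mozilla-Status; the bytes stay until the folder is compacted.
"""
import mailbox
import os
import tempfile

# X-Mozilla-Status flag bit (Mozilla mailnews): message deleted, pending compaction.
MSG_FLAG_EXPUNGED = 0x0008

# Constructed stand-in for the byte pattern a scanner signature hit (not a payload).
MARKER = "CONSTRUCTED-SCANNER-MARKER"

# Constructed three-message folder; the middle one was deleted in the UI
# (X-Mozilla-Status 0009 = read 0001 | expunged 0008).
SAMPLE_MBOX = (
    "From - Sat Jul 04 12:00:00 2009\n"
    "X-Mozilla-Status: 0001\n"
    "From: alice@example.invalid\n"
    "Subject: lunch\n"
    "\n"
    "See you at noon.\n"
    "\n"
    "From - Sat Jul 04 12:05:00 2009\n"
    "X-Mozilla-Status: 0009\n"
    "From: phisher@example.invalid\n"
    "Subject: Verify your account\n"
    "\n"
    f"{MARKER}\n"
    "\n"
    "From - Sat Jul 04 12:10:00 2009\n"
    "X-Mozilla-Status: 0000\n"
    "From: bob@example.invalid\n"
    "Subject: report\n"
    "\n"
    "Attached.\n"
    "\n"
)

def mozilla_status(msg):
    """Return the X-Mozilla-Status flags as an int (0 if absent or malformed)."""
    try:
        return int(msg.get("X-Mozilla-Status", "0000").strip(), 16)
    except ValueError:
        return 0

def list_messages(path):
    """Return (subject, is_expunged) for every message physically present in the file."""
    box = mailbox.mbox(path, create=False)
    try:
        return [(m.get("Subject", ""), bool(mozilla_status(m) & MSG_FLAG_EXPUNGED))
                for m in box]
    finally:
        box.close()

def compact(src, dst):
    """Copy src to dst without expunged messages (what Compact does); return count dropped."""
    src_box = mailbox.mbox(src, create=False)
    dst_box = mailbox.mbox(dst, create=True)
    dropped = 0
    try:
        for m in src_box:
            if mozilla_status(m) & MSG_FLAG_EXPUNGED:
                dropped += 1
                continue
            dst_box.add(m)
    finally:
        src_box.close()
        dst_box.close()  # close() flushes the new folder to disk
    return dropped

def file_contains(path, needle):
    """Byte-level search, roughly how a signature scanner sees the folder file."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()

def demo():
    """Build the sample folder, then compare what a scanner sees before and after compaction."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "Inbox")
    dst = os.path.join(tmp, "Inbox.compacted")
    with open(src, "w", newline="\n") as fh:
        fh.write(SAMPLE_MBOX)
    return {
        "before": file_contains(src, MARKER),  # True: the deleted mail is still on disk
        "expunged": [s for s, e in list_messages(src) if e],
        "dropped": compact(src, dst),
        "after": file_contains(dst, MARKER),   # False: gone once compacted
        "remaining": [s for s, _ in list_messages(dst)],
    }

if __name__ == "__main__":
    print(demo())
```

Running it shows the marker present in the uncompacted folder, one expunged message identified by its header flag, and the marker absent from the compacted copy, which is exactly why the rescan came back clean.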

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:46 PM

Posted 05 July 2009 - 11:33 PM

Hi Dean,

Please tell me how the computer is running.

If it is running OK, then the next step is the program clean up.

#12 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:46 PM

Posted 06 July 2009 - 06:33 AM

Some of the system tray icons are gone but the computer seems to be working nicely now. I turned AVG back on and tried a Google search. The links are no longer being redirected.
Nice job.

Thanks.
Dean

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:46 PM

Posted 06 July 2009 - 09:37 AM

Hi Dean,

You're very welcome. :thumbup2:

Now we will do the program clean up.

Uninstall ComboFix: go to Start > Run & type in Combo-Fix /u
Make sure there's a space between Combo-fix and /
Then hit enter.

This will uninstall Combofix, delete any of its related folders and files (Qoobox, VundoFix Backups, Avenger, _OTM3), reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow:

  • Simple and easy ways to keep your computer safe and secure on the Internet
  • Groovicus' Guide to Simple PC Security, to help keep yourself from becoming infected again
  • How did I get infected?, with steps so it does not happen again!
  • How to prevent Malware, by miekiemoes

If you want to improve speed/system performance after malware removal, take a look here.

#14 dchoyt

dchoyt
  • Topic Starter

  • Members
  • 8 posts
  • Local time:09:46 PM

Posted 06 July 2009 - 08:03 PM

Thanks for the help. System works again.
I have done the Combofix clean up.
Dean

#15 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:46 PM

Posted 06 July 2009 - 08:09 PM

You're very welcome. I hope your computer continues to run smoothly.