
Google search results redirect to random pages


  • This topic is locked
17 replies to this topic

#1 damiths

  • Members
  • 14 posts

Posted 25 March 2010 - 02:45 PM

Since a couple of days ago I have had issues with both my browsers, IE7 and Firefox 3.6.2, where when I do a Google search and click on a result it opens in a new tab or window and takes me to a random web page.

If I click back or type the address of a site directly in the address bar, it seems to work OK.

I also got a strange pop up during web browsing which I think is related. I have attached it with this post.

Hopefully one of you guys can help me out.

Cheers


DDS Logs:


DDS (Ver_10-03-17.01) - NTFSx86
Run by SMM at 21:15:39.68 on Thu 03/25/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.72 [GMT 11:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Documents and Settings\SMM\Local Settings\Application Data\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\SMM\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: BHOManager Class: {474264bc-9571-47c1-85b9-780f756dc9ce} - c:\windows\system32\BHOManager.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Easy Photo Print: {9421dd08-935f-4701-a9ca-22df90ac4ea6} - c:\program files\epson software\easy photo print\EPTBL.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Google Update] "c:\documents and settings\smm\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
dPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\smm\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: HTLFP - {03B7A5D4-96B0-4316-95F8-072D326A58F1} -
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vfsp - {E4CB5121-E242-11D4-8ED6-00010219EB22} -
Notify: avgrsstarter - avgrsstx.dll
SEH: ShHook Class: {a5949e07-8536-4625-a3d0-2dd83f559990} - c:\windows\system32\ShellHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\smm\applic~1\mozilla\firefox\profiles\pvkeizsa.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\smm\application data\idm\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\smm\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-14 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-14 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-13 298776]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [2009-10-13 11107]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-13 906520]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet XP Driver;c:\windows\system32\drivers\rtl8150.SYS [2009-6-14 21504]

=============== Created Last 30 ================

2010-03-24 11:42:04 0 d-----w- c:\program files\trend micro
2010-03-24 10:21:05 0 d-sha-r- C:\cmdcons
2010-03-24 10:19:06 98816 ----a-w- c:\windows\sed.exe
2010-03-24 10:19:06 77312 ----a-w- c:\windows\MBR.exe
2010-03-24 10:19:06 261632 ----a-w- c:\windows\PEV.exe
2010-03-24 10:19:06 161792 ----a-w- c:\windows\SWREG.exe
2010-03-23 11:54:27 312320 ----a-w- C:\War Game Revised 1.3.xls
2010-03-23 07:15:45 0 d-----w- c:\windows\system32\wbem\Repository
2010-03-09 11:50:05 282112 ----a-w- C:\War Game Revised 1.1.xls
2010-03-06 06:47:35 1026433262 ----a-w- C:\The.Hurt.Locker.avi
2010-02-28 11:20:00 0 d-----w- c:\temp\1267356000390
2010-02-28 11:00:11 0 d-----w- c:\temp\1267354811343
2010-02-28 10:59:10 0 d-----w- c:\temp\1267354750125
2010-02-28 03:53:47 0 d-----w- c:\temp\1267329227656
2010-02-28 03:53:25 0 d-----w- c:\temp\1267329205562
2010-02-28 03:52:54 0 d-----w- c:\temp\1267329174000
2010-02-28 03:52:14 0 d-----w- c:\temp\1267329134281
2010-02-28 03:51:30 0 d-----w- c:\temp\1267329090203
2010-02-28 03:51:30 0 d-----w- C:\TEMP
2010-02-27 09:02:15 121344 ----a-w- C:\Wishes breakdown for March 1st - Final (Repaired).xls
2010-02-25 02:36:10 253952 ----a-w- C:\War game Round 1 results damith.xls
2010-02-25 02:36:10 132608 ----a-w- C:\Wishes breakdown for March 1st - Final.xls

==================== Find3M ====================


============= FINISH: 21:16:25.37 ===============



#2 thewall

  • Malware Response Team
  • 6,425 posts

Posted 28 March 2010 - 01:14 PM

Hello damiths, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped, so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis, we are limited in how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason, just let me know. Thank you for your understanding.



After 5 days, if a topic is not replied to, we assume it has been abandoned and it is closed.



Your log shows you have installed ComboFix. If you have run it, I will need the log, which you can find at C:\ComboFix.txt

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

Edited by thewall, 28 March 2010 - 01:15 PM.


#3 damiths (Topic Starter)

  • Members
  • 14 posts

Posted 29 March 2010 - 03:33 AM

Hi,

Thank you so much for getting back to me.

I tried to run ComboFix again to get a fresh log and it said the ComboFix I have is corrupted and to get a fresh copy from here. So I did, and when I tried to run it I got the following warning.

I am attaching an image of the error plus the original ComboFix log that was generated when I ran it a few days ago.

I must also tell you that I am connected to the net via a wired connection and my wife logs on to our network via wireless, and we both seem to have the same issue.

Also, just today my wife informed me that when she browsed the web on her iPhone using Safari she encountered the same issue of search results being redirected to random pages. Is this affecting any computer that is connected to our network?

Can her iPhone get infected somehow?

Cheers.


ComboFix Log:

ComboFix 10-03-23.04 - SMM 03/24/2010 23:55:57.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.196 [GMT 11:00]
Running from: c:\documents and settings\SMM\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-24 11:42 . 2010-03-24 11:42 -------- d-----w- c:\program files\trend micro
2010-03-24 11:42 . 2010-03-24 11:42 -------- d-----w- C:\rsit
2010-03-24 09:59 . 2010-03-24 10:03 -------- d-----w- c:\documents and settings\SMM\Local Settings\Application Data\Temp
2010-03-24 09:58 . 2010-03-24 09:59 -------- d-----w- c:\documents and settings\SMM\Local Settings\Application Data\Deployment
2010-03-23 07:15 . 2010-03-23 07:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-28 11:20 . 2010-02-28 11:20 -------- d-----w- c:\temp\1267356000390
2010-02-28 11:00 . 2010-02-28 11:00 -------- d-----w- c:\temp\1267354811343
2010-02-28 10:59 . 2010-02-28 10:59 -------- d-----w- c:\temp\1267354750125
2010-02-28 03:53 . 2010-02-28 03:53 -------- d-----w- c:\temp\1267329227656
2010-02-28 03:53 . 2010-02-28 03:53 -------- d-----w- c:\temp\1267329205562
2010-02-28 03:52 . 2010-02-28 03:52 -------- d-----w- c:\temp\1267329174000
2010-02-28 03:52 . 2010-02-28 03:52 -------- d-----w- c:\temp\1267329134281
2010-02-28 03:51 . 2010-02-28 11:20 -------- d-----w- C:\TEMP
2010-02-28 03:51 . 2010-02-28 03:51 -------- d-----w- c:\temp\1267329090203

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 13:04 . 2009-06-15 09:41 -------- d-----w- c:\documents and settings\SMM\Application Data\DMCache
2010-03-24 11:44 . 2006-10-07 13:15 -------- d-----w- c:\program files\uTorrent
2010-03-24 09:03 . 2009-07-20 09:04 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2010-03-05 21:01 . 2009-06-15 09:41 -------- d-----w- c:\documents and settings\SMM\Application Data\IDM
2010-02-28 06:39 . 2009-06-14 09:21 -------- d-----w- c:\documents and settings\SMM\Application Data\Skype
2010-02-19 02:40 . 2010-02-19 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TechSmith
2010-02-19 02:39 . 2008-07-26 15:29 -------- d-----w- c:\program files\TechSmith
2010-02-19 02:39 . 2008-02-15 04:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-18 22:18 . 2006-09-30 14:06 -------- d-----w- c:\program files\LimeWire
2010-02-18 22:15 . 2009-10-13 23:43 -------- d-----w- c:\documents and settings\SMM\Application Data\LimeWire
2010-02-07 07:39 . 2009-06-14 09:22 -------- d-----w- c:\documents and settings\SMM\Application Data\skypePM
2010-02-02 21:53 . 2010-02-02 21:53 -------- d-----w- c:\documents and settings\SMM\Application Data\EPSON
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-03-19 2586032]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"Google Update"="c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-24 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SoundMan"="SOUNDMAN.EXE" [2006-11-16 577536]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VTTimer"="VTTimer.exe" [2005-12-05 53248]
"VTTrayp"="VTtrayp.exe" [2005-12-05 147456]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-04 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2008-12-31 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 23:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\SMM\\Desktop\\BitLord.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2009 3:45 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2009 3:45 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/13/2009 10:54 PM 298776]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [10/13/2009 1:59 AM 11107]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/13/2009 10:54 PM 906520]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet XP Driver;c:\windows\system32\drivers\rtl8150.SYS [6/14/2009 7:45 PM 21504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD21
*Deregistered* - klmd21

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\BitLord.job
- c:\program files\BitLord\BitLord.exe [2005-05-07 00:47]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-746137067-1801674531-1003Core.job
- c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-24 09:59]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-746137067-1801674531-1003UA.job
- c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-24 09:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\SMM\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\SMM\Application Data\Mozilla\Firefox\Profiles\pvkeizsa.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\documents and settings\SMM\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-25 00:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):e3,c3,d2,89,b9,a1,8d,31,fe,68,46,17,9e,eb,01,f9,8d,9e,32,72,69,
f7,47,3c,e9,37,fb,55,f5,9b,8e,9d,82,07,fb,e6,53,2b,08,d2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b4d604ef-0242-4201-b10c-7817af08c336}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ef
"Therad"=dword:00000012
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,a6,cc,f7,99,c0,1e,5f,3c,ff,de,1b,59,3f,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-03-25 00:09:15
ComboFix-quarantined-files.txt 2010-03-24 13:09
ComboFix2.txt 2010-03-24 10:41

Pre-Run: 9,269,260,288 bytes free
Post-Run: 9,249,624,064 bytes free

- - End Of File - - CAD5EAB8EB379453B7B6CB533020CCC4

Attached Files

  • Attached File  11.JPG   16.56KB   7 downloads


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 PM

Posted 29 March 2010 - 09:37 AM

I should have made my instructions a little clearer. I didn't want you to run ComboFix; I wanted any previous logs where you had run it. It's OK though, but I still need to see the other logs. You can find them at C:\Qoobox\ComboFix(?).txt. The question mark will represent a number depending on how many times it has been run, as illustrated below, with the oldest having the highest number. If there is only one other than the one you just ran, then it would be C:\Qoobox\ComboFix2.txt. If there is more than one, please attach the others in your next reply, and if there is only one, just copy and paste it like you did the last log.

Example of how logs are numbered from previous runs:

C:\Qoobox\ComboFix2.txt
C:\Qoobox\ComboFix3.txt
C:\Qoobox\ComboFix4.txt
C:\Qoobox\ComboFix5.txt

From what you are telling me I understand your wife is going through a router but you are not... is this correct? Just to eliminate any possible issue with the router, go ahead and reset it and then change your password if you have one. If not, it would be a good idea to put one on it.


I have heard of the possibility of cell phones being corrupted but I haven't seen or actually read of it happening yet.


Let's take care of this and then we'll move on from here.
If I have helped you then please consider donating so I can continue the fight against malware Posted Image
All donations go directly to the helper

Posted Image

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 damiths

damiths
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 29 March 2010 - 02:36 PM

No worries.

Here is the ComboFix Log 2 that was in the folder you specified; there was also another log called ComboFix-quarantined-files. I'm not sure if you needed it, but I have attached it after the ComboFix log.

Combofix Log2

ComboFix 10-03-23.03 - SMM 03/24/2010 21:24:22.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.447.266 [GMT 11:00]
Running from: c:\documents and settings\SMM\My Documents\Downloads\Programs\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\SM\Application Data\inst.exe
c:\documents and settings\SMM\Application Data\inst.exe
c:\program files\Helper
c:\recycler\S-1-5-21-1158907335-3119166678-3300950740-1003
c:\recycler\S-1-5-21-4083310058-3935041485-1381616071-1006
c:\recycler\S-1-5-21-790525478-1965331169-1801674531-1003
c:\recycler\S-1-5-21-861567501-1417001333-725345543-1003
C:\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-02-24 to 2010-03-24 )))))))))))))))))))))))))))))))
.

2010-03-24 09:59 . 2010-03-24 10:03 -------- d-----w- c:\documents and settings\SMM\Local Settings\Application Data\Temp
2010-03-24 09:58 . 2010-03-24 09:59 -------- d-----w- c:\documents and settings\SMM\Local Settings\Application Data\Deployment
2010-03-23 07:15 . 2010-03-23 07:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-28 11:20 . 2010-02-28 11:20 -------- d-----w- c:\temp\1267356000390
2010-02-28 11:00 . 2010-02-28 11:00 -------- d-----w- c:\temp\1267354811343
2010-02-28 10:59 . 2010-02-28 10:59 -------- d-----w- c:\temp\1267354750125
2010-02-28 03:53 . 2010-02-28 03:53 -------- d-----w- c:\temp\1267329227656
2010-02-28 03:53 . 2010-02-28 03:53 -------- d-----w- c:\temp\1267329205562
2010-02-28 03:52 . 2010-02-28 03:52 -------- d-----w- c:\temp\1267329174000
2010-02-28 03:52 . 2010-02-28 03:52 -------- d-----w- c:\temp\1267329134281
2010-02-28 03:51 . 2010-02-28 11:20 -------- d-----w- C:\TEMP
2010-02-28 03:51 . 2010-02-28 03:51 -------- d-----w- c:\temp\1267329090203

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-24 10:36 . 2009-06-15 09:41 -------- d-----w- c:\documents and settings\SMM\Application Data\DMCache
2010-03-24 09:03 . 2009-07-20 09:04 -------- d-----w- c:\program files\ABBYY FineReader 6.0 Sprint
2010-03-23 07:15 . 2006-10-07 13:15 -------- d-----w- c:\program files\uTorrent
2010-03-05 21:01 . 2009-06-15 09:41 -------- d-----w- c:\documents and settings\SMM\Application Data\IDM
2010-02-28 06:39 . 2009-06-14 09:21 -------- d-----w- c:\documents and settings\SMM\Application Data\Skype
2010-02-19 02:40 . 2010-02-19 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\TechSmith
2010-02-19 02:39 . 2008-07-26 15:29 -------- d-----w- c:\program files\TechSmith
2010-02-19 02:39 . 2008-02-15 04:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-18 22:18 . 2006-09-30 14:06 -------- d-----w- c:\program files\LimeWire
2010-02-18 22:15 . 2009-10-13 23:43 -------- d-----w- c:\documents and settings\SMM\Application Data\LimeWire
2010-02-07 07:39 . 2009-06-14 09:22 -------- d-----w- c:\documents and settings\SMM\Application Data\skypePM
2010-02-02 21:53 . 2010-02-02 21:53 -------- d-----w- c:\documents and settings\SMM\Application Data\EPSON
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2008-03-19 2586032]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"Google Update"="c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-03-24 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SoundMan"="SOUNDMAN.EXE" [2006-11-16 577536]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"VTTimer"="VTTimer.exe" [2005-12-05 53248]
"VTTrayp"="VTtrayp.exe" [2005-12-05 147456]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-18 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-04 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EnableShellExecuteHooks"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{A5949E07-8536-4625-A3D0-2DD83F559990}"= "c:\windows\system32\ShellHook.dll" [2008-12-31 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 23:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\SMM\\Desktop\\BitLord.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/14/2009 3:45 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/14/2009 3:45 PM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/13/2009 10:54 PM 298776]
R2 paldrv;paldrv;c:\windows\system32\pal_drv.sys [10/13/2009 1:59 AM 11107]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/13/2009 10:54 PM 906520]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet XP Driver;c:\windows\system32\drivers\rtl8150.SYS [6/14/2009 7:45 PM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-03-23 c:\windows\Tasks\BitLord.job
- c:\program files\BitLord\BitLord.exe [2005-05-07 00:47]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-746137067-1801674531-1003Core.job
- c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-24 09:59]

2010-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-842925246-746137067-1801674531-1003UA.job
- c:\documents and settings\SMM\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-03-24 09:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\SMM\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\SMM\Application Data\Mozilla\Firefox\Profiles\pvkeizsa.default\
FF - component: c:\documents and settings\SMM\Application Data\IDM\idmmzcc2\components\idmmzcc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
AddRemove-NeroVision!UninstallKey - c:\windows\UNNeroVision.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-24 21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):e3,c3,d2,89,b9,a1,8d,31,fe,68,46,17,9e,eb,01,f9,8d,9e,32,72,69,
f7,47,3c,e9,37,fb,55,f5,9b,8e,9d,82,07,fb,e6,53,2b,08,d2,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{b4d604ef-0242-4201-b10c-7817af08c336}]
@Denied: (Full) (Everyone)
"Model"=dword:000000ef
"Therad"=dword:00000012
"MData"=hex(0):cb,9b,ad,ef,27,7d,29,69,f5,02,f0,76,aa,4a,f1,7c,d3,d9,67,7f,6a,
4b,7b,ad,04,7a,b1,b5,76,9b,27,47,a6,cc,f7,99,c0,1e,5f,3c,ff,de,1b,59,3f,a3,\
.
Completion time: 2010-03-24 21:41:30
ComboFix-quarantined-files.txt 2010-03-24 10:41

Pre-Run: 6,074,658,816 bytes free
Post-Run: 9,672,388,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - B5D41DAC00ACA0B619E5FC1BED9D281D

==================================

ComboFix-quarantined-files

2010-03-24 10:40:45 . 2010-03-24 10:40:45 406 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-NeroVision!UninstallKey.reg.dat
2010-03-24 10:40:23 . 2010-03-24 10:40:23 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}.reg.dat
2010-03-24 10:40:23 . 2010-03-24 10:40:23 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat
2010-03-24 10:31:34 . 2010-03-24 13:03:20 9,114 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-03-24 10:18:53 . 2010-03-24 12:54:28 102 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-06-14 07:54:33 . 2009-06-14 07:54:33 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\SMM\Application Data\inst.exe.vir
2008-07-16 09:46:56 . 2008-07-16 09:48:46 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\SM\Application Data\inst.exe.vir
2006-10-15 02:29:15 . 2008-05-28 11:21:22 102,912 ----a-w- C:\Qoobox\Quarantine\C\Thumbs.db.vir



#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 PM

Posted 29 March 2010 - 03:34 PM

Let's try a few things to see if they work and eliminate them as the redirection problem. You may have already performed the router reset from my last post.

1.) If you use a router please reset it and create a new password



2.) Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



3.) To flush DNS cache in Microsoft Windows (98, 2000, XP, Vista, 7):

* Go to Start -> Run -> type in cmd
* from command prompt, type ipconfig /flushdns
* that will reset your DNS cache



4.) Please download HostsXpert 4.2
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Restore MS Hosts File".
  • Click OK at the confirmation box.
  • Click "Make Read Only".
  • Click the X to exit the program.
-- Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.





After this please check to see if this has solved the problem on either machine.
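The DNS-flush and hosts-file steps above target the usual mechanism behind this kind of search redirect: a rewritten hosts file (or hijacked router DNS) sends search domains to a wrong address and points antivirus update servers at loopback so they cannot update. The script below is an added example, not part of this thread or of HostsXpert: it parses a Windows hosts file and reports entries that redirect or block a watch-list of domains, without changing anything. The sample hosts content, the watch-list and the 203.0.113.7 address are constructed for illustration.

```python
"""Read-only audit of a Windows hosts file for redirect/block entries.

Added example (not the thread's or HostsXpert's code). It reports what the
'Restore MS Hosts File' step would wipe, so you can see what was hijacked
before restoring. Run with no arguments to audit the constructed sample,
or pass the path of a real hosts file.
"""
import ipaddress
import os
import sys

# Location Windows uses; %SystemRoot% falls back to C:\WINDOWS as on XP.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                          "System32", "drivers", "etc", "hosts")

# The only mappings a stock Windows hosts file carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed watch-list: search engines the thread is about plus AV and
# Windows Update domains. Extend it with your own AV vendor's domains.
WATCH_SUFFIXES = (
    "google.com", "google.com.au", "google.co.uk",
    "avg.com", "grisoft.com",
    "microsoft.com", "windowsupdate.com",
)

# Constructed sample: the first mapping is the Windows default, the four
# lines after it imitate a typical redirect/AV-blocking hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# (constructed sample for this example; entries after localhost are
#  illustrative and 203.0.113.7 is a documentation address, not real)
127.0.0.1       localhost
127.0.0.1       update.avg.com
0.0.0.0         www.microsoft.com
203.0.113.7     www.google.com www.google.com.au
203.0.113.7     www.bing.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every active mapping.

    Comments and blank lines are skipped. A line that lists several names
    after the address yields one tuple per name, which is how Windows
    resolves it.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for host in parts[1:]:
            entries.append((parts[0], host.lower(), line_no))
    return entries


def _is_sink(ip):
    """True when the address makes the name unreachable (loopback/0.0.0.0)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def _is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCH_SUFFIXES)


def audit_hosts(text):
    """Classify non-default mappings.

    'unexpected': every mapping Windows does not ship with;
    'block':      watched domain sent to a sink (AV/updates silently fail);
    'redirect':   watched domain sent to some other address (traffic hijack).
    """
    report = {"block": [], "redirect": [], "unexpected": []}
    for ip, host, line_no in parse_hosts(text):
        if (ip, host) in DEFAULT_ENTRIES:
            continue
        entry = (ip, host, line_no)
        report["unexpected"].append(entry)
        if _is_watched(host):
            report["block" if _is_sink(ip) else "redirect"].append(entry)
    return report


def hosts_is_writable(path=HOSTS_PATH):
    """False once the 'Make Read Only' step has set the read-only attribute
    (on Windows os.access(W_OK) reflects that attribute); False as well if
    the file is missing, which is itself worth noticing."""
    return os.path.exists(path) and os.access(path, os.W_OK)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for category, found in audit_hosts(content).items():
        for ip, host, line_no in found:
            print(f"{category:10} line {line_no:3}: {host} -> {ip}")
```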

#7 damiths

damiths
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 29 March 2010 - 05:56 PM

Hey mate

1.) If you use a router please reset it and create a new password

Done

2.) Please download ATF Cleaner by Atribune & save it to your desktop.

Done

3.)To flush DNS cache in Microsoft Windows (98, 2000, XP, Vista, 7):

Done

4.) Please download HostsXpert 4.2

Done

--------

Ok, so now the google searches seem to be working fine.

Just some info
- Before your suggestions I was not able to do an update on AVG, as in a virus update. But now I can. It always said I could not connect to the AVG server, which was weird.

So, is everything good? Was I under a threat of getting hacked remotely?

Where to next?

PS - Thanks for all your help so far!!! Really appreciate it, buddy!!!

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 PM

Posted 29 March 2010 - 07:09 PM

That sounds good. Nice to know you have control of your machine back.

I can't say for positive about the hacking, but considering what you had on your machine I would say you have to consider your security as being compromised. I was going to post this last time and got to thinking so hard about the redirect that it slipped by me. This is our standard speech for machines that have certain Trojans on them, so keep in mind ComboFix had already identified a Trojan and removed it when you first ran the program.

One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall


It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner
    page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

#9 damiths

damiths
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 30 March 2010 - 09:22 AM

Hey mate,

Bad news, I let the scan run and went out, and when I came back the computer had restarted for some reason. There were some Windows updates that got downloaded when the router was rebooted. Maybe that's what caused it.

Do I have to run this again? Or can I do anything else? It had run for 5 hours and only 80 percent was done the last time.

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 PM

Posted 30 March 2010 - 09:58 AM

Let's try another scan. Kaspersky can be hard to run at times depending on the system.


When you run this one uncheck where it says to remove found threats(my wording might not be exact) and let's see what if anything it turns up before we allow it to remove them.


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

#11 damiths

damiths
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 30 March 2010 - 04:05 PM

Hey Buddy,
Ran the scan; this is what the report logged:

ESETScan Log

C:\Documents and Settings\SCL\My Documents\mgmg1101.exe probably a variant of Win32/Adware.BPSSpywareRemover.AA application

C:\Documents and Settings\SMM\Application Data\Sun\Java\Deployment\cache\6.0\47\4934abef-59cb7282 a variant of Java/TrojanDownloader.Agent.NAC trojan


#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 PM

Posted 30 March 2010 - 04:35 PM

Not bad. See if you can remove the first one using Windows Explorer. You may have to unhide hidden files and folders if you don't see it. I provided instructions below. If you can't get it off manually we can do it by another means.


C:\Documents and Settings\SCL\My Documents\mgmg1101.exe

Please set your system to show all files.

Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

After file is deleted:


Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

For the other one let's clean out your Java cache. That should eliminate it.

Link to do so is here:

http://support.f-secure.com/enu/home/virus...javacache.shtml

When you are done, if everything is running OK, we should be able to finish up.

#13 damiths

damiths
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 30 March 2010 - 07:41 PM

Hey,

Deleted the first file and cleared the Java cache for all user accounts on this machine.


What next mate?

So just to let you know
- Your suggestions have resolved the issue on my wife's laptop as well. Do I need to run any scans on that too, just to make sure it's not infected with anything else? If so, what scan should I run?

- I know you gave me the standard reply on the back door hacking stuff, but is there a big chance of this happening? Is there a way to tell if I am open to attack right now? Or do I have to go in for a format?

- What anti-virus software do you recommend? I'm not too keen to spend unless it's necessary; right now I have AVG free - is that good enough? Do I need to add other spyware trackers etc.?

If so can you recommend one?

Hope to hear from you soon.

And thanks again for all your help so far.


#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:01 PM

Posted 30 March 2010 - 08:37 PM

It wouldn't hurt to run MalwareBytes on her computer. I'll give you a link below along with instructions.

I can't make the call on the reformat for you; it's just something we have to leave up to the user. I can tell you I had the same sort of thing when I first came here a few years ago, and I changed all of my passwords and never have had any problems. I also can add I don't recall anyone I have ever helped who didn't reformat that came back and told me that they should have, but then that doesn't really say a lot.

When we finish up I'll give you some other things which can help you stay clean. The AVG is a good program but if you want I can give you links to some others that are free.



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

#15 damiths

damiths
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:01 AM

Posted 30 March 2010 - 09:02 PM

Just to make sure

- I am to run MalwareBytes on my wife's laptop, right? Or on my machine too?
- Does this mean my PC is OK for now?