WiredWX Christian Hobby Weather Tools
Exploit Rogue Scanner (type 991)

Alrighty,
Normally I am pretty good at removing stuff myself...but this one has me.
Basically you type something in the search, click on the link and get redirected (irritating little bugger) and then sometimes AVG pops up the Exploit Rogue Scanner warning. I have run AVG, HijackThis, Spybot Search and Destroy, and Malwarebytes Anti-Malware over the last few days. And so here I am, posting my HijackThis log, which the last few times I have run it...I am not seeing anything. So maybe another set of eyes can figure this out. Also I am using Firefox.
Thanks!!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:15:57, on 1/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2854 bytes
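As an added example (not part of this thread), here is a small Python parser for the HijackThis O-lines in a log like the one above, which pulls out the section, location and executable path of each entry and flags the ones a reviewer should check first; the `parse_hjt`/`flagged` names and the `TRUSTED_ROOTS` "known system directories" heuristic are my own assumptions, and the sample lines are copied from this log.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: avgrsstarter - C:\\WINDOWS\\SYSTEM32\\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgwdsvc.exe
"""

# "O<n> - <kind>: <detail>"; <kind> is the registry/startup location or entry type.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# First absolute Windows path ending in a binary extension (arguments may follow it).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.I)
# Assumed heuristic: binaries under these roots are treated as the expected locations.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_hjt(text):
    """Return one dict per O-line: section, kind, raw detail, resolved path and review flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list and blank lines are skipped
        section, kind, detail = m.groups()
        path_m = PATH_RE.search(detail)
        path = path_m.group(0) if path_m else None
        flags = []
        if detail.rstrip().endswith("= ?"):
            flags.append("unresolved-target")    # HJT could not read the shortcut target
        elif path is None:
            flags.append("no-absolute-path")     # bare file name, e.g. dropped into a Startup folder
        elif not path.lower().startswith(TRUSTED_ROOTS):
            flags.append("outside-system-dirs")  # runs from a user-writable location
        entries.append({"section": section, "kind": kind, "detail": detail,
                        "path": path, "flags": flags})
    return entries


def flagged(text):
    """Entries a reviewer should look at first: (section, detail, flags)."""
    return [(e["section"], e["detail"], e["flags"]) for e in parse_hjt(text) if e["flags"]]


if __name__ == "__main__":
    for section, detail, flags in flagged(SAMPLE_LOG):
        print(section, "|", detail, "|", ", ".join(flags))
```

A log with nothing flagged is not a clean bill of health: HijackThis lists autostart hooks, and the infection ComboFix later reported in this thread was a patched atapi.sys driver, which a listing of this kind never shows.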

Re: Exploit Rogue Scanner (type 991)

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start>Run, then copy/paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

[Screenshot: Query_RC]
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Screenshot: RC_successful]

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

Re: Exploit Rogue Scanner (type 991)

ComboFix 10-01-04.01 - Raul 01/05/2010 16:30:49.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.134 [GMT -7]
Running from: c:\documents and settings\Raul\Desktop\Commy.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-12-05 to 2010-01-05 )))))))))))))))))))))))))))))))
.

2010-01-05 23:16 . 2010-01-05 23:17 -------- d-----w- C:\Commy
2010-01-04 02:47 . 2010-01-04 02:48 -------- d-----w- c:\documents and settings\Raul\SmitfraudFix
2010-01-04 01:08 . 2010-01-04 01:08 -------- d-----w- c:\documents and settings\Raul\Application Data\Malwarebytes
2010-01-04 01:08 . 2009-12-30 21:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-04 01:08 . 2010-01-04 01:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-04 01:08 . 2009-12-30 21:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-04 01:08 . 2010-01-04 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-26 20:06 . 2009-12-26 20:06 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-12-11 19:20 . 2009-12-21 15:21 2066200 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-02 01:20 . 2007-04-14 20:11 -------- d-----w- c:\documents and settings\Raul\Application Data\Corel
2010-01-02 00:07 . 2008-10-24 17:31 -------- d-----w- c:\documents and settings\Raul\Application Data\Nvu
2010-01-01 22:13 . 2007-04-14 20:11 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-01-01 18:01 . 2008-04-02 01:52 -------- d-----w- c:\documents and settings\Raul\Application Data\mIRC
2010-01-01 17:54 . 2008-04-02 01:52 -------- d-----w- c:\program files\mIRC
2009-12-31 06:04 . 2008-11-19 19:44 -------- d-----w- c:\documents and settings\Raul\Application Data\CoreFTP
2009-12-28 06:54 . 2007-05-03 03:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-17 18:35 . 2008-11-19 19:43 -------- d-----w- c:\program files\CoreFTP
2009-12-09 20:11 . 2009-11-11 07:36 -------- d-----w- c:\program files\MyDefrag v4.2.5
2009-12-04 00:08 . 2009-12-03 23:58 -------- d-----w- c:\documents and settings\Raul\Application Data\Ventrilo
2009-12-03 23:57 . 2009-12-03 23:57 -------- d-----w- c:\program files\Ventrilo
2009-12-03 23:55 . 2009-12-03 23:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-22 16:08 . 2009-02-16 03:47 -------- d-----w- c:\documents and settings\Raul\Application Data\Move Networks
2009-11-22 07:59 . 2009-11-22 07:59 127325 ----a-w- c:\documents and settings\Raul\Application Data\Move Networks\uninstall.exe
2009-11-22 07:59 . 2009-08-13 19:21 4187512 ----a-w- c:\documents and settings\Raul\Application Data\Move Networks\plugins\npqmp071505000011.dll
2009-11-22 07:59 . 2009-11-22 07:59 1408800 ----a-w- c:\documents and settings\Raul\Application Data\Move Networks\MoveMediaPlayerWin_071505000011.exe
2009-11-11 07:34 . 2006-12-31 23:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-29 05:38 . 2004-08-10 18:51 667136 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2004-08-10 18:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-10 18:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 05:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2004-08-10 18:51 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-10 18:51 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-10 18:51 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 00:04 . 2007-04-14 20:04 75784 ----a-w- c:\documents and settings\Raul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-02 18:06 . 2007-04-14 20:11 88 --sh--r- c:\windows\system32\95564A8D1E.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-12-11 2043160]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-09-20 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7630848]

c:\documents and settings\Raul\Start Menu\Programs\Startup\
PowerReg Scheduler.exe [2008-6-11 189952]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-12-31 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 17:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Nvu\\nvu.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/8/2008 10:27 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/8/2008 10:27 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/15/2008 4:59 PM 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/15/2008 4:59 PM 297752]
R2 mviddnt;mviddnt;c:\windows\system32\drivers\MVIDDNT.SYS [6/23/2008 9:25 PM 7168]
.
Contents of the 'Scheduled Tasks' folder

2009-11-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-06-03 20:42]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
Trusted Zone: musicmatch.com\online
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Raul\Application Data\Mozilla\Firefox\Profiles\00gwhnml.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_results.php?ch_id=afex&q=
FF - plugin: c:\documents and settings\Raul\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-05 16:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3016)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-01-05 16:57:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-05 23:57

Pre-Run: 40,493,236,224 bytes free
Post-Run: 40,580,595,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - EA7BE952D5409540F5786BFA82B89167

Re: Exploit Rogue Scanner (type 991)

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Exploit Rogue Scanner (type 991)

Searches are not being redirected anymore. So seems to be fixed.
Thank you very much to you both!!!

Re: Exploit Rogue Scanner (type 991)

One other quick question..I was reading some other folks' posts on this, and noticed how you all mentioned in the end what to use to protect yourself. Most of it I use, like Spybot Search and Destroy, AVG, CCleaner, HijackThis, and I run these every night, along with using the Firefox browser.
I am curious still how this Rogue got through? My best bet is that my husband had downloaded a wallpaper and where he did it was the culprit, only because the next day was when all the fun began!! (so to speak!!!)
Unfortunately for him, back when I had my own computer he was NOT allowed to touch it since he has a habit of picking up things like this.


Re: Exploit Rogue Scanner (type 991)

See this page for more info about malware and prevention.
