
[Inactive] google redirecting, websites blocked

Discussion in 'Malware and Virus Removal Archive' started by lisaandre, 2009/01/15.

  1. 2009/01/15
    lisaandre

    Hello,
    I am having the same issues as grayfox who started this thread. I used rootrepeal.exe and here is the saved log from the scan. Please let me know what to do next. This is making me crazy!!
    Thanks!
    Lisa

    ROOTREPEAL (c) AD, 2007-2008
    ==================================================
    Scan Time: 2009/01/15 12:51
    Program Version: Version 1.2.3.0
    Windows Version: Windows XP Media Center Edition SP3
    ==================================================

    Drivers
    -------------------
    Name: dump_atapi.sys
    Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
    Address: 0xF32B3000 Size: 98304 File Visible: No
    Status: -

    Name: dump_WMILIB.SYS
    Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
    Address: 0xF7B8E000 Size: 8192 File Visible: No
    Status: -

    Name: rootrepeal.sys
    Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
    Address: 0xB7F58000 Size: 45056 File Visible: No
    Status: -

    Name: TDSSmqlt.sys
    Image Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    Address: 0xF3AB6000 Size: 73728 File Visible: -
    Status: Hidden from Windows API!

    Hidden/Locked Files
    -------------------
    Path: C:\hiberfil.sys
    Status: Locked to the Windows API!

    Path: C:\WINDOWS\system32\TDSSbrsr.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSnmxh.log
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSoiqh.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSosvd.dat
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSpaxt.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSriqp.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\system32\TDSSxfum.dll
    Status: Invisible to the Windows API!

    Path: C:\WINDOWS\Temp\0a565a09-7c91-4221-9370-6c2c859e17cb.tmp
    Status: Allocation size mismatch (API: 73728, Raw: 0)

    Path: C:\WINDOWS\Temp\b5011372-42f7-4ae0-aed2-6e719884cd38.tmp
    Status: Visible to the Windows API, but not on disk.

    Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\TDSS2d53.tmp
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temp\TDSS2d62.tmp
    Status: Invisible to the Windows API!

    Path: C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log
    Status: Size mismatch (API: 69256, Raw: 66112)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\1[1].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\1[2].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\1[3].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\1[4].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\8.5[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\9[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\accessories[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\ads[3].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\afr[1].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\apparelstyle[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\color[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\getjs[1].aspx
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\goodsearch_com[1].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\im_msn[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\phone1[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\progress[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\quicksearch_btn[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\resize_1[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\underline[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\vbulletin_ajax_threadrate[1].js
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\vbulletin_quick_reply[1].js
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\vbulletin_textedit[1].js
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\imgad[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\p-01-0VIaSjnOLg[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\shopbytitle[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\s[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\vbulletin_quick_edit[1].js
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\removeformat[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\m[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\6_5[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\7[1].gif
    Status: Could not get file information (Error 0xc0000008)

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\1[1].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\1[2].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\1[3].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\1[4].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\bluegradbg[1].png
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\createlink[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\customsearchbar[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\quote[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\rating_1[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\BK317CB1\rating_4[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\10544667-4[1].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\10[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\1[1].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\1[2].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\1[3].jpg
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\5_5[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\6[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\ads[8].htm
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\apparelsize[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\clear[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\external[2].xml
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\hpbar1[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\menupop[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\navdivider[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\quickreply[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\rating_2[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\rating_5[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\search_btn[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\subscribe[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\xs[1].gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Temporary Internet Files\Content.IE5\I52PB5HE\__utmCAQY5GAK.gif
    Status: Visible to the Windows API, but not on disk.

    Path: C:\Documents and Settings\Compaq_Administrator\Local Settings\Application Data\Microsoft\Messenger\lisaandandre@yahoo.com\SharingMetadata\Logs\Dfsr00005.log
    Status: Size mismatch (API: 280654, Raw: 280110)

    Stealth Objects
    -------------------
    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: winlogon.exe (PID: 1040) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: services.exe (PID: 1092) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: lsass.exe (PID: 1104) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSoiqh.dll]
    Process: svchost.exe (PID: 1280) Address: 0x00a30000 Size: 81920

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 1280) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 1436) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 1556) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 1672) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 1828) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: Explorer.EXE (PID: 2012) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: spoolsv.exe (PID: 284) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: ehtray.exe (PID: 652) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: RTHDCPL.EXE (PID: 672) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: HPwuSchd2.exe (PID: 900) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: m3SrchMn.exe (PID: 948) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: mwsoemon.exe (PID: 968) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgtray.exe (PID: 1236) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: arservice.exe (PID: 248) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgfws8.exe (PID: 1852) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: ehRecvr.exe (PID: 480) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: ehSched.exe (PID: 756) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: iviRegMgr.exe (PID: 872) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: LSSrvc.exe (PID: 1424) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: mdm.exe (PID: 1668) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: nvsvc32.exe (PID: 3036) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: PsiService_2.exe (PID: 3080) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 3184) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: mcrdsvc.exe (PID: 3612) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: dllhost.exe (PID: 2432) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: alg.exe (PID: 1484) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: ehmsas.exe (PID: 3952) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: svchost.exe (PID: 2388) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: hpsysdrv.exe (PID: 2112) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: jusched.exe (PID: 2576) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: DISCover.exe (PID: 1916) Address: 0x00c90000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: wmiprvse.exe (PID: 2736) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: DiscUpdMgr.exe (PID: 3472) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: DiscStreamHub.exe (PID: 3484) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: AcroRd32.exe (PID: 1768) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: msnmsgr.exe (PID: 1548) Address: 0x013f0000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: usnsvc.exe (PID: 1572) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: WinNews.exe (PID: 2984) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: EXCEL.EXE (PID: 144) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: AgentSvr.exe (PID: 428) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: iexplore.exe (PID: 2720) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgscanx.exe (PID: 2808) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgwdsvc.exe (PID: 2724) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgam.exe (PID: 2288) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgrsx.exe (PID: 2520) Address: 0x10000000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: avgnsx.exe (PID: 2040) Address: 0x00aa0000 Size: 126976

    Object: Hidden Module [Name: TDSSxfum.dll]
    Process: RootRepeal.exe (PID: 3808) Address: 0x10000000 Size: 126976

    Object: Hidden Code [ETHREAD: 0x854fe6f0]
    Process: System Address: 0xf3ab8d66 Size: -
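
As an added example (not part of the thread and not RootRepeal's own code), the script below parses the three sections of a RootRepeal log like the one above and separates the findings that matter (the driver hidden from the Windows API, the files invisible to it, and the modules injected into nearly every process) from entries that are normally benign on Windows XP: the dump_*.sys and rootrepeal.sys drivers that only exist in memory, the locked hiberfil.sys, and the Temporary Internet Files cache entries. The embedded log is a constructed, abridged excerpt (the profile name "User" is made up), and the benign classifications are heuristics, not RootRepeal's verdicts.

```python
"""Triage a RootRepeal scan log: separate findings that need action from entries
that are normally benign on Windows XP. Added example, not RootRepeal's own code
and not from the original thread; the embedded log is a constructed excerpt."""
import os
import re
from collections import defaultdict

# Constructed, abridged sample in the layout of RootRepeal 1.2.3.0 logs.
SAMPLE_LOG = r"""Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF32B3000 Size: 98304 File Visible: No
Status: -

Name: TDSSmqlt.sys
Image Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys
Address: 0xF3AB6000 Size: 73728 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\TDSSbrsr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\TDSSmqlt.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\9C2KDUD8\1[1].jpg
Status: Visible to the Windows API, but not on disk.

Stealth Objects
-------------------
Object: Hidden Module [Name: TDSSxfum.dll]
Process: winlogon.exe (PID: 1040) Address: 0x10000000 Size: 126976

Object: Hidden Module [Name: TDSSoiqh.dll]
Process: svchost.exe (PID: 1280) Address: 0x00a30000 Size: 81920

Object: Hidden Module [Name: TDSSxfum.dll]
Process: svchost.exe (PID: 1280) Address: 0x10000000 Size: 126976

Object: Hidden Code [ETHREAD: 0x854fe6f0]
Process: System Address: 0xf3ab8d66 Size: -
"""

SECTION_RE = re.compile(r"^(Drivers|Hidden/Locked Files|Stealth Objects)\n-+\n", re.M)
MODULE_RE = re.compile(r"Hidden Module \[Name: (.+)\]")
PROCESS_RE = re.compile(r"^(\S+) \(PID: \d+\)")
EXPECTED_LOCKED = ("hiberfil.sys", "pagefile.sys")  # legitimately locked on XP


def parse_sections(text):
    """Map section name -> list of {key: value} dicts, one per blank-line block."""
    text = "\n".join(line.strip() for line in text.splitlines())  # drop forum indent
    sections, heads = {}, list(SECTION_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries = []
        for block in re.split(r"\n\s*\n", text[head.end():end].strip()):
            entry = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            if entry:
                entries.append(entry)
        sections[head.group(1)] = entries
    return sections


def triage(text):
    """Return actionable findings plus counts of entries judged benign."""
    sections = parse_sections(text)
    res = {"hidden_drivers": [], "hidden_files": [], "expected": 0, "cache_noise": 0, "hidden_code": 0}
    for drv in sections.get("Drivers", []):
        # dump_*.sys and the scanner's own driver show 'File Visible: No' with
        # Status '-'; only a non-'-' Status means something is hiding the driver.
        if drv.get("Status", "-") != "-":
            res["hidden_drivers"].append(drv["Name"])
    for f in sections.get("Hidden/Locked Files", []):
        path, status = f["Path"], f["Status"]
        if status.startswith("Invisible"):
            res["hidden_files"].append(path)
        elif status.startswith("Locked") and path.rsplit("\\", 1)[-1].lower() in EXPECTED_LOCKED:
            res["expected"] += 1
        elif "not on disk" in status and "Temporary Internet Files" in path:
            res["cache_noise"] += 1  # IE cache index churn, not stealth
    modules = defaultdict(set)
    for obj in sections.get("Stealth Objects", []):
        mod = MODULE_RE.search(obj.get("Object", ""))
        proc = PROCESS_RE.match(obj.get("Process", ""))
        if mod and proc:
            modules[mod.group(1)].add(proc.group(1))
        elif obj.get("Object", "").startswith("Hidden Code"):
            res["hidden_code"] += 1
    res["hidden_modules"] = {m: sorted(p) for m, p in modules.items()}
    # A basename prefix shared by the invisible files points at one family.
    names = [p.rsplit("\\", 1)[-1] for p in res["hidden_files"]]
    res["family_prefix"] = os.path.commonprefix(names) if len(names) > 1 else ""
    return res
```

Running `triage()` over the full log posted above yields the same picture the helper acts on next: one hidden driver, a set of invisible files sharing the TDSS prefix, and one DLL loaded invisibly into dozens of processes.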
     
  2. 2009/01/16
    Aaflac

    Welcome to WindowsBBS, lisaandre!!

    Please do the following:

    Run RootRepeal once again
    In the main program window, click the Drivers tab.
    In the list of files, look for: TDSSmqlt.sys
    Right-click on the file, and select: Dump File
    Right-click on the file again, and select: Force Delete

    Restart the computer.

    Run RootRepeal again, but just select the Drivers tab
    Press the Scan button and make sure that driver TDSSmqlt.sys isn't there any more.

    If the file is still there, right-click on TDSSmqlt.sys again and select: Wipe File

    Restart the computer, and do the RootRepeal Driver scan again to see if it is gone.

    If gone, see if you can download ComboFix
    Save to the Desktop <<< Important!!
    • Now, close all open windows
    • Double-click combofix.exe to run the program
    • Follow the prompts.
      (Don't click on the window while the program is running, it may cause your system to stall.)
    • CF may reboot the computer and resume running when it restarts.
    • When finished, a log, ComboFix.txt, is produced.

    Please provide the contents of the ComboFix.txt in your reply.
     


  4. 2009/01/16
    lisaandre

    Hello,
    Well, almost everything went well. The RootRepeal part worked & ComboFix (kitty.exe) worked until the reboot, where it got hung up for a long time. I had to manually reboot. I ran ComboFix again and it worked, so hopefully it went ok. Here is the log:

    ComboFix 09-01-13.04 - Compaq_Administrator 2009-01-16 12:11:37.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.547 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\kitty.exe
    AV: AVG Internet Security *On-access scanning enabled* (Outdated)
    FW: AVG Firewall *enabled*
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\karna.dat
    .
    ---- Previous Run -------
    .
    c:\documents and settings\Compaq_Administrator\Application Data\FunWebProducts
    c:\program files\FunWebProducts
    c:\program files\FunWebProducts\ScreenSaver\Images\011F2815.urr
    c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
    c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
    c:\program files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
    c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
    c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
    c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
    c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
    c:\program files\Internet Explorer\msimg32.dll
    c:\program files\MyWebSearch
    c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
    c:\program files\MyWebSearch\bar\2.bin\F3CJPEG.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3DTACTL.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
    c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
    c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
    c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
    c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
    c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
    c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
    c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
    c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
    c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3HTML.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
    c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
    c:\program files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
    c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
    c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
    c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
    c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
    c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
    c:\program files\MyWebSearch\bar\Cache\00021E1D
    c:\program files\MyWebSearch\bar\Cache\0004AB6F
    c:\program files\MyWebSearch\bar\Cache\00869CB1.bin
    c:\program files\MyWebSearch\bar\Cache\00869DEA.bin
    c:\program files\MyWebSearch\bar\Cache\00869FAF.bin
    c:\program files\MyWebSearch\bar\Cache\0086A01C
    c:\program files\MyWebSearch\bar\Cache\00DF958C
    c:\program files\MyWebSearch\bar\Cache\00DF9619.bin
    c:\program files\MyWebSearch\bar\Cache\00DF96E4.bin
    c:\program files\MyWebSearch\bar\Cache\00DFA328.bin
    c:\program files\MyWebSearch\bar\Cache\00DFA3B5.bin
    c:\program files\MyWebSearch\bar\Cache\00E1C3D6.bin
    c:\program files\MyWebSearch\bar\Cache\00E1C50E.bin
    c:\program files\MyWebSearch\bar\Cache\00E1C5BA.bin
    c:\program files\MyWebSearch\bar\Cache\00E1C6F3.bin
    c:\program files\MyWebSearch\bar\Cache\00E1C7CE.bin
    c:\program files\MyWebSearch\bar\Cache\files.ini
    c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
    c:\program files\MyWebSearch\bar\Game\CHESS.F3S
    c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
    c:\program files\MyWebSearch\bar\History\search3
    c:\program files\MyWebSearch\bar\icons\CM.ICO
    c:\program files\MyWebSearch\bar\icons\MFC.ICO
    c:\program files\MyWebSearch\bar\icons\PSS.ICO
    c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
    c:\program files\MyWebSearch\bar\icons\WB.ICO
    c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
    c:\program files\MyWebSearch\bar\Message\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
    c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
    c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
    c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
    c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
    c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
    c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
    c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
    c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
    c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
    c:\program files\MyWebSearch\bar\Settings\s_pid.dat
    c:\program files\MyWebSearch\bar\Settings\setting2.htm
    c:\program files\MyWebSearch\bar\Settings\setting2.htm.bak
    c:\program files\MyWebSearch\bar\Settings\settings.dat
    c:\program files\MyWebSearch\bar\Settings\settings.dat.bak
    c:\program files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
    c:\windows\Downloaded Program Files\setup.inf
    c:\windows\system32\av.dat
    c:\windows\system32\DelSelf.bat
    c:\windows\system32\Drivers\TDSSmqlt.sys
    c:\windows\system32\f3PSSavr.scr
    c:\windows\system32\karna.dat
    c:\windows\system32\TDSSbrsr.dll
    c:\windows\system32\TDSSnmxh.log
    c:\windows\system32\TDSSoiqh.dll
    c:\windows\system32\TDSSosvd.dat
    c:\windows\system32\TDSSriqp.dll
    c:\windows\system32\TDSSxfum.dll
    D:\Autorun.inf

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_TDSSSERV.SYS
    -------\Service_AVG
    -------\Service_MyWebSearchService
    -------\Service_TDSSserv.sys
    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_TDSSSERV.SYS
    -------\Service_AVG


    ((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
    .

    2009-01-15 12:03 . 2009-01-15 12:03 <DIR> d-------- c:\documents and settings\Compaq_Administrator\DoctorWeb
    2009-01-07 09:11 . 2009-01-16 12:14 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-07 09:11 . 2009-01-16 12:10 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-07 09:11 . 2009-01-16 12:10 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-01-07 09:11 . 2009-01-16 12:10 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2009-01-07 09:11 . 2009-01-16 12:10 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-07 09:10 . 2009-01-16 12:10 50,968 --a------ c:\windows\system32\avgfwdx.dll
    2009-01-07 09:10 . 2009-01-16 12:10 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
    2009-01-07 08:46 . 2009-01-07 08:46 36,352 --a------ c:\windows\winarbs.exe
    2009-01-06 12:35 . 2009-01-07 09:27 <DIR> d-------- C:\avg_updates
    2009-01-06 12:35 . 2009-01-06 12:39 <DIR> d-------- C:\AVG
    2009-01-05 09:20 . 2009-01-16 11:51 2,712 --a------ c:\windows\system32\TDSSpaxt.dll
    2009-01-04 09:11 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
    2009-01-04 09:11 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
    2009-01-04 09:11 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
    2009-01-04 09:11 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys
    2008-12-18 08:16 . 2009-01-08 15:23 664 --a------ c:\windows\system32\d3d9caps.dat

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-16 17:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-04 14:15 5,018 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2008-12-12 16:17 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\Windows Live Writer
    2008-12-12 15:55 --------- d-----w c:\program files\PicLensIE
    2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
    2008-10-10 14:59 57,080 -c--a-w c:\documents and settings\Compaq_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-01 12:50 170 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
    2008-08-25 14:56 88 --sh--r c:\documents and settings\All Users\Application Data\62F0893BAA.sys
    2008-03-06 18:18 61,224 ----a-w c:\documents and settings\Compaq_Administrator\GoToAssistDownloadHelper.exe
    2008-02-26 14:22 630,784 ----a-w c:\documents and settings\Compaq_Administrator\GoToAssist_chat2way__317_en.exe
    2007-12-05 19:51 22 -csha-w c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
    "HPBootOp "= "c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-12-18 282624]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1601304]
    "ftutil2 "= "ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
    "nwiz "= "nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-07 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-07 27136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-16 12:10 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\DISC\\DISCover.exe "=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe "=
    "c:\\Program Files\\DISC\\myFTP.exe "=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "\\\\NEWHARRY\\WINNEWS\\WinNews.exe "=
    "\\\\NEWHARRY\\WINNEWS\\WinNewsPromos.exe "=
    "c:\\Program Files\\WINNEWS\\WinNews.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe "=
    "c:\\Program Files\\Corel\\DVD9\\WinDVD.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgam.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-07 12552]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-07 325128]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-07 107272]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-07 29208]
    R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 298264]
    R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-16 1339600]
    R4 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-07 29208]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
    HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe
    HKLM-Run-PCDrProfiler - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.goodsearch.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824NTUS
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: *.trymedia.com
    TCP: {D587CAF7-1043-4060-AAAD-E8F8695DA4DC} = 192.168.1.1

    c:\windows\Downloaded Program Files\Intellinet_Viewer.ocx - O16 -: {03B03C66-15CB-4F16-BA86-83A55A9B0EA4}
    hxxp://webcam.crowsnest-venice.com/Intellinet_Viewer.cab
    c:\windows\Downloaded Program Files\Intellinet_Viewer.inf

    - c:\windows\Downloaded Program Files\smsx.inf

    O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://74.228.46.36/activex/AMC.cab
    c:\windows\Downloaded Program Files\setup.inf

    c:\windows\Downloaded Program Files\plinstll.dll - O16 -: {EAC139A9-D22D-4C29-8D1C-252BE63750F9}
    hxxp://cooliris.com/shared/plinstll.cab
    c:\windows\Downloaded Program Files\plinstll.inf

    c:\windows\Downloaded Program Files\ReadMailU.tlb - O16 -: {FD80453F-106D-3480-9AA1-995D12DB3DBC}
    hxxp://192.168.0.116/ReadMailU.cab
    c:\windows\Downloaded Program Files\ReadMailU.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-16 12:15:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\arservice.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\progra~1\AVG\AVG8\avgam.exe
    c:\windows\system32\dllhost.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\AVG\AVG8\avgcsrvx.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-16 12:17:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-16 17:17:46

    Pre-Run: 176,378,183,680 bytes free
    Post-Run: 176,326,017,024 bytes free

    289 --- E O F --- 2009-01-14 17:16:27
     
  5. 2009/01/16
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    Please open Notepad (Start > Run > in the Open field type: notepad)
    Click: OK

    Copy/paste all the text inside the code box below to Notepad:

    Code:
    File::
    c:\windows\winarbs.exe
    c:\windows\system32\TDSSpaxt.dll
    Save as CFScript.txt <<< Important!!
    Change the Save as type to: All Files
    Save it to the Desktop

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]

    Referring to the screenshot above, drag CFScript.txt >>> into >>> ComboFix.exe
    ComboFix runs a scan, and may reboot when it finishes. This is normal.

    CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

    When finished, a log is produced: ComboFix.txt

    ~~~~

    Let’s see if Kaspersky picks up any infected files. There is no option to clean/disinfect, however, we can analyze the information on the report and determine whether further action is needed.


    Please close all windows, and temporarily turn off the real time scanner of your antivirus program.
    Then, use Internet Explorer, and do an online scan with Kaspersky WebScanner
    Click: Scan Now
    Then click: Accept
    The program launches and downloads the latest definition files.
    • Once the files are downloaded, click on: Next
    • Under select a target to scan, select: My Computer
    When the scan is done, any infection is displayed.
    • Click on: View scan report
    To obtain the report:
    Click on: Save Report As

    Next, in the Save as prompt, Save in area, select: Desktop

    In the File name area, use KScan, or something similar

    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save

    ~~~~
    Also run HijackThis one more time.

    ~~~~
    Please provide the contents of the new ComboFix log, and the Kaspersky Online Scanner report in your reply.
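    The helper's point that the Kaspersky report is read rather than cleaned (its findings are sorted into "already quarantined by ComboFix", "cached exploit files", "adware/toolbar leftovers" and "live detections that still need removal") can be turned into a small triage script. This is an added example, not part of this thread or of Kaspersky's or ComboFix's own tooling; the report lines are constructed in the scanner's "File name / Threat name / Threats count" layout, and the `placeholder_live_sample.dll` name is invented to stand for a live detection.

```python
import re
from collections import defaultdict

# Constructed input in the layout Kaspersky Online Scanner 7 uses for its
# findings list.  Paths and threat names are modelled on the report posted
# in this thread; "placeholder_live_sample.dll" is an invented stand-in for
# a detection that is NOT in quarantine and still needs action.
SAMPLE_REPORT = """\
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\\Qoobox\\Quarantine\\C\\Program Files\\MyWebSearch\\bar\\2.bin\\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cu 1
C:\\Program Files\\Windows Live\\Messenger\\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1
C:\\Documents and Settings\\Compaq_Administrator\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\jar\\jvmimpro.jar-51fad18-2f1dd679.zip Infected: Exploit.Java.Gimsh.a 1
C:\\WINDOWS\\system32\\placeholder_live_sample.dll Infected: Rootkit.Win32.TDSS.dbg 1
D:\\I386\\APPS\\APP17678\\src\\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
"""

# One finding per line: "<path> Infected: <threat name> <count>".
# The path may contain spaces, so it is matched lazily up to " Infected: ".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# ComboFix moves everything it removes under C:\Qoobox\Quarantine, so a hit
# there is already neutralised and disappears when Qoobox is deleted later.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
# Exploit jars in the Java deployment cache are inert copies of past
# drive-by attempts; clearing the cache and updating the JRE handles them.
JAVA_CACHE_MARKER = "\\sun\\java\\deployment\\cache\\"


def parse_report(text):
    """Return a list of {'path', 'threat', 'count'} dicts, skipping headers."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, blanks, "The selected area was scanned."
        findings.append({"path": m["path"], "threat": m["threat"],
                         "count": int(m["count"])})
    return findings


def classify(finding):
    """Bucket one finding by what, if anything, still has to be done."""
    path = finding["path"].lower()
    if path.startswith(QUARANTINE_PREFIX):
        return "quarantined"   # already dealt with by ComboFix
    if JAVA_CACHE_MARKER in path:
        return "java_cache"    # clear the Java cache, update the JRE
    if finding["threat"].startswith("not-a-virus:"):
        return "riskware"      # adware/toolbar leftovers: uninstall, low priority
    return "active"            # live malware outside quarantine: remove it


def triage(text):
    """Group all findings in a report by classify() bucket."""
    buckets = defaultdict(list)
    for finding in parse_report(text):
        buckets[classify(finding)].append(finding)
    return dict(buckets)


def needs_action(buckets):
    """True when at least one live detection remains outside quarantine."""
    return bool(buckets.get("active"))


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for bucket, items in sorted(result.items()):
        print(f"{bucket}: {len(items)}")
        for item in items:
            print(f"  {item['threat']}  <-  {item['path']}")
    print("further action needed:", needs_action(result))
```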
     
  6. 2009/01/19
    lisaandre

    lisaandre Inactive Thread Starter

    Joined:
    2009/01/15
    Messages:
    3
    Likes Received:
    0
    OK, here are the logs from ComboFix, Kaspersky & HijackThis. Thank you so much for all this help. It is greatly appreciated!

    COMBOFIX

    ComboFix 09-01-13.04 - Compaq_Administrator 2009-01-19 8:32:24.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.557 [GMT -5:00]
    Running from: c:\documents and settings\Compaq_Administrator\Desktop\kitty.exe
    Command switches used :: c:\documents and settings\Compaq_Administrator\Desktop\CFScript.txt
    AV: AVG Internet Security *On-access scanning enabled* (Updated)
    FW: AVG Firewall *enabled*
    * Created a new restore point

    FILE ::
    c:\windows\system32\TDSSpaxt.dll
    c:\windows\winarbs.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\TDSSpaxt.dll
    c:\windows\winarbs.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE
    -------\Legacy_TDSSSERV.SYS
    -------\Service_AVG


    ((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
    .

    2009-01-15 12:03 . 2009-01-15 12:03 <DIR> d-------- c:\documents and settings\Compaq_Administrator\DoctorWeb
    2009-01-07 09:11 . 2009-01-19 08:14 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-01-07 09:11 . 2009-01-16 12:10 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-01-07 09:11 . 2009-01-16 12:10 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-01-07 09:11 . 2009-01-16 12:10 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
    2009-01-07 09:11 . 2009-01-16 12:10 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-01-07 09:10 . 2009-01-16 12:10 50,968 --a------ c:\windows\system32\avgfwdx.dll
    2009-01-07 09:10 . 2009-01-16 12:10 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
    2009-01-06 12:35 . 2009-01-07 09:27 <DIR> d-------- C:\avg_updates
    2009-01-06 12:35 . 2009-01-06 12:39 <DIR> d-------- C:\AVG
    2009-01-04 09:11 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
    2009-01-04 09:11 . 2001-08-17 13:48 12,160 --a------ c:\windows\system32\dllcache\mouhid.sys
    2009-01-04 09:11 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
    2009-01-04 09:11 . 2008-04-13 14:45 10,368 --a------ c:\windows\system32\dllcache\hidusb.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-16 17:11 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-04 14:15 5,018 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2008-12-12 16:17 --------- d-----w c:\documents and settings\Compaq_Administrator\Application Data\Windows Live Writer
    2008-12-12 15:55 --------- d-----w c:\program files\PicLensIE
    2008-12-11 10:57 333,952 ------w c:\windows\system32\drivers\srv.sys
    2008-10-10 14:59 57,080 -c--a-w c:\documents and settings\Compaq_Administrator\Application Data\GDIPFONTCACHEV1.DAT
    2008-10-01 12:50 170 ----a-w c:\documents and settings\Compaq_Administrator\Application Data\wklnhst.dat
    2008-08-25 14:56 88 --sh--r c:\documents and settings\All Users\Application Data\62F0893BAA.sys
    2008-03-06 18:18 61,224 ----a-w c:\documents and settings\Compaq_Administrator\GoToAssistDownloadHelper.exe
    2008-02-26 14:22 630,784 ----a-w c:\documents and settings\Compaq_Administrator\GoToAssist_chat2way__317_en.exe
    2007-12-05 19:51 22 -csha-w c:\windows\SMINST\HPCD.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray "= "c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
    "Recguard "= "c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
    "HPBootOp "= "c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
    "HP Software Update "= "c:\program files\HP\HP Software Update\HPwuSchd2.exe" [2005-02-17 49152]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2007-12-18 282624]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-01-16 1601304]
    "ftutil2 "= "ftutil2.dll" [2004-06-07 c:\windows\system32\ftutil2.dll]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-13 c:\windows\RTHDCPL.EXE]
    "AlwaysReady Power Message APP "= "ARPWRMSG.EXE" [2005-08-03 c:\windows\arpwrmsg.exe]
    "nwiz "= "nwiz.exe" [2006-05-09 c:\windows\system32\nwiz.exe]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-09-07 27136]
    PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-09-07 27136]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-01-16 12:10 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\DISC\\DISCover.exe "=
    "c:\\Program Files\\DISC\\DiscStreamHub.exe "=
    "c:\\Program Files\\DISC\\myFTP.exe "=
    "c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "\\\\NEWHARRY\\WINNEWS\\WinNews.exe "=
    "\\\\NEWHARRY\\WINNEWS\\WinNewsPromos.exe "=
    "c:\\Program Files\\WINNEWS\\WinNews.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\Program Files\\HP Games\\Wheel of Fortune\\Wheel of Fortune.exe "=
    "c:\\Program Files\\Corel\\DVD9\\WinDVD.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgam.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-01-07 12552]
    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-07 325128]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-01-07 107272]
    R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-01-07 29208]
    R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-01-16 298264]
    R4 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-01-16 1339600]
    R4 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-17 11032]
    S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-01-07 29208]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824NTUS
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
    Trusted Zone: *.trymedia.com
    TCP: {D587CAF7-1043-4060-AAAD-E8F8695DA4DC} = 192.168.1.1

    c:\windows\Downloaded Program Files\Intellinet_Viewer.ocx - O16 -: {03B03C66-15CB-4F16-BA86-83A55A9B0EA4}
    hxxp://webcam.crowsnest-venice.com/Intellinet_Viewer.cab
    c:\windows\Downloaded Program Files\Intellinet_Viewer.inf

    - c:\windows\Downloaded Program Files\smsx.inf

    O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://74.228.46.36/activex/AMC.cab
    c:\windows\Downloaded Program Files\setup.inf

    c:\windows\Downloaded Program Files\plinstll.dll - O16 -: {EAC139A9-D22D-4C29-8D1C-252BE63750F9}
    hxxp://cooliris.com/shared/plinstll.cab
    c:\windows\Downloaded Program Files\plinstll.inf

    c:\windows\Downloaded Program Files\ReadMailU.tlb - O16 -: {FD80453F-106D-3480-9AA1-995D12DB3DBC}
    hxxp://192.168.0.116/ReadMailU.cab
    c:\windows\Downloaded Program Files\ReadMailU.inf
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-19 08:36:28
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\arservice.exe
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    c:\progra~1\AVG\AVG8\avgam.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\windows\system32\nvsvc32.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\ehome\ehmsas.exe
    c:\windows\system32\dllhost.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-19 8:38:36 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-19 13:38:24
    ComboFix2.txt 2009-01-16 17:17:51

    Pre-Run: 176,318,214,144 bytes free
    Post-Run: 176,319,565,824 bytes free

    167 --- E O F --- 2009-01-14 17:16:27


    KASPERSKY

    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, January 19, 2009
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, January 19, 2009 12:38:39
    Records in database: 1647474
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\
    G:\
    H:\
    I:\
    J:\

    Scan statistics:
    Files scanned: 99234
    Threat name: 28
    Infected objects: 38
    Suspicious objects: 0
    Duration of the scan: 01:53:07


    File name / Threat name / Threats count
    C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-2f1dd679.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5286af48-409dde9b.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-3ada5111.zip Infected: Exploit.Java.Gimsh.b 1
    C:\Documents and Settings\Compaq_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d00d9f7-5a1d1915.zip Infected: Exploit.Java.Gimsh.a 1
    C:\Program Files\Windows Live\Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1
    C:\Program Files\Windows Live\Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1
    C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3DTACTL.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dn 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HISTSW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.eb 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cn 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ed 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cv 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3POPSWT.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.dd 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bg 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3RESTUB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ck 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3HTML.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cj 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3IDLE.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3MSG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cm 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.el 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3SKIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ad 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cl 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ee 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.cu 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.en 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.dc 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\2.bin\MWSOESTB.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.db 1
    C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ca 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bg 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSbrsr.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqh.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSriqp.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSxfum.dll.vir Infected: Rootkit.Win32.TDSS.dbg 1
    D:\I386\APPS\APP17678\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
    D:\I386\APPS\APP17678\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

    The selected area was scanned.


    HIJACKTHIS

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:58:17 AM, on 1/19/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\explorer.exe
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdMgr.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    \Harrykovsky\winnews\WinNews.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PRESARIO&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
    O4 - S-1-5-18 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824NTUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {03B03C66-15CB-4F16-BA86-83A55A9B0EA4} (Intellinet_Viewer Control) - http://webcam.crowsnest-venice.com/Intellinet_Viewer.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfield.com/coupons/scriptX/smsx.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
    O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://74.228.46.36/activex/AMC.cab
    O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://cooliris.com/shared/plinstll.cab
    O16 - DPF: {FD80453F-106D-3480-9AA1-995D12DB3DBC} (ReadMailU.Forward_Mail) - http://192.168.0.116/ReadMailU.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D587CAF7-1043-4060-AAAD-E8F8695DA4DC}: NameServer = 192.168.1.1
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe

    --
    End of file - 9003 bytes
     
  7. 2009/01/19
    Aaflac

    Aaflac Inactive

    Joined:
    2008/11/02
    Messages:
    294
    Likes Received:
    1
    For what shows in the Kaspersky report:

    Clean the Java Cache Folder

    We will take care of the ComboFix C:\Qoobox\Quarantine when we wrap up.

    You can remove the following infected files:
    C:\Program Files\Windows Live\Messenger\msimg32.dll
    C:\Program Files\Windows Live\Messenger\riched20.dll

    Also, on these:
    D:\I386\APPS\APP17678\src\CompaqPresario_Spring06.exe
    D:\I386\APPS\APP17678\src\HPPavillion_Spring06.exe

    If your HP computer has WeatherBug installed, and you opt to remove it, in order to avoid future problems, make sure the program is not running before uninstalling it.
    If there is a WeatherBug icon in the system tray (in the lower right hand corner of the screen), right-click on it and select: "Exit WeatherBug" or "Terminate WeatherBug".

    Once the program is closed, then remove it easily from the Add or Remove Programs section of the Control Panel by following these steps:

    Go to Start > Control Panel > Add or Remove Programs
    In the list of currently installed programs, select:
    WeatherBug
    Click: Remove

    ~~~~
    Now, please run HijackThis, Scan
    Check box for:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm824NTUS

    Select: Fix checked

    ~~~~
    Let us know, are you still having malware problems?
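As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python triage script that parses lines in the format shown in the logs above and flags the kinds of entries the helper asked the poster to fix: an orphaned `(no file)` URLSearchHook and the mywebsearch context-menu item. It also applies two checks a responder usually makes when a machine is redirecting searches: O16 ActiveX controls downloaded from a bare IP address, and O17 DNS servers that are not on the LAN. The sample lines are copied from the log in this thread except the second O17 line, which is constructed (203.0.113.x is documentation address space, and the GUID is a placeholder); the watch-list containing mywebsearch.com is likewise constructed from the advice given in this thread and is not a HijackThis feature.

```python
"""Triage helper for HijackThis-style log lines (added example, not a tool from this thread)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Every HijackThis line starts with a section code such as R3, O8, O16, O17 or O23.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

# RFC 1918 ranges: an O17 NameServer inside these is normally the home router.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed watch-list: the one host the helper in this thread told the poster to fix.
FLAGGED_HOSTS = {"mywebsearch.com"}


@dataclass
class HjtEntry:
    code: str
    body: str
    target: Optional[str]  # trailing path, URL or value the entry points at, if any


def parse_line(line: str) -> Optional[HjtEntry]:
    """Split one log line into its section code, body and final target field."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, blank lines and the "End of file" trailer
    body = m.group("body")
    if " - " in body:          # "... - <path or URL>" (O8, O9, O16, O23, R3 ...)
        target = body.rsplit(" - ", 1)[1].strip()
    elif " = " in body:        # "... = <value>" (O4 startup items, O17 NameServer)
        target = body.rsplit(" = ", 1)[1].strip()
    else:
        target = None
    return HjtEntry(m.group("code"), body, target)


def _as_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None


def _host_flagged(host: str) -> bool:
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in FLAGGED_HOSTS)


def triage(entry: HjtEntry) -> List[str]:
    """Return human-readable reasons an entry deserves a second look (empty list = nothing noted)."""
    findings: List[str] = []
    t = entry.target or ""

    # Registered component whose file is gone: harmless, but HijackThis can clean it up.
    if t == "(no file)":
        findings.append("orphaned entry, the registered file no longer exists")

    if t.lower().startswith("http"):
        host = urlparse(t).hostname or ""
        if _host_flagged(host):
            findings.append(f"points at watch-listed host {host}")
        # O16 entries are ActiveX controls fetched from the web; a bare IP is unusual for a vendor.
        if entry.code == "O16" and _as_ip(host) is not None:
            findings.append(f"ActiveX control served from a bare IP address ({host})")

    # O17 holds the adapter's DNS servers; a non-LAN resolver should be one the user or ISP chose.
    if entry.code == "O17":
        for ns in (s.strip() for s in t.split(",")):
            ip = _as_ip(ns)
            if ip is not None and not any(ip in net for net in LAN_NETS):
                findings.append(f"DNS server {ns} is not a LAN address, confirm it is intended")

    return findings


def triage_log(lines) -> List[Tuple[HjtEntry, List[str]]]:
    """Parse every recognised line and pair it with its findings."""
    out: List[Tuple[HjtEntry, List[str]]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            out.append((entry, triage(entry)))
    return out


# Constructed sample: lines copied from the log in this thread, plus one made-up O17 entry
# (203.0.113.x is documentation address space, placeholder GUID) to show a DNS-server finding.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824NTUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://74.228.46.36/activex/AMC.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D587CAF7-1043-4060-AAAD-E8F8695DA4DC}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5,203.0.113.6
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

if __name__ == "__main__":
    for entry, findings in triage_log(SAMPLE_LOG):
        status = "; ".join(findings) if findings else "ok"
        print(f"{entry.code:4} {status}")
```

Run it against a saved HijackThis log by replacing `SAMPLE_LOG` with the file's lines. Entries with no findings are not a clean bill of health; the script only narrows down which lines to read first, and anything it flags still needs to be checked against what the program path or host actually is before ticking "Fix checked".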
     
