Hi, please help me get rid of the Google search result page hijack problem.
I have read previous posts on this topic with no result. Below are the Fiddler log, Goored log (option 1) and ComboFix log. Thanks in advance for your time.
I have the same problem regardless of the browser or search engine that I use.
# Result Protocol Host URL Body Caching Content-Type Process Comments Custom
0 200 HTTP www.fiddler2.com /fiddler2/updatecheck.asp?isBeta=False 411 private text/plain fiddler:1500
1 200 HTTP clients5.google.com /complete/search?hl=en-us&q=vs&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8 262 public, max-age=3600 Expires: Thu, 11 Jun 2009 07:44:55 GMT text/xml; charset=utf-8 iexplore:3876
2 200 HTTP clients5.google.com /complete/search?hl=en-us&q=vs+2&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8 284 public, max-age=3600 Expires: Thu, 11 Jun 2009 07:44:56 GMT text/xml; charset=utf-8 iexplore:3876
3 200 HTTP clients5.google.com /complete/search?hl=en-us&q=vs+200&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8 287 public, max-age=3600 Expires: Thu, 11 Jun 2009 07:44:56 GMT text/xml; charset=utf-8 iexplore:3876
4 200 HTTP clients5.google.com /complete/search?hl=en-us&q=vs+2008&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8 296 public, max-age=3600 Expires: Thu, 11 Jun 2009 07:44:57 GMT text/xml; charset=utf-8 iexplore:3876
5 200 HTTP clients5.google.com /complete/search?hl=en-us&q=vs+2008+sp&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8 291 public, max-age=3600 Expires: Thu, 11 Jun 2009 07:44:58 GMT text/xml; charset=utf-8 iexplore:3876
6 200 HTTP clients5.google.com /complete/search?hl=en-us&q=vs+2008+sp1&client=ie8&inputencoding=UTF-8&outputencoding=UTF-8 289 public, max-age=3600 Expires: Thu, 11 Jun 2009 07:44:58 GMT text/xml; charset=utf-8 iexplore:3876
7 200 HTTP www.google.com /search?q=vs+2008+sp1&rls=com.microsoft:en-us&ie=UTF-8&oe=UTF-8&startIndex=&startPage=1 7,091 private, max-age=0 Expires: -1 text/html; charset=UTF-8 iexplore:3620
8 200 HTTP id.google.com /verify/EAAAADP5G7lSJJOiMJ71_RJ8QEY.gif 43 no-cache, private, must-revalidate Expires: Fri, 01 Jan 1990 00:00:00 GMT image/gif iexplore:3620
9 204 HTTP www.google.com /csi?v=3&s=web&action=&tran=undefined&ei=7qcwSoGXJJnqtAOi-PisAw&e=17259,20525,20729,20779&rt=prt.31,ol.219,xjs.281 0 private, no-cache Expires: Wed, 17 Sep 1975 21:32:10 GMT text/html iexplore:3620
10 204 HTTP clients1.google.com /generate_204 0 text/html iexplore:3620
11 204 HTTP www.google.com /url?sa=T&source=web&ct=res&cd=1&url=http%3A%2F%2Fwww.microsoft.com%2Fdownloads%2Fdetails.aspx%3FFamilyId%3DFBEE1648-7106-44A7-9649-6D9F6D58056E&ei=7qcwSoGXJJnqtAOi-PisAw 0 no-cache, must-revalidate Expires: Fri, 01 Jan 1990 00:00:00 GMT text/html; charset=UTF-8 iexplore:3620
12 302 HTTP www.microsoft.com /downloads/details.aspx?FamilyId=FBEE1648-7106-44A7-9649-6D9F6D58056E 77 iexplore:3620
13 200 HTTP searchinternet2009.com /?q=vs%202008%20sp1 932 no-cache text/html iexplore:3620
14 302 HTTP searchinternet2009.com / 633 iexplore:3620
15 200 HTTP CONNECT urs.microsoft.com:443 0 iexplore:3620
16 302 HTTP 68.169.70.134 /go.php?c=JWCGpkrLcQB1d31heFfQCt3WCLvNiUdtpp0J53Ko5dwTWaE7DkeEnVi6mYFVUEI8vRQETWrgtLMYJKoEBmPqMPkzjKvBDASumWCXbLMj0tWiUmivksE7SYDAFtcQM0DyaapkQtbTHgQpFpI08rV3ebwF7XJLLmZQAvZO5wy1BcZgBgL18pq9IEZMLUN%2BpctdwWZ%2FCUHWACxzqG7SvOx200ANDMTkTffS8MDWvKVDxD1RBuqkQAW6X8bRGUhbDS%2BVfgASXz3BfZX2178SHWz0khZpAZRGnzAyi6D5Py0GHSS1fi8hf2bz5ryNEiaVFour1gwaDMhu%2F4MO914c%2BBG%2Bt4muDgaB6csJScnB1M6e9%2FLd1K4igN8wDP0RHMjnikBk03QwkMpBR%2F86ApMOYGwyu8fvvISP4sARDPai2qc%2BMp6kEdgpTog3v2Q%2Fvl3Z%2BfGn%2BPMXxvlc1K3isA3JZh%2Bw1GSlSH8Ah1RCLEh7%2Br76%2FZda0xETKoUIbF3NnYI4brHk%2BR%2FO4JPUdUyympatN9MUtg%3D%3D 5 text/html iexplore:3620
17 302 HTTP atl.xmlsearch.miva.com /bin/findwhat.dll?clickthrough&y=52593&x=msaymfOlKbadoVAx:edzb1mfuITAK77NK8hFS1OZgbFJm3LEUq2gBIyCKF6LmIbyfhYP7s09UUhyx8;86O9H1bwkWbTImqsSZ1O39tw5mU9kgQAZ0Od8mPd7f7afZAEkrIFD1AT;rA7Z0eV8f16HS72qFt0ZgOzMr8ADBbuT7IcursiDoPdiUIdzXiTHB3aEKQLVxCT8qVjCrebDq 463 private text/html; charset=iso-8859-1 iexplore:3620
18 302 HTTP atl.xmlsearch.miva.com /bin/findwhat.dll?clickthrough&y=52593&x=QBotjgNFk6oZtOddmeg3rK1xLPMXkBUIkyT6eyNTP6rJjhhwzQSb355pk9EnQPItZXYefmQHzeTt8y0EyzAUX82Lz6MSjYvuGyNYQP2yjxALUSdTAzgEj2gVkmoxX8PLE5rjX6MzE8UTAejEkyEUJBShIPQTU7R1Eydj36eOCPf4EmJjs2g7zPg3puMU3howZShD8OMEq:Kpn5LtUyNY8C$2k&c=DEF6B8D1%2D0079%2D404D%2DA12E%2D8B0EF3107479 203 private text/html; charset=iso-8859-1 iexplore:3620
19 301 HTTP www.ave99.com /search.php?q=vs+2008+sp1&source=campaign3_keyword_vs+2008+sp1 0 text/html iexplore:3620
20 200 HTTP www.ave99.com /search.php?q=vs+2008+sp1 4,366 text/html iexplore:3620
21 200 HTTP www.ave99.com /css/st.css 1,804 text/css iexplore:3620
22 200 HTTP www.ave99.com /css/layer.css 15,830 text/css iexplore:3620
23 200 HTTP CONNECT urs.microsoft.com:443 0 iexplore:3620
24 200 HTTP www.ave99.com /css/ie.css 0 text/css iexplore:3620
25 200 HTTP www.ave99.com /jscript/prototype.js 71,366 application/x-javascript iexplore:3620
26 200 HTTP www.ave99.com /jscript/effects.js 38,996 application/x-javascript iexplore:3620
27 200 HTTP www.ave99.com /css/box.css 991 text/css iexplore:3620
28 200 HTTP www.ave99.com /jscript/search.js 7,065 application/x-javascript iexplore:3620
29 200 HTTP www.ave99.com /jscript/lightbox.js 9,075 application/x-javascript iexplore:3620
30 200 HTTP www.ave99.com /jscript/popup.js 6,085 application/x-javascript iexplore:3620
31 200 HTTP www.ave99.com /jscript/suggest.js 14,269 application/x-javascript iexplore:3620
32 200 HTTP www.ave99.com /async_adsjs.php?nStartNumber=0&nProdNumber=42&strKeyword=vs+2008+sp1&pageType=5&bn=0 3,521 text/html iexplore:3620
33 200 HTTP www.ave99.com /images/logo_btbg.gif 873 image/gif iexplore:3620
34 200 HTTP www.ave99.com /images/left_bg.gif 140 image/gif iexplore:3620
35 200 HTTP www.ave99.com /images/loading_ok.gif 398 image/gif iexplore:3620
36 200 HTTP www.ave99.com /images/loading.gif 5,411 image/gif iexplore:3620
37 200 HTTP www.ave99.com /images/ico_pageloading.gif 7,347 image/gif iexplore:3620
38 200 HTTP www.ave99.com /images/but_view_down.gif 558 image/gif iexplore:3620
39 200 HTTP www.ave99.com /images/but_srh_down.gif 429 image/gif iexplore:3620
40 200 HTTP www.ave99.com /images/but_moreinfo_s_down.gif 445 image/gif iexplore:3620
41 200 HTTP www.ave99.com /images/but_seeit_s_down.gif 428 image/gif iexplore:3620
42 200 HTTP www.ave99.com /css/pop.css 4,890 text/css iexplore:3620
43 200 HTTP www.ave99.com /jscript/PopLib.js 94,838 application/x-javascript iexplore:3620
44 200 HTTP www.ave99.com /images/logo.gif 11,485 image/gif iexplore:3620
45 200 HTTP www.ave99.com /images/logo_bot2.gif 4,056 image/gif iexplore:3620
46 200 HTTP www.ave99.com /images/srh_middle.gif 79 image/gif iexplore:3620
47 200 HTTP www.ave99.com /images/but_srh.gif 482 image/gif iexplore:3620
48 200 HTTP www.ave99.com /images/srh_left.gif 424 image/gif iexplore:3620
49 200 HTTP www.ave99.com /images/dec_corn.gif 978 image/gif iexplore:3620
50 200 HTTP www.ave99.com /images/srh_right.gif 410 image/gif iexplore:3620
51 200 HTTP www.ave99.com /images/Icon_Favorites.gif 163 image/gif iexplore:3620
52 200 HTTP www.ave99.com /favicon.ico 1,406 image/x-icon iexplore:3620
========================================================
GooredFix v1.92 by jpshortstuff
Log created at 23:30 on 10/06/2009 running Option #1 (U5935056)
Firefox version 3.0.10 (en-US)
=====Suspect Goored Entries=====
=====Dumping Registry Values=====
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
=============================================================
ComboFix 09-06-10.02 - U5935056 06/10/2009 22:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2434 [GMT -7:00]
Running from: c:\downloads\Goordfix\ComboFix.exe
FW: CyberArmor Client *enabled* {E503B27E-6391-4e17-B2CA-F910AF011E23}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Ultimate Cleaner
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\system32\Cache
c:\windows\Casino.ico
c:\windows\Free Online Dating.ico
c:\windows\Spyware Remover.ico
c:\windows\system32\42KJE738.ocx
c:\windows\system32\din.ip
c:\windows\system32\drivers\bg_bg.gif
c:\windows\system32\drivers\blank.gif
c:\windows\system32\drivers\box_1.gif
c:\windows\system32\drivers\box_2.gif
c:\windows\system32\drivers\box_3.gif
c:\windows\system32\drivers\button_buynow.gif
c:\windows\system32\drivers\button_freescan.gif
c:\windows\system32\drivers\cell_bg.gif
c:\windows\system32\drivers\cell_footer.gif
c:\windows\system32\drivers\cell_header_block.gif
c:\windows\system32\drivers\cell_header_remove.gif
c:\windows\system32\drivers\cell_header_scan.gif
c:\windows\system32\drivers\close_ico.gif
c:\windows\system32\drivers\detect.htm
c:\windows\system32\drivers\download_box.gif
c:\windows\system32\drivers\download_btn.jpg
c:\windows\system32\drivers\download_now_btn.gif
c:\windows\system32\drivers\footer_back.jpg
c:\windows\system32\drivers\header_1.gif
c:\windows\system32\drivers\header_2.gif
c:\windows\system32\drivers\header_3.gif
c:\windows\system32\drivers\header_4.gif
c:\windows\system32\drivers\header_red_bg.gif
c:\windows\system32\drivers\header_red_free_scan.gif
c:\windows\system32\drivers\header_red_free_scan_bg.gif
c:\windows\system32\drivers\header_red_protect_your_pc.gif
c:\windows\system32\drivers\icon_warning_big.gif
c:\windows\system32\drivers\infected.gif
c:\windows\system32\drivers\main_back.gif
c:\windows\system32\drivers\perfect_cleaner_box.jpg
c:\windows\system32\drivers\product_1_header.gif
c:\windows\system32\drivers\product_1_name_small.gif
c:\windows\system32\drivers\product_2_header.gif
c:\windows\system32\drivers\product_2_name_small.gif
c:\windows\system32\drivers\product_3_header.gif
c:\windows\system32\drivers\product_3_name_small.gif
c:\windows\system32\drivers\product_features.gif
c:\windows\system32\drivers\pt.htm
c:\windows\system32\drivers\rating.gif
c:\windows\system32\drivers\remove_spyware_header.gif
c:\windows\system32\drivers\s_detect.htm
c:\windows\system32\drivers\screenshot.jpg
c:\windows\system32\drivers\sep_hor.gif
c:\windows\system32\drivers\sep_vert.gif
c:\windows\system32\drivers\shadow.jpg
c:\windows\system32\drivers\shadow_bg.gif
c:\windows\system32\drivers\spacer.gif
c:\windows\system32\drivers\spy_away_box.jpg
c:\windows\system32\drivers\spyware_detected.gif
c:\windows\system32\drivers\star.gif
c:\windows\system32\drivers\star_gray.gif
c:\windows\system32\drivers\star_gray_small.gif
c:\windows\system32\drivers\star_small.gif
c:\windows\system32\drivers\style.css
c:\windows\system32\drivers\v.gif
c:\windows\system32\drivers\warning_ico.gif
c:\windows\system32\drivers\warning_icon.gif
c:\windows\system32\drivers\win_logo.gif
c:\windows\system32\drivers\x.gif
c:\windows\system32\drivers\yellow_warning_ico.gif
c:\windows\system32\gjllm.ini
c:\windows\system32\gtv_sd.bin
c:\windows\system32\rtstv.ini
c:\windows\system32\sznf.ascii
----- BITS: Possible infected sites -----
hxxp://TSHUSMIANNSMS01:80
hxxp://THUSCASANUTL02:80
.
((((((((((((((((((((((((( Files Created from 2009-05-11 to 2009-06-11 )))))))))))))))))))))))))))))))
.
2009-06-10 23:51 . 2009-06-10 23:51 -------- d-----w- c:\program files\podmena
2009-06-10 23:50 . 2009-06-10 23:50 2 ---h--w- c:\windows\ro122458.dat
2009-06-10 23:50 . 2009-06-10 23:50 175 ----a-w- C:\d45.bat
2009-06-09 22:27 . 2009-05-21 18:46 268288 ------w- c:\windows\system32\dllcache\httpext.dll
2009-06-09 22:26 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:26 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-05-20 21:48 . 2009-05-20 21:48 19423 ----a-w- c:\temp\MSNProduct.zip
2009-05-14 16:56 . 2009-05-14 16:56 18192 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\Values and Attributes Screensaver\saver2.dll
2009-05-14 16:56 . 2009-05-14 16:56 34304 ----a-w- c:\documents and settings\All Users\Application Data\Screentime\Values and Attributes Screensaver\saver1.dll
2009-05-14 16:56 . 2009-05-14 16:56 218112 ----a-w- c:\windows\system32\Values and Attributes Screensaver.scr
2009-05-14 16:55 . 2009-05-14 16:56 -------- d-----w- c:\documents and settings\u5935056\Local Settings\Application Data\Screentime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-11 00:55 . 2007-08-16 05:54 -------- d-----w- c:\program files\BitComet
2009-06-10 22:11 . 2007-07-18 04:32 -------- d-----w- c:\program files\CyberArmor
2009-06-10 04:48 . 2008-02-28 01:55 176576 ----a-w- c:\windows\system32\nvModes.dat
2009-06-03 16:50 . 2008-06-01 17:15 164880 ---ha-w- c:\documents and settings\u5935056\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 18:16 . 2008-11-19 19:35 27800 ----a-w- c:\documents and settings\SB-NB-09622\CustomASPNet\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-28 17:35 . 2008-08-28 07:15 -------- d-----w- c:\documents and settings\u5935056\Application Data\Winamp
2009-05-14 16:56 . 2008-04-18 15:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Screentime
2009-05-13 18:38 . 2007-07-18 08:09 -------- d-----w- c:\program files\Notepad++
2009-05-13 05:15 . 2004-08-04 16:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-13 04:39 . 2009-05-11 08:02 -------- d-----w- c:\program files\Microsoft Analysis Services
2009-05-13 04:31 . 2007-07-18 01:41 -------- d-----w- c:\program files\Microsoft SQL Server
2009-05-11 18:30 . 2007-07-18 05:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-11 08:49 . 2007-11-10 07:20 2105248 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\visualstudio\9.0\1033\ResourceCache.dll
2009-05-11 08:14 . 2008-09-05 05:15 552256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\SSIS_ScriptComponent\9.0\1033\ResourceCache.dll
2009-05-11 08:13 . 2008-09-05 05:15 552256 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VSTAHost\SSIS_ScriptTask\9.0\1033\ResourceCache.dll
2009-05-11 08:01 . 2009-05-11 08:01 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-05-11 07:58 . 2007-07-17 19:38 -------- d-----w- c:\program files\Microsoft.NET
2009-05-11 07:24 . 2007-07-18 23:06 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-05-11 07:11 . 2007-07-19 04:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PreEmptive Solutions
2009-05-11 07:10 . 2007-07-18 05:39 -------- d-----w- c:\program files\Common Files\Merge Modules
2009-05-07 15:32 . 2004-08-04 16:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 16:05 . 2009-05-06 16:05 -------- d-----w- c:\program files\Microsoft Synchronization Services
2009-05-06 15:23 . 2008-02-29 20:09 -------- d-----w- c:\documents and settings\u5935056\Application Data\Download Manager
2009-04-23 16:48 . 2008-02-13 19:34 -------- d-----w- c:\documents and settings\u5935056\Application Data\webex
2009-04-22 16:17 . 2008-08-28 07:15 -------- d-----w- c:\program files\Winamp
2009-04-17 12:26 . 2004-08-04 16:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-17 07:25 . 2009-04-17 05:30 -------- d-----w- c:\documents and settings\u5935056\Application Data\dvdcss
2009-04-17 05:32 . 2009-04-17 05:29 -------- d-----w- c:\documents and settings\u5935056\Application Data\vlc
2009-04-17 05:19 . 2009-04-17 05:19 -------- d-----w- c:\program files\VideoLAN
2009-04-16 23:16 . 2009-04-16 23:16 -------- d-----w- c:\program files\CCleaner
2009-04-15 14:51 . 2004-08-04 16:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 22:31 . 2009-04-14 22:31 -------- d-----w- c:\program files\Common Files\Windows Live
2009-04-02 06:12 . 2009-04-02 06:12 1048576 ----a-w- c:\documents and settings\u5935056\Application Data\Mozilla\Firefox\Profiles\3t4pzool.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
2009-03-30 10:24 . 2009-03-30 10:24 2555736 ----a-w- c:\windows\system32\sqlncli10.dll
2009-03-30 10:09 . 2009-03-30 10:09 239336 ----a-w- c:\windows\system32\drivers\RsFx0103.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exex" [X]
"Google Update"="c:\documents and settings\u5935056\Local Settings\Application Data\Google\Update\GoogleUpdate.exxe" [X]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ONS Frontend"="wscript" [X]
"nwiz"="nwiz.exee" [X]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exex" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exex" [X]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exex" [X]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exxe" [X]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exxe" [X]
"AgentUiRunKey"="c:\program files\Iron Mountain\Connected BackupPC\Agent.exex -ni -sss -e http://localhost:16386/" [X]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exex" [X]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exex" [X]
"Inventory Scan"="c:\ldclient\LDISCN32.EXE" [2004-10-13 638976]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2006-09-02 356429]
"CyberArmorHelper"="c:\progra~1\CYBERA~1\pcshelp.exe" [2008-07-19 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-7-17 25214]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2425740569-2578367765-1306412021-53574\Scripts\Logon\0\0]
"Script"=\\tsh.thomson.com\NETLOGON\software\Screensaver\TRValuesSS.vbs
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\LDClient\\Wuser32.exe"=
"c:\\LDClient\\tmcsvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Iron Mountain\\Connected BackupPC\\Agent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:*:Disabled:Peer Name Resolution Protocol (PNRP)
"16857:TCP"= 16857:TCP:BitComet 16857 TCP
"16857:UDP"= 16857:UDP:BitComet 16857 UDP
"8085:TCP"= 8085:TCP:podmena
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 BootScreen;BootScreen;\SystemRoot\\SystemRoot\System32\drivers\vidstub.sys --> \SystemRoot\\SystemRoot\System32\drivers\vidstub.sys [?]
R1 podmenadrv;podmenadrv;c:\program files\podmena\podmena.sys [6/10/2009 4:51 PM 9472]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [12/19/2001 11:45 AM 8576]
R2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentAgent.exe [9/28/2004 2:27 PM 122880]
R2 CyberArmorRunService;CyberArmor Run Service;c:\program files\CyberArmor\casvc.exe [7/17/2007 9:32 PM 77824]
R2 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [4/24/2008 6:51 PM 45384]
R2 MsDtsServer100;SQL Server Integration Services 10.0;c:\program files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [7/10/2008 1:22 AM 218136]
R2 MSOLAP$SQL08DEV;SQL Server Analysis Services (SQL08DEV);c:\program files\Microsoft SQL Server\MSAS10.SQL08DEV\OLAP\bin\msmdsrv.exe [3/30/2009 1:51 AM 21953896]
R2 MSSQL$SQL08DEV;SQL Server (SQL08DEV);c:\program files\Microsoft SQL Server\MSSQL10.SQL08DEV\MSSQL\Binn\sqlservr.exe [3/30/2009 3:25 AM 43010392]
R2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [8/4/2004 9:00 AM 14336]
R2 Sygman;SSA Integration Manager;c:\program files\AccessManager\Client\sygman.exe [11/3/2004 8:48 AM 126976]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\tmxpflt.sys [9/6/2006 8:27 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [9/6/2006 8:27 PM 36368]
R2 Viexca2k;CyberArmor Registry Driver;c:\windows\system32\drivers\viexca2k.sys [7/17/2007 9:32 PM 21504]
R2 Viexpf2k;CyberArmor W2KDriver;c:\windows\system32\drivers\viexpf2k.sys [7/17/2007 9:32 PM 424495]
R3 BWNDIS5;BWNDIS5 NDIS Protocol Driver;c:\windows\system32\BWNDIS5.SYS [3/10/2004 5:50 PM 15744]
R3 DAPlugin;Visual Insight DA Plugin;c:\program files\AccessManager\Client\DAPlugin.exe [11/3/2004 8:56 AM 81920]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [7/17/2007 9:30 PM 24521]
S3 AgentService;AgentService;c:\program files\Iron Mountain\Connected BackupPC\AgentService.exe [4/24/2008 6:51 PM 6311936]
S3 AMBroker;Access Manager Configuration Service;c:\program files\AccessManager\Client\AMBroker.exe [11/3/2004 8:45 AM 77824]
S3 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [12/19/2006 2:21 PM 79432]
S3 Chart FX 7.0 PSS Service;Chart FX 7.0 PSS Service;c:\program files\Chart FX 7\PSS\ChartFX.PSS.Service.exe [12/3/2007 3:58 PM 83248]
S3 cmvad;Linksys Wireless-G Music Bridge Interface;c:\windows\system32\drivers\cmudaxv.sys --> c:\windows\system32\drivers\cmudaxv.sys [?]
S3 Intel Remote Control Helper;Intel Remote Control Helper;c:\windows\system32\drivers\rch.sys [2/5/2007 9:49 AM 49972]
S3 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 6:45 AM 13088]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [7/17/2007 9:30 PM 155184]
S3 ReportServer$SQL08DEV;SQL Server Reporting Services (SQL08DEV);c:\program files\Microsoft SQL Server\MSRS10.SQL08DEV\Reporting Services\ReportServer\bin\ReportingServicesService.exe [3/30/2009 2:16 AM 1113448]
S3 sp_spi_da;Visual Insight Dial Analysis;c:\program files\AccessManager\SMOC\spi_da.exe [10/15/2004 4:40 PM 81920]
S3 SQLAgent$SQL08DEV;SQL Server Agent (SQL08DEV);c:\program files\Microsoft SQL Server\MSSQL10.SQL08DEV\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 3:23 AM 366936]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\program files\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [9/4/2007 5:53 PM 55664]
S4 MSSQLFDLauncher$SQL08DEV;SQL Full-text Filter Daemon Launcher (SQL08DEV);c:\program files\Microsoft SQL Server\MSSQL10.SQL08DEV\MSSQL\Binn\fdlauncher.exe [7/10/2008 1:15 AM 31256]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 2:49 AM 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 3:09 AM 239336]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - PODMENA
*NewlyCreated* - PODMENADRV
*Deregistered* - uphcleanhlp
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
podmena REG_MULTI_SZ podmena
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 19:34]
2009-06-11 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\u5935056\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:34]
2007-07-24 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 20:56]
2009-06-10 c:\windows\Tasks\Remove Chart FX Temp files daily.job
- c:\program files\Chart FX 7\Util\SfxRemove.exe [1998-11-06 21:16]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-NVHotkey - rundll32.exex nvHotkey.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://my.thomson.com/
uInternet Settings,ProxyOverride = *.local
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: reachingourpeople.com\www
Trusted Zone: patchlink02
DPF: iLO 2 Remote Console Applet - hxxps://10.232.86.118/dvc.cab
DPF: iLO Remote Console Applet - hxxps://10.232.67.145/dvc.cab
FF - ProfilePath -
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-10 22:37
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1860)
c:\windows\system32\cahooknt.dll
- - - - - - - > 'lsass.exe'(1920)
c:\windows\system32\cahooknt.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-06-11 22:39
ComboFix-quarantined-files.txt 2009-06-11 05:39
Pre-Run: 396,684,947,456 bytes free
Post-Run: 396,662,202,368 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
303 --- E O F --- 2009-03-10 00:49
============================================================