OK- let's start with this:

1. Have HJT fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://clearsurfing.net/srch.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://F:\WINDOWS\System32\qwsxp.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {E5D2AE1E-6B15-40B6-95F8-81898FD654D5} - F:\WINDOWS\System32\qwsxp.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://69.50.166.214/counter/new/x.chm::/update.exe
O18 - Filter: text/html - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò"DÆR - {A1A8A07C-CE32-4791-BA1C-2EC5D55CB86F} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò�TÆR - {492F22A1-A110-4271-9440-ABDF7A82C581} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�òžEÆR - {F80D4AD0-2F16-4214-B9A6-352A9843D75B} - F:\WINDOWS\System32\qwsxp.dll
O18 - Filter: tœ†5�ò‰EÆR - {11A778CB-7F40-48E7-9223-8B8BE3D4C45C} - F:\WINDOWS\System32\qwsxp.dll


2. Verify that the following IP address is a valid address for your ISP's DNS server. If it isn't, remove it from the DNS server list in your network card's TCP/IP properties:

69.50.188.180


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the following file (and let us know if you are you are unable to locate it):
F:\WINDOWS\System32\qwsxp.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


4. Go to the following two sites and run their free online anti-virus/anti-spyware scans. Let us know the results.

http://www.pandasoftware.com/actives..._principal.htm
http://housecall.trendmicro.com/


5. Run HJT again and post a fresh log.