Thread: Need help getting Malware/Virus off

  1. #1
    Join Date
    Nov 2007
    Posts
    11
    I was able to run the Killbox program in Safe mode. When I got to removing the startdrv.exe program, I got a response of "PendingFileRenameOperations Registry Data has been Removed by external Process" and the system did not reboot automatically. I rebooted back into normal mode and the program was gone, but the internet connection was slow and dropping. When I rebooted back into SafeMode w/ Networking, I looked to see if the program was still gone, and it had come back! I then ran the Kaspersky scan while in SafeMode. I then tried to boot back into Normal mode. I was able to get a consistent connection, so I again ran the Kaspersky scan. I then ran a Deckard scan. I have posted all logs below.
    While I had access to another computer, I tried to look up some stuff on this startdrv. It looks like it is some kind of rootkit. Any advice you can give will help. Thanks.
    Attached Files

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Please download F-Secure Blacklight (fsbl.exe) and save to your C:\ drive.
    Open a command window by going to Start > Run and typing: cmd
    Copy/paste or type the following in the command window: C:\fsbl.exe /expert
    Hit "Enter" to start the program and then close the cmd box.
    Accept the user agreement and click "Next".
    Click "Scan".
    After the scan is complete, click "Next", then "Exit".
    BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
    Exit Blacklight and post the contents of the log in your next reply.

    After you finish with BlackLight and have the log to post, then follow these directions: Note: It appears that ComboFix difficulties have been repaired so do this next;
    Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop. (I just tested this and I used the second link)
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

    Post the log from Blacklight, the log from combofix and a new HJT log.

  3. #3
    Join Date
    Nov 2007
    Posts
    11
    I have run the three scans. It now looks like the computer is running better. However, it still looks like there is something running in the background. I know that this rootkit is hard to get off. I have posted the three scans below. Thanks for looking!
    Attached Files

  4. #4
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    BlackLight has found at least one hidden rootkit though it is possible there are/were two.
    11/27/07 22:44:43 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DRIVERS\runtime2.sys
    11/27/07 22:44:43 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DRIVERS\runtime2.sy_

    Now it looks as though combofix has removed at least one of these...
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    C:\WINDOWS\system32\drivers\runtime2.sys

    What I would like you to do is run BlackLight again to make sure that item is gone and see if the other listings remain. Let's not worry about those 2 hidden C:\Program Files\Internet Explorer\iexplore.exe and
    Hidden process: C:\Program Files\Internet Explorer\IEXPLORE.EXE for the moment.
    Post the log here.
    I also would like to see a new Kaspersky scan too.
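The cross-check the helper does by hand in this post (which hidden files from the BlackLight log show up under ComboFix's "Other Deletions", and which do not) can be scripted. The following is an added example, not a tool used in this thread or by either scanner's vendor. It assumes the BlackLight line format and the ComboFix banner format shown in the quoted log lines above; the sample logs inside it are constructed to match those lines, with timestamps and the extra "Scan complete" line being assumptions.

```python
"""Cross-check a BlackLight log against a ComboFix log.

Added example; not a tool from the thread. The BlackLight line format
("MM/DD/YY HH:MM:SS [Info]: Hidden file: <path>") and the ComboFix
"Other Deletions" banner are taken from the lines quoted in the thread;
everything else in the sample logs below is constructed.
"""
import re
from pathlib import PureWindowsPath

# One BlackLight entry: timestamp, "[Info]:", then "Hidden file:" or "Hidden process:".
BLACKLIGHT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[Info\]: "
    r"Hidden (?P<kind>file|process): (?P<path>.+?)\s*$"
)

# A ComboFix section banner: a run of "(" , a title, a run of ")".
COMBOFIX_BANNER_RE = re.compile(r"^\(+\s*(?P<title>.*?)\s*\)+\s*$")

# Constructed sample, modelled on the hidden-file and hidden-process entries
# quoted in the thread (the second timestamp and "Scan complete" are assumed).
BLACKLIGHT_LOG = """\
11/27/07 22:44:43 [Info]: Hidden file: c:\\WINDOWS\\SYSTEM32\\DRIVERS\\runtime2.sys
11/27/07 22:44:43 [Info]: Hidden file: c:\\WINDOWS\\SYSTEM32\\DRIVERS\\runtime2.sy_
11/27/07 22:44:44 [Info]: Hidden process: C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
11/27/07 22:44:45 [Info]: Scan complete
"""

# Constructed sample ComboFix excerpt; only the "Other Deletions" banner and the
# runtime2.sys path are from the thread, the second banner is assumed.
COMBOFIX_LOG = """\
(((((((((((((((((((((((((((((((((((((((  Other Deletions  )))))))))))))))))))))))))))))))))))))))))))))))))

C:\\WINDOWS\\system32\\drivers\\runtime2.sys

(((((((((((((((((((((((((((((((((((((((  Drivers/Services  )))))))))))))))))))))))))))))))))))))))))))))))))
"""


def parse_blacklight(text):
    """Return {"file": [...], "process": [...]} for every Hidden entry."""
    found = {"file": [], "process": []}
    for line in text.splitlines():
        m = BLACKLIGHT_RE.match(line)
        if m:
            found[m.group("kind")].append(m.group("path"))
    return found


def parse_combofix_section(text, title):
    """Return the non-empty lines under the banner `title`, up to the next banner."""
    items, inside = [], False
    for line in text.splitlines():
        m = COMBOFIX_BANNER_RE.match(line)
        if m:
            inside = m.group("title").lower() == title.lower()
            continue
        if inside and line.strip():
            items.append(line.strip())
    return items


def normalize(path):
    """Windows paths are case-insensitive; compare them in one canonical form."""
    return str(PureWindowsPath(path)).lower()


def cross_check(blacklight_text, combofix_text):
    """Split BlackLight's hidden files into those ComboFix deleted and those still unaccounted for."""
    hidden = parse_blacklight(blacklight_text)
    deleted = {normalize(p) for p in parse_combofix_section(combofix_text, "Other Deletions")}
    return {
        "removed": [p for p in hidden["file"] if normalize(p) in deleted],
        "remaining": [p for p in hidden["file"] if normalize(p) not in deleted],
        "hidden_processes": hidden["process"],
    }


if __name__ == "__main__":
    result = cross_check(BLACKLIGHT_LOG, COMBOFIX_LOG)
    for key, paths in result.items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
```

Run against the constructed samples it reports runtime2.sys as removed and runtime2.sy_ as still unaccounted for, which is exactly why the helper asks for a second BlackLight run: a hidden file the cleanup did not list should be re-scanned for, not assumed gone. Hidden processes are listed separately because ComboFix's deletions section only names files.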

  5. #5
    Join Date
    Nov 2007
    Posts
    11
    I have run the Blacklight program. It returned no viruses. When I reran the Kaspersky scan, a few things came up. I have posted both log files. Thanks.
    Attached Files

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Still some tough ones showing....
    First of all look for C:\qoobox\
    Delete that one, it is Quarantine for ComboFix. Some items showing on the Kaspersky scan are located there, you don't need that, get rid of it.

    Now I would like you to run the ComboFix program again and post that log.

  7. #7
    Join Date
    Nov 2007
    Posts
    11
    I ran the ComboFix again. Here is the log file.
    Attached Files
