
Inactive [InActive] google links redirected, anti-spam sites blocked

Discussion in 'Malware and Virus Removal Archive' started by avariant, 2009/01/13.

  1. 2009/01/13
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    I have an infection I can't get rid of. It began yesterday (1/12).
    It began with google search (firefox 3.0.5) results being redirected to ad sites. Also, many links to anti-virus sites were blocked.
    I searched online and found reference to a script virus causing the redirect. I searched for any suggested files but found none. I disabled scripting and the google search results are no longer being redirected, but anti-virus sites are still being blocked.

    I searched for host files that might be redirecting these sites, but the only ones I found were clean.

    I have McAfee with On-access scanner enabled all the time. I ran a full system scan, and it found nothing. At least four times in the past day, I have received messages about "buffer overrun blocked" by the overrun protection. The application involved was explorer.exe:VirtualProtectionEx and it referenced bo:heap. I don't know what any of that means.

    I downloaded spybot and ran it against the C:\Windows. It found nothing. I'm running it against other directories right now.
    I checked the registry, and looked at the "Run ", "RunOnce" keys under HKLM HKCU, but there are no odd entries that I can see.
    I checked the Programs->Startup directories, nothing odd there.

    I haven't installed any questionable software lately.

    I ran RSIT and Hijack This. The logs are below.

    Thanks for the help. This one is just kicking my butt.

    [EDIT]
    I ran avenger.exe and it found a "hidden" driver. After clearing that, combo fix and malware are running. I'll update with a log when they are done.
     
    Last edited: 2009/01/13
  2. 2009/01/13
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    RSIT Log.txt

    [deleted]
     
    Last edited: 2009/01/13


  4. 2009/01/13
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    [deleted]
     
    Last edited: 2009/01/13
  5. 2009/01/13
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    dds.scr

    [Deleted]
     
    Last edited: 2009/01/13
  6. 2009/01/13
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    Hijack This log

    So, sorry for deleting all the previous posts, they weren't really relevant in the end.

    Things are good now, but I'll mention what I went through, in case it helps others.

    After the above description of events...
    I downloaded RSIT and attempted to run it. It crashed. I rebooted in safe mode and ran it (which ran without hijack this) and produced the log files.
    I downloaded ComboFix. It would not run in normal or safe mode.
    I downloaded mbam. It would not run in normal or safe mode.
    I downloaded Spybot. It would only partially run in normal or safe mode.
    I downloaded HiJackThis and was able to run it in normal mode and produced the log files.
    I downloaded dds.scr and ran it in safe mode. I noticed in the log a reference to twex.exe which a search appeared to indicate was malware. However, I wasn't able to delete the file, and attempts to modify the registry entry (HKLM\Software\Microsoft\Windows NT\Current Version\Winlogon\UserInit) resulted in the string being reappended every time I removed, even if in safe mode.
    I downloaded avenger and ran it in normal mode. It located and removed what it called a "hidden driver ".

    After that was removed, I was able to run RSIT, and mbam. mbam located a small handful of problems and deleted them. However, one of the entries (HKLM\Software\Microsoft\Windows NT\Current Version\Network\UID) kept reappearing after each time mbam deleted it. Also, twex.exe was never detected by mbam nor was its registry entry.
    Any attempts to update mbam crashed. Additionally, some other auto-updaters were crashing.
    I rebooted in safe mode to attempt to delete twex.exe. On a whim (and arguably not suggestible), I started killing off svchost.exe instances in the TaskManager, attempting to delete the twex registry key each time. Eventually (after 5 tries), it worked. I rebooted, deleted twex.exe, updated mbam, and ran a full scan. I know the approach is not advisable to others, so I don't suggest killing off processes like that to others.

    A huge thanks to the volunteers on the board. Even though I didn't get any direct help, the advice and tools given to others was immeasurably valuable. For my own education, if someone has a suggestion on how I could have gotten rid of twex without resorting to what I did, I would appreciate it.
     
    Last edited: 2009/01/13
  7. 2009/01/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should still run ComboFix and post the log. If it won't run, download a fresh copy and rename it prior to saving to the drive. Then try again.
     
  8. 2009/01/14
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    combofix log

    Good advice.

    Here it is:
    ComboFix 09-01-13.04 - chegarty 2009-01-14 8:30:29.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1420 [GMT -7:00]
    Running from: c:\program files\anti_virus\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\IE4 Error Log.txt
    c:\windows\system32\Cache

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS
    -------\Service_TDSSserv.sys


    ((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
    .

    2009-01-13 11:26 . 2009-01-13 12:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\PrevxCSI
    2009-01-13 10:45 . 2009-01-13 10:45 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-13 10:45 . 2009-01-13 10:45 <DIR> d-------- c:\documents and settings\chegarty\Application Data\Malwarebytes
    2009-01-13 10:45 . 2009-01-13 10:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-13 10:45 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-13 10:45 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-13 08:51 . 2009-01-14 08:26 <DIR> d-------- c:\program files\anti_virus
    2009-01-13 08:33 . 2009-01-14 08:36 104 --a------ c:\windows\system32\NvApps.xml
    2009-01-13 08:31 . 2009-01-14 08:36 2,148 --a------ c:\windows\system32\wpa.dbl
    2009-01-12 16:39 . 2009-01-12 16:40 <DIR> d-------- c:\program files\xvi32
    2009-01-12 10:45 . 2009-01-13 10:29 <DIR> d--hs---- c:\windows\system32\twain32
    2009-01-06 09:38 . 2009-01-06 14:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Autodesk
    2009-01-06 09:37 . 2009-01-06 09:38 <DIR> d-------- c:\program files\Common Files\Autodesk Shared
    2009-01-06 09:37 . 2009-01-06 09:37 <DIR> d-------- c:\program files\Autodesk
    2009-01-06 09:37 . 2009-01-06 09:37 <DIR> d-------- c:\documents and settings\chegarty\Application Data\Autodesk
    2009-01-06 09:33 . 2009-01-06 14:37 <DIR> d-------- c:\program files\Revit Architecture 2009
    2008-12-30 10:27 . 2008-12-30 10:51 <DIR> d-------- c:\documents and settings\chegarty\Application Data\Twilight

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-14 15:13 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-01-13 22:47 --------- d-----w c:\program files\Astaro
    2009-01-13 21:10 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-01-12 20:04 --------- d-----w c:\documents and settings\All Users\Application Data\VMware
    2009-01-12 20:00 --------- d-----w c:\documents and settings\LocalService\Application Data\VMware
    2009-01-12 18:58 --------- d-----w c:\program files\Windows Media Connect 2
    2009-01-09 19:25 --------- d-----w c:\program files\Scenario Toolbox
    2008-12-10 16:55 --------- d-----w c:\documents and settings\chegarty\Application Data\gtk-2.0
    2008-12-09 18:46 --------- d-----w c:\documents and settings\chegarty\Application Data\InterVideo
    2008-12-04 20:03 --------- d-----w c:\documents and settings\chegarty\Application Data\OpenOffice.org2
    2008-12-02 19:26 --------- d-----w c:\program files\Inno Setup 5
    2008-12-01 04:51 --------- d-----w c:\documents and settings\chegarty\Application Data\Bundysoft
    2008-11-17 15:23 --------- d-----w c:\program files\Google
    2008-08-28 14:26 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082820080829\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
    @= "{80E008A4-EAE7-4867-AEB0-1A245F070F25} "
    [HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
    2007-11-20 22:25 557056 -ra------ c:\program files\Perforce\p4exp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
    @= "{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9} "
    [HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
    2007-11-20 22:25 557056 -ra------ c:\program files\Perforce\p4exp.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
    @= "{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2} "
    [HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
    2007-11-20 22:25 557056 -ra------ c:\program files\Perforce\p4exp.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
    "msnmsgr "= "c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SDMSSplash "= "c:\program files\HP_SDMS\SDMSSplash\launcher.exe" [2006-03-10 86016]
    "SetRefresh "= "c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
    "Recguard "= "c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
    "Scheduler "= "c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
    "ShStatEXE "= "c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
    "McAfeeUpdaterUI "= "c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2005-12-07 131072]
    "Network Associates Error Reporting Service "= "c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "NcpBudget "= "c:\program files\Astaro\Astaro Secure Client\ncpbudgt.exe" [2006-12-01 228352]
    "NcpPopup "= "c:\program files\Astaro\Astaro Secure Client\ncppopup.exe" [2006-11-03 389120]
    "NcpMonitor "= "c:\program files\Astaro\Astaro Secure Client\ncpmon.exe" [2007-02-16 3449856]
    "CoolSwitch "= "c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "openvpn-gui "= "c:\program files\Astaro\Astaro SSL VPN Client\bin\openvpn-gui.exe" [2007-10-05 90112]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-07-04 c:\windows\RTHDCPL.exe]
    "nwiz "= "nwiz.exe" [2008-05-16 c:\windows\system32\nwiz.exe]

    c:\documents and settings\chegarty\Start Menu\Programs\Startup\
    Sticky Notes.lnk - c:\program files\Sticky Notes\StickyNotes.exe [2008-07-12 200704]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
    2006-06-07 12:26 40448 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
    2006-04-06 21:00 434176 c:\windows\system32\IfxWlxEN.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli AsWlnPkg

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
    @=" "

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-07-22 19:42 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    --a------ 2006-05-23 21:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    -ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "IviRegMgr "=2 (0x2)
    "iPod Service "=3 (0x3)
    "Bonjour Service "=2 (0x2)
    "Ati HotKey Poller "=2 (0x2)
    "Apple Mobile Device "=2 (0x2)
    "PCA "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\WINDOWS\\SMINST\\Scheduler.exe "=
    "c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Astaro\\Astaro Secure Client\\NCPMON.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe "=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=

    R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-01-25 58464]
    R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-04-06 31104]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-09-19 36608]
    R3 ncplentp;ASTARO Secure Client Adapter Driver;c:\windows\system32\drivers\NCPLENTP.SYS [2008-06-17 73280]
    R3 tap0901;Astaro SSL VPN Adapter;c:\windows\system32\drivers\tap0901.sys [2007-10-05 25600]
    R4 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2006-02-27 14336]
    R4 ncpclcfg;ncpclcfg;c:\program files\Astaro\Astaro Secure Client\ncpclcfg.exe [2008-06-17 77824]
    R4 ncprwsnt;ncprwsnt;c:\program files\Astaro\Astaro Secure Client\NCPRWSNT.EXE [2008-06-17 1007616]
    R4 NcpSec;NcpSec;c:\program files\Astaro\Astaro Secure Client\NCPSEC.EXE [2008-06-17 45056]
    R4 rwsrsu;RwsRsu;c:\program files\Astaro\Astaro Secure Client\RWSRSU.exe [2008-06-17 258048]
    S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ENTDRV51

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Cognizance REG_MULTI_SZ ASChannel

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fa1752-adc3-11dd-b26e-005056c00008}]
    \Shell\AutoRun\command - rcaeasyrip_setup.exe
    \Shell\install\command - rcaeasyrip_setup.exe
    \Shell\usermanualEnglish\command - "rcaeasyrip_setup.exe" /pdf_English
    \Shell\usermanualFrench\command - "rcaeasyrip_setup.exe" /pdf_French
    \Shell\usermanualSpanish\command - "rcaeasyrip_setup.exe" /pdf_Spanish
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    MSConfigStartUp-Google Update - c:\documents and settings\chegarty\Local Settings\Application Data\Google\Update\GoogleUpdate.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.hp.com
    uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
    uInternet Settings,ProxyServer = 10.10.10.1:8080
    uInternet Settings,ProxyOverride = *.local;<local>
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\chegarty\Application Data\Mozilla\Firefox\Profiles\z34izich.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.foxnews.com/
    FF - component: c:\documents and settings\chegarty\Application Data\Mozilla\Firefox\Profiles\z34izich.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-14 08:36:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1176)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
    c:\windows\system32\IfxWlxEN.dll

    - - - - - - - > 'lsass.exe'(1232)
    c:\windows\system32\EntApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Executive Software\DiskeeperLite\DKService.exe
    c:\windows\system32\IFXSPMGT.exe
    c:\windows\system32\IFXTCS.exe
    c:\windows\system32\inetsrv\inetinfo.exe
    c:\program files\Network Associates\Common Framework\FrameworkService.exe
    c:\program files\HPQ\IAM\Bin\asghost.exe
    c:\program files\Network Associates\VirusScan\Mcshield.exe
    c:\program files\Network Associates\VirusScan\VsTskMgr.exe
    c:\program files\Network Associates\Common Framework\naPrdMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
    c:\program files\Common Files\Microsoft Shared\DirectX Extensions\DXDebugService.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\scardsvr.exe
    c:\windows\system32\rundll32.exe
    c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
    c:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
    c:\program files\Windows Live\Messenger\usnsvc.exe
    c:\program files\HP\Digital Imaging\bin\hpqste08.exe
    c:\windows\system32\HPZinw12.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-14 8:42:26 - machine was rebooted [chegarty]
    ComboFix-quarantined-files.txt 2009-01-14 15:42:21

    Pre-Run: 40,266,051,584 bytes free
    Post-Run: 40,099,979,264 bytes free

    237 --- E O F --- 2008-12-18 16:40:17
     
  9. 2009/01/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Log looks good. Did you create this folder?

    c:\program files\anti_virus


    Need to remove a registry entry.
    Highlight and copy the contents of the code box below.
    Code:
    reg delete  "HKCU\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fa1752-adc3-11dd-b26e-005056c00008}" /f
    exit
    cls
    
    Click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window will close on its own.


    I recommend you now do an online scan. Do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.


    Post the Kaspersky log here.
     
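    The two persistence points this thread turns on, the Winlogon UserInit value that kept getting twex.exe re-appended (post 6) and the HKCU MountPoints2 AutoRun command that noahdfear's reg delete removes (post 9), can be audited read-only with the script below. It is an added example, not something posted in the thread or shipped with any of the tools named here; it assumes a PowerShell host with access to the affected user's HKCU hive, and it only reports, never deletes.

```powershell
# Added example (not from the thread): report-only audit of the persistence points
# discussed above. Assumes PowerShell is available and is run as the affected user
# so that HKCU: is that user's hive.

# 1. Winlogon\Userinit. The stock value is a single entry, "<SystemRoot>\system32\userinit.exe,"
#    (trailing comma included). Windows runs every comma-separated entry at logon, so a second
#    entry such as the twex.exe one from the thread is exactly what this check flags.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$entries  = $userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
foreach ($entry in $entries) {
    if ($entry -ieq $expected) { "OK      Userinit entry: $entry" }
    else                       { "SUSPECT Userinit entry: $entry" }
}
if ($entries.Count -ne 1) { "SUSPECT Userinit has $($entries.Count) entries; the default has 1" }

# 2. MountPoints2. Each subkey is a volume GUID; a Shell\AutoRun\command value under it is
#    what ComboFix listed as "\Shell\AutoRun\command - rcaeasyrip_setup.exe". List every
#    such command so it can be matched against hardware the user actually owns.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mp2 -ErrorAction SilentlyContinue | ForEach-Object {
    $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
    if (Test-Path -Path $cmdKey) {
        $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        'AUTORUN {0} -> {1}' -f $_.PSChildName, $cmd
    }
}
```

If the Userinit check reports SUSPECT and the entry comes back after deletion, that is the same watchdog behaviour described in post 6, and the hidden driver/service (Legacy_TDSSSERV.SYS in the ComboFix log) is the thing to remove first, as the thread's ComboFix run did.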
  10. 2009/01/15
    avariant

    avariant Inactive Thread Starter

    Joined:
    2009/01/13
    Messages:
    7
    Likes Received:
    0
    I did create that folder. I put a lot of the apps in it, like avenger, dds, etc.

    I think that registry entry is just relevant to my mp3 player, which has a usb application it's supposed to launch when it gets plugged in (rcaeasyrip something or other). However, since I don't use it, I don't have any problem getting rid of it. I'll post the kaspersky log as soon as I get a chance to run it.
     
