Possibly infected with a keylogger

Welcome. Thank you for using Dell Community Forums.
I am reviewing your log.
In the meantime, you can help me by doing the following:

* Have you have posted this issue on another forum? If so, please provide a link to the topic.

* If you are using any cracked software, please remove it.
Definition of cracked software:
http://en.wikipedia.org/wiki/Software_cracking

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. That includes torrents.
The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. If you have music files in those programs' folders that you want to save, please move those music files to another directory.
A list of P2P's is here: http://www.castlecops.com/t204179-P2P_programs_we_ask_that_you_remove_first.html


* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures.
Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using.

* During the course of our cleanup please do not do any online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case.
Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

* I see AVG and Trend Micro Internet Security running. Which ONE are you using for anti-virus protection?

 

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a HijackThis log at the top of this board to start a new forum topic.

A little background info: The reason I think a keylogger might be on my pc is because I visited a website that has been known to have scripts with keyloggers. I am currently using firefox browser with noscript enabled with iframes disabled.

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

 

No I have not fixed the entries.

* I see AVG and Trend Micro Internet Security running. Which ONE are you using for anti-virus protection?

 

I use both. 

I suggest that you remove one of those anti-virus applications. (AVG may be easier to remove than Trend Micro Internet Security because TIS has more components.)

Running more than one anti-virus program can make you less secure. With more than one anti-virus program on the same computer, there is a chance for conflicts if a virus gets on the machine. Each of the anti-virus programs wants to "control" the situation and in some cases, the task of removing the virus does not get done at all.
You will also experience slowdown as each is trying to run in realtime, and you run the risk of data loss from a system crash that the instability can cause.
A better option would be to install one good anti-virus, keep it current, and use it as designed.
If a second opinion is needed, use one of the online virus scanners.

Following that,
Please download Malwarebytes' Anti-Malware from Here or Here

• Make sure you are connected to the Internet.
• Double-click on Download_mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
• Update Malwarebytes' Anti-Malware
• Launch Malwarebytes' Anti-Malware

• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. :(see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.
• Please include a fresh HijackThis log as well.
  Notes:
  
  **If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll
  
  **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
  

Malwarebytes' Anti-Malware 1.18
Database version: 898

12:32:13 PM 6/28/2008
mbam-log-6-28-2008 (12-32-12).txt

Scan type: Quick Scan
Objects scanned: 39948
Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

 

---------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:59 PM, on 6/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\DOCUME~1\Brian\LOCALS~1\Temp\clclean.0001
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1212454256343
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D488F2C-BCB3-4366-8336-AEE71C360E00}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{0D488F2C-BCB3-4366-8336-AEE71C360E00}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{0D488F2C-BCB3-4366-8336-AEE71C360E00}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: dlcc_device -   - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9095 bytes

Nothing showing there. Let's try this online scan: F-Secure Online Scanner
The online scanner is on the bottom right of the page.
Direct link: http://support.f-secure.com/enu/home/ols.shtml

Follow the directions on the F-Secure page for proper Installation.

* You may receive an alert on the address bar at this point to install the ActiveX control.
* Click on that alert and then click " Install ActiveX component".
* Read the license agreement and click " Accept".
* Click " Custom Scan" and be sure the following are checked:

• Scan whole System
• 
  
• Scan all files
• Scan whole system for rootkits
• Scan whole system for spyware
• Scan inside archives
• Use advanced heuristics

* When the scan completes, click the " I want to decide item by item" button.
* For each item found, Select " Disinfect" and click " Next".

* When done, click the " Show Report" button, then copy and paste the entire report into your next reply.

Scanning Report Saturday, June 28, 2008 15:02:14 - 18:30:31

Computer name: D7RN9Q91
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\

---

Result: 1 malware found Tracking Cookie (spyware)

• System

---

StatisticsScanned:

• Files: 198618
• System: 3530
• Not scanned: 135

Actions:

• Disinfected: 0
• Renamed: 0
• Deleted: 0
• None: 1
• Submitted: 0

Files not scanned:

• xH��H

---

OptionsScanning engines:

• F-Secure USS: 2.30.0
• F-Secure Hydra: 2.8.8110, 2008-06-28
• F-Secure AVP: 7.0.171, 2008-06-27
• F-Secure Pegasus: 1.20.0, 2008-04-14
• F-Secure Blacklight: 1.0.68

Scanning options:

• Scan all files
• Scan inside archives
• Use Advanced heuristics

---

Copyright © 1998-2007 Product support | Send virus sample to F-Secure F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

That one found only one tracking cookie. I think you are in good shape.

You do have one entry that can be fixed with HijackThis. You will need to disable Teatimer first, though, so it does not interfere.
Right click the running icon of Spybot's TeaTimer, and choose Exit SpyBot S&D - Resident'.

Run HijackThis and place a checkmark next to this one:

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Close all other windows and click "Fix Checked". Close HJT and reboot.

You have Viewpoint installed. Viewpoint developed a behavioral targeting product in 2006. Viewpoint is associated with a program called viewmgr.exe and the ViewPoint Media Player.
Viewpoint is bundled with AOL, AOL Instant Messenger, Adobe Atmosphere, Netscape 7, etc and sometimes not mentioned in the license agreement. Hardware manufacturers pre-install some of these applications.
ViewPoint Toolbar will redirect your search queries and also transmits non personally identifiable information back to their servers. The Viewpoint Toolbar is listed is also classified as a threat in the CounterSpy Threat Library because it hijacks your search queries and also transmits non personally identifiable information back to their servers.
Viewpoint Manager is a media player often bundled with AIM software. Viewpoint Manager is a useless add on.

Because Viewpoint's software will track your web surfing and tailor advertisements based on the web pages you are visiting, I suggest you remove the program.
** Note: Removing Viewpoint Media Player may cause the program that bundled it to not function as intended. For AOL and AIM it is needed to use their 3D icons known as Super Buddies and for customized themes, etc.
If you wish to remove Viewpoint, end process on ViewManager in Task Manager.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint
• Viewpoint Manager
• Viewpoint Media Player
• Viewpoint Toolbar
• Viewpoint Experience Technology

Then remove the Viewpoint folder in your Program Files.


Here is my standard list of simple steps that you can take to reduce the chance of infection in the future.
If you have installed Malwarebytes' Anti-Malware as part of your cleaning procedures, keep it updated and use it to scan every so often for malware, or upgrade to the paid version for realtime scanning and auto updating.

These suggestions are general prevention and are not customized for your computer. You may have already taken some of these steps, and depending on your current security, you may not need to implement all of these:

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp

2. Please use a firewall and realtime anti-virus. Keep the anti-virus software and firewall software up to date.
Note: Zone Alarm Firewall (by Checkpoint) has a free version http://www.zonelabs.com/store/content/company/products/trial_zaFamily/trial_zaFamily.jsp?lid=home_freedownloads

3. You might consider installing Mozilla / Firefox.
http://www.mozilla.org/

4. Do not use file sharing. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple. File sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. That is because the files you are downloading may actually contain a disguised threat. Many very malicious worms and trojans, such as the Storm Worm, target and spread across P2P files sharing networks because of their known
vulnerabilities.

5. Before using or purchasing any Spyware/Malware protection/removal program, always check the following Rogue/Suspect Spyware Lists.
http://www.spywarewarrior.com/rogue_anti-spyware.htm
http://www.malwarebytes.org/database.php

6. If you have not already done so, you might want to install CCleaner and run it in each user's profile: http://www.ccleaner.com/
** UNcheck the option to install the Yahoo toolbar that is checked by default for the Standard version, or download the toolbar-free versions (Slim or Basic) when given the option for those.

7. Practice Safe Surfing with with TrendProtect by Trend Micro. This is not compatible with Firefox 3.0 yet.
TrendProtect is a browser plugin that assigns a safety rating to domains listed in your search engine. TrendProtect also adds a new button to your browser's toolbar area. The icon and color of the button changes to indicate whether the page currently open is safe, unsafe, trusted, or unrated, or whether it contains unwanted content.

The following color codes are used by TrendProtect to indicate the safety of each site.

Red for Warning
Yellow for Use Caution
Green for Safe
Grey for Unknown

8. You might consider installing SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
It will:
Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
Block spyware/tracking cookies in Internet Explorer and Mozilla Firefox.
Restrict the actions of potentially unwanted sites in Internet Explorer.
Tutorial here: http://www.bleepingcomputer.com/forums/tutorial49.html
Periodically check for updates.

9. Here are some helpful articles:
"How did I get infected?"
http://www.bleepingcomputer.com/forums/topic2520.html

"I'm not pulling your leg, honest"
by Sandi Hardmeier
http://www.microsoft.com/windows/IE/community/columns/pulling.mspx

Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!

Thank you, you've been lots of help.

You are most welcome. We're always glad to help.

Keyloggers usually show up in those logs, and we've scanned for rootkits as well, so it appears that you avoided infection.

Spybot may have removed that if a Spybot scan found it.

CCleaner would not have removed it unless it was in a temp folder, but if so, it's gone.

I do not recommend registry cleaners. I do not know what Eusing Free Registry Cleaner may have changed if you ran it.

The scans that we ran did not find anything. If you want to keep looking give SilentRunners a try:
RIGHT-CLICK HERE >Save Link As to download Silent Runners.

• Save it to the desktop.
• 
  
• Run Silent Runners by doubleclicking the "Silent Runners" on the icon on your desktop.
• You will receive a prompt:
  • Do you want to skip supplementary searches?click NO
• You will see a text file appear on the desktop -. Another message box will appear saying: "Silent Runners has started It's not done, let it run (It won't appear to be doing anything!)
• Once you receive the prompt All Done! The results are in a file that the tool has created You will find it in the same directory as the script or on your desktop. The log is named "Startup Programs (ComputerName) date/timestamp.txt".
• Open the text file that the tool has created .
• If you want me to check the log, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.** Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.

It says it exceeds 20,000 chars, so I will divide it up:

 

"Silent Runners.vbs", revision 58, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"SetDefaultMIDI" = "MIDIDef.exe" ["Creative Technology Ltd"]
"Creative Detector" = ""C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R" ["Creative Technology Ltd"]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]
"updateMgr" = "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0" ["Adobe Systems Incorporated"]
"Aim6" = "A[*[ (unwritable string)" [file not found]
"!1_ProcessGuard_Startup" = ""C:\Program Files\ProcessGuard\procguard.exe" -minimize" ["DiamondCS"]
"SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ehTray" = "C:\WINDOWS\ehome\ehtray.exe" [MS]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"SigmatelSysTrayApp" = "stsystra.exe" ["SigmaTel, Inc."]
"IAAnotif" = "C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" ["Intel Corporation"]
"CTSysVol" = "C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r" ["Creative Technology Ltd"]
"ISUSPM Startup" = ""C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup" ["InstallShield Software Corporation"]
"ISUSScheduler" = ""C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start" ["InstallShield Software Corporation"]
"DLA" = "C:\WINDOWS\System32\DLA\DLACTRLW.EXE" ["Sonic Solutions"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit" [MS]
"AVG8_TRAY" = "C:\PROGRA~1\AVG\AVG8\avgtray.exe" ["AVG Technologies CZ, s.r.o."]
"DLCCCATS" = "rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16" [MS]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"MBMon" = "Rundll32 CTMBHA.DLL,MBMon" [MS]
"DMXLauncher" = "C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [null data]
"!1_pgaccount" = ""C:\Program Files\ProcessGuard\pgaccount.exe"" ["DiamondCS"]
"ZoneAlarm Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AVG Safe Search"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgssie.dll" ["AVG Technologies CZ, s.r.o."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5CA3D70E-1895-11CF-8E15-001234567890}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "SSVHelper Class"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
{A057A204-BACC-4D26-9990-79A187E2698E}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["AVG, Technologies CZ, s.r.o                  "]
{CA6319C0-31B7-401E-A518-A07C3DB8F777}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "CBrowserHelperObject Object"
                   \InProcServer32\(Default) = "c:\Program Files\BAE\BAE.dll" ["Dell Inc."]
{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}\(Default) = "ZoneAlarm Spy Blocker BHO"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker BHO"
                   \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
  -> {HKLM...CLSID} = "DriveLetterAccess"
                   \InProcServer32\(Default) = "C:\WINDOWS\System32\DLA\DLASHX_W.DLL" ["Sonic Solutions"]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
  -> {HKLM...CLSID} = "DesktopContext Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
  -> {HKLM...CLSID} = "NVIDIA CPL Extension"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
  -> {HKLM...CLSID} = "Desktop Explorer"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
  -> {HKLM...CLSID} = "nView Desktop Context Menu"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG8 Shell Extension"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" = "UnlockerShellExtension"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
"{D9872D13-7651-4471-9EEE-F0A00218BEBB}" = "Multiscan"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
< > "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}" = (no title provided)
  -> {HKLM...CLSID} = "SABShellExecuteHook Class"
                   \InProcServer32\(Default) = "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" ["SuperAdBlocker.com"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
< > "BootExecute" = "autocheck autochk *"|"lsdelete" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
< > !SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]
< > dimsntfy\DLLName = "C:\WINDOWS\System32\dimsntfy.dll" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
AVG8 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
  -> {HKLM...CLSID} = "AVG8 Shell Extension Class"
                   \InProcServer32\(Default) = "C:\Program Files\AVG\AVG8\avgse.dll" ["AVG Technologies CZ, s.r.o."]
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]
ZLAVShExt\(Default) = "{D9872D13-7651-4471-9EEE-F0A00218BEBB}"
  -> {HKLM...CLSID} = "ZLAVShExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Zone Labs\ZoneAlarm\zlavscan.dll" ["Zone Labs, LLC"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
MBAMShlExt\(Default) = "{57CE581A-0CB6-4266-9CA0-19364C90A0B3}"
  -> {HKLM...CLSID} = "MBAMShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll" ["Malwarebytes"]
UnlockerShellExtension\(Default) = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"
  -> {HKLM...CLSID} = "UnlockerShellExtension"
                   \InProcServer32\(Default) = "C:\Program Files\Unlocker\UnlockerCOM.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}

"InstallVisualStyle" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
{unrecognized setting}

"InstallTheme" = (REG_EXPAND_SZ) C:\WINDOWS\Resources\Themes\Royale.theme
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Brian\Application Data\Mozilla\Firefox\Desktop Background.bmp"

Btw, if I had run some apps such as Spybot search and destroy, CCleaner, Eusing Free Registry Cleaner, etc. before I created the log on HijackThis, could that have changed our results searching for the keylogger? Meaning could that have somehow hindered us from finding the keylogger?

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

Corel Photo Album 6HandleCDBurningOnArrival\
"Provider" = "Corel Photo Album 6"
"InvokeProgID" = "CorelPhotoAlbumFolder"
"InvokeVerb" = "BurnCD"
HKLM\SOFTWARE\Classes\CorelPhotoAlbumFolder\shell\BurnCD\command\(Default) = "C:\PROGRA~1\Corel\CORELP~1\PHOTOA~1.EXE -burncdlaunch" ["Corel, Inc."]

Corel Photo Album 6ShowPicturesOnArrivalHandler\
"Provider" = "Corel Photo Album 6"
"InvokeProgID" = "CorelPhotoAlbumFolder"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CorelPhotoAlbumFolder\shell\open\command\(Default) = "C:\PROGRA~1\Corel\CORELP~1\PHOTOA~1.EXE "%1"" ["Corel, Inc."]

CTPlayAudioOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

CTPlayMusicFilesOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.MusicFilesPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.MusicFilesPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /Organizer" ["Creative Technology Ltd"]

DMXPlayDVD\
"Provider" = "Dell CinePlayer"
"InvokeProgID" = "DMX.PLAYDVD"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\DMX.PLAYDVD\shell\Play\Command\(Default) = "C:\Program Files\Dell\Media Experience\DMX.exe DVD "Play %1"" [null data]

EHomeMusicDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeMusicDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeMusicDropTarget\shell\play\DropTarget\CLSID = "{ED87EFF3-FF22-404E-B2BD-BC3841BDCB2C}"
  -> {HKLM...CLSID} = "EHomeMusicDropTarget Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomePhotosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomePhotosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomePhotosHandler\shell\play\DropTarget\CLSID = "{4b7601c1-d292-4902-89f4-583a5ce0c535}"
  -> {HKLM...CLSID} = "EHomePhotosHandler Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideoDropTarget\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideoDropTarget"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideoDropTarget\shell\play\DropTarget\CLSID = "{A48E70A4-8E15-4465-9D85-CCE9E63F8AAB}"
  -> {HKLM...CLSID} = "EHomeVideoDropTarget Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

EHomeVideosHandler\
"Provider" = "Media Center"
"InvokeProgID" = "EHomeDropTarget.EHomeVideosHandler"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\EHomeDropTarget.EHomeVideosHandler\shell\play\DropTarget\CLSID = "{4f61ec50-acef-4ae7-b4c6-b19bddc0f745}"
  -> {HKLM...CLSID} = "EHomeVideosHandler Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\eHome\ehdrop.dll" [MS]

MSWPDShellNamespaceHandler\
"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"
"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"
"InitCmdLine" = " "
  -> {HKLM...CLSID} = "WPDShextAutoplay"
                   \LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

Paint Shop Pro XShowPicturesOnArrivalHandler\
"Provider" = "Corel Paint Shop Pro X"
"InvokeProgID" = "PaintShopProX.Image"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\PaintShopProX.Image\shell\open\command\(Default) = "C:\PROGRA~1\Corel\CORELP~2\PAINTS~1.EXE "%1" ["Corel, Inc."]

SonicSCAudioCDTask\
"Provider" = "Roxio RecordNow Audio"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "AudioCDTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\AudioCDTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {EBD22732-1CC3-4CD7-9A45-B8D98DA0E784}" [null data]

SonicSCCopyCD\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCCopyDisc\
"Provider" = "Roxio RecordNow Copy"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "ExactCopyJob"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\ExactCopyJob\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {49B235A3-1C3E-4802-9B5C-BAFBE69A3C85}" [null data]

SonicSCDataProject\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataGuide"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataGuide\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch Data" [null data]

SonicSCDataTask\
"Provider" = "Roxio RecordNow Data"
"InvokeProgID" = "Sonic.SonicCentral"
"InvokeVerb" = "DataTask"
HKLM\SOFTWARE\Classes\Sonic.SonicCentral\shell\DataTask\Command\(Default) = ""C:\Program Files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe" /Launch {0BAC5C34-DF45-4C0F-8D64-8E92DCCF007D}" [null data]

SonicVideoCameraArrival\
"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "new"
HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
  -> {HKLM...CLSID} = "MyDVDAPHandler Class"
                   \LocalServer32\(Default) = "C:\PROGRA~1\Roxio\MyDVD\MyDVD.EXE -autoplay" ["Sonic Solutions"]

SonicVideoCameraArrivalDirect\
"Provider" = "Sonic Solutions"
"ProgID" = "MyDVD.MyDVDAPHandler"
"InitCmdLine" = "direct"
HKLM\SOFTWARE\Classes\MyDVD.MyDVDAPHandler\CLSID\(Default) = "{3D5EF619-F606-4FAA-97C0-222B7DCA05EC}"
  -> {HKLM...CLSID} = "MyDVDAPHandler Class"
                   \LocalServer32\(Default) = "C:\PROGRA~1\Roxio\MyDVD\MyDVD.EXE -autoplay" ["Sonic Solutions"]


Startup items in "Brian" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"Digital Line Detect" -> shortcut to: "C:\Program Files\Digital Line Detect\DLG.exe" ["BVRP Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{A057A204-BACC-4D26-9990-79A187E2698E}"
  -> {HKLM...CLSID} = "AVG Security Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["AVG, Technologies CZ, s.r.o                  "]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
                   \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{A057A204-BACC-4D26-9990-79A187E2698E}" = (no title provided)
  -> {HKLM...CLSID} = "AVG Security Toolbar"
                   \InProcServer32\(Default) = "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" ["AVG, Technologies CZ, s.r.o                  "]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" = (no title provided)
  -> {HKLM...CLSID} = "ZoneAlarm Spy Blocker"
                   \InProcServer32\(Default) = "C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL" ["ZoneAlarm"]

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{916C1EF1-CA89-4F1B-AFDA-3CA85BD0F831}\(Default) = "ZoneAlarm PopBlocker"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC}"
  -> {HKCU...CLSID} = "Java Plug-in 1.6.0_05"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll" ["Sun Microsystems, Inc."]
  -> {HKLM...CLSID} = "Java Plug-in 1.6.0_05"
                   \InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll" ["Sun Microsystems, Inc."]

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\
"MenuText" = "Spybot - Search & Destroy Configuration"
"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"
  -> {HKLM...CLSID} = "Spybot-S&D IE Protection"
                   \InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG8 E-mail Scanner, avg8emc, "C:\PROGRA~1\AVG\AVG8\avgemc.exe" ["AVG Technologies CZ, s.r.o."]
AVG8 WatchDog, avg8wd, "C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe" ["AVG Technologies CZ, s.r.o."]
Creative Labs Licensing Service, Creative Labs Licensing Service, ""C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe"" ["Creative Labs"]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.exe" ["Creative Technology Ltd"]
DiamondCS Process Guard Service v3.000, DCSPGSRV, ""C:\Program Files\ProcessGuard\dcsuserprot.exe"" ["DiamondCS"]
dlcc_device, dlcc_device, "C:\WINDOWS\system32\dlcccoms.exe -service" [" "]
Intel(R) Matrix Storage Event Monitor, IAANTMon, "C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe" ["Intel Corporation"]
Lavasoft Ad-Aware Service, aawservice, ""C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe"" ["Lavasoft"]
Media Center Extender Service, McrdSvc, "C:\WINDOWS\ehome\mcrdsvc.exe" [MS]
Media Center Receiver Service, ehRecvr, "C:\WINDOWS\eHome\ehRecvr.exe" [MS]
Media Center Scheduler Service, ehSched, "C:\WINDOWS\eHome\ehSched.exe" [MS]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\system32\nvsvc32.exe" ["NVIDIA Corporation"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


Keyboard Driver Filters:
------------------------

HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = < > "ELkbd" ["Intel Corporation"]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Dell 924 Port\Driver = "dlcclmpm.DLL" [" "]
Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]


---------- (launch time: 2008-06-29 15:34:09)
< >: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
  took 122 seconds.
---------- (total run time: 197 seconds)

I do not see a keylogger in there.

Thanks again, now I can rest a bit easy :)