Another HJT logfile if anyone can take a look for me please!

#1 - Matt_Cowan - 02-07-2005, 06:07 PM
Another HJT logfile if anyone can take a look for me please!

Okay, not my machine this time, it's my friend's Dell machine (XP, SP1)

Having a problem with IE, after x amount of mins it opens a window to say it is going to shut the system down and we can't figure out why. Tried several formats and re-installations to no avail (quite often get a problem with certain files - some .exe and some .dll) not wanting to install

Anyway got it back online and managed to download HJT and do a scan - anything on here that's not right?

Also installed AVG and immediately it found a virus - hwclock or something which I healed. Tried to fix checked it in HJT but it's still showing.

Here's the log guys;

------------

Logfile of HijackThis v1.99.1
Scan saved at 18:07:04, on 02/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\upnpdrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Programmes and Spyware exe\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Registry Value Name] service.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [Registry Value Name] service.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B85E65F-7636-42FC-A97E-54775FEC4124}: NameServer = 194.74.65.68 194.72.9.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B85E65F-7636-42FC-A97E-54775FEC4124}: NameServer = 194.74.65.68 194.72.9.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Cheers guys!
#2 - HJThis - 02-07-2005, 09:41 PM
Re: Another HJT logfile if anyone can take a look for me please!

Hi, Matt_Cowan

The first thing I need for them to do is move HijackThis to a folder
on the C:\ drive, like so: C:\HJT

Download FindIt's.zip to your desktop.
Unzip/extract the files inside, preferably to C:\ < a new folder.
http://forums.net-integration.net/in...post&id=142443

Do not run the above file just yet

Now one of these items here that I found in the logfile is
a bad Trojan, so we have to make sure it is gone

Press Control-Alt-Delete to get into the Task Manager and end the following processes if they exist:
upnpdrv.exe
hwclock.exe


If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)

Make sure you can view hidden and system files: Instructions here

Then Boot to safe mode: Instructions here

Delete the following files\folders IF still present:
C:\WINDOWS\System32\hwclock.exe<---This file
C:\WINDOWS\System32\upnpdrv.exe<---This file

NOTE make sure they don't add any new passwords or change any at all
for now we have to make sure this thing is gone.

After doing the above, do a reboot &

Disconnect from the internet; if you use an always-on internet connection, unplug it.
Let your PC be idle for 15 minutes !!
Open the folder and run the FindIt's.bat and wait for a text to open, it will take a while, be patient, post the results please.

If you get an error similar to:
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application...etc etc'
Go here and use the appropriate fix for your system
http://www.tech-forums.net/computer/topic/29806.html

Then I need both a HijackThis & FindIt's logfiles

HGD
#3 - Matt_Cowan - 03-07-2005, 12:15 AM
Re: Another HJT logfile if anyone can take a look for me please!

Okay, thanks HJT - I will try and get over there tomorrow if I can to sort it out if poss.

I have already put HJT programme in a folder on the desktop, is this okay, or do you need it in a C: location folder (ie: C:\HiJackThis > and have it inside there)?

The FindIt programme create a new folder to download it into yes? Not the same folder as the HJT programme no?

When we installed ZoneAlarm and rebooted, we got a pop up warning from ZA about that upnpdrv.exe and I *think* I allowed it as I ran the name through Google and got nothing on it so thought nothing of it. I might have disallowed it tho, I can't quite remember....

I will report back to you here as soon as I have been able to look at the PC and do what you told me to do

Thank you again
Matt
#4 - HJThis - 03-07-2005, 12:36 AM
Re: Another HJT logfile if anyone can take a look for me please!

Hi, Matt_Cowan

I have already put HJT programme in a folder on the desktop, is this okay, or do you need it in a C: location folder (ie: C:\HiJackThis > and have it inside there)?

Well, I would like it to be in C:\HJT\HijackThis.exe


The FindIt programme create a new folder to download it into yes? Not the same folder as the HJT programme no?

Yes a new folder not in same folder as HijackThis


When we installed ZoneAlarm and rebooted, we got a pop up warning from ZA about that upnpdrv.exe and I *think* I allowed it as I ran the name through Google and got nothing on it so thought nothing of it. I might have disallowed it tho, I can't quite remember....


Please open ZA have a look in Program Control see if it is listed
if so make sure it is not using Server Rights if you can remove it

Now, if this should happen again sometime, please make a copy
of the file and put it in a zip file so that you can send it to someone to look at


& it's no problem see you when

HGD
#5 - Matt_Cowan - 03-07-2005, 04:10 PM
Re: Another HJT logfile if anyone can take a look for me please!

Right, I have gone through and done as you said to.

UPNPDRV.EXE was running in Task Manager, although HWCLOCK.EXE wasn't.....

Booted into safe mode (after enabling viewing of restricted and system files) and went to System32 to delete the two files you listed.

Oddly tho, neither were there!

I ran an internal search of all drives and neither were found. But I did find this file tho;

UPNPDRV.EXE-288C8A6C.pf - Location : C:\WINDOWS\Prefetch

Let it idle unconnected for 15mins, during which I ran the FindIt.bat you had me download. Here is the log from that;

Microsoft Windows XP [Version 5.1.2600]
The current date is: 03/07/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\SERVICE.EXE
* UPX! C:\WINDOWS\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\RMAGEN~1.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is F457-88F4

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is F457-88F4

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».

I didn't know how to read that, but the SYSTEM.EXE bit stuck out at me as SYSTEM.EXE is constantly asking for access to the internet (through the ZA alerts)

-------

And here is a HJT logfile as well.

Logfile of HijackThis v1.99.1
Scan saved at 16:02:21, on 03/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\service.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\upnpdrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Registry Value Name] service.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\RunServices: [Registry Value Name] service.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120338301687
O17 - HKLM\System\CCS\Services\Tcpip\..\{0B85E65F-7636-42FC-A97E-54775FEC4124}: NameServer = 194.74.65.68 194.72.9.34
O17 - HKLM\System\CS1\Services\Tcpip\..\{0B85E65F-7636-42FC-A97E-54775FEC4124}: NameServer = 194.74.65.68 194.72.9.34
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

-----------

Another point worth noting. UPNPDRV.EXE was found again to be running in Task Manager when I booted back into XP mode. I ended it, and it still kept reappearing. In ZA I set it to dis-allow it from accessing the internet and there was no mention of it having any server rights.

The initial problem the user had was that after x amount of minutes online a box would pop up saying it was going to shut down the system. It has since stopped doing this, but now the problem is that half the time it will not connect to other websites (ie Google.com, Hotmail.com etc) and just comes up with PAGE EXPIRED or ERROR 404 type pages, etc...

I had to post only the log files from his PC while I could, then come home and edit this post to include all the info as it was getting increasingly difficult to get on here to post it all, which makes me think it is time related. Also, if I disconnect it, then reconnect and open a new IE window I can get on some sites for a short while....

Last edited by Matt_Cowan; 03-07-2005 at 04:51 PM.
#6 - HJThis - 03-07-2005, 08:06 PM
Re: Another HJT logfile if anyone can take a look for me please!

Hi, Matt_Cowan

Hmm, this thing wants to stay

First do this here

C:\WINDOWS\Prefetch, delete all files (or at least those more than 3 weeks old), reboot.

Then do this here from Safe Mode

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Copy the text to a Notepad file and save it to your desktop! We will need the file later.

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\service.exe
C:\WINDOWS\RMAGEN~1.DLL
C:\WINDOWS\System32\System.exe
UPNPDRV.EXE
C:\WINDOWS\System32\hwclock.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Now, before you do the reboot, have a look here

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<Entry name>
System.exe<--If there delete it

Then do the reboot, let me know how it is

HGD
#7 - Matt_Cowan - 03-07-2005, 08:44 PM
Re: Another HJT logfile if anyone can take a look for me please!

Okay, will do this as soon as I can get back to the PC in question. Thanks!
#8 - HJThis - 03-07-2005, 10:03 PM
Re: Another HJT logfile if anyone can take a look for me please!

Hey, Matt_Cowan

No problem, take your time, we will be here

HGD
#9 - Matt_Cowan - 26-07-2005, 09:09 PM
Re: Another HJT logfile if anyone can take a look for me please!

Right! I finally managed to get back on the machine at my friend's house.

Eventually, I managed to do all the above that you told me to do with Killbox, etc.

Here's the logfile from HJT;

Logfile of HijackThis v1.99.1
Scan saved at 21:06:39, on 26/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\mapi32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{41A23376-ACB7-4C0D-82EB-E4F39D6A9D48}: NameServer = 194.72.0.114 62.6.40.162
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe

This last bit here you wrote;

Quote:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
<Entry name>
System.exe<--If there delete it
I couldn't find a folder in Windows called "Current Version" and a search didn't find a "system.exe." either...
#10 - Matt_Cowan - 26-07-2005, 09:10 PM
Re: Another HJT logfile if anyone can take a look for me please!

By the way, it seems I still get a windows message pop up saying something is not working - last one was a system32 failure of some sorts... I wish I had the piece of mind to do a screen grab of it.
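Comparing two of the thread's HijackThis logs entry by entry, as an added example (not code from the thread or from HijackThis): it parses O4 Run-type and O23 service lines and reports which autostart entries appeared, disappeared, or merit review between the 03-07-2005 and 26-07-2005 scans. The sample lines are a subset copied from the logs above; the review heuristics (unknown owner, missing file, no directory, .tmp target) are assumptions for illustration and do not by themselves identify malware.

```python
import ntpath
import re

# Subset of O4/O23 lines copied from the 03-07-2005 and 26-07-2005 logs in the thread.
LOG_03_07 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Registry Value Name] service.exe
O4 - HKLM\..\RunServices: [Registry Value Name] service.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: Universal Plug and Play device driver (upnpdrv) - Unknown owner - C:\WINDOWS\System32\upnpdrv.exe
"""
LOG_26_07 = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\1.tmp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
"""

O4_RE = re.compile(r"^O4 - (?P<loc>HK\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<disp>.+?) \((?P<name>[^)]+)\) - "
                    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Executable part of a command line: optional quotes, up to the first ".ext"
# that is followed by whitespace or end of line (arguments are dropped).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.\w{3})"?(?:\s|$)')
MISSING = " (file missing)"

def parse(log):
    """Return {(section, location, name): (target, [review flags])}."""
    entries = {}
    for line in log.splitlines():
        line, flags = line.strip(), []
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m["cmd"])
            target = exe["exe"] if exe else m["cmd"]
            if not ntpath.dirname(target):       # e.g. a bare "service.exe"
                flags.append("no directory in autostart command")
            if ntpath.splitext(target)[1].lower() == ".tmp":
                flags.append("autostart target is a .tmp file")
            entries[("O4", m["loc"], m["name"])] = (target, flags)
            continue
        m = O23_RE.match(line)
        if m:
            path = m["path"]
            if path.endswith(MISSING):           # HijackThis's own annotation
                path = path[: -len(MISSING)]
                flags.append("service binary missing on disk")
            if m["owner"] == "Unknown owner":
                flags.append("unknown owner")
            entries[("O23", "Service", m["name"])] = (path, flags)
    return entries

def compare(old_log, new_log):
    """Diff two scans by entry key and list what still needs a human look."""
    old, new = parse(old_log), parse(new_log)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "flagged_now": sorted((k, tuple(f)) for k, (_, f) in new.items() if f),
    }

if __name__ == "__main__":
    for section, items in compare(LOG_03_07, LOG_26_07).items():
        print(section)
        for item in items:
            print("   ", item)
```

Entries listed under "added" with a flag are the ones to look up and verify on disk before the next cleanup step; a removed entry only shows that the registry value or service registration is gone, not that the file is.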