Old 2007-05-03, 04:33   Link #45
Jinto
Asuki-tan Kairin ↓
 
 
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
The stuff you've scanned with RootkitRevealer is very... uhm, strange imo. Very many API mismatches in API functions of explorer. That's not typical for normal systems. I assume you have a rootkit on your system. Sorry, but if it is what I think it is, you will have a hard time getting rid of that.

That means... wait, this is start-menu related... I first have to decode the stuff *sigh*

HKLM\S-1-5-21-860800232-1097640657-3834557708-1009\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{large number}\Count\

the first key is UEME_UISCUT
the second key is UEME_RUNPATH
the third key is UEME_RUNPATH: Download.lnk

still looks suspicious to me...

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
It should be safe to delete the subkeys... if there is anything important it will be recreated by Windows (use regedit).
The Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\MRUListEx entries seem okay to me.
so do the Pins\Input\Types\ entries and the last one as well.


In your first hijackthis scan I found these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...rio&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY... io&pf=desktop

You fixed them... was that a default value (was your PC shipped with that setting?)

If you run these two commands in cmd.exe and post the result... maybe it's lsass that got infected.
dir C:\WINDOWS\system32\lsass.exe /a:h > files.txt
notepad files.txt
__________________
Folding@Home, Team Animesuki

Last edited by Jinto; 2007-05-03 at 05:38.
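The post above reads UserAssist entries by hand ("I first have to decode the stuff"), because Explorer stores the value names under ...\UserAssist\{GUID}\Count ROT13-obfuscated, and each value's data on Windows XP is a 16-byte blob (session id, run counter that starts at 5, last-run FILETIME). The following is an added example, not code from the poster or from the thread, showing how to decode such entries into the three names discussed above. The value names are the real ROT13 forms of UEME_UISCUT, UEME_RUNPATH and UEME_RUNPATH:Download.lnk; the binary Count data, the session numbers and the timestamps are constructed for the demonstration, and the 16-byte layout is assumed to be the XP format (Vista and later use a longer record).

```python
import codecs
import struct
from datetime import datetime, timedelta
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1)
XP_COUNT_OFFSET = 5  # XP starts the run counter at 5: a raw value of 6 means one launch


def rot13(name: str) -> str:
    """UserAssist value names are ROT13-obfuscated; the transform is its own inverse."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'never run'."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_xp_count(data: bytes) -> dict:
    """Parse the assumed 16-byte XP Count record: session (u32), counter (u32), FILETIME (u64)."""
    if len(data) != 16:
        raise ValueError(f"expected 16-byte XP Count data, got {len(data)} bytes")
    session, raw_count, filetime = struct.unpack("<IIQ", data)
    return {
        "session": session,
        "run_count": max(raw_count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(filetime),
    }


def decode_userassist(values: dict) -> list:
    """Turn {obfuscated_name: raw_data} from a Count key into readable records, in key order."""
    records = []
    for obfuscated_name, data in values.items():
        record = {"name": rot13(obfuscated_name)}
        record.update(parse_xp_count(data))
        records.append(record)
    return records


def launched_from_path(records: list) -> list:
    """UEME_RUNPATH:<target> entries name the programs or shortcuts the user actually ran."""
    return [r["name"].split(":", 1)[1]
            for r in records if r["name"].startswith("UEME_RUNPATH:")]


def make_xp_count(session: int, raw_count: int, filetime: int) -> bytes:
    """Build a 16-byte XP Count blob (used here only to construct sample data)."""
    return struct.pack("<IIQ", session, raw_count, filetime)


# Constructed sample data: FILETIME 128224512000000000 is 2007-05-01 00:00:00 UTC,
# i.e. (1177977600 + 11644473600) * 10**7. The session ids and counters are made up.
SAMPLE_COUNT_VALUES = {
    "HRZR_HVFPHG": make_xp_count(4, 13, 128224512000000000),                 # UEME_UISCUT
    "HRZR_EHACNGU": make_xp_count(4, 9, 128224512000000000),                 # UEME_RUNPATH
    "HRZR_EHACNGU:Qbjaybnq.yax": make_xp_count(4, 6, 128224512000000000),    # UEME_RUNPATH:Download.lnk
}

if __name__ == "__main__":
    for rec in decode_userassist(SAMPLE_COUNT_VALUES):
        print(f'{rec["name"]:32} runs={rec["run_count"]:<3} last={rec["last_run"]}')
    print("launched:", launched_from_path(decode_userassist(SAMPLE_COUNT_VALUES)))
```

On a live XP box the same functions apply to the bytes returned by winreg.EnumValue over the Count key; the run counter and the last-run timestamp are what let you tell a shortcut that was executed once from one that is merely present, which is the question the post is trying to answer about Download.lnk.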