mystic

Here are a couple logs Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:08:59 AM, on 3/23/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\CTsvcCDA.exe C:\WINDOWS\system32\pctspk.exe C:\WINDOWS\System32\svchost.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe C:\WINDOWS\system32\SearchIndexer.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\System32\hkcmd.exe C:\Program Files\Intel\Intel® Active Monitor\imontray.exe C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\WINDOWS\System32\igfxtray.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe C:\Palm\hotsync.exe C:\Program Files\Napster\napster.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Outlook Express\msimn.exe C:\WINDOWS\system32\SearchProtocolHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user') O4 - Global Startup: AutorunsDisabled O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file) O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O15 - Trusted Zone: http://onecare.live.com O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232334420343 O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe -- End of file - 6201 bytes ComboFix 09-03-22.01 - Owner 2009-03-23 21:27:30.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.243 [GMT -4:00] Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\Owner\Application Data\IUpd721 c:\documents and settings\Owner\Application Data\IUpd721\Logs\scns.log c:\windows\IE4 Error Log.txt ----- BITS: Possible infected sites ----- hxxp://bgbtorlopos.com . ((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 ))))))))))))))))))))))))))))))) . 2009-03-23 21:20 . 2009-03-23 21:26 <DIR> d-------- C:\32788R22FWJFW 2009-03-23 11:08 . 2009-03-23 11:08 <DIR> d-------- c:\program files\Trend Micro 2009-03-22 22:06 . 2009-03-22 22:06 <DIR> d-------- c:\program files\CCleaner 2009-03-22 13:41 . 2009-03-22 13:41 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb 2009-03-21 22:47 . 2009-03-21 22:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com 2009-03-21 22:19 . 2009-03-21 22:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard 2009-03-21 21:09 . 2009-03-21 21:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes 2009-03-21 21:08 . 2009-03-21 21:08 <DIR> d-------- c:\documents and settings\Administrator 2009-03-17 22:56 . 2009-03-17 22:56 29,184 --a------ C:\Find_the_value Worksheet.doc 2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware 2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes 2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-03-03 16:54 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-03 16:54 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-02-28 21:13 . 2009-03-23 21:33 54,156 --ah----- c:\windows\QTFont.qfn 2009-02-28 21:13 . 2009-02-28 21:13 1,409 --a------ c:\windows\QTFont.for 2009-02-25 23:49 . 2009-02-25 23:49 <DIR> d-------- C:\Amber . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-03-23 02:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-03-22 13:26 --------- d-----w c:\program files\Windows Live Safety Center 2009-03-22 02:19 --------- d-----w c:\program files\SUPERAntiSpyware 2009-03-22 02:19 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com 2009-03-13 12:36 --------- d-----w c:\program files\support.com 2009-03-12 13:11 --------- d-----w c:\documents and settings\Owner\Application Data\Canon 2009-02-26 01:26 --------- d-----w c:\program files\Spybot - Search & Destroy 2009-02-12 23:19 --------- d-----w c:\program files\Free Offers from Freeze.com 2009-02-12 03:10 --------- d-----w c:\program files\MediaCoder 2009-02-12 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno 2009-02-12 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion 2009-02-12 02:36 --------- d-----w c:\program files\Yahoo! 2009-02-12 02:31 --------- d-----w c:\program files\Common Files\eSellerate 2009-02-12 02:27 --------- d-----w c:\documents and settings\Owner\Application Data\Memeo 2009-02-07 00:11 --------- d-----w c:\program files\Common Files\Symantec Shared 2009-02-07 00:04 --------- d-----w c:\program files\Symantec 2009-02-06 23:48 --------- d-----w c:\program files\Norton Internet Security 2009-02-06 22:48 --------- d-----w c:\program files\Google 2009-02-06 13:40 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys 2009-02-06 13:40 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys 2009-02-02 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg8 2009-01-31 17:48 --------- d-----w c:\documents and settings\Owner\Application Data\Windows Search 2009-01-29 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com 2009-01-29 00:30 --------- d-----w c:\program files\Napster 2009-01-26 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! 2009-01-24 04:54 --------- d-----w c:\documents and settings\Owner\Application Data\Windows Desktop Search 2009-01-24 04:53 --------- d-----w c:\program files\Windows Desktop Search 2009-01-24 04:51 --------- d-----w c:\program files\Windows Media Connect 2 . ------- Sigcheck ------- 2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe 2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe 2009-03-19 08:42 45568 7fec627ab624b76529de4ab91f7ad600 c:\windows\system32\userinit.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352] "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2009-01-08 4363504] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-07-26 114688] "IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2002-05-03 32768] "CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304] "IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-07-26 155648] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ HotSync Manager.lnk - c:\palm\hotsync.exe [2008-11-01 260096] c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-02-06 09:40 10520 c:\windows\system32\avgrsstx.dll [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk] path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk backup=c:\windows\pss\Windows Search.lnkCommon Startup HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task] --a------ 2006-10-25 19:58 282624 c:\program files\QuickTime\qttask.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "SymWSC"=2 (0x2) "SymProxySvc"=2 (0x2) "SNDSrvc"=3 (0x3) "NISUM"=3 (0x3) "NISSERV"=2 (0x2) "gusvc"=3 (0x3) "WMPNetworkSvc"=3 (0x3) "Seekeen Service"=2 (0x2) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2002-12-13 8192] R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 325128] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 107272] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-06 903960] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408] S4 Seekeen Service;Seekeen Service;"c:\program files\Seekeen\seekeen.exe" "c:\program files\Seekeen\seekeen.dll" Service --> c:\program files\Seekeen\seekeen.exe [?] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aa173f8-ba70-11dd-af8b-00045a7ff8f1}] \Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s . Contents of the 'Scheduled Tasks' folder 2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13] 2009-03-24 c:\windows\Tasks\PCConfidential.job - c:\program files\Winferno\PC Confidential\PCConfidential.exe [] . - - - - ORPHANS REMOVED - - - - HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe MSConfigStartUp-loaottocyessnximk - c:\windows\system32\mmkvgezxlmuitcd.dll . ------- Supplementary Scan ------- . uStart Page = hxxp://www.google.com/ uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html mStart Page = hxxp://www.yahoo.com uInternet Connection Wizard,ShellNext = iexplore uSearchURL,(Default) = hxxp://www.google.com/search?q=%s Trusted Zone: intuit.com\www.turbotax Trusted Zone: live.com\onecare Trusted Zone: nick.com\www DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-03-23 21:32:50 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(500) c:\program files\SUPERAntiSpyware\SASWINLO.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\CTSVCCDA.EXE c:\windows\system32\pctspk.exe c:\program files\AVG\AVG8\avgrsx.exe c:\progra~1\AVG\AVG8\avgnsx.exe c:\windows\system32\searchindexer.exe c:\program files\Intel\Intel® Active Monitor\imonNT.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Completion time: 2009-03-23 21:36:53 - machine was rebooted ComboFix-quarantined-files.txt 2009-03-24 01:36:49 Pre-Run: 18,351,726,592 bytes free Post-Run: 18,383,704,064 bytes free 189 --- E O F --- 2009-03-14 17:16:14 Thanks for looking.....

I did the same. I do not see userinit.exe running in task manager and I do not have any other browser issues, just these two files popping up in Malwarebytes scan results. I have two suspicions. Either they are corrupted files and need to be disinfected by Combofix (or ATF Cleaner) or they could be false positives. I really can't tell. They have been known to become associated with many downloaders and viruses. I removed Virtumonde back in early January and my system ran just fine for months. Now Malwarebytes is picking up these files and lists them as Trojan.Agent. After much surfing (snooping), I've discovered this issue is prevalent. Everyone across the board has their own methodology and preferred scanners including Eset which is one I haven't run since January. I could go on and on attempting suggestions but thought I would let someone with more experience solve this for me. Funny thing is, I spent about a month and a half of cleaning this same virus off my friends's home PC and their two laptops with great sucess. I'm not sure what the issue is. I could copy the userinit.exe file from a friend's PC using the same Service Pack and replace it with Combofix or I could run Eset scanner or ATF Cleaner and see what happens but I would like someone to look at the logs first for their opinion.

I apologize for starting this thread as I see there are similar currently being addressed. I am a first-time EVER poster to anything! I just need to confirm that my system is okay. I have logs from DDS report, Attach report, Java Report, MBAM log, Hijack this. I have run Malware Bytes which found two registry files Userinit.exe that keep coming back. Have also run SuperAntiSpyware, Spybot, Dr. Web, CCleaner, OneCareLive and currently using AVG as antivirus. I understand why it is important not to use multiple software, however, I used these as "standalones" with no live protection except for AVG. Would it be possible for someone to take a look at the logs I have and tell me why I keep getting these two files back? SuperAntiSpyware only finds tracking cookies as does Spybot. Onecarelive found 8 item but was not able to fix one of them and flashed so quickly I was unable to identify which file. AVG finds no current infections. Short of going into the keys and removing or replacing the files themselves (which I don't want to do) nor am I wanting to reload Windows, I was hoping someone may be able to identify whether I am at further risk. I AM NOT currently experiencing any browser redirection and I think these two files were loaded upon a system restore. I have cleared my previous system restores except for latest which was performed following guidelines by AdvanceSetup (I believe that's the ID). I have also removed Java files/folders and performed Disk Cleaner. Will post logs if desired. Thank you.