Userinit.exe Won't Go Away

[mystic]

I apologize for starting this thread as I see there are similar currently being addressed. I am a first-time EVER poster to anything! I just need to confirm that my system is okay. I have logs from DDS report, Attach report, Java Report, MBAM log, Hijack this. I have run Malware Bytes which found two registry files Userinit.exe that keep coming back. Have also run SuperAntiSpyware, Spybot, Dr. Web, CCleaner, OneCareLive and currently using AVG as antivirus. I understand why it is important not to use multiple software, however, I used these as "standalones" with no live protection except for AVG. Would it be possible for someone to take a look at the logs I have and tell me why I keep getting these two files back? SuperAntiSpyware only finds tracking cookies as does Spybot. Onecarelive found 8 item but was not able to fix one of them and flashed so quickly I was unable to identify which file. AVG finds no current infections. Short of going into the keys and removing or replacing the files themselves (which I don't want to do) nor am I wanting to reload Windows, I was hoping someone may be able to identify whether I am at further risk. I AM NOT currently experiencing any browser redirection and I think these two files were loaded upon a system restore. I have cleared my previous system restores except for latest which was performed following guidelines by AdvanceSetup (I believe that's the ID). I have also removed Java files/folders and performed Disk Cleaner. Will post logs if desired. Thank you.

[bobbyrae]

I apologize for starting this thread as I see there are similar currently being addressed. I am a first-time EVER poster to anything! I just need to confirm that my system is okay. I have logs from DDS report, Attach report, Java Report, MBAM log, Hijack this. I have run Malware Bytes which found two registry files Userinit.exe that keep coming back.

...

What symptoms were you having? Since I seem to have the same issue with two registry entries regarding userinit.exe, I am wondering if it might even be the same spyware. In my case, I was watching the registry entries while I ran malwarebytes and tried to delete, but I saw no change. That is, the quarantine and delete operation apparently did nothing. At first I thought that the spyware was somehow restoring the entries, but now I don't think so.

[mystic]

What symptoms were you having? Since I seem to have the same issue with two registry entries regarding userinit.exe, I am wondering if it might even be the same spyware. In my case, I was watching the registry entries while I ran malwarebytes and tried to delete, but I saw no change. That is, the quarantine and delete operation apparently did nothing. At first I thought that the spyware was somehow restoring the entries, but now I don't think so.

I did the same. I do not see userinit.exe running in task manager and I do not have any other browser issues, just these two files popping up in Malwarebytes scan results. I have two suspicions. Either they are corrupted files and need to be disinfected by Combofix (or ATF Cleaner) or they could be false positives. I really can't tell. They have been known to become associated with many downloaders and viruses. I removed Virtumonde back in early January and my system ran just fine for months. Now Malwarebytes is picking up these files and lists them as Trojan.Agent. After much surfing (snooping), I've discovered this issue is prevalent. Everyone across the board has their own methodology and preferred scanners including Eset which is one I haven't run since January. I could go on and on attempting suggestions but thought I would let someone with more experience solve this for me. Funny thing is, I spent about a month and a half of cleaning this same virus off my friends's home PC and their two laptops with great sucess. I'm not sure what the issue is. I could copy the userinit.exe file from a friend's PC using the same Service Pack and replace it with Combofix or I could run Eset scanner or ATF Cleaner and see what happens but I would like someone to look at the logs first for their opinion.

[mystic]

Here are a couple logs

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:08:59 AM, on 3/23/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\system32\pctspk.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\System32\igfxtray.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Palm\hotsync.exe

C:\Program Files\Napster\napster.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Outlook Express\msimn.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [iMONTRAY] C:\Program Files\Intel\Intel® Active Monitor\imontray.exe

O4 - HKLM\..\Run: [CTCheck] C:\Program Files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')

O4 - Global Startup: AutorunsDisabled

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)

O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O15 - Trusted Zone: http://onecare.live.com

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase5483.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1232334420343

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: Intel® Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel® Active Monitor\imonnt.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

--

End of file - 6201 bytes

ComboFix 09-03-22.01 - Owner 2009-03-23 21:27:30.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.243 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Owner\Application Data\IUpd721

c:\documents and settings\Owner\Application Data\IUpd721\Logs\scns.log

c:\windows\IE4 Error Log.txt

----- BITS: Possible infected sites -----

hxxp://bgbtorlopos.com

.

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))

.

2009-03-23 21:20 . 2009-03-23 21:26 <DIR> d-------- C:\32788R22FWJFW

2009-03-23 11:08 . 2009-03-23 11:08 <DIR> d-------- c:\program files\Trend Micro

2009-03-22 22:06 . 2009-03-22 22:06 <DIR> d-------- c:\program files\CCleaner

2009-03-22 13:41 . 2009-03-22 13:41 <DIR> d-------- c:\documents and settings\Owner\DoctorWeb

2009-03-21 22:47 . 2009-03-21 22:47 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com

2009-03-21 22:19 . 2009-03-21 22:19 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard

2009-03-21 21:09 . 2009-03-21 21:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-03-21 21:08 . 2009-03-21 21:08 <DIR> d-------- c:\documents and settings\Administrator

2009-03-17 22:56 . 2009-03-17 22:56 29,184 --a------ C:\Find_the_value Worksheet.doc

2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-03-03 16:54 . 2009-03-03 16:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-03-03 16:54 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-03 16:54 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-02-28 21:13 . 2009-03-23 21:33 54,156 --ah----- c:\windows\QTFont.qfn

2009-02-28 21:13 . 2009-02-28 21:13 1,409 --a------ c:\windows\QTFont.for

2009-02-25 23:49 . 2009-02-25 23:49 <DIR> d-------- C:\Amber

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-23 02:08 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-22 13:26 --------- d-----w c:\program files\Windows Live Safety Center

2009-03-22 02:19 --------- d-----w c:\program files\SUPERAntiSpyware

2009-03-22 02:19 --------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com

2009-03-13 12:36 --------- d-----w c:\program files\support.com

2009-03-12 13:11 --------- d-----w c:\documents and settings\Owner\Application Data\Canon

2009-02-26 01:26 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-12 23:19 --------- d-----w c:\program files\Free Offers from Freeze.com

2009-02-12 03:10 --------- d-----w c:\program files\MediaCoder

2009-02-12 02:42 --------- d-----w c:\documents and settings\All Users\Application Data\Winferno

2009-02-12 02:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-02-12 02:36 --------- d-----w c:\program files\Yahoo!

2009-02-12 02:31 --------- d-----w c:\program files\Common Files\eSellerate

2009-02-12 02:27 --------- d-----w c:\documents and settings\Owner\Application Data\Memeo

2009-02-07 00:11 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-07 00:04 --------- d-----w c:\program files\Symantec

2009-02-06 23:48 --------- d-----w c:\program files\Norton Internet Security

2009-02-06 22:48 --------- d-----w c:\program files\Google

2009-02-06 13:40 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-02-06 13:40 107,272 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-02-02 16:51 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2009-01-31 17:48 --------- d-----w c:\documents and settings\Owner\Application Data\Windows Search

2009-01-29 21:58 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-01-29 00:30 --------- d-----w c:\program files\Napster

2009-01-26 18:43 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!

2009-01-24 04:54 --------- d-----w c:\documents and settings\Owner\Application Data\Windows Desktop Search

2009-01-24 04:53 --------- d-----w c:\program files\Windows Desktop Search

2009-01-24 04:51 --------- d-----w c:\program files\Windows Media Connect 2

.

------- Sigcheck -------

2004-08-04 03:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\$NtServicePackUninstall$\userinit.exe

2008-04-13 20:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\ServicePackFiles\i386\userinit.exe

2009-03-19 08:42 45568 7fec627ab624b76529de4ab91f7ad600 c:\windows\system32\userinit.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2009-01-08 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-07-26 114688]

"IMONTRAY"="c:\program files\Intel\Intel® Active Monitor\imontray.exe" [2002-05-03 32768]

"CTCheck"="c:\program files\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-06 1601304]

"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-07-26 155648]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

HotSync Manager.lnk - c:\palm\hotsync.exe [2008-11-01 260096]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-02-06 09:40 10520 c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

backup=c:\windows\pss\Windows Search.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-10-25 19:58 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"SymWSC"=2 (0x2)

"SymProxySvc"=2 (0x2)

"SNDSrvc"=3 (0x3)

"NISUM"=3 (0x3)

"NISSERV"=2 (0x2)

"gusvc"=3 (0x3)

"WMPNetworkSvc"=3 (0x3)

"Seekeen Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\BsStor.sys [2002-12-13 8192]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-25 325128]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-11-25 107272]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-02-06 903960]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-06 298264]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]

S4 Seekeen Service;Seekeen Service;"c:\program files\Seekeen\seekeen.exe" "c:\program files\Seekeen\seekeen.dll" Service --> c:\program files\Seekeen\seekeen.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1aa173f8-ba70-11dd-af8b-00045a7ff8f1}]

\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

.

Contents of the 'Scheduled Tasks' folder

2009-03-18 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 18:13]

2009-03-24 c:\windows\Tasks\PCConfidential.job

- c:\program files\Winferno\PC Confidential\PCConfidential.exe []

.

- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe

MSConfigStartUp-loaottocyessnximk - c:\windows\system32\mmkvgezxlmuitcd.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uDefault_Search_URL = hxxp://www.earthlink.net/partner/more/msie/button/search.html

mStart Page = hxxp://www.yahoo.com

uInternet Connection Wizard,ShellNext = iexplore

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

Trusted Zone: intuit.com\www.turbotax

Trusted Zone: live.com\onecare

Trusted Zone: nick.com\www

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-23 21:32:50

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(500)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\CTSVCCDA.EXE

c:\windows\system32\pctspk.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

c:\windows\system32\searchindexer.exe

c:\program files\Intel\Intel® Active Monitor\imonNT.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-23 21:36:53 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-24 01:36:49

Pre-Run: 18,351,726,592 bytes free

Post-Run: 18,383,704,064 bytes free

189 --- E O F --- 2009-03-14 17:16:14

Thanks for looking.....