SpywareRemover2009 infection

I recently picked up the Rogue SpywareRemover2009. Antivir picked up a trojan and so I scanned my computer with MalwareBytes anti malware. This is the log for the first scan:

Database version _linenums:1749'>Malwarebytes' Anti-Malware 1.34Database version: 1749Windows 5.1.2600 Service Pack 327/02/2009 19:28:04mbam-log-2009-02-27 (19-28-04).txtScan type: Quick ScanObjects scanned: 74700Time elapsed: 5 minute(s), 28 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 5Registry Values Infected: 1Registry Data Items Infected: 2Folders Infected: 0Files Infected: 3Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_CLASSES_ROOT\xml.xml (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\JcPtK2c0.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Taeshun\Local Settings\Temp\1883.exe (Trojan.FakeAlert) -> Delete on reboot.

I re-scanned again the day after and only 2 files remained, userinit.exe:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

However, after this, the tray icon in the bottom right of a red circle with a white x remained, stating 'Warning: You have a security problem!' This was coupled with pop-ups from a website named 'skfjkhcdcsh.com' which lead to a website relating to SR2009.

After this, I scanned with SUPERantispyware twice as it allegedly solved the problem and both times it came up with a large amount of 'Trace.Known Threat Sources' all from my temporary internet files:

Memory items scanned      : 596Memory threats detected   : 0Registry items scanned    : 7214Registry threats detected : 0File items scanned        : 61000File threats detected     : 63Adware.Tracking Cookie	C:\Documents and Settings\Taeshun\Cookies\taeshun@adtrafficsolution[1].txt	C:\Documents and Settings\Taeshun\Cookies\taeshun@specificclick[1].txt	C:\Documents and Settings\Taeshun\Cookies\taeshun@promo3[2].txt	C:\Documents and Settings\Taeshun\Cookies\taeshun@bestvirusremover2009[1].txt	G:\downstairs computer\old computer hard drives\old c drive\WINDOWS\Cookies\oldtimer@finder[1].txtApplication.PowerReg Scheduler	C:\DOCUMENTS AND SETTINGS\TAESHUN\START MENU\PROGRAMS\STARTUP\POWERREG SCHEDULER V3.EXE	C:\WINDOWS\PSS\POWERREG SCHEDULER V3.EXESTARTUP	C:\WINDOWS\Prefetch\POWERREG SCHEDULER V3.EXE-039B2D94.pfTrace.Known Threat Sources	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\EHSBM5Q5\i35_icon4[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6GTPJ5CG\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\i35_btn5[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\i35_bg-btn3[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\EHSBM5Q5\closebutton[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\G1QRK9QN\i35_line2[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\9FNNDXWA\params[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\2P8M0Y1Y\spacer[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\settings[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GTY38HIJ\bg[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\i35_bg-btn1[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\CTMV0PIN\activex[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\bleep2[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\SHM78PIZ\i35_no_flash[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6GTPJ5CG\14[2].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GVXRAIRL\setcookies[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\14[2].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\G1QRK9QN\14[2].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6V0ADO23\i35_icon1[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\rght[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\EHSBM5Q5\5[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\i35_btn1[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\i35_bg1[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\CTMV0PIN\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GVXRAIRL\i35_icon2[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\index_new[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6V0ADO23\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\i35_icon3[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\SHM78PIZ\crypt[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\8DEJ8DYN\secure_installers[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\4H4Z0VWV\managers[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\K12NC9UN\5[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\0VUSU26P\fileslist[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6V0ADO23\i35_spacer[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\14[2].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\MPHQN6TS\i35_t1[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\2P8M0Y1Y\styles[3].css	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\8DKP2345\progressbar[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\0VUSU26P\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\45E3W5UV\5[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\GVXRAIRL\down[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\G1QRK9QN\input[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\6GTPJ5CG\common[2].js	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\14[1].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\i35_btn3[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\i35_line1[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\CTMV0PIN\i35_bg-btn2[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\7A0RFLG1\14[3].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\9FNNDXWA\secstat[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\OX6ZOXQB\bleep[1].gif	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\14[3].htm	C:\Documents and Settings\Taeshun\Local Settings\Temporary Internet Files\Content.IE5\W1MNCDI3\14[2].htm

Somewhere along the line I also scanned with Antivir and that came up with this:

Avira AntiVir PersonalReport file date: 27 February 2009  23:33Scanning for 1270875 virus strains and unwanted programs.Licensed to:      Avira AntiVir PersonalEdition ClassicSerial number:    0000149996-ADJIE-0001Platform:         Windows XPWindows version:  (Service Pack 3)  [5.1.2600]Boot mode:        Normally bootedUsername:         SYSTEMComputer name:    PICNICVersion information:BUILD.DAT     : 8.2.0.337      16934 Bytes  18/11/2008 13:05:00AVSCAN.EXE    : 8.1.4.10      315649 Bytes  06/12/2008 09:55:07AVSCAN.DLL    : 8.1.4.0        40705 Bytes  19/07/2008 17:20:44LUKE.DLL      : 8.1.4.5       164097 Bytes  19/07/2008 17:20:47LUKERES.DLL   : 8.1.4.0        12033 Bytes  19/07/2008 17:20:47ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  27/10/2008 17:59:07ANTIVIR1.VDF  : 7.1.2.12     3336192 Bytes  11/02/2009 12:44:39ANTIVIR2.VDF  : 7.1.2.55      248832 Bytes  20/02/2009 12:01:53ANTIVIR3.VDF  : 7.1.2.95      183808 Bytes  27/02/2009 18:11:55Engineversion : 8.2.0.98  AEVDF.DLL     : 8.1.1.0       106868 Bytes  30/01/2009 17:23:28AESCRIPT.DLL  : 8.1.1.56      352634 Bytes  27/02/2009 18:12:18AESCN.DLL     : 8.1.1.7       127347 Bytes  13/02/2009 12:44:45AERDL.DLL     : 8.1.1.3       438645 Bytes  06/11/2008 17:59:39AEPACK.DLL    : 8.1.3.8       397684 Bytes  07/02/2009 11:50:15AEOFFICE.DLL  : 8.1.0.36      196987 Bytes  27/02/2009 18:12:14AEHEUR.DLL    : 8.1.0.100    1618295 Bytes  27/02/2009 18:12:12AEHELP.DLL    : 8.1.2.2       119158 Bytes  27/02/2009 18:11:58AEGEN.DLL     : 8.1.1.22      336245 Bytes  27/02/2009 18:11:57AEEMU.DLL     : 8.1.0.9       393588 Bytes  06/11/2008 17:59:18AECORE.DLL    : 8.1.6.6       176501 Bytes  18/02/2009 10:37:33AEBB.DLL      : 8.1.0.3        53618 Bytes  06/11/2008 17:59:14AVWINLL.DLL   : 1.0.0.12       15105 Bytes  19/07/2008 17:20:45AVPREF.DLL    : 8.0.2.0        38657 Bytes  19/07/2008 17:20:44AVREP.DLL     : 8.0.0.2        98344 Bytes  09/08/2008 10:36:02AVREG.DLL     : 8.0.0.1        33537 Bytes  19/07/2008 17:20:44AVARKT.DLL    : 1.0.0.23      307457 Bytes  16/04/2008 15:48:03AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes  19/07/2008 17:20:44SQLITE3.DLL   : 3.3.17.1      339968 Bytes  16/04/2008 15:48:03SMTPLIB.DLL   : 1.2.0.23       28929 Bytes  19/07/2008 17:20:47NETNT.DLL     : 8.0.0.1         7937 Bytes  16/04/2008 15:48:03RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes  19/07/2008 17:20:24RCTEXT.DLL    : 8.0.52.0       86273 Bytes  19/07/2008 17:20:25Configuration settings for the scan:Jobname..........................: Complete system scanConfiguration file...............: c:\program files\antivir personaledition classic\sysscan.avpLogging..........................: lowPrimary action...................: interactiveSecondary action.................: ignoreScan master boot sector..........: onScan boot sector.................: onBoot sectors.....................: C:, G:, Process scan.....................: onScan registry....................: onSearch for rootkits..............: offScan all files...................: Intelligent file selectionScan archives....................: onRecursion depth..................: 20Smart extensions.................: onMacro heuristic..................: onFile heuristic...................: mediumStart of the scan: 27 February 2009  23:33The scan of running processes will be startedScan process 'avscan.exe' - '1' Module(s) have been scannedScan process 'avcenter.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'firefox.exe' - '1' Module(s) have been scannedScan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scannedScan process 'JcPtK2c0.exe' - '1' Module(s) have been scannedScan process 'ZDWlan.exe' - '1' Module(s) have been scannedScan process 'sistray.exe' - '1' Module(s) have been scannedScan process 'CCC.exe' - '1' Module(s) have been scannedScan process 'KMProcess.exe' - '1' Module(s) have been scannedScan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scannedScan process 'CTDetect.exe' - '1' Module(s) have been scannedScan process 'MOM.exe' - '1' Module(s) have been scannedScan process 'KMCONFIG.exe' - '1' Module(s) have been scannedScan process 'ctfmon.exe' - '1' Module(s) have been scannedScan process 'hpztsb07.exe' - '1' Module(s) have been scannedScan process 'StartAutorun.exe' - '1' Module(s) have been scannedScan process 'avgnt.exe' - '1' Module(s) have been scannedScan process 'jusched.exe' - '1' Module(s) have been scannedScan process 'AsusProb.exe' - '1' Module(s) have been scannedScan process 'SOUNDMAN.EXE' - '1' Module(s) have been scannedScan process 'explorer.exe' - '1' Module(s) have been scannedScan process 'alg.exe' - '1' Module(s) have been scannedScan process 'StarWindServiceAE.exe' - '1' Module(s) have been scannedScan process 'sqlwriter.exe' - '1' Module(s) have been scannedScan process 'RichVideo.exe' - '1' Module(s) have been scannedScan process 'NMSAccessU.exe' - '1' Module(s) have been scannedScan process 'sqlservr.exe' - '1' Module(s) have been scannedScan process 'mdm.exe' - '1' Module(s) have been scannedScan process 'jqs.exe' - '1' Module(s) have been scannedScan process 'CTSVCCDA.EXE' - '1' Module(s) have been scannedScan process 'mDNSResponder.exe' - '1' Module(s) have been scannedScan process 'ATKKBService.exe' - '1' Module(s) have been scannedScan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scannedScan process 'sched.exe' - '1' Module(s) have been scannedScan process 'avguard.exe' - '1' Module(s) have been scannedScan process 'spoolsv.exe' - '1' Module(s) have been scannedScan process 'userinit.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'ati2evxx.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'svchost.exe' - '1' Module(s) have been scannedScan process 'ati2evxx.exe' - '1' Module(s) have been scannedScan process 'lsass.exe' - '1' Module(s) have been scannedScan process 'services.exe' - '1' Module(s) have been scannedScan process 'winlogon.exe' - '1' Module(s) have been scannedScan process 'csrss.exe' - '1' Module(s) have been scannedScan process 'smss.exe' - '1' Module(s) have been scanned50 processes with 50 modules were scannedStarting master boot sector scan:Master boot sector HD0    [INFO]      No virus was found!Master boot sector HD1    [INFO]      No virus was found!Start scanning boot sectors:Boot sector 'C:\'    [INFO]      No virus was found!Boot sector 'G:\'    [INFO]      No virus was found!Starting to scan the registry.The registry was scanned ( '76' files ).Starting the file scan:Begin scan in 'C:\' <Twilight>C:\pagefile.sys    [WARNING]   The file could not be opened!C:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part02.rar    [0] Archive type: RAR    --> main2.wog      [WARNING]   No further files can be extracted from this archive. The archive will be closedC:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part04.rar    [0] Archive type: RAR    --> main3.wog      [WARNING]   No further files can be extracted from this archive. The archive will be closedC:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part05.rar    [0] Archive type: RAR    --> main4.wog      [WARNING]   No further files can be extracted from this archive. The archive will be closedC:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part06.rar    [0] Archive type: RAR    --> main5.wog      [WARNING]   No further files can be extracted from this archive. The archive will be closedC:\Program Files\3DO\Heroes 3 Complete\WoG Expansion\allinon1\wog358f.part07.rar    [0] Archive type: RAR    --> main6_optional.wog      [WARNING]   No further files can be extracted from this archive. The archive will be closedC:\Program Files\3DO\Heroes expansions (Probably useless)\Heroes 3\Expansion\allinon1.zip    [0] Archive type: ZIP      --> wog358f.part02.rar        [1] Archive type: RAR        --> main2.wog          [WARNING]   No further files can be extracted from this archive. The archive will be closed      --> wog358f.part04.rar        [1] Archive type: RAR        --> main3.wog          [WARNING]   No further files can be extracted from this archive. The archive will be closed      --> wog358f.part05.rar        [1] Archive type: RAR        --> main4.wog          [WARNING]   No further files can be extracted from this archive. The archive will be closed      --> wog358f.part06.rar        [1] Archive type: RAR        --> main5.wog          [WARNING]   No further files can be extracted from this archive. The archive will be closed      --> wog358f.part07.rar        [1] Archive type: RAR        --> main6_optional.wog          [WARNING]   No further files can be extracted from this archive. The archive will be closedC:\Program Files\Macromedia\Photoshop\Plug-Ins\Effects\Glowing Edges.8BF    [DETECTION] Is the TR/IFrame.W.6 Trojan    [NOTE]      A backup was created as '4a178ba6.qua'  ( QUARANTINE )    [NOTE]      The file was deleted!C:\WINDOWS\system32\drivers\sptd.sys    [WARNING]   The file could not be opened!Begin scan in 'G:\' <MOG>G:\System Volume Information\_restore{1BCB6D44-5B4D-4086-9193-47EFACCD58C3}\RP954\A0167222.exe    [DETECTION] Is the TR/Spy.Gampass.US Trojan    [NOTE]      A backup was created as '49d99846.qua'  ( QUARANTINE )    [NOTE]      The file was deleted!End of the scan: 28 February 2009  02:16Used time:  2:42:45 Hour(s)The scan has been done completely.  27866 Scanning directories 1171841 Files were scanned      2 viruses and/or unwanted programs were found      0 Files were classified as suspicious:      2 files were deleted      0 files were repaired      2 files were moved to quarantine      0 files were renamed      2 Files cannot be scanned 1171837 Files not concerned  15873 Archives were scanned     12 Warnings      2 Notes

So far, that is all I have done in ways of scanning. I have, however, rooted out one of the problems: userinit.exe. This process permanently runs on my computer and while it is running the popups from internet explore come up and so do the 'You have a security problem' from SR2009 itself. Thus, it was no coincidence that when I end-processed userinit.exe that they all stopped.
Relative to this, two files were changed without my knowing at exactly the same time, when I got the virus:
C:\WINDOWS\system32 userinit.exe
C:\WINDOWS\Prefetch USERINIT.EXE-30B18140.pf

Finally, here are the DDS Logs:

DDS (Ver_09-02-01.01) - NTFSx86  Run by Taeshun at 16:56:43.95 on 02/03/2009Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.2047.1462 [GMT 0:00]AV: Norton Internet Security *On-access scanning enabled* (Updated)AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)FW: Norton Internet Security *enabled*============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcssvchost.exeC:\WINDOWS\system32\Ati2evxx.exesvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\WINDOWS\ATKKBService.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\CTsvcCDA.EXEC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exeC:\Program Files\CDBurnerXP\NMSAccessU.exeC:\Program Files\Cyberlink\Shared files\RichVideo.exeC:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exeC:\Documents and Settings\Taeshun\Desktop\Scan Plox\Alcohol 120\StarWind\StarWindServiceAE.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\ASUS\Asus Probe\AsusProb.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\AntiVir PersonalEdition Classic\avgnt.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Creative\MediaSource\Detector\CTDetect.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\WINDOWS\system32\sistray.exeC:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exeC:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\System32\svchost.exe -k imgsvcC:\WINDOWS\System32\svchost.exe -k HTTPFilterC:\Documents and Settings\Taeshun\Desktop\Scan Plox\DDS\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htmuSearch Page = hxxp://www.google.comuSearch Bar = hxxp://www.google.com/iemDefault_Search_URL = hxxp://www.google.com/iemSearch Page = hxxp://www.google.commStart Page = hxxp://www.google.co.uk/uSearchAssistant = hxxp://www.google.com/ieuSearchURL,(Default) = hxxp://www.google.com/search?q=%smSearchAssistant = hxxp://www.google.com/ieBHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dllBHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dllBHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dllBHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No FileBHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dllBHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dllBHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dllBHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllBHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dllTB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dllTB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No FileEB: {32683183-48a0-441b-a342-7c2a440a9478} - No FileuRun: [ctfmon.exe] c:\windows\system32\ctfmon.exeuRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /RuRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0uRun: [Steam] "c:\program files\steam\Steam.exe" -silentuRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exemRun: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgentmRun: [SiSUSBRG] c:\windows\SiSUSBrg.exemRun: [SoundMan] SOUNDMAN.EXEmRun: [ASUS Probe] c:\program files\asus\asus probe\AsusProb.exemRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"mRun: [RemoteControl] "c:\documents and settings\taeshun\desktop\powerdvd\PDVDServ.exe"mRun: [LanguageShortcut] "c:\documents and settings\taeshun\desktop\powerdvd\language\Language.exe"mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartupmRun: [nwiz] nwiz.exe /installmRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInitmRun: [avgnt] "c:\program files\antivir personaledition classic\avgnt.exe" /minmRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottimemRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exemRun: [StormCodec_Helper] "c:\documents and settings\taeshun\desktop\sams stuff\storm codec (real)\StormSet.exe" /S /optimRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRundRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEdRunOnce: [RunNarrator] Narrator.exeStartupFolder: c:\documents and settings\taeshun\start menu\programs\startup\PowerReg Scheduler V3.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exeStartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zdwlan~1.lnk - c:\program files\zydas technology corporation\zydas_802.11g_utility\ZDWlan.exeIE: &Download All with FlashGet - c:\progra~1\flashget\jc_all.htmIE: &Download the file(s) in D.S.Code - c:\documents and settings\taeshun\desktop\dslite-2.07.45\dslite2\dl_text.htmlIE: &Download the file(s) in D.S.Code-File - c:\documents and settings\taeshun\desktop\dslite-2.07.45\dslite2\dl_url.htmlIE: &Download with FlashGet - c:\progra~1\flashget\jc_link.htmIE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exeIE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {F8475519-8412-4D40-A46E-692D9D04DF7F} - c:\documents and settings\taeshun\desktop\dslite-2.07.45\dslite2\DSLite.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeIE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLLDPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cabDPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cabDPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cabDPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabDPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cabDPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cabDPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cabDPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabDPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cabTCP: {92A57FF6-85CB-4D6A-AB0B-1DF2274424C6} = 192.168.0.1Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dllNotify: AtiExtEvent - Ati2evxx.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL================= FIREFOX ===================FF - ProfilePath - c:\docume~1\taeshun\applic~1\mozilla\firefox\profiles\bqxljhwi.default\FF - prefs.js: browser.search.selectedEngine - ScroogleFF - prefs.js: browser.startup.homepage - hxxp://www.anthemro.com/forums/index.phpFF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dllFF - plugin: c:\program files\mozilla firefox\plugins\npclntax.dllFF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dllFF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll============= SERVICES / DRIVERS ===============R1 avgio;avgio;c:\program files\antivir personaledition classic\avgio.sys [2007-6-2 11840]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\antivir personaledition classic\sched.exe [2007-6-2 68865]R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\antivir personaledition classic\avguard.exe [2007-6-2 151297]R3 avgntflt;avgntflt;c:\program files\antivir personaledition classic\avgntflt.sys [2007-6-2 52032]S2 ccosm;Contrl Center of Storm Media;c:\documents and settings\taeshun\desktop\sams stuff\storm codec\stormliv.exe /asservice --> c:\documents and settings\taeshun\desktop\sams stuff\storm codec\stormliv.exe  [?]S2 IBG_gds_db;InterBase 7.5 Guardian gds_db;c:\program files\borland\interbase\bin\ibguard.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibguard.exe -i c:\program files\borland\InterBase [?]S2 Stormser;Stormser;c:\docume~1\taeshun\desktop\samsst~1\stormc~1\stormser.exe --> c:\docume~1\taeshun\desktop\samsst~1\stormc~1\Stormser.exe [?]S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\drivers\BRGSp50.sys [2006-3-24 20608]S3 cpuz130;cpuz130;\??\c:\docume~1\taeshun\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\taeshun\locals~1\temp\cpuz130\cpuz_x32.sys [?]S3 IBS_gds_db;InterBase 7.5 Server gds_db;c:\program files\borland\interbase\bin\ibserver.exe -i "c:\program files\borland\interbase" -p gds_db --> c:\program files\borland\interbase\bin\ibserver.exe -i c:\program files\borland\InterBase [?]S3 musbehco;musbehco;c:\docume~1\taeshun\locals~1\temp\musbehco.sys [2002-2-27 15872]S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp2\RpcAgentSrv.exe [2008-12-25 98488]S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2008-7-11 47128]S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [2008-7-10 242712]S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2008-7-11 369688]=============== Created Last 30 ================2009-02-27 19:21	77,824	a-------	c:\windows\system32\JcPtK2c0.exe2009-02-25 19:00	<DIR>	--d-----	c:\docume~1\taeshun\applic~1\GrabPro2009-02-25 15:33	1,089,593	-c------	c:\windows\system32\dllcache\ntprint.cat2009-02-11 19:46	15,504	a-------	c:\windows\system32\drivers\mbam.sys2009-02-11 19:46	38,496	a-------	c:\windows\system32\drivers\mbamswissarmy.sys2009-02-11 19:03	<DIR>	--d-----	c:\docume~1\taeshun\applic~1\Malwarebytes2009-02-11 19:02	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\Malwarebytes2009-02-06 17:28	<DIR>	--d-----	c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com2009-02-06 17:28	<DIR>	--d-----	c:\program files\SUPERAntiSpyware2009-02-06 17:28	<DIR>	--d-----	c:\docume~1\taeshun\applic~1\SUPERAntiSpyware.com2009-02-04 15:37	<DIR>	--d-----	c:\windows\system32\xlive2009-02-04 15:36	<DIR>	--d-----	c:\program files\Microsoft Games for Windows - LIVE2009-02-04 15:24	1,124,720	a-------	c:\windows\system32\D3DCompiler_34.dll2009-02-04 15:24	443,752	a-------	c:\windows\system32\d3dx10_34.dll2009-02-04 15:24	3,497,832	a-------	c:\windows\system32\d3dx9_34.dll2009-02-04 15:24	261,480	a-------	c:\windows\system32\xactengine2_7.dll2009-02-04 15:24	1,123,696	a-------	c:\windows\system32\D3DCompiler_33.dll2009-02-04 15:24	443,752	a-------	c:\windows\system32\d3dx10_33.dll2009-02-04 15:24	3,495,784	a-------	c:\windows\system32\d3dx9_33.dll2009-02-04 15:24	255,848	a-------	c:\windows\system32\xactengine2_6.dll2009-02-04 07:45	<DIR>	--d-----	c:\windows\048298C9A4D3490B9FF9AB023A9238F3.TMP==================== Find3M  ====================2009-02-27 19:21	56,832	a-------	c:\windows\system32\userinit.exe2009-01-01 13:05	21,840	a------t	c:\windows\system32\SIntfNT.dll2009-01-01 13:05	17,212	a------t	c:\windows\system32\SIntf32.dll2009-01-01 13:05	12,067	a------t	c:\windows\system32\SIntf16.dll2008-12-21 12:56	413,696	a-------	c:\windows\system32\wrap_oal.dll2008-12-21 12:56	110,592	a-------	c:\windows\system32\OpenAL32.dll2008-12-09 15:24	410,984	a-------	c:\windows\system32\deploytk.dll2008-10-17 18:05	35,008,838	a-------	c:\docume~1\alluse~1\applic~1\Storm3.exe2008-07-12 10:33	274	a-------	c:\program files\INSTALL.LOG2008-03-24 17:03	0	a-------	c:\program files\temp012007-03-07 17:46	1,207	a-------	c:\documents and settings\taeshun\scoreth095.dat============= FINISH: 16:57:22.93 ===============

(The userinit.exe process won't be running now as I ended it)

And as a side note, I didn't have either SR.exe in my processes or any of the other files/folders known to accompany SpywareRemover2009, and the red-circle-white-x in the tray is no longer present.

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.

• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Please post the contents of log.txt.

Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:

• Reply to this thread; do not start another!
• Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
• Do not run any other tool until instructed to do so!
• Let me know if any of the links do not work or if any of the tools do not work.
• Tell me about problems or symptoms that occur during the fix.
• Do not run any other programs or open any other windows while doing a fix.
• Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.

Thanks.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.