DMR 152 Wombat At Large Team Colleague

Let's skip the automated log analyser; it's honestly better for us to work from your original log.

Please do the following:

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

DMR 152 Wombat At Large Team Colleague

Give it a shot and keep us posted. :)

DMR 152 Wombat At Large Team Colleague

Logfile of HijackThis v1.97.7

You're running a really ancient version of HijackThis. Please download the latest version (1.99.1) from the link in my sig below and post the log that version generates.

If the netbus probes/attacks are really coming from the outside, there's not a heck of a lot you can do about it except hope that the attacker gets bored and moves on to a different range of IPs. If Norton is blocking the netbus requests, you may not be in any/much danger.

However, the fact that Norton is flagging the attempts makes it sound as though you're connecting directly to the Internet, which is a Bad Thing on a broadband connection. You should protect yourself further by installing a hardware firewall router such as those made by Linksys and Netgear.

DMR 152 Wombat At Large Team Colleague

You should post another log for a final check :)

Good idea; it definitely can't hurt.

DMR 152 Wombat At Large Team Colleague

To verify that your dial-up/Internet settings are correct, you'll need to call your ISP or see if they have the information you need posted on their web site.


IE cannot be uninstalled/reinstalled in the way other programs usually are because it is integrated into the Windows operating system itself. However, there are different methods of repairing problems; here are a few:

http://support.microsoft.com/default.aspx?scid=kb;en-us;281679
http://windowsxp.mvps.org/IEFIX.htm
http://support.microsoft.com/default.aspx?kbid=318378
http://www.theeldergeek.com/repair_ie6.htm

DMR 152 Wombat At Large Team Colleague

You should make sure that your McAfee firewall is completely disabled before continuing with other troubleshooting steps.

Other than that, I see nothing obvious in your log that would account for the browsing problem. See if the firewall is the culprit and get back to us.

DMR 152 Wombat At Large Team Colleague

This is possible, on my Linksys the DHCP range of addresses starts at 192.168.1.100, the Linksys has IP 192.168.1.1, so 192.168.1.2 - 192.168.1.99 are available for static devices, choose any of these and that should be fine.

Right.
As long as you choose an IP address that is out of the DHCP scope of the router (but still within the same subnet, obviously), you shouldn't have an address conflict.
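The rule DMR states (same subnet, outside the DHCP pool, not the router's own address) is easy to get wrong by hand, so here is an added example that checks a candidate static address against it. This is not code from the thread; the router address and pool start come from the post above, while the pool end (192.168.1.149) and the /24 mask are assumptions for the sake of the example.

```python
import ipaddress

# Constructed values modelled on the post: router at 192.168.1.1 and a DHCP
# pool starting at 192.168.1.100. The pool's upper bound and the /24 subnet
# are assumptions; the post only gives the start of the range.
ROUTER_IP = "192.168.1.1"
SUBNET = "192.168.1.0/24"
DHCP_START = "192.168.1.100"
DHCP_END = "192.168.1.149"


def static_ip_ok(candidate, subnet=SUBNET, router=ROUTER_IP,
                 dhcp_start=DHCP_START, dhcp_end=DHCP_END):
    """Return (ok, reason) for a proposed static address.

    "ok" means: a usable host address inside the router's subnet, not the
    router's own address, and outside the DHCP pool, so the router can never
    hand the same address to a DHCP client (the conflict DMR describes).
    """
    net = ipaddress.ip_network(subnet, strict=True)
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False, f"{candidate!r} is not a valid IP address"
    if ip not in net:                       # also False for an IPv6 address
        return False, f"{ip} is outside subnet {net}"
    if ip in (net.network_address, net.broadcast_address):
        return False, f"{ip} is the network or broadcast address"
    if ip == ipaddress.ip_address(router):
        return False, f"{ip} is the router's own address"
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)
    if lo <= ip <= hi:
        return False, f"{ip} is inside the DHCP pool {lo}-{hi}"
    return True, f"{ip} is in {net} and outside the DHCP pool"


def free_static_addresses(subnet=SUBNET, router=ROUTER_IP,
                          dhcp_start=DHCP_START, dhcp_end=DHCP_END):
    """Every address in the subnet that static_ip_ok() accepts."""
    net = ipaddress.ip_network(subnet, strict=True)
    return [str(h) for h in net.hosts()
            if static_ip_ok(str(h), subnet, router, dhcp_start, dhcp_end)[0]]


if __name__ == "__main__":
    for cand in ("192.168.1.2", "192.168.1.1", "192.168.1.120", "192.168.2.5"):
        ok, why = static_ip_ok(cand)
        print(f"{cand:15} {'OK' if ok else 'NO'}  {why}")
    print(len(free_static_addresses()), "addresses available for static devices")
```

If your router's pool ends somewhere else, pass your own `dhcp_end`; the check is the same one you would do by eye, just applied to every address in the subnet.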

DMR 152 Wombat At Large Team Colleague

Glad you found LSPFix; it's a handy little repair tool, yes?


Ok, let's work on the "Googl" bit.

1. First- some general clean up:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!


1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let …

DMR 152 Wombat At Large Team Colleague

So you were able to roll back to a good Restore Point? Cool; glad that worked. :)

DMR 152 Wombat At Large Team Colleague

Cable select can cause problems itself; I would set it to master and slave to make sure!!

Agreed.

mixing hp and emachine? I'm just asking for a piece of junk.

Definitely agreed! :mrgreen:

DMR 152 Wombat At Large Team Colleague

There is also a Default User.WINDOWS folder in Documents & Settings folder, together with other folders which I believe I didn't create. Is it safe to delete all those folders? I open the User Accounts in Control Panel but can only see three accounts namely Games, JK and Guest. I see more in Documents & Settings. Can you explain?

Has the computer ever been part of a domain (as opposed to just a workgroup)? When you set up user accounts in a domain environment, the individual user folders under Documents and Settings that get created in the process use the "dotted" naming convention that your folders have. The word before the dot is the username, and the word after the dot will be either the domain name or the name of the local computer.


1. Delete the following two folders entirely; they were created as part of the infection:

C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1
C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo


2. You'll probably have to edit your Registry to get rid of the "crazywinnings" entries; they'll just keep reappearing if you don't.

- First, remove the site from your Trusted Zone:
Start Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab. Click Trusted Sites, and then click Sites. Click the "crazywinnings" site, and then click Remove


- Click on the "Run..." option under your Start menu, type "regedit" (omit the quotes) in the resulting "Open:" window, and …

DMR 152 Wombat At Large Team Colleague

Great; glad we could help! :)


Now that your computer is (hopefully) clean, here are some general suggestions which should minimize your chances of future infections:


1. Use Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.

2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will greatly reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.

3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks.

4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.

6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.

DMR 152 Wombat At Large Team Colleague

I'll need to get back to this tomorrow, as it's dinner time in my end of the world right now.

In the meantime, can you please give us the exact make and model # of the router.

DMR 152 Wombat At Large Team Colleague

The above link mentions LSP's I had not heard of this term before, but it seems to relate to additions to winsock made by third party software and drivers you might have installed, that were not installed on the machine you exported winsock from.

Yes hollystiles- you've exactly and correctly grokked the concept of Microsoft's LSP (Layered Service Provider) extensions. :)

Additionally, what you stated is essentially true:

You said you were instructed to import winsock from another computer, that's fine but means you may need to re-install some things like the driver for your network card.

Importing the winsock entries from someone else's registry is not a recommendation I've ever seen suggested nor one that I would suggest, as the contents of those registry keys can definitely vary between different computers.

DMR 152 Wombat At Large Team Colleague

Quite honestly, it looks to me as though you aren't dealing with a winsock issue at all this time around, but more of a DHCP-related problem instead. I only gave the winsock repair instructions to be on the safe side.

If you've only got one or a few computers connected to the router, it's usually more reliable overall to turn off the router's DHCP server feature and just assign all of the computers a static address. That will eliminate DHCP-related problems such as lease renewal times, the inability of the computers to obtain correct IP info from the DHCP server, etc.

DMR 152 Wombat At Large Team Colleague

Excellent work mrZ- your log is clean now. :)

How are things working now? Did that seem to have fixed everything, or are you still experiencing some problems?

DMR 152 Wombat At Large Team Colleague

For all of you programmers out there- please don't Trout Slap me too hard for the following explanation; coding is definitely not one of my areas of expertise...


On a very basic level, message handlers are pieces of code that tell a program (or Windows itself) what to do when different events occur in your system.

A common example of an "event" would be the action of a user clicking their mouse on a certain button within one of the program's windows. When a user does that, the program needs to know:

- that some button actually has been clicked.
- which exact button has been clicked.
- what action it should perform when that specific button is clicked.

The fact that the user has clicked a button in one of the program's windows, which exact button it was, and other information concerning the specific event, is transmitted from the program's window to the program itself via a chunk of data called a "message".

Included in (or accessible to) the program are pieces of code called "event handlers" or "message handlers" which contain instructions on what to do when the program is notified via the message that an event has occurred.
Based on the information contained in a given message, an appropriate message handler is located, and the processing of the action(s) that should occur in response to that message are then processed by the handler.
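To make DMR's description concrete, here is an added example (not code from the thread) of the pieces he names: a message carrying the event details, a table of handlers, and the loop that pulls each message off a queue and dispatches it. The message kinds, control names and handler bodies are all constructed for the example and are not Win32 definitions.

```python
from collections import deque

# Message kinds, constructed for this example (not the real Win32 message
# numbers): what kind of event the window is reporting to the program.
MSG_BUTTON_CLICK = 1
MSG_KEY_PRESS = 2
MSG_CLOSE = 3


class Message:
    """The 'chunk of data' a window sends the program about one event."""
    def __init__(self, kind, control_id=None, payload=None):
        self.kind = kind                # what happened (click, key, close)
        self.control_id = control_id    # which exact button/control it was
        self.payload = payload          # any extra detail, e.g. the key name


class Program:
    def __init__(self):
        self.queue = deque()            # messages waiting to be processed
        self.handlers = {}              # (kind, control_id) -> handler function
        self.log = []                   # record of what the handlers did
        self.running = True

    def on(self, kind, control_id=None):
        """Decorator: register a handler for a message kind, optionally for
        one specific control only."""
        def register(func):
            self.handlers[(kind, control_id)] = func
            return func
        return register

    def post(self, message):
        self.queue.append(message)

    def dispatch(self, msg):
        """Locate the handler for a message: an exact (kind, control) match
        first, then a handler for that kind regardless of control, and
        finally a default so an unexpected message is never left unhandled."""
        handler = (self.handlers.get((msg.kind, msg.control_id))
                   or self.handlers.get((msg.kind, None))
                   or self.default_handler)
        return handler(msg)

    def default_handler(self, msg):
        self.log.append(f"unhandled message kind={msg.kind}")

    def run(self):
        """The message loop: process messages until the queue is empty or a
        handler asks the program to stop. Returns the handler log."""
        while self.running and self.queue:
            self.dispatch(self.queue.popleft())
        return self.log


def build_demo_program():
    app = Program()

    @app.on(MSG_BUTTON_CLICK, control_id="ok")
    def ok_clicked(msg):
        app.log.append("OK button: saving settings")

    @app.on(MSG_BUTTON_CLICK, control_id="cancel")
    def cancel_clicked(msg):
        app.log.append("Cancel button: discarding changes")

    @app.on(MSG_KEY_PRESS)                      # any control, any key
    def key_pressed(msg):
        app.log.append(f"key pressed: {msg.payload}")

    @app.on(MSG_CLOSE)
    def close(msg):
        app.log.append("closing window")
        app.running = False                     # stops the message loop
    return app


def simulate():
    """Post a constructed sequence of events and run the loop over them."""
    app = build_demo_program()
    app.post(Message(MSG_BUTTON_CLICK, control_id="ok"))
    app.post(Message(MSG_KEY_PRESS, payload="Enter"))
    app.post(Message(MSG_BUTTON_CLICK, control_id="help"))   # no handler for it
    app.post(Message(MSG_CLOSE))
    app.post(Message(MSG_BUTTON_CLICK, control_id="cancel")) # never reached
    return app.run()


if __name__ == "__main__":
    for line in simulate():
        print(line)
```

The "help" click shows the part that matters for robustness: a message with no registered handler still gets routed somewhere sensible rather than being dropped or crashing the loop, and the close message demonstrates a handler that ends processing before later messages are examined.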

DMR 152 Wombat At Large Team Colleague

The fact that you mention the A drive is not recognized either suggests maybe the problem is with not the cables...

One common mistake people often make is to plug the floppy's ribbon cable into the back of the drive upside down. On most floppy drives, it's a pretty easy mistake to make.

For the hard drive:

- Check the ribbon cable carefully to make sure it isn't damaged or loosely/incorrectly connected to the drive and motherboard.

- Try replacing the ribbon cable; new ones are cheap.

- The controller circuitry on the drive itself could be going bad. Try adding the drive to another computer as a slave/secondary drive and see if it works there.

- If it isn't the drive or cable, it may be a problem with the IDE controller circuitry on the motherboard as hollystiles suggested.

DMR 152 Wombat At Large Team Colleague

Killbox handy tool, yes? :mrgreen:

Glad you nailed it; your log is clean now.

DMR 152 Wombat At Large Team Colleague

Why not just disable DHCP and manually assign the machine a static IP?

In terms of resetting/repairing your Winsock stack, there is a utility called WinsockXP fix which can restore your Windows winsock defaults.

An alternate manual method is described toward the end of this article:
http://support.microsoft.com/kb/811259

And another possible method is here:
http://support.microsoft.com/kb/299357

DMR 152 Wombat At Large Team Colleague

I'm going to do this several times today to see what happens and I will report back.

When you repost, please include the contents of the log/report files or at least tell us what SpyBot and AAW are finding. Some reported items do not necessarily point to actual infections, but rather to areas/settings in your system which present a possible security or privacy threat. Some of these items (like the famous "DSO exploit" reported by SpyBot) are not things that the anti-spyware/anti-virus programs can correct themselves, and therefore will keep recurring in your scans.

DMR 152 Wombat At Large Team Colleague

Try this:

1. Download The Pocket Killbox from this site: http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41.

- Unzip the download and open the Killbox program.

- Click on the button with the folder icon just to the right of the "Full path of file to delete" box, browse to the C:\WINDOWS\SYSTEM\IFFE.DLL file, highlight the file, and then click OK in the browse window.

- Select the "Delete on reboot" option, put a check in the "Unregister dll before deleting" box, and then click the button with the red circle and "X" icon.

- Choose Yes in the resulting two confirmation dialog pop-ups to reboot the computer and complete the deletion.


2. Once the system has rebooted, search for iffe.dll to see if the Killbox was able to delete the file. Hopefully the dll will be gone.


3. Judging from the log entries, you should find copies of the K2OO.0U file in the following folders:

C:\Windows\Start Menu\Programs\StartUp
c:\windows\all users\start menu\programs\startup

When you look for the file, make sure you have Explorer set to show all files as I indicated earlier. Delete all instances of the file if you find them.


4. Run HJT again and post a new log.

DMR 152 Wombat At Large Team Colleague

1. When did you install the BulletProofSoft utility?

All of the "010" entries in your log indicate that the BPS program has gotten itself pretty well integrated into your network stack; it might be the root of the connection-sharing problem.


2. Your log indicates that your versions of Windows and Internet Explorer are not up to date. You should go to Microsoft's Windows Update site and install all of the current critical fixes and updates. Don't install Service Pack 2 yet, but at least get Service Pack 1 and all related updates/fixes.


3. Aside from the numerous "010" entries, there is nothing else amiss in your log. In terms of the Google redirect- check your C:\WINDOWS\system32\drivers\etc\hosts file for any suspicious IP address-to-URL mapping entries.

A normal hosts file will contain only some comment lines (which begin with a "#") and the following IP->URL map line:

127.0.0.1 localhost

If there are further entries in the hosts file, they should probably be deleted.
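Reading a hosts file by eye is fine for the one line DMR describes, but a hijacked file can carry dozens of entries, so here is an added example (not from the thread) that parses hosts-file text, ignores the comment lines, and reports every mapping that is not the expected localhost line. The sample file below is constructed for the example; the two extra entries mimic a redirect, and the target address is made up.

```python
import ipaddress

# Constructed sample hosts file, not taken from anyone's machine: the usual
# comment header, the expected localhost line, and two extra mappings of the
# kind a redirect hijack leaves behind (the 10.0.0.7 address is invented).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
10.0.0.7        www.google.com   # hijack-style entry (constructed)
10.0.0.7        google.com
"""

# The only mapping a normal hosts file should carry. Later Windows versions
# also ship an IPv6 "::1 localhost" line, so it is accepted as well.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines and anything the resolver would not use."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # an address with no hostnames
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                          # first field is not an address
        for name in parts[1:]:                # one line may list several names
            yield ip, name.lower()


def classify(ip, name):
    """Say what an unexpected mapping does to the victim's lookups."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "blocks"      # the name resolves to nowhere (often aimed at update sites)
    return "redirects"       # the name resolves to someone else's address


def suspicious_entries(text, expected=EXPECTED):
    """Every mapping in the file that is not in the expected set, with a label."""
    return [(ip, name, classify(ip, name))
            for ip, name in parse_hosts(text) if (ip, name) not in expected]


if __name__ == "__main__":
    # On a Windows machine you would read C:\WINDOWS\system32\drivers\etc\hosts
    # instead of the constructed sample.
    for ip, name, what in suspicious_entries(SAMPLE_HOSTS):
        print(f"{what:9} {name} -> {ip}")
```

Anything this reports is a candidate for deletion, as the post says; the "blocks" label is worth a second look because mapping a vendor's update site to 127.0.0.1 is a common way of keeping anti-virus definitions from updating.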

DMR 152 Wombat At Large Team Colleague

Yikes- judging from all of the " C:\Program Files\Internet Explorer\iexplore.exe" log entries, you've got about 25 instances of Internet Explorer running!

You need to close all instances of IE before proceeding with HijackThis fixes:

- Hit Ctrl+Alt+Delete and then hit "T" to open the Task Manager.
- Click on the Processes tab, highlight each and every individual instance of IEXPLORE.EXE and click on the "End Process" button for each one.

Watch the Processes window carefully. If IEXPLORE.exe entries keep automatically regenerating themselves, you'll have to reboot into Safe Mode and see if that keeps IE from starting/running. (You get to the safe mode boot option by hitting the F8 key as your computer is starting up.)

Once you're sure IE isn't running:

1. Have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [KBqpRhMFQ] jgd2cqag.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll


2. Reboot into safe mode if you're not there already.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for and delete any and all copies of the following files:
jgd2cqag.exe
vbsys2.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not …

DMR 152 Wombat At Large Team Colleague

Hi trandill,

You need to start your own thread for that question. We ask that members not "piggyback" their questions onto a thread started by another member.
Also- please include a HijackThis log in your new thread; it will give us a good idea of what sort of "nasties" are lurking in your system.

DMR 152 Wombat At Large Team Colleague

1. Have HJT fix:

O2 - BHO: (no name) - {47FF45A1-9F67-11D9-9C0E-00045FD38E58} - C:\WINDOWS\SYSTEM\IFFE.DLL
O4 - Startup: K2OO.0U
O4 - Global Startup: K2OO.0U
O18 - Filter: text/html - {47FF45A0-9F67-11D9-9C0E-0004309F2BC3} - C:\WINDOWS\SYSTEM\IFFE.DLL
O18 - Filter: text/plain - {47FF45A0-9F67-11D9-9C0E-0004309F2BC3} - C:\WINDOWS\SYSTEM\IFFE.DLL


Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:


1. Set Windows to show hidden files.
- Open My Computer.
- Click View menu then click Folder Options.
- Select the View tab.
- Scroll to the "Hidden files" section. Click "Show all files."
- Uncheck "Hide file extensions for known file types"
- Click OK.

2. Locate and delete the following files:
C:\WINDOWS\SYSTEM\IFFE.DLL
K2OO.0U

3. Delete the entire contents of all Temp, Temporary, and Temporary Internet Files folders.

4. Empty your Recycle Bin and reboot normally.

5. Run HJT again and post a new log.

DMR 152 Wombat At Large Team Colleague

It is labeled default and under type it just says reg sz with nothing else and no value. Should this be there?

Yes, it should be there. The "(Default)" value exists in most (and perhaps all) Registry keys.

DMR 152 Wombat At Large Team Colleague

Make sure that Internet Explorer is not running, run HJT again, and have it fix:

O4 - HKLM\..\Run: [windows] iexplore.exe
O4 - HKLM\..\RunServices: [windows] iexplore.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Although your log currently shows no signs of malicious infections, if the IE "Run" entries in HijackThis automagically reappear at some point, I'd start suspecting foul play.

DMR 152 Wombat At Large Team Colleague

Try the integral AOL browser - for some reason that seems to work OK.

But that would just be a workaround, not a fix, for the real problem.

DMR 152 Wombat At Large Team Colleague

Norton picked up MHTML.Redir.Exploit . It can't quarantine it or delete it. What do I do?

The exploit itself is an MHTML-handling flaw/weakness in Windows, and can be taken advantage of through both Internet Explorer and Outlook Express. Microsoft has released a fix for the Outlook vulnerability, but I don't think the IE side of things has been patched yet.

Merijn's free BugOff utility can disable the vulnerable MHTML functions of IE and Outlook (as well as other vulnerabilities in Windows); you might want to give it a try.


The files that get identified as being associated with the exploit are usually in your Temporary Internet Files folder; emptying the entire contents of that folder should remove the current suspect(s). Flushing your TIF folder is a good thing to do as a routine clean up measure, because corrupt, infected, or simply space-wasting files can accumulate in that folder. Here's a more complete drill:

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal …

DMR 152 Wombat At Large Team Colleague

OK, thanks- that helps.

I need to log off for the night now though, but I'll come back to this tomorrow.

DMR 152 Wombat At Large Team Colleague

Cool- glad we could help. :) Give us a shout if you run into further problems.

Just FYI- a couple of us here also work at this Linux support site. We've got a lot of helpful, knowledgeable members there who would also be more than willing to help.

DMR 152 Wombat At Large Team Colleague

Variants of the NetBus trojan have been around since about 1988; I'm surprised your Norton anti-virus hasn't been able to clean it. Do you have the latest virus definition updates installed?

The Netbus trojans are of the type that allow others to remotely control your computer, so yes- I'd say that constitutes a threat. Norton's firewall may be blocking its communication, but the beast is still active, and that's a Bad Thing.

1. Install the most current updates for Norton and run a full virus scan if you haven't done so already. If you have run a scan but Norton was unable to clean the infection, give us the details from Norton's report/log file.


2. Here are some free online scans that you can perform; I'd suggest doing at least two of them:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.ravantivirus.com/scan/
http://us.mcafee.com/root/mfs/default.asp?cid=9913
http://www.bitdefender.com/scan/licence.php


3. If none of the above solutions work:

Download HijackThis:

http://www.majorgeeks.com/download3155.html

Once downloaded, follow these instructions to install and run the program:

-------------------------------------------------------------------------------------------------------------------

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in …

DMR 152 Wombat At Large Team Colleague

1. In addition to KAV, were you able to download and run the Microsoft utility? If not, please do so now and post a new log.

Also:

You have morphing/changing "O20 - Winlogon Notify:" entries in your log, which indicate an infection that HJT alone isn't going to be able to fix.

Please do the following:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

make[1]: Entering directory `/usr/local/src/412-2/coredrv'
cc -DLINUX -Wall -O -I /usr/src/linux/include -I../inc -c -o coredrv.o coredrv.c
make[1]: cc: Command not found

The make command is looking for the "cc" compiler (in order to create the coredev.o file), but is apparently not finding it. That initial failure is the cause of the subsequent installation errors.

Chances are that you may not have the cc compiler installed, or that the gcc compiler is installed instead of cc. Use the following two commands to determine this:

which cc
which gcc

If the "which" command reports that neither compiler can be found, you'll have to install them; they should be available in the Development packages on your install CDs.

If which indicates that gcc is installed instead of cc, you need to make a cc symlink that points to gcc. Assuming that gcc lives in /usr/bin/ on your system, you would do:

ln -s /usr/bin/gcc /usr/bin/cc

Obviously, if gcc lives in a different directory on your machine, replace the /usr/bin/gcc path above with the path that's correct for you.
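The two checks and the symlink above are all the fix amounts to, so here is an added example (not from the thread) that automates them: look up `cc` and `gcc` the way `which` does, decide between "already fine", "make the symlink" and "install the compiler", and create the link without hard-coding /usr/bin. The `demo_in_tempdir` walk-through uses a constructed stub in a scratch directory instead of a real compiler so it runs anywhere.

```python
import os
import shutil
import stat
import tempfile


def find_compilers(path=None):
    """Mirror `which cc` / `which gcc`: the resolved path of each, or None.
    `path` is an optional PATH-style string to search instead of $PATH."""
    return {"cc": shutil.which("cc", path=path),
            "gcc": shutil.which("gcc", path=path)}


def plan_cc_fix(found):
    """Turn the `which` results into the action DMR's post describes."""
    if found["cc"]:
        return "ok", f"cc already resolves to {found['cc']}"
    if found["gcc"]:
        return "symlink", found["gcc"]
    return "install", "neither cc nor gcc found; install the Development packages"


def ensure_cc(bin_dir, path=None):
    """Create bin_dir/cc -> <gcc path> when gcc is present and cc is not.
    This is the post's `ln -s /usr/bin/gcc /usr/bin/cc`, with the link placed
    in bin_dir and the gcc location taken from the lookup rather than assumed."""
    found = find_compilers(path)
    action, detail = plan_cc_fix(found)
    if action == "symlink":
        link = os.path.join(bin_dir, "cc")
        os.symlink(detail, link)
        return action, link
    return action, detail


def demo_in_tempdir():
    """Self-contained walk-through in a scratch directory (constructed): an
    executable stub named gcc stands in for the real compiler so nothing
    under /usr/bin is touched. Returns the decision taken at each step."""
    scratch = tempfile.mkdtemp(prefix="ccfix-")
    try:
        before = plan_cc_fix(find_compilers(path=scratch))   # empty dir: nothing found
        gcc_stub = os.path.join(scratch, "gcc")
        with open(gcc_stub, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(gcc_stub, os.stat(gcc_stub).st_mode | stat.S_IXUSR)
        first = ensure_cc(scratch, path=scratch)              # creates the cc link
        second = ensure_cc(scratch, path=scratch)             # cc now resolves
        target = os.readlink(os.path.join(scratch, "cc"))
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return {"before": before[0], "first": first[0], "second": second[0],
            "link_target_is_gcc": target == gcc_stub}


if __name__ == "__main__":
    print("real system:", plan_cc_fix(find_compilers()))
    print("scratch walk-through:", demo_in_tempdir())
```

On a real machine you would call `ensure_cc("/usr/bin")` as root; the scratch walk-through only shows that the decision logic and the link creation behave as described.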

DMR 152 Wombat At Large Team Colleague

Hi jayboy,

The following two entries in your log are responsible for IE starting automatically when Windows starts:

O4 - HKLM\..\Run: [windows] iexplore.exe
O4 - HKLM\..\RunServices: [windows] iexplore.exe

There are also a couple of other things in the log which should be cleaned up, but first:

Your log indicates that you are using an outdated version (1.98.2) of HijackThis. Please download the latest version (1.99.1) using the link in my sig below, install and run the new version, and post the log it generates.

DMR 152 Wombat At Large Team Colleague

Tried the safe mode you said but just got list of drivers etc.

It's normal to see that list of drivers when you're booting into Safe Mode. On some systems however, this phase of the safe mode boot process can take a very long time, causing you to think that the system has frozen. Try it again, but this time just let the system sit and think about things for a longer period of time. Also- watch the hard drive's activity light on the front of the machine and listen for the grumbling sounds of hard drive activity; if you can see or hear even occasional indications of activity, the system may not really be hanging.

DMR 152 Wombat At Large Team Colleague

You certainly could have an infected system, but that wouldn't be one of my first suspicions in terms of the cause of the fragmentation and free space issues. I don't know of any infections which specifically cause the problems you describe, and such symptoms are usually more indicative of something like file or file-table corruption.

However, have you been able to run any anti-virus/anti-spyware utilities on the system? If so, what (if anything) did they find?

DMR 152 Wombat At Large Team Colleague

Could the controller card for that ide channel be bad?

Yes, it's a possibility.

I tried hooking up the cdrom and hdd to the same channel (the hdd's one), but it won't get past POST or let me enter setup before locking up.

Did you make sure to set the Master/Slave jumpers on both drives correctly when you added the CD to the hard drive's IDE channel? The hard drive should be jumpered as Master and the CD-ROM jumpered as Slave; if they aren't set that way, you'll have a device conflict which can cause the lock-up you're experiencing.

DMR 152 Wombat At Large Team Colleague

Found a disk that gives me a virus checker, antispam, etc. and installed it.

What exact product was that? Were you able to run any of the checks, or did the system start freezing before you could even do that?

See if the system will run if you boot Windows in Safe Mode. (you get to the safe mode boot option by hitting the F8 key as your computer is starting up). When Windows boots into Safe Mode, it loads only a bare minimum of drivers, processes/programs, etc., but that will at least get you to a place where we can do some initial looking around and troubleshooting.

DMR 152 Wombat At Large Team Colleague

Try this:

- Download and unzip The Pocket Killbox: http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

- Open the program, click on the folder button to the right of the "Full Path of File to Delete" box, and browse to the msohev.dll file. Highlight the file and then click OK.

- Select "delete on reboot" and put a check in the "unregister dll before deleting" box.

- Click the red button with the "X" in it and then choose Yes in the next two dialog boxes that pop up to reboot and complete the deletion process.

If the killbox is able to do its job, msohev.dll should be gone after the reboot.

DMR 152 Wombat At Large Team Colleague

That "we" didn't include me because I wasn't aware of this!

Well why not?
Ya' know Danny- if you just stopped having a real life, and started spending all of your free time online like crunchie and I do, you would know these things. :mrgreen:


natenatmom,

The last log you posted looks like it's only a partial; there should be more to it. Can you try again please?

DMR 152 Wombat At Large Team Colleague

I hope the Easter Bunny was extra specially nice to you.

Lol.
Unfortunately, the Easter Bunny was extra specially mean to me this Sunday- he had me fixing a client's "blowed up" computer for half the day.
Damn lop-eared, cotton-tailed #$^%&#$@! :mrgreen:


Seriously though- your log is squeaky clean now; glad we could help you get things cleaned up. :)

DMR 152 Wombat At Large Team Colleague

You have morphing/changing "O20 - Winlogon Notify:" entries in your log, which indicate an infection that HJT alone isn't going to be able to fix.

Please do the following:

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

DMR 152 Wombat At Large Team Colleague

I can't even use safe mode to undo the delete

Ouch; that's not good.

What exact version of Windows are you using? That will determine your repair options.

DMR 152 Wombat At Large Team Colleague

That log does indicate some cleaning is necessary

"Some" cleaning? That would be an understatement, Danny.... Yuck!

ineedshelp,

Aside from some pretty nasty infestation, the log also indicates that your friend is running a rather old version (1.98.2) of HijackThis. Please download the latest version (1.99.1), follow dlh6213's instructions above, and post the fresh log.

DMR 152 Wombat At Large Team Colleague

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.5:1812

What's up with the entry above?
That entry seems to indicate that you're using a RADIUS authentication server whose IP address is 192.168.10.5. Please tell us more about that (and your network setup as a whole); it could be part of the problem.

DMR 152 Wombat At Large Team Colleague

Some of your logs have shown signs of the evil Bube.d infection. You should run a scan/fix with KAV anti-virus and Microsoft Antispyware; they're currently the only programs we know of which can actually deal with the infection. Please read CalamityJane's post in the link below for description of the infection and directions for using the KAV and MS Antispyware utilities:

http://www2.dslreports.com/forum/remark,12688162~mode=flat


Once you do the scans/fixes, run HJT again and post a fresh log

DMR 152 Wombat At Large Team Colleague

You may have some corruption in one of the Automatic Update components or folders. In the second post in the following link there's a list of instructions which might help clear things up:

http://www2.allusenet.org/pages/45426.html