
Author Topic: Windows Security Alert - Application cannot be executed. The file wu  (Read 13052 times)


bexcboo

    Topic Starter


    Greenhorn

    Hi there,

    My husband has been on my computer and has now caught some type of virus! Joy...

    First of all, I get a bubble type pop up in the bottom right hand corner. "Windows Security Alert - Application cannot be executed. The file wuauclt.exe is infected. Do you want to activate your antivirus software now?"

    Then I get a message in the middle of my screen. "Spyware Alert! - Your computer is infected by spware - 34 serious threats have been found while scanning your files and registry. Is is strongly recommended that you disinfect your computer and activate Realtime secure protection against future intrusions." It then gives me options to "Activate Your antivirus software or Stay Unprotected"

    Next is a message similar to the second, but in the bottom right again. "Infiltration Alert - Your computer is being attacked by an Internet Virus. It could be a password-stealing attack, a trojan - dropper or similar.
    Details
    Attack from:129.91.88.141, port 47444
    Attacked port: 58620
    Threat: Win32/Nugel.E"

    I can't see the rest as the first pop up is blocking it.

    Then my Windows Security Center pops up and tells me my firewall is off, and my virus protection is out of date.

    I think this is 'fake' as my anti virus software isn't detecting anything. I am using the Free AVG Anti Virus. Updated to the most possible for the free one.

    I have looked at the post of what to do before asking a question, and these are my results.

    Step 1: Cannot find anything weird.
    Step 2: Cannot download
    Step 3: Can download, save to desktop, but when I open "C:/Documents and Settings/Compaq_Owner/Desktop/SUPERAntiSpyware.exe is not a valid Win32 application."
    Step 4: Can download, save to desktop, but I can't open.
    Step 5: Can download, save to desktop, but I can't open.
    Step 6: Didn't complete as I couldn't complete the first steps.

    Any help would be appreciated. =)

    I am in New Zealand and it is now 2010. So Happy New Year to all. =)

    Bex

    Also, I can use the internet on the broken computer through Mozilla, but not Internet Explorer. Internet Explorer keeps on opening tabs for "*censored*.com" every time I try to open something I've downloaded to the desktop.

    Edit: As I went to shut down my computer, I was able to install SUPERAntiSpyware and Malwarebytes' Anti-Malware (MBAM), so they are currently scanning my computer. I will update once the scans have finished.

    Edit 2: I am sorry for 'bumping' this thread. I didn't know how else to post my logs.

    « Last Edit: December 31, 2009, 12:36:02 PM by bexcboo »

    bexcboo

      Topic Starter


      Greenhorn

      Re: Windows Security Alert - Application cannot be executed. The file wu
      « Reply #1 on: December 31, 2009, 08:31:21 AM »
      Step 4: Malwarebytes Scan Log

      Malwarebytes' Anti-Malware 1.43
      Database version: 3458
      Windows 5.1.2600 Service Pack 2
      Internet Explorer 7.0.5730.11

      1/01/2010 4:04:28 a.m.
      mbam-log-2010-01-01 (04-04-28).txt

      Scan type: Quick Scan
      Objects scanned: 186099
      Time elapsed: 1 hour(s), 15 minute(s), 0 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 1
      Registry Values Infected: 2
      Registry Data Items Infected: 6
      Folders Infected: 0
      Files Infected: 3

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

      Registry Values Infected:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vytrsntk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vytrsntk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\pdfupd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Compaq_Owner\Local Settings\Temporary Internet Files\Content.IE5\TIYHMZS2\ms307[1].exe (Spyware.Passwords) -> Quarantined and deleted successfully.
      C:\Documents and Settings\Compaq_Owner\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.

      bexcboo

        Topic Starter


        Greenhorn

        Re: Windows Security Alert - Application cannot be executed. The file wu
        « Reply #2 on: December 31, 2009, 12:19:23 PM »
        Step 3: SUPERAntiSpyware Log

        SUPERAntiSpyware Scan Log
        http://www.superantispyware.com

        Generated 01/01/2010 at 07:43 AM

        Application Version : 4.32.1000

        Core Rules Database Version : 4379
        Trace Rules Database Version: 1978

        Scan type       : Complete Scan
        Total Scan Time : 04:52:29

        Memory items scanned      : 435
        Memory threats detected   : 0
        Registry items scanned    : 6454
        Registry threats detected : 40
        File items scanned        : 259242
        File threats detected     : 83

        Trojan.Agent/Gen-FakeSpy[Broad-1]
           [vytrsntk] C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\APPLICATION DATA\VJDUHE\NKNRSYSGUARD.EXE
           C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\APPLICATION DATA\VJDUHE\NKNRSYSGUARD.EXE
           [vytrsntk] C:\DOCUMENTS AND SETTINGS\COMPAQ_OWNER\LOCAL SETTINGS\APPLICATION DATA\VJDUHE\NKNRSYSGUARD.EXE
           C:\WINDOWS\Prefetch\NKNRSYSGUARD.EXE-04FAEE7A.pf

        Adware.Tracking Cookie

        Rogue.Agent/Gen

        bexcboo

          Topic Starter


          Greenhorn

          Re: Windows Security Alert - Application cannot be executed. The file wu
          « Reply #3 on: December 31, 2009, 12:27:14 PM »
          Ok. Since running the Malwarebytes Anti-Malware and SUPERAntiSpyware I no longer have pop ups, but I have heard that just because they are gone, doesn't mean the virus is gone. So here is my Hijack This log.

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 8:24:30 a.m., on 1/01/2010
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v7.00 (7.00.6000.16827)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\WINDOWS\Explorer.EXE
          C:\PROGRA~1\AVG\AVG8\avgrsx.exe
          C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
          C:\WINDOWS\system32\PnkBstrA.exe
          C:\WINDOWS\system32\PnkBstrB.exe
          C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\system32\SearchIndexer.exe
          C:\WINDOWS\RTHDCPL.EXE
          C:\Program Files\Common Files\Real\Update_OB\realsched.exe
          C:\HP\KBD\KBD.EXE
          C:\WINDOWS\system32\LVCOMSX.EXE
          C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
          C:\PROGRA~1\AVG\AVG8\avgtray.exe
          C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
          C:\Program Files\QuickTime\QTTask.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\DAEMON Tools Lite\daemon.exe
          C:\Program Files\Electronic Arts\EADM\Core.exe
          C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
          C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
          C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
          C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
          C:\WINDOWS\system32\wscntfy.exe
          C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
          C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\WINDOWS\system32\wuauclt.exe
          c:\windows\system\hpsysdrv.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\msiexec.exe
          C:\Program Files\Java\jre6\bin\jusched.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\WINDOWS\system32\SearchProtocolHost.exe
          C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_NZ&c=63&bd=PRESARIO&pf=desktop
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=63&bd=PRESARIO&pf=desktop
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz/
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_NZ&c=63&bd=PRESARIO&pf=desktop
          R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.xtramsn.co.nz/0SEENNZ/SAOS01?FORM=TOOLBR
          O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
          O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
          O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
          O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
          O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
          O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
          O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
          O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
          O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
          O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
          O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
          O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
          O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
          O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
          O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
          O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
          O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
          O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
          O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
          O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
          O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
          O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
          O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
          O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
          O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
          O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
          O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
          O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
          O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
          O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
          O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\MSIPVS\WinScheduler.exe
          O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
          O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
          O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
          O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
          O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
          O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
          O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
          O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
          O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O15 - Trusted Zone: *.stumbleupon.com
          O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www4.snapfish.co.nz/SnapfishActivia.cab
          O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
          O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
          O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
          O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
          O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
          O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
          O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
          O23 - Service: Google Update Service (gupdate1ca84e898c683ca) (gupdate1ca84e898c683ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
          O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
          O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
          O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
          O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
          O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

          --
          End of file - 12395 bytes
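
Added example, not part of any post in this thread: a Python check that takes the Run values Malwarebytes reported as removed and confirms they no longer appear among the O4 autoruns of a later HijackThis log. The function names and the user-profile path heuristic are assumptions of this example, and the "before cleanup" sample is constructed.

```python
import re

# Lines copied from the Malwarebytes log posted in reply #1 of this thread.
MBAM_LOG = r"""
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vytrsntk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vytrsntk (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\pdfupd.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
"""

# Lines copied from the HijackThis log posted in reply #3 (taken after the scans).
HJT_AFTER = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
"""

# CONSTRUCTED sample: what O4 lines could look like if cleanup had not worked.
# The first line reuses the value name and path from the logs above; the
# second ("updater") is a hypothetical entry for the path heuristic.
HJT_CONSTRUCTED = r"""
O4 - HKCU\..\Run: [vytrsntk] C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\vjduhe\nknrsysguard.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Compaq_Owner\Application Data\upd.exe
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
SECTION_RE = re.compile(r"^([A-Za-z ]+) Infected:$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
RUN_VALUE_RE = re.compile(
    r"^(HKEY_[A-Z_]+)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\(.+)$",
    re.IGNORECASE)
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\[^\\]+)?\\\.\.\\Run: "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Heuristic (assumption): autoruns launched from per-user data directories
# deserve a second look, as the rogue executable in this thread lived there.
USER_WRITABLE = ("\\local settings\\", "\\application data\\")


def parse_mbam(log):
    """Return one dict per detection line, tagged with its log section."""
    section, found = None, []
    for line in (raw.strip() for raw in log.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            found.append({"section": section, "item": m["item"],
                          "detection": m["detection"],
                          # last "->" field is the action MBAM took
                          "action": m["rest"].split(" -> ")[-1]})
    return found


def flagged_run_values(detections):
    """(hive, value name) pairs for detections that sit under a Run key."""
    out = set()
    for d in detections:
        m = RUN_VALUE_RE.match(d["item"])
        if m:
            out.add((HIVES.get(m.group(1).upper(), m.group(1)), m.group(2)))
    return out


def parse_hjt_autoruns(log):
    """(hive, value name, command) for every O4 registry Run line."""
    entries = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = O4_RUN_RE.match(line)
        if m:
            entries.append((m["hive"], m["name"], m["cmd"]))
    return entries


def review_after_cleanup(mbam_log, hjt_log):
    """List autoruns that contradict a 'deleted successfully' scan result."""
    flagged = {n.lower() for _, n in flagged_run_values(parse_mbam(mbam_log))}
    findings = []
    for hive, name, cmd in parse_hjt_autoruns(hjt_log):
        if name.lower() in flagged:
            findings.append(("flagged value still present", hive, name))
        elif any(part in cmd.lower() for part in USER_WRITABLE):
            findings.append(("runs from user profile data dir", hive, name))
    return findings


if __name__ == "__main__":
    print("after cleanup:", review_after_cleanup(MBAM_LOG, HJT_AFTER))
    print("constructed  :", review_after_cleanup(MBAM_LOG, HJT_CONSTRUCTED))
```

An empty result only says the logged Run values did not come back; it does not cover services, drivers or other startup locations.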

          SuperDave

          • Malware Removal Specialist
          • Moderator

          Re: Windows Security Alert - Application cannot be executed. The file wu
          « Reply #4 on: January 02, 2010, 07:50:38 PM »
          Hello bexcboo and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

          Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

          Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

          Exit out of MessengerDisable then delete the two files that were put on the desktop.

          Open HijackThis and select Do a system scan only

          Place a check mark next to the following entries: (if there)

          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


          Important: Close all open windows except for HijackThis and then click Fix checked.

          Once completed, exit HijackThis.

          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the <<Back button then click Finish.

          In your next reply please include the ESET Online Scan Log
          Windows 8 and Windows 10 dual boot with two SSD's

          bexcboo

            Topic Starter


            Greenhorn

            Re: Windows Security Alert - Application cannot be executed. The file wu
            « Reply #5 on: January 02, 2010, 11:15:57 PM »
            Hi SD,

            Thanks for helping me. =)

            I Disabled/Removed Windows Messenger.

            I didn't have either of those entries in Hijack This.

            Attached is my ESET Online Scan Log.

            Thanks again. =)

            Bex

            [Saving space, attachment deleted by admin]

            SuperDave

            Re: Windows Security Alert - Application cannot be executed. The file wu
            « Reply #6 on: January 03, 2010, 01:17:36 PM »
            Hello bexcboo. It looks good. If there are no other issues, let's do some clean-up.

            You can uninstall HJT but keep SAS and MBAM. Update them and run them about once per week to keep your computer clean.

            Clean out your temporary internet files and temp files.

            Download TFC by OldTimer to your desktop.

            Double-click TFC.exe to run it.

            Note: If you are running on Vista, right-click on the file and choose Run As Administrator

            TFC will close all programs when run, so make sure you have saved all your work before you begin.

            * Click the Start button to begin the cleaning process.
            * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
            * Please let TFC run uninterrupted until it is finished.

            Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

            To turn off Windows XP System Restore:

            NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

            1. Click Start.
            2. Right-click the My Computer icon, and then click Properties.
            3. Click the System Restore tab.
            4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
            5. Click Apply.
            6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
            7. Click OK.
            8. Restart the computer and follow the instructions in the next section to turn on System Restore.

            To turn on Windows XP System Restore:

            1. Click Start.
            2. Right-click My Computer, and then click Properties.
            3. Click the System Restore tab.
            4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
            5. Click Apply, and then click OK.

            Looking over your log it seems you don't have any evidence of a third party firewall.

            Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

            Remember only install ONE firewall

            1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
            2) Online Armor
            3) Agnitum Outpost
            4) PC Tools Firewall Plus

            If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

            Use the Secunia Software Inspector to check for out of date software.

            • Click Start Now
            • Check the box next to Enable thorough system inspection.
            • Click Start
            • Allow the scan to finish and scroll down to see if any updates are needed.
            • Update anything listed.
            ----------

            Go to Microsoft Windows Update and get all critical updates.

            ----------

            I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

            SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
            * Using SpywareBlaster to protect your computer from Spyware and Malware
            * If you don't know what ActiveX controls are, see here

            Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

            Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

            Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
            Safe Surfing! ;D

            bexcboo

              Topic Starter


              Greenhorn

              Re: Windows Security Alert - Application cannot be executed. The file wu
              « Reply #7 on: January 04, 2010, 11:38:20 PM »
              Done. =)

              Thank you so much SD. =)

              amarkon

              • Guest
              Re: Windows Security Alert - Application cannot be executed. The file wu
              « Reply #8 on: April 11, 2010, 03:17:13 PM »
              Hi SD,

              I read your previous posts. I downloaded rkill (all 4 files), mbam, SuperAntispyware, HJTInstall.
              I ran rkill first, but as with other exes, the window opens and immediately closes. I do not know whether it ran correctly. Immediately I ran exeHelper. Please find the logs below.

              I tried to install mbam, SuperAntispyware, HJTInstall. But I could install mbam only. But after installation, I am not able to open and run the software because of the same reason "Application cannot be executed. The file ......is infected". Please help me restore my computer.

              ============
              This log file is located at C:\rkill.log.
              Please post this only if requested to by the person helping you.
              Otherwise you can close this log when you wish.
              Ran as amarendra on 04/11/2010 at 14:05:18.


              Processes terminated by Rkill or while it was running:


              ===========================

              exeHelper by Raktor
              Build 20100329
              Run at 14:05:32
              exeHelper by Raktor
              Build 20100329
              Run at 14:12:18 on

              ==============================

              Sn3akyP3t3



                Beginner

                Thanked: 3
                Re: Windows Security Alert - Application cannot be executed. The file wu
                « Reply #9 on: April 12, 2010, 01:05:35 AM »
                Bexcboo, please follow guidance by SD.  I am not a trained specialist in this field, but I have experience with cleaning student machines at work.  Here is my 2 cents:

                I would submit the following two suspicious files to Jotti.org to verify clean.  They don't look like legit apps to me.
                C:\WINDOWS\system32\PnkBstrA.exe
                C:\WINDOWS\system32\PnkBstrB.exe
                I see they could be related to Punkbuster, but since it is running as a service and shows unknown owner I would check it out.

                Also, it looks like you are running AVG version 8.  This is an outdated version.  I would upgrade AVG or uninstall it to switch to another excellent free alternative such as Avast or Antivir.

                Lastly, I would also include Spybot Search and Destroy in your toolkit.  Just make sure that when you install it you uncheck the "teatimer" option.  Be sure to update then perform immunizations prior to scanning with it.
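The check described in the reply above (a service whose log line shows "Unknown owner") can be run over a whole HijackThis log. This is an added example, not part of the thread or of HijackThis itself; the function names are hypothetical and the sample lines are copied from the log posted earlier. A hit means "verify this file", as the reply suggests, not "this file is malicious".

```python
import re
from typing import NamedTuple, Optional

# O23 service lines copied from the HijackThis log earlier in this thread.
SAMPLE_LOG = r"""
O23 - Service: Google Update Service (gupdate1ca84e898c683ca) (gupdate1ca84e898c683ca) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

class Service(NamedTuple):
    name: str   # display name, plus "(short name)" when the log prints one
    owner: str  # company field as printed in the log
    path: str   # service binary

PREFIX = "O23 - Service: "
# The path is the last field and starts with a drive letter.
PATH_RE = re.compile(r" - ([A-Za-z]:\\.+)$")
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

def parse_o23(line: str) -> Optional[Service]:
    """Split one O23 line into name / owner / path; None for other lines."""
    line = line.strip()
    if not line.startswith(PREFIX):
        return None
    body = line[len(PREFIX):]
    m = PATH_RE.search(body)
    if m is None or " - " not in body[:m.start()]:
        return None
    # The owner is the field just before the path; the name may hold " - ".
    name, owner = body[:m.start()].rsplit(" - ", 1)
    return Service(name.strip(), owner.strip(), m.group(1))

def review_queue(log: str) -> list:
    """Return (name, path, notes) for services listed with 'Unknown owner'."""
    queue = []
    for line in log.splitlines():
        svc = parse_o23(line)
        if svc is None or svc.owner.lower() != "unknown owner":
            continue
        notes = ["owner shown as 'Unknown owner'"]
        if SYSTEM32_RE.match(svc.path):
            notes.append("binary sits directly in system32")
        queue.append((svc.name, svc.path, notes))
    return queue

if __name__ == "__main__":
    for name, path, notes in review_queue(SAMPLE_LOG):
        print(f"{name}: {path} -> {'; '.join(notes)}")
```

Each path in the queue is a candidate for the multi-engine scan the reply recommends.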