On January 16, 2011 I noticed that when I navigate to the Microsoft Update website (www.update.microsoft.com) using my IE 8 browser I receive error number 0x8DDD0002 (must be logged on as an Administrator) (see attached .jpg). Every time I visit this site using IE 8 my Windows Event Viewer generates a DistributedCOM error (Event ID 10016) stating that I do not have Local Activation permission for the COM Server application with CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334}, which I discovered is the Windows Update Agent service (wuauserv) (see attached .txt file).
Prior to January 16, 2011 when I ran Windows Update from my Start menu, the GUI used to say "You receive updates for: Windows and other Microsoft Products" and if I went into the Windows Update settings there used to be a check box saying "Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows" that I could enable or disable. Regrettably, I disabled this check box a few weeks ago and now I am no longer able to re-configure Windows Update to deliver optional patches for Microsoft products (e.g., MS Works, MS Silverlight, etc.), although it still seems to deliver updates for my Windows OS.
I contacted Microsoft Support and some of the fixes they suggested (listed below) have just compounded the problem. Here are some other symptoms I'm currently seeing:
1. NIS 2011 firewall reports that I am connected to a protected network 127.0.0.0/125.0.0.0 (which I chose to trust) and a newly detected network on adapter "Software Loopback Interface 1 (IP address 127.0.0.1)". I checked my Hosts file at C:\Windows\System32\drivers\etc\ and confirmed that the Hosts file only contains the following two default entries for Windows Vista:
127.0.0.1 localhost
::1 localhost
I confirmed in the Norton NIS/NAV forum that it is not normal behavior for the NIS 2011 firewall to report 127.0.0.0 as a protected network.
2. When I try to run HijackThis, there is no "Run as Administrator" option if I right click on the desktop shortcut. If I proceed with the scan, HijackThis reports that "For some reason your system denied write access to the Hosts file" and the information for item O1 - Hosts: ::1 localhosts in the scan says that "A change in the 'Hosts' system file Windows uses to lookup domain names before querying internet DNS services, effectively making Windows believe that 'auto.search.windows.com' has a different IP address that it really has and making IE open the wrong page whenever you enter an invalid domain name in the IE address bar" (see attached .jpgs). I am unable to create the HijackThis log automatically in the default C:\Program Files\Trend Micro\HijackThis\ folder but I was able to manually save a copy of the log in my user Documents folder.
3. The SYSTEM and Administrators groups do not have any permissions for several folders in my C:\Windows\ and C:\Program Files\ (including C:\Windows\System32), although the Users group still has Read & Execute permissions. I have been unable to determine if this is normal, but it might explain why my Windows Update Agent service (wuauserv) does not have local activation permissions and why HijackThis cannot access the system Hosts file.
--------
Some of the fixes I attempted that have had no effect or made the problem worse:
1. Full reset of my IE 8 browser (Tools | Internet Options | Advanced | Reset Internet Explorer Settings)
2. Aggressive reset of Windows Update using MS FixIT tool (http://support.microsoft.com/kb/971058)
3. Repair of Windows Files and Folders using MS FixIT tool (http://support.micro...lder_diag/en-us)
I also ran the System File Checker (sfc /scannow) and performed a thorough DiskCheck to check for hard drive errors, and both scans reported no errors. I do not have a Windows Vista DVD (my HP laptop has a recovery partition on D: drive) and I don't know if choosing a Windows Repair from my boot-up options (i.e., by hitting F8 during boot-up) would just roll my Windows Vista OS back to SP1 or if it would remove all my third-party software as well. I no longer have a system restore point created prior to January 16, 2011.
I have attached a copy of my HijackThis Uninstall list and pasted the contents of my HijackThis scan log below.
--------
Vista Home Premium 32-bit SP2 * IE 8 * Firefox 3.6.13 * NIS 2011 v. 18.5.0.125 * MBAM v. 1.5.1.1100 * HijackThis v. 2.0.4
HP Pavilion dv6835ca, Intel Core2Duo CPU T5550 @ 1.83 GHz, 3.0 GB RAM, NVIDIA GeForce 8400 GS
--------
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:13:11 AM, on 04/02/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18999)
Boot mode: Normal
Running processes:
C:\Windows\SYSTEM32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: DigitalPersona Personal Extension - {395610AE-C624-4f58-B89E-23733EA00F9A} - C:\Program Files\DigitalPersona\Bin\DpOtsPluginIe8.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\IPS\IPSBHO.DLL
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.updat...b?1295533249443
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1263496178158
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1295533886492
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.h...tDetection2.cab
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - http://h20264.www2.h...osticsVista.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton Internet Security (NIS) - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
--
End of file - 7336 bytes