Suspected explorer.exe issue

Hi,
I am currently dealing with my very first virus (lucky me!), and would greatly appreciate any help I can get!
I'm running Windows Vista, and I was running Trend Micro Titanium until about 36 hours ago.
I'm not completely sure what it is that I have, but it is blocking just about every anti-virus program I throw at it. It will not allow me to open Trend at all, and it will not allow me to scan using Malwarebytes (though it will block things for me for a limited period of time.) It won't allow me to install AVG at all.
The notices I get from Malwarebytes (while it's working) say that they are blocking outgoing connection attempts from explorer.exe to several different IP addresses (which I can post here if it would be helpful).
I am also getting queries from the system asking if I want to open navcancl, which it says is an ieframe.dll
Furthermore, my Google search results are being tampered with, and sending me to all sorts of scammy looking search engines (reloading the page generally takes me to the correct URL though).
I have tried opening Trend and Malwarebytes in Safe Mode, but that has also failed. Malwarebytes will open, but will quit about 5 seconds after I start scanning (as soon as it gets to the infected file, I suspect).

I have also tried all three of the diagnostic tools recommended in the "read before posting" sticky, but two of them quit before they finished (OTL and Avast), and the third just sat there saying "collecting information" and then "preparing done!" but it didn't give me a notepad document?

Any insights into what I might try next?
Thank you!!!

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
Save Rkill to your desktop.

There are 7 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator


You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

* Rkill.exe
* Rkill.com
* Rkill.scr
* WiNlOgOn.exe
* uSeRiNiT.exe
* iExplore.exe
* eXplorer.exe
Once you've gotten one of them to run then try to immediately run the following.
**********************************************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
*************************************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hi Dave!

Thanks for your help.
I just have two quick questions about your instructions:
- Security Check is appearing as an .exe, not a .zip. Is that correct?
- How long does it usually take for Security Check to work? I had some success with rkill (in that it seems to have produced a log?), but Security Check doesn't go past the "Preparing Done" stage, and has yet to provide a notepad file.

Thanks!

Security Check is appearing as an .exe, not a .zip. Is that correct?
- How long does it usually take for Security Check to work? I had some success with rkill (in that it seems to have produced a log?), but Security Check doesn't go past the "Preparing Done" stage, and has yet to provide a notepad file.

Yes, I will have to change my canned speech for Security Check. It took five minutes to run it on my computer. Please just skip Security Check for the moment and tell me what Anti-Virus are you running on your computer. I saw a reference to Kaspersky but I wasn't sure.
The important thing is to try to run MBAM and post the log.

Hi Dave,
I just rebooted because I was having no luck getting a.) Security Check to tell me anything or b.) getting (already installed) Malwarebytes to run. I uninstalled Malwarebytes before restarting, and then rebooted - now I can't get any of the 7 Rkills to work. I see the little black box pop up, but it goes away immediately. After that, their icons change to unknown data file (as opposed to exe) icons, and a tiny box in the corner showing two people (one in a green shirt, one in a blue shirt) appears. I then cannot do anything more with the files, because "Windows cannot access the specified device."

I have also tried to reinstall MBAM, but 4 seconds into the scan, the window closes. It seems that by rebooting things I've actually made everything much worse. I wonder if the reason I got Rkill working before was because MBAM was working in the background (blocking IP connections, but the console wouldn't open).

Two questions: would switching to Safe Mode help at all? And should I turn off Spybot? (the only utility that's continued to work through all of this) Spybot isn't giving me any errors or popups, but I thought it might be possible that it was blocking things in the background.

I was using Trend Micro Titanium, but I haven't been able to open it at all since I got whatever this is.

would switching to Safe Mode help at all?

Please try running MBAM in Safe Mode.

Save these instructions so you can have access to them while in Safe Mode.

Please click here to download AVP Tool by Kaspersky.

• Save it to your desktop.
  
• Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  
• Double click the setup file to run it.
  
• Click Next to continue.
  
• Accept the License agreement and click on next.
  
• It will, by default, install it to your desktop folder. Click Next.
  
• It will then open a box There will be a tab that says Automatic scan.
  
• Under Automatic scan make sure these are checked.
  
  
• Hidden Startup Objects
  
• System Memory
  
• Disk Boot Sectors.
  
• My Computer.
  
• Also any other drives (Removable that you may have)
  

Leave the rest of the settings as they appear as default.
•Then click on Scan at the to right hand Corner.
•It will automatically Neutralize any objects found.
•If some objects are left un-neutralized then click the button that says Neutralize all
•If it says it cannot be neutralized then choose the delete option when prompted.
•After that is done click on the reports button at the bottom and save it to file name it Kas.
•Save it somewhere convenient like your desktop and just post only the detected Virus\malware in the report it will be at the very top under Detected post those results in your next reply.

Note: This tool will self uninstall when you close it so please save the log before closing it.

Hi Dave,
I will try Kaspersky tomorrow. I had some success running Malwarebytes in Safe Mode.
I'm not sure why it says "no action taken," as I did ask it to remove the infected items.

The log was as follows:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7622

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.19120

10/10/2011 10:15:18 PM
mbam-log-2011-10-10 (22-15-12).txt

Scan type: Full scan (C:\|)
Objects scanned: 349273
Time elapsed: 49 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d3850283 (Backdoor.0Access) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\2197980627:746257788.exe (Backdoor.0Access) -> No action taken.

Can you run MBAM again but this time in Normal Mode?

Hi Dave,
I ran Kaspersky in safe mode last night - it took about 12 hrs, but it worked. Mostly it seemed to be finding Win32 Trojans. I saved the log, but it doesn't seem to include the things it removed? I'm concerned I saved the wrong log. This one lists which files were "OK" and which were "Locked," but I don't see any listing for the ones it removed or disinfected. There were some parts that it was going to remove upon restart, but I think it was unable to do so. I believe the error was kl1. Most items it found I was either able to disinfect or delete though. (There were probably around 15?)
I have tried running MBAM in normal mode, and while it's running in the background, the console still won't load. It's stopped giving me the error about not having permission to access it when I try to open it though.

It seems like things are getting better, but obviously there are still problems. Should I re-try all of those initial diagnostics again, and see if I can get them to work?

Ok. Let's try running this one.

Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.



1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/past both logs into your Thread

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

•Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE .Then post your DDS logs. (DDS.txt and Attach.txt )

Hi Dave,
That worked!
My logs are as follows:
Attach.txt:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 4/4/2008 1:06:54 AM
System Uptime: 10/12/2011 7:23:41 PM (1 hours ago)
.
Motherboard: Quanta | | 30BB
Processor: Intel(R) Core(TM) Duo CPU T2450 @ 2.00GHz | U2E1 | 2000/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 186 GiB total, 17.579 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.3.12 (Unicode)
Bonjour
Cake Mania Back to the Bakery (remove only)
Compatibility Pack for the 2007 Office system
Conexant HD Audio
CutePDF Writer 2.8
Diaper Dash
Farm Craft FINAL 1.00
Farm Mania 2
Google Chrome
Hauppauge MCE XP/Vista Software Encoder (2.0.25149)
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Doc Viewer
HP QuickTouch 1.00 C4
HP Update
HP User Guides 0087
HP Wireless Assistant
HPNetworkAssistant
Intel(R) Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
Java Auto Updater
Java(TM) 6 Update 2
Java(TM) 6 Update 22
Java(TM) 6 Update 26
LAME v3.98.3 for Audacity
LiveUpdate (Symantec Corporation)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.6.23)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
My HP Games
Mystery P.I. Series
OpenOffice.org 3.3
Paradise Pet Salon 1.00
QuickTime
RCA USB Cable Modem
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Semagic (remove only)
Skype Toolbars
Skype™ 5.3
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Trend Micro Titanium
Trend Micro Titanium Internet Security 2012
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Viewpoint Media Player
VLC media player 1.1.5
WeatherBug Gadget
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Player Firefox Plugin
WinRAR archiver
.
==== Event Viewer Messages From Past Week ========
.
10/8/2011 7:01:43 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.1.7 for the Network Card with network address 001B77AF6E64 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/8/2011 6:53:45 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 001B77AF6E64 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/8/2011 6:18:50 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 24.246.56.4 for the Network Card with network address 001B2483457B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/8/2011 11:16:22 PM, Error: Service Control Manager [7034] - The Trend Micro Solution Platform service terminated unexpectedly. It has done this 1 time(s).
10/6/2011 9:43:37 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 001B77AF6E64 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
10/6/2011 10:12:31 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 24.246.56.4 for the Network Card with network address 001B2483457B has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
10/5/2011 8:01:49 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Wlansvc service.
10/5/2011 10:02:05 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Netman service.
10/12/2011 8:30:08 PM, Error: cdrom [11] - The driver detected a controller error on \Device\CdRom0.
10/12/2011 7:38:02 PM, Error: Service Control Manager [7000] - The Trend Micro Solution Platform service failed to start due to the following error: Access is denied.
10/12/2011 7:27:39 PM, Error: Service Control Manager [7000] - The hpqwmiex service failed to start due to the following error: hpqwmiex is not a valid Win32 application.
10/12/2011 7:26:19 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the HP Health Check Service service to connect.
10/12/2011 7:26:19 PM, Error: Service Control Manager [7000] - The HP Health Check Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/12/2011 7:24:25 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
10/12/2011 7:24:25 PM, Error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: Access is denied.
10/12/2011 7:24:25 PM, Error: Service Control Manager [7000] - The Intel(R) Matrix Storage Event Monitor service failed to start due to the following error: Intel(R) Matrix Storage Event Monitor is not a valid Win32 application.
10/12/2011 7:24:25 PM, Error: Service Control Manager [7000] - The {22D78859-9CE9-4B77-BF18-AC83E81A9263} service failed to start due to the following error: The system cannot find the file specified.
10/12/2011 7:24:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "193" attempting to start the service hpqwmiex with arguments "-Service" in order to run the server: {F5539356-2F02-40D4-999E-FA61F45FE12E}
10/11/2011 8:28:00 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr tdx tmactmon tmcomm tmevtmgr tmtdi Wanarpv6
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
10/11/2011 8:27:56 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
10/11/2011 8:27:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
10/11/2011 8:27:54 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
10/11/2011 8:27:19 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
10/11/2011 8:27:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
10/11/2011 8:27:18 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
10/11/2011 8:27:15 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
10/11/2011 8:27:07 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
10/11/2011 7:07:35 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
10/11/2011 7:07:35 PM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/11/2011 7:07:35 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
10/11/2011 7:07:28 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Bonjour Service service to connect.
10/11/2011 7:07:28 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Apple Mobile Device service to connect.
10/11/2011 7:07:28 PM, Error: Service Control Manager [7000] - The Bonjour Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/11/2011 7:07:28 PM, Error: Service Control Manager [7000] - The Apple Mobile Device service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/11/2011 7:03:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the MBAMService service to connect.
10/11/2011 7:03:30 PM, Error: Service Control Manager [7000] - The MBAMService service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
10/10/2011 8:53:05 PM, Error: EventLog [6008] - The previous system shutdown at 8:51:20 PM on 10/10/2011 was unexpected.
10/10/2011 7:14:10 PM, Error: EventLog [6008] - The previous system shutdown at 7:11:54 PM on 10/10/2011 was unexpected.
10/10/2011 12:47:32 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: spldr tmactmon tmcomm tmevtmgr tmtdi Wanarpv6
10/10/2011 1:55:53 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the service.
10/10/2011 1:55:23 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Lavasoft Ad-Aware Service service.
10/10/2011 1:21:39 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
.
==== End Of File ===========================

DDS.txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.19120 BrowserJavaVersion: 1.6.0_26
Run by user at 20:28:52 on 2011-10-12
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.872 [GMT -4:00]
.
AV: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\wermgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
uWinlogon: Shell=c:\users\user\appdata\local\d3850283\X
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1066\TmIEPlg.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: TmBpIeBHO Class: {bbacbafd-fa5e-4079-8b33-00eb9f13d4ac} - c:\program files\trend micro\amsp\module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [HPAdvisor] c:\program files\hewlett-packard\hp advisor\HPAdvisor.exe autoRun
uRun: [Google Update] "c:\users\user\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Trend Micro Client Framework] "c:\program files\trend micro\uniclient\uifrmwrk\UIWatchDog.exe"
mRun: [Trend Micro Titanium] "c:\program files\trend micro\titanium\uiframework\uiWinMgr.exe" -set Silent "1" SplashURL ""
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Copy to Semagic - c:\program files\semagic\copy.htm
IE: Semagic - c:\program files\semagic\link.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live%20Demo/nvUnifiedControl.ocx
TCP: DhcpNameServer = 206.248.154.22 206.248.154.170
TCP: Interfaces\{1829FCCC-0BEE-433F-80B9-3F0B23F5AF2B} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6754F76E-8113-4255-8C8B-FF4345C704E3} : DhcpNameServer = 206.248.154.22 206.248.154.170
TCP: Interfaces\{72D79DB3-4379-45A7-B7C0-BBF2FD889230} : DhcpNameServer = 192.168.15.1
TCP: Interfaces\{7E1F5287-0332-477E-9796-279538148D1B} : DhcpNameServer = 206.248.154.22 206.248.154.170
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - c:\program files\trend micro\amsp\module\20002\7.0.1081\7.0.1081\TmBpIe32.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\amsp\module\20004\2.0.1313\6.8.1066\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\user\appdata\roaming\mozilla\firefox\profiles\ay1clkml.default\
FF - prefs.js: browser.search.selectedEngine - search
FF - component: c:\program files\mozilla firefox\extensions\{82af8dca-6de9-405d-bd5e-43525bdad38a}\components\SkypeFfComponent.dll
FF - component: c:\program files\trend micro\amsp\module\20002\7.0.1081\7.0.1081\firefoxextension\components\TmBpFf3.dll
FF - component: c:\program files\trend micro\amsp\module\20004\fxext\firefoxextension\components\TmFFExt.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\users\user\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Copy to Semagic: copytosemagic@semagic.sourceforge.net - %profile%\extensions\copytosemagic@semagic.sourceforge.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Trend Micro BEP Firefox Extension: {38783831-6098-4faa-A9C9-1EE1E343F4D2} - c:\program files\trend micro\amsp\module\20002\7.0.1081\7.0.1081\firefoxextension
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\trend micro\amsp\module\20004\fxext\firefoxextension
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-10-10 64512]
R1 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-10-2 68368]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-10-11 366152]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-10-11 22216]
S2 Amsp;Trend Micro Solution Platform;c:\program files\trend micro\amsp\coreServiceShell.exe [2011-10-2 200632]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
S3 tmeevw;tmeevw;c:\windows\system32\drivers\tmeevw.sys [2011-10-2 55056]
S3 tmnciesc;tmnciesc;c:\windows\system32\drivers\tmnciesc.sys [2011-10-2 171280]
S3 USB_NDISXP;RCA USB Digital Cable Modem Driver;c:\windows\system32\drivers\NetRcaCmXP.sys [2011-10-6 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-10-11 23:22:34 -------- d-----w- c:\programdata\Kaspersky Lab
2011-10-11 23:09:04 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 02:19:37 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-10-11 00:51:00 288 ----a-w- c:\users\user\appdata\roaming\5A303521.reg
2011-10-10 23:59:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware5
2011-10-10 17:56:49 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-10-10 17:52:59 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-10 17:52:53 -------- d-----w- c:\program files\Lavasoft
2011-10-10 17:21:26 -------- d--h--w- c:\programdata\Common Files
2011-10-10 17:21:11 -------- d-----w- c:\programdata\MFAData
2011-10-10 17:19:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4
2011-10-10 16:54:21 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-10 16:54:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-10 16:52:06 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware3
2011-10-09 21:40:08 -------- d-----w- c:\users\user\appdata\roaming\Malwarebytes
2011-10-09 21:40:01 -------- d-----w- c:\programdata\Malwarebytes
2011-10-09 21:39:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-09 03:01:59 22032 ----a-w- c:\windows\DCEBoot.exe
2011-10-09 03:01:52 -------- d-sh--w- c:\users\user\appdata\local\d3850283
2011-10-07 00:49:34 -------- d-----w- c:\users\user\appdata\local\Microsoft Games
2011-10-06 22:53:26 45056 ----a-w- c:\windows\RmCable.exe
2011-10-06 22:53:26 14336 ----a-w- c:\windows\system32\drivers\NetRcaCmXP.sys
2011-10-02 16:29:15 -------- d-----w- c:\users\user\appdata\local\Trend Micro
2011-10-02 16:19:45 55056 ----a-w- c:\windows\system32\drivers\tmeevw.sys
2011-10-02 16:19:44 171280 ----a-w- c:\windows\system32\drivers\tmnciesc.sys
2011-10-02 16:19:43 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-10-02 16:18:18 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-10-02 16:18:18 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-10-02 16:18:18 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-02 16:16:59 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2011-09-15 23:41:46 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-09-15 23:41:37 2048 ----a-w- c:\windows\system32\tzres.dll
.
==================== Find3M ====================
.
2011-10-11 23:53:16 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-23 11:04:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00:05 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59:52 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59:34 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:59:34 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:03:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27:04 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 20:30:04.81 ===============

The logs show that you only have 17.5 Gb of free space on your C drive. MS requires 15% or more (28 Gb) in order to function properly. You will need to find some way of freeing up some space on that drive. You can do that by uninstalling unused programs and off-loading important files, pictures, videos and music to DVD's or an external harddrive.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
************************************************
You have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as Foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

More information:

* ViewMgr.exe - Useless
* Viewpoint to Plunge Into Adware

It is suggested to remove the program now. Go to Start > Control Panel > Add/Remove Programs - (Vista & Win7 is Programs and Features) and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
* Viewpoint Experience Technology
***********************************************
Download OTL to your desktop.

* Open OTL
* Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.



* Click Run Fix
* OTLI2 may ask to reboot the machine. Please do so if asked.
* Click OK
* A report will open. Copy and Paste that report in your next reply.
*****************************************************
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

link # 1
Link # 2
If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Right-click combofix.exe and select Run as Administrator and follow the prompts.
When finished, ComboFix will produce a log for you.
Post the ComboFix login your next reply.

NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.

Hi Dave,
OTL results were:
========== OTL ==========
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.29.1 log created on 10132011_212126



I only barely caught what it said before restarting, but ComboFix said I had a "Zero Success (Access?) RootKit" issue, which it implied was not particularly desirable. Its log was as follows:

ComboFix 11-10-13.05 - user 10/13/2011 21:51:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2037.1159 [GMT -4:00]
Running from: c:\users\user\Downloads\ComboFix.exe
AV: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {7193B549-236F-55EE-9AEC-F65279E59A92}
SP: Trend Micro Titanium Internet Security 2012 *Disabled/Updated* {CAF254AD-0555-5A60-A05C-CD200262D02F}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Messenger\msnmsgr.exe
c:\programdata\ntuser.dat
c:\windows\$NtUninstallKB12025$
c:\windows\$NtUninstallKB12025$\3170416929
c:\windows\$NtUninstallKB12025$\3548709507\@
c:\windows\$NtUninstallKB12025$\3548709507\click.tlb
c:\windows\$NtUninstallKB12025$\3548709507\L\qnbwvoto
c:\windows\$NtUninstallKB12025$\3548709507\loader.tlb
c:\windows\$NtUninstallKB12025$\3548709507\U\@00000001
c:\windows\$NtUninstallKB12025$\3548709507\U\@000000c0
c:\windows\$NtUninstallKB12025$\3548709507\U\@000000cb
c:\windows\$NtUninstallKB12025$\3548709507\U\@000000cf
c:\windows\$NtUninstallKB12025$\3548709507\U\@80000000
c:\windows\$NtUninstallKB12025$\3548709507\U\@800000c0
c:\windows\$NtUninstallKB12025$\3548709507\U\@800000cb
c:\windows\$NtUninstallKB12025$\3548709507\U\@800000cf
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\system32\KBL.LOG
c:\windows\system32\service
c:\windows\system32\service\02012011_TIS17_SfFniAU.log
c:\windows\system32\service\09042011_TIS17_SfFniAU.log
c:\windows\system32\service\13112010_TIS17_SfFniAU.log
c:\windows\system32\service\17092011_TIS17_SfFniAU.log
c:\windows\system32\service\18102010_TIS17_SfFniAU.log
c:\windows\system32\service\23102010_TIS17_SfFniAU.log
c:\windows\system32\service\23112010_TIS17_SfFniAU.log
c:\windows\system32\service\28112010_TIS17_SfFniAU.log
c:\windows\system32\service\29112010_TIS17_SfFniAU.log
.
.
((((((((((((((((((((((((( Files Created from 2011-09-14 to 2011-10-14 )))))))))))))))))))))))))))))))
.
.
2011-10-14 02:03 . 2011-10-14 02:04 -------- d-----w- c:\users\user\AppData\Local\temp
2011-10-14 02:03 . 2011-10-14 02:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-10-14 01:21 . 2011-10-14 01:21 -------- d-----w- C:\_OTL
2011-10-13 01:08 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-11 23:22 . 2011-10-11 23:22 -------- d-----w- c:\programdata\Kaspersky Lab
2011-10-11 00:51 . 2011-10-11 00:51 288 ----a-w- c:\users\user\AppData\Roaming\5A303521.reg
2011-10-10 17:56 . 2011-10-10 17:56 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-10-10 17:52 . 2011-08-18 19:25 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-10-10 17:52 . 2011-10-10 17:52 -------- d-----w- c:\program files\Lavasoft
2011-10-10 17:52 . 2011-10-10 17:52 -------- d-----w- c:\programdata\Lavasoft
2011-10-10 17:21 . 2011-10-10 17:21 -------- d--h--w- c:\programdata\Common Files
2011-10-10 17:21 . 2011-10-10 17:47 -------- d-----w- c:\programdata\MFAData
2011-10-10 16:54 . 2011-10-10 17:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-10-10 16:54 . 2011-10-10 16:55 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-10-09 21:40 . 2011-10-09 21:40 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2011-10-09 21:40 . 2011-10-09 21:40 -------- d-----w- c:\programdata\Malwarebytes
2011-10-09 21:39 . 2011-10-13 01:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-09 03:01 . 2011-10-09 03:01 22032 ----a-w- c:\windows\DCEBoot.exe
2011-10-09 03:01 . 2011-10-11 23:40 -------- d-sh--w- c:\users\user\AppData\Local\d3850283
2011-10-07 00:49 . 2011-10-07 00:59 -------- d-----w- c:\users\user\AppData\Local\Microsoft Games
2011-10-06 22:53 . 2007-01-09 12:32 45056 ----a-w- c:\windows\RmCable.exe
2011-10-06 22:53 . 2006-06-02 11:17 14336 ----a-w- c:\windows\system32\drivers\NetRcaCmXP.sys
2011-10-02 16:29 . 2011-10-02 16:29 -------- d-----w- c:\users\user\AppData\Local\Trend Micro
2011-10-02 16:19 . 2011-10-01 17:54 55056 ----a-w- c:\windows\system32\drivers\tmeevw.sys
2011-10-02 16:19 . 2011-10-01 17:54 171280 ----a-w- c:\windows\system32\drivers\tmnciesc.sys
2011-10-02 16:19 . 2011-10-01 17:54 92432 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-10-02 16:18 . 2011-10-01 17:54 81168 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-10-02 16:18 . 2011-10-01 17:54 68368 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-10-02 16:18 . 2011-10-01 17:54 205072 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-10-02 16:16 . 2011-10-02 16:16 56 ----a-w- c:\windows\system32\SupportTool.exe.bat
2011-09-15 23:41 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-09-15 23:41 . 2011-07-11 13:25 2048 ----a-w- c:\windows\system32\tzres.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-11 23:53 . 2011-06-21 15:24 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-07-23 11:04 . 2011-08-11 04:47 916480 ----a-w- c:\windows\system32\wininet.dll
2011-07-23 11:00 . 2011-08-11 04:47 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-07-23 10:59 . 2011-08-11 04:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-07-23 10:59 . 2011-08-11 04:47 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-07-23 10:59 . 2011-08-11 04:47 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-07-23 10:03 . 2011-08-11 04:47 385024 ----a-w- c:\windows\system32\html.iec
2011-07-23 09:27 . 2011-08-11 04:47 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-07-23 09:25 . 2011-08-11 04:47 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-19 09:05 . 2010-10-04 01:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-17 634880]
"RtHDVCpl"="RtHDVCpl.exe" [2007-10-09 4702208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-10-24 178712]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 554320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-09 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 480560]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-08 311296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-10-01 129304]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-10-01 1300672]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 {22D78859-9CE9-4B77-BF18-AC83E81A9263};{22D78859-9CE9-4B77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [x]
R2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe coreFrameworkHost.exe [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-10-10 2151640]
R3 tmeevw;tmeevw;c:\windows\system32\DRIVERS\tmeevw.sys [2011-10-01 55056]
R3 tmnciesc;tmnciesc;c:\windows\system32\DRIVERS\tmnciesc.sys [2011-10-01 171280]
R3 USB_NDISXP;RCA USB Digital Cable Modem Driver;c:\windows\system32\DRIVERS\NetRcaCmXP.sys [2006-06-02 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2011-08-18 64512]
S1 tmevtmgr;tmevtmgr;c:\windows\system32\DRIVERS\tmevtmgr.sys [2011-10-01 68368]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-490879474-3836233771-2906635997-1000Core.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-02 02:06]
.
2011-10-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-490879474-3836233771-2906635997-1000UA.job
- c:\users\user\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-02 02:06]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
IE: Copy to Semagic - c:\program files\Semagic\copy.htm
IE: Semagic - c:\program files\Semagic\link.htm
TCP: DhcpNameServer = 206.248.154.22 206.248.154.170
DPF: {F8E691A0-C92E-4E42-9CDA-62FC07A9483B} - hxxp://actiftp.hosting4less.com/ACTIGENERAL/AP&Manual/Live%20Demo/nvUnifiedControl.ocx
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ay1clkml.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Copy to Semagic: copytosemagic@semagic.sourceforge.net - %profile%\extensions\copytosemagic@semagic.sourceforge.net
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Delicious Bookmarks: {2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9} - %profile%\extensions\{2fa4ed95-0317-4c6a-a74c-5f3e3912c1f9}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Trend Micro BEP Firefox Extension: {38783831-6098-4faa-A9C9-1EE1E343F4D2} - c:\program files\Trend Micro\AMSP\Module\20002\7.0.1081\7.0.1081\firefoxextension
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\module\20004\FxExt\firefoxextension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-HPAdvisor - c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-13 22:04
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{22D78859-9CE9-4B77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-13 22:07:20
ComboFix-quarantined-files.txt 2011-10-14 02:07
.
Pre-Run: 23,334,678,528 bytes free
Post-Run: 24,295,075,840 bytes free
.
- - End Of File - - 2AE812BEB311F15AA1EF2C742A8791F4

SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
  
• In the Write to log box select the following items.
  
  
  
  • Process << Selected
    
  • Kernel Modules << Selected
    
  • SSDT << Selected
    
  • Kernel Hooks << Selected
    
  • IRP Hooks << NOT Selected
    
  • Ports << NOT Selected
    
  • Hidden Files << Selected
    
  
  
• At the bottom of the page
  
  
  
  • Hidden Objects Only << Selected
    
  
  
• Click on the Create Log button on the bottom right.
  
• After a few seconds a new window should appear.
  
• Select Scan Root Drive. Click on the Start button.
  
• When it is complete a new window will appear to indicate that the scan is finished.
  
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
  

Hi Dave,
I seem to be running into problems again - SysProt "unexpectedly stops working" a minute or so after I start the scan.
Should I be disabling anti-virus software for this scan?

Please try this one.

* Download the following tool: RootRepeal - Rootkit Detector
* Direct download link is here: RootRepeal.zip

* Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
* Click this link to see a list of such programs and how to disable them.

* Extract the program file to a new folder such as C:\RootRepeal
* Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
* Select ALL of the checkboxes and then click OK and it will start scanning your system.
* If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
* When done, click on Save Report
* Save it to the same location where you ran it from, such as C:RootRepeal
* Save it as rootrepeal.txt
* Then open that log and select all and copy/paste it back on your next reply please.
* Close RootRepeal.

Hi Dave,
I seem to be having some problems with RootRepeal too. It gets to winsxs\Manifests, and then it seems to hang. The first time the program stopped working altogether, and the second time (after getting caught at that point for 30 mins or so), I tried to pause it to see if I could generate a log for what it had scanned up to that point. Unfortunately, it was unable to pause, and the program stopped working.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.
•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Hi Dave, the results were:
C:\Documents and Settings\user\Documents\Stuff\Programs\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application deleted - quarantined
C:\Documents and Settings\user\Documents\Stuff\Stuff\Install_AIM.exe Win32/Adware.WBug.A application deleted - quarantined

That looks good. How's your computer working? Any other issues?

Hi Dave,
The weird activity has settled down - no more Internet problems, and Malwarebytes is no longer reporting malware attempts to access the internet.

I still can't get Trend Micro to load at all (should I attempt a reinstall? it shows me the opening screen, but the console never appears, and it won't load at startup), and there are still a lot of inaccessible folders that I believe were created after I got the virus.

I'm also wondering how to tell if there's still a RootKit issue? I thought that one of the scans identified it, but wasn't able to fix it?

I'm still concerned because you were not able to run an anti-rootkit scan. Please try this one.

Perform an anti-rootkit (ARK) scan with one of the following:
•AVG Anti-Rootkit

Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
•Disconnect from the Internet or physically unplug you Internet cable connection.
•Clean out your temporary files.
•Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
•Temporarily disable your anti-virus and real-time anti-spyware protection.
•After starting the scan, do not use the computer until the scan has completed.
•When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.
Note: Not all hidden components detected by ARKs are malicious. It is normal for a Firewall, some Anti-virus and Anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host based Intrusion Prevention Systems (HIPS) to hook into the OS kernal/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

Hi Dave,
I performed the scan as you suggested.
The program wouldn't load on its own, but it worked when I ran it as an administrator? I'm not sure what that's about.
The rootkit scan did not find anything. Since I already had everything disabled though, I decided to run the full scan too - and it would not complete. It stopped working when it got to the application data section. (and at the exact same spot when I tried it again).

I still can't get Trend Micro to load at all (should I attempt a reinstall? it shows me the opening screen, but the console never appears, and it won't load at startup),

Yes, please reinstall it and let me know what happens.

Let's run a few more scans to see what turns up.

Please download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it



Click the "Scan" button to start scan

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives



On completion of the scan click save log, save it to your desktop and post in your next reply

Hi Dave,
The log says:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-10-19 19:33:51
-----------------------------
19:33:51.077 OS Version: Windows 6.0.6002 Service Pack 2
19:33:51.077 Number of processors: 2 586 0xE0C
19:33:51.081 ComputerName: USER-PC UserName: user
19:33:55.889 Initialize success
19:35:12.555 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
19:35:12.557 Disk 0 Vendor: Hitachi_ BBDA Size: 190782MB BusType: 3
19:35:12.585 Disk 0 MBR read successfully
19:35:12.588 Disk 0 MBR scan
19:35:12.592 Disk 0 unknown MBR code
19:35:12.599 Disk 0 scanning sectors +390716865
19:35:12.673 Disk 0 scanning C:\Windows\system32\drivers
19:35:20.757 Service scanning
19:35:22.457 Modules scanning
19:35:34.813 Disk 0 trace - called modules:
19:35:34.849 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll usbhub.sys tcpip.sys NETIO.SYS iaStor.sys
19:35:34.854 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86282658]
19:35:34.858 3 CLASSPNP.SYS[883aa8b3] -> nt!IofCallDriver -> [0x8486a940]
19:35:34.862 5 acpi.sys[806996bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x84870028]
19:35:35.210 Scan finished successfully
19:36:08.345 Disk 0 MBR has been saved successfully to "C:\Users\user\Documents\MBR.dat"
19:36:08.351 The log file has been saved successfully to "C:\Users\user\Documents\aswMBR.txt"


Will try reinstall of Trend next.

Hi Dave,
Just wanted to provide an update: I have been trying all afternoon to reinstall Trend, and it is not working.
It is suggesting that I have a corrupted

Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)

and that I need to install/update it to complete the installation.

I have tried a fresh uninstall/reinstall of both Trend and this Microsoft Visual component, but it's still giving me this error.

Do you think that this is something the RootKit did?

Do you think that this is something the RootKit did?.

Anything is possible. Please try this. Download and install MSE from MS and see if it will install. Also, get all your Windows updates.

Microsoft Security Essentials for Windows Vista\Windows 7 -

Hi Dave,
It installed. I seem to be having trouble with the updates though - apparently they have been failing for a while now.
There are multiple security updates that are failing to install. Is there anything I can do about this?

Please run a full scan with MSE and let me know if it finds anything.