Hi there, I recently posted a topic but then read what I had to do before posting a topic. For some reason my Trend PC-cillin is not working properly, and when I try to uninstall and reinstall it, it pops up with "Windows Installer is not working properly". I have also tried to log into various web sites and it says that the security has expired? and it won't let me log in. I have done everything in the pre-HJT log instructions and done it in the same order as instructed. Here are the logs. Any help about this virus/malware would be extremely helpful, as I am freaking out because I do my internet banking on this computer. Thanks, Matt
P.S. The Panda ActiveScan said that my antivirus (Trend Micro PC-cillin 14) was not working. Thanks, Matt
MBAM LOG
Malwarebytes' Anti-Malware 1.30
Database version: 1321
Windows 5.1.2600 Service Pack 3
22/11/2009 4:30:41 PM
mbam-log-2009-11-22 (16-30-41).txt
Scan type: Quick Scan
Objects scanned: 56414
Time elapsed: 4 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Panda active Scan Results
;*******************************************************************************
ANALYSIS: 2009-11-22 18:26:49
PROTECTIONS: 2
MALWARE: 5
SUSPECTS: 4
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Trend Micro PC-Cillin Internet Security 14 14.10.1051 No No
Trend Micro Internet Security 2008 14.10.1051 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\New Folder\MI3\DATA\nircmd.zip[nircmd.exe]
00366244 Application/NirCmd.A HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\New Folder\MI3\DATA\nircmd.exe
01048936 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\My Documents\GameSpy Arcade\Services\_common\PortraitLoader.dll
01176994 Bck/VB.XB Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Desktop\New Folder\MI3\DATA\nircmd.zip[nircmdc.exe]
02310881 Generic Trojan Virus/Trojan No 0 Yes No C:\Program Files\Nero\NeroKey.exe
02974895 Adware/SaveNow Adware No 0 Yes No C:\Program Files\DAEMON Tools Pro\dtprohlp.dll
;===============================================================================
SUSPECTS
Sent Location c
;===============================================================================
No C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0030739.exe c
No C:\Documents and Settings\Owner\DoctorWeb\Quarantine\psexec.cfexe c
No C:\Documents and Settings\Owner\My Documents\ComboFix.exe[32788R22FWJFW\psexec.cfexe] c
No C:\Program Files\OptusNet DSL Internet\DSC.exe c
;===============================================================================
VULNERABILITIES
Id Severity Description c
;===============================================================================
;===============================================================================
HijackThis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:36 PM, on 22/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3253] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8933] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1986] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8052] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1935655697-2077806209-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1935655697-2077806209-839522115-1003\..\RunOnce: [SpybotDeletingB1986] command /c del "C:\WINDOWS\SchedLgU.Txt" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221816248468
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - (no file)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif
--
End of file - 9343 bytes
#1
Posted 26 October 2008 - 07:31 AM
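The HijackThis log above is line-oriented: each entry has a section code (O2, O4, O17, O23, O24 and so on) followed by a fixed layout for that section. The helper in this thread reads those lines by eye; the script below is an added example, not part of the original posts and not a HijackThis feature, that parses the O4/O17/O23/O24 line shapes seen in this log and flags the entries a helper normally checks first (services whose binary is absent or whose owner is "Unknown owner", RunOnce entries, per-interface DNS overrides, and desktop components loaded from a Temp folder). The regular expressions are this example's own assumptions about the line format; the sample lines are copied from the log posted above.

```python
"""
Triage helper for Trend Micro HijackThis v2 log entries.

Added example for this thread, not part of the original posts and not a
HijackThis feature. The regexes are this example's own assumptions about the
line format (HijackThis publishes no grammar); the sample lines are copied
from the log posted in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line shapes assumed from the posted log.
RE_ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RE_O23 = re.compile(r"^Service:\s+(?P<name>.+?)\s+-\s+(?P<owner>.+?)\s+-\s+(?P<path>.*)$")
RE_O4 = re.compile(
    r"^(?P<hive>HK[A-Z]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>Run(?:Once)?):"
    r"\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$"
)
RE_O17 = re.compile(r"NameServer\s*=\s*(?P<servers>[\d.,]+)")
RE_O24 = re.compile(r"^Desktop Component \d+:.*-\s+(?P<url>\S+)$")

# Sample input: lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA3253] command /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8052] cmd /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SessionLauncher - Unknown owner - (no file)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif
"""


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O23"
    reason: str   # why the entry deserves a look
    line: str     # the original log line


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth reviewing, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_ENTRY.match(line)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        if section == "O23":
            s = RE_O23.match(body)
            if s is None:
                continue
            path = s.group("path")
            if "(file missing)" in path or path == "(no file)":
                findings.append(Finding(section, "service binary absent", line))
            elif s.group("owner") == "Unknown owner":
                findings.append(Finding(section, "service with unknown owner", line))
        elif section == "O4":
            s = RE_O4.match(body)
            if s is not None and s.group("key") == "RunOnce":
                findings.append(Finding(section, "RunOnce entry", line))
        elif section == "O17":
            if RE_O17.search(body) is not None:
                findings.append(Finding(section, "per-interface DNS override", line))
        elif section == "O24":
            s = RE_O24.match(body)
            if s is not None and "/temp/" in s.group("url").lower():
                findings.append(Finding(section, "desktop component from Temp folder", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, for a quick overview."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<36} {f.line}")
```

A flagged line is a prompt to look, not a verdict: the RunOnce entries in this log are Spybot's own clean-up commands, and the O17 name servers still have to be compared with the ISP's published DNS addresses before anything is changed.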
#2
Posted 26 October 2008 - 03:52 PM
It looks like you've run combofix already. Have you? If so, did you take this on yourself or did someone instruct you to do so?
Open HijackThis. Click-->Open the Misc Tools section-->Open Uninstall Manager-->Save list...and save the list to your Desktop, then close HijackThis.
A notepad file will open. Copy and paste the content of that text file back here on your next reply. Thanks!
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#3
Posted 27 October 2008 - 01:17 AM
Hey there, I ran ComboFix myself in an act of desperation but it failed to have the desired effect. I have done what you instructed and here are the results. Thanks for helping me out! ...Matt
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
Apple Mobile Device Support
Apple Software Update
Call of Duty Game of the Year Edition
ConvertXtoDVD 3.0.0.1
DirectXInstallService
Diskeeper Lite
DVD Shrink 3.2
EAX Unified
Google Earth
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Intel A/V Codecs V2.0
iPod for Windows 2005-10-12
iTunes
Java 6 Update 5
Java 6 Update 7
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Magic ISO Maker v5.4 (build 0239)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.3)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
Nimo Codecs Pack v4.33 (Remove Only)
ninemsn Internet Software
Nokia Connectivity Cable Driver
Nokia Lifeblog 2.1
Nokia MTP driver
Nokia PC Connectivity Solution
Nokia PC Suite
Nokia Software Launcher
NVIDIA Drivers
NVIDIA WDM Drivers
OptusNet DSL
Panda ActiveScan 2.0
QuickTime
Realtek High Definition Audio Driver
Roxio Activation Module
ScummVM 0.10.0
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Siemens Subscriber Networks SpeedStream DSL
Skype™ 3.6
Spybot - Search & Destroy
System Requirements Lab
TuneUp Utilities 2008
UMVPLStandalone
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb957258)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VDMSound
Vista Codec Package
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Imaging Component
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
WinRAR archiver
XpertVision 5.5
#4
Posted 27 October 2008 - 04:19 AM
Quote
...for some reason my trend pc cillan is not working properly, and when i try to uninstall and reinstall it pops up with windows installer is not working properly, I have also tried to log into various web sites and it says that the security has expired? and it wont let me log in...
You can download the latest Windows Installer Here, but you'll have to run the Windows validation tool to download it. After installation, try to reinstall your Trend Micro product.
Since it's not listed in your Add/Remove Programs list it's pointless to try an uninstall. The installation, evidently, is damaged and the uninstall string is absent. Reinstalling the software over itself should correct the issue. If you receive an option during the installation to either uninstall, modify, or repair, select "Repair".
What do you use this program for...are you a game software developer?:
ScummVM 0.10.0
...and is this software licensed or has the trial period expired? By the way, if you consider yourself a novice, I would not recommend such software:
TuneUp Utilities 2008
You should uninstall the following outdated software:
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Reader 8.1.2
Java 6 Update 5
Java 6 Update 7
If you can't live without it, you can download the latest version of Adobe Acrobat and Reader Here. Personally, I use Foxit Reader. It's very much the same, uses very few resources, and takes up little disk space.
Download the latest Java version Here.
OK...now, to business. Your log, strangely enough, seems to indicate that your version of Windows is either Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows 98 Second Edition, or Microsoft Windows Millennium Edition (Me), although your installed software listing shows otherwise. Has this copy of Windows been validated, activated and registered?
If you did not create the Desktop Component listed here, then you can run HijackThis again and check this entry:
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif
Also, please post the log you produced the last time you ran ComboFix. Thanks!
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#5
Posted 27 October 2008 - 05:37 AM
Okay...
I tried to download the installer but it prompted me saying "Setup has detected that the service pack version of this system is newer than the update you are applying. There is no need to install this update."
When I tried to download the latest Java, this came up in Firefox:
Secure Connection Failed
cds.sun.com uses an invalid security certificate.
The certificate expired on 15/05/2009 9:59 AM.
(Error code: sec_error_expired_certificate)
* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again lat
Or you can add an exception…
ScummVM 0.10.0 is a program I have to run to play a game for some reason. I'm not a software game developer; do you think this program is dangerous?
OS: the Windows that is running on my system had been validated, registered and activated.
Whenever I try to uninstall Trend antivirus this message pops up:
The Windows Installer service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif has been checked with HijackThis and deleted.
I use the TuneUp Utilities to clean up my hard drive and defrag my registry, but if you don't recommend it I can uninstall it.
And also the ComboFix log you requested; hope this helps. Thanks again..Matt P.S. The date on my computer was wrong (weird).
ComboFix 08-10-24.02 - Owner 2009-11-22 16:20:30.5 - NTFSx86
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
- REDUCED FUNCTIONALITY MODE -
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\nvsvc32.exe
.
---- Previous Run -------
.
C:\Program Files\internet explorer\svchost.exe
.
((((((((((((((((((((((((( Files Created from 2009-10-22 to 2009-11-22 )))))))))))))))))))))))))))))))
.
2009-11-21 15:57 . 2009-11-21 15:57 <DIR> d-------- C:\WINDOWS\LastGood
2009-11-21 15:57 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2009-11-21 15:56 . 2009-11-21 15:56 <DIR> d-------- C:\Program Files\Panda Security
2009-11-21 15:54 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-11-21 15:54 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-11-21 14:19 . 2009-11-21 14:19 80 --a------ C:\WINDOWS\wininit.ini
2009-11-21 13:07 . 2009-11-21 15:42 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-21 04:54 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-11-21 04:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-11-20 06:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2009-11-20 05:49 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2009-11-20 05:49 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-03-26 22:12 87,608 ----a-w C:\Documents and Settings\Owner\Application Data\inst.exe
2008-03-26 22:12 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-03 09:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-09-06 09:38 639,003 --sha-w C:\WINDOWS\system32\VCfhknpo.ini2
2008-06-03 07:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-04-03 897089]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-08 576320]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 600896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= divxa32.acm
"msacm.lameacm"= LameACM.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_SZ msv1_0
Notification Packages REG_MULTI_SZ scecli scecli
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Gainward"=C:\Program Files\XpertVision\TBPanel.exe /A
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\WINDOWS\\system32\\rundll32.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
*Newly Created Service* - CATCHME
*Newly Created Service* - MBAMSWISSARMY
.
Contents of the 'Scheduled Tasks' folder
2009-11-21 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 10:59]
2008-10-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\h8aard2r.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://au.yahoo.com/
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30716.0.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin2.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin3.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin4.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin5.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin6.dll
FF -: plugin - C:\Program Files\VistaCodecPack\QT\Plugins\npqtplugin7.dll
FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF -: plugin - C:\Program Files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 16:20:40
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\DOCUME~1\Owner\LOCALS~1\Temp\TMP4352$.TMP 0 bytes
scan completed successfully
hidden files: 1
**************************************************************************
.
Completion time: 2009-11-22 16:21:38
ComboFix-quarantined-files.txt 2009-11-22 05:21:29
Pre-Run: 160,886,800,384 bytes free
Post-Run: 160,935,821,312 bytes free
156 --- E O F --- 2009-11-19 22:05:45
#6
Posted 27 October 2008 - 06:15 AM
Sorry mate, I downloaded the latest Windows Installer (4.5) and then tried to uninstall Trend anti-virus but the pop-up message still occurs...cheers Matt
#7
Posted 27 October 2008 - 05:09 PM
Please delete the existing ComboFix.exe from your desktop and download the latest version following these instructions:
Download the latest ComboFix utility from This Webpage...and read through the instructions there for running the tool.
***Important Note***
Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.
The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.
Once installed, a blue screen prompt should appear that reads as follows:
The Recovery Console was successfully installed.
When you see that screen, please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you located here:
C:\Combofix.txt
Next, please open Notepad.
Copy and paste the text in the code box below into the blank Notepad:
DeQuarantine::
C:\Qoobox\Quarantine\C:\WINDOWS\system32\nvsvc32.exe

Quit::
Save the file to your desktop and name it CFScript.txt
Next, drag the CFScript.txt into the ComboFix.exe and it will run again automatically...When finished, it will produce a log for you, C:\DeQuarantine.txt.
Please post back the following on your next reply:
C:\ComboFix.txt
C:\DeQuarantine.txt
New HijackThis log.
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#8
Posted 27 October 2008 - 08:52 PM
Okay, I did everything you instructed but ComboFix did not make a DeQuarantine file for some reason. Also, should I be running in Recovery Console or normal Windows mode? Here are the logs you requested, hope this helps...cheers Matt
ComboFix 08-10-27.01 - Owner 2008-10-28 7:33:50.8 - NTFSx86
Command switches used :: C:\Documents and Settings\Owner\My Documents\CFScript.txt
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-09-27 to 2008-10-27 )))))))))))))))))))))))))))))))
.
2009-11-21 15:56 . 2009-11-21 15:56 <DIR> d-------- C:\Program Files\Panda Security
2009-11-21 14:19 . 2009-11-22 17:08 126 --a------ C:\WINDOWS\wininit.ini
2009-11-21 13:07 . 2009-11-21 15:42 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-10-31 12:21 . 2008-10-16 03:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-27 16:54 . 2008-10-27 16:57 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-10-27 16:39 . 2008-10-27 16:39 <DIR> d-------- C:\Program Files\NOS
2008-10-27 16:39 . 2008-10-27 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-15 14:52 . 2008-09-15 23:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 14:52 . 2008-09-08 21:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 14:51 . 2008-08-14 21:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 14:51 . 2008-08-14 21:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 14:51 . 2008-08-14 20:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 14:51 . 2008-08-14 20:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-09-28 10:20 . 2008-10-14 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-09-28 10:19 . 2008-10-20 15:36 <DIR> d-------- C:\Program Files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 05:12 --------- d-----w C:\Program Files\ScummVM
2009-11-21 04:54 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-11-21 04:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-11-20 06:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-10-31 21:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-31 20:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-10-27 08:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-10-27 06:16 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-27 06:15 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-23 08:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-10-23 08:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-10-22 05:10 38,496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 05:10 15,504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-10-15 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-14 02:47 --------- d-----w C:\Program Files\Java
2008-09-19 23:37 --------- d-----w C:\Program Files\Google
2008-09-18 05:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-03-26 22:12 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-03 09:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-06-03 07:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-11-22_16.21.15.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-05-18 19:33:20 4,445,184 -c----w C:\WINDOWS\system32\dllcache\msi.dll
+ 2008-05-18 14:57:42 95,744 -c----w C:\WINDOWS\system32\dllcache\msiexec.exe
+ 2008-05-18 19:33:20 332,800 -c----w C:\WINDOWS\system32\dllcache\msihnd.dll
+ 2008-04-16 14:43:24 2,560 -c----w C:\WINDOWS\system32\dllcache\msimsg.dll
+ 2008-05-18 19:33:20 18,944 -c----w C:\WINDOWS\system32\dllcache\msisip.dll
- 2008-04-13 19:42:00 2,843,136 ----a-w C:\WINDOWS\system32\msi.dll
+ 2008-05-18 19:33:20 4,445,184 ----a-w C:\WINDOWS\system32\msi.dll
- 2008-04-13 19:42:30 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2008-05-18 14:57:42 95,744 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2008-04-13 19:42:00 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll
+ 2008-05-18 19:33:20 332,800 ----a-w C:\WINDOWS\system32\msihnd.dll
- 2008-04-13 11:09:44 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
+ 2008-04-16 14:43:24 2,560 ----a-w C:\WINDOWS\system32\msimsg.dll
- 2008-04-13 19:42:00 15,360 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2008-05-18 19:33:20 18,944 ----a-w C:\WINDOWS\system32\msisip.dll
- 2009-11-21 04:49:57 72,608 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-27 20:26:03 72,608 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2009-11-21 04:49:57 445,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-27 20:26:03 445,302 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-29 18:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-04-03 897089]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-08 576320]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 600896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= divxa32.acm
"msacm.lameacm"= LameACM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Gainward"=C:\Program Files\XpertVision\TBPanel.exe /A
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-10-27 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 10:59]
2008-10-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 07:34:57
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-28 7:35:40
ComboFix-quarantined-files.txt 2008-10-27 20:35:28
ComboFix2.txt 2008-10-27 20:16:09
ComboFix3.txt 2008-10-27 20:03:49
ComboFix4.txt 2009-11-22 05:21:39
Pre-Run: 156,893,175,808 bytes free
Post-Run: 156,859,170,816 bytes free
171 --- E O F --- 2009-11-19 22:05:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:01 AM, on 28/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1935655697-2077806209-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221816248468
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - (no file)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 8860 bytes
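The ComboFix "Reg Loading Points" section and the HijackThis O17/O23 lines above are where a responder looks first: Security Center values that silence antivirus or firewall monitoring, a winlogon UIHost that is no longer the stock logonui.exe, services whose binary is gone, and hard-coded DNS servers. The script below is an added example for this thread, not one of the tools the helper uses and not the poster's or the forum's code; it parses those two log formats and returns a worklist. The SAMPLE string is constructed from lines copied out of the logs above, and the indicator names (security_center_suppressed, winlogon_uihost_override, service_binary_missing, dns_override) are this example's own labels, not ComboFix or HijackThis terms.

```python
"""Triage helper for ComboFix "Reg Loading Points" and HijackThis O17/O23 lines.

Added example for this thread; not part of ComboFix, HijackThis or the helper's
instructions. SAMPLE is constructed from lines copied out of the logs above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # indicator class (names chosen for this example)
    detail: str  # the registry value, service line or server it came from


# Security Center values that silence alerts or monitoring when set to 1.
_SC_VALUES = re.compile(
    r'"(AntiVirusDisableNotify|FirewallDisableNotify|UpdatesDisableNotify|'
    r'DisableMonitoring)"=dword:0*1$'
)
_SC_KEY = r"hkey_local_machine\software\microsoft\security center"


def triage(log_text: str) -> list[Finding]:
    """Return the entries a responder would verify first, in log order."""
    findings: list[Finding] = []
    key = ""  # most recent "[HKEY_...]" header in the REGEDIT4 dump
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key; values follow
            continue
        if re.match(r"O\d+ - ", line):
            key = ""                  # HijackThis line, not a registry value
        low = key.lower()
        if low.startswith(_SC_KEY):
            m = _SC_VALUES.match(line)
            if m:
                findings.append(Finding("security_center_suppressed",
                                        f"{key}\\{m.group(1)}=1"))
            continue
        if low.endswith(r"currentversion\winlogon"):
            m = re.match(r'"UIHost"="(.+)"$', line)
            if m:
                path = m.group(1).replace("\\\\", "\\")  # undo REGEDIT4 escaping
                # XP's stock logon UI is logonui.exe; anything else replaced it
                if path.rsplit("\\", 1)[-1].lower() != "logonui.exe":
                    findings.append(Finding("winlogon_uihost_override", path))
            continue
        if line.startswith("O23 - Service:") and (
            line.endswith("(file missing)") or line.endswith("(no file)")
        ):
            findings.append(Finding("service_binary_missing",
                                    line[len("O23 - Service: "):]))
        elif line.startswith("O17 - "):
            m = re.search(r"NameServer = (.+)$", line)
            if m:
                for server in m.group(1).split(","):
                    findings.append(Finding("dns_override", server.strip()))
    return findings


# Constructed sample: lines copied from the ComboFix and HijackThis logs above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - (no file)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.kind:28} {f.detail}")
```

The output is a worklist, not a verdict: the DisableMonitoring values under Monitoring\TrendAntiVirus, TrendFirewall and SymantecFirewall are the ones security products write to tell Security Center they report their own status, whereas AntiVirusDisableNotify=1 at the Security Center root turns off Security Center's own antivirus warnings and is worth confirming the user set deliberately. Of the three missing service binaries, nvsvc32.exe is the file the helper later restores from ComboFix's quarantine in post #11, and the two NameServer addresses should be checked against what the ISP actually hands out.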
#9
Posted 27 October 2008 - 09:08 PM
Did you disable your AVG before running ComboFix? Did you receive a message something on the order of:
At the end of the process, after the log appeared, Notepad gives you a dialog box with "Cannot find the \DeQuarantine.txt file. Do you want to create a new file?"
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#10
Posted 28 October 2008 - 10:04 AM
Is the AVG the antivirus? If so, I can't seem to shut it down even though it isn't working properly, and the prompt to make a new file didn't pop up at all.... Cheers mate, Matt
#11
Posted 28 October 2008 - 03:49 PM
My apologies Mattwardinterglaze,
I had confused your log with another I am currently working on...in fact I'm juggling logs from 13 different users at the moment and lost track of who is who. One other user had gotten so excited the first time he had seen some progress that he quickly installed AVG right in the middle of the fix, and that's who I had you confused with.
We need to back-pedal just a bit. Looking back over this entire thread I see where I mistakenly offered you the download link for the Windows Installer for Windows XP SP2 and prior...You can download the Windows Installer for Service Pack 3 Here.
After successful download and installation, try once more to reinstall your Trend Micro security. If you are successful at repairing that installation then please reboot at that point to properly record those changes to the hard disk.
When the system comes back up, and before continuing, please remember to disable all security software that is running, as instructed previously, so as not to interfere with the running of ComboFix.
Now we need to run the CFScript again as we did in the previous instruction, but be sure to copy and paste again as outlined below, since the previous instruction for this particular step contained an error by failing to include the required spacing between these commands:
Copy and paste the text in the code box below into a blank Notepad:
DeQuarantine::
C:\Qoobox\Quarantine\C:\WINDOWS\system32\nvsvc32.exe

Quit::
Save the file to your desktop and name it CFScript.txt
Next, drag the CFScript.txt into the ComboFix.exe and it will run again automatically...When finished, it will produce a log for you, C:\DeQuarantine.txt.
Please post that log in your next reply along with a new HijackThis log. Thanks!
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#12
Posted 28 October 2008 - 09:38 PM
Okay, now I have tried to update my Windows Installer following the link you provided and chose this file to download: For Windows XP Service Pack 2 and Windows XP Service Pack 3 (32-bit platforms):
x86 Platform: WindowsXP-KB942288-v3-x86.exe, which matches my operating system, but when I try to run the file I get a pop-up saying: the version of Windows you have installed does not match the update you are trying to install. But there is only one file there that matches my system! ...Matt
#13
Posted 28 October 2008 - 09:43 PM
Sorry sorry sorry mate, it was the right one. I'll post your requested files soon. Matt...
#14
Posted 28 October 2008 - 10:03 PM
Yea mate, I have updated the installer but the same pop-up appears when I try to uninstall my Trend anti-virus.... Matt
#15
Posted 28 October 2008 - 10:56 PM
Mattwardinterglaze, on Oct 28 2008, 05:03 PM, said:
Yea mate, I have updated the installer but the same pop-up appears when I try to uninstall my Trend anti-virus.... Matt
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#16
Posted 29 October 2008 - 12:03 AM
Hey mate, I made the file with the code you posted. It went through the cycle but again didn't produce the DeQuarantine file. Here is the log for ComboFix:
ComboFix 08-10-28.01 - Owner 2008-10-29 10:57:43.12 - NTFSx86
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\My Documents\CFScript.txt
* Resident AV is active
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-28 )))))))))))))))))))))))))))))))
.
2009-11-21 15:56 . 2009-11-21 15:56 <DIR> d-------- C:\Program Files\Panda Security
2009-11-21 14:19 . 2009-11-22 17:08 126 --a------ C:\WINDOWS\wininit.ini
2009-11-21 13:07 . 2009-11-21 15:42 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-10-31 12:21 . 2008-10-16 03:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll
2008-10-27 16:54 . 2008-10-27 16:57 <DIR> d-------- C:\Documents and Settings\Owner\.SunDownloadManager
2008-10-27 16:39 . 2008-10-27 16:39 <DIR> d-------- C:\Program Files\NOS
2008-10-27 16:39 . 2008-10-27 16:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-15 14:52 . 2008-09-15 23:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys
2008-10-15 14:52 . 2008-09-08 21:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys
2008-10-15 14:51 . 2008-08-14 21:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-15 14:51 . 2008-08-14 21:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-10-15 14:51 . 2008-08-14 20:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2008-10-15 14:51 . 2008-08-14 20:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-09-28 10:20 . 2008-10-14 18:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2008-09-28 10:19 . 2008-10-20 15:36 <DIR> d-------- C:\Program Files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-23 05:12 --------- d-----w C:\Program Files\ScummVM
2009-11-21 04:54 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2009-11-21 04:42 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-11-20 06:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-10-31 21:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-10-31 20:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-10-28 22:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-10-27 06:16 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-10-27 06:15 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-10-23 08:22 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype
2008-10-23 08:01 --------- d-----w C:\Documents and Settings\Owner\Application Data\skypePM
2008-10-22 05:10 38,496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-22 05:10 15,504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-10-15 04:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-10-14 02:47 --------- d-----w C:\Program Files\Java
2008-09-19 23:37 --------- d-----w C:\Program Files\Google
2008-09-18 05:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys
2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-09-06 02:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-03-26 22:12 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-03 09:46 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-06-03 07:48 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat
.
((((((((((((((((((((((((((((( snapshot@2009-11-22_16.21.15.81 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 09:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2008-05-18 19:33:20 4,445,184 -c----w C:\WINDOWS\system32\dllcache\msi.dll
+ 2008-05-18 14:57:42 95,744 -c----w C:\WINDOWS\system32\dllcache\msiexec.exe
+ 2008-05-18 19:33:20 332,800 -c----w C:\WINDOWS\system32\dllcache\msihnd.dll
+ 2008-04-16 14:43:24 2,560 -c----w C:\WINDOWS\system32\dllcache\msimsg.dll
+ 2008-05-18 19:33:20 18,944 -c----w C:\WINDOWS\system32\dllcache\msisip.dll
- 2008-04-13 19:42:00 2,843,136 ----a-w C:\WINDOWS\system32\msi.dll
+ 2008-05-18 19:33:20 4,445,184 ----a-w C:\WINDOWS\system32\msi.dll
- 2008-04-13 19:42:30 78,848 ----a-w C:\WINDOWS\system32\msiexec.exe
+ 2008-05-18 14:57:42 95,744 ----a-w C:\WINDOWS\system32\msiexec.exe
- 2008-04-13 19:42:00 271,360 ----a-w C:\WINDOWS\system32\msihnd.dll
+ 2008-05-18 19:33:20 332,800 ----a-w C:\WINDOWS\system32\msihnd.dll
- 2008-04-13 11:09:44 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
+ 2008-04-16 14:43:24 2,560 ----a-w C:\WINDOWS\system32\msimsg.dll
- 2008-04-13 19:42:00 15,360 ----a-w C:\WINDOWS\system32\msisip.dll
+ 2008-05-18 19:33:20 18,944 ----a-w C:\WINDOWS\system32\msisip.dll
- 2009-11-21 04:49:57 72,608 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-28 21:49:39 72,608 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2009-11-21 04:49:57 445,302 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-28 21:49:39 445,302 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-29 18:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-08 576320]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 8523776]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-08 600896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\Documents and Settings\\All Users\\Application Data\\TuneUp Software\\TuneUp Utilities\\WinStyler\\tu_logonui.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I263"= I263_32.drv
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= divxa32.acm
"msacm.lameacm"= LameACM.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"Gainward"=C:\Program Files\XpertVision\TBPanel.exe /A
"RTHDCPL"=RTHDCPL.EXE
"Alcmtr"=ALCMTR.EXE
"nwiz"=nwiz.exe /install
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
"pccguide.exe"=C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Call of Duty Game of the Year Edition\\CoDMP.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
2008-10-28 C:\WINDOWS\Tasks\1-Click Maintenance.job
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-04-16 10:59]
2008-10-23 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-29 10:58:34
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-29 10:59:09
ComboFix-quarantined-files.txt 2008-10-28 23:59:03
ComboFix2.txt 2008-10-28 10:00:19
ComboFix3.txt 2008-10-28 09:57:16
ComboFix4.txt 2008-10-28 09:31:56
ComboFix5.txt 2008-10-28 23:57:24
Pre-Run: 156,684,689,408 bytes free
Post-Run: 156,769,193,984 bytes free
173 --- E O F --- 2009-11-19 22:05:45
And the hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:30 AM, on 29/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1935655697-2077806209-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221816248468
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - (no file)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 8671 bytes
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1935655697-2077806209-839522115-1003\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1221816248468
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - (no file)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 8671 bytes
#17
Posted 29 October 2008 - 03:54 AM
Hey there again, just kind of wondering is there a way I could manually remove the Trend PC-cillin antivirus or will it be too much of a hassle? thanks again...Matt
#18
Posted 29 October 2008 - 04:11 AM
Did you try reinstalling the antivirus application like I suggested several times now?
For now, let's uninstall Spybot Search and Destroy...try reinstalling your antivirus application. Post back the results.
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
#19
Posted 29 October 2008 - 08:02 AM
Okay I have uninstalled Spybot and restarted my PC, tried to reinstall Trend antivirus and still getting that same popup about the Windows installer for some reason, and when I click on the Trend antivirus submenu the same message saying: no network device found or there is a conflict with existing antivirus or security software. To enable full product functionality, uninstall conflicting software or connect to a network and restart the program.
and then it says: unable to read the configuration, restart your computer and try again error=7413-238 hr=0x80040154
hope this helps mate...Matt
#20
Posted 29 October 2008 - 10:07 AM
Copy and paste the following into a blank NotePad:
sc start ServiceLayer
sc stop Tmntsrv
sc stop TmPfw
sc stop tmproxy
sc stop PcCtlCom
sc delete Tmntsrv
sc delete TmPfw
sc delete tmproxy
sc delete PcCtlCom
Click File-->Save as and name the file delservice.bat
Under "Save as type" select "all files" and save it to your Desktop.
Double-click the delservice.bat file on your Desktop. When the batch completes, delete the .bat file.
Run HijackThis again and check the box next to the following entries that may still exist:
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: SessionLauncher - Unknown owner - (no file)
The entry below is affiliated with PunkBuster software and is seen as malicious by Prevx (and others). It is known to cause heartburn for some users. If you remove it, the game will not function but keeping it may cause you continued problems...you decide.
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Now close all windows (that includes this browser window)...leaving only the HijackThis application's window open, click the Fix Checked button.
Locate and delete the associated Trend Micro Internet Security Suite folder...please be careful NOT to delete the Trend Micro HijackThis folder.
Reboot the computer.
Install the following software:
BOClean
Avira Antivir
...allow the software to install using all default recommendations.
Once you have completed installing both applications, navigate the software and find the manual update feature. Run manual updates for both until no more updates are found. Reboot the computer again into safe mode. Open Avira Antivir and run a complete system scan. Allow the software to quarantine whatever it complains of. Reboot back to your normal Windows user mode and post back your results along with a fresh HijackThis log. Let's also have a run down of any other issues that are still present. Thanks!
Disabled Veteran, U.S.C.G. 1972 - 1978

Member: U.N.I.T.E., A.S.A.P.
Windows XP Performance and Maintenance
Windows Vista Performance and Maintenance
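The batch file in post #20 is built by hand from the O23 service lines in the HijackThis log: the name in parentheses is the short name `sc stop` / `sc delete` expects, and "(no file)" / "(file missing)" marks a leftover registration whose binary is gone. As an added example (not code from this thread or from any poster), here is a small Python parser that does that bookkeeping over constructed sample lines copied in the shape of the log above.

```python
import re
from dataclasses import dataclass

# Constructed sample input, modelled on the O23 lines in the HijackThis log above.
SAMPLE_O23 = r"""
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - (no file)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
"""

# HijackThis O23 layout: "O23 - Service: <display> (<short>) - <vendor> - <path>".
# The "(<short>)" part is optional; when absent the display name is the service name.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<vendor>.+?) - (?P<path>.*)$"
)


@dataclass
class ServiceEntry:
    display: str
    sc_name: str        # name to hand to `sc stop` / `sc delete`
    vendor: str
    path: str
    file_missing: bool  # HijackThis printed "(file missing)" or "(no file)"


def parse_o23(line):
    """Parse one O23 line; return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return ServiceEntry(
        display=m.group("display"),
        sc_name=m.group("short") or m.group("display"),
        vendor=m.group("vendor"),
        path=path,
        file_missing=path.endswith("(file missing)") or path == "(no file)",
    )


def parse_log(text):
    return [e for e in (parse_o23(ln) for ln in text.splitlines()) if e]


def orphaned_services(entries):
    """Service registrations whose binary is gone: the kind of entry the helper
    asked to tick in HijackThis (e.g. SessionLauncher with "(no file)")."""
    return [e.sc_name for e in entries if e.file_missing]


def removal_batch(entries, vendor_prefix):
    """Build the stop-then-delete lines for every service of one vendor, in the
    order post #20 uses: stop them all first, then delete them all."""
    names = [e.sc_name for e in entries if e.vendor.startswith(vendor_prefix)]
    return [f"sc stop {n}" for n in names] + [f"sc delete {n}" for n in names]
```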