Cannot install any Antivirus Software



athanaso77
2007-02-26, 23:54
Hi there,

Some days ago I noticed that my TrendMicro Internet Security software disappeared from showing near the clock. I tried to open it but nothing. So I uninstalled it and tried to install again but nothing. It says "The system cannot find the file specified". Now I can't install any antivirus software.
Additionally, System Restore doesn't work any more. I also tried to boot in safe mode but the system restarts. Here I post the results from the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:36 μμ, on 25/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Qdmnt\cdisk.exe
C:\Program Files\Qdmnt\caud.exe
C:\Program Files\Qdmnt\cctr.exe
C:\Program Files\Qdmnt\cenv.exe
C:\Program Files\Qdmnt\cinp.exe
C:\Program Files\Qdmnt\clan.exe
C:\Program Files\Qdmnt\cos.exe
C:\Program Files\Qdmnt\ctalk.exe
C:\Program Files\Qdmnt\cvid.exe
C:\Program Files\Qdmnt\demon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Qdmnt\regclnt.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Qdmnt\clwarn.exe
C:\Program Files\Qdmnt\cbios.exe
C:\Program Files\Qdmnt\cmb.exe
C:\Program Files\Qdmnt\cmem.exe
C:\Program Files\Qdmnt\cserv.exe
C:\Program Files\Qdmnt\alarm.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Qdmnt\qdmstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\SAGEM\CONN-X SAGEM Fast 800\dslmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\Giannis\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.metacrawl.ws/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://mail.upatras.gr/src/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.metacrawl.ws/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QdmStart] C:\Program Files\Qdmnt\qdmstart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: Today.lnk = C:\Program Files\Today Application\Today.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Δημιουργία Αγαπημένου κινητής συσκευής... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Έρευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144677846486
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F3FCE98-3CDD-4F39-9DC4-9F79F505E92B}: NameServer = 195.170.0.1 195.170.2.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{4F3FCE98-3CDD-4F39-9DC4-9F79F505E92B}: NameServer = 195.170.0.1 195.170.2.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Alarm - Unknown owner - C:\Program Files\Qdmnt\clwarn.exe
O23 - Service: AMON - Eset - H:\Portable NOD32 Antivirus\amon.sys
O23 - Service: CDisk - Unknown owner - C:\Program Files\Qdmnt\cdisk.exe
O23 - Service: ComAud - Unknown owner - C:\Program Files\Qdmnt\caud.exe
O23 - Service: ComBios - Unknown owner - C:\Program Files\Qdmnt\cbios.exe
O23 - Service: ComCtr - Unknown owner - C:\Program Files\Qdmnt\cctr.exe
O23 - Service: ComEnv - Unknown owner - C:\Program Files\Qdmnt\cenv.exe
O23 - Service: ComInp - Unknown owner - C:\Program Files\Qdmnt\cinp.exe
O23 - Service: ComLan - Unknown owner - C:\Program Files\Qdmnt\clan.exe
O23 - Service: ComMB - Unknown owner - C:\Program Files\Qdmnt\cmb.exe
O23 - Service: ComMem - Unknown owner - C:\Program Files\Qdmnt\cmem.exe
O23 - Service: ComOs - Unknown owner - C:\Program Files\Qdmnt\cos.exe
O23 - Service: CompuerServ - Unknown owner - C:\Program Files\Qdmnt\cserv.exe
O23 - Service: ComTalk - Unknown owner - C:\Program Files\Qdmnt\ctalk.exe
O23 - Service: ComVid - Unknown owner - C:\Program Files\Qdmnt\cvid.exe
O23 - Service: Demon - Unknown owner - C:\Program Files\Qdmnt\demon.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Monitor - Unknown owner - C:\Program Files\Qdmnt\alarm.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: RegClnt - Unknown owner - C:\Program Files\Qdmnt\regclnt.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

I will be waiting for your comments!
Thanks in advance
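
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the original thread. The two heuristics (orphaned entries marked "(file missing)" or "(no file)", and O23 services with "Unknown owner") are assumptions chosen for illustration; they produce leads for manual review, not verdicts, and the sample lines are copied from the log in the post.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: six entry lines taken from the log in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QdmStart] C:\Program Files\Qdmnt\qdmstart.exe
O20 - Winlogon Notify: winyxm32 - winyxm32.dll (file missing)
O23 - Service: Alarm - Unknown owner - C:\Program Files\Qdmnt\clwarn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O23 - Service: ..."
MISSING = ("(file missing)", "(no file)")        # markers HijackThis appends

def parse(log):
    """Yield (section_code, body) for each entry; header and process lines are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def target_path(body):
    """Return the last ' - ' separated field with any missing-file marker removed."""
    path = body.rsplit(" - ", 1)[-1]
    for marker in MISSING:
        path = path.replace(marker, "")
    return path.strip()

def triage(log):
    """Return [(code, tag, body)]; one entry can carry more than one tag."""
    findings = []
    for code, body in parse(log):
        if any(marker in body for marker in MISSING):
            findings.append((code, "orphaned", body))       # registry entry outlived its file
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "unknown-owner", body))  # binary reports no company name
    return findings

def unknown_owner_dirs(log):
    """Count unknown-owner services per folder, so one product's services cluster together."""
    return Counter(ntpath.dirname(target_path(body))
                   for _, tag, body in triage(log) if tag == "unknown-owner")

if __name__ == "__main__":
    for code, tag, body in triage(SAMPLE_LOG):
        print(f"{tag:14} {code:4} {body}")
    print(unknown_owner_dirs(SAMPLE_LOG).most_common())
```
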

athanaso77
2007-02-27, 22:32
Any help for me?!?!?!
Please!!!

athanaso77
2007-02-28, 16:32
I supposed things were different in this forum! I don't understand why you keep ignoring me and my problem!
Never mind... everything in life is a boomerang! What you give... is what you get!

Mr_JAk3
2007-03-01, 21:49
Hi athanaso77 and welcome to the Forums :)

Sorry for the delay... You replied to your own topic and that is why your topic got overlooked, we look for zero reply topics...

If you still need help:


Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning! Please do not select the "Show all" checkbox during the scan.

athanaso77
2007-03-05, 17:51
Hi Mr_JAk3,

The text is too long to paste here. 1752019 chars is far more than the 20000 allowed here. Should I uncheck any of the options in GMER?

Please help me because my PC has problem!

Thanks in Advance!

Mr_JAk3
2007-03-05, 20:03
Hi again :)

Could you please upload the whole GMER log to e.g. RapidShare (http://rapidshare.com/)
Then post the link to your log to me :bigthumb:

athanaso77
2007-03-06, 07:34
Can I send it to you by e-mail? I have never used RapidShare upload before.
Thanks!

Mr_JAk3
2007-03-06, 09:29
Ok you can send it via email to: mrjake (at) mbnet.fi

athanaso77
2007-03-06, 20:28
Hi Mr_JAk3,

I have already sent you the e-mail of the GMER results.

I am looking forward to your comments.
Thanks in advance.

Mr_JAk3
2007-03-06, 21:23
Ok good, now we'll get rid of the bug.

Run a new rootkit scan with GMER.

When you see the following process(es) on the list:

Process C:\WINDOWS\system32\hldrrr.exe
Process C:\WINDOWS\system32\wintems.exe


Right-click it with your mouse and a menu will open. Choose "Kill Process" from the list. You need to do this one by one.

When you see the following files on the list:
File C:\Documents and Settings\Giannis\Application Data\hidires\hidr.exe
File C:\Documents and Settings\Giannis\Application Data\hidires\m_hook.sys
File C:\WINDOWS\system32\hldrrr.exe
File C:\WINDOWS\system32\wintems.exe


Right-click those with your mouse and a menu will open. Choose "Delete file" from the list. You need to do this one by one.

When you see the following service on the list:

Service C:\Documents and Settings\Giannis\Application Data\hidires\m_hook.sys

Right-click it with your mouse and a menu will open. Choose "Delete the service" from the list.
If GMER asks for a reboot, allow it to do it.

Then close GMER and restart your computer.

Run a new scan with GMER but don't use your computer during the scan.
When the scan has finished please copy/upload the results to me along with a fresh HijackThis log.

:bigthumb:

athanaso77
2007-03-07, 23:38
Hi there,
I did what you told me and everything went right.
But... my PC runs much worse!
- It has become extremely slow, at start-up and all the time! Whatever I do it freezes all the time!
- I cannot uninstall iolo System Mechanic 7. Error: "There was an error during unregistering of service provider" :mad:
- Microsoft Active Sync does not connect anymore to my PDA
- And finally... I HAVE LOST EVERY SOUND!!! :oops: I hear nothing even when everything (hardware and software) is set correctly!

I am so disappointed that I am one step away from formatting! :sad:

I doubt if there is any hope for help!!!
Thanks anyway. :sad:

Mr_JAk3
2007-03-08, 11:11
Hi again :)

You're still infected so it is normal that the computer is running badly. I didn't say that you're clean. Please post the logs I requested if you want to continue the cleaning :bigthumb:

If you want to reformat, I'll give instructions for that.

athanaso77
2007-03-11, 16:45
Hi again,
Finally my PC hard disk drives became inaccessible!

But I formatted it, installed Vista and I like it!

Thanks anyway.
Bye!

Mr_JAk3
2007-03-11, 21:51
Ok nice to hear that the problem is solved.

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: