Computer Security & Viruses/combofix and hijackthis logs

Question
QUESTION: Hi again Brian,
The All-Experts site here said I had already posted too many follow-ups to you about the question, and said I needed to ask a new question.  Anyway, thanks for reading over that Combo-Fix info at the link I provided, and for your comments regarding it.  At this point my question to you would be, if I do run the Combo-Fix, whether I should beforehand go ahead and download and pre-install the Windows XP Restore Console from Microsoft (since I don't have my XP discs), as it seems recommended to have this installed before running the Combo-Fix.  Also, you mentioned I could get the updated Genuine Windows Validation Tool from the link you provided (could you provide me that link once more?).  And should I try getting that updated tool installed on my PC and then running Windows Update before running the Combo-Fix, or should I do both?  Also, I haven't tried yet, but if I try to download the Combo-Fix program from any of the three sites provided and all of them are blocked by my Trend Micro, please advise what I might do then to finally be able to download the program?   Thanks again for your time and assistance!

ANSWER: Hi Steve

You may already have the Recovery Console installed, but if you do not, ComboFix will guide you on the install process.  The link for WGA is:
http://www.download.windowsupdate.com/msdownload/update/v3-19990518/cabpool/wind
My suggestion is to first disable Trend, download and run ComboFix (installing the Recovery Console if needed), then try to run Windows Updates.  If that does not work, use the method I described in the last post to fix and update WGA.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
I disabled Trend and then downloaded and ran ComboFix (did need to install Recovery Console during the process), then tried to run Windows Updates.  Guess what?  It works now!  I didn't even need to use the manual method to fix and update WGA.  I wonder what the underlying problems were that ComboFix was apparently able to detect/repair, and if in fact those problems were likely a result of my computer's recent encounters with those Trojans I described, even though the Trend Micro program had apparently quarantined one, and as well the Malwarebytes program which quarantined the others?  I'm sure hoping now that any and all potentially harmful or troublesome traces of that particular malware are eradicated.  So far so good, Windows Update is working again and the PC is not exhibiting any other visible unusual behavior.  I'm not too sure I'm very confident anymore in my Trend Micro security suite, which up until these recent episodes had otherwise seemed to reliably protect my home PCs for seven years now.  Any other specific software recommendations you may have in that regard or any comments to that effect would be welcome!  Thanks for helping me get updates back; for all I could tell it was just the beginning sign of some malware infection getting worse and causing continued and worsening problems, and I definitely could do without that.

ANSWER: Hi Steve

I'm glad that ComboFix did the job.  I would like to check the log located at C:\ComboFix.txt, and to check a new HijackThis log.  This is to make sure no stray infection entries are left over.  It will also tell me what ComboFix detected and fixed to restore your WGA updates.  Trend Micro Internet Security is an above-average suite giving you everything you need to stay safe on the internet.  That said, no security program is perfect, and I would say that seven years clean with only this recent problem is a darn good track record.  Be vigilant with your virus definition and Windows updates and you should be fine.  Use Malwarebytes about once a month to run a full scan to clean out anything that may get past Trend.  After posting the log file for me, you can remove ComboFix by clicking Start->Run->then type combofix /u and hit Enter.  Note the space between the x and the /.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
Below is my ComboFix log as well as a new HijackThis log.  Please let me know, if you can, whether there may be any leftover entries from infection, and what it may have been that Combo-Fix was able to detect to repair my Windows Update functionality.  Also, you mentioned I could go ahead and remove ComboFix now; I'm just curious why I would necessarily want to remove it if it is possible I may need to use the program again in the future?  Thanks.

ComboFix 09-02-15.01 - Steve 2009-02-15 17:39:43.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.991.684 [GMT -9:00]
Running from: c:\documents and settings\Steve\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\patch.exe
c:\windows\system32\encapi32.dll
c:\windows\system32\init32.exe
c:\windows\Temp\scsF.tmp

.
(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.

2009-02-14 19:52 . 2009-02-14 19:52   <DIR>   d--------   c:\documents and settings\Steve\Application Data\Malwarebytes
2009-02-14 19:51 . 2009-02-14 19:52   <DIR>   d--------   c:\program files\Malwarebytes' Anti-Malware
2009-02-14 19:51 . 2009-02-14 19:51   <DIR>   d--------   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2009-02-14 19:51 . 2009-02-11 10:19   38,496   --a------   c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-14 19:51 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
2009-02-08 07:26 . 2009-02-08 07:36   <DIR>   d--------   c:\documents and settings\Administrator
2009-01-31 12:33 . 2009-01-31 12:33   <DIR>   d--------   c:\program files\FileZilla FTP Client
2009-01-31 12:33 . 2009-02-02 17:38   <DIR>   d--------   c:\documents and settings\Steve\Application Data\FileZilla
2009-01-31 11:55 . 2009-01-31 12:27   <DIR>   d--------   c:\program files\GoFTP
2009-01-31 11:55 . 2004-03-09 00:00   224,016   --a------   c:\windows\system32\TABCTL32.OCX

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-14 01:23   ---------   d-----w   c:\program files\Microsoft Money
2009-01-13 19:59   ---------   d-----w   c:\program files\HP
2009-01-13 02:24   ---------   d-----w   c:\documents and settings\Roberta\Application Data\OfficeGuardian
2009-01-12 20:11   ---------   d-----w   c:\documents and settings\Steve\Application Data\OfficeGuardian
2009-01-12 18:26   ---------   d-----w   c:\program files\Greetings Workshop
2008-12-28 16:35   410,984   ----a-w   c:\windows\system32\deploytk.dll
2008-12-28 16:35   ---------   d-----w   c:\program files\Java
2007-11-13 17:52   67,701,085   ----a-w   c:\program files\openofficeorg3.cab
2007-11-13 17:52   3,395,341   ----a-w   c:\program files\openofficeorg4.cab
2007-11-13 17:47   17,646,967   ----a-w   c:\program files\openofficeorg2.cab
2007-11-13 17:46   18,827,152   ----a-w   c:\program files\openofficeorg1.cab
2007-11-13 17:45   4,363,776   -c--a-w   c:\program files\openofficeorg23.msi
2007-11-13 17:45   217   -c--a-w   c:\program files\setup.ini
2005-02-01 07:01   1,934,096   -c--a-w   c:\program files\dMC-r11.exe
2002-03-11 09:06   1,822,520   ----a-w   c:\program files\instmsiw.exe
2002-03-11 08:45   1,708,856   ----a-w   c:\program files\instmsia.exe
2001-09-29 01:00   164,864   -c--a-w   c:\program files\UNWISE.EXE
2008-09-04 16:14   32,768   -csha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090420080905\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-03-20 213936]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-28 136600]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.MSNAUDIO"= msnaudio.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative MediaSource Go]
--------- 2006-11-09 09:19 204800 c:\program files\Creative\MediaSource5\Go\CTCMSGoU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 15:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a--c--- 2004-05-12 14:18 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-02-16 22:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-08-06 09:03 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVMixerTray]
--a--c--- 2004-06-03 20:51 131072 c:\program files\NVIDIA Corporation\NvMixer\NvMixerTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 02:01 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:*:Disabled:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:*:Disabled:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:*:Disabled:@xpsp2res.dll,-22017

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-15 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-15 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-04-20 52240]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2008-04-20 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-04-20 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2b58af80-d9c5-11dd-a481-000ea675f2f2}]
\Shell\AutoRun\command - E:\StarterOfficeGuardian.exe
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cognac - c:\docume~1\Steve\LOCALS~1\Temp\perce.jpg.exe
MSConfigStartUp-Creative Detector - c:\program files\Creative\MediaSource\Detector\CTDetect.exe
MSConfigStartUp-Handy Backup 6 - c:\program files\Novosoft\Handy Backup\hbagent.exe
MSConfigStartUp-DXDllRegExe - dxdllreg.exe
MSConfigStartUp-Logitech Utility - Logi_MwX.Exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.att.net/
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
Trusted Zone: aol.com\free
TCP: {68782A14-677A-4EA7-8BC3-72D1C8A32C37} = 209.112.128.2 204.17.139.2
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 17:40:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-329068152-1788223648-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-02-15 17:42:10
ComboFix-quarantined-files.txt  2009-02-16 02:42:00

Pre-Run: 52,106,190,848 bytes free
Post-Run: 52,100,567,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

152   --- E O F ---   2009-02-12 16:11:21



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:13 AM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Steve\Desktop\hijakthis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio2/downloads/sysinfo.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.lynden.com/aml/sars/mgaxctrl.cab?Version=6,5,5,15
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_si
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp.com/rdqaio/downloads/msxml4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15035/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68782A14-677A-4EA7-8BC3-72D1C8A32C37}: NameServer = 209.112.128.2 204.17.139.2
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5983 bytes

Answer
Hi Steve

Sorry I could not get back to you yesterday.  Your HJT log file is clean now, so your computer is infection-free.  You were, however, infected with a nasty rootkit which avoided detection and installed a few trojans:
http://www.prevx.com/filenames/X339560249098740191-X1/INIT322EEXE.html
http://www.prevx.com/filenames/X544733331679083107-X1/PERCE2EJPG2EEXE.html
http://www.prevx.com/filenames/1656666053019721298-X1/PATCH2EEXE.html
ComboFix has deleted them, so why remove the program?  ComboFix by sUBs was never intended to be used the same way that software such as Malwarebytes Anti-Malware is.  The program does not have definitions which are updated regularly, hence the need to download the entire program each time.  The real power of ComboFix is not as a general-purpose malware remover.  ComboFix is useful because it provides the experienced malware expert with a convenient graphical front-end to powerful scripts, which can damage a computer if not used properly.  It is because of its scripting strengths, and its in-depth reporting logs, that it must be run under guidance.
In any event, I hope I have helped you in this instance and please come back if you need further help.  Cheers!

Brian
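An added example, not part of this thread and not code from ComboFix or HijackThis, of how an analyst can mechanise the log review Brian describes above: it parses the two log formats posted in this thread (the ComboFix sections delimited by runs of parentheses and the "- - - - ORPHANS REMOVED - - - -" marker, and the R/O-prefixed HijackThis lines) and flags the indicators behind the verdict: a file running from a Temp directory, a double extension such as perce.jpg.exe, a binary dropped directly in the Windows root, and dangling "(no file)" references. The sample input is constructed from the log excerpts above. The flagged file names are the three Brian identified in his answer; the expected DNS server list is an assumption (the addresses from the O17 line, treated as the ISP's resolvers) and must be replaced for any other machine.

```python
"""Triage helper for ComboFix and HijackThis logs (added example, not tool code)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source item reasons")

# Names identified in the thread as the dropped trojans.
FLAGGED_NAMES = ("init32.exe", "perce.jpg.exe", "patch.exe")
# Assumption: the resolvers on the O17 line are the ISP's; confirm before trusting.
EXPECTED_DNS = ("209.112.128.2", "204.17.139.2")

SECTION_RE = re.compile(r"^(?:\(+\s*(?P<a>.+?)\s*\)+|- - - - (?P<b>.+?) - - - -)\s*$")
PATH_RE = re.compile(r"[a-z]:\\.*$", re.IGNORECASE)
HJT_RE = re.compile(r"^(?P<code>[RFOM]\d{1,2}) - (?P<body>.+)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|gif|png|txt|pdf|doc)\.(exe|scr|com|pif)(?=$|[\s\"])", re.IGNORECASE)
WINROOT_BIN_RE = re.compile(r"[a-z]:\\windows\\[^\\\s\"]+\.(exe|dll)(?=$|[\s\"])", re.IGNORECASE)
FLAGGED_RE = re.compile(r"(?:^|[\\\s\"])(?:" + "|".join(map(re.escape, FLAGGED_NAMES)) + r")(?=$|[\s\"])", re.IGNORECASE)

# Constructed sample input, taken from the log excerpts posted in this thread.
SAMPLE_COMBOFIX = r"""
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\patch.exe
c:\windows\system32\encapi32.dll
c:\windows\system32\init32.exe
c:\windows\Temp\scsF.tmp

.
(((((((((((((((((((((((((   Files Created from 2009-01-16 to 2009-02-16  )))))))))))))))))))))))))))))))
.
2009-02-14 19:51 . 2009-02-11 10:19   15,504   --a------   c:\windows\system32\drivers\mbam.sys
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Cognac - c:\docume~1\Steve\LOCALS~1\Temp\perce.jpg.exe
MSConfigStartUp-Creative Detector - c:\program files\Creative\MediaSource\Detector\CTDetect.exe
"""

SAMPLE_HIJACKTHIS = r"""
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{68782A14-677A-4EA7-8BC3-72D1C8A32C37}: NameServer = 209.112.128.2 204.17.139.2
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
"""


def indicators(text):
    """Return the reasons a path or HijackThis entry deserves a second look."""
    reasons = []
    if FLAGGED_RE.search(text):
        reasons.append("file name matches a trojan identified in the thread")
    if TEMP_RE.search(text):
        reasons.append("runs from a Temp directory")
    if DOUBLE_EXT_RE.search(text):
        reasons.append("double extension hiding an executable behind a document name")
    if WINROOT_BIN_RE.search(text):
        reasons.append("binary dropped directly in the Windows root")
    return reasons


def parse_combofix(text):
    """Map each ComboFix section to the path-like entries listed under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = (m.group("a") or m.group("b")).strip()
            sections[current] = []
            continue
        if current is None or line in ("", "."):
            continue
        pm = PATH_RE.search(line)
        if pm:  # drop trailing quotes/timestamps from registry-style lines
            sections[current].append(pm.group(0).split('"')[0].rstrip())
    return sections


def parse_hijackthis(text):
    """Return (code, body) pairs for the R/F/O/M lines of a HijackThis log."""
    return [(m.group("code"), m.group("body"))
            for m in map(HJT_RE.match, (l.strip() for l in text.splitlines())) if m]


def triage(combofix_text, hjt_text, expected_dns=()):
    """Combine both logs into Finding tuples an analyst can scan top to bottom."""
    findings = []
    sections = parse_combofix(combofix_text)
    for name in ("Other Deletions", "ORPHANS REMOVED"):
        for path in sections.get(name, []):
            findings.append(Finding(name, path, indicators(path) or ["no indicator matched; confirm manually"]))
    for code, body in parse_hijackthis(hjt_text):
        if body.endswith("(no file)"):
            findings.append(Finding(code, body, ["dangling reference; safe to fix in HijackThis"]))
        elif code == "O17":  # resolver hijacks show up here
            servers = body.split("NameServer = ", 1)[-1].split()
            unknown = [s for s in servers if s not in expected_dns]
            if unknown:
                findings.append(Finding(code, body, ["DNS server not in the expected set: " + ", ".join(unknown)]))
        elif code in ("O4", "O23"):  # autostarts and services
            reasons = indicators(body)
            if reasons:
                findings.append(Finding(code, body, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_COMBOFIX, SAMPLE_HIJACKTHIS, expected_dns=EXPECTED_DNS):
        print(f"[{f.source}] {f.item}\n    " + "; ".join(f.reasons))
```

Entries under "Other Deletions" and "ORPHANS REMOVED" are always reported, even with no indicator, because ComboFix has already removed them and the analyst still needs to decide whether each was malware or collateral (INSTALL.LOG and the Creative detector above are examples of the latter). Running `triage` without an expected DNS list makes it report every O17 resolver, which is the safer default on a machine whose ISP settings are not known.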

Brian Benosky

Expertise

I will help you in eradicating malware and all forms of virus/trojans/adware. I can answer all PC-related hardware issues. I can also troubleshoot Windows OS errors (all versions) and other software problems. HijackThis logs are a MUST for virus related help. If you do not know how to do this, I have posted easy-to-follow instructions on the Ask a Question page. Every computer infection is different, so I will give you personal instructions on how to remove the malware, not a 'pat' answer. You can be assured of a prompt, polite, and knowledgeable response in all regards.

Experience

I have over 25 years experience in using, building, and repairing computers. I have helped over two thousand people here on AllExperts, with consistent Top Feedback Scores. Please look at my answers here: http://en.allexperts.com/q/Computer-Security-Viruses-1737/indexExp_84308.htm I am also a Top Contributor of General Computing answers in Yahoo! Questions.

Education/Credentials
College Educated Self-taught Computer Skills

©2012 About.com, a part of The New York Times Company. All rights reserved.