Trend Micro PC-cillin anomalies after Koobface worm infection

I have a Windows Vista laptop that had a Koobface Worm infection.  I used MalwareBytes to clean it.  After a half a dozen passes it tests clean of any malware.  I also tested using MS Malicious Software Removal Tool and it tests clean also.  

When I got the machine the PC-cillin's last definitions update was in early March.  When I tried to manually update it, it gave me an information screen that said "The feature is still loading. Please wait a moment, and then try again", and would not update.  After I cleaned the worm with MalwareBytes, I eventually was able to get the virus definitions to update.

After that, everything appeared to be normal.  An automatic scan from PC-cillin started and I was about ready to return the laptop to its owner.   I figured I'd run one last scan using the PC-cillin, but when I started the scan I was getting the same "The feature is still loading. Please wait a moment, and then try again" error when trying to manually start a scan or manually trying to do a definitions update.  There appears to be no trace of infections that I can detect through MalwareBytes, MS MRT, or HijackThis, but the Trend Micro PC-cillin is not working as it should.   I am attaching files for your inspection... Any ideas?
Thanks
mbam-log-2010-04-20--19-30-07-.txt
mbam-log-2010-04-20--19-38-21-.txt
mbam-log-2010-04-20--20-38-46-.txt
mbam-log-2010-04-23--14-27-52-.txt
hijackthis.log
PC-cillin-2.doc
PC-cillin.doc
dwar08 Asked:

optoma Commented:
From Hijackthis, this entry looks suspect:
O1 - Hosts: 85.13.206.115 u07012010u.com

Run Hitmanpro
http://www.surfright.nl/en/hitmanpro

Run Eset online scan:
Check "scan archives"
Under advanced settings-check all three boxes
Attach logfile here
C:\Program Files\EsetOnlineScanner\log.txt
http://www.eset.com/onlinescan/
0
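
Added example, not part of the original thread: a small Python triage of the `O1 - Hosts:` lines in a HijackThis log, which separates ordinary localhost mappings from names redirected to a public address, like the entry flagged above. The sample log is constructed (only the `85.13.206.115` line comes from the thread) and `update.example-av.test` is a hypothetical name.

```python
import ipaddress
import re

# HijackThis lists each hosts-file mapping as "O1 - Hosts: <ip> <name>".
O1_RE = re.compile(r"^O1 - Hosts:\s*(\S+)\s+(\S+)")

# Constructed sample log; only the 85.13.206.115 line comes from the thread.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 85.13.206.115 u07012010u.com
O1 - Hosts: 127.0.0.1 update.example-av.test
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""


def classify(ip_text, hostname):
    """Return a verdict for one hosts-file mapping."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # Loopback is normal for "localhost"; for any other name it blocks
        # that name, so compare it against the AV product's update servers.
        return "ok" if hostname == "localhost" else "blocked"
    if ip.is_private:
        return "private-redirect"
    # A name pinned to a routable address bypasses DNS entirely.
    return "public-redirect"


def review_hosts(log_text):
    """Return (ip, hostname, verdict) for every O1 entry that needs review."""
    findings = []
    for line in log_text.splitlines():
        match = O1_RE.match(line.strip())
        if not match:
            continue  # not a hosts-file entry (O2, O4, ... sections)
        ip_text, hostname = match.group(1), match.group(2).lower()
        verdict = classify(ip_text, hostname)
        if verdict != "ok":
            findings.append((ip_text, hostname, verdict))
    return findings


if __name__ == "__main__":
    for ip_text, hostname, verdict in review_hosts(SAMPLE_LOG):
        print(f"{verdict:16} {ip_text:16} {hostname}")
```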
dwar08 Author Commented:
I ran the Hitmanpro and Eset online scans as you mentioned... Logs are attached... The first runs through produced a lot of hits but after a few passes they both came up clean with the exception of a file from the Hitmanpro called rpcnet.dll.  After a couple of clean passes I was able to run the PC-cillin, do an update and run a full scan.  Its scan found no infections.   I was again about to release it to the customer, when I noticed the PC-cillin icon was not in the task tray again.  I tried to run a manual update and scan and it went back to giving the same error.  It appears to be reinfecting the machine from somewhere. I have the system restore points shut off.  It also appears that Windows Defender has some problems.  When I try to run it, it tells me it is disabled through a group policy.  I ran another Eset scan (2.5 hrs) and it was clean, but the Hitmanpro scan came back with hits again.
Thanks,

eset.txt
0
dwar08 Author Commented:
Additional Log file
hitmanpro3log.xml
0
optoma Commented:
Ok, run these>remember to right click and run as administrator for all

ExeHelper>trend may flag this as bad>ignore warning/allow file to run!
http://raktor.net/exeHelper/exeHelper.com

Tdsskiller
http://support.kaspersky.com/viruses/solutions?qid=208280684

Combofix>disable trend's scanner shields before running
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post their complete logfiles after
0
dwar08 Author Commented:
After running Combofix and rebooting it allowed me to get into the PC-cillin console and do an update one time... After logging user off and logging in as different user on same laptop it went back to giving me original error....

Attached  are the Logs

Thanks for your help
ComboFixLog.txt
exehelperlog.txt
0
dwar08 Author Commented:
TDSSKiller Log attached (I keep hitting Enter before I get all the files attached... Sorry)
report.txt
0
optoma Commented:
>Norton appears to be still there.
Use its removal tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

>Is Hitmanpro still reporting the single infection?

>Run Dr Web cureit to make sure nothing was missed as machine appears to have been heavily riddled! Post its logfile
http://www.freedrweb.com/download+cureit/

>Trend may have to be taken off and reinstalled if still having same issue afterwards
0
dwar08 Author Commented:
In the end I had to remove the Trend Micro PC-cillin... It appears to be conflicting with some other program.. It will not load consistently on POR.  The single file that HitmanPro was detecting appears to be related to the LoJack that is on the laptop.  It tested clean and I installed Avast A/V on it and all appears to be well...
Thanks for your help....
0
optoma Commented:
No prob :)
0