adware_commanddesktop unable to delete



scintilla
2006-11-15, 03:14
Hi guys,

I need your help! Trend Micro HouseCall cannot delete this problem... any idea how I can rectify it? Any help is greatly appreciated.

Below is my log file from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 9:44:26 AM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\trafkbdy.exe
C:\WINDOWS\system32\brwconf.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\James\My Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://aa.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://asia.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\system32\DomainHelper.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxwda2a9] RUNDLL32.EXE w1700447.dll,n 006da2a30000000a1700447
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e56.exe
O4 - HKLM\..\Run: [newname] c:\\nwnmff_e56.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e56.exe
O4 - HKLM\..\Run: [{C9-9D-DE-E6-ZN}] C:\windows\system32\nmdsregk.exe SED001
O4 - HKLM\..\Run: [vdylqisA] C:\WINDOWS\vdylqisA.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e56.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [brwdiag] C:\WINDOWS\system32\brwconf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SybaseCentral43] "c:\progra~1\sybase\asa90\shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] c:\progra~1\sybase\asa90\win32\dbisqlg.exe -preload
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [kbdru] C:\WINDOWS\system32\kbdru.exe
O4 - HKCU\..\Run: [keylbi32] C:\WINDOWS\system32\keylbi32.exe
O4 - HKCU\..\Run: [dpnlobby] C:\WINDOWS\system32\dpnlobby.exe
O4 - HKCU\..\Run: [dfrgres] C:\WINDOWS\system32\dfrgres.exe
O4 - HKCU\..\Run: [kbdhela2] C:\WINDOWS\system32\kbdhela2.exe
O4 - HKCU\..\Run: [divx_xx07] C:\WINDOWS\system32\divx_xx07.exe
O4 - HKCU\..\Run: [mscat32] C:\WINDOWS\system32\mscat32.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\explorer.exe
O4 - HKCU\..\Run: [fxsasn12] C:\WINDOWS\system32\fxsasn12.exe
O4 - HKCU\..\Run: [msxml2r] C:\WINDOWS\system32\msxml2r.exe
O4 - HKCU\..\Run: [wmpsrcwp] C:\WINDOWS\system32\wmpsrcwp.exe
O4 - HKCU\..\Run: [sprio600] C:\WINDOWS\system32\sprio600.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\loader261953.exe
O4 - HKCU\..\Run: [Winstm] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstn] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstz] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstk] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstq] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstv] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winsth] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winsts] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winsty] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstr] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [mfc42u] C:\WINDOWS\system32\mfc42u.exe
O4 - HKCU\..\Run: [ltfil13n] C:\WINDOWS\system32\ltfil13n.exe
O4 - HKCU\..\Run: [Winstp] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstg] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstl] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstw] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstc] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [IEXPLORE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152322004513
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{232458D4-CFCC-461F-9687-84D071F8423F}: NameServer = 203.120.90.60,203.120.90.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{232458D4-CFCC-461F-9687-84D071F8423F}: NameServer = 203.120.90.60,203.120.90.90
O17 - HKLM\System\CS2\Services\Tcpip\..\{232458D4-CFCC-461F-9687-84D071F8423F}: NameServer = 203.120.90.60,203.120.90.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: e1.dll c:\windows\system32\ldcore.dll icmufecl.dll confbrw.dll brwstat.dll
O20 - Winlogon Notify: brwmgr - C:\WINDOWS\SYSTEM32\brwmgr32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: trafkbdy - C:\WINDOWS\system32\trafkbdy.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adaptive Server Anywhere - WSDbServer (ASANYs_WSDbServer) - iAnywhere Solutions, Inc. - c:\progra~1\sybase\asa90\WIN32\DBSRV9.EXE
O23 - Service: d3drm.exe - Unknown owner - C:\WINDOWS\system32\d3drm.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: hpzcoi11.exe - Unknown owner - C:\WINDOWS\system32\hpzcoi11.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

illukka
2006-11-15, 07:04
1. First download AVG Anti-Spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30-day trial of the program.
Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the setup program.
Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
On the main screen select the icon "Update", then select the "Update now" link.
Next select the "Start Update" button; the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports":
Select "Automatically generate report after every scan"
Un-select "Only if threats were found"

Close AVG Anti-Spyware. Do NOT run a scan just yet; we will shortly.

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right-click the BFU folder on your desktop, and choose Extract All.
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

5. IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and reboot your system back into Normal Mode.

6. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press Exit to terminate the BFU program.
Reboot into normal Windows and post the contents of the AVG Anti-Spyware text report that you saved and a new HijackThis log.

scintilla
2006-11-15, 08:34
Hi, thanks for replying. I did all as instructed. Here is my current HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:28:17 PM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\progra~1\sybase\asa90\WIN32\DBSRV9.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PccGuide.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\nmdsregk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\progra~1\sybase\asa90\shared\Sybase Central 4.3\win32\scjview.exe
C:\progra~1\sybase\asa90\win32\dbisqlg.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\keylbi32.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\James\Desktop\hijackthis\HijackThis.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\PROGRA~1\3M\PSNLite\PSNGive.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://aa.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://asia.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Domain Helper - {B8A5DE1C-BC13-4DD2-BF00-7BE3C603F9F2} - C:\WINDOWS\system32\DomainHelper.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxwda2a9] RUNDLL32.EXE w1700447.dll,n 006da2a30000000a1700447
O4 - HKLM\..\Run: [{C9-9D-DE-E6-ZN}] C:\windows\system32\nmdsregk.exe SED001
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [brwdiag] C:\WINDOWS\system32\brwconf.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SybaseCentral43] "c:\progra~1\sybase\asa90\shared\Sybase Central 4.3\win32\scjview.exe" -preload
O4 - HKCU\..\Run: [DBISQL9] c:\progra~1\sybase\asa90\win32\dbisqlg.exe -preload
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [kbdru] C:\WINDOWS\system32\kbdru.exe
O4 - HKCU\..\Run: [keylbi32] C:\WINDOWS\system32\keylbi32.exe
O4 - HKCU\..\Run: [dfrgres] C:\WINDOWS\system32\dfrgres.exe
O4 - HKCU\..\Run: [kbdhela2] C:\WINDOWS\system32\kbdhela2.exe
O4 - HKCU\..\Run: [mscat32] C:\WINDOWS\system32\mscat32.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\explorer.exe
O4 - HKCU\..\Run: [fxsasn12] C:\WINDOWS\system32\fxsasn12.exe
O4 - HKCU\..\Run: [msxml2r] C:\WINDOWS\system32\msxml2r.exe
O4 - HKCU\..\Run: [wmpsrcwp] C:\WINDOWS\system32\wmpsrcwp.exe
O4 - HKCU\..\Run: [sprio600] C:\WINDOWS\system32\sprio600.exe
O4 - HKCU\..\Run: [Winstn] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstk] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstv] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winsty] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstr] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [mfc42u] C:\WINDOWS\system32\mfc42u.exe
O4 - HKCU\..\Run: [ltfil13n] C:\WINDOWS\system32\ltfil13n.exe
O4 - HKCU\..\Run: [Winstg] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [Winstw] C:\WINDOWS\loader267750.exe
O4 - HKCU\..\Run: [IEXPLORE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152322004513
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{232458D4-CFCC-461F-9687-84D071F8423F}: NameServer = 203.120.90.60,203.120.90.90
O17 - HKLM\System\CS1\Services\Tcpip\..\{232458D4-CFCC-461F-9687-84D071F8423F}: NameServer = 203.120.90.60,203.120.90.90
O17 - HKLM\System\CS2\Services\Tcpip\..\{232458D4-CFCC-461F-9687-84D071F8423F}: NameServer = 203.120.90.60,203.120.90.90
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: e1.dll c:\windows\system32\ldcore.dll icmufecl.dll confbrw.dll brwstat.dll
O20 - Winlogon Notify: brwmgr - C:\WINDOWS\SYSTEM32\brwmgr32.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: trafkbdy - C:\WINDOWS\system32\trafkbdy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adaptive Server Anywhere - WSDbServer (ASANYs_WSDbServer) - iAnywhere Solutions, Inc. - c:\progra~1\sybase\asa90\WIN32\DBSRV9.EXE
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: d3drm.exe - Unknown owner - C:\WINDOWS\system32\d3drm.exe (file missing)
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: hpzcoi11.exe - Unknown owner - C:\WINDOWS\system32\hpzcoi11.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

illukka
2006-11-15, 09:11
Hmm, odd. How about the AVG Anti-Spyware scan report?

Did you do it while in Safe Mode as instructed?

scintilla
2006-11-15, 09:32
Here it is.

Yes, I did it in Safe Mode.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:15:47 PM 11/15/2006

+ Scan result:

C:\WINDOWS\system32\9.exe -> Downloader.Agent.axb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\divx_xx07.exe -> Downloader.Agent.axb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dpnlobby.exe -> Downloader.Agent.axb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ѕymbols\wowexec.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cmsetacl.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hpzcoi11.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kbddv.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mfcsubs.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ncobjapi.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ntmarta.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\scesrv.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\WINDOWS\system32\snmpapi.exe -> Downloader.Reqlook.k : Cleaned with backup (quarantined).
C:\Documents and Settings\James\Local Settings\Temp\Temporary Internet Files\Content.IE5\XKZE3A42\eztzfplv[1].htm -> Downloader.Small.coy : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[1008] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[1660] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[1664] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[336] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[440] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[492] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[504] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[656] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[756] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[884] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
[924] c:\windows\system32\ldcore.dll -> Downloader.Small.dxm : Cleaned with backup (quarantined).
C:\WINDOWS\vdylqisA.exe -> Downloader.VB.ang : Cleaned with backup (quarantined).
C:\WINDOWS\vdylqis.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8Z1WALTH\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\WINDOWS\loader267750.exe -> Hijacker.Small.lt : Cleaned with backup (quarantined).
C:\Documents and Settings\James\Cookies\james@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\James\Cookies\james@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@creative.paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Documents and Settings\James\Cookies\james@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\James\Cookies\james@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\James\t3st.bmp -> Trojan.HideProc.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\t3st.bmp -> Trojan.HideProc.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\durvil1.exe -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\Documents and Settings\James\Local Settings\Temp\Temporary Internet Files\Content.IE5\XKZE3A42\jnrurxfce[1].txt -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\icmufecl.dll -> Worm.Warezov : Cleaned with backup (quarantined).
C:\WINDOWS\system32\trafkbdy.exe -> Worm.Warezov.df : Cleaned with backup (quarantined).
C:\WINDOWS\m1.2.exe -> Worm.Warezov.dq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\trafkbdy.dll -> Worm.Warezov.et : Cleaned with backup (quarantined).


::Report end

scintilla
2006-11-15, 09:33
Hi.. what do you mean by odd?

illukka
2006-11-15, 12:44
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

After ComboFix:

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, click Options > Change settings.
Choose the "Scan" tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, see if you can click the following icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the icon right below and select Move incurable as you'll see in the next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

So post the ComboFix report, Dr.Web CureIt report and a fresh HJT log when you return.

LonnyRJones
2006-11-25, 23:35
Due to lack of responses this thread is closed.
If you still need assistance a new log will be needed; send me or Tashi a PM (personal message) and we will re-open it.