Noob to this kinda spyware, here's my list
JaredKaragen
12-30-2005, 10:46 AM
I tried lots of different spyware apps/techniques...
so I got HijackThis and here's the info:
Logfile of HijackThis v1.99.1
Scan saved at 6:40:49 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Security Stronghold\True Sword\Infected\DvzIncMsgr.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DJ Karagen\Desktop\New Folder\TOKENMON.EXE
C:\Documents and Settings\DJ Karagen\Desktop\New Folder\procexp.exe
C:\Program Files\NavNT\VPC32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\DJ Karagen\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://(null)/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Security Stronghold\True Sword\Infected\DvzIncMsgr.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119627248294
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FFEA12-9079-42A8-9CB1-C812361B2736}: NameServer = 68.116.46.115,68.189.122.19,68.185.34.67
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: uxAzCKyM - {6CC29E8D-C668-3427-D881-29AA7FF75218} - C:\WINDOWS\system32\xjg.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
classicsoftware
12-30-2005, 10:56 AM
Before we dive in here, please post what you did to this point and what symptoms you are having.
JaredKaragen
12-30-2005, 11:06 AM
At first I was looking for a driver, then my comp started loading hella crap when I opened a site. It then changed my background and user privileges and tried to install spydoctor or something like that.
I would get the red X circle on my taskbar telling me I have spyware.
My network icon shows massive transmitting and receiving while no net apps are open. My network monitoring software (NetLimiter) shows no activity, yet the packets flow in and out.
I ran Microsoft AntiSpyware (newest version with newest updates); it found about 30 things.
I then ran my Norton; nothing came up.
After that I downloaded Ad-Aware SE and it found about 3 more items.... My MS AntiSpyware is blocking some system startup changes and things now, but the obvious activity of spyware is still present...
I then ran the free online Trend Micro spyware scan... it found a crapload and cleaned 'em...
I still have issues with my datastream and I know my PC is still infected.
This is where I stand....
JaredKaragen
12-30-2005, 11:09 AM
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Security Stronghold\True Sword\Infected\DvzIncMsgr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FFEA12-9079-42A8-9CB1-C812361B2736}: NameServer = 68.116.46.115,68.189.122.19,68.185.34.67
O21 - SSODL: uxAzCKyM - {6CC29E8D-C668-3427-D881-29AA7FF75218} - C:\WINDOWS\system32\xjg.dll
I uninstalled the True Sword program... it didn't do ****.
These are the things on my list that look fishy and suspect to me.... I just want opinions from people who use this tool.
I have never had a problem with this kind of spyware before... it's rather perturbing.
classicsoftware
12-30-2005, 11:44 AM
Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run Ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main Ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), perform a full system scan and fix all that it finds.
Re-boot and post back an Ewido log and a new HijackThis log.
I'll be gone for a few hours so Budfred may hop in to finish if not, I'll get to this later today.
JaredKaragen
12-30-2005, 03:02 PM
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 9:26:14 AM, 12/30/2005
+ Report-Checksum: BBF68501
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{31EE3286-D785-4E3F-95FC-51D00FDABC01} -> Downloader.Delf.aeo : Cleaned with backup
[876] C:\WINDOWS\system32\msupdate32.dll -> Backdoor.Delf.ald : Cleaned with backup
[3060] C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@microsofteup.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@microsoftwga.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Cookies\dj karagen@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\DJ Karagen\Local Settings\Temp\dmx43.tmp -> Worm.Locksky.q : Cleaned with backup
:mozilla.35:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.36:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.37:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.38:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.98:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.99:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.100:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.101:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.102:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.103:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.207:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.262:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.265:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.266:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.267:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.268:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.269:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.275:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.276:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.277:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.286:C:\Documents and Settings\JaredKaragen\Application Data\Mozilla\Firefox\Profiles\default.1pw\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
JaredKaragen
12-30-2005, 03:03 PM
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\2.qtdfmp -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\5.qtdfmp -> Downloader.Small.cdc : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\7.qtdfmp -> Downloader.Small.atl : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\cgavybsa.exe -> Downloader.FakeAntiSpyware : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\dmx2C.tmp -> Worm.Locksky.q : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\dmx2D.tmp -> Worm.Locksky.q : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\dmx6.tmp -> Worm.Locksky.q : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\maxdd.game -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\vx1.game -> Dropper.Agent.afj : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\vx4.game -> Downloader.Small.cah : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temp\vx6.game -> Downloader.Small.aqu : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temporary Internet Files\Content.IE5\41I3896B\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temporary Internet Files\Content.IE5\O56RSTIJ\xp_0031[1].exe -> Worm.Locksky.q : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temporary Internet Files\Content.IE5\OHI7CLMZ\get2[1] -> Dropper.Agent.ol : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Local Settings\Temporary Internet Files\Content.IE5\OHI7CLMZ\ise5[1].php -> Downloader.FakeAntiSpyware : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Start Menu\Programs\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Documents and Settings\JaredKaragen\Start Menu\Programs\SpySheriff\SpySheriff.lnk -> Spyware.SpySheriff : Cleaned with backup
C:\Documents and Settings\JaredKaragen\temp.bak -> Worm.Locksky.q : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Logger.Small.dg : Cleaned with backup
C:\Program Files\Security Stronghold\True Sword\Infected\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\WINDOWS\adsldpbf.dll -> Downloader.Delf.lh : Cleaned with backup
C:\WINDOWS\alt.exe -> Hijacker.Delf.eb : Cleaned with backup
C:\WINDOWS\g7525609.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\WINDOWS\sachostx.exe -> Worm.Locksky.q : Cleaned with backup
C:\WINDOWS\system32\browsela.dll -> Downloader.Delf.aeo : Cleaned with backup
C:\WINDOWS\system32\maxd64.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Backdoor.Delf.ald : Cleaned with backup
C:\WINDOWS\system32\vxgame6.exe -> Downloader.Small.aqu : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq5.exe -> Downloader.Small.cdc : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> Downloader.Small.atl : Cleaned with backup
C:\WINDOWS\warnhp.html -> Hijacker.WallpaperChange : Cleaned with backup
F:\Cracking Toolz\9x_int09.zip/INT09MON.COM -> Logger.Int09 : Cleaned with backup
F:\Cracking Toolz\9x_int09.zip/AWOL.COM -> Not-A-Virus.Tool.AnotherWay : Cleaned with backup
F:\Cracking Toolz\Ghost.Keylogger.v3.73.WinAll.Cracked-CONCEPT\cptgk373.zip/concept.rar/cracked.rar/syncagent.EXE -> Logger.GhostKeyLogger.c : Cleaned with backup
F:\Cracking Toolz\udp666.zip/udp666.exe -> Not-A-Virus.Flooder.UDP.VB.a : Cleaned with backup
F:\Emulation\N64\Nintendo 64\GO\GO.exe -> Trojan.Butano : Cleaned with backup
F:\Hacking\netd3001.exe/netdc.exe -> Not-A-Virus.Flooder.Vb.P : Cleaned with backup
F:\Hacking\netd3001.exe/netd.exe -> Not-A-Virus.Flooder.VB.p : Cleaned with backup
F:\Hacking\netd3001.exe/netdc.exe -> Not-A-Virus.Flooder.Vb.P : Cleaned with backup
F:\Hacking\netd3001.exe/netd.exe -> Not-A-Virus.Flooder.VB.p : Cleaned with backup
F:\Hacking\PortScan.zip/PORTSCAN.EXE -> Not-A-Virus.Tool.Scanner.Scan.11 : Cleaned with backup
F:\Hacking\X-Scan-v2.3-en.rar/dat\cgi.lst -> Not-A-Virus.Exploit.IIS.WebDir : Cleaned with backup
F:\Hacking\X-Scan-v2.3-en.rar/Xscan.exe -> Not-A-Virus.HackTool.XScan.23 : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\Hacken voordummies\Hacken voordummies\John\16 Bit Version\run\john-k6.zip/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\Hacken voordummies\Hacken voordummies\John\16 Bit Version\run\john-mmx.zip/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\Hacken voordummies\Hacken voordummies\John\16 Bit Version\run\john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\Hacken voordummies\Hacken voordummies\John\16 Bit Version\run\john.exe.1 -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\Hacken voordummies\Hacken voordummies\John\john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\Hacken voordummies\Hacken voordummies\WWWhack\patch.exe -> Not-A-Virus.HackTool.WwwHack.a : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\^Hacking_toolz^\john-16w\john-16w\john-16\run\john-k6.zip/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\^Hacking_toolz^\john-16w\john-16w\john-16\run\john-mmx.zip/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\^Hacking_toolz^\john-16w\john-16w\john-16\run\john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\^Hacking_toolz^\john-16w\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\^Hacking_toolz^\john-16w\john-16w.zip/john-16/run/john-k6.zip/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
F:\Unsorted Crap\_=!Hack Software!=_\^Hacking_toolz^\john-16w\john-16w.zip/john-16/run/john-mmx.zip/john.exe -> Not-A-Virus.HackTool.John : Cleaned with backup
::Report End
JaredKaragen
12-30-2005, 03:04 PM
Logfile of HijackThis v1.99.1
Scan saved at 11:01:43 AM, on 12/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\AEIWLSTA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Security Stronghold\True Sword\Infected\DvzIncMsgr.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\mmc.exe
C:\Documents and Settings\DJ Karagen\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://(null)/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll (file missing)
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AEIWLSTA.EXE] AEIWLSTA.EXE START
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Security Stronghold\True Sword\Infected\DvzIncMsgr.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install/00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119627248294
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135956914796
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FFEA12-9079-42A8-9CB1-C812361B2736}: NameServer = 68.116.46.115,68.189.122.19,68.185.34.67
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: uxAzCKyM - {6CC29E8D-C668-3427-D881-29AA7FF75218} - C:\WINDOWS\system32\xjg.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
Budfred
12-30-2005, 04:57 PM
It looks like most things are cleaned up, but a few things remain... Please open HJT, scan, and put checks by:
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll (file missing)
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O21 - SSODL: uxAzCKyM - {6CC29E8D-C668-3427-D881-29AA7FF75218} - C:\WINDOWS\system32\xjg.dll
If you did not set this up yourself, fix this one too:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://(null)/
Close all open windows except HJT and press Fix checked....
Find and delete:
C:\WINDOWS\system32\browsela.dll
C:\WINDOWS\system32\xjg.dll
You will need to do a search to find this one:
msupdate32.dll
Reboot and post a fresh HJT log with an update on how things are going...
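The entries Jared picked out as fishy (the nameless O2 BHO, the O17 NameServer line, the O21 SSODL entry) and the ones Budfred tells him to fix (the O20 Winlogon Notify DLLs and the orphaned BHO) are exactly the HJT sections a triage pass should look at first. The script below is an added example, not HijackThis code and not anything posted in this thread: it parses O2/O17/O20/O21/O23 lines in HJT 1.99.1 format and sorts them into "fix" (remove via HJT) or "review" (verify by hand). The sample log is constructed from lines in the two logs above. The Winlogon Notify and SSODL allowlists are this example's assumptions about Windows XP defaults, and `looks_random` is a crude heuristic; extend the allowlists from a known-clean machine before relying on them.

```python
"""Triage helper for HijackThis 1.99.1 log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the two HJT logs in this thread,
# mixing the first log's live entries with the second log's "(file missing)" ones.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\adsldpbf.dll - {EEE7178C-BBC3-4153-9DDE-CD0E9AB1B5B6} - C:\WINDOWS\adsldpbf.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{43FFEA12-9079-42A8-9CB1-C812361B2736}: NameServer = 68.116.46.115,68.189.122.19,68.185.34.67
O20 - Winlogon Notify: browsela - C:\WINDOWS\system32\browsela.dll
O20 - Winlogon Notify: msupdate - msupdate32.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: uxAzCKyM - {6CC29E8D-C668-3427-D881-29AA7FF75218} - C:\WINDOWS\system32\xjg.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
"""

# Assumed allowlists: Windows XP default Winlogon Notify packages and
# ShellServiceObjectDelayLoad names as this example knows them (lowercased).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
KNOWN_SSODL = {"postbootreminder", "cdburn", "webcheck", "systray"}

HJT_LINE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    entry: str      # HJT section, e.g. "O20"
    severity: str   # "fix" (remove with HJT) or "review" (verify by hand)
    reason: str
    line: str


def _missing(text: str) -> bool:
    return "(file missing)" in text


def looks_random(name: str) -> bool:
    """Crude generated-name check: few vowels and many upper/lower case flips."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    return vowel_ratio <= 0.25 and flips >= 4


def assess_bho(body: str):
    m = re.match(r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$", body)
    if not m:
        return "review", "BHO entry did not parse"
    if _missing(m["path"]):
        return "fix", "orphaned BHO registration: DLL no longer on disk"
    if m["name"].lower().endswith(".dll"):
        return "fix", "BHO registered with no class name, only its own DLL path"
    return None


def assess_winlogon_notify(body: str):
    m = re.match(r"Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$", body)
    if not m:
        return "review", "Winlogon Notify entry did not parse"
    if _missing(m["dll"]):
        return "fix", "Winlogon Notify package points at a missing DLL"
    if m["name"].lower() in KNOWN_NOTIFY:
        return None
    return "review", "non-default Winlogon Notify DLL; it loads into winlogon.exe at logon"


def assess_ssodl(body: str):
    m = re.match(r"SSODL: (?P<name>\S+) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$", body)
    if not m:
        return "review", "SSODL entry did not parse"
    if _missing(m["path"]):
        return "fix", "orphaned SSODL registration"
    if m["name"].lower() in KNOWN_SSODL:
        return None
    if looks_random(m["name"]):
        return "fix", "random-looking SSODL name; it loads into explorer.exe at shell start"
    return "review", "non-default SSODL entry"


def assess_nameserver(body: str):
    m = re.search(r"NameServer = (?P<servers>[\d.,]+)", body)
    if not m:
        return None
    return "review", "per-interface DNS servers %s: confirm they are your ISP's or your own" % m["servers"]


def assess_service(body: str):
    if "Unknown owner" not in body:
        return None
    if re.search(r'\.exe" ', body):
        # HJT 1.99.1 splits a quoted path with arguments at the closing quote,
        # so "(file missing)" on such a line is usually a parse artifact.
        return "review", "unknown-owner service; '(file missing)' is likely a quoted-path parse artifact, check the binary by hand"
    if _missing(body):
        return "review", "unknown-owner service whose binary could not be found"
    return "review", "service binary carries no company name"


ASSESSORS = {"O2": assess_bho, "O17": assess_nameserver, "O20": assess_winlogon_notify,
             "O21": assess_ssodl, "O23": assess_service}


def triage(log_text: str) -> list:
    """Return Findings for every O2/O17/O20/O21/O23 line that needs action, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m or m["kind"] not in ASSESSORS:
            continue
        verdict = ASSESSORS[m["kind"]](m["body"])
        if verdict:
            severity, reason = verdict
            findings.append(Finding(m["kind"], severity, reason, line))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"[{f.severity:6}] {f.entry:4} {f.reason}\n         {f.line}")
```

On the sample, the nameless `adsldpbf.dll` BHO, the missing `msupdate32.dll` notify package and the `uxAzCKyM` SSODL entry come out as "fix", matching Budfred's list; `browsela` only comes out as "review" because nothing in the log line itself proves it bad (Ewido's signature did that), and `NavLogon` lands in "review" too until you confirm it is the Symantec component and add it to the allowlist. The O23 line for `r_server.exe` is flagged as a likely parse artifact rather than a missing file: the same log shows `C:\WINDOWS\system32\r_server.exe` in the running-process list, so the service binary is very much present, and a remote-administration service plus the `rpcapd` remote packet-capture daemon are listening attack surface worth confirming you set up deliberately.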
JaredKaragen
01-02-2006, 11:35 AM
Well, to put it simply, I started getting strange errors on my HD, worse and worse every hour I had it on.
It got to the point where DLLs like hal.dll and other system files would randomly be bad for no apparent reason and keep Windows from booting.
It was impossible to re-install the OS without getting some strange and horrific file errors that disabled the computer. I was only able to fix the problem by making a new partition.... so all my stuff is gone...
But I used GDBNT to get some of my stuff back (about 1/2 of what was there that I wanted to save was corrupted).
Thanks for the help =/ I guess it was a worst case scenario.
Budfred
01-02-2006, 02:24 PM
Actually, if you had posted back earlier, I had found a fix that probably would have fixed this without having to nuke it... In order to avoid this happening again, I strongly recommend that you read this and use the techniques noted for protection:
http://www.pcguide.com/vb/showthread.php?t=43169
Here is my prevention speech to help avoid future infection:
This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
http://forums.spywareinfo.com/index.php?showtopic=60955
JaredKaragen
01-05-2006, 05:05 AM
I couldn't even get Windows to stay loaded.... it kept having weird issues, like something fractal happened to the file allocation tables.... everything mixed up and not linking properly...
It got to the point where system files reported as bad, even after being replaced with the Recovery Console....
It got bad....
A repartition was the only way... hella messed up, but I got some data back.... I lost a lot of downloads but they come in fast anyways. (Mainly videos etc.)