Why does Malware not show up as process?



williad
2006-01-16, 16:14
On my machine, Spybot's TeaTimer rejects a registry change about once every second from a program called "Winsync". The location is shown as "C:\Windows\ ppipay.exe reg_r" (the end overruns the space in the TeaTimer box). However, there is no such file as "ppipay" or "winsync" found on my machine when searching for them.
Also, if this cryptic process is running and trying to write to the registry, then why does it not show up in the Task Manager? What does show up is something called "raswex". If I kill this process it comes back within seconds. A Google (and Microsoft Knowledge Base) search on the terms "raswex" and "ppipay" shows nothing found. Winsync shows up as a valid process name, but it may be hijacked by malware, which seems to be the case I have.
HijackThis shows these in a scan, but "Fixing" them only works for a few seconds and then they are back.
So to summarize my questions: Why does the name shown in the Spybot box not show up in the list of running processes in the Task Manager?
Also, has anyone ever heard of raswex or ppipay?
I'd like to fix the problem myself if I could understand it better. Although we are all extremely grateful for the expert moderators on this forum, I would hope they would spread the knowledge about what is going on inside the malware battle so their workload would be eased.
PS - if none of this makes sense and you just want me to post a Hijack log then please tell me.
Thank you, much.
DGW

LonnyRJones
2006-01-17, 09:48
Hi williad

That sounds like Qoologic.


Please disable SpybotSD TeaTimer.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode.
Check Yes in the next window.
Click on Tools in the bottom left hand corner.
Click on the Resident icon and uncheck the box next to TeaTimer:
"Resident "TeaTimer" (protection of all-over system settings) active"
Close Spybot.
Don't turn it back on until instructed.

Please go here and follow instructions.
Before you post a log
http://forums.spybot.info/showthread.php?t=288
Post the hjt log here in this thread.
Someone will then take a look at the system and advise you.

williad
2006-01-18, 15:05
Thanks for suggesting a good virus scan first. Because I'm on dialup and never open email attachments I wrongly assumed that I wouldn't be infected. The last virus scan I did months ago showed nothing. So I updated the database (takes over an hour on dialup) and ran the scan. Found 2 viruses and 62 trojans. Could not fix 2 of them: W32/Poebot.dam and some kind of thing called New Malware.j. The trojans found were Prutec (this was the "raswex" process), E2Give, Qoolaid, Downloader (RK, FL and VG), QLowZones-38 and Proxy-FBSR.
BTW, Spybot continues to run the TeaTimer even after unchecking the box.
So here is my current Hijack This scan log:

Logfile of HijackThis v1.99.1
Scan saved at 11:07:16 PM, on 1/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\firewall.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.srh.noaa.gov/data/forecasts/CTZ002.php?warncounty=CTC003&city=Hartford"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd4.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppipay.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Thanks !
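
An added example, not code from the thread: a small Python script that cross-checks a HijackThis log the way the question in the first post does by hand. It pulls the O4 Run entries and the "Running processes" list out of the log and reports autostart entries whose executable is not in the process list (in the log above that is the [winsync] ppipay.exe entry), and it also lists O2 BHO entries whose DLL HijackThis reports as "(file missing)" or "(no file)", the kind of line asked about later in the thread. The log excerpt embedded in the script is a constructed sample built from entries in this thread's logs and shortened; path comparison is case-insensitive because the log itself mixes System32 and system32.

```python
"""Cross-check a HijackThis 1.99 log: autostart entries vs. running processes.

Added example, not part of the forum thread. SAMPLE_LOG is a constructed
excerpt using entry formats copied from the posted logs.
"""
import re

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\firewall.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: (no name) - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppipay.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O2 - BHO: name - {CLSID} - path
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')


def running_processes(log):
    """Set of case-folded paths listed under 'Running processes:' (ends at the blank line)."""
    procs = set()
    collecting = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.add(line.strip().casefold())
    return procs


def executable_from_command(cmd):
    """Extract the program path from a Run-key command line.

    A quoted path may contain spaces, with arguments after the closing quote.
    An unquoted path is taken up to the first '.exe' followed by a space or
    end of line; HJT prints the TeaTimer entry unquoted despite its spaces.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def run_entries_not_running(log):
    """O4 autostart entries whose executable is absent from the process list."""
    procs = running_processes(log)
    missing = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_from_command(m.group("cmd"))
        if exe.casefold() not in procs:
            missing.append((m.group("hive"), m.group("name"), exe))
    return missing


def orphaned_bhos(log):
    """CLSIDs of BHOs still registered although HJT could not find their DLL."""
    found = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m and (m.group("path") == "(no file)" or m.group("path").endswith("(file missing)")):
            found.append(m.group("clsid"))
    return found


if __name__ == "__main__":
    for hive, name, exe in run_entries_not_running(SAMPLE_LOG):
        print(f"autostart not running: {hive} [{name}] -> {exe}")
    for clsid in orphaned_bhos(SAMPLE_LOG):
        print(f"BHO registered without a DLL on disk: {clsid}")
```

Feed it a full log (`run_entries_not_running(open("hijackthis.log").read())`) and the output is the short list of O4 lines worth looking at first; an entry that is set to start at every logon yet has no process of that name is the same discrepancy the thread's first post noticed between the TeaTimer alert and Task Manager.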

LonnyRJones
2006-01-18, 15:55
Hi

Please repeat disabling tea timer, also you might need right click on its icon in the tray and choose exit.

Start HijackThis and place a check next to these items if there.
Close all browser windows and shut down all other programs that show in the taskbar.(even Folders)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\System32\nsd4.dll
O4 - HKLM\..\Run: [Windows Network Firewall] C:\WINDOWS\system32\firewall.exe
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download FindQoologic.zip save it to your Desktop.
from here
http://downloads.subratam.org/Find-Qoologic.zip

Extract (unzip) the files inside, preferably here: C:\
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, then post it in a reply to your thread.

williad
2006-01-20, 14:56
OK, did all that. Here is what the text file says:
Find Qoologic last edited 01/08/2006
Running from
C:\
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
Check for missing files
.....
.....
End check for missing files
.....
VXD Check
.....
End vxd check
Please post this in the forum
-------------------------------------------------------------
That didn't seem to find anything so I did another Hijack scan which is posted below: (Please ignore the clock setting: It is never correct. Not sure why; the Battery is OK.)
------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:40:15 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.srh.noaa.gov/data/forecasts/CTZ002.php?warncounty=CTC003&city=Hartford"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ppipay.exe reg_run
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

It seems like this thing is real tenacious. Thanks for your continued help!
Deane

LonnyRJones
2006-01-20, 16:15
Hi

That's odd, it started but then went to a check; something is missing.
Please go here and use the appropriate fix for
your system, then run FindQoologic again and choose option 1.
http://www.tech-forums.net/computer/topic/29806.html
Then restart your PC and run FindQoologic again please.

williad
2006-01-23, 15:14
Over the weekend I tried to run FindQoologic again. I got the same text report as above, but in watching the DOS window I noticed it said "The system cannot find the path specified" about 50 times. The last line said "Could not find C:\Peek1.txt". I tried turning on continuous virus checking of all file changes and re-booted. When it came up the Spybot resident was doing its thing again with "Winsync". I right clicked and stopped it. Within a few seconds the virus checker reported finding AND DELETING the mysterious ppipay.exe file. The strange thing is it said the associated application was Spybot TeaTimer! Could this file have been hiding as the TeaTimer??
I ran Hijack This again and the scan looked clean to me. What do you think?
_________________________________
Logfile of HijackThis v1.99.1
Scan saved at 8:57:48 AM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.srh.noaa.gov/data/forecasts/CTZ002.php?warncounty=CTC003&city=Hartford"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Thanks!

LonnyRJones
2006-01-23, 15:52
Hi

Turn off TeaTimer and leave it off until we are finished with this thread please.

Did you go to that link and use the fix for your particular system, then try FindQoologic again?

If not, let's skip that and use Ewido: download, install and update, but it needs to be run while in safe mode, and don't open any folders while it is scanning or the infection might come back.
http://www.ewido.net/en/download/

williad
2006-01-23, 16:21
Lonny, as I mentioned above, TeaTimer is unchecked in Spybot but it always comes up after a reboot. I have to turn it off with a right-click, Exit.
But it just runs in the background now that the malware seems to be gone.
That link you gave me for XP contains 3 files. There are no .exe files. Am I to run the .BAT file?
I downloaded Ewido and will run it tonight on my machine..
Thanks.

LonnyRJones
2006-01-23, 16:38
Hi, there are no exes here?
http://www.tech-forums.net/computer/topic/29806.html
Very simple instructions provided there; anyway, skip that and install Ewido.

Try this for TeaTimer: turn it back on within Spybot, then turn it off again by unchecking that option. Now right-click on its tray icon (if it's still there) and choose Exit. It shouldn't then start with Windows.


Yes use ewido

williad
2006-01-23, 18:47
>Hi There are no exe's here ?
>http://www.tech-forums.net/computer/topic/29806.html

No there are no exe files in the archive. The zipped archive
XPProfiles.exe contains only command.com, autoexec.nt and
config.nt.
Will try Ewido tonight.

LonnyRJones
2006-01-23, 19:09
Thanks for pointing that out.
It's a self-extracting file and will put the files where they need to be when run.

williad
2006-01-24, 14:50
Wow, this stuff is tenacious! Here is what happened last night. I shut off the TeaTimer as you suggested and then started an Ewido scan. It was running slowly so I let it run overnight. This morning it had found and fixed 162 "items". The report is below. But also, the virus checker had deleted Qoolaid about 8 times
AND the TeaTimer was running continuously blocking a registry change from some [long string of numbers] entity. I have the modem set to "Never dial a connection" so I don't think anything happened overnight.
______________________________________________
(can't upload the scan because it is 48KB).

Anyway it looks like there are still demons lurking.

LonnyRJones
2006-01-24, 17:48
Hi

You might need to split that Ewido report into two or three files, then attach them.
I suggest you uninstall Spybot for now since TeaTimer won't turn off properly. You mention it might have interfered; I have to assume you did not run Ewido while the PC was in safe mode as was suggested.

williad
2006-01-25, 14:50
Rats! I thought of it the next morning that I forgot to run it in safe mode.
So I tried that last night. Ewido is a very nice program. It only found one additional item in safe mode. Here is the report:
---------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:37:02 PM, 1/24/2006
+ Report-Checksum: 83A2881C

+ Scan result:

F:\System Volume Information\_restore{1830E30D-8FBD-43D4-87B9-AF351FE8CC1D}\RP1\A0004417.dll -> Spyware.NewDotNet : Cleaned with backup


::Report End
--------------------------------------------------------
And here is the latest Hijack This scan (after reboot to normal mode):
--------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:05:09 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.srh.noaa.gov/data/forecasts/CTZ002.php?warncounty=CTC003&city=Hartford"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - (no file)
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
------------------- END -------------------------------
What is this item ?
O2 - BHO: (no name) - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - (no file)
Looks strange because there is no file identification.

Thanks Lonny!

LonnyRJones
2006-01-25, 20:36
Hi

Yes, that BHO should be fixed.

C:\WINDOWS\system32\firewall.exe < is that file still there ?

You're missing a normal item at the location below; that's why FindQoologic didn't work.
You probably have problems with other software as well. If you would like to repair it,
make and import this registry file:

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):00


Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.
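
An added example, not from the thread: the "VDD"=hex(7):00 line in the fix above is a REG_MULTI_SZ written in REGEDIT4 hex notation. The Python encoder/decoder below shows how that notation is built and why an empty multi-string is the single byte 00 in the ANSI REGEDIT4 format (the Unicode "Windows Registry Editor Version 5.00" format stores UTF-16 and would need 00,00). The key and value name reused in the usage section are the ones from the fix above; the script only renders the .reg text and never touches a registry.

```python
"""Encode/decode REGEDIT4 hex(7) (REG_MULTI_SZ) values and render a .reg file.

Added example, not part of the forum thread. REGEDIT4 is the ANSI .reg
format: a REG_MULTI_SZ is stored as NUL-terminated 8-bit strings followed by
one extra NUL, and a .reg file writes those bytes as comma-separated hex.
"""


def encode_multi_sz(strings):
    """Return the hex(7) body for a list of strings.

    Each string gets its own NUL terminator and the whole list gets one more,
    so an empty list encodes as the single byte 00, exactly what the
    "VDD"=hex(7):00 line above writes.
    """
    if any(s == "" for s in strings):
        raise ValueError("an empty string inside REG_MULTI_SZ would terminate the list early")
    data = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return ",".join(f"{byte:02x}" for byte in data)


def decode_multi_sz(body):
    """Parse a hex(7) body (e.g. "61,00,62,00,00") back into a list of strings.

    Long values in .reg files are wrapped with a trailing backslash; those
    continuations are joined before the hex bytes are read.
    """
    raw = bytes(int(h, 16) for h in body.replace("\\\n", "").split(",") if h.strip())
    if not raw.endswith(b"\x00"):
        raise ValueError("REG_MULTI_SZ data must end with a terminating NUL")
    # Drop the list terminator, then split on the per-string terminators.
    # For the empty value raw[:-1] is b"", which split() turns into [b""].
    return [p.decode("latin-1") for p in raw[:-1].split(b"\x00") if p]


def reg_file(key, name, strings):
    """Render a REGEDIT4 file that sets one REG_MULTI_SZ value under key.

    regedit expects CRLF line endings and a trailing blank line.
    """
    return (
        "REGEDIT4\r\n\r\n"
        f"[{key}]\r\n"
        f'"{name}"=hex(7):{encode_multi_sz(strings)}\r\n\r\n'
    )


if __name__ == "__main__":
    # The fix from the post above: VirtualDeviceDrivers\VDD set to an empty
    # multi-string. This only builds the text; it does not import it.
    key = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers"
    print(reg_file(key, "VDD", []), end="")
    print(decode_multi_sz("61,62,63,00,64,65,00,00"))
```

Decoding an existing hex(7) line before merging a .reg file is a cheap way to see what a fix really writes; `decode_multi_sz("00")` returning an empty list confirms the VDD fix above clears the value rather than setting it to a name.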

williad
2006-01-26, 15:28
Tried that registry fix, but it made no difference in the way that FindQoologic ran. It still listed about 50 lines of "can't find file path" as above.

I ran Hijack This and killed that suspicious line. We'll watch to
see if it returns. The computer seems to be humming along fine now.
Latest HJ scan:
-----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:40:43 PM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.srh.noaa.gov/data/forecasts/CTZ002.php?warncounty=CTC003&city=Hartford"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\cmz5yl38.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

Thanks !!

LonnyRJones
2006-01-26, 15:52
Your log looks fine. Curious, where were you running FindQoologic from?

williad
2006-01-26, 16:00
From the root drive C: as you suggested in message 4.

Thanks for all the help!!!!
I learned a lot and will be much more
watchful in the future about running scans.
Deane

LonnyRJones
2006-01-28, 13:30
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.
If you should need to post another log for the same PC, let me or Tashi know.

Spybot updates came out today; don't forget to get them.