Tom's Guide | Tom's Hardware | Tom's Games
Name: aosclay
Hey all,
Thanks for the input. Guess i should have specified what had already been done before i posted originally :)
The bug i posted about (which still eludes me) had already dodged the following cocktail of tools and detections:
Shredder
AASE
SBSD 1.4 beta
PestPatrol (i forget what version)
TDS-3
plus...a healthy dose of manual surgery (when i say "delete on reboot", that's what i mean you nasty little bug!)
This was a Win2k Pro PC with NAV 04 installed at the time of infection (and of course, NAV was no help).
This machine was a bloody shipwreck (you'd love the logs) when i got my hands on it, and this last bug is the sole survivor of my surgery. It impresses me.
You should have seen what happened when i plugged it back into a live internet connection....
All immunizations and protections enabled in SBSD and SpywareBlaster. It laughed at these and went right back to work.
TeaTimer noted most of its nefarious activity once it phoned home, but TeaTimer scares the customers :)
This PC will require more manual surgery at a later date.
Still scratching my head and swearing a little. I don't like getting beat.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ninr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vkviza.exe
O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\mvj2l91o1.dll
(yes, the 9-character random filename appears to be consistent)
This bug impressed me. Keep thinking gang, and thank you Sabertooth for yanking my chain and giving me some ideas i hadn't thought about yet (but i haven't gone completely stupid...win2k pc, no system restore, and i always unhide all files just in hopes of finding something good - haha) :)
Consider your chain yanked back :)
Its good to see all of you again. Peace kids.
AOSCLAY
PEBKAC, baby

Get some tech skills ya tard... LOL!!!!
KTTD
P.S. Clay is a personal friend of mine so don't blow a fuse folks.

Welcome back
BetterInternet/vx2/Transponder/look2me,
newest qoologic/narrator rootkit trojan?
Found an example post for you to work with.
http://castlecops.com/postp504086.html
I could dig up some more find-it tools,
no good without instructions though.
Abnormal

i don't know how you do your manual removal; it might be just the same as my manual removal tech. But normally i stop system restore (which u said there is none), boot the machine into safe mode, search for the file on the machine, and delete any reference to it (if it still doesn't let me delete, i do it from CMD PRMPT, and if that doesn't work i hook the drive into another machine as slave and kill it there). Now you may be able to blow away the file, but where your issue probably lies is in the registry. i would then search the registry for any reference of that file with the .exe on the end and then without the .exe on the end, note any other location that i find from the keys that it pulls up before i blow that whole key away, delete all references and restart and see what happens. Sometimes it takes a few times cuz some of the spyware BS likes to hide itself in the key (i don't remember which one it is) under an alternate name that it recreates itself in the registry startup and recreating the file... i hope that can help you out a little bit; if not, hey it was worth a shot right...
Complete Computer Service Inc.
NW Indiana
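The registry step in the post above (search for the file name with the .exe on the end, then without it, and note every other key that turns up before deleting anything) is easy to do by hand once, but tedious to repeat across reboots. The script below is an added example, not code from this thread or from any of the posters: it pulls the file paths out of the HijackThis-style entries quoted earlier in the thread and cross-references them against a regedit export. The `.reg` excerpt is constructed for this example; the `Run` and `Winlogon\Notify` key locations are the real ones, while the CLSID and `SOFTWARE\vkviza` keys are invented to show a stem-only hit and a second reference to the same DLL. It only reports; the deletion steps stay manual.

```python
"""Cross-reference HijackThis-style persistence entries against a regedit
export: for every file named in an entry, search for 'name.exe' and then
bare 'name'. Added example; all sample data below is constructed."""
import re
from pathlib import PureWindowsPath

# Constructed sample: the three entries quoted in the thread, plus one
# benign Run entry so the search has something it should also report
# without that meaning anything on its own.
HIJACKTHIS_LINES = [
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ninr.exe",
    r"O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\vkviza.exe",
    r"O20 - Winlogon Notify: Shell Extensions - C:\WINNT\system32\mvj2l91o1.dll",
    r"O4 - HKLM\..\Run: [Synchronization Manager] C:\WINNT\system32\mobsync.exe /logon",
]

# Constructed .reg excerpt in regedit Export format. Run and Winlogon\Notify
# are the real key locations; the CLSID and SOFTWARE\vkviza keys are invented.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KavSvc"="C:\\WINNT\\system32\\vkviza.exe"
"Synchronization Manager"="C:\\WINNT\\system32\\mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions]
"DllName"="C:\\WINNT\\system32\\mvj2l91o1.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINNT\\system32\\mvj2l91o1.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\vkviza]
"Installed"=dword:00000001
'''

# A drive-letter path ending in .exe or .dll; spaces are allowed because
# "Documents and Settings" paths are the normal case on Win2k.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\r\n"]*?\.(?:exe|dll)(?![A-Za-z0-9])', re.IGNORECASE)


def extract_paths(lines):
    """Return every .exe/.dll path mentioned in the log lines, in order."""
    return [PureWindowsPath(m.group(0)) for line in lines for m in PATH_RE.finditer(line)]


def search_terms(path):
    """'name.exe' first, then bare 'name': a field holding the full filename
    is reported once, under the more specific term."""
    return [path.name.lower(), path.stem.lower()]


def parse_reg_export(text):
    """Yield (key, value_name, data) from a .reg export. A key header line
    yields (key, None, None); the '@' default value is reported as '(Default)'."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double every backslash inside string data
            yield key, name, data.strip('"').replace("\\\\", "\\")


def find_references(reg_text, terms):
    """Return (key, value_name, field, term) for each registry field that
    contains one of the terms. Key paths are checked once, at the header."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        if name is None:
            fields = [("key path", key)]
        else:
            fields = [("value name", name), ("value data", data)]
        for field, text in fields:
            low = text.lower()
            for term in terms:
                if term in low:
                    hits.append((key, name, field, term))
                    break
    return hits


def triage(log_lines, reg_text):
    """Map each file from the log to its registry references (possibly none)."""
    return {
        path.name.lower(): find_references(reg_text, search_terms(path))
        for path in extract_paths(log_lines)
    }


if __name__ == "__main__":
    for filename, hits in triage(HIJACKTHIS_LINES, REG_EXPORT).items():
        print(f"{filename}: {len(hits)} registry reference(s)")
        for key, name, field, term in hits:
            where = f" -> {name}" if name else ""
            print(f"    [{field}] {key}{where}  (matched '{term}')")
```

Two things to keep in mind when pointing this at a real export: regedit's "Version 5.00" exports are UTF-16, so read the file with `encoding="utf-16"`; and a short stem like `ninr` is a substring match, so review every stem-only hit by hand before touching the key. A file with zero hits is the Startup-folder case from the thread: it persists without any registry entry, so the search coming up empty is itself useful information.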

Now i feel loved! :)
Hey Kevin, Abs, tommy o (and you too josh, though we've not met).
First bug it brings back in (after everything else is cleaned) is ABetterInternet.
Starbucks ads! Lots of them. LOL. And who says there isn't big money in adware?
Oh well, i'll go back tomorrow and do more surgery on it.
Unfortunately, it's a customer's machine, so i'll have to FFR it before too long (can't play with it indefinitely). And you all know i HATE that.
Kevin, Abs, Tommy O (and you josh)... good to see all of you again, even though Kevin is a loser and mildly retarded. :)
Thanks for the look, guys.
AOSCLAY
PEBKAC, baby

man starbucks is the shiznit, disappoints me that they gots to SPAM...
Complete Computer Service Inc.
NW Indiana

Clay,
Don't be dissing me, remember I got the power of "remove this message" LOL!!!
Good to see ya.
KTTD

Dis....
Dis....
Dis....
Good to see you too Kevin. :)
(Hey Dog, yeah, similar to peper, but peper was easier to get rid of, LOL)
AOSCLAY
PEBKAC, baby
