Pop up

Discussion in 'Malware and Virus Removal Archive' started by Helia, 2003/10/18.

Thread Status:
Not open for further replies.
  1. 2003/10/18
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    Hello

    I am wondering if anyone can tell me how to get rid of this.
    My sister's boyfriend was on Yahoo and someone told him to go see their profile. When he did, a download thing came up (him not knowing any better clicked OK), so it downloaded it, then hit cancel, so he says LOL. But anyway, now every time she goes to Yahoo Messenger and looks up someone's profile, the page of this Sexcam.exe comes up. We did a search on the PC, found it, deleted it, and it keeps coming up. We did a virus scan, all clean, and I also ran Spysweeper, still nothing. I went into the search and deleted all that had sexcam.exe in it, but it still comes up. Any help would be great, as she has children and doesn't want that sexcam thing coming up; it displays the website.
    thanks
     
  2. 2003/10/18
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16

  4. 2003/10/19
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    Thanks. She already used Spysweeper and it found stuff, but it still keeps happening. Aren't HijackThis and Spybot the same thing as Spysweeper?
     
  5. 2003/10/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    They may appear to be the same thing, but the reality is that Spysweeper is not very good at all.
    HijackThis is real good at removing Browser Hijackers; these are sometimes installed as BHOs [Browser Helper Objects]. It will also show everything that is starting up, in hidden places that do not show up in Msconfig, by clicking on Config, then Misc Tools, then Generate StartUpLog List.
    On Spysweeper, according to this page:
    SpySweeper doesn't claim to do anything especially revolutionary, but it does claim to do everything we were looking for. It let us down, detecting only 7 out of 20 pieces of spyware and clashing with Norton AntiVirus.
    and
    Troublingly, SpySweeper missed some well-known spyware applications, including Aureate/Radiate, eZula, and Web3000. Despite Webroot's claim to remove key loggers and Trojan horses, the product didn't remove NetObserve, WinWhatWhere, or NetBus.
    Spybot is the best, and it is absolutely free, and Spysweeper is paid for. There are several folks here that would recommend HijackThis and Spybot over anything out there.
     
  6. 2003/10/19
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    I did the HijackThis on my computer and it gave me all this. It looks all OK but I'm not sure. HELP lol
    StartupList report, 10/19/2003, 5:44:46 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\AOL 8.0\aoltray.exe
    C:\Paltalk\pnetaware.exe
    C:\Program Files\ICQ\Icq.exe
    C:\Program Files\Kazaa Lite K++\avipreview.exe
    C:\Program Files\Kazaa Lite K++\avipreview.exe
    C:\Program Files\AOL 8.0\waol.exe
    C:\Program Files\AOL 8.0\shellmon.exe
    C:\Program Files\AOL COMPANION\COMPANION.EXE
    C:\Program Files\nanoCom Corporation\iSpQ VideoChat\iSpQVideoChat62.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
    PalNetaware.lnk = C:\Paltalk\pnetaware.exe
    Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    AOL Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    hpsysdrv = c:\windows\system\hpsysdrv.exe
    KBD = C:\HP\KBD\KBD.EXE
    Recguard = C:\WINDOWS\SMINST\RECGUARD.EXE
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    IgfxTray = C:\WINDOWS\System32\igfxtray.exe
    HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
    PS2 = C:\WINDOWS\system32\ps2.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    QD FastAndSafe =
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    ICQ = C:\Program Files\ICQ\Icq.exe -trayboot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\sstext3d.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    ISP signup reminder 2.job
    ISP signup reminder 3.job
    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Registration reminder 2.job
    Registration reminder 3.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\SYSTEM32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [MSSecurityAdvisor Class]
    InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
    CODEBASE = http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1066164927171

    [BQMWebMessage.WebMessage]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\BQMWebMessage.ocx
    CODEBASE = http://community.bestqm.com/bqm/BQMWebMessage.CAB

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab

    [BQMWebMessage.WebMessage]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\BQMWebMessage.ocx
    CODEBASE = http://community.bestqm.com/bqm/BQMWebMessage.CAB

    [WSDownloader Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\WSDOWN~1.OCX
    CODEBASE = http://www.webshots.com/samplers/WSDownloader.ocx

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37741.7806134259

    [MSN Photo Upload Tool]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
    CODEBASE = http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab

    [NPX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\npx.ocx
    CODEBASE = http://kr.pristontale.com/nprotect/nprotect/npx.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: C:\DOCUME~1\Owner\LOCALS~1\Temp\Jgl_Rt\jesterrun0.dll||C:\WINDOWS\System32\_000007_.tmp||C:\WINDOWS\System32\_000008_.tmp||c:\ba66f67251dcd895dc696f||c:\efb30bdfa86e09a373345cdb237b88a2||c:\0ebb0767f049eed07c4c044321ca7d


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,958 bytes
    Report generated in 0.125 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
    Last edited: 2003/10/19
  7. 2003/10/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
  8. 2003/10/19
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    I use Paltalk a lot and I don't understand what that last post meant. I don't use adware; I used Spysweeper.
     
  9. 2003/10/19
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I wasn't referring to Ad-Aware, but to adware, spyware, malware and the like.

    Adware: Software that brings ads to your computer. Such ads may or may not be targeted, but are "injected" and/or popup, and are not merely displayed within the form of an ad-sponsored application.

    PalTalk contains third party advertising delivered and serviced by DoubleClick, which PalTalk confirms as their "Web advertising partner". Once you register with PalTalk, you will receive email solicitations from whatever companies are associated with both PalTalk, and DoubleClick. Once enrolled, you are offered the opportunity to unsubscribe from the PalTalk mailing list, but once you have been loaded onto other mailing lists you will have to unsubscribe from them too.

    Additionally, communications may be monitored and any form of your communication may be found published at another site for another purpose. Additionally, you waive all rights to any personal images sent through PalTalk to another user.

    Paltalk uses a combination of disk drive serial number and the physical MAC address on your NIC card to identify you.

    If you want to keep using an ineffective program like Spysweeper, that is your choice. I can understand you wanting to use it because you paid for it, but you got what you paid for.
    Spyware/Hijacked is some good reading.
     
    Last edited: 2003/10/19
  10. 2003/10/20
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    OK Thanks
    But I still haven't gotten rid of the sexcam.exe on her computer. "MINE DOES NOT HAVE IT"; her PC does, and she has tried everything: Spysweeper, Spybot, HijackThis, Uwipe, Pestcontrol etc. etc. This darn thing is still there. She has gone to MSconfig, Task Manager.
    If anyone has any idea, please let us know what to do.
    thanks
     
  11. 2003/10/20
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Yes, post her StartUpLog on here, or get her to come here. If she is using XP or ME, she may need to disable System Restore to completely remove it. When it is re-enabled, a new Restore Point will be created.
     
    Last edited: 2003/10/20
  12. 2003/10/21
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    HijackThis says:
    Logfile of HijackThis v1.97.3
    Scan saved at 9:26:47 AM, on 10/21/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\PROGRA~1\NORTON~1\NO634B~1\navapw32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\WINDOWS\5122.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RDSHOST.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\rsvp.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\Documents and Settings\BORNYESTERDAY\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.rogers.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.rogers.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = /ttp:cache:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - C:\WINDOWS\iempg.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: RHSI Toolbar - {4DF5B116-4FD9-4039-B377-1130953A980F} - C:\Program Files\Rogers Hi-Speed Internet\RHSI Toolbar\ToolBand.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NO634B~1\navapw32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe "
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [YM] C:\WINDOWS\5122.exe
    O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
    O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
     
  13. 2003/10/21
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    Start up log :

    StartupList report, 10/21/2003, 9:32:53 AM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\BORNYESTERDAY\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    C:\PROGRA~1\NORTON~1\NO634B~1\navapw32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\wt\updater\wcmdmgr.exe
    C:\WINDOWS\5122.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\BL9I.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\RDSHOST.exe
    C:\WINDOWS\system32\sessmgr.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\rsvp.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
    C:\Documents and Settings\BORNYESTERDAY\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
    C:\Program Files\ICQ\Icq.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    LVCOMS = C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
    NAV Agent = C:\PROGRA~1\NORTON~1\NO634B~1\navapw32.exe
    ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    MessengerPlus2 = "C:\Program Files\Messenger Plus! 2\MsgPlus.exe "
    Microsoft Works Update Detection = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    MSConfig = C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    YM = C:\WINDOWS\5122.exe
    RHSI SHS = "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    ICQ = C:\Program Files\ICQ\Icq.exe -trayboot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\webshots.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    NAV Helper - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
    (no name) - C:\WINDOWS\iempg.dll - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Norton SystemWorks One Button Checkup.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,523 bytes
    Report generated in 0.070 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  14. 2003/10/21
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
     
  15. 2003/10/21
    Helia

    Helia Inactive Thread Starter

    Joined:
    2002/03/19
    Messages:
    115
    Likes Received:
    0
    Those are from the sexcam.exe.
    We did a complete reinstall and so far it's gone, hope for good. I will post if anything changes. We did a reformat, then went to Yahoo, and it's gone, so I hope this worked. It was the only other option I could think of.
    thanks again
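
An added example (not part of the thread and not HijackThis's own code): a short Python pass over the HijackThis v1.97 log format posted above, using lines copied from that log, that lists BHO (O2) and Run (O4) entries worth a closer look. The two review heuristics, an unnamed BHO and a file sitting directly in C:\WINDOWS, are assumptions for illustration and not the verdict given in the thread; the unnamed Adobe BHO in the first StartupList report shows that "(no name)" alone is not conclusive.

```python
import re
from ntpath import dirname  # Windows path rules, works on any OS

# Excerpt of the HijackThis v1.97.3 log posted in this thread (lines copied as-is).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\5122.exe
C:\WINDOWS\System32\BL9I.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - C:\WINDOWS\iempg.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NO634B~1\navapw32.exe
O4 - HKCU\..\Run: [YM] C:\WINDOWS\5122.exe
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")                       # "O4 - ..." lines
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")   # name, CLSID, DLL
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")   # hive, key, name, cmd
WINDIR = r"c:\windows"  # assumption: default Windows directory, as in the posted logs


def exe_path(command):
    """Return the program path from a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].strip()
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))(?:\s|$)", command, re.I)
    return m.group(1) if m else command


def triage(log_text):
    """Return O2/O4 entries that match the review heuristics, with reasons."""
    running, entries = set(), []
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append(m.groups())
        elif re.match(r"[A-Za-z]:\\", line):
            running.add(line.lower())  # bare paths are the process list

    findings = []
    for code, body in entries:
        name = path = None
        reasons = []
        if code == "O2" and (b := BHO.match(body)):
            name, path = b.group(1), b.group(3)
            if name == "(no name)":
                reasons.append("unnamed BHO")
        elif code == "O4" and (r := RUN.match(body)):
            name, path = r.group(3), exe_path(r.group(4))
        if path is None:
            continue  # other entry types are not examined here
        if dirname(path).lower() == WINDIR:
            reasons.append("file directly in C:\\WINDOWS")
        if reasons and path.lower() in running:
            reasons.append("currently running")  # context, not a flag by itself
        if reasons:
            findings.append({"code": code, "name": name,
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f'{f["code"]} [{f["name"]}] {f["path"]}: {", ".join(f["reasons"])}')
```

Anything it lists still has to be checked by hand (file properties, vendor, CLSID lookup) before it is fixed in HijackThis.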
     