what is wefed.biz

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kernow, Dec 16, 2004.

  1. kernow

    kernow Private E-2

    Hi everyone, hope some of you may be able to help.
    Problem: about 5 weeks ago I had to disconnect my modem and disable my ethernet adapter to troubleshoot a problem. I then opened IE and a window opened stating "you or a program is trying to connect to the internet: wefed.biz". When I reconnected to the internet I looked it up and found it was related to the bagz32 worm family. I ran specific bagz detection software and various anti virus and spyware programs (although I have always had both Norton firewall and anti_vir on my computer); nothing was detected except the regular cookies by Adaware. I also ran HijackThis but nothing unusual was in the results either.
    After setting Norton to detect the wefed.biz connections and monitoring them through Norton firewall I decided to block the connection in either direction on all ports; that's when my real problems started. All automatic security updates for anti virus, Norton, Windows, Kerio, Adaware, Spybot, SpywareBlaster and AVG have stopped working and are unable to detect the internet connection, however all browser functions work as normal and I can manually download all the updates apart from Windows, which is nearly totally automated.
    I am getting approx 125 attempts per hour to connect to wefed.biz, all blocked. I then tried to connect to the website and immediately got hit with a dropper worm when I permitted connections again. If I allow connection to wefed.biz I now get regular virus attempts and what seems to be remotely started viruses which appear to run over the internet, mostly of the bot variants, popup ads for patchnow.exe, xpfix.com, and my computer gets a remote call to shut down via "lsa.shell".
    All updated virus removal software doesn't find any virus at all and spyware programs have not discovered any trojans, just the occasional cookies. HijackThis also shows nothing.
    So can anyone help me in finding what wefed.biz is about and where it would be located in the file system? There's nothing in the registry either and hkeyLM run parameters don't have anything unusual in them. Going to give it a week or 2 before formatting network drives and starting again.
     
  2. kernow

    kernow Private E-2

    Does anyone know if there are new variants of the bagz worm, or is anyone else having problems with popups and system shutdowns where they cannot stay connected to the internet, and problems with updates?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you download stuff? If so you should please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

    Also consider running the items in the section titled: Alternative Scans - If still having problems

    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    You may want to take a look at this too:
    http://secunia.com/virus_information/13095/bagz.f/
     
  4. kernow

    kernow Private E-2

    Hi chaslang, I had already tried about 85% of what was in your post but I have now tried it all and updated the stuff I had, which is a pain because it won't autodownload.
    Anyway, after taking the 4 or so hrs to run it all back to back, it came up with 14 data miner cookies and 3 Alexa registry entries which were detected by the updated Adaware. Absolutely no other virus was found on my system, as I have run all of these things in the last 5 weeks, and yes, superhidden folders were on view and services were stopped.
    But on reboot the blocked connection attempts to wefed.biz are still there.
    The site you gave me for info was OK but the Computer Associates website gives a lot more detail.
    Incidentally, if I didn't have this domain or site manually blocked I wouldn't even know it was there on my computer. It appears to redirect all security updates through the site.
    Anyway, where do I post the HijackThis log for inspection? I've already confirmed the nameserver is my ISP, which is cableinet.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You follow the guidelines I gave you below for posting a HijackThis log and attach it to your message in this thread.
     
  6. kernow

    kernow Private E-2

    Here is the HijackThis logfile, hope you see something in that I have missed.
    P.S.
    I have Win XP booting from D drive with windows1 as sysroot to stop default entry spyware.
    C: drive boots Win98.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your OS and IE versions are seriously out of date. You must get updated to at least WinXP SP1a. Some of your problems may be occurring due to the fact that you are so out of date.

    Problems:
    1) You must only run one software firewall. You need to choose which one you want and uninstall the other.
    2) You must only run one full blown virus application. Pick which one you want to keep and uninstall the other.
    3) Messenger Plus! 3 contains malware - including LOP. Uninstall it!
    4) You MUST NOT have any browsers running anytime you use HijackThis unless we specifically ask for it to be run that way. You had D:\Program Files\Internet Explorer\iexplore.exe running. Shut down your browser, run the scan and save the log. Then come back and post. This is even more important when fixing items with HJT.
    5) You are missing a required Windows file. See the below line in your log:
    O23 - Service: Application Layer Gateway Service - Unknown - D:\WINDOWS1\System32\alg.exe (file missing)
    You need to locate this file on either your XP CD or look for it in your c:\i386 or D:\windows1\i386 directory and copy it back to your system32 folder.
    6) Have HJT fix the below line from MSN toolbar. The file is missing anyway:
    O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

    After doing all the above post a new log and tell me how things are working.
     
  8. kernow

    kernow Private E-2

    One of my main problems is auto downloading security updates, which is fine for anti vir programs, but how do you save the Windows updates to disk then execute them? If I disable the block to wefed.biz then a remote call that lsa.shell is shutting down, then my computer shuts down via ntauthority, so running is OK but certain downloads crash my system.
    But anyway, I fdisked and reformatted an old hard disk I had and installed Win 98, then updated to 98SE and installed Norton firewall, but being in a silly mood I connected it to the network to upload AVG, Spybot, HijackThis and Adaware from this comp. So on startup, when I blocked wefed.biz it was already on that comp too, as was pong.ug66.biz, both showing in the firewall, though none of the other sites related to bagz showed up (I default blocked all the sites related to it). So whatever it is migrates through networks. Anyway, the connection attempt to wefed.biz only happens if I log on to Win98 via Client for MS Networks; if I cancel the logon and let Windows boot into the default user it does not try to connect until I start Iexplore. As soon as rnaapp is started then wefed and pong show in the firewall. When I ran a search for rnaapp it showed a file called ".~~C" (at this point I had not connected to the internet) and a rnaapp.hlp file, 19.6kb, which only said "this file is not meant for browsing". The .~~C file could not be opened or scanned as it was reported as didn't exist. Babylonia worm checks showed nothing.
    At this point I installed the modem for direct connection, but when I tried to connect the modem dialled and connected but iexplorer refused to display any web page, so I permitted the wefed.biz access and the first thing I was hit with was cookies from "atdmt.com", one named as the computer name colin@atdmt.com. The first cookies I blocked through firewall but 5 came through anyway. pong.ugg66.biz was still blocked but no further attempts were made to connect to that site.
    After this my computer connected to msn.com and acted normally, letting me into all sites, and auto updates worked fine. There have been no remote shutdowns and it has not slowed down, but connection to wefed.biz is definitely still there.
    So is it possible that wefed.biz is government spyware, or am I just sounding silly at this point, or is it connected to atdmt.com?
    Anyway, here is the HijackThis file from that comp. I am going to reformat the drive again and install Win98 with no connection to the network this time and see what happens. If reformatting is the only cure until some anti vir company releases definitions for it, I just don't like losing all comp data this way.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your current HJT log is clean. The only problem is that again, you need to get the required MS Updates.

    You should also take a look at this. It has a wefed.biz reference in it.
    http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=40571

    Also this:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.bagz.d@mm.html

    You need to run all the steps of the READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Possibly the online virus scanners or Alternative Scan section will help.
     
  10. kernow

    kernow Private E-2

    I have read all the posts for removal of bagz and manually checked the registry for them. I also know that wefed.biz is based in Canada and the IP address for it is 205.209.184.222. The webpage for pong.biz is forbidden and I reckon the ug66 is a subdomain of pong.biz that is based in Sweden; pong.biz has an IP address of 193.0.253.26 (I have done a little research into it). I also know that bagz stops web access by modifying the hosts file, but my hosts file and lmhosts file are empty; I've even tried selecting all to make sure it isn't modified with white fonts against the white background. And like I said, if I enable wefed.biz or permit it access on all ports then I can autodownload. There are several posts that are showing symptoms of what is happening to my network. How about trying to block wefed.biz on some firewalls to see if it's just my computer or if it is a larger problem? After all, new viruses and spyware have to be discovered somehow.
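    The hosts-file check kernow describes above (Bagz blocking update sites by editing the hosts file, possibly in a way the editor hides) can be done mechanically rather than by eye. The script below is an added example, not code from the thread or from any tool named in it; it parses the file as plain text, so display tricks such as white-on-white fonts do not matter, and flags watched update/AV domains mapped anywhere plus lines whose first field is not an IP. The watchlist and the sample hosts content are constructed assumptions.

```python
import ipaddress
import re

# Assumed watchlist of update/AV domains; extend for your own environment.
WATCHED_SUFFIXES = (
    "windowsupdate.com", "microsoft.com", "symantec.com",
    "mcafee.com", "grisoft.com", "lavasoftusa.com", "kaspersky.com",
)
LOOPBACK_OK = {"127.0.0.1", "::1", "0.0.0.0"}

# Constructed sample hosts file, not a real capture from the thread.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# ad-block style entry, harmless
0.0.0.0   ads.example.invalid
203.0.113.9\twww.windowsupdate.com   windowsupdate.microsoft.com
127.0.0.1  liveupdate.symantec.com
198.51.100.7 updates.example.invalid
bogus.entry  updates.example.invalid
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping, tolerating tabs,
    runs of spaces and trailing comments."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            yield (n, ip, "<malformed>")  # first field is not an IP
            continue
        for name in names:
            yield (n, ip, name.lower())

def audit_hosts(text, watched=WATCHED_SUFFIXES):
    """Return (line_no, ip, hostname, kind) findings. A watched domain mapped
    to loopback is 'blocked' (updates silently fail), anything else is
    'redirected'; non-IP first fields are 'malformed'."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name == "<malformed>":
            findings.append((n, ip, name, "malformed"))
        elif any(name == s or name.endswith("." + s) for s in watched):
            kind = "blocked" if ip in LOOPBACK_OK else "redirected"
            findings.append((n, ip, name, kind))
    return findings
```

    On a live system, read the real file (on XP, %SystemRoot%\system32\drivers\etc\hosts) and pass its contents to audit_hosts instead of SAMPLE_HOSTS; an empty result with updates still failing points away from the hosts file and toward the firewall rule or DNS.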
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean by this?

    The viruses are already discovered as far as I can tell. You just don't seem to be finding the cause of the infection on your network. You need to be looking on all computers and user accounts. You just said you fdisked and formatted an old hard disk and got the problem again when connected to the network. That would indicate you have infected computers in your network, or whatever you normally do (like email accounts etc) is giving you the problem right back again. Before connecting to the network, do you have all your protection in place including the firewall?

    Have you run these:
    avast! Virus Cleaner Tool
    McAfee AVERT Stinger
    a-squared (a²) Free edition
    RAVantivirus Online scan
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

