seanvdb

  1. seanvdb

    Virus

    Hey Dak, Everything is coming up clean. One thing though. Zone Alarm keeps blocking "Generic Host Process (Win32 Services)" from accepting connections from the internet at IP addresses:

    24.200.241.37 : DNS
    24.200.243.189 : DNS
    24.201.245.77 : DNS

    What does this mean (i.e. is it bad? I tried connecting to them and couldn't do so via my browser.)
  2. seanvdb

    Virus

    I ran Kaspersky again after deleting my junk folders, and it did nothing. It found some new stuff in some exe files, but I've deleted those. One that threw me off was this one:

    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

    I've had this version of IRC since I bought this computer... I can't see how it's a virus now and not 2 years ago (or during the 1st scan).
  3. seanvdb

    Virus

    Okay, this makes me quite happy:

    -------------------------------------------------------------------------------
    KASPERSKY ON-LINE SCANNER REPORT
    Tuesday, January 03, 2006 14:49:42
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 3/01/2006
    Kaspersky Anti-Virus database records: 158615
    -------------------------------------------------------------------------------
    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target - My Computer: A:\ C:\ D:\ E:\ F:\ G:\
    Scan Statistics:
    Total number of scanned objects: 127933
    Number of viruses found: 7
    Number of infected objects: 47
    Number of suspicious objects: 0
    Duration of the scan process: 4101 sec
    Scan process completed.

    Mostly because I don't open attachments, and most of it is marked as junk. The problem? The Junk.sbd folders are completely empty. Couldn't I just delete everything via thunderbird instead?

    Also, here's my last HJT log before I install zonealarm.
  4. seanvdb

    Virus

    Hey Dak, Thanks again for the help. I more so meant the difference between zone alarm and the other one you offered, but since I have some experience with Zone Alarm, I will stick with that one. I've also uninstalled those two spyware programs you mentioned... I had already done spybouncer, as spy sweeper turned up virtual bouncer, and I assumed they were linked. Trend Micro Anti-Spyware picked up some registry keys, but no trojans or active problems, so things are looking up. I'm going to run Kaspersky, post an HJT log, and then install zone alarm and hopefully be finished with problems!
  5. seanvdb

    Virus

    Hey Dak, A few more things (I want to be absolutely sure). I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?

    Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used Zonealarm in the past, but haven't in a while; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.

    I re-ran blacklight and it ran 'properly'. I ran ScanSpyware, and it picked up haxdoor-BC (log is below). I've deleted everything in the log, and running it twice more turns up nothing.

    -------
    Application Information
    =======================
    Application Version: ScanSpyware v3.8 build 3.8.0.4
    Original Database: pests12-09-05.db
    Updated Database: ssdb010206.db
    Current Date: Tuesday, January 03, 2006 10:21:23 AM
    __________________________________________________
    Directories recognized:
    =======================
    __________________________________________________
    Files recognized:
    =================
    [HAXDOOR-BC] C:\WINDOWS\system32\ps.a3d
    [spytech shadow] C:\WINDOWS\unvise32.exe
    [Visual Zip Password Recovery Processor] C:\WINDOWS\UnGins.exe
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Services\_common\country_icons.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Services\_gspyder\stg_legend.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\pw32.dll
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Profiles\countries.ini
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\gsg_radar.avi
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_checkbox.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_chicklets.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons_sm.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\service_menu_bg.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\service_tab+.tga
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Skins\(default2)\stg_border_main.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\halflife\cstrike\mod_cs.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\halflife\tfc\mod_tfc.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\excessive\mod_excessive.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\osp\mod_osp.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\q3f\mod_q3f.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\rocketarena3\mod_ra3.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\quake3\wfa\mod_wfa.psd
    [GameSpy Arcade] C:\Program Files\GameSpy Arcade\Custom\ut\Swat\mod_swat.psd
    __________________________________________________
    Registry keys recognized:
    =========================
    [GAIN] HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\ctls
    [GAIN] HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\crls
    __________________________________________________
    Registry values recognized:
    ===========================
    __________________________________________________
    Cookies recognized:
    ===================
    [VX2] c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt
    [Tracking Cookies] c:\documents and settings\sean{y}\cookies\sean{y}@img.wmp10.elsitiodc[1].txt
    __________________________________________________
    ----------

    Ewido is running again, and it picked up some cookies and backdoor.haxdoor.dw (do these things multiply?!) EDIT: It found this yesterday... today only picked up cookies. I overreacted! (thank god)

    spybouncer picked up 3 things (I cleaned them all out - locate.com in system32, bpmnt.dll in windows, and some file called ncase.zip in docsandsettings/allusers/apps/spybot/recovery... I cleaned out the whole folder.)

    I guess my question is: without completely formatting, is it possible to know when I'll be clean?
  6. seanvdb

    Virus

    I left rootkitreveal all night, it turned up nothing (and finished properly!). About the credit card 'lately', do you mean within the time that I was infected? I can see the passwords that attempted to be sent to some IP address... none of them are important. By the way, thanks for all your help!

    Also, when I ran F-secure again, I got this:

    01/03/06 00:47:48 [info]: BlackLight Engine 1.0.30 initialized
    01/03/06 00:47:48 [info]: OS: 5.1 build 2600 (Service Pack 2)
    01/03/06 00:47:48 [Note]: 7019 4
    01/03/06 00:47:48 [Note]: 7005 0
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Note]: 7006 0
    01/03/06 00:47:51 [Note]: 7011 1468
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Note]: 7018 2280
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:52 [Note]: FSRAW library version 1.7.1014
    01/03/06 00:49:46 [Note]: 7007 0

    Then I ran it again this morning, and got this:

    01/03/06 07:45:07 [info]: BlackLight Engine 1.0.30 initialized
    01/03/06 07:45:07 [info]: OS: 5.1 build 2600 (Service Pack 2)
    01/03/06 07:45:07 [Note]: 7019 4
    01/03/06 07:45:07 [Note]: 7005 0
    01/03/06 07:45:08 [Note]: 7006 0
    01/03/06 07:45:08 [Note]: 7011 1460
    01/03/06 07:45:08 [Note]: FSRAW library version 1.7.1014
    01/03/06 07:45:24 [Note]: 7007 0

    Why the difference??

    ------------

    And one more. Are you familiar with spy sweeper? My log came up clean, but the session log has some weird 'cannot open file' lines.. some of which look important.
********
12:27 AM: | Start of Session, Tuesday, January 03, 2006 |
12:27 AM: Spy Sweeper started
12:27 AM: Sweep initiated using definitions version 594
12:27 AM: Starting Memory Sweep
12:29 AM: Memory Sweep Complete, Elapsed Time: 00:02:03
12:29 AM: Starting Registry Sweep
12:29 AM: Registry Sweep Complete, Elapsed Time:00:00:05
12:29 AM: Starting Cookie Sweep
12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:29 AM: Starting File Sweep
12:29 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\datastore.edb". The process cannot access the file because it is being used by another process
12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\edb.log". The process cannot access the file because it is being used by another process
12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\tmp.edb". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa04611cd-51b9-4e0e-b5ad-d6850e5ca7c1.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6d1617da-7500-4190-aa49-1056e8ced64f.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs07c96578-cde1-4e37-9a3e-67243c115089.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse6f826d8-65d6-46a4-b8aa-a61dbfb4ef18.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs525be769-7bfd-4ecb-ab75-4304424ab1c5.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs85cfbe53-a9fe-409e-a244-d785f1045768.tmp".
The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa380a375-5446-48eb-a51e-d4a2a177e5dd.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc968be48-da0f-4673-a43a-e1ea7d61cbf3.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp". The process cannot access the file because it is being used by another process
12:46 AM: File Sweep Complete, Elapsed Time: 00:17:32
12:46 AM: Full Sweep has completed. Elapsed time 00:19:42
12:46 AM: Traces Found: 0

Mostly the system32/config errors scare me. What if I ran it in safe mode?? I checked the files with unlocker; the system32/config files seem to be used by each other (SAM with SAM.log, SYSTEM with SYSTEM.log, etc.). Is that normal?
  7. seanvdb

    Virus

    Rootkit still locks up here: HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7

    I'm going to leave it running overnight and see what comes of it. Here are the results from the l2mfix:

    L2MFIX find log 122705
    These are the registry keys present
    **********************************************************************************
    Winlogon/notify:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    "DLLName"="Ati2evxx.dll"
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000001
    "Lock"="AtiLockEvent"
    "Logoff"="AtiLogoffEvent"
    "Logon"="AtiLogonEvent"
    "Disconnect"="AtiDisConnectEvent"
    "Reconnect"="AtiReConnectEvent"
    "Safe"=dword:00000000
    "Shutdown"="AtiShutdownEvent"
    "StartScreenSaver"="AtiStartScreenSaverEvent"
    "StartShell"="AtiStartShellEvent"
    "Startup"="AtiStartupEvent"
    "StopScreenSaver"="AtiStopScreenSaverEvent"
    "Unlock"="AtiUnLockEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
      6c,00,00,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
      6c,00,6c,00,00,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
    "Asynchronous"=dword:00000000
    "DllName"="WRLogonNTF.dll"
    "Impersonate"=dword:00000001
    "Lock"="WRLock"
    "StartScreenSaver"="WRStartScreenSaver"
    "StartShell"="WRStartShell"
    "Startup"="WRStartup"
    "StopScreenSaver"="WRStopScreenSaver"
    "Unlock"="WRUnlock"
    "Shutdown"="WRShutdown"
    "Logoff"="WRLogoff"
    "Logon"="WRLogon"

    **********************************************************************************
    useragent:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""

    **********************************************************************************
    Shell Extension key:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
    "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
    "{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

    **********************************************************************************
    HKEY ROOT CLASSIDS:
    **********************************************************************************
    Files Found are not all bad files:

    C:\WINDOWS\SYSTEM32\
    spmsg.dll Wed Oct 12 2005 6:12:26p ..... 14,048 13.72 K
    hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
    gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
    browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
    axaltocm.dll Fri Oct 28 2005 11:49:40p ..... 133,120 130.00 K
    sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
    wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K
    gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
    gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
    mshtmled.dll Thu Oct 20 2005 10:39:30p A.... 448,512 438.00 K
    basecsp.dll Fri Oct 28 2005 4:40:16p ..... 96,792 94.52 K
    bcsprsrc.dll Fri Oct 28 2005 11:49:40p ..... 25,600 25.00 K
    ifxcardm.dll Fri Oct 28 2005 11:49:40p ..... 151,552 148.00 K
    esent.dll Thu Oct 20 2005 5:20:04p A.... 1,082,368 1.03 M
    wininet.dll Thu Oct 20 2005 10:39:30p A.... 658,432 643.00 K
    urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K
    shlwapi.dll Thu Oct 20 2005 10:39:30p A.... 473,600 462.50 K
    shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
    pngfilt.dll Thu Oct 20 2005 10:39:30p A.... 39,424 38.50 K
    mstime.dll Thu Oct 20 2005 10:39:30p A.... 530,944 518.50 K
    msrating.dll Thu Oct 20 2005 10:39:30p A.... 146,432 143.00 K
    mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
    inseng.dll Thu Oct 20 2005 10:39:28p A.... 96,256 94.00 K
    iepeers.dll Thu Oct 20 2005 10:39:28p A.... 251,392 245.50 K
    dxtrans.dll Thu Oct 20 2005 10:39:28p A.... 205,312 200.50 K
    danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
    cdfview.dll Thu Oct 20 2005 10:39:26p A.... 151,040 147.50 K
    extmgr.dll Thu Oct 20 2005 10:39:28p ..... 55,808 54.50 K
    msgplu~1.dll Wed Oct 12 2005 8:48:22a A.... 45,640 44.57 K
    wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K

    30 items found: 30 files, 0 directories.
    Total of file sizes: 13,049,800 bytes 12.44 M

    Locate .tmp files:
    No matches found.
    **********************************************************************************
    Directory Listing of system files:
    Volume in drive C has no label.
    Volume Serial Number is 1F60-12D5

    Directory of C:\WINDOWS\System32

    02/20/2004 12:27 PM <DIR> Microsoft
    02/20/2004 11:08 AM <DIR> dllcache
    0 File(s) 0 bytes
    2 Dir(s) 48,757,702,656 bytes free

    ------------------------

    And the results from jotti.org. There were two sections. I think the 2nd section does not pertain to me, but I pasted it just in case.

    Service load: 0% 100%
    File: iexplore.exe
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5 e7484514c0464642be7b4dc2689354c8
    Packers detected: -

    Scanner results
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    UNA Found nothing
    VBA32 Found nothing

    PART TWO:

    Last file scanned at least one scanner reported something about: CRAGGLE_SEARCH[10].rar, detected by:

    Scanner Malware name
    AntiVir Adware-Spyware/Craagle.18 adware
    ArcaVir X
    Avast X
    AVG Antivirus Generic.GMX
    BitDefender X
    ClamAV X
    Dr.Web X
    F-Prot Antivirus X
    Fortinet X
    Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Craagle.18
    NOD32 X
    Norman Virus Control X
    UNA Adware.Craagle.18
    VBA32 AdWare.Win32.Craagle.18

    You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
    We are not affiliated with any third parties that conduct tests using this service.

    Thanks so much, you guys are super helpful!
  8. seanvdb

    Virus

    I'm pretty sure the haxdoor came in with a crack I was using... though I didn't notice it had downloaded two executables, and only bothered to check one of them for viruses before I ran it (I'm an idiot). Here's the information you wanted. I finally got a version of spy sweeper that does more than just scan (for 14 days anyway), so I removed those instances in the registry. I don't know if anything is still here... hopefully someone here can answer!!

    ----------------------------
    01/02/06 23:15:53 [info]: BlackLight Engine 1.0.30 initialized
    01/02/06 23:15:53 [info]: OS: 5.1 build 2600 (Service Pack 2)
    01/02/06 23:15:53 [Note]: 7019 4
    01/02/06 23:15:53 [Note]: 7005 0
    01/02/06 23:15:55 [Note]: 7006 0
    01/02/06 23:15:56 [Note]: 7011 1428
    01/02/06 23:15:56 [Note]: FSRAW library version 1.7.1014
    01/02/06 23:16:03 [Note]: 7007 0
    ------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 11:17:15 PM, on 1/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    --------------------------

    That O20 is back though, except with a different file name... ahhhh!
  9. seanvdb

    Virus

    Rootkit revealer also tries to start a Windows service when I open it:

    A Windows service is a program that can run automatically if enabled. This change generally occurs when software is installed. You can allow this change if it is recognized and expected.
    Name: Sysinternals Rootkitrevealer
    Publisher: Sysinternals - http://www.sysinternals.com
    Path: C:\DOCUME~1\Sean{y}\LOCALS~1\Temp\KNHBWQXPINSZOERGTS.exe

    Is that ok?
  10. seanvdb

    Virus

    I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry files that spysweeper is picking up. They are:

    HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)
    HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\(1 subtrace)
    HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\(1 subtrace)
    HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\(1 subtrace)
    HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)
    HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)

    Can I delete them? Also, at 5:24pm, I got two 'mail returned to sender' emails with a bunch of my passwords that were going to some IP address.

    This is the AVG E-mail Scanner program. I'm sorry to have to inform you that the message returned below could not be delivered to one or more destinations.
    -------------------------------------------------------------------
    Cannot open smtp connection to '192.168.1.100'
    Connect: No connection could be made because the target machine actively refused it. (10061)
    -------------------------------------------------------------------
    Your e-mail message is being returned to you in the next part of this message. Try to send the message again. Should you need assistance, please contact your administrator or your Internet service provider.

    If there are only registry files left, how can I still be sending emails out with my passwords?
  11. seanvdb

    Virus

    Also, here is a rootkitrevealer log. I noticed in the other thread that a user named Dak mentioned that the new haxdoor viruses have keyword loggers. Thunderbird tried to send an email with a bunch of passwords of mine to some random email address (but failed). It didn't send my online banking one, but it'd be nice to get rid of this soon!

    I was going to post the revealer, but it:

    Gets stuck on HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7

    Been like that for 10 minutes.
  12. seanvdb

    Virus

    I was infected with a virus last night (avpe32.dll). AVG won't remove it. I've scanned with spysweeper (found it but wouldn't delete (as it's a trial version)), ewido, spybot, adaware, microsoft antispyware, and panda activescan. Ewido repeatedly pops up the Backdoor.Haxdoor.dw infection. I can't manually delete the file from c:\WINDOWS\system32, because it isn't showing up there. I'm posting because someone else had a similar problem and you guys were able to help him. I've booted to safe mode and used apropos.exe as well. I've posted an HJT log as well as the log file from apropos.exe.

    ---------------------
    Log of AproposFix v1
    ************
    Running from directory:
    C:\Documents and Settings\Sean{y}\Desktop\aproposfix
    ************
    Registry entries found:
    ************
    No service found!
    Removing hidden folder:
    No folder found!
    Deleting files:
    Backing up files:
    Done!
    Removing registry entries:
    REGEDIT4
    Done!
    Finished!
    -------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 12:53:41 PM, on 1/2/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ICQ\ICQ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Netropa\Onscreen Display\OSD.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\hijackthis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    --------------------

    The O20 which is the file just keeps coming back!