seanvdb
Posts posted by seanvdb
I ran Kaspersky again after deleting my junk folders, and it did nothing.
It found some new stuff in some exe files, but I've deleted those.
One that threw me off was this one:
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614
I've had this version of IRC since I bought this computer... I can't see how it's a virus now and not 2 years ago (or during the 1st scan).
Okay, this makes me quite happy:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, January 03, 2006 14:49:42
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/01/2006
Kaspersky Anti-Virus database records: 158615
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 127933
Number of viruses found: 7
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 4101 sec
Infected Object Name - Virus Name
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From eBay <supprefnum644565637137@ebay.com>][Date Sun, 24 Jul 2005 22:55:35 -0600]/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From eBay Inc <identdep_op9@ebay.com>][Date Wed, 03 Aug 2005 23:24:06 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From "Lillie C. Kaufman" <l_kaufman@look.ca>][Date Sun, 28 Aug 2005 17:46:56 +0100]/text/[From eBay Inc <custservice_72@ebay.com>][Date Wed, 31 Aug 2005 19:33:37 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From "Lillie C. Kaufman" <l_kaufman@look.ca>][Date Sun, 28 Aug 2005 17:46:56 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Trash/[From eBay Inc <custservice_72@ebay.com>][Date Wed, 31 Aug 2005 19:33:37 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Trash Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... . ... /[From Seanvdb <seanvdb@iaehv.nl>][Date Mon, 12 Sep 2005 20:35:45 + ... /price.cpl Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... . ... /[From Seanvdb <seanvdb@iaehv.nl>][Date Mon, 12 Sep 2005 20:35:45 +0200]/price.zip Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... ... /[From marybeth@payments.certapay.com][Date Sun, 17 Apr 2005 21:28:06 -0600]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... /[From don reddick <donreddick@cogeco.ca>][Date Wed, 27 Oct 2004 21:46:31 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:03 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox Infected: Email-Worm.Win32.Bagle.ct
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com <service@paypal.com>][Date Wed, 5 Oct 2005 23:30:20 -0700 (PDT)]/html Infected: Trojan-Spy.HTML.Paylap.cd
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com <service@paypal.com>][Date Thu, 6 Oct 2005 04:14:37 -0700 (PDT)]/html Infected: Trojan-Spy.HTML.Paylap.cd
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com<service@paypal.com>][Date Fri, 14 Oct 2005 16:06:54 +0800 (CST)]/html Infected: Trojan-Spy.HTML.Paylap.cd
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Thu, 03 Nov 2005 12:48:32 -0700]/html Infected: Trojan-Spy.HTML.Paylap.ad
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Thu, 17 Nov 2005 01:10:33 -0500]/html Infected: Trojan-Spy.HTML.Paylap.ad
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Bank of the West® Online Banking" <eTimeBanker@bankofthewest.com>][Date Tue, 29 Nov 2005 05:59:11 -0300]/html Infected: Trojan-Spy.HTML.Paylap.ad
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Tue, 29 Nov 2005 23:33:14 -0600]/html Infected: Trojan-Spy.HTML.Paylap.ad
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.com>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text/[spam]Dear Infected: Trojan-Spy.HTML.Paylap.gj
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.com>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text Infected: Trojan-Spy.HTML.Paylap.gj
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Sun, 04 Dec 2005 04:18:54 -0200]/html Infected: Trojan-Spy.HTML.Paylap.ad
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "update@paypal.com" <service@email.paypal.com>][Date Mon, 05 Dec 2005 19:20:49 -0700]/html Infected: Trojan-Spy.HTML.Paylap.cd
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "paypal" <paypal@service.com>][Date Fri, 09 Dec 2005 09:20:26 +0300]/html Infected: Trojan-Spy.HTML.Paylap.gl
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "service@email.paypal.com" <service@paypal.com>][Date Sat, 10 Dec 2005 23:24:27 +0500]/html Infected: Trojan-Spy.HTML.Paylap.cd
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 D ... /[From S ... /[From "PayPal" <service@paypal.com>][Date Sat, 17 Dec 2005 12:52:02 +0000 (UTC)]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 D ... /[From Stylish replica watches from famous brands][Date Sat, 17 Dec 2005 10:15:40 -0500 (EST)]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From " ... /[From "Kiara" <alex1ag@ezweb.ne.jp>][Date Sat, 17 Dec 2005 15:08:53 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "iw6dq" <hxfnqycfcyr@hotmail.com>][Date Sat, 17 Dec 2005 08:03:31 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "Kevin Tovar" <lea.washington74g@gmail.com>][Date Sat, 17 Dec 2005 04:21:47 -0800]/text Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "trfscu" <dyucoholtbe@hotmail.com>][Date Sat, 17 Dec 2005 06:21:19 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec ... /[From "hiea70es" <zexadfsjgst@hotmail.com>][Date Sat, 17 Dec 2005 04:58:46 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec 2005 03:15:25 ... /[From "Jacki" <hiergo@ebina-cash.com>][Date Sat, 17 Dec 2005 09:03:15 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec 2005 03:15:25 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "PayPal" <service@paypal.com>][Date Sat, 17 Dec 2005 18:54:21 -0800]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv
C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk Infected: Trojan-Spy.HTML.Paylap.gv
Scan process completed.
Mostly because I don't open attachments, and most of it is marked as junk. The problem? The Junk.sbd folders are completely empty. Couldn't I just delete everything via Thunderbird instead?
Also, here's my last HJT log before I install ZoneAlarm.
-------------
Logfile of HijackThis v1.99.1
Scan saved at 2:53:41 PM, on 1/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
----
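On the Junk.sbd question in the post above: Thunderbird stores each mail folder as a single mbox file (here the files named Junk, Trash and Inbox under Mail\<server>\), and a <Folder>.sbd directory only holds sub-folders, so an empty Junk.sbd is normal while the Junk file itself still contains every message Kaspersky listed. Deleting those messages in Thunderbird sets the Expunged bit (0x0008) in each message's X-Mozilla-Status header but leaves the bytes in the file until Compact Folders is run, which is why an on-demand scanner keeps reporting them until then. The script below is an added example, not part of the original thread and not Kaspersky's or Thunderbird's code: it walks an mbox in the same nested [From ...][Date ...] way the report prints mail objects, flags attachments with executable extensions (including inside .zip, as with price.zip/price.cpl), flags HTML bodies whose links point away from the domain the From header claims (the PayPal and eBay cases), and reports which messages are deleted but not yet compacted. The three sample messages are constructed, and the extension list and the link heuristic are editorial assumptions, not the scanner's signatures.

```python
"""Triage a Thunderbird mbox folder file (e.g. Mail/<server>/Junk) offline."""
import io
import mailbox
import os
import re
import tempfile
import zipfile
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Attachment types abused by 2004-2006 mass mailers (Bagle shipped price.zip
# holding price.cpl). Editorial assumption, not the scanner's signature logic.
RISKY_EXT = {".cpl", ".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
EXPUNGED = 0x0008  # X-Mozilla-Status bit: deleted in Thunderbird, not yet compacted
HREF_RE = re.compile(r'href\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def registrable(host):
    """Last two DNS labels (paypal.com, ebay.com); crude but enough for this check."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def risky_names(filename, payload):
    """Yield the attachment name, or zip member names, carrying a risky extension."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in RISKY_EXT:
        yield filename
    elif ext == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in RISKY_EXT:
                        yield f"{filename}/{member}"
        except zipfile.BadZipFile:
            yield f"{filename} (corrupt zip)"

def triage_message(msg):
    """(reason, detail) findings for one message: risky attachments and HTML links
    whose host does not match the domain the From header claims."""
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            for hit in risky_names(name, part.get_payload(decode=True) or b""):
                findings.append(("risky-attachment", hit))
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in HREF_RE.findall(html):
                host = urlparse(url).hostname or ""
                if sender_domain and registrable(host) != registrable(sender_domain):
                    findings.append(("link-domain-mismatch", f"{sender_domain} -> {host}"))
    return findings

def triage_mbox(path):
    """Map each message (keyed like Kaspersky's nested [From ..][Date ..] paths) to
    its findings and to whether Thunderbird deleted it without compacting yet."""
    report = {}
    for msg in mailbox.mbox(path):
        status = int(msg.get("X-Mozilla-Status", "0"), 16)
        key = f"[From {msg.get('From')}][Date {msg.get('Date')}]"
        report[key] = {"findings": triage_message(msg),
                       "deleted_not_compacted": bool(status & EXPUNGED)}
    return report

def build_sample_mbox(path):
    """Write three constructed messages (not real mail) into a new mbox file."""
    phish = EmailMessage()
    phish["From"] = '"PayPal" <service@paypal.com>'
    phish["Date"] = "Sat, 17 Dec 2005 18:54:21 -0800"
    phish.set_content('<p>Verify <a href="http://203.0.113.5/pp/login">here</a></p>',
                      subtype="html")
    worm = EmailMessage()
    worm["From"] = "Seanvdb <seanvdb@example.invalid>"
    worm["Date"] = "Mon, 12 Sep 2005 20:35:45 +0200"
    worm.set_content("see attached price list")
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("price.cpl", b"MZ placeholder, not a real binary")
    worm.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                        filename="price.zip")
    benign = EmailMessage()
    benign["From"] = "Alice <alice@example.invalid>"
    benign["Date"] = "Mon, 09 Aug 2004 13:40:31 -0400"
    benign["X-Mozilla-Status"] = "0009"  # read + expunged: deleted, awaiting compaction
    benign.set_content("just text, no links")
    box = mailbox.mbox(path)
    for m in (phish, worm, benign):
        box.add(m)
    box.close()  # flushes the file
    return path

def run_demo():
    """Build the constructed sample in a temp dir and triage it."""
    return triage_mbox(build_sample_mbox(os.path.join(tempfile.mkdtemp(), "Junk")))

if __name__ == "__main__":
    for key, info in run_demo().items():
        print(key, info)
```

To use it on a real profile, point triage_mbox at a copy of the Junk (or Trash, Inbox) file, delete the flagged messages in Thunderbird, run Compact Folders on that account, and only then rescan; until compaction the scanner will see the same objects.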
Hey Dak,
Thanks again for the help.
I more so meant the difference between ZoneAlarm and the other one you offered, but since I have some experience with ZoneAlarm, I will stick with that one.
I've also uninstalled those two spyware programs you mentioned... I had already done SpyBouncer, as Spy Sweeper turned up Virtual Bouncer, and I assumed they were linked.
Trend Micro Anti-Spyware picked up some registry keys, but no trojans or active problems, so things are looking up.
I'm going to run Kaspersky, post an HJT log, and then install zone alarm and hopefully be finished with problems!
Hey Dak,
A few more things (I want to be absolutely sure).
I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?
Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used ZoneAlarm in the past, but haven't in a while; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.
I re-ran BlackLight and it ran 'properly'.
I ran ScanSpyware, and it picked up haxdoor-BC (log is below). I've deleted everything in the log, and running it twice more turns up nothing.
-------
Application Information
=======================
Application Version: ScanSpyware v3.8 build 3.8.0.4
Original Database: pests12-09-05.db
Updated Database: ssdb010206.db
Current Date: Tuesday, January 03, 2006 10:21:23 AM
__________________________________________________
Directories recognized:
=======================
__________________________________________________
Files recognized:
=================
[HAXDOOR-BC]
C:\WINDOWS\system32\ps.a3d
[spytech shadow]
C:\WINDOWS\unvise32.exe
[Visual Zip Password Recovery Processor]
C:\WINDOWS\UnGins.exe
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Services\_common\country_icons.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Services\_gspyder\stg_legend.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\pw32.dll
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Profiles\countries.ini
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\gsg_radar.avi
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_checkbox.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_chicklets.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons_sm.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\service_menu_bg.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\service_tab+.tga
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Skins\(default2)\stg_border_main.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\halflife\cstrike\mod_cs.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\halflife\tfc\mod_tfc.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\excessive\mod_excessive.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\osp\mod_osp.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\q3f\mod_q3f.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\rocketarena3\mod_ra3.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\quake3\wfa\mod_wfa.psd
[GameSpy Arcade]
C:\Program Files\GameSpy Arcade\Custom\ut\Swat\mod_swat.psd
__________________________________________________
Registry keys recognized:
=========================
[GAIN]
HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\ctls
[GAIN]
HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\crls
__________________________________________________
Registry values recognized:
===========================
__________________________________________________
Cookies recognized:
===================
[VX2]
c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt
[Tracking Cookies]
c:\documents and settings\sean{y}\cookies\sean{y}@img.wmp10.elsitiodc[1].txt
__________________________________________________
----------
Ewido is running again, and it picked up some cookies and backdoor.haxdoor.dw (do these things multiply?!) EDIT: It found this yesterday... today only picked up cookies. I overreacted! (thank god)
SpyBouncer picked up 3 things (I cleaned them all out: locate.com in system32, bpmnt.dll in windows, and some file called ncase.zip in docsandsettings/allusers/apps/spybot/recovery... I cleaned out the whole folder).
I guess my question is: without completely formatting, is it possible to know when I'll be clean?
I left RootkitRevealer running all night; it turned up nothing (and finished properly!).
About the credit card 'lately', do you mean within the time that I was infected? I can see the passwords that attempted to be sent to some IP address... none of them are important.
By the way, thanks for all your help!
Also, when I ran F-Secure again, I got this:
01/03/06 00:47:48 [info]: BlackLight Engine 1.0.30 initialized
01/03/06 00:47:48 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/03/06 00:47:48 [Note]: 7019 4
01/03/06 00:47:48 [Note]: 7005 0
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Note]: 7006 0
01/03/06 00:47:51 [Note]: 7011 1468
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:51 [Note]: 7018 2280
01/03/06 00:47:51 [Error]: 6024 4
01/03/06 00:47:52 [Note]: FSRAW library version 1.7.1014
01/03/06 00:49:46 [Note]: 7007 0
Then I ran it again this morning, and got this:
01/03/06 07:45:07 [info]: BlackLight Engine 1.0.30 initialized
01/03/06 07:45:07 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/03/06 07:45:07 [Note]: 7019 4
01/03/06 07:45:07 [Note]: 7005 0
01/03/06 07:45:08 [Note]: 7006 0
01/03/06 07:45:08 [Note]: 7011 1460
01/03/06 07:45:08 [Note]: FSRAW library version 1.7.1014
01/03/06 07:45:24 [Note]: 7007 0
Why the difference??
------------
And one more. Are you familiar with Spy Sweeper? My log came up clean, but the session log has some weird 'cannot open file' lines, some of which look important.
********
12:27 AM: | Start of Session, Tuesday, January 03, 2006 |
12:27 AM: Spy Sweeper started
12:27 AM: Sweep initiated using definitions version 594
12:27 AM: Starting Memory Sweep
12:29 AM: Memory Sweep Complete, Elapsed Time: 00:02:03
12:29 AM: Starting Registry Sweep
12:29 AM: Registry Sweep Complete, Elapsed Time:00:00:05
12:29 AM: Starting Cookie Sweep
12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:29 AM: Starting File Sweep
12:29 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\datastore.edb". The process cannot access the file because it is being used by another process
12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\edb.log". The process cannot access the file because it is being used by another process
12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\tmp.edb". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa04611cd-51b9-4e0e-b5ad-d6850e5ca7c1.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6d1617da-7500-4190-aa49-1056e8ced64f.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs07c96578-cde1-4e37-9a3e-67243c115089.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse6f826d8-65d6-46a4-b8aa-a61dbfb4ef18.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs525be769-7bfd-4ecb-ab75-4304424ab1c5.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs85cfbe53-a9fe-409e-a244-d785f1045768.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9e09d479-aec1-42b2-b3c5-28cb5b24159d.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscba2abfd-9f26-4432-b583-514617dc3132.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e255f07-391a-4fdb-930c-5a502f5d2145.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4ecdf5c5-0383-4b95-beea-8656e8491cf1.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8bb97229-0bfc-4fc4-a804-b0480137fa0c.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse2053657-99a5-41fa-bd8e-43ba5decd8de.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5cab9924-08f9-4d06-bfb6-04e75bd69d97.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9e3c49a3-f1ea-4ae0-830e-95eaf5ccbb38.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd52da5d2-e6b2-496c-b1dc-441e6a4533af.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd2717140-6547-4f87-8187-e2705138c8ab.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5995cf24-070f-4dbe-91f8-7963e39162f0.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb0efdadc-dbb0-4b9f-979d-20b01269aed0.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0f36c81c-24ec-4e8c-9b90-adef1450ce6f.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse84a3fea-a8ea-4443-897f-9e74b141bc40.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb74e340f-2fbd-4d39-8664-01444efda0b9.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsd69f9a45-4436-4099-ad9e-aa3e788d6a8a.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs22f45b9a-594e-4ade-9b1d-0aef09d78d5c.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs520db8d2-69cf-424f-8487-651536829d9d.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9fb53135-3726-425e-9d4b-e2ea6a3c0cf9.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs18e22a39-68e9-4e69-9d44-67e2de4b7b29.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs80f4ac60-7c81-4255-8ff3-a0ea8fbb3470.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs0874bbc4-3e99-4da1-b649-337bf146ed8e.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5a7359f3-cf20-4496-8afc-15df8917c610.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4a9def0a-038f-4c5b-aff6-a17d8e604761.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5413472f-6dee-4abf-8605-87911d18cdd7.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdb83788e-1afb-4fb1-a616-733761c91a13.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs56a55bfa-27c2-4924-972d-306efe931e53.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc7598b86-d95d-41d9-adc1-ab7faf9fde06.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscse25ae2a4-c393-4491-8120-b0e2c62b8019.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs71ef6db1-d0ef-4bbf-b850-a1fcd6fa132c.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs349e39d5-26a0-44c3-b543-25e759764ef2.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1d6fe8da-6389-4360-9e44-69f6d05e6c2a.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs34cee29b-c709-43d2-ba37-8692232e13d6.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf35fbdc7-3cec-4904-9589-00748cded26a.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9595c62d-d43d-4682-9915-03dfaaeea1c0.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs23c577ee-a781-4fb9-a101-bbb2f03f81fa.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs931a7c27-b062-4538-9590-6231623133ce.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscscf0b2117-670d-4bb3-9696-8d48ccc9b9ad.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc0a92b9f-abdb-4490-ad21-33d3e42af2c3.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs42fd231e-7432-4a03-81f7-4cbc06db512b.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb78850ff-6663-4894-b7e6-2814deb9fe22.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs464a5efc-c519-422b-8784-e599dd9aae39.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a4c43cb-b641-4ed3-9405-7c06af8be29d.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs37195f61-630e-40e1-bacc-0d2488c0a332.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5e57ed0b-bbd2-4ab8-b56e-f5e93d041246.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscseb7a8dc8-470c-4dbc-b3dd-d025e68de323.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5eb6fa97-232d-4c5f-8c04-9e6008622ecd.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs95d0d3c4-69c8-44e4-9bbe-8acc68c573d1.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs27be3179-321c-4b87-8340-d7792e42479b.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc97ae475-15bc-479a-b907-445fa1bd2050.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs56e515cf-2705-421d-96f5-efc8eed245d4.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs268fa4ed-3c2f-4f35-bfc8-485d20d6120e.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs8a36bf97-15fb-45d5-9502-c97e6105c831.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4e00c349-099f-45ff-83da-2ff238899e2f.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs4ce61656-5030-4064-b9e3-32ab1ea0b950.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3e61758a-5676-409e-84a1-155bfe5612cf.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdc575891-3dd4-4d7a-87ff-0054ff4d2f94.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc7b6b57-4e80-439e-a632-63638eb14b3b.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1fbc2e1c-423e-4d26-a195-4b6238995c5c.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs405c527a-2e64-4a8a-93be-3e530f408ddc.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9ab45659-3562-4608-8865-020847b3f89a.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs1bda4722-762b-4160-b9b0-603d7e5c5bbd.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs864c9de5-64d2-440d-9887-f2fbb5aa5b08.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfc539b49-f7a0-46ad-9818-ce7f6c155866.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs52246228-35e4-4d0d-8433-d7a2df03a433.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb46bcce5-e075-44ef-abaf-0fcb218ff370.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3f499987-0a4f-488a-86b5-59e6598f825a.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs085ee804-25f8-41a9-abc0-4ad5a351a534.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc8675eda-db55-423b-851d-907bf6f46cc4.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6919210d-8b36-4b1c-a24c-48e5f463f053.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs7a8131d4-90a0-4c5b-bdc7-1779ce9ceb03.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs9a4fee37-b814-4aaa-90e2-9e0996cf8897.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa7076c26-e6c3-4604-a9f9-b54c7e32c8e4.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsfefabc05-dcf2-46c7-9817-d3a29a22b683.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs778d93e4-773f-4e4e-ad80-0624da758879.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6f90e108-c4f2-446d-b3d9-034cd6227909.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs6c5161e4-fabf-4287-8286-61c4176736ff.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3d3535ff-c6ab-4676-8e41-f344c9b8bf02.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsea2ee99e-02ba-4016-a5c6-13717d68e8f5.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs3ee2e3a5-358d-4f04-938c-45eb1ceabf1f.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsb5e0ba62-81bd-4bbf-8453-fa0c434cfdd2.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc3a19561-e3a3-4af8-812f-4bf9bbe60622.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsf0ae2cf1-e37a-41de-876d-6db7776e1071.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsdd1a6913-c5ab-49cf-8da0-70945fb5540b.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs38218858-55ca-4682-9c25-12d50d1173dc.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5d2c61ce-7393-442e-b419-d08ec85e7be7.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2dbe2914-c73a-4d63-81e0-bbbdc5c02cd5.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs2f941ed9-f9bd-4af9-9877-ba6fc47d825a.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs58c02038-2d73-4b60-ad8e-a336872eef85.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs01482778-8b7a-443f-a703-89d3bdaf5cca.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs73c7fb77-39a2-4bd3-93c7-68ac507fae4f.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5467a04f-7af2-436c-b054-b61c9534695b.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs5985e3f0-00a9-488b-a701-1c730eabd89c.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs37056552-7429-4ce5-85cb-f0e4a45a8510.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscs75a95e14-e548-4310-b881-6f4ba3c47f75.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa00c8857-cf20-472b-8878-b2cdd3d39239.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsa380a375-5446-48eb-a51e-d4a2a177e5dd.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc968be48-da0f-4673-a43a-e1ea7d61cbf3.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp". The process cannot access the file because it is being used by another process
12:46 AM: File Sweep Complete, Elapsed Time: 00:17:32
12:46 AM: Full Sweep has completed. Elapsed time 00:19:42
12:46 AM: Traces Found: 0
Mostly the system32/config errors scare me. What if I ran it in safe mode?? I checked the files with unlocker; the system32/config files seem to be used by each other (SAM with SAM.log, SYSTEM with SYSTEM.log, etc.). Is that normal?
0 -
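The "Failed to open file" warnings in the Spy Sweeper session above are about scan coverage, not detections: a scanner running inside Windows cannot read files the OS keeps open (the page file, the registry hives under system32\config, each profile's ntuser.dat/usrclass.dat, the Windows Update database) or its own temp files. The useful question is whether anything is left once those are set aside. The script below is an added example, not part of the original post or of Spy Sweeper; it runs over a few constructed lines in the same shape as the log and sorts the warnings into expected locks and leftovers worth a look. The path `c:\windows\system32\example_unknown.dll` is a constructed placeholder, not a file from the page.

```python
import re
from typing import Dict, List, Tuple

# Shape of a Spy Sweeper "File Sweep" warning line; captures the path and the reason.
WARN_RE = re.compile(r'Warning: Failed to open file "([^"]+)"\. (.+)$')

# Files Windows itself holds open while running. A file scanner inside that OS
# cannot read them, so a warning on these is expected and not a finding.
EXPECTED_LOCKS = [
    ("system pagefile", re.compile(r"^c:\\pagefile\.sys$")),
    ("system registry hive or its .log (SAM, SECURITY, SYSTEM, SOFTWARE, DEFAULT)",
     re.compile(r"^c:\\windows\\system32\\config\\")),
    ("per-user registry hive or its .log (ntuser.dat, usrclass.dat)",
     re.compile(r"\\(ntuser|usrclass)\.dat(\.log)?$")),
    ("Windows Update ESE database", re.compile(r"^c:\\windows\\softwaredistribution\\datastore\\")),
    ("the scanner's own temp files", re.compile(r"\\webroot\\spy sweeper\\temp\\")),
]

# Constructed sample in the shape of the session log above (not the original log).
SAMPLE_LOG = """\
12:29 AM: Starting File Sweep
12:29 AM: Warning: Failed to open file "c:\\pagefile.sys". Access is denied
12:30 AM: Warning: Failed to open file "c:\\windows\\system32\\config\\sam". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\\documents and settings\\localservice\\application data\\webroot\\spy sweeper\\temp\\sscs00000000-constructed.tmp". The process cannot access the file because it is being used by another process
12:35 AM: Warning: Failed to open file "c:\\documents and settings\\sean{y}\\ntuser.dat". The process cannot access the file because it is being used by another process
12:40 AM: Warning: Failed to open file "c:\\windows\\system32\\example_unknown.dll". The process cannot access the file because it is being used by another process
12:46 AM: File Sweep Complete, Elapsed Time: 00:17:32
12:46 AM: Traces Found: 0
"""


def classify(path: str) -> str:
    """Return the expected-lock label for a path, or 'REVIEW' if no rule matches."""
    p = path.lower()
    for label, rx in EXPECTED_LOCKS:
        if rx.search(p):
            return label
    return "REVIEW"


def triage(log_text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Split the 'Failed to open file' warnings into expected locks and leftovers.

    Returns {"expected": [(path, label), ...], "review": [(path, reason), ...]}.
    Lines that are not open-file warnings (sweep start/end, trace count) are ignored.
    """
    result: Dict[str, List[Tuple[str, str]]] = {"expected": [], "review": []}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        path, reason = m.groups()
        label = classify(path)
        if label == "REVIEW":
            result["review"].append((path, reason))
        else:
            result["expected"].append((path, label))
    return result


if __name__ == "__main__":
    out = triage(SAMPLE_LOG)
    print(f"{len(out['expected'])} expected lock(s), {len(out['review'])} path(s) to review")
    for path, reason in out["review"]:
        print(f"  REVIEW: {path} ({reason})")
```

Run over the full session log in the post, these rules account for every warning except `c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp`, a temp file under the user's own profile that was in use during the sweep; that is the one path the log itself leaves open to a look. The locked hives under system32\config being "used by each other" (SAM with SAM.log, SYSTEM with SYSTEM.log) is how the registry's transaction logging works, which is why the same warnings appear for the NetworkService and LocalService profiles too.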
rootkit still locks up here: HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7
I'm going to leave it running overnight and see what comes of it.
Here are the results from the l2mfix:
L2MFIX find log 122705
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]
"Asynchronous"=dword:00000000
"DllName"="WRLogonNTF.dll"
"Impersonate"=dword:00000001
"Lock"="WRLock"
"StartScreenSaver"="WRStartScreenSaver"
"StartShell"="WRStartShell"
"Startup"="WRStartup"
"StopScreenSaver"="WRStopScreenSaver"
"Unlock"="WRUnlock"
"Shutdown"="WRShutdown"
"Logoff"="WRLogoff"
"Logon"="WRLogon"
**********************************************************************************
useragent:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:
C:\WINDOWS\SYSTEM32\
spmsg.dll Wed Oct 12 2005 6:12:26p ..... 14,048 13.72 K
hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K
gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
axaltocm.dll Fri Oct 28 2005 11:49:40p ..... 133,120 130.00 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K
gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K
gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K
mshtmled.dll Thu Oct 20 2005 10:39:30p A.... 448,512 438.00 K
basecsp.dll Fri Oct 28 2005 4:40:16p ..... 96,792 94.52 K
bcsprsrc.dll Fri Oct 28 2005 11:49:40p ..... 25,600 25.00 K
ifxcardm.dll Fri Oct 28 2005 11:49:40p ..... 151,552 148.00 K
esent.dll Thu Oct 20 2005 5:20:04p A.... 1,082,368 1.03 M
wininet.dll Thu Oct 20 2005 10:39:30p A.... 658,432 643.00 K
urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K
shlwapi.dll Thu Oct 20 2005 10:39:30p A.... 473,600 462.50 K
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
pngfilt.dll Thu Oct 20 2005 10:39:30p A.... 39,424 38.50 K
mstime.dll Thu Oct 20 2005 10:39:30p A.... 530,944 518.50 K
msrating.dll Thu Oct 20 2005 10:39:30p A.... 146,432 143.00 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
inseng.dll Thu Oct 20 2005 10:39:28p A.... 96,256 94.00 K
iepeers.dll Thu Oct 20 2005 10:39:28p A.... 251,392 245.50 K
dxtrans.dll Thu Oct 20 2005 10:39:28p A.... 205,312 200.50 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
cdfview.dll Thu Oct 20 2005 10:39:26p A.... 151,040 147.50 K
extmgr.dll Thu Oct 20 2005 10:39:28p ..... 55,808 54.50 K
msgplu~1.dll Wed Oct 12 2005 8:48:22a A.... 45,640 44.57 K
wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K
30 items found: 30 files, 0 directories.
Total of file sizes: 13,049,800 bytes 12.44 M
Locate .tmp files:
No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 1F60-12D5
Directory of C:\WINDOWS\System32
02/20/2004 12:27 PM <DIR> Microsoft
02/20/2004 11:08 AM <DIR> dllcache
0 File(s) 0 bytes
2 Dir(s) 48,757,702,656 bytes free
------------------------
And the results from jotti.org. There were two sections. I think the 2nd section does not pertain to me, but I pasted it just in case.
Service load:
0% 100%
File: iexplore.exe
Status:
OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 e7484514c0464642be7b4dc2689354c8
Packers detected:
-
Scanner results
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found nothing
PART TWO:
Last file scanned at least one scanner reported something about: CRAGGLE_SEARCH[10].rar, detected by:
Scanner Malware name
AntiVir Adware-Spyware/Craagle.18 adware
ArcaVir X
Avast X
AVG Antivirus Generic.GMX
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Craagle.18
NOD32 X
Norman Virus Control X
UNA Adware.Craagle.18
VBA32 AdWare.Win32.Craagle.18
You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.
Thanks so much, you guys are super helpful!
0 -
I'm pretty sure the haxdoor came in with a crack I was using... though I didn't notice it had downloaded two executables, and only bothered to check one of them for viruses before I ran it (I'm an idiot).
Here's the information you wanted. I finally got a version of spy sweeper that does more than just scan (for 14 days anyway), so I removed those instances in the registry. I don't know if anything is still here... hopefully someone here can answer!!
----------------------------
01/02/06 23:15:53 [info]: BlackLight Engine 1.0.30 initialized
01/02/06 23:15:53 [info]: OS: 5.1 build 2600 (Service Pack 2)
01/02/06 23:15:53 [Note]: 7019 4
01/02/06 23:15:53 [Note]: 7005 0
01/02/06 23:15:55 [Note]: 7006 0
01/02/06 23:15:56 [Note]: 7011 1428
01/02/06 23:15:56 [Note]: FSRAW library version 1.7.1014
01/02/06 23:16:03 [Note]: 7007 0
------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:17:15 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--------------------------
That O20 is back though, except with a different file name... ahhhh!
0 -
Rootkit revealer also tries to start a windows service when I open it:
A Windows service is a program that can run automatically if enabled. This change generally occurs when software is installed. You can allow this change if it is recognized and expected.
Name: Sysinternals Rootkitrevealer
Publisher: Sysinternals - http://www.sysinternals.com
Path: C:\DOCUME~1\Sean{y}\LOCALS~1\Temp\KNHBWQXPINSZOERGTS.exe
Is that ok?
0 -
I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry files that spysweeper is picking up. They are:
HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)
HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\ (1 subtrace)
HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\ (1 subtrace)
HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\ (1 subtrace)
HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)
HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)
Can I delete them?
Also, at 5:24pm, I got two 'mail returned to sender' emails with a bunch of my passwords that were going to some IP address.
This is the AVG E-mail Scanner program.
I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.
-------------------------------------------------------------------
Cannot open smtp connection to '192.168.1.100'
Connect: No connection could be made because the target machine actively refused it. (10061)
-------------------------------------------------------------------
Your e-mail message is being returned to you in the next part of this
message. Try to send the message again.
Should you need assistance, please contact your administrator or your
Internet service provider.
If there are only registry files left, how can I still be sending emails out with my passwords?
0 -
Also, here is a rootkitrevealer log. I noticed in the other thread that a user named Dak mentioned that the new haxdoor viruses have keyword loggers. Thunderbird tried to send an email with a bunch of passwords of mine to some random email address (but failed). It didn't send my online banking one, but it'd be nice to get rid of this soon!
I was going to post the revealer, but it:
Gets stuck on HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7
Been like that for 10 minutes.
0 -
I was infected with a virus last night (avpe32.dll). AVG won't remove it.
I've scanned with spysweeper (found it but wouldn't delete (as it's a trial version)), ewido, spybot, adaware, microsoft antispyware, and panda activescan. Ewido repeatedly pops up the Backdoor.Haxdoor.dw infection. I can't manually delete the file from c:\WINDOWS\system32, because it isn't showing up there.
I'm posting because someone else had a similar problem and you guys were able to help him. I've booted to safemode and used apropos.exe as well. I've posted an HJT log as well as the log file from apropos.exe.
---------------------
Log of AproposFix v1
************
Running from directory:
C:\Documents and Settings\Sean{y}\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
-------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:53:41 PM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
--------------------
The O20 which is the file just keeps coming back!
0
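One way to triage the Winlogon\Notify packages shown in the l2mfix registry dump and the HijackThis O20 lines in the logs above, as an added example that is not code from the thread or from l2mfix, HijackThis or any other tool it names: the script rejoins the backslash-continued lines regedit writes, decodes the hex(2) DllName values into readable file names, reads O20 lines from a HijackThis log, and reports every notification package whose DLL is outside a baseline. The baseline set is an assumption made for the example (only the packages Windows XP itself ships), and the sample export and log lines are constructed from the entries in the thread; because vendor packages are not in the baseline, the ATI entry is reported alongside avpe32, which is the intended behaviour: the output is a review queue for a human, not a deletion list.

```python
"""Triage Winlogon\\Notify packages from a regedit export and HijackThis O20 lines.

Added example for this thread; not code from the thread or from l2mfix,
HijackThis or any other tool named in it. The baseline set is an assumption
made for the example; the sample export and log lines are constructed.
"""
import re
from typing import Dict, List, Optional

# Assumed baseline (not from the thread): notification packages that Windows XP
# itself ships. Vendor packages are left out on purpose so they are reported
# for review; a real baseline would be taken from a known-clean host.
BASELINE_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll",
}

NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\]]+)\]$",
    re.IGNORECASE,
)
DLLNAME_RE = re.compile(r'^"DllName"=(.*)$', re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")


def decode_reg_value(raw: str) -> str:
    """Decode one .reg value body: a quoted string or a hex(N) byte list."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported value syntax: {raw}")
    kind = int(m.group(1)) if m.group(1) else 3  # bare "hex:" is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind not in (1, 2, 7):  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ are UTF-16LE
        return data.hex()
    return data.decode("utf-16-le").rstrip("\x00")


def parse_notify_export(text: str) -> Dict[str, str]:
    """Map each Winlogon\\Notify subkey name to its decoded DllName."""
    # regedit wraps long hex values with a trailing backslash; rejoin them first.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    entries: Dict[str, str] = {}
    current: Optional[str] = None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("["):  # any key header ends the previous subkey
            km = NOTIFY_KEY_RE.match(line)
            current = km.group(1) if km else None
            continue
        vm = DLLNAME_RE.match(line)
        if vm and current is not None:
            entries[current] = decode_reg_value(vm.group(1))
    return entries


def parse_hjt_o20(text: str) -> Dict[str, str]:
    """Map subkey name to DLL path from the O20 lines of a HijackThis log."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def review(entries: Dict[str, str]) -> List[str]:
    """Return the subkeys whose DLL file name is outside the baseline, sorted."""
    flagged = []
    for subkey, dll in entries.items():
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in BASELINE_NOTIFY_DLLS:
            flagged.append(subkey)
    return sorted(flagged)


# Constructed sample modelled on the l2mfix dump in the thread (not a real export).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32]
"DllName"="avpe32.dll"
'''

# Constructed HijackThis lines, modelled on the O20 entry in the thread.
SAMPLE_HJT = r'''O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
'''

if __name__ == "__main__":
    for label, entries in (("registry export", parse_notify_export(SAMPLE_REG)),
                           ("HijackThis O20", parse_hjt_o20(SAMPLE_HJT))):
        for subkey in review(entries):
            print(f"{label}: review Notify\\{subkey} -> {entries[subkey]}")
```

Run it over a real l2mfix or regedit export and a HijackThis log instead of the constructed samples; anything it lists is a package Winlogon will load into the logon session at every boot, so each one should be matched to a known installer before it is kept.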
Virus
in Computer Science
Posted
Hey Dak,
Everything is coming up clean.
One thing though. Zone Alarm keeps blocking "Generic Host Process (Win32 Services)" from accepting connections from the internet at IP addresses:
24.200.241.37 : DNS
24.200.243.189 : DNS
24.201.245.77 : DNS
What does this mean (i.e. is it bad? I tried connecting to them and couldn't do so via my browser.)