Posts posted by seanvdb

  1. Hey Dak,

     

    Everything is coming up clean.

     

    One thing though. ZoneAlarm keeps blocking "Generic Host Process (Win32 Services)" from accepting connections from the internet at IP addresses:

     

    24.200.241.37 : DNS

    24.200.243.189 : DNS

    24.201.245.77 : DNS

     

    What does this mean (i.e. is it bad? I tried connecting to them and couldn't do so via my browser.)

  2. I ran Kaspersky again after deleting my junk folders, and it did nothing.

     

    It found some new stuff in some exe files, but I've deleted those.

     

    One that threw me off was this one:

     

    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614

     

    I've had this version of IRC since I bought this computer... I can't see how it's a virus now and not 2 years ago (or during the 1st scan).

  3. Okay, this makes me quite happy:

     

    -------------------------------------------------------------------------------

    KASPERSKY ON-LINE SCANNER REPORT

    Tuesday, January 03, 2006 14:49:42

    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

    Kaspersky On-line Scanner version: 5.0.67.0

    Kaspersky Anti-Virus database last update: 3/01/2006

    Kaspersky Anti-Virus database records: 158615

    -------------------------------------------------------------------------------

     

    Scan Settings:

    Scan using the following antivirus database: standard

    Scan Archives: true

    Scan Mail Bases: true

     

    Scan Target - My Computer:

    A:\

    C:\

    D:\

    E:\

    F:\

    G:\

     

    Scan Statistics:

    Total number of scanned objects: 127933

    Number of viruses found: 7

    Number of infected objects: 47

    Number of suspicious objects: 0

    Duration of the scan process: 4101 sec

     

    Infected Object Name - Virus Name

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From eBay <supprefnum644565637137@ebay.com>][Date Sun, 24 Jul 2005 22:55:35 -0600]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From eBay Inc <identdep_op9@ebay.com>][Date Wed, 03 Aug 2005 23:24:06 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From "Lillie C. Kaufman" <l_kaufman@look.ca>][Date Sun, 28 Aug 2005 17:46:56 +0100]/text/[From eBay Inc <custservice_72@ebay.com>][Date Wed, 31 Aug 2005 19:33:37 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text/[From "Lillie C. Kaufman" <l_kaufman@look.ca>][Date Sun, 28 Aug 2005 17:46:56 +0100]/text Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text/[From "Dewitt Shannon" <d.shannon@telebucaramanga.net.co>][Date Tue, 01 Feb 2005 01:20:54 -0500]/text Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <rauldaileyqj@klomp.de>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Junk Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Trash/[From eBay Inc <custservice_72@ebay.com>][Date Wed, 31 Aug 2005 19:33:37 +0500]/html Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.cogeco.ca\Trash Infected: Trojan-Spy.HTML.Bayfraud.hn

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... . ... /[From Seanvdb <seanvdb@iaehv.nl>][Date Mon, 12 Sep 2005 20:35:45 + ... /price.cpl Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... . ... /[From Seanvdb <seanvdb@iaehv.nl>][Date Mon, 12 Sep 2005 20:35:45 +0200]/price.zip Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... ... /[From marybeth@payments.certapay.com][Date Sun, 17 Apr 2005 21:28:06 -0600]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:0 ... /[From don reddick <donreddick@cogeco.ca>][Date Wed, 27 Oct 2004 21:46:31 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Tue, 31 Aug 2004 14:32:03 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 14:43:47 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED/[From Alice <alice@lumleyscooks.co.uk>][Date Mon, 09 Aug 2004 13:40:31 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From ZoomOnres <OnRes@flyzoom.com>][Date Tue, 20 Jul 2004 10:55:24 -0400]/UNNAMED Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox/[From Antigen_160O@videotron.ca][Date Mon, 19 Jul 2004 07:16:39 -0400]/text Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\pop.videotron.ca\Inbox Infected: Email-Worm.Win32.Bagle.ct

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com <service@paypal.com>][Date Wed, 5 Oct 2005 23:30:20 -0700 (PDT)]/html Infected: Trojan-Spy.HTML.Paylap.cd

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com <service@paypal.com>][Date Thu, 6 Oct 2005 04:14:37 -0700 (PDT)]/html Infected: Trojan-Spy.HTML.Paylap.cd

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From update@paypal.com<service@paypal.com>][Date Fri, 14 Oct 2005 16:06:54 +0800 (CST)]/html Infected: Trojan-Spy.HTML.Paylap.cd

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Thu, 03 Nov 2005 12:48:32 -0700]/html Infected: Trojan-Spy.HTML.Paylap.ad

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Thu, 17 Nov 2005 01:10:33 -0500]/html Infected: Trojan-Spy.HTML.Paylap.ad

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Bank of the West® Online Banking" <eTimeBanker@bankofthewest.com>][Date Tue, 29 Nov 2005 05:59:11 -0300]/html Infected: Trojan-Spy.HTML.Paylap.ad

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Tue, 29 Nov 2005 23:33:14 -0600]/html Infected: Trojan-Spy.HTML.Paylap.ad

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.com>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text/[spam]Dear Infected: Trojan-Spy.HTML.Paylap.gj

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.com>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text Infected: Trojan-Spy.HTML.Paylap.gj

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "info@paypal.com" <info@paypal.com>][Date Sun, 04 Dec 2005 04:18:54 -0200]/html Infected: Trojan-Spy.HTML.Paylap.ad

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "update@paypal.com" <service@email.paypal.com>][Date Mon, 05 Dec 2005 19:20:49 -0700]/html Infected: Trojan-Spy.HTML.Paylap.cd

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "paypal" <paypal@service.com>][Date Fri, 09 Dec 2005 09:20:26 +0300]/html Infected: Trojan-Spy.HTML.Paylap.gl

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "service@email.paypal.com" <service@paypal.com>][Date Sat, 10 Dec 2005 23:24:27 +0500]/html Infected: Trojan-Spy.HTML.Paylap.cd

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 D ... /[From S ... /[From "PayPal" <service@paypal.com>][Date Sat, 17 Dec 2005 12:52:02 +0000 (UTC)]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 D ... /[From Stylish replica watches from famous brands][Date Sat, 17 Dec 2005 10:15:40 -0500 (EST)]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From " ... /[From "Kiara" <alex1ag@ezweb.ne.jp>][Date Sat, 17 Dec 2005 15:08:53 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "iw6dq" <hxfnqycfcyr@hotmail.com>][Date Sat, 17 Dec 2005 08:03:31 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "Kevin Tovar" <lea.washington74g@gmail.com>][Date Sat, 17 Dec 2005 04:21:47 -0800]/text Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec . ... /[From "trfscu" <dyucoholtbe@hotmail.com>][Date Sat, 17 Dec 2005 06:21:19 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec ... /[From "hiea70es" <zexadfsjgst@hotmail.com>][Date Sat, 17 Dec 2005 04:58:46 -0500 (EST)]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec 2005 03:15:25 ... /[From "Jacki" <hiergo@ebina-cash.com>][Date Sat, 17 Dec 2005 09:03:15 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html/[From "rll444444" <wlfsbanubyj@hotmail.com>][Date 17 Dec 2005 03:15:25 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html/[From "Ashanti" <tei@earthmatters.org>][Date Sat, 17 Dec 2005 07:14:19 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html/[From "Stanford" <info@videotron.ca>][Date Sat, 17 Dec 2005 05:46:59 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "Shanell" <aig8282@mobilephonecatalogue.com>][Date Sat, 17 Dec 2005 02:21:53 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html/[From "PayPal" <service@paypal.com>][Date Sat, 17 Dec 2005 18:54:21 -0800]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk/[From "Renae" <info@insliq.com>][Date Sat, 17 Dec 2005 00:23:12 +0000]/html Infected: Trojan-Spy.HTML.Paylap.gv

    C:\Documents and Settings\Sean{y}\Application Data\Thunderbird\Profiles\default\k8qtjpdx.slt\Mail\mail.affsys-1.com\Junk Infected: Trojan-Spy.HTML.Paylap.gv

     

    Scan process completed.

     

     

    Mostly because I don't open attachments, and most of it is marked as junk. The problem? The Junk.sbd folders are completely empty. Couldn't I just delete everything via Thunderbird instead?

     

    Also, here's my last HJT log before I install ZoneAlarm.

     

     

    -------------

     

    Logfile of HijackThis v1.99.1

    Scan saved at 2:53:41 PM, on 1/3/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\CTHELPER.EXE

    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\PROGRA~1\ICQ\ICQ.exe

    C:\Program Files\MessengerPlus! 3\MsgPlus.exe

    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\Program Files\Netropa\Onscreen Display\OSD.exe

    C:\WINDOWS\system32\CTSVCCDA.EXE

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\Program Files\ewido anti-malware\ewidoguard.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\Logitech\MouseWare\system\em_exec.exe

    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\WINDOWS\System32\MsPMSPSv.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\explorer.exe

    C:\hijackthis\HijackThis.exe

    C:\Program Files\Mozilla Thunderbird\thunderbird.exe

     

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL

    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab

    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522

    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37500.cab

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

     

    ----
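As an added example (not part of the thread), a small Python triage script for the report format above: it parses the `Infected Object Name - Virus Name` lines, separates the on-disk file from the nested message parts Kaspersky reports after `/[From ...]`, and groups the hits so the inflated "infected objects" count collapses to the few mbox files that actually need action. The sample lines are constructed and shortened (addresses use `.example` domains), following the nesting and detection names in the post.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample in the shape of the Kaspersky On-line Scanner report
# (paths and addresses shortened; nesting and detection names follow the post).
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Docs\Thunderbird\Mail\pop.cogeco.ca\Junk/[From eBay <ref@ebay.example>][Date Sun, 24 Jul 2005 22:55:35 -0600]/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Docs\Thunderbird\Mail\pop.cogeco.ca\Junk/[From "Raul D. Dailey" <raul@klomp.example>][Date Sat, 04 Sep 2004 09:35:31 -0300]/text Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Docs\Thunderbird\Mail\pop.cogeco.ca\Junk Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Docs\Thunderbird\Mail\pop.videotron.ca\Inbox/[From Antigen@videotron.example][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From Seanvdb <seanvdb@iaehv.example>][Date Mon, 12 Sep 2005 20:35:45 +0200]/price.cpl Infected: Email-Worm.Win32.Bagle.ct
C:\Docs\Thunderbird\Mail\pop.videotron.ca\Inbox/[From Antigen@videotron.example][Date Mon, 19 Jul 2004 07:16:39 -0400]/text/[From Seanvdb <seanvdb@iaehv.example>][Date Mon, 12 Sep 2005 20:35:45 +0200]/price.zip Infected: Email-Worm.Win32.Bagle.ct
C:\Docs\Thunderbird\Mail\pop.videotron.ca\Inbox Infected: Email-Worm.Win32.Bagle.ct
C:\Docs\Thunderbird\Mail\mail.affsys-1.com\Junk/[From "Paypal" <service@paypal.example>][Date Thu, 1 Dec 2005 07:14:44 +0500 (YEKT)]/text/[spam]Dear Infected: Trojan-Spy.HTML.Paylap.gj
C:\Docs\Thunderbird\Mail\mail.affsys-1.com\Junk Infected: Trojan-Spy.HTML.Paylap.gj
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.614
Scan process completed.
"""


class Finding(NamedTuple):
    container: str   # the file the scanner opened on disk (for mail, the mbox file)
    account: str     # Thunderbird account directory under Mail\, or "" for non-mail files
    folder: str      # Thunderbird folder (mbox) name, or ""
    leaf: str        # innermost scanned object: 'html', 'text', 'price.cpl', or the file itself
    nested: bool     # True when the hit is a message or part inside the container
    detection: str


LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)$")


def parse_report(text: str) -> list[Finding]:
    """Turn the 'Infected Object Name - Virus Name' lines into Finding records."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, settings and statistics lines carry no object
        obj, detection = m.group("obj"), m.group("det")
        # Kaspersky separates the on-disk file from objects found inside it with "/[From ...]".
        container, sep, inner = obj.partition("/[")
        nested = bool(sep)
        leaf = inner.rsplit("/", 1)[-1] if nested else container.rsplit("\\", 1)[-1]
        account = folder = ""
        if "\\Mail\\" in container:
            account, _, folder = container.split("\\Mail\\", 1)[1].partition("\\")
        findings.append(Finding(container, account, folder, leaf, nested, detection))
    return findings


def triage(findings: list[Finding]) -> dict[str, dict]:
    """Collapse per-object hits onto the files that actually need action.

    The scanner counts the mbox file, each nested message and each part as a
    separate 'infected object', so a few phishing mails in a Junk folder inflate
    the total; grouping by container shows how few files are really involved.
    """
    by_container: dict[str, list[Finding]] = defaultdict(list)
    for f in findings:
        by_container[f.container].append(f)

    summary = {}
    for container, hits in by_container.items():
        first = hits[0]
        # A nested leaf with a file extension is an attachment; 'html'/'text' leaves are the
        # message bodies themselves (the Trojan-Spy.HTML.* detections are phishing pages).
        attachments = sorted({h.leaf for h in hits if h.nested and "." in h.leaf})
        if attachments:
            action = "attachment inside mail store: delete the carrying message in Thunderbird, then compact the folder"
        elif first.folder:
            action = "phishing HTML body in mail store: delete the message in Thunderbird, then compact the folder"
        elif first.detection.startswith("not-a-virus:"):
            action = "riskware classification, not malware: confirm it is software you installed"
        else:
            action = "standalone infected file: quarantine or delete"
        summary[container] = {
            "folder": f"{first.account}\\{first.folder}" if first.folder else None,
            "objects": len(hits),
            "detections": sorted({h.detection for h in hits}),
            "attachments": attachments,
            "action": action,
        }
    return summary


if __name__ == "__main__":
    for path, row in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{path}\n  objects={row['objects']} detections={row['detections']}")
        print(f"  attachments={row['attachments']}\n  action: {row['action']}")
```

Thunderbird stores a folder's messages in a file named after the folder (`Junk`), while `Junk.sbd` holds only child folders, which is why the report names the former and the latter can be empty; deleted messages remain in the mbox file until the folder is compacted.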

  4. Hey Dak,

     

    Thanks again for the help.

     

    I more so meant the difference between zone alarm and the other one you offered, but since I have some experience with Zone Alarm, I will stick with that one.

     

    I've also uninstalled those two spyware programs you mentioned... I had already done spybouncer, as spy sweeper turned up virtual bouncer, and I assumed they were linked.

     

    Trend Micro Anti-Spyware has picked up some registry keys, but no trojans or active problems, so things are looking up.

     

    I'm going to run Kaspersky, post an HJT log, and then install zone alarm and hopefully be finished with problems!

  5. Hey Dak,

     

    A few more things (I want to be absolutely sure).

     

    I'm going to cancel my CC anyway, since that's easy to do. I have (obviously) avoided doing any online banking since I got this (for fear of problems). I accessed Amazon (the only place I do online shopping on my credit card), but did not actually do any purchasing. I assume that would be reason enough to cancel it?

     

    Also, of the two firewalls, which would you recommend the most? I currently use the XP firewall. I have used ZoneAlarm in the past, but haven't in awhile; it caused massive problems uninstalling because I neglected to read the proper uninstallation procedures.

     

    I re-ran blacklight and it ran 'properly'.

     

    I ran ScanSpyware, and it picked up haxdoor-BC (log is below). I've deleted everything in the log, and running it twice more turns up nothing.

     

    -------

    Application Information

    =======================

    Application Version: ScanSpyware v3.8 build 3.8.0.4

    Original Database: pests12-09-05.db

    Updated Database: ssdb010206.db

    Current Date: Tuesday, January 03, 2006 10:21:23 AM

    __________________________________________________

    Directories recognized:

    =======================

    __________________________________________________

    Files recognized:

    =================

    [HAXDOOR-BC]
    C:\WINDOWS\system32\ps.a3d

    [spytech shadow]
    C:\WINDOWS\unvise32.exe

    [Visual Zip Password Recovery Processor]
    C:\WINDOWS\UnGins.exe

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Services\_common\country_icons.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Services\_gspyder\stg_legend.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\pw32.dll

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Profiles\countries.ini

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\gsg_radar.avi

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_checkbox.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_chicklets.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\peer_list_icons_sm.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\service_menu_bg.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\service_tab+.tga

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Skins\(default2)\stg_border_main.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\halflife\cstrike\mod_cs.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\halflife\tfc\mod_tfc.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\quake3\excessive\mod_excessive.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\quake3\osp\mod_osp.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\quake3\q3f\mod_q3f.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\quake3\rocketarena3\mod_ra3.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\quake3\wfa\mod_wfa.psd

    [GameSpy Arcade]
    C:\Program Files\GameSpy Arcade\Custom\ut\Swat\mod_swat.psd

    __________________________________________________

    Registry keys recognized:

    =========================

    [GAIN]
    HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\ctls

    [GAIN]
    HKEY_USERS\.default\software\microsoft\systemcertificates\trustedpublisher\crls

    __________________________________________________

    Registry values recognized:

    ===========================

    __________________________________________________

    Cookies recognized:

    ===================

    [VX2]
    c:\documents and settings\sean{y}\cookies\sean{y}@serviceswitching[1].txt

    [Tracking Cookies]
    c:\documents and settings\sean{y}\cookies\sean{y}@img.wmp10.elsitiodc[1].txt

    __________________________________________________

    ----------

     

    Ewido is running again, and it picked up some cookies and backdoor.haxdoor.dw (do these things multiply?!) EDIT: It found this yesterday... today it only picked up cookies. I overreacted! (thank God)

    SpyBouncer picked up 3 things (I cleaned them all out: locate.com in system32, bpmnt.dll in windows, and some file called ncase.zip in docsandsettings/allusers/apps/spybot/recovery... I cleaned out the whole folder).

    I guess my question is: without completely formatting, is it possible to know when I'll be clean?

  6. I left RootkitRevealer running all night; it turned up nothing (and finished properly!).

    About the credit card 'lately', do you mean within the time that I was infected? I can see the passwords that were attempted to be sent to some IP address... none of them are important.

     

    By the way, thanks for all your help!

     

    Also, when I ran F-secure again, I got this:

     

    01/03/06 00:47:48 [info]: BlackLight Engine 1.0.30 initialized
    01/03/06 00:47:48 [info]: OS: 5.1 build 2600 (Service Pack 2)
    01/03/06 00:47:48 [Note]: 7019 4
    01/03/06 00:47:48 [Note]: 7005 0
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Note]: 7006 0
    01/03/06 00:47:51 [Note]: 7011 1468
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:51 [Note]: 7018 2280
    01/03/06 00:47:51 [Error]: 6024 4
    01/03/06 00:47:52 [Note]: FSRAW library version 1.7.1014
    01/03/06 00:49:46 [Note]: 7007 0

     

    Then I ran it again this morning, and got this:

     

    01/03/06 07:45:07 [info]: BlackLight Engine 1.0.30 initialized
    01/03/06 07:45:07 [info]: OS: 5.1 build 2600 (Service Pack 2)
    01/03/06 07:45:07 [Note]: 7019 4
    01/03/06 07:45:07 [Note]: 7005 0
    01/03/06 07:45:08 [Note]: 7006 0
    01/03/06 07:45:08 [Note]: 7011 1460
    01/03/06 07:45:08 [Note]: FSRAW library version 1.7.1014
    01/03/06 07:45:24 [Note]: 7007 0

     

     

    Why the difference??

     

     

    ------------

     

    And one more. Are you familiar with Spy Sweeper? My log came up clean, but the session log has some weird 'cannot open file' lines... some of which look important.

     

    ********
    12:27 AM: | Start of Session, Tuesday, January 03, 2006 |
    12:27 AM: Spy Sweeper started
    12:27 AM: Sweep initiated using definitions version 594
    12:27 AM: Starting Memory Sweep
    12:29 AM: Memory Sweep Complete, Elapsed Time: 00:02:03
    12:29 AM: Starting Registry Sweep
    12:29 AM: Registry Sweep Complete, Elapsed Time:00:00:05
    12:29 AM: Starting Cookie Sweep
    12:29 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
    12:29 AM: Starting File Sweep
    12:29 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
    12:30 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
    12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\datastore.edb". The process cannot access the file because it is being used by another process
    12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\edb.log". The process cannot access the file because it is being used by another process
    12:32 AM: Warning: Failed to open file "c:\windows\softwaredistribution\datastore\logs\tmp.edb". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
    12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process


    12:35 AM: Warning: Failed to open file "c:\documents and settings\localservice\application data\webroot\spy sweeper\temp\sscsc968be48-da0f-4673-a43a-e1ea7d61cbf3.tmp". The process cannot access the file because it is being used by another process

    12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat". The process cannot access the file because it is being used by another process

    12:35 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\ntuser.dat.log". The process cannot access the file because it is being used by another process

    12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process

    12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process

    12:37 AM: Warning: Failed to open file "c:\documents and settings\sean{y}\local settings\temp\~dfbd4b.tmp". The process cannot access the file because it is being used by another process

    12:46 AM: File Sweep Complete, Elapsed Time: 00:17:32

    12:46 AM: Full Sweep has completed. Elapsed time 00:19:42

    12:46 AM: Traces Found: 0

     

    Mostly the system32/config errors scare me. What if I ran it in safe mode?? I checked the files with unlocker; the system32/config files seem to be used by each other (SAM with SAM.log, SYSTEM with SYSTEM.log, etc.). Is that normal?

  7. rootkit still locks up here: HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7

    I'm going to leave it running overnight and see what comes of it.

     

    Here are the results from the l2mfix:

     

    L2MFIX find log 122705

    These are the registry keys present

    **********************************************************************************

    Winlogon/notify:

    Windows Registry Editor Version 5.00

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]

    "DLLName"="Ati2evxx.dll"

    "Asynchronous"=dword:00000000

    "Impersonate"=dword:00000001

    "Lock"="AtiLockEvent"

    "Logoff"="AtiLogoffEvent"

    "Logon"="AtiLogonEvent"

    "Disconnect"="AtiDisConnectEvent"

    "Reconnect"="AtiReConnectEvent"

    "Safe"=dword:00000000

    "Shutdown"="AtiShutdownEvent"

    "StartScreenSaver"="AtiStartScreenSaverEvent"

    "StartShell"="AtiStartShellEvent"

    "Startup"="AtiStartupEvent"

    "StopScreenSaver"="AtiStopScreenSaverEvent"

    "Unlock"="AtiUnLockEvent"

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

    "Asynchronous"=dword:00000000

    "Impersonate"=dword:00000000

    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\

    6c,00,00,00

    "Logoff"="ChainWlxLogoffEvent"

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

    "Asynchronous"=dword:00000000

    "Impersonate"=dword:00000000

    "DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\

    6c,00,6c,00,00,00

    "Logoff"="CryptnetWlxLogoffEvent"

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

    "DLLName"="cscdll.dll"

    "Logon"="WinlogonLogonEvent"

    "Logoff"="WinlogonLogoffEvent"

    "ScreenSaver"="WinlogonScreenSaverEvent"

    "Startup"="WinlogonStartupEvent"

    "Shutdown"="WinlogonShutdownEvent"

    "StartShell"="WinlogonStartShellEvent"

    "Impersonate"=dword:00000000

    "Asynchronous"=dword:00000001

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

    "DLLName"="wlnotify.dll"

    "Logon"="SCardStartCertProp"

    "Logoff"="SCardStopCertProp"

    "Lock"="SCardSuspendCertProp"

    "Unlock"="SCardResumeCertProp"

    "Enabled"=dword:00000001

    "Impersonate"=dword:00000001

    "Asynchronous"=dword:00000001

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

    "Asynchronous"=dword:00000000

    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

    6c,00,6c,00,00,00

    "Impersonate"=dword:00000000

    "StartShell"="SchedStartShell"

    "Logoff"="SchedEventLogOff"

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

    "Logoff"="WLEventLogoff"

    "Impersonate"=dword:00000000

    "Asynchronous"=dword:00000001

    "DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\

    6c,00,6c,00,00,00

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

    "DLLName"="WlNotify.dll"

    "Lock"="SensLockEvent"

    "Logon"="SensLogonEvent"

    "Logoff"="SensLogoffEvent"

    "Safe"=dword:00000001

    "MaxWait"=dword:00000258

    "StartScreenSaver"="SensStartScreenSaverEvent"

    "StopScreenSaver"="SensStopScreenSaverEvent"

    "Startup"="SensStartupEvent"

    "Shutdown"="SensShutdownEvent"

    "StartShell"="SensStartShellEvent"

    "PostShell"="SensPostShellEvent"

    "Disconnect"="SensDisconnectEvent"

    "Reconnect"="SensReconnectEvent"

    "Unlock"="SensUnlockEvent"

    "Impersonate"=dword:00000001

    "Asynchronous"=dword:00000001

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

    "Asynchronous"=dword:00000000

    "DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\

    6c,00,6c,00,00,00

    "Impersonate"=dword:00000000

    "Logoff"="TSEventLogoff"

    "Logon"="TSEventLogon"

    "PostShell"="TSEventPostShell"

    "Shutdown"="TSEventShutdown"

    "StartShell"="TSEventStartShell"

    "Startup"="TSEventStartup"

    "MaxWait"=dword:00000258

    "Reconnect"="TSEventReconnect"

    "Disconnect"="TSEventDisconnect"

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

    "DLLName"="wlnotify.dll"

    "Logon"="RegisterTicketExpiredNotificationEvent"

    "Logoff"="UnregisterTicketExpiredNotificationEvent"

    "Impersonate"=dword:00000001

    "Asynchronous"=dword:00000001

     

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier]

    "Asynchronous"=dword:00000000

    "DllName"="WRLogonNTF.dll"

    "Impersonate"=dword:00000001

    "Lock"="WRLock"

    "StartScreenSaver"="WRStartScreenSaver"

    "StartShell"="WRStartShell"

    "Startup"="WRStartup"

    "StopScreenSaver"="WRStopScreenSaver"

    "Unlock"="WRUnlock"

    "Shutdown"="WRShutdown"

    "Logoff"="WRLogoff"

    "Logon"="WRLogon"

     

    **********************************************************************************

    useragent:

    Windows Registry Editor Version 5.00

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    "SV1"=""

     

    **********************************************************************************

    Shell Extension key:

    Windows Registry Editor Version 5.00

     

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    "{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"

    "{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"

    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"

    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"

    "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

    "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"

    "{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"

    "{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"

    "{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"

    "{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"

    "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"

    "{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"

    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"

    "{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"

    "{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

     

    **********************************************************************************

    HKEY ROOT CLASSIDS:

    **********************************************************************************

    Files Found are not all bad files:

     

    C:\WINDOWS\SYSTEM32\

    spmsg.dll Wed Oct 12 2005 6:12:26p ..... 14,048 13.72 K

    hashlib.dll Tue Nov 15 2005 12:12:08p A.... 117,976 115.21 K

    gdi32.dll Wed Oct 5 2005 10:09:36p A.... 280,064 273.50 K

    browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K

    axaltocm.dll Fri Oct 28 2005 11:49:40p ..... 133,120 130.00 K

    sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K

    wrlzma.dll Wed Dec 14 2005 7:17:16p A.... 17,920 17.50 K

    gcunco~1.dll Tue Nov 15 2005 12:12:06p A.... 95,448 93.21 K

    gccoll~1.dll Tue Nov 15 2005 12:12:08p A.... 126,680 123.71 K

    mshtmled.dll Thu Oct 20 2005 10:39:30p A.... 448,512 438.00 K

    basecsp.dll Fri Oct 28 2005 4:40:16p ..... 96,792 94.52 K

    bcsprsrc.dll Fri Oct 28 2005 11:49:40p ..... 25,600 25.00 K

    ifxcardm.dll Fri Oct 28 2005 11:49:40p ..... 151,552 148.00 K

    esent.dll Thu Oct 20 2005 5:20:04p A.... 1,082,368 1.03 M

    wininet.dll Thu Oct 20 2005 10:39:30p A.... 658,432 643.00 K

    urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K

    shlwapi.dll Thu Oct 20 2005 10:39:30p A.... 473,600 462.50 K

    shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M

    pngfilt.dll Thu Oct 20 2005 10:39:30p A.... 39,424 38.50 K

    mstime.dll Thu Oct 20 2005 10:39:30p A.... 530,944 518.50 K

    msrating.dll Thu Oct 20 2005 10:39:30p A.... 146,432 143.00 K

    mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M

    inseng.dll Thu Oct 20 2005 10:39:28p A.... 96,256 94.00 K

    iepeers.dll Thu Oct 20 2005 10:39:28p A.... 251,392 245.50 K

    dxtrans.dll Thu Oct 20 2005 10:39:28p A.... 205,312 200.50 K

    danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M

    cdfview.dll Thu Oct 20 2005 10:39:26p A.... 151,040 147.50 K

    extmgr.dll Thu Oct 20 2005 10:39:28p ..... 55,808 54.50 K

    msgplu~1.dll Wed Oct 12 2005 8:48:22a A.... 45,640 44.57 K

    wrlogo~1.dll Wed Dec 14 2005 7:17:20p A.... 492,544 481.00 K

     

    30 items found: 30 files, 0 directories.

    Total of file sizes: 13,049,800 bytes 12.44 M

    Locate .tmp files:

     

    No matches found.

    **********************************************************************************

    Directory Listing of system files:

    Volume in drive C has no label.

    Volume Serial Number is 1F60-12D5

     

    Directory of C:\WINDOWS\System32

     

    02/20/2004 12:27 PM <DIR> Microsoft

    02/20/2004 11:08 AM <DIR> dllcache

    0 File(s) 0 bytes

    2 Dir(s) 48,757,702,656 bytes free

     

    ------------------------

     

    And the results from jotti.org. There were two sections. I think the 2nd section does not pertain to me, but I pasted it just in case.

     

    Service load:

    0% 100%

    File: iexplore.exe

    Status:

    OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

    MD5 e7484514c0464642be7b4dc2689354c8

    Packers detected:

    -

    Scanner results

    AntiVir

    Found nothing

    ArcaVir

    Found nothing

    Avast

    Found nothing

    AVG Antivirus

    Found nothing

    BitDefender

    Found nothing

    ClamAV

    Found nothing

    Dr.Web

    Found nothing

    F-Prot Antivirus

    Found nothing

    Fortinet

    Found nothing

    Kaspersky Anti-Virus

    Found nothing

    NOD32

    Found nothing

    Norman Virus Control

    Found nothing

    UNA

    Found nothing

    VBA32

    Found nothing

     

     

    PART TWO:

     

    Last file scanned at least one scanner reported something about: CRAGGLE_SEARCH[10].rar, detected by:

     

    Scanner Malware name

    AntiVir Adware-Spyware/Craagle.18 adware

    ArcaVir X

    Avast X

    AVG Antivirus Generic.GMX

    BitDefender X

    ClamAV X

    Dr.Web X

    F-Prot Antivirus X

    Fortinet X

    Kaspersky Anti-Virus not-a-virus:AdWare.Win32.Craagle.18

    NOD32 X

    Norman Virus Control X

    UNA Adware.Craagle.18

    VBA32 AdWare.Win32.Craagle.18

     

     

    You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives

    We are not affiliated with any third parties that conduct tests using this service.

     

    Thanks so much, you guys are super helpful!

  8. I'm pretty sure the haxdoor came in with a crack I was using... though I didn't notice it had downloaded two executables, and only bothered to check one of them for viruses before I ran it (I'm an idiot).

     

    Here's the information you wanted. I finally got a version of spy sweeper that does more than just scan (for 14 days anyway), so I removed those instances in the registry. I don't know if anything is still here... hopefully someone here can answer!!

     

    ----------------------------

     

    01/02/06 23:15:53 [info]: BlackLight Engine 1.0.30 initialized

    01/02/06 23:15:53 [info]: OS: 5.1 build 2600 (Service Pack 2)

    01/02/06 23:15:53 [Note]: 7019 4

    01/02/06 23:15:53 [Note]: 7005 0

    01/02/06 23:15:55 [Note]: 7006 0

    01/02/06 23:15:56 [Note]: 7011 1428

    01/02/06 23:15:56 [Note]: FSRAW library version 1.7.1014

    01/02/06 23:16:03 [Note]: 7007 0

     

    ------------------------------

     

    Logfile of HijackThis v1.99.1

    Scan saved at 11:17:15 PM, on 1/2/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\WINDOWS\system32\CTSVCCDA.EXE

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\Program Files\ewido anti-malware\ewidoguard.exe

    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    C:\WINDOWS\System32\MsPMSPSv.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\CTHELPER.EXE

    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\MessengerPlus! 3\MsgPlus.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\PROGRA~1\ICQ\ICQ.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

    C:\Program Files\Netropa\Onscreen Display\OSD.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\Logitech\MouseWare\system\em_exec.exe

    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\Program Files\BitComet\BitComet.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\explorer.exe

    C:\hijackthis\HijackThis.exe

     

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL

    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

     

    --------------------------

     

    That O20 is back though, except with a different file name... ahhhh!

  9. Rootkit revealer also tries to start a windows service when I open it:

     

    A Windows service is a program that can run automatically if enabled. This change generally occurs when software is installed. You can allow this change if it is recognized and expected.

     

    Name: Sysinternals Rootkitrevealer

    Publisher: Sysinternals - http://www.sysinternals.com

    Path: C:\DOCUME~1\Sean{y}\LOCALS~1\Temp\KNHBWQXPINSZOERGTS.exe

     

    Is that ok?

  10. I've deleted all the associated files, run ewido etc. in safe mode. Everything is gone except a set of registry files that Spy Sweeper is picking up. They are:

     

    HKLM\system\currentcontrolset\control\safeboot\minimal\avpe32.sys\ (1 subtrace)

    HKLM\system\currentcontrolset\control\safeboot\minimal\avpe64.sys\(1 subtrace)

    HKLM\system\currentcontrolset\control\safeboot\network\avpe32.sys\(1 subtrace)

    HKLM\system\currentcontrolset\control\safeboot\network\avpe64.sys\(1 subtrace)

    HKLM\system\currentcontrolset\services\avpe32\ (12 subtraces)

    HKLM\system\currentcontrolset\services\avpe64\ (12 subtraces)

     

    Can I delete them?

     

    Also, at 5:24pm, I got two 'mail returned to sender' emails with a bunch of my passwords that were going to some IP address.

     

    This is the AVG E-mail Scanner program.

     

    I'm sorry to have to inform you that the message returned

    below could not be delivered to one or more destinations.

     

    -------------------------------------------------------------------

    Cannot open smtp connection to '192.168.1.100'

    Connect: No connection could be made because the target machine actively refused it. (10061)

     

    -------------------------------------------------------------------

     

    Your e-mail message is being returned to you in the next part of this

    message. Try to send the message again.

     

    Should you need assistance, please contact your administrator or your

    Internet service provider.

     

    If there are only registry files left, how can I still be sending emails out with my passwords?

  11. Also, here is a rootkitrevealer log. I noticed in the other thread that a user named Dak mentioned that the new haxdoor viruses have keyword loggers. Thunderbird tried to send an email with a bunch of passwords of mine to some random email address (but failed). It didn't send my online banking one, but it'd be nice to get rid of this soon!

     

    I was going to post the revealer, but it:

     

    Gets stuck on HKLM\SYSTEM\WPA\StartHash-XT33R8KXVF2JY7

     

    Been like that for 10 minutes.

  12. I was infected with a virus last night (avpe32.dll). AVG won't remove it.

     

    I've scanned with Spy Sweeper (found it but wouldn't delete (as it's a trial version)), ewido, spybot, adaware, microsoft antispyware, and panda activescan. Ewido repeatedly pops up the Backdoor.Haxdoor.dw infection. I can't manually delete the file from c:\WINDOWS\system32, because it isn't showing up there.

     

    I'm posting because someone else had a similar problem and you guys were able to help him. I've booted to safe mode and used apropos.exe as well. I've posted an HJT log as well as the log file from apropos.exe.

     

     

    ---------------------

     

    Log of AproposFix v1

     

    ************

     

    Running from directory:

    C:\Documents and Settings\Sean{y}\Desktop\aproposfix

     

    ************

     

    Registry entries found:

     

     

    ************

     

    No service found!

     

    Removing hidden folder:

    No folder found!

     

    Deleting files:

     

     

    Backing up files:

    Done!

     

    Removing registry entries:

     

    REGEDIT4

     

     

    Done!

     

    Finished!

     

     

    -------------------

     

     

    Logfile of HijackThis v1.99.1

    Scan saved at 12:53:41 PM, on 1/2/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

     

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\csrss.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\Ati2evxx.exe

    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    C:\WINDOWS\system32\CTHELPER.EXE

    C:\WINDOWS\System32\alg.exe

    C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    C:\PROGRA~1\ICQ\ICQ.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

    C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    C:\Program Files\Netropa\Onscreen Display\OSD.exe

    C:\WINDOWS\system32\CTSVCCDA.EXE

    C:\Program Files\MessengerPlus! 3\MsgPlus.exe

    C:\Program Files\ewido anti-malware\ewidoctrl.exe

    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    C:\Program Files\ewido anti-malware\ewidoguard.exe

    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    C:\Program Files\Logitech\MouseWare\system\em_exec.exe

    C:\Program Files\MSN Messenger\msnmsgr.exe

    C:\WINDOWS\system32\wdfmgr.exe

    C:\WINDOWS\System32\MsPMSPSv.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\WINDOWS\explorer.exe

    C:\hijackthis\HijackThis.exe

     

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O3 - Toolbar: Brandimensions - {be8d24ef-2dc5-47b8-9821-df8c05203783} - C:\WINDOWS\system32\mscoree.DLL

    O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe

    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

    O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"

    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

    O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127183387522

    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll

    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE

    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

     

     

     

    --------------------

     

    The O20, which is the file, just keeps coming back!
