opening .txt docs unleashes virus
Original Message
Name: goingoutofmymind
Date: March 13, 2006 at 11:32:54 Pacific
Subject: opening .txt docs unleashes virus
OS: Windows 98SE
CPU/Ram: Intel 82801 / 256 MB
Model/Manufacturer: Dell Dimension 4100
Comment: I cannot open "any" text documents. If I try, a virus found warning comes up, which I generally send the following to the vault: trojan horse clicker.zm, trojan horse startpage.14.aq, c:\windows\system\f98er24s8u.dll. Having done this, I still cannot open any text docs, and recently, I can't even open Microsoft XL (computer tells me my resources are dangerously low, and I need to reboot my system entirely). If I press Ctrl-Alt-Del and bring up running processes, I have in the background mydi.hta and winoldapp. I've tried free scanners such as AVG, Ad-Aware, Xoftspy - they cannot seem to catch it. If anybody has some angle on this, I would be eternally grateful!
EPL
Response Number 1
Name: Mechanix2Go
Date: March 13, 2006 at 12:38:56 Pacific
Reply: There are no viruses in txt files. 1st thing I would do is go to file types and associate hta with EDIT. This mydi.hta sounds like bad news. Reboot in DOS and rename mydi.hta to mydi.ht-
See if that helps.

If at first you don't succeed, you're about average.
M2
Response Number 2
Name: jabuck
Date: March 13, 2006 at 15:06:17 Pacific
Reply: Download cwshredder from this link http://cwshredder.net/bin/CWShredder.exe then run it after you run the Start Page fix.

To remove startpage, download http://www.derbilk.de/SpSeHjfix109.zip to the desktop, then right click a blank part of the desktop & select new folder, call it spfix, and unzip the file into that folder. Disconnect from the net and close all open programs. Run 'SpSeHjfix' and click on "Start Disinfection". When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder. If it doesn't find any of the SE files or any hidden reinstallers it will say system clean and not go on to next stage.

Now run cwshredder and press the fix button.

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed. Once saved, double click HijackThis.exe and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.
Response Number 3
Reply: Hello M2 & jabuck, Thanks a mill for all the info. I'm very excited about trying to rid these problems once and for all. Have not had a chance to implement, but I will and will keep you posted.
EPL
Response Number 4
Reply: Ok, did everything as instructed, here's the hijack this log. Thx.
EPL

Logfile of HijackThis v1.99.1
Scan saved at 10:51:56 AM, on 3/18/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cashx.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.411.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.cashx.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.cashx.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O8 - Extra context menu item: @hoc - http://ns.athoc.com/sps/local/menu.asp
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: @hoc - {92D7F110-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: @hoc - {92D7F110-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {C1E7B5E0-BAFC-11D4-8931-000103225042} - http://www.dellnet.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {3E149130-1B20-11D3-97A8-00A0CC2274C2} (Burst Source Filter) - http://www.burst.com/f/sales/pages/BurstWMP.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.105/2431fb07b53e3265d216/netzip/RdxIE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.netlantique.com:2213/activex/AMC.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
O18 - Protocol: burst - {2F2BA850-6714-11D4-8D0D-00B0D02A5D4E} - C:\WINDOWS\SYSTEM\BURSTSOURCEFILTER.AX
Response Number 5
Name: jabuck
Date: March 19, 2006 at 07:44:11 Pacific
Reply: Run HT again, close all windows and browsers except HT, place a check to the left of the following items and press "fix checked":
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cashx.ca
If you have installed cashx, delete all except the first R1; otherwise delete them all.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.cashx.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.411.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.cashx.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,(Default) = http://www.cashx.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.cashx.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O8 - Extra context menu item: @hoc - http://ns.athoc.com/sps/local/menu.asp
O8 - Extra context menu item: Web Search - c:\windows\ex.htm
O9 - Extra button: Dell Home - {C1E7B5E0-BAFC-11D4-8931-000103225042} - http://www.dellnet.com (file missing) (HKCU)
O16 - DPF: {3E149130-1B20-11D3-97A8-00A0CC2274C2} (Burst Source Filter) - http://www.burst.com/f/sales/pages/BurstWMP.cab
O18 - Protocol: burst - {2F2BA850-6714-11D4-8D0D-00B0D02A5D4E} - C:\WINDOWS\SYSTEM\BURSTSOURCEFILTER.AX

Reboot into safe mode by following the directions reboot into Safe Mode
Set up the computer to view hidden files by following the directions Here
While still in safe mode navigate to and delete these files if found:
c:\windows\ex.htm
C:\WINDOWS\SYSTEM\BURSTSOURCEFILTER.AX
Reboot into normal mode and post a new HT log.
Response Number 8
Reply: Hi Jabuck, OK, did everything, here are the results:
a) could not find/delete either of the files
c:\windows\ex.htm
C:\WINDOWS\SYSTEM\BURSTSOURCEFILTER.AX
b) Noticed in HT, the following entries
O9 - Extra button: @hoc - {92D7F110-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: @hoc - {92D7F110-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
Would these be part of the @Hoc toolbar? That seemed to be somewhat of a nuisance 1-2 years ago? Not sure if you're familiar with it.
c) here's the new HT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:34:05 PM, on 3/19/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O9 - Extra button: @hoc - {92D7F110-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: @hoc - {92D7F110-7F20-11d3-8157-0090278B20DE} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.105/2431fb07b53e3265d216/netzip/RdxIE.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://www.netlantique.com:2213/activex/AMC.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

EPL
Response Number 9
Name: jabuck
Date: March 19, 2006 at 16:52:53 Pacific
Reply: It probably is. It won't hurt anything to remove it with HT. Also remove these:
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.105/2431fb07b53e3265d216/netzip/RdxIE.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
Response Number 10
Reply: Hi, I'm assuming at this point, we've cleaned up everything. Time to try and open a text file? Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 8:55:55 AM, on 3/20/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

EPL
Response Number 12
Reply: Well, could be a little more work. Tried opening a text file, and AVG popped up the following "virus detected" messages:
c:\windows\system\F98ER24S8U.DLL (trojan horse Clicker.zm)
c:\windows\system\checking.exe (trojan horse startpage.14.aq)
NASTY!! Ran HT again, here's new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:38:39 PM, on 3/20/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

This "Checking.exe" file seems to only surface when I try to open a .txt file? New ideas?
EPL
Response Number 13
Name: jabuck
Date: March 20, 2006 at 19:35:00 Pacific
Reply: From safe mode navigate to and delete these files (the ones found by avg):
c:\windows\system\F98ER24S8U.DLL
c:\windows\system\checking.exe
Then reboot to normal mode and try the .txt files again.
Response Number 14
Reply: Well, I think I'm starting to go back to the "out of my mind" scenario. Here's what happened:
a) rebooted in safe mode, but could not find files (probably because AVG moved them to the virus vault)
b) re-opened txt files, and "ignored" virus vault - reboot in safe, found both files, and deleted them.
c) reboot in normal mode, opened txt files, and got the same virus detection for both files!

If it helps, the f98...dll properties indicate company name "McSoft" and internal name "Stopzilla" - don't know if you've heard of them?

Also, seems like a number of the HT log entries re-surfaced, such as ...
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com

Also, the following...
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
Would "checking.exe" and "checking shell..." be related?

Not sure of this "extra button"...
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

Finally, this website looks a little off-kilter. If you know what this is, great, I sure as *(* don't!
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

Plan B ???? If you wanted to call me, I have a toll free 800 number! Located in EST, so would have to make it sometime Tuesday. Tell me what you think.
EPL
Response Number 15
Name: jabuck
Date: March 21, 2006 at 15:41:28 Pacific
Reply: Yes, those are bad files/HT items. Search for and delete these files in safe mode, then post another HT log and let me know if you found the files and which ones you found.
C:\WINDOWS\System\sqlici.dll
C:\WINDOWS\System\suchost.exe
C:\WINDOWS\System\sefpnt.dll
C:\WINDOWS\System\f98er24s8u.dll
C:\WINDOWS\winln.exe
Response Number 16
Reply: Jabuck, Thx for reply. I could not find, nor delete ANY of the following files:
C:\WINDOWS\System\sqlici.dll
C:\WINDOWS\System\suchost.exe
C:\WINDOWS\System\sefpnt.dll
C:\WINDOWS\System\f98er24s8u.dll
C:\WINDOWS\winln.exe

Note, 2 possible pieces of new info, not sure if they're related, but I'll let you consider their worthiness.
a) I recall some time ago, when this .txt/virus issue surfaced, that I read some info re: a virus that "names itself" as wordpad.exe, and when you open a .txt file, the o/s opens the executable, but instead it's the virus?
b) 1 month ago, my ISP had some tech difficulties (I had no DSL) which required hardware changes at their end. During the trouble shooting phase, they asked me to go to dos mode, and gave me a dos prompt command that brought up a listing of my com port details. Apparently, there were 2 IP addresses connected to my com ports, which surprised the ISP, because they insisted there should only be 1 (theirs). I'm wondering what the 2nd connection might be? Is it related to these viruses, is there a constant feed? How is it engaged?...yada, yada, yada.

Back to mainstream. I did delete the "rogue" HT entries, and here's the new log file.

Logfile of HijackThis v1.99.1
Scan saved at 7:39:16 PM, on 3/22/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {7160FB1B-3DE0-4C42-81F0-41B4269990B0} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v12/ticker.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
Response Number 17
Name: jabuck
Date: March 22, 2006 at 20:06:44 Pacific
Reply: All info helps, 98 is usually harder to remove the files on because the newer tools are just not made for it.

Reboot into safe mode and set the computer up to view hidden files. Run HT again and remove these items:
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe

Search for and delete these files if found:
C:\WINDOWS\sys.reg
C:\WINDOWS\system.css

Next, while still in safe mode, do a manual search for the following files and delete all instances if found:
hp.htm
load.bat
srch.reg

While still in safe mode run cwshredder. Boot into normal mode. Try the text files and post a new HT log.
Response Number 18
Reply: Morning Jabuck, I feel like we're getting there, but just when I've got my fingers crossed, that virus keeps popping up! Here's the latest...
a) Deleted the 3 HT items as requested
b) Found and deleted 2 files which were C:\WINDOWS\system.css srch.reg
c) Could not find/delete the following C:\WINDOWS\sys.reg hp.htm load.bat
d) Ran cwshredder, and it fixed 1 item which was cws.loadbat (related to load.bat?)
e) reboot in Normal mode, opened a txt file, and "they're back".
Here's the log
Logfile of HijackThis v1.99.1
Scan saved at 9:55:39 AM, on 3/23/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
F) I'm curious about these "hosts"
1) O1 - Hosts: 3466709097 To my knowledge, I don't use msn, have any defaults, etc
2) O1 - Hosts: 3466690378 These look like problems, the ad.click., etc. I'm not even connected to the internet when I ran these.
G) These 2 files "always" pop up after the virus
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
I checked them both out, they seem to be microsoft files?
What do you think...Are we making progress? How difficult is this compared to the other problems you solve? Look forward to next steps.
P.S. I used to use XL daily, but for several months now, if I try to open, computer tells me "no resources", I have to shut everything down, and actually, everything locks up and I have to soft boot, without the ability to even shut down XL. Coincidence? EPL
|
|
Response Number 19
|
Name: jabuck
Date: March 23, 2006 at 17:11:01 Pacific
|
Reply: Let's try a removal tool that may work. Download aboutbuster from this link http://www.malwarebytes.org/AboutBuster.zip Then unzip all files from the zip folder to your desktop. If you need an unzipper you can download one at this link Camunzip
Start Aboutbuster by double-clicking on the aboutbuster.exe icon and then click on the Update button to check for new updates. If any updates exist, please install them. Exit AboutBuster and reboot into safe mode. Once in safe mode double-click on the aboutbuster.exe icon again and click on the Begin Removal button. When it has finished scanning you will see a message stating that the Scan Completed and you should press OK. When the next information window opens press the Exit button. Then finally press the OK button again when it tells you a log has been saved. Run the scan one more time.
While still in safe mode run HT again and remove these items:
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
Reboot into normal mode and try the text files again.
|
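The single-number addresses in the O1 entries asked about in Response 18 and listed for removal in Response 19 are 32-bit IPv4 addresses written as one decimal integer. The following Python sketch is an added example, not part of the original thread and not HijackThis code: it splits a flattened HijackThis log into entries and groups the hostnames each O1 entry redirects by decoded destination. The function names and the loopback sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis log in the thread,
# flattened onto one line the way the forum shows them, plus one constructed
# loopback entry to show what a harmless hosts line looks like.
SAMPLE_LOG = (
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = "
    r"http://www.cashinterchange.com/solutions.asp "
    r"O1 - Hosts: 127.0.0.1 localhost "
    r"O1 - Hosts: 3466709097 auto.search.msn.com "
    r"O1 - Hosts: 3466709097 www.your.com your.com "
    r"O1 - Hosts: 3466690378 ad.doubleclick.net "
    r"O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun "
    r"O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set"
)

# Start of a HijackThis entry, e.g. "R0 - ", "O1 - ", "O16 - ".
ENTRY_START = re.compile(r"\b(?:[RFN]\d|O\d{1,2}) - ")
O1_ENTRY = re.compile(r"O1 - Hosts: (\S+)\s+(.*)")


def split_entries(log_text):
    """Split a log into entries, even when it was flattened onto one line."""
    flat = " ".join(log_text.split())
    starts = [m.start() for m in ENTRY_START.finditer(flat)]
    ends = starts[1:] + [len(flat)]
    return [flat[a:b].strip() for a, b in zip(starts, ends)]


def decode_address(token):
    """Return the IPv4 address a hosts-file address token stands for, or None.

    Handles dotted-quad text and the single decimal integer form seen in the
    thread's log (the whole 32-bit address written as one number).
    """
    try:
        if token.isdigit():
            return ipaddress.IPv4Address(int(token))
        return ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        return None


def hosts_redirects(log_text):
    """Map each non-loopback destination to the hostnames pointed at it."""
    redirects = defaultdict(list)
    for entry in split_entries(log_text):
        match = O1_ENTRY.fullmatch(entry)
        if not match:
            continue
        token, names = match.group(1), match.group(2).split()
        address = decode_address(token)
        if address is not None and (address.is_loopback or address.is_unspecified):
            continue  # ordinary localhost or blocking entry, not a redirect
        # Keep undecodable tokens under their raw text so they still get reviewed.
        key = str(address) if address is not None else token
        redirects[key].extend(names)
    return dict(redirects)


if __name__ == "__main__":
    for destination, names in hosts_redirects(SAMPLE_LOG).items():
        print(destination, "<-", ", ".join(names))
```

Entries that send search or ad-serving hostnames to one unfamiliar address, as both groups here do, are the ones to review in the hosts file itself.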
|
Response Number 20
|
|
Reply: I was getting excited about the new tool, but whatever is invading my system is definitely winning. Did as told, ran aboutbuster 2X, rebooted, opened .txt files (actually 3 times), and same f98'er and company came up. Interesting - the WINOA386.MOD and MSHTA.EXE come up for each occurrence of opening a txt file? Anyway, here's the new log.
Logfile of HijackThis v1.99.1
Scan saved at 10:55:23 PM, on 3/23/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
At 19 responses, I'm assuming this is one of the more challenging problems? EPL
|
|
Response Number 21
|
Name: jabuck
Date: March 24, 2006 at 14:31:45 Pacific
|
Reply: It is getting interesting. It is a variant of coolwebsearch, maybe we can corner it up. Please download Dllcompare from this link http://downloads.subratam.org/DllCompare.exe Save it to the desktop and run it. Click "Run Locate.com" to scan for DLL files. When the scan is finished, click "Compare". Finally, when that is complete, click "Make a Log of What Was Found". Please post the entire contents of the logfile along with a new HT log.
|
|
Response Number 22
|
Name: jabuck
Date: March 24, 2006 at 15:09:37 Pacific
|
Reply: Next download this Spysweeper 2 week free trial http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=spyll
Click Download Now to download the program. Install it. Once the program is installed, it will open. It will prompt you to update to the latest definitions, click Yes. Once the definitions are installed, click Options on the left side. Click the Sweep Options tab. Under What to Sweep please put a check next to the following:
Sweep Memory
Sweep Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Contents of Compressed Files
Sweep for Rootkits
Please UNCHECK Do not Sweep System Restore Folder. Click Sweep Now on the left side.
Click the Start button. When it's done scanning, click the Next button. Make sure everything has a check next to it, then click the Next button. It will remove all of the items found. Click Session Log in the upper right corner, copy everything in that window. Click the Summary tab and click Finish. Paste the contents of the session log you copied into your next reply.
|
|
Response Number 23
|
|
Reply: Hello Jabuck, Coolwebsearch sounds familiar! Here's the log of dllcompare, note that when I clicked "make a log file", our friend f98...dll came up (unlike HT). Also, I ran the program for my entire C: drive incl sub-directories, the default was c:\windows\system. Not sure if I should have done that, but I don't think it hurt. Here's the log file.
* DLLCompare Log version()
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\PROGRA~1\ACCESS~1\mspcx32.dll Fri Apr 23 1999 10:22:00p ...H. 53,248 52.00 K
C:\PROGRA~1\ACCESS~1\HYPERT~1\hypertrm.dll Fri Apr 23 1999 10:22:00p ...H. 491,520 480.00 K
C:\PROGRA~1\ACCESS~1\HYPERT~1\hticons.dll Fri Apr 23 1999 10:22:00p ...H. 40,960 40.00 K
________________________________________________
3,365 items found: 3,364 files (3 H/S), 1 directory.
Total of file sizes: 731,476,613 bytes 697.59 M
--------------------End log---------------------
Here's HT:
Logfile of HijackThis v1.99.1
Scan saved at 10:31:02 AM, on 3/25/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MSHTA.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\ANTIVIRUS\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cashinterchange.com/solutions.asp
O1 - Hosts: 3466709097 auto.search.msn.com
O1 - Hosts: 3466709097 search.msn.com
O1 - Hosts: 3466709097 sitefinder.verisign.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466709097 com.org
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Windows Shell Library Loader] checking shell32.dll /c /set
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw8fd.law8.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {71CA4411-45EC-4608-B9D7-6D4B6A9D1BB4} (Attenza System Profiler) - http://service.dell.com/dell/SystemProfiler.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://meetings.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
Will run spysweeper and re-post. Thx. EPL
|
|
Response Number 24
|
Name: jabuck
Date: March 25, 2006 at 09:08:57 Pacific
|
Reply: The dllCompare post was clean. Try this startpage removal tool, but please run spysweeper first as it may kill the bad files. Please go to this link http://www.derbilk.de/404.html and download SpSeHjfix109.zip, and save it to your desktop. Create a new folder called SpSeFix, and extract the files to this new folder. Double click the SpSeHFix icon and then follow instructions given in the window. Once the scan is done, and the machine has rebooted, please post a new HJT log, along with the log created by the tool, which will be located in the folder.
|
|
Response Number 25
|
|
Reply: This is a long one! Maybe that's good, maybe that's bad. Also, during the middle of the scan, I had my internet connection open, and some other adware pop-up virus showed up, a webpage called www.webpage-eliminator... Should I have run the scan with internet "closed"?
********
10:56 AM: | Start of Session, Saturday, March 25, 2006 |
10:56 AM: Spy Sweeper started
10:56 AM: Sweep initiated using definitions version 641
10:56 AM: Starting Memory Sweep
11:00 AM: Memory Sweep Complete, Elapsed Time: 00:03:41
11:00 AM: Starting Registry Sweep
11:00 AM: Found Adware: coolwebsearch (cws)
11:00 AM: HKLM\software\microsoft\windows\currentversion\run\ || windows shell library loader (ID = 112467)
11:00 AM: Found Adware: iemozg
11:00 AM: HKCR\typelib\{ce7c3ce2-4b15-11d1-0bed-709549c10000}\ (9 subtraces) (ID = 128106)
11:00 AM: HKLM\software\classes\typelib\{ce7c3ce2-4b15-11d1-0bed-709549c10000}\ (9 subtraces) (ID = 128107)
11:00 AM: Found Adware: metadirect
11:00 AM: HKLM\software\microsoft\windows\currentversion\uninstall\keywords\ (2 subtraces) (ID = 135003)
11:01 AM: Found Adware: ilookup
11:01 AM: HKU\.DEFAULT\software\share_docs\ (60 subtraces) (ID = 128458)
11:01 AM: Registry Sweep Complete, Elapsed Time:00:01:11
11:01 AM: Starting Cookie Sweep
11:01 AM: Found Spy Cookie: sympaticoca cookie
11:01 AM: default@service.sympatico[1].txt (ID = 3484)
11:01 AM: Found Spy Cookie: belnk cookie
11:01 AM: default@belnk[1].txt (ID = 2292)
11:01 AM: default@dist.belnk[2].txt (ID = 2293)
11:01 AM: Found Spy Cookie: banner cookie
11:01 AM: default@banner[1].txt (ID = 2276)
11:01 AM: Found Spy Cookie: ru4 cookie
11:01 AM: default@edge.ru4[2].txt (ID = 3269)
11:01 AM: Found Spy Cookie: adrevolver cookie
11:01 AM: default@adrevolver[2].txt (ID = 2088)
11:01 AM: Found Spy Cookie: casalemedia cookie
11:01 AM: default@casalemedia[1].txt (ID = 2354)
11:01 AM: default@sympatico[2].txt (ID = 3483)
11:01 AM: Found Spy Cookie: realmedia cookie
11:01 AM: default@realmedia[2].txt (ID = 3235)
11:01 AM: Found Spy Cookie: addynamix cookie
11:01 AM: default@ads.addynamix[2].txt (ID = 2062)
11:01 AM: Found Spy Cookie: advertising cookie
11:01 AM: default@advertising[1].txt (ID = 2175)
11:01 AM: Found Spy Cookie: falkag cookie
11:01 AM: default@as-us.falkag[2].txt (ID = 2650)
11:01 AM: Found Spy Cookie: 247realmedia cookie
11:01 AM: default@247realmedia[1].txt (ID = 1953)
11:01 AM: Found Spy Cookie: burstbeacon cookie
11:01 AM: default@www.burstbeacon[2].txt (ID = 2335)
11:01 AM: Found Spy Cookie: atwola cookie
11:01 AM: default@atwola[1].txt (ID = 2255)
11:01 AM: Found Spy Cookie: server.iad.liveperson cookie
11:01 AM: default@server.iad.liveperson[2].txt (ID = 3341)
11:01 AM: Found Spy Cookie: servedby advertising cookie
11:01 AM: default@servedby.advertising[1].txt (ID = 3335)
11:01 AM: Found Spy Cookie: 2o7.net cookie
11:01 AM: default@2o7[1].txt (ID = 1957)
11:01 AM: Found Spy Cookie: questionmarket cookie
11:01 AM: default@questionmarket[1].txt (ID = 3217)
11:01 AM: Found Spy Cookie: web-stat cookie
11:01 AM: default@server3.web-stat[2].txt (ID = 3649)
11:01 AM: Found Spy Cookie: fastclick cookie
11:01 AM: default@fastclick[1].txt (ID = 2651)
11:01 AM: Found Spy Cookie: burstnet cookie
11:01 AM: default@burstnet[2].txt (ID = 2336)
11:01 AM: Found Spy Cookie: tacoda cookie
11:01 AM: default@tacoda[1].txt (ID = 6444)
11:01 AM: Found Spy Cookie: tribalfusion cookie
11:01 AM: default@tribalfusion[1].txt (ID = 3589)
11:01 AM: default@tribalfusion[2].txt (ID = 3589)
11:01 AM: Found Spy Cookie: atlas dmt cookie
11:01 AM: default@atdmt[2].txt (ID = 2253)
11:01 AM: default@advertising[2].txt (ID = 2175)
11:01 AM: Found Spy Cookie: bluestreak cookie
11:01 AM: default@bluestreak[1].txt (ID = 2314)
11:01 AM: Found Spy Cookie: linksynergy cookie
11:01 AM: default@linksynergy[1].txt (ID = 2926)
11:01 AM: Found Spy Cookie: overture cookie
11:01 AM: default@perf.overture[1].txt (ID = 3106)
11:01 AM: default@chumtv.122.2o7[1].txt (ID = 1958)
11:01 AM: default@as-us.falkag[1].txt (ID = 2650)
11:01 AM: Found Spy Cookie: onestat.com cookie
11:01 AM: default@stat.onestat[2].txt (ID = 3098)
11:01 AM: Cookie Sweep Complete, Elapsed Time: 00:00:04
11:01 AM: Starting File Sweep
11:02 AM: Warning: Failed to open file "c:\windows\win386.swp". The process cannot access the file because it is being used by another process
11:03 AM: color.css (ID = 54527)
11:03 AM: system.sam (ID = 54527)
11:03 AM: Found Adware: sicro dialer
11:03 AM: switchagreement.txt (ID = 76024)
11:03 AM: defcolors.txt (ID = 54527)
11:10 AM: Found Adware: cws-aboutblank
11:10 AM: gmg.dll (ID = 55368)
11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5622-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process
11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5623-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process
11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5624-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process
11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5625-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process
11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5626-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process
11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5627-bbed-11da-8939-0080c6ea8772.tmp".
The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5670-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5671-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5672-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5673-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5674-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5675-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5676-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5677-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5678-bbed-11da-8939-0080c6ea8772.tmp". 
The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac5679-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac567a-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac567b-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac567c-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac567d-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\windows\application data\webroot\spy sweeper\temp\sscsc5ac567e-bbed-11da-8939-0080c6ea8772.tmp". The process cannot access the file because it is being used by another process 11:15 AM: Warning: Failed to open file "c:\
| |