Tech Support Forum > Security Center > HijackThis Log Help > Resolved HJT Threads
05-11-2007, 09:00 AM   #1
Registered User
 
Join Date: May 2007
Posts: 8
OS: Win XP SP2


Bookedspace, rootkits and popups in XP

We're running XP SP2. We had AVG Free on the computer but did something silly and started getting lots of pop-ups. I think someone clicked on a fake pop-up pretending to be a Microsoft virus cleaner and installed a trojan.

We started getting continuous pop-ups and the computer will often shut down while running a full-system scan with a number of different spyware detectors. I was unable to run the PandaSoftware online update. The computer rebooted while trying to do the scan. I've had the same problem with Ad-Aware and other spyware scanners. Sometimes the system will just reboot when trying to do a scan, while I'm connected to the internet.

Running in safe mode allows me to run an Ad-Aware full system scan. The scan showed BOOKEDSPACE objects in the Quarantine after cleaning.


Whenever I'm connected to the internet, a netstat -n in the command line shows tons of random connections to outside IP addresses that I don't recognize.

I've also run AVG Anti Rootkit Free and it found the following:

C:\WINDOWS\system32\windev-17c5-56ad.sys Hidden Driver File
C:\WINDOWS\system32\windev-17c5-56ad.sys Hidden File
C:\WINDOWS\system32\windev-peers.ini Hidden File

I ran Deckard's System Scanner. (extra.txt is attached.) Here is my log file:

Deckard's System Scanner v20070426.43
Run by Ash on 2007-05-11 at 08:51:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2007-05-11 14:51:43 UTC - RP845 - Deckard's System Scanner Restore Point
58: 2007-05-11 09:44:22 UTC - RP844 - System Checkpoint
57: 2007-05-10 09:00:22 UTC - RP843 - Software Distribution Service 2.0
56: 2007-05-10 00:11:14 UTC - RP842 - System Checkpoint
55: 2007-05-08 22:31:40 UTC - RP841 - System Checkpoint


-- First Restore Point --
1: 2007-03-10 08:54:31 UTC - RP787 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Ash.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:52:40 AM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Documents and Settings\Ash\Desktop\dss.exe
C:\spyware\SPYWAR~1\HIJACK~1\Ash.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E72A1F1C-9523-45BA-9479-658A56D20972}: NameServer = 205.171.3.65,205.171.2.65
O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
R2 CINEMSUP (Software Cinemaster NT4.0 Driver) - c:\windows\system32\drivers\cinemsup.sys <Not Verified; Divicore Inc.; Software CineMaster NT 4/Win2K>
R2 DgiVecp (Team MFP Comm Driver) - c:\windows\system32\drivers\dgivecp.sys <Not Verified; DeviceGuys, Inc.; DeviceGuys, Inc. Team MFP for Windows NT, 9x, and 3.1>
R2 mrtRate - c:\windows\system32\drivers\mrtrate.sys <Not Verified; Marimba, Inc.; Rate Sensing Manager>
R2 SetupNT - c:\windows\system32\setupnt.sys

S1 core - c:\windows\system32\drivers\core.sys (file missing)
S2 windbg48 - c:\windows\system32\windbg48.sys (file missing)
S2 windev-17c5-56ad - c:\windows\system32\windev-17c5-56ad.sys (file missing)
S3 NPF (Netgroup Packet Filter) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 winvnc (VNC Server) - "c:\program files\tightvnc\winvnc.exe" -service <Not Verified; Constantin Kaplinsky; TightVNC Win32 Server>

S3 Adobe Version Cue CS2 - "c:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>


-- Files created between 2007-04-11 and 2007-05-11 -----------------------------

2007-05-11 07:23:47 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-05-11 06:33:33 0 d-------- C:\spyware
2007-05-10 06:55:34 0 d--hs---- C:\FOUND.002
2007-05-10 06:45:16 0 d--hs---- C:\FOUND.001
2007-05-09 17:30:04 0 d-------- C:\Documents and Settings\Ash\Application Data\TrojanHunter
2007-05-09 17:02:01 0 d-------- C:\Program Files\TrojanHunter 4.6
2007-05-09 13:21:36 0 d-------- C:\ie-spyad
2007-05-08 21:51:26 1 --a------ C:\WINDOWS\system32\kr_done1
2007-05-08 09:23:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Mozilla
2007-05-08 09:21:52 0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2007-05-08 09:21:44 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-05-08 09:21:34 0 d-------- C:\Documents and Settings\LocalService\Application Data\Identities
2007-05-08 09:21:24 179200 --a------ C:\WINDOWS\system32\flash.exe
2007-05-08 09:20:58 348160 --a------ C:\WINDOWS\cfg32.exe <Not Verified; ; SCA Application>
2007-05-08 09:20:56 0 d-------- C:\Program Files\Ofb11
2007-05-08 09:20:47 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2007-05-08 09:20:34 0 d-------- C:\Temp
2007-05-08 09:20:19 10129 --a------ C:\WINDOWS\system32\win32.exe
2007-05-08 06:16:20 167 --a------ C:\WINDOWS\system32\wincrc32ie.dll
2007-05-02 20:01:08 6144 --a------ C:\WINDOWS\system32\perfc000.dat
2007-05-01 21:02:52 0 dr-h----- C:\Documents and Settings\Ash\Recent
2007-05-01 20:22:19 0 d-------- C:\Program Files\CCleaner
2007-04-28 10:41:47 0 d-------- C:\Program Files\Lavasoft
2007-04-28 10:39:12 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard


-- Find3M Report ---------------------------------------------------------------

2007-05-08 09:24:06 16 --a------ C:\Documents and Settings\Ash\Application Data\.rdr.ini
2007-05-04 18:42:50 208992 --a------ C:\Documents and Settings\Ash\Application Data\GDIPFONTCACHEV1.DAT
2007-04-03 20:36:16 0 d--h----- C:\Documents and Settings\Ash\Application Data\Move Networks
2007-03-23 19:58:08 0 d-------- C:\Program Files\ExtractNow
2007-02-27 17:48:20 36 --a------ C:\WINDOWS\system32\avp.dat


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"GW Port Controller"="C:\\Program Files\\Samsung\\SmarThru\\PORTCTRL.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoundMan"="soundman.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"WinVNC"="\"C:\\Program Files\\TightVNC\\WinVNC.exe\" -servicehelper"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Launchpad"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"Wallpaper"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\WINDOWS\system32\perfc000.dat"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\LaunchU3.exe -a


-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[IE-SpyAd]

14843 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-05-11 at 08:53:56 ---------
Attached file: extra.txt (15.1 KB)
Posted by: aaaaathatsfivea
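The original post reports that `netstat -n` shows many connections to unfamiliar outside addresses. As an added example that is not part of the thread, the following Python script parses the Windows `netstat -n` layout, discards loopback, link-local and RFC 1918 peers, and counts connections per external host together with the remote ports used, so a helper can see at a glance whether one box is talking to many unrelated servers. The sample output is constructed for the example and uses RFC 5737 documentation addresses in place of real endpoints; the SMTP fan-out check is a general defender heuristic (one workstation opening 25/tcp sessions to several mail servers), not an indicator taken from this thread.

```python
"""Triage of `netstat -n` output as printed by Windows XP.

Added example, not code from the thread: groups TCP connections by
external peer so that "tons of random connections" becomes a ranked list.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample in the `netstat -n` layout (Proto, Local Address,
# Foreign Address, State). Peers use RFC 5737 documentation addresses
# standing in for real endpoints; 192.168.1.1 and 127.0.0.1 are local.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1052       192.168.1.1:445        ESTABLISHED
  TCP    192.168.1.5:1100       198.51.100.23:80       ESTABLISHED
  TCP    192.168.1.5:1101       203.0.113.9:6667       ESTABLISHED
  TCP    192.168.1.5:1102       203.0.113.9:6667       SYN_SENT
  TCP    192.168.1.5:1103       203.0.113.77:25        ESTABLISHED
  TCP    192.168.1.5:1104       203.0.113.78:25        SYN_SENT
  TCP    192.168.1.5:1105       203.0.113.79:25        SYN_SENT
  TCP    127.0.0.1:1025         127.0.0.1:5900         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")

# Explicit list instead of ipaddress's is_private: that property also
# covers the documentation ranges used in the sample above.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                     # loopback
    "169.254.0.0/16",                                  # link-local
)]


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state)
    per connection line; headers and UDP rows with no peer are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(4) == "*":
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        rows.append((proto, lip, int(lport), rip, rport, state or ""))
    return rows


def is_external(ip_text):
    """True when the peer is on the Internet side of the home router."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in LOCAL_NETS)


def summarise(text):
    """Connections per external TCP peer, and the remote ports seen per peer."""
    per_host = Counter()
    ports = {}
    for proto, _lip, _lport, rip, rport, _state in parse_netstat(text):
        if proto != "TCP" or not is_external(rip):
            continue
        per_host[rip] += 1
        ports.setdefault(rip, set()).add(int(rport))
    return per_host, ports


def smtp_fanout(text):
    """External hosts contacted on 25/tcp. A workstation opening SMTP
    sessions to several unrelated mail servers is a common spam-bot sign."""
    _, ports = summarise(text)
    return sorted(h for h, p in ports.items() if 25 in p)


if __name__ == "__main__":
    counts, ports = summarise(SAMPLE_NETSTAT)
    for host, n in counts.most_common():
        print(f"{host:16} {n:3} connection(s)  remote ports {sorted(ports[host])}")
    print("hosts contacted on 25/tcp:", smtp_fanout(SAMPLE_NETSTAT))
```

Feed it a real capture by replacing `SAMPLE_NETSTAT` with the saved output of `netstat -n`; the per-host counts and the port sets are what a helper would ask for instead of a raw dump.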
05-13-2007, 03:07 AM   #2
Glaswegian
Moderator / Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic

Join Date: Sep 2005
Location: Glasgow
Posts: 21,771
OS: Win XP Pro SP3

Re: Bookedspace, rootkits and popups in XP

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

I see you also posted here

http://boards.cexx.org/index.php?topic=16133.msg66341

Please make sure you follow only one set of instructions – any fix can be extremely confusing if there are two different helpers working on the one log. You may end up with an unusable system. Whichever one you follow, please advise the other Forum that your problem is being dealt with – this will save our time and yours.


You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your log is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Show Hidden Files
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System files and Folders are showing / visible. Uncheck the Hide protected operating system files option.



Downloads
Please download Cleanup! or use this Alternate Link if the main link does not work and install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!


I see you already have AVG Anti Spyware. Please update AVG to the latest definition files.
  • Double-click the icon on Desktop to launch AVG Anti Spyware.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. DO NOT scan yet.



Please download combofix.exe to your desktop.
Alternate link.

IMPORTANT - You must place combofix on your desktop!!


Double click combofix.exe & follow the prompts.

When finished, the tool will produce a log for you at c:\combofix.txt. Post that log in your next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.




Disable TrojanHunter Guard
Disable TrojanHunter Guard by right clicking on the icon in your System Tray. Make sure that the program, TrojanHunter itself, is also closed/not running. You can re-enable it later.




Services

Go to Start > Run and copy and paste the following line into the box

sc stop core

then click OK

Now repeat the copy and paste for this line

sc delete core

and click OK

Please repeat the above for the following two services, replacing the word in red (core) with the following, one at a time:

windbg48
windev-17c5-56ad





Reboot
Reboot your system in Safe Mode.
  • Restart the computer. The computer begins processing a set of instructions known as BIOS.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8 (dependent on your system this may be F5 or another key)
  • Instead of Windows loading as normal, a menu should appear
  • Use the arrow key to highlight Safe Mode and press Enter.



Uninstall Programmes
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if present):

J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
Java 2 Runtime Environment, SE v1.4.2_06 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142060}


They are outdated versions of Java and no longer required.




HijackThis Entries
Open Hijack This and click on Scan. Check the following entries (if they still exist) (make sure you do not miss any)

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat

Please remember to close all other windows, including browsers then click Fix checked.




File Deletions
Delete the following Files indicated in RED if they still exist.

C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\flash.exe
C:\WINDOWS\system32\win32.exe
C:\WINDOWS\system32\wincrc32ie.dll
C:\WINDOWS\system32\perfc000.dat




Run CleanUp!
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does NOT make backups. If you have any files in any TEMP directory and you need to keep them, then please MOVE THEM NOW!

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!
Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” tab and uncheck the box for “Scan drives for file matching” if it’s checked.

Click OK, Press the CleanUp! button to start the program and DO NOT REBOOT when prompted.
Note: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these BEFORE running CleanUp! If you have a 64 bit Operating System do NOT run Cleanup and let me know as we will use another utility.




Run AVG Anti Spyware
Run AVG with its updated definitions (it's important that all windows are closed)
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
  • When the scan is complete click Recommended Action and change it to Quarantine
  • Then click Apply all actions
Once finished, click the Save report button, then click Save Report As and save it to your desktop.

NOTE: AVG scan may require an hour.



Reboot
Reboot your system in Normal Mode.



Online Scan
Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan





Logs required
c:\combofix.txt
AVG Log
Panda Log
HijackThis Log


Please also let me know how your system is performing now and if you have any specific problems.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs
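The log in the first post and the cleanup steps above (the `sc stop` / `sc delete` of `core`, `windbg48` and `windev-17c5-56ad`, the `O20 - AppInit_DLLs` fix, and the deletion of the files created under `C:\WINDOWS` on 2007-05-08) follow from three observations a log reader makes. As an added example, not code from the forum or from HijackThis or Deckard's System Scanner, the Python below makes those checks mechanical over a sample assembled from lines of the posted log. It reports driver or service entries tagged `(file missing)` that nothing else in the log corroborates (HijackThis 1.99.1 prints that tag for a quoted service path that carries arguments too, which is why the running TightVNC service must not be confused with the three phantom drivers), the `AppInit_DLLs` value and whether it even names a `.dll`, and executables created in the scan window under the Windows directory for which DSS found no publisher. The section layout it parses is that of the posted log; the corroboration rule (binary present in the running-process list or annotated by DSS with `<...>` version info) is this example's own heuristic, not a rule from either tool.

```python
"""Triage of a HijackThis / Deckard's System Scanner (DSS) log: added example,
not code from the forum or from either tool."""
import re
from pathlib import PureWindowsPath

# Sample assembled from lines of the log posted in this thread (same layout).
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\TightVNC\WinVNC.exe

O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 VIAPFD - c:\windows\system32\drivers\viapfd.sys <Not Verified; VIA Technologies. Inc.; VIA PFD driver>
S1 core - c:\windows\system32\drivers\core.sys (file missing)
S2 windbg48 - c:\windows\system32\windbg48.sys (file missing)
S2 windev-17c5-56ad - c:\windows\system32\windev-17c5-56ad.sys (file missing)

-- Files created between 2007-04-11 and 2007-05-11 -----------------------------

2007-05-08 09:21:24 179200 --a------ C:\WINDOWS\system32\flash.exe
2007-05-08 09:20:58 348160 --a------ C:\WINDOWS\cfg32.exe <Not Verified; ; SCA Application>
2007-05-08 09:20:47 8464 --a------ C:\WINDOWS\system32\sporder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2007-05-08 09:20:19 10129 --a------ C:\WINDOWS\system32\win32.exe
"""

FILE_MISSING = "(file missing)"
EXEC_EXT = {".exe", ".sys", ".dll"}
DRIVER_RE = re.compile(r"^([RS])([0-4])\s+(.+?)(?:\s+\([^)]*\))?\s+-\s+")   # DSS driver/service row
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - ")                    # HijackThis service row
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+?)(?: <Not Verified; ([^;]*); ([^>]*)>)?$")
WINPATH_RE = re.compile(r'([A-Za-z]:\\[^"<>]+?\.(?:exe|sys|dll))', re.I)


def present_basenames(log):
    """Binaries the log itself shows to exist: the running-process list plus
    any path DSS annotated with <...> version info (it could read the file)."""
    lines, names = log.splitlines(), set()
    for i, line in enumerate(lines):
        if line.strip().lower() == "running processes:":
            for proc in lines[i + 1:]:
                if not proc.strip():
                    break
                names.add(PureWindowsPath(proc.strip()).name.lower())
        elif "<" in line and FILE_MISSING not in line:
            m = WINPATH_RE.search(line)
            if m:
                names.add(PureWindowsPath(m.group(1)).name.lower())
    return names


def phantom_entries(log):
    """'(file missing)' drivers/services with no corroborating binary: leftovers
    of a removed kit, the candidates for `sc stop` / `sc delete`. HijackThis
    prints the same tag for quoted paths with arguments, so anything the log
    shows running or readable elsewhere is dropped (the TightVNC service here)."""
    present, found = present_basenames(log), []
    for line in log.splitlines():
        line = line.strip()
        if FILE_MISSING not in line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            kind, name = "driver", m.group(3)
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            kind, name = "service", m.group(1)
        p = WINPATH_RE.search(line[m.end():])
        path = p.group(1) if p else ""
        if PureWindowsPath(path).name.lower() not in present:
            found.append((kind, name, path))
    return found


def appinit_findings(log):
    """AppInit_DLLs entries are mapped into every process that loads user32.dll;
    a value that is not even named .dll is a strong hint it does not belong."""
    out = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        for entry in (re.split(r"[,\s]+", m.group(1).strip()) if m else []):
            ext = PureWindowsPath(entry).suffix.lower()
            note = "" if ext == ".dll" else f"; extension {ext or '(none)'} is not .dll"
            out.append((entry, "loaded into every user32.dll process" + note))
    return out


def unverified_new_executables(log, root=r"C:\WINDOWS"):
    """Executables created in the scan window under `root` for which DSS found
    no publisher at all (no <...> tag, or an empty publisher field)."""
    out = []
    for line in log.splitlines():
        m = CREATED_RE.match(line.strip())
        if not m or m.group(3).startswith("d"):      # no match, or a directory row
            continue
        when, size, _attrs, path, publisher, _descr = m.groups()
        if (PureWindowsPath(path).suffix.lower() in EXEC_EXT and
                path.lower().startswith(root.lower() + "\\") and not (publisher or "").strip()):
            out.append((path, int(size), when))
    return out
```

Run on the sample, `phantom_entries` returns exactly the three drivers the helper had removed with `sc delete`, `appinit_findings` flags `perfc000.dat` (a `.dat` in `AppInit_DLLs`), and `unverified_new_executables` lists `flash.exe`, `cfg32.exe` and `win32.exe` while leaving `sporder.dll` alone because DSS attributed it to a publisher. A full log pasted in place of `SAMPLE_LOG` gives the same three lists for a real case.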
05-13-2007, 11:59 AM   #3
Registered User
 
Join Date: May 2007
Posts: 8
OS: Win XP SP2


Re: Bookedspace, rootkits and popups in XP

THANK YOU!

I ran through everything, with a few glitches. I had to restart the process a few times. Pop-ups are not appearing, at least not yet. But I see that the PandaSoftware scan discovered a couple of things.

So here is what I did:

Show Hidden files - done
Cleanup download - done - on desktop
AVG updated - done with problems - I tried several times but got "Sorry, the server is not ready to serve, please try again later." But I have the definitions from yesterday.
combofix on desktop - done - on desktop
TrojanHunter Guard - disabled
services stop and delete - done (success on windev-17c5-56ad and windbg48 - core not installed as a service)
reboot in safe mode - done
remove programs - did not work - "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance."
HijackThis - error trying to uninstall perfc000.dat - tried restarting from beginning of instructions but still didn't work.
File Deletions - Done
kr_done1 - deleted
flash.exe - deleted
win32.exe did not exist
wincrc32ie.dll - deleted
perfc000.dat (there was also a perfc009.dat that I did not touch)
Run CleanUp! - Done - Rebooted by accident so started again from beginning of instructions just in case

Forgot to RUN combofix the first time (only put it on desktop expecting to use it later) - restarted all instructions at this point.

Tried to update AVG again - did work again.
Ran Combofix - computer rebooted automatically and placed combofix.txt on C:\
Disabled TrojanHunter Guard - done
Services Stop and Delete - none of the services were installed
removed programs - this time before rebooting in safe mode
reboot in safe mode - done
HijackThis - This time O20 - AppInit_DLLs: C:\WINDOWS\system32\perfc000.dat was not in list.
File Deletions - none of the files existed. (perfc009.dat was still there - didn't touch it)
Run CleanUp! - done
AVG Anti Spyware - Scan Completed - nothing found


Here are the logs:

PandaSoftware Scan



Incident Status Location

Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/statblaster Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NIRCMD.EXE
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Ash\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]


ComboScan log:

"Ash" - 2007-05-13 7:49:55 Service Pack 2
ComboFix 07-05.13.V - Running from: "C:\Documents and Settings\Ash\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\config\system~1\applic~1\install.dat
C:\WINDOWS\ws386.ini
C:\WINDOWS\system32\windev-peers.ini
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\perfc000.dat


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_ASPI113210
-------\LEGACY_CORE
-------\LEGACY_NPF
-------\LEGACY_WINCOM32
-------\NPF


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-13 ))))))))))))))))))))))))))))))))))


2007-05-13 07:29 16,384 --a------ C:\WINDOWS\431x.exe
2007-05-11 08:45 <DIR> d-------- C:\Deckard
2007-05-11 07:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-11 06:33 <DIR> d-------- C:\spyware
2007-05-10 06:55 <DIR> d--hs---- C:\FOUND.002
2007-05-10 06:45 <DIR> d--hs---- C:\FOUND.001
2007-05-09 17:30 <DIR> d-------- C:\DOCUME~1\Ash\APPLIC~1\TrojanHunter
2007-05-09 17:02 <DIR> d-------- C:\Program Files\TrojanHunter 4.6
2007-05-09 13:21 <DIR> d-------- C:\ie-spyad
2007-05-09 06:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-09 06:25 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-05-08 09:20 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-08 09:20 <DIR> d-------- C:\Temp
2007-05-08 09:20 <DIR> d-------- C:\Program Files\Ofb11
2007-05-01 20:22 <DIR> d-------- C:\Program Files\CCleaner
2007-04-28 10:41 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-28 10:39 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-05 00:42:50 208,992 ----a-w C:\DOCUME~1\Ash\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-04-04 02:36:16 -------- d--h--w C:\DOCUME~1\Ash\APPLIC~1\Move Networks
2007-03-24 01:58:08 -------- d-----w C:\Program Files\ExtractNow
2007-03-17 13:43:02 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-27 23:48:20 36 ----a-w C:\WINDOWS\system32\avp.dat
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 02:13]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"GW Port Controller"="C:\\Program Files\\Samsung\\SmarThru\\PORTCTRL.EXE"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SoundMan"="soundman.exe"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"WinVNC"="\"C:\\Program Files\\TightVNC\\WinVNC.exe\" -servicehelper"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"Adobe Version Cue CS2"="\"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\ControlPanel\\VersionCueCS2Tray.exe\""
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\Distillr\\Acrotray.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2003-01-30 13:12]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-23 13:15]
"SoundMan"="soundman.exe" [])
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-09-14 13:38]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-18 11:58]
"WinVNC"="C:\Program Files\TightVNC\WinVNC.exe" [2003-08-01 18:28]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 19:58]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 06:20]
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2007-04-22 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="" [])

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ATI Launchpad"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 08:13]


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0




[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
WudfServiceGroup WUDFSvc\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command D:\LaunchU3.exe -a

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc09f320-c86d-11db-a1b0-00119523806a}]
Shell\AutoRun\command D:\LaunchU3.exe -a

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-13 07:56:28
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-13 7:57:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-13 07:57


HijackThis log


Logfile of HijackThis v1.99.1
Scan saved at 8:10:16 AM, on 5/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\spyware\Spyware removal\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E72A1F1C-9523-45BA-9479-658A56D20972}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


AVG report

-----------------------------------------------------------------------------------------------------------------

AVG Anti-Spyware - Scan Report

-----------------------------------------------------------------------------------------------------------------

+ Created at: 9:28:35 AM 5/13/2007

+ Scan result:

Nothing found.

:: Report end
aaaaathatsfivea is offline  
Old 05-13-2007, 02:14 PM   #4 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 21,771
OS: Win XP Pro SP3
Re: Bookedspace, rootkits and popups in XP

Hi again

Good work. Since you ran combofix first, it took out many of the things I asked you to look for – that’s the beauty of the tool. Panda is fine – just a couple of parts of combofix and some orphaned Registry entries. Looks really good now.


Delete the following File indicated in RED if it still exists.

C:\WINDOWS\431x.exe

Note: If it resists, you may have to boot to Safe Mode to delete it.



Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Kaspersky Online Scanner


A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


Please post back with the Kaspersky Log and a fresh HijackThis Log. Please also let me know how your system is performing now and if you have any specific problems. In order to provide you with the best possible help, please ensure that HijackThis logs are produced only while in Normal Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian is offline  
Old 05-13-2007, 06:07 PM   #5 (permalink)
Registered User
 
Join Date: May 2007
Posts: 8
OS: Win XP SP2


Re: Bookedspace, rootkits and popups in XP

Thanks Again! The computer seems fine, but it appears that Kaspersky found a lot more stuff. Although some of it is already in Quarantine. I'll let you decide.

Here's what I did:

deleted 431x.exe - deleted without problem
Went to the Kaspersky WebScanner page and clicked online scanner
I changed the appropriate settings and let the scan run.

It took 2 hours or so but it did come back with the following:



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 13, 2007 5:52:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/05/2007
Kaspersky Anti-Virus database records: 318480
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 80347
Number of viruses found: 14
Number of infected objects: 189 / 0
Number of suspicious objects: 8
Duration of the scan process: 0225

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry1.zip/xpupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BraveSentry1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/dlh9jkd1q2.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ash\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ash\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\History\History.IE5\MSHist012007051320070514\index.dat Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ash\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From DeltaItinerary <DeltaItinerary@delta...>][Date Mon, 13 May 2002 12:25:09 -0400]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From DeltaItinerary <DeltaItinerary@delta...>][Date Mon, 13 May 2002 12:25:09 -0400]/bgcolor.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From dan_hannon <dan_hannon@hotmail.com>][Date Mon, 13 May 2002 1431 -0400]/UNNAMED/picacu.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From dan_hannon <dan_hannon@hotmail.com>][Date Mon, 13 May 2002 1431 -0400]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From DeltaItinerary <DeltaItinerary@delta...>][Date Mon, 13 May 2002 12:25:09 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From DeltaItinerary <DeltaItinerary@delta...>][Date Mon, 13 May 2002 12:25:09 -0400]/UNNAMED/bgcolor.scr Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From DeltaItinerary <DeltaItinerary@delta...>][Date Mon, 13 May 2002 12:25:09 -0400]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From dan_hannon <dan_hannon@hotmail.com>][Date Mon, 13 May 2002 1431 -0400]/UNNAMED/picacu.exe Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx/[From dan_hannon <dan_hannon@hotmail.com>][Date Mon, 13 May 2002 1431 -0400]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\Ash\My Documents\Ashleigh\Old Outlook Backup\Outlook Backup\Hotmail - Bulk Mail.dbx Mail MS Outlook 5: infected - 7, suspicious - 2 skipped
C:\Documents and Settings\Ash\My Documents\downloads\tightvnc-1.2.9-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Documents and Settings\Ash\My Documents\downloads\tightvnc-1.2.9-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\Ash\My Documents\downloads\tightvnc-1.2.9-setup.exe Inno: infected - 2 skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/tightvnc-1.3dev5-setup.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.d skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/tightvnc-1.3dev5-setup.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.d skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/tightvnc-1.3dev5-setup.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.d skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/tightvnc-1.3dev5-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.d skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/vnc-3.3.7-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/vnc-3.3.7-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/vnc-3.3.7-x86_win32.exe/data0004 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/downloads/vnc-3.3.7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/Jeff/utils/VNCviewer.zip/vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip/Documents and Settings/Jeff/My Documents/Jeff/utils/VNCviewer.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Documents and Settings\Ash\My Documents\Jeff\backup\backup 11_10_04.zip ZIP: infected - 10 skipped
C:\Documents and Settings\Ash\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ash\Application Data\Thunderbird\Profiles\g2orsv56.default\Mail\mail.carrotseedcards.com\Trash/[From "support@carrotseedcards.com" <support@carrotseedcards.com>][Date Wed, 09 Nov 2005 06:20:06 +0500]/UNNAMED/[From webmaster@carrotseedcards.com][Date Sun, 13 Nov 2005 18:26:33 -0500]/UNNAMED/[From Kidpowercs@aol.com][Date Fri, 11 Nov 2005 18:11:17 EST]/UNNAMED/[From The Editor <editor@WWW-GOTO.COM>][Date Fri, 18 Nov 2005 01:37:52 +0100]/text/ ... /[From from quoted-printable to 8bit by mail14c0.megamailservers.com id k7AJocrB030198][Date Thu, 10 Aug 2006 15:50:33 -0400 ... /data.hta Infected: Worm.Win32.Feebs.gen skipped
C:\Documents and Settings\Ash\Application Data\Thunderbird\Profiles\g2orsv56.default\Mail\mail.carrotseedcards.com\Trash/[From "support@carrotseedcards.com" <support@carrotseedcards.com>][Date Wed, 09 Nov 2005 06:20:06 +0500]/UNNAMED/[From webmaster@carrotseedcards.com][Date Sun, 13 Nov 2005 18:26:33 -0500]/UNNAMED/[From Kidpowercs@aol.com][Date Fri, 11 Nov 2005 18:11:17 EST]/UNNAMED/[From The Editor <editor@WWW-GOTO.COM>][Date Fri, 18 Nov 2005 01:37:52 +0100]/text/ ... /[From from quoted-printable to 8bit by mail14c0.megamailservers.com id k7AJocrB030198][Date Thu, 10 Aug 2006 15:50:33 -0400 (EDT)]/UNNAMED Infected: Worm.Win32.Feebs.gen skipped
C:\Documents and Settings\Ash\Application Data\Thunderbird\Profiles\g2orsv56.default\Mail\mail.carrotseedcards.com\Trash/[From "support@carrotseedcards.com" <support@carrotseedcards.com>][Date Wed, 09 Nov 2005 06:20:06 +0500]/UNNAMED/[From webmaster@carrotseedcards.com][Date Sun, 13 Nov 2005 18:26:33 -0500]/UNNAMED/[From Kidpowercs@aol.com][Date Fri, 11 Nov 2005 18:11:17 EST]/UNNAMED/[From The Editor <editor@WWW-GOTO.COM>][Date Fri, 18 Nov 2005 01:37:52 +0100]/text/[From "Nat ... /[From from quoted-printa ... /[From Steph Haaland <steph_haaland@yahoo.com>][Date Thu, 22 Jun 2006 17:30:46 -0700 (PDT)]/UNNAMED Infected: Worm.Win32.Feebs.gen skipped
C:\Documents and Settings\Ash\Application Data\Thunderbird\Profiles\g2orsv56.default\Mail\mail.carrotseedcards.com\Trash/[From "support@carrotseedcards.com" <support@carrotseedcards.com>][Date Wed, 09 Nov 2005 06:20:06 +0500]/UNNAMED/[From webmaster@carrotseedcards.com][Date Sun, 13 Nov 2005 18:26:33 -0500]/UNNAMED/[From Kidpowercs@aol.com][Date Fri, 11 Nov 2005 18:11:17 EST]/UNNAMED/[From The Editor <editor@WWW-GOTO.COM>][Date Fri, 18 Nov 2005 01:37:52 +0100]/text/[From "Nat ... /[From from quoted-printable t ... /[From Sarah Altonen <saaltonen@peoplepc.com>][Date Wed, 5 Jul 2006 16:57:30 -0400 (EDT)]/html Infected: Worm.Win32.Feebs.gen skipped
C:\Documents and Settings\Ash\Application Data\Thunderbird\Profiles\g2orsv56.default\Mail\mail.carrotseedcards.com\Trash/[From "support@carrotseedcards.com" <support@carrotseedcards.com>][Date Wed, 09 Nov 2005 06:20:06 +0500]/UNNAMED/[From webmaster@carrotseedcards.com][Date Sun, 13 Nov 2005 18:26:33 -0500]/UNNAMED/[From Kidpowercs@aol.com][Date Fri, 11 Nov 2005 18:11:17 EST]/UNNAMED/[From The Editor <editor@WWW-GOTO.COM>][Date Fri, 18 Nov 2005 01:37:52 +0100]/text/[From "Nat ... /[From from quoted-printable to . . ... /[From "Lisa /(PTI/)" <lisa@pti-services.com>][Date Thu, 20 Jul 2006 22:39:19 -0600]/text Infected: Worm.Win32.Feebs.gen skipped