R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 10:26 AM 14336]
R2 BDVEDISK;BDVEDISK;c:\program files\BitDefender\BitDefender 2009\BDVEDISK.sys [10/6/2008 6:16 PM 82696]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2/12/2009 4:52 PM 104328]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [10/5/2008 8:15 PM 33752]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [3/19/2008 11:11 PM 13352]
S3 Ndisprot;ArcNet NDIS Protocol Driver;c:\windows\system32\drivers\ndisprot.sys [12/1/2008 7:08 PM 27904]
S3 ntportio;ntportio; [x]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
Akamai REG_MULTI_SZ Akamai
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90ab394e-99cd-11dd-aefa-001bb9bc6506}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc15549d-c432-11dc-bf87-001bb9bc6506}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com g:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc15549e-c432-11dc-bf87-001bb9bc6506}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL resycled\boot.com h:
.
Contents of the 'Scheduled Tasks' folder
2009-05-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1659004503-2146901713-839522115-1003.job
- c:\documents and settings\ace\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-25 11:12]
2009-05-13 c:\windows\Tasks\User_Feed_Synchronization-{8FF5E086-A276-4C2E-8EE8-A375FE0F689A}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:35]
.
- - - - ORPHANS REMOVED - - - -
BHO-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
BHO-{C1B58917-66F7-42A6-B068-1A166E45FB37} - (no file)
WebBrowser-{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC} - (no file)
WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.in/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.searchgateway.net/search-Google-Gateway.php?sa=Search+Here&client=pub-4642981363251965&forid=1&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3A336699%3BALC%3A0000FF%3BLC%3A0000FF%3BT%3A000000%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BFORID%3A11&q=%s
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {BDF43518-8EE6-418C-9110-714B8BF8B4EA} = 202.56.215.54,202.56.215.55
DPF: {B9F79165-A264-4C4A-A211-133A5E8D647F} - hxxp://app.airtel.in/ehealthcheck/fscax.cab
FF - ProfilePath - c:\documents and settings\ace\Application Data\Mozilla\Firefox\Profiles\ua3ndsa6.default\
FF - prefs.js: keyword.URL - hxxp://in.search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\ace\Application Data\Mozilla\Firefox\Profiles\ua3ndsa6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - component: c:\program files\Mozilla Firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\ace\Application Data\Mozilla\Firefox\Profiles\ua3ndsa6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\ace\Application Data\Mozilla\Firefox\Profiles\ua3ndsa6.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\ace\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\ace\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npExentCtl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\VLC\npvlc.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-13 19:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1659004503-2146901713-839522115-1003\Software\YourCompanyName\YourProductName\Version*]
"VersionData"=hex:0c,42,46,f6,23,bc,3e,2d,7a,2e,97,ca,8b,29,77,15,00,f2,c3,72,
58,b5,be,94,1f,90,16,e0,3a,99,33,1e,44,b0,15,57,a9,8e,58,50,89,88,82,88,9d,\
.
Completion time: 2009-05-13 19:14
ComboFix-quarantined-files.txt 2009-05-13 13:44
Pre-Run: 10,819,313,664 bytes free
Post-Run: 12,204,498,944 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
466 --- E O F --- 2009-05-12 15:12