Trojan Horse Downloader .agent.apko [c:\windows\system32\x]

zakimak
edited December 2008 in Malware talk

Trojan horse Downloader.Agent.APKO [C:\windows\system32\x] ... Can someone tell me how I can safely get rid of this pest?! I am currently using [removed] and am unable to get rid of it. Although [removed] tells me that this is a virus, the moment I heal it or remove it, it's gone, but after a moment or so the virus is back. After using [removed], SpyBot and Anti-Malware I am still unable to remove it. So I am planning to install BitDefender... but will it remove the virus?

Comments

  • gavilaso
    edited December 2008
    I have the same problem, and mine said it is a Crypt.AWU trojan. I'm using [removed] 8 network edition; I'm paying for 40 licenses, so if BitDefender fixes this problem I will also move to them and request a full refund from [removed]...

  • kgarcia
    edited December 2008
    I also have the same problem! I have run many programs like [removed], Malware, etc. and it seems impossible to remove this beast! Please, I need some help as well! Thanks

  • rootkit
    edited December 2008

    Download: http://subs.geekstogo.com/ComboFix.exe and save it on your Desktop.

    Open Notepad and copy/paste the text in the quotebox below into it:

        File::
        c:\windows\system32\winhelp.exe
        c:\windows\system32\winssv.exe
        c:\windows\system32\LiveMssngr.exe
        c:\windows\system32\sysmsvc.exe
        c:\windows\system32\quicktime.exe
        c:\windows\system32\ntlansec.exe
        c:\windows\system32\open.exe
        c:\windows\system32\wt.exe
        c:\windows\system32\x.exe
        c:\windows\system32\y.exe
        c:\windows\system32\i
        c:\windows\system\netstat.exe
        c:\windows\Tasks\At1.job
        C:\WINDOWS\system32\drivers\etc\hosts
        c:\windows\IE4 Error Log.txt
        c:\windows\system32\_000006_.tmp.dll
        c:\windows\system32\_000007_.tmp.dll
        c:\windows\system32\_000008_.tmp.dll
        c:\windows\system32\_000013_.tmp.dll
        c:\windows\system32\_000014_.tmp.dll
        c:\windows\system32\Cache
        c:\windows\system32\csrsc.exe
        c:\windows\system32\drivers\etc\hosts
        c:\windows\system32\drivers\npf.sys
        c:\windows\system32\h@tkeysh@@k.dll
        c:\windows\system32\i
        c:\windows\system32\mlnmp.ini
        c:\windows\system32\packet.dll
        c:\windows\system32\wpcap.dll

    Save this as: CFScript.txt

    Drag CFScript.txt into ComboFix.exe

    Then post the resultant log here.
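A defender-side companion to the procedure above, added here as an example (it is not the thread's or ComboFix's own code): it parses the File:: section of CFScript.txt and records attributes, timestamps and SHA-256 of every listed path before ComboFix deletes them, so the evidence is preserved and a second run after cleanup shows whether anything was re-created, which would point at a persistence mechanism that is still active (the listed At1.job is a scheduled task). The function names and the CSV output path are my own choices; it assumes Windows PowerShell 4.0 or later and an elevated prompt.

```powershell
# Added example (not the thread's or ComboFix's own code): triage the paths in a
# CFScript.txt File:: section before they are deleted, and again afterwards.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash) and an elevated prompt.

function Get-CfScriptFiles {
    # Returns the unique entries listed under the File:: header of a CFScript.
    param([Parameter(Mandatory)][string]$ScriptPath)
    $paths  = @()
    $inFile = $false
    foreach ($line in Get-Content -LiteralPath $ScriptPath) {
        $t = $line.Trim()
        if ($t -eq '') { continue }
        if ($t -match '^[A-Za-z]+::$') {       # section header such as File:: or Folder::
            $inFile = ($t -ieq 'File::')
            continue
        }
        if ($inFile) { $paths += $t }
    }
    return @($paths | Select-Object -Unique)
}

function Get-CfScriptTriage {
    # Records presence, attributes, timestamps and SHA-256 for every listed path.
    param(
        [Parameter(Mandatory)][string]$ScriptPath,
        [string]$OutCsv = (Join-Path $env:USERPROFILE 'Desktop\cfscript-triage.csv')  # my choice of output
    )
    $rows = foreach ($p in Get-CfScriptFiles -ScriptPath $ScriptPath) {
        # -Force is required to see files the dropper marked hidden or system.
        $item = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            [pscustomobject]@{ Path = $p; Present = $false; Attributes = ''; Size = $null
                               LastWriteUtc = $null; CreatedUtc = $null; SHA256 = '' }
            continue
        }
        $size = $null; $hash = ''
        if (-not $item.PSIsContainer) {
            $size = $item.Length
            $h = Get-FileHash -LiteralPath $p -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($h) { $hash = $h.Hash }
        }
        [pscustomobject]@{
            Path = $p; Present = $true; Attributes = $item.Attributes.ToString(); Size = $size
            LastWriteUtc = $item.LastWriteTimeUtc; CreatedUtc = $item.CreationTimeUtc; SHA256 = $hash
        }
    }
    $rows | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
    return $rows
}

# Run once before ComboFix and once afterwards; any path that is Present again in the
# second run was re-created, which means a persistence mechanism is still active.
# Get-CfScriptTriage -ScriptPath "$env:USERPROFILE\Desktop\CFScript.txt" | Format-Table -AutoSize
```

Keep the first CSV with the case notes; comparing it against the post-cleanup run is what tells you whether the dropper is really gone.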

  • recovered
    edited January 2009

    Hi crysty, I also have the same problem, and have done as you requested; here are my results.

    ComboFix 09-01-10.03 - G 2009-01-11 17:35:31.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1046 [GMT -8:00]
    Running from: c:\documents and settings\G\Desktop\ComboFix\ComboFix.exe
    Command switches used :: c:\documents and settings\G\Desktop\ComboFix\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
