
avicapq.dll and skssonbc.sys virus files


5 replies to this topic

#1 kirschner5 (Members, 4 posts)

Posted 02 January 2009 - 06:37 PM

This is a friend's computer that is having the issue. I'm trying to help them out. I don't know much of the history of the computer, but I know they used to have problems with popups in the past, and have not had any anti-virus for quite some time. I installed AVG Free, downloaded a ton of updates from Microsoft, and was just doing a general cleanup. AVG showed the problem first; its Resident Shield shows a warning every time a new IE window gets opened. The warning is... "C:\windows\system32\avicapq.dll.....Virus found Win32/Heur....Detected on open". AVG is unable to remove the threat though. So I installed the 30 day version of UnHackMe and ran the rootkit detector. It found the same problem, along with another file... "C:\windows\system32\drivers\skssonbc.sys". UnHackMe is also unsuccessful at removing the files; when I restart the computer for the clean to take effect, there is a VERY brief error screen that pops up during startup, and I can see that the avicapq.dll file is mentioned in the error, but the error screen is very brief and I cannot read the whole thing. After the restart, the UnHackMe rootkit detector finds the same problems, and nothing gets fixed. I don't know what the actual virus is, or if I'm just at the tip of the iceberg. Any and all help is awesome! Thanks in advance!




DDS (Version 1.1.0) - NTFSx86
Run by Owner at 17:15:22.48 on Fri 01/02/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1554 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner.YOUR-42BA0533C6\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.sterlingautobrokers.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5268E
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {59553DF7-9DE6-4584-866E-C65DE16F8110} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
BHO: {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - No File
BHO: : {8e092056-aed5-4ffc-a568-cac2b5ed4981} - c:\windows\system32\avicapq.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {12DA1BC4-5384-42fd-A119-3C99D2D146A2} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Power2GoExpress] NA
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MSI Configuration] msiconf.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [qe0ikrm] c:\windows\system32\qe0ikrm.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NMSSupport] "c:\program files\common files\intel\inteldh\nms\support\IntelHCTAgent.exe" /startup
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxdev.dll
Notify: vvfpwmky - avicapq.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 skssonbc;skssonbc;c:\windows\system32\drivers\skssonbc.sys [2006-6-17 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-31 26824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-31 231704]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-31 34760]
S2 dequerso;Audio Stub Controller;c:\windows\system32\svchost.exe -k netsvcs [2006-6-17 14336]

=============== Created Last 30 ================

2009-01-02 16:51 <DIR> --d----- c:\program files\Trend Micro
2008-12-31 15:29 268,648 a------- c:\windows\system32\mucltui.dll
2008-12-31 15:29 27,496 a------- c:\windows\system32\mucltui.dll.mui
2008-12-31 13:12 <DIR> --dshr-- C:\desktop.ini
2008-12-31 13:12 <DIR> --dshr-- C:\comment.htt
2008-12-31 13:12 <DIR> --dshr-- C:\autorun.inf
2008-12-31 12:50 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2008-12-31 12:50 32,480 a------- c:\windows\system32\Partizan.exe
2008-12-31 12:50 2 a--shrot c:\windows\winstart.bat
2008-12-31 12:50 12,752 a------- c:\windows\system32\drivers\UnHackMeDrv.sys
2008-12-31 12:50 <DIR> --d----- c:\program files\UnHackMe
2008-12-31 12:27 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-31 12:26 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-31 12:26 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-31 12:26 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-31 12:26 <DIR> --d----- c:\program files\AVG
2008-12-31 12:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-31 11:56 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-12-31 11:56 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-31 11:56 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2008-12-31 11:56 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2008-12-31 11:56 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2008-12-31 11:56 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2008-12-31 11:56 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2008-12-31 11:56 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-31 11:56 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2008-12-31 11:38 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-31 11:08 <DIR> --d----- c:\windows\system32\scripting
2008-12-31 11:08 <DIR> --d----- c:\windows\system32\en
2008-12-31 11:08 <DIR> --d----- c:\windows\system32\bits
2008-12-31 11:08 <DIR> --d----- c:\windows\l2schemas
2008-12-31 11:06 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-18 12:58 3,067,904 -------- c:\windows\system32\SET14C4.tmp

==================== Find3M ====================

2008-12-31 11:10 86,811 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:07 208,744 a------- c:\windows\system32\muweb.dll

============= FINISH: 17:15:58.79 ===============
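The DDS log above is what a helper reads before writing a fix script, and the interesting part is not any single line but the correlation between lines: avicapq.dll is registered both as a Browser Helper Object (with an empty display name) and as a Winlogon Notify package, and the driver skssonbc.sys carries no description and shares its on-disk date with the svchost-hosted "dequerso" service. A Notify DLL is loaded into winlogon.exe at boot, which is why an on-demand scanner finds the file in use and cannot delete it. The script below is an added triage example written for this thread, not code from the original post or from DDS/ComboFix; it parses the Pseudo HJT and SERVICES / DRIVERS line formats and applies three heuristics of the editor's own (one file referenced from several load points, a BHO with no name, a service whose description is just its name), then flags any other service sharing a file date with a flagged driver. The sample lines are copied from the log in the thread.

```python
"""Correlate load points in a DDS 'Pseudo HJT Report' / 'SERVICES / DRIVERS'
section so that a file registered in several places stands out.
Added triage example; the rules are the editor's heuristics, not a DDS feature."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {59553DF7-9DE6-4584-866E-C65DE16F8110} - No File
BHO: : {8e092056-aed5-4ffc-a568-cac2b5ed4981} - c:\windows\system32\avicapq.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [qe0ikrm] c:\windows\system32\qe0ikrm.exe
Notify: igfxcui - igfxdev.dll
Notify: vvfpwmky - avicapq.dll
AppInit_DLLs: avgrsstx.dll
R0 skssonbc;skssonbc;c:\windows\system32\drivers\skssonbc.sys [2006-6-17 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-31 231704]
S2 dequerso;Audio Stub Controller;c:\windows\system32\svchost.exe -k netsvcs [2006-6-17 14336]
"""

# One regex per DDS line type we care about; each yields a 'path' group.
LINE_PATTERNS = {
    "bho":     re.compile(r"^BHO: (?:(?P<name>[^{]*): )?\{(?P<clsid>[^}]+)\} - (?P<path>.*)$"),
    "run":     re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$"),
    "notify":  re.compile(r"^Notify: (?P<name>\S+) - (?P<path>.*)$"),
    "appinit": re.compile(r"^AppInit_DLLs: (?P<path>.*)$"),
    "service": re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);"
                          r"(?P<path>.*?)(?: \[(?P<date>[\d-]+) \d+\])?$"),
}
FILE_RE = re.compile(r'[^\\\s"]+\.(?:dll|exe|sys)')


def file_key(path):
    """Lower-cased file name of the image a load point references, or None ('No File')."""
    m = FILE_RE.search(path.lower())
    return m.group(0) if m else None


def parse_dds(text):
    """Return one dict per recognised line: kind, name/desc/date where present, path, file."""
    entries = []
    for line in text.splitlines():
        for kind, pat in LINE_PATTERNS.items():
            m = pat.match(line)
            if m:
                entry = m.groupdict()
                entry["kind"] = kind
                entry["file"] = file_key(entry["path"])
                entries.append(entry)
                break
    return entries


def label(entry):
    """Services are reported by service name; everything else by the file they load."""
    return entry["name"] if entry["kind"] == "service" else entry["file"]


def triage(entries):
    """Return {label: [reasons]} for entries a reviewer should look at first."""
    by_file = defaultdict(set)
    for e in entries:
        if e["file"]:
            by_file[e["file"]].add(e["kind"])
    flags = defaultdict(list)
    # Rule 1: the same image wired into more than one kind of load point.
    for f, kinds in sorted(by_file.items()):
        if len(kinds) > 1:
            flags[f].append("referenced from several load points: " + ", ".join(sorted(kinds)))
    for e in entries:
        # Rule 2: a BHO that registers no display name at all.
        if e["kind"] == "bho" and e.get("name") == "":
            flags[label(e)].append("BHO registered without a display name")
        # Rule 3: a service/driver whose description is nothing but its own name.
        if e["kind"] == "service" and e["desc"] == e["name"]:
            flags[label(e)].append("service description is just its own name")
    # Follow-up: other services sharing a file date with something already flagged.
    dated = [e for e in entries if e["kind"] == "service" and e.get("date")]
    suspect_dates = {e["date"]: e["name"] for e in dated if e["name"] in flags}
    for e in dated:
        if e["name"] not in flags and e["date"] in suspect_dates:
            flags[e["name"]].append(
                f"same on-disk date {e['date']} as flagged entry {suspect_dates[e['date']]}")
    return dict(flags)


def report(text):
    """Human-readable lines, one per flagged item."""
    return [f"{name}: {'; '.join(reasons)}" for name, reasons in triage(parse_dds(text)).items()]


if __name__ == "__main__":
    for line in report(SAMPLE_DDS):
        print(line)
```

Run against the sample, the report names exactly the three items the helper later targets or ComboFix removes (avicapq.dll, skssonbc, dequerso) and nothing from AVG, Intel or Adobe. The rules are deliberately crude and produce candidates rather than verdicts; a full log from this machine would also flag UnHackMe's own Partizan driver (name equals description), which is why a helper still confirms each hit against the install dates in the "Created Last 30" section.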


#2 Thunder (Members, 3,294 posts, Belgium)

Posted 11 January 2009 - 07:00 AM

Hello Kirschner5 and welcome to Bleeping Computer,

Sorry for the delay, but the forum really has been swamped lately.

Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 kirschner5 (Topic Starter, Members, 4 posts)

Posted 11 January 2009 - 03:47 PM

Thanks. I will be performing the recommended tasks tomorrow, and I'll be sure to let you know if any further assistance is needed.

#4 Thunder (Members, 3,294 posts, Belgium)

Posted 11 January 2009 - 05:51 PM

No problem, Kirschner5 :thumbsup:

But please post the requested logs, so I can check for leftovers.

Greetings,
Thunder

#5 kirschner5 (Topic Starter, Members, 4 posts)

Posted 22 January 2009 - 07:38 PM

Sorry it took me so long. I had a hard time getting back out here to my friend's house to finish up. Here is the ComboFix log as requested. Please let me know if everything looks good! I really appreciate the help, and so does the family that owns the computer! :thumbsup:


ComboFix 09-01-21.04 - Owner 2009-01-22 18:23:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1529 [GMT -6:00]
Running from: c:\documents and settings\Owner.YOUR-42BA0533C6\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cody & Caleb\Application Data\DriveCleaner Free
c:\documents and settings\Cody & Caleb\Application Data\DriveCleaner Free\Logs\update.log
c:\documents and settings\Cody & Caleb\err.log
c:\documents and settings\Cody & Caleb\ResErrors.log
c:\documents and settings\Owner.YOUR-42BA0533C6\Application Data\DriveCleaner Free
c:\documents and settings\Owner.YOUR-42BA0533C6\Application Data\DriveCleaner Free\Logs\update.log
c:\documents and settings\Owner.YOUR-42BA0533C6\err.log
c:\documents and settings\Owner.YOUR-42BA0533C6\ResErrors.log
c:\windows\system32\appcert
c:\windows\system32\avicapq.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DEQUERSO
-------\Service_dequerso


((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-20 20:20 . 2009-01-20 20:20 62 --a------ c:\windows\wininit.ini
2009-01-19 18:36 . 2009-01-20 20:22 <DIR> d-------- c:\program files\U.B. Funkeys
2009-01-19 18:36 . 2009-01-20 20:40 186,592 --a------ c:\windows\system32\drivers\windrvr6.sys
2009-01-02 16:51 . 2009-01-02 16:51 <DIR> d-------- c:\program files\Trend Micro
2008-12-31 15:29 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-31 15:29 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-31 13:12 . 2008-12-31 13:12 <DIR> dr-hs---- C:\desktop.ini
2008-12-31 13:12 . 2008-12-31 13:12 <DIR> dr-hs---- C:\comment.htt
2008-12-31 12:50 . 2008-12-31 12:51 <DIR> d-------- c:\program files\UnHackMe
2008-12-31 12:50 . 2008-12-31 12:50 34,760 --a------ c:\windows\system32\drivers\Partizan.sys
2008-12-31 12:50 . 2008-12-31 12:50 32,480 --a------ c:\windows\system32\Partizan.exe
2008-12-31 12:50 . 2008-12-22 15:56 12,752 --a------ c:\windows\system32\drivers\UnHackMeDrv.sys
2008-12-31 12:50 . 2008-12-31 12:50 (2) -rahs-ot- c:\windows\winstart.bat
2008-12-31 12:27 . 2009-01-21 12:27 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-31 12:26 . 2009-01-22 15:59 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-31 12:26 . 2008-12-31 12:26 <DIR> d-------- c:\program files\AVG
2008-12-31 12:26 . 2008-12-31 12:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-31 12:26 . 2008-12-31 12:26 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-31 12:26 . 2008-12-31 12:26 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-31 11:56 . 2008-10-16 14:38 6,066,176 -----c--- c:\windows\system32\dllcache\ieframe.dll
2008-12-31 11:56 . 2007-04-17 03:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat
2008-12-31 11:56 . 2007-03-07 23:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui
2008-12-31 11:56 . 2008-10-16 14:38 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll
2008-12-31 11:56 . 2008-10-16 14:38 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll
2008-12-31 11:56 . 2008-10-16 14:38 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll
2008-12-31 11:56 . 2008-10-16 14:38 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll
2008-12-31 11:56 . 2008-10-16 14:38 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-31 11:56 . 2008-10-16 07:11 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe
2008-12-31 11:38 . 2008-12-31 11:38 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2008-12-31 11:08 . 2008-12-31 11:08 <DIR> d-------- c:\windows\system32\scripting
2008-12-31 11:08 . 2008-12-31 11:08 <DIR> d-------- c:\windows\system32\en
2008-12-31 11:08 . 2008-12-31 11:08 <DIR> d-------- c:\windows\system32\bits
2008-12-31 11:08 . 2008-12-31 11:08 <DIR> d-------- c:\windows\l2schemas
2008-12-31 11:06 . 2008-12-31 11:08 <DIR> d-------- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 21:18 --------- d-----w c:\documents and settings\Owner.YOUR-42BA0533C6\Application Data\U3
2009-01-16 14:33 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-31 18:36 --------- d--ha-w c:\documents and settings\All Users\Application Data\GTek
2008-12-31 17:42 --------- d-----w c:\program files\Microsoft Works
2008-12-31 16:52 --------- d-----w c:\program files\Yahoo!
2008-12-31 16:51 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-31 16:51 --------- d-----w c:\program files\CyberLink
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-03 22:29 30 ----a-w c:\documents and settings\Cody & Caleb\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E092056-AED5-4FFC-A568-CAC2B5ED4981}]
2009-01-22 18:27 104448 --a------ c:\windows\system32\avicapq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"UnHackMe Monitor"="c:\program files\UnHackMe\hackmon.exe" [2008-12-22 231648]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-25 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-09 139264]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-06-23 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-07-13 9134080]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-06-23 98304]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-06-23 86016]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 c:\windows\arpwrmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-10 724992]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 110080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-10-19 293888]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
NA [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
--a------ 2008-12-31 12:26 1261336 c:\progra~1\AVG\AVG8\avgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"80:TCP"= 80:TCP:@xpsp2res.dll,-22009
"8078:TCP"= 8078:TCP:@xpsp2res.dll,-22009
"37252:TCP"= 37252:TCP:@xpsp2res.dll,-22009
"39700:TCP"= 39700:TCP:@xpsp2res.dll,-22009

R0 skssonbc;skssonbc;c:\windows\system32\drivers\skssonbc.sys [2006-06-17 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-31 231704]
S0 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2008-12-31 34760]

--- Other Services/Drivers In Memory ---

*Deregistered* - UnHackMeDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{230bc847-480c-11db-9517-806d6172696f}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7458034f-e59f-11dd-8089-001676cb3389}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8fa7d36-4ba5-11dd-bf71-001676cb3389}]
\Shell\AutoRun\command - J:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e52e7bf8-f6bc-11db-bd47-001676cb3389}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-11-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2006-11-09 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]

2006-11-09 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

BHO-{59553DF7-9DE6-4584-866E-C65DE16F8110} - (no file)
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\HOMERunner.exe
HKLM-Run-qe0ikrm - c:\windows\system32\qe0ikrm.exe
HKLM-Run-NMSSupport - c:\program files\Common Files\Intel\IntelDH\NMS\Support\IntelHCTAgent.exe
HKLM-Run-CCUTRAYICON - c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.sterlingautobrokers.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5268E
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 18:27:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\ELService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2009-01-22 18:33:38 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2009-01-23 00:33:35

Pre-Run: 224,954,937,344 bytes free
Post-Run: 225,774,792,704 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

223 --- E O F --- 2009-01-16 14:33:14

#6 Thunder (Members, 3,294 posts, Belgium)

Posted 23 January 2009 - 05:37 AM

Hello Kirschner5,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:
KillAll::
Collect::
c:\windows\system32\avicapq.dll
c:\windows\system32\drivers\skssonbc.sys
Driver::
skssonbc
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E092056-AED5-4FFC-A568-CAC2B5ED4981}]

Save this as text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

ComboFix will generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens browser window) and clicking OK to start the upload. :thumbsup:

Still having problems ?

Greetings,
Thunder
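The CFScript above asks for a fresh DDS log afterwards so the helper can confirm that every target of the script is actually gone. The script below is an added example for this thread (not code from the post, ComboFix or DDS) that automates that comparison: it parses ComboFix's `Section::` script format, pulls the "failed to delete" lines out of the earlier ComboFix output (a file that cannot be deleted is the classic sign that it is loaded into a running process, as a Winlogon Notify DLL would be), and then searches a follow-up DDS log for each file name, driver name and registry CLSID the script was meant to remove. The CFScript text and the "before" log lines are copied from the thread; the "after" DDS excerpt is constructed to show what a clean follow-up would look like, since the thread itself ends before that log was posted.

```python
"""Check a fresh DDS log against the targets of a ComboFix CFScript.
Added verification example; the CFScript and 'before' lines come from the
thread, the 'after' DDS excerpt is constructed."""
import re

# Copied from the helper's post: the CFScript handed to ComboFix.
CFSCRIPT = r"""
KillAll::
Collect::
c:\windows\system32\avicapq.dll
c:\windows\system32\drivers\skssonbc.sys
Driver::
skssonbc
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E092056-AED5-4FFC-A568-CAC2B5ED4981}]
"""

# Copied from the 'Other Deletions' section of the ComboFix log in post #5.
COMBOFIX_BEFORE = r"""
c:\windows\system32\appcert
c:\windows\system32\avicapq.dll . . . . failed to delete
"""

# Copied from the first DDS log: the lines the script is aimed at.
DDS_BEFORE = r"""
BHO: : {8e092056-aed5-4ffc-a568-cac2b5ed4981} - c:\windows\system32\avicapq.dll
Notify: vvfpwmky - avicapq.dll
R0 skssonbc;skssonbc;c:\windows\system32\drivers\skssonbc.sys [2006-6-17 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
"""

# Constructed: what a follow-up DDS log would show once the script has taken effect.
DDS_AFTER = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
Notify: igfxcui - igfxdev.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-31 97928]
"""


def parse_cfscript(text):
    """Return {section: [items]} for ComboFix's 'Section::' script layout."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def failed_deletions(combofix_log):
    """Paths ComboFix reported it could not remove (file locked or in use)."""
    return [m.group(1) for m in
            re.finditer(r"^(\S.*?) \. \. \. \. failed to delete$", combofix_log, re.M)]


def checks_from_script(sections):
    """Turn each cleanup action into a (label, regex) pair to run against a DDS log."""
    checks = []
    for path in sections.get("Collect", []):
        name = path.rsplit("\\", 1)[-1]          # a collected file must vanish from every load point
        checks.append((f"file {name}", re.compile(re.escape(name), re.I)))
    for drv in sections.get("Driver", []):       # driver lines look like 'R0 name;desc;path'
        checks.append((f"driver {drv}", re.compile(rf"^[RS]\d {re.escape(drv)};", re.I | re.M)))
    for key in sections.get("Registry", []):     # '[-KEY]' is .reg syntax for 'delete this key'
        m = re.search(r"\{[0-9a-f-]+\}", key, re.I)
        if key.startswith("[-") and m:
            checks.append((f"key {m.group(0)}", re.compile(re.escape(m.group(0)), re.I)))
    return checks


def leftovers(script_text, fresh_dds):
    """Labels of script targets that still appear in the follow-up DDS log."""
    checks = checks_from_script(parse_cfscript(script_text))
    return [label for label, pat in checks if pat.search(fresh_dds)]


if __name__ == "__main__":
    print("could not be deleted earlier:", failed_deletions(COMBOFIX_BEFORE))
    print("still present before the script:", leftovers(CFSCRIPT, DDS_BEFORE))
    print("still present after the script:", leftovers(CFSCRIPT, DDS_AFTER))
```

Against the first DDS log all four targets are reported as present; against the constructed follow-up none are. The file check deliberately searches for the bare file name rather than the full path, so the Winlogon Notify entry (which lists only `avicapq.dll`, without a directory) is caught as well as the BHO line.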
