AV Security Suite

Hi. I'm about at my wit's end and would love some help.

I got the AV Security Suite spyware a while back and have removed it with instructions online and MalwareBytes. I've scanned my computer with AVG anti-virus and MalwareBytes afterward and no warning popped up. But a rundll error keeps popping up at start-up now, plus the computer keeps shutting down at odd intervals.

Message: Error loading C:\Windows\asdiSC40.dll
The specified module could not be found

Help please. Thanks.

Hi LChan,

Welcome to GeekPolice Forums! I'm Crush but, you can call me Chris too and I will be helping you with your Malware issues.

A few things to keep in mind as we progress:

1. We are all volunteer staff here so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries

3. This may turn into a long ordeal but, rest assured we will stay with you until you are completely disinfected.

4. Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer. Do not run any tools unless specifically asked to by a member of one of these usergroups

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous.

6. Please keep responding until I give you the "All Clear". Absence of symptoms does not mean that everything is clear.

7. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

8. If you have any questions or issues please stop and ask! We are all here to help.

---

IMPORTANT: Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.


If you follow these instructions, everything should go smoothly .

Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

To do this click , then click Preferences. Make sure Always notify me of replies is set to Yes

---

With that out of the way:

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
  
• Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
  

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  
• When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.
  

Other things to include in your reply:
MBAM Scans

Is this right?

~[Filtered]~

Normal
0






~[Filtered]~


Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1470.964 [GMT -7:00]


Running from: c:\documents and settings\Lira\My
Documents\Downloads\Commy.exe


AV: AVG Anti-Virus Free *On-access scanning disabled*
(Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}


.





((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


.





c:\documents and settings\Lira\Local Settings\Application
Data\{A496F45F-7A80-4AFD-9605-6312A9B68FCF}


c:\documents and settings\Lira\Local Settings\Application
Data\{A496F45F-7A80-4AFD-9605-6312A9B68FCF}\chrome.manifest


c:\documents and settings\Lira\Local Settings\Application
Data\{A496F45F-7A80-4AFD-9605-6312A9B68FCF}\chrome\content\_cfg.js


c:\documents and settings\Lira\Local Settings\Application
Data\{A496F45F-7A80-4AFD-9605-6312A9B68FCF}\chrome\content\overlay.xul


c:\documents and settings\Lira\Local Settings\Application
Data\{A496F45F-7A80-4AFD-9605-6312A9B68FCF}\install.rdf


c:\windows\ihowunik.dll


c:\windows\Uninstall.ini





.


(((((((((((((((((((((((((
Files Created from 2010-05-26 to 2010-06-26 )))))))))))))))))))))))))))))))


.





2010-06-25 09:17 . 2010-06-25 09:17 118432 ----a-w- c:\documents and
settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat


2010-06-25 07:20 . 2010-06-25 07:20 -------- d-----w- C:\FOUND.005


2010-06-25 03:56 . 2010-06-25 03:56 -------- d-----w- C:\FOUND.004


2010-06-25 02:46 . 2010-06-25 02:46 -------- d-----w- C:\FOUND.003


2010-06-25 01:06 . 2010-06-25 01:06 -------- d-----w- c:\program files\Gravity


2010-06-21 23:06 . 2008-04-14 00:12 116224 ----a-w- c:\windows\system32\dllcache\xrxwiadr.dll


2010-06-21 23:06 . 2001-08-18 05:36 23040 ----a-w- c:\windows\system32\dllcache\xrxwbtmp.dll


2010-06-21 23:06 . 2008-04-14 00:12 18944 ----a-w- c:\windows\system32\dllcache\xrxscnui.dll


2010-06-21 23:06 . 2001-08-18 05:37 27648 ----a-w- c:\windows\system32\dllcache\xrxftplt.exe


2010-06-21 23:06 . 2001-08-18 05:37 4608 ----a-w- c:\windows\system32\dllcache\xrxflnch.exe


2010-06-21 23:06 . 2001-08-18 05:37 99865 ----a-w- c:\windows\system32\dllcache\xlog.exe


2010-06-21 23:06 . 2001-08-17 19:11 16970 ----a-w- c:\windows\system32\dllcache\xem336n5.sys


2010-06-21 23:06 . 2004-08-04 05:29 19455 ----a-w- c:\windows\system32\dllcache\wvchntxx.sys


2010-06-21 23:06 . 2008-04-13 18:46 19200 ----a-w- c:\windows\system32\dllcache\wstcodec.sys


2010-06-21 23:06 . 2004-08-04 05:29 12063 ----a-w- c:\windows\system32\dllcache\wsiintxx.sys


2010-06-21 23:06 . 2008-04-14 00:12 8192 ----a-w- c:\windows\system32\dllcache\wshirda.dll


2010-06-21 23:04 . 2001-08-17 19:13 19528 ----a-w- c:\windows\system32\dllcache\w840nd.sys


2010-06-21 23:03 . 2001-08-17 20:28 793598 ----a-w- c:\windows\system32\dllcache\usr1806.sys


2010-06-21 23:02 . 2001-08-17 19:51 166784 ----a-w- c:\windows\system32\dllcache\tridxpm.sys


2010-06-21 23:01 . 2001-08-17 19:51 138528 ----a-w- c:\windows\system32\dllcache\tgiulnt5.sys


2010-06-21 23:00 . 2001-08-18 05:36 41472 ----a-w- c:\windows\system32\dllcache\sw_effct.dll


2010-06-21 22:59 . 2001-08-17 20:53 9600 ----a-w- c:\windows\system32\dllcache\sonymc.sys


2010-06-21 22:58 . 2001-08-17 19:12 91294 ----a-w- c:\windows\system32\dllcache\skfpwin.sys


2010-06-21 22:57 . 2001-08-17 20:48 17664 ----a-w- c:\windows\system32\dllcache\sermouse.sys


2010-06-21 22:56 . 2001-08-17 19:50 41216 ----a-w- c:\windows\system32\dllcache\s3mt3d.sys


2010-06-21 22:55 . 2001-08-17 20:51 19584 ----a-w- c:\windows\system32\dllcache\rasirda.sys


2010-06-21 22:54 . 2001-08-17 20:53 7168 ----a-w- c:\windows\system32\dllcache\pnrmc.sys


2010-06-21 22:53 . 2001-08-18 05:36 41984 ----a-w- c:\windows\system32\dllcache\ovui2rc.dll


2010-06-21 22:52 . 2001-08-18 05:36 123776 ----a-w- c:\windows\system32\dllcache\nv3.dll


2010-06-21 22:51 . 2001-08-18 05:36 59104 ----a-w- c:\windows\system32\dllcache\n9i128v2.dll


2010-06-21 22:50 . 2001-08-17 21:02 35200 ----a-w- c:\windows\system32\dllcache\msgame.sys


2010-06-21 22:49 . 2001-08-18 05:36 58880 ----a-w- c:\windows\system32\dllcache\m3092dc.dll


2010-06-21 22:48 . 2001-08-17 20:49 26624 ----a-w- c:\windows\system32\dllcache\irstusb.sys


2010-06-21 22:47 . 2001-08-17 21:06 154496 ----a-w- c:\windows\system32\dllcache\icam4usb.sys


2010-06-21 22:46 . 2001-08-18 05:36 9759 ----a-w- c:\windows\system32\dllcache\hsf_inst.dll


2010-06-21 22:45 . 2001-08-17 21:02 2688 ----a-w- c:\windows\system32\dllcache\hidswvd.sys


2010-06-21 22:44 . 2001-08-17 19:10 22090 ----a-w- c:\windows\system32\dllcache\fem556n5.sys


2010-06-21 22:43 . 2001-08-17 19:17 629952 ----a-w- c:\windows\system32\dllcache\eqn.sys


2010-06-21 22:42 . 2008-04-13 18:40 8320 ----a-w- c:\windows\system32\dllcache\dlttape.sys


2010-06-21 22:41 . 2001-08-17 19:12 117760 ----a-w- c:\windows\system32\dllcache\d100ib5.sys


2010-06-21 22:40 . 2001-08-17 19:13 27164 ----a-w- c:\windows\system32\dllcache\ce3n5.sys


2010-06-21 22:39 . 2001-08-17 19:48 36128 ----a-w- c:\windows\system32\dllcache\banshee.sys


2010-06-21 22:38 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys


2010-06-21 22:38 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys


2010-06-21 22:38 . 2001-08-17 21:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll


2010-06-21 22:38 . 2001-08-17 19:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys


2010-06-21 22:38 . 2004-08-04 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys


2010-06-21 22:38 . 2001-08-17 20:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys


2010-06-21 22:38 . 2004-08-04 12:00 53248 ----a-w- c:\windows\system32\dllcache\1394bus.sys


2010-06-21 22:38 . 2001-08-17 21:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll


2010-06-21 21:08 . 2010-06-21 21:08 -------- d-sh--w- c:\documents and
settings\Administrator\PrivacIE


2010-06-21 20:07 . 2010-06-21 20:07 -------- d-----w- C:\WTablet


2010-06-20 05:19 . 2010-06-26 22:53 0 ----a-w- c:\documents and
settings\Administrator\Local Settings\Application Data\prvlcl.dat


2010-06-20 05:17 . 2010-06-20 05:17 -------- d-----w- c:\documents and
settings\Administrator\Local Settings\Application Data\Mozilla


2010-06-20 05:10 . 2010-06-20 05:10 -------- d-----w- c:\documents and settings\All
Users\Application Data\TEMP


2010-06-20 04:48 . 2010-06-26 22:47 120 ----a-w- c:\windows\Phiqexomino.dat


2010-06-20 04:48 . 2010-06-26 07:10 0 ----a-w- c:\windows\Pdetukoge.bin


2010-06-20 04:46 . 2010-06-20 04:46 -------- d-----w- c:\documents and settings\Lira\Local
Settings\Application Data\vlixsrccy


2010-06-12 02:55 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll


2010-06-12 02:49 . 2010-06-12 02:49 29512 ----a-w- c:\documents and settings\All
Users\Application Data\avg9\update\backup\avgmfx86.sys


2010-06-12 02:49 . 2010-06-12 02:49 242896 ----a-w- c:\documents and settings\All
Users\Application Data\avg9\update\backup\avgtdix.sys


2010-05-31 05:20 . 2010-05-31 05:20 -------- d-----w- C:\FOUND.002





.


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


.


2010-06-26 22:53 . 2010-02-27 09:02 0 ----a-w- c:\documents and settings\Lira\Local
Settings\Application Data\prvlcl.dat


2010-06-26 01:38 . 2010-05-22 08:26 2828 --sha-w- c:\documents and settings\All
Users\Application Data\KGyGaAvL.sys


2010-06-26 01:38 . 2010-05-22 08:26 2828 --sha-w- c:\documents and settings\All
Users\Application Data\KGyGaAvL.sys


2010-06-12 02:49 . 2009-06-03 23:47 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys


2010-06-12 02:49 . 2009-06-03 23:47 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys


2010-05-23 03:04 . 2010-05-23 03:04 -------- d-----w- c:\program files\Common Files\Corel


2010-05-23 03:04 . 2010-05-23 03:04 -------- d-----w- c:\program files\Common
Files\Protexis


2010-05-23 00:47 . 2010-05-23 00:47 -------- d-----w- c:\documents and
settings\Administrator\Application Data\Malwarebytes


2010-05-22 08:55 . 2010-05-22 08:26 88 --sh--r- c:\documents and settings\All
Users\Application Data\491F0982A5.sys


2010-05-22 08:55 . 2010-05-22 08:26 88 --sh--r- c:\documents and settings\All
Users\Application Data\491F0982A5.sys


2010-05-22 03:56 . 2010-05-22 03:56 503808 ----a-w- c:\documents and settings\Lira\Application
Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e2d60e3-n\msvcp71.dll


2010-05-22 03:56 . 2010-05-22 03:56 499712 ----a-w- c:\documents and settings\Lira\Application
Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e2d60e3-n\jmc.dll


2010-05-22 03:56 . 2010-05-22 03:56 348160 ----a-w- c:\documents and settings\Lira\Application
Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-6e2d60e3-n\msvcr71.dll


2010-05-21 22:11 . 2009-06-12 02:20 50280 ----a-w- c:\documents and settings\Lira\Local
Settings\Application Data\GDIPFONTCACHEV1.DAT


2010-05-15 22:33 . 2010-05-15 22:33 -------- d-----w- c:\program files\Finale NotePad 2008


2010-05-08 21:01 . 2010-05-08 21:01 -------- d-----w- c:\documents and settings\Lira\Application
Data\Malwarebytes


2010-05-08 21:01 . 2010-05-08 21:01 -------- d-----w- c:\documents and settings\All
Users\Application Data\Malwarebytes


2010-05-08 21:01 . 2010-05-08 21:01 -------- d-----w- c:\program files\Malwarebytes'
Anti-Malware


2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll


2010-05-02 05:22 . 2004-08-04 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys


2010-04-29 22:39 . 2010-05-08 21:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys


2010-04-29 22:39 . 2010-05-08 21:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys


2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll


2010-03-31 07:16 . 2010-03-31 07:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll


2010-03-31 07:10 . 2010-03-31 07:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe


2009-12-12 01:03 . 2009-08-28 02:11 119808 ----a-w- c:\program files\mozilla
firefox\components\GoogleDesktopMozilla.dll


.





((((((((((((((((((((((((((((((((((((( Reg Loading Points
))))))))))))))))))))))))))))))))))))))))))))))))))


.


.


*Note* empty entries & legit default entries are not
shown


REGEDIT4





[HKEY_LOCAL_MACHINE\~\Browser Helper
Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]


2008-11-18 19:58 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll





[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\Toolbar]


"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=
"c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]





[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]


[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]





[HKEY_CURRENT_USER\Software\Microsoft\Internet
Explorer\Toolbar\Webbrowser]


"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=
"c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-18 333192]





[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]


[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]





[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


"Aim6"="c:\program files\AIM6\aim6.exe"
[2009-05-19 49968]


"msnmsgr"="c:\program files\Windows
Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]





[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


"LaunchApp"="Alaunch" [X]


"SynTPLpr"="c:\program
files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]


"SynTPEnh"="c:\program
files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]


"SoundMan"="SOUNDMAN.EXE" [2005-02-24
77824]


"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08
88363]


"SiSPower"="SiSPower.dll" [2005-02-26
49152]


"SiS Windows
KeyHook"="c:\windows\system32\keyhook.exe" [2005-03-04 32768]


"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE"
[2004-08-04 208952]


"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe"
[2004-08-04 59392]


"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE"
[2004-08-04 455168]


"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE"
[2004-08-04 455168]


"PCMService"="c:\program
files\Arcade\PCMService.exe" [2005-03-10 49152]


"LManager"="c:\program files\Launch
Manager\QtZgAcer.EXE" [2005-10-12 315392]


"SunJavaUpdateSched"="c:\program
files\Java\jre6\bin\jusched.exe" [2009-06-22 148888]


"Google Desktop Search"="c:\program
files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-12-12 30192]


"EPSON Stylus CX3800
Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE"
[2005-02-07 98304]


"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe"
[2010-06-12 2065248]





c:\documents and settings\All Users\Start
Menu\Programs\Startup\


Utility Tray.lnk - c:\windows\system32\sistray.exe [2005-1-4
331776]


Microsoft Office.lnk - c:\program files\Microsoft
Office\Office\OSA9.EXE [1999-2-17 65588]





[HKEY_LOCAL_MACHINE\software\microsoft\windows
nt\currentversion\winlogon\notify\avgrsstarter]


2010-03-19 00:34 12464 ----a-w- c:\windows\system32\avgrsstx.dll





[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


"%windir%\\system32\\sessmgr.exe"=


"%windir%\\Network Diagnostic\\xpnetdiag.exe"=


"c:\\Program Files\\Common
Files\\AOL\\Loader\\aolload.exe"=


"c:\\Program Files\\AIM6\\aim6.exe"=


"c:\\Program Files\\Messenger\\MSMSGS.EXE"=


"c:\\Program Files\\ASUS\\Data Sync
Station\\Bragi.exe"=


"c:\\Program Files\\ASUS\\Data Sync
Station\\Clotho.exe"=


"c:\\Program Files\\Google\\Google Desktop
Search\\GoogleDesktop.exe"=


"c:\\Program Files\\Windows
Live\\Messenger\\wlcsdk.exe"=


"c:\\Program Files\\Windows
Live\\Messenger\\msnmsgr.exe"=


"c:\\Program Files\\Skype\\Plugin
Manager\\skypePM.exe"=


"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=


"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=


"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=


"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


"c:\\Program Files\\Java\\JRE6\\BIN\\java.exe"=





R1 AvgLdx86;AVG AVI Loader Driver
x86;c:\windows\system32\drivers\avgldx86.sys [6/3/2009 4:47 PM 216200]


R1 AvgTdiX;AVG8 Network
Redirector;c:\windows\system32\drivers\avgtdix.sys [6/3/2009 4:47 PM 242896]


R2 avg9emc;AVG Free E-mail Scanner;c:\program
files\AVG\AVG9\avgemc.exe [3/18/2010 5:33 PM 916760]


R2 avg9wd;AVG Free WatchDog;c:\program
files\AVG\AVG9\avgwdsvc.exe [3/18/2010 5:34 PM 308064]


R2
TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [6/9/2009
4:35 PM 2789160]


R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys
[6/9/2009 4:35 PM 15656]


S3 GoogleDesktopManager-110309-193829;Google Desktop Manager
5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
[8/27/2009 7:11 PM 30192]


.


Contents of the 'Scheduled Tasks' folder


.


.


------- Supplementary Scan -------


.


uStart Page = hxxp://www.google.com/


uInternet Settings,ProxyServer = http=127.0.0.1:5555


uInternet Settings,ProxyOverride =


uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s


FF - ProfilePath - c:\documents and settings\Lira\Application
Data\Mozilla\Firefox\Profiles\5j30q49v.default\


FF - component: c:\program
files\AVG\AVG9\Firefox\components\avgssff.dll


FF - plugin: c:\program files\Mozilla
Firefox\plugins\npFoxitReaderPlugin.dll


FF - HiddenExtension: Microsoft .NET Framework Assistant:
{20a82645-c095-46ed-80e3-08825760534b} -
c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation
Foundation\DotNetAssistantExtension\





---- FIREFOX POLICIES ----


c:\program files\Mozilla Firefox\greprefs\security-prefs.js
-
pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref",
true);


c:\program files\Mozilla Firefox\greprefs\security-prefs.js
- pref("security.ssl.renego_unrestricted_hosts", "");


c:\program files\Mozilla Firefox\greprefs\security-prefs.js
- pref("security.ssl.treat_unsafe_negotiation_as_broken", false);


c:\program files\Mozilla Firefox\greprefs\security-prefs.js
- pref("security.ssl.require_safe_negotiation", false);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("ui.use_native_colors", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.lu", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.nu", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.nz", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--p1ai", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.xn--mgbayh7gpa", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.IDN.whitelist.tel", true);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.auth.force-generic-ntlm", false);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("network.proxy.type", 5);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("dom.ipc.plugins.timeoutSecs", 10);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("svg.smil.enabled", false);


c:\program files\Mozilla Firefox\greprefs\all.js -
pref("accelerometer.enabled", true);


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",
"chrome://browser/locale/browser.properties");


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",
"chrome://browser/locale/browser.properties");


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("plugins.update.notifyUser", false);


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("dom.ipc.plugins.enabled.nptest.dll", true);


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("dom.ipc.plugins.enabled.npswf32.dll", true);


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("dom.ipc.plugins.enabled.npctrl.dll", true);


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);


c:\program files\Mozilla Firefox\defaults\pref\firefox.js -
pref("dom.ipc.plugins.enabled", false);


.


- - - - ORPHANS REMOVED - - - -





HKCU-Run-Hsekihumevixi - c:\windows\asdiSC40.dll


HKLM-Run-Uyotuhe - c:\windows\ihowunik.dll











**************************************************************************





catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware
detector by Gmer, http://www.gmer.net


Rootkit scan 2010-06-26 16:02


Windows 5.1.2600 Service Pack 3 FAT NTAPI





scanning hidden processes ...





scanning hidden autostart entries ...





scanning hidden files ...






scan completed successfully


hidden files: 0





**************************************************************************


.


--------------------- DLLs Loaded Under Running Processes
---------------------





- - - - - - - > 'explorer.exe'(3796)


c:\windows\system32\WININET.dll


c:\program files\CyberLink\Shared Files\CLRCEngine.dll


c:\windows\system32\ieframe.dll


c:\windows\system32\webcheck.dll


.


------------------------ Other Running Processes
------------------------


.


c:\program files\AVG\AVG9\avgchsvx.exe


c:\program files\AVG\AVG9\avgrsx.exe


c:\program files\AVG\AVG9\avgcsrvx.exe


c:\acer\eManager\anbmServ.exe


c:\program files\Java\jre6\bin\jqs.exe


c:\windows\system32\PSIService.exe


c:\program files\Common Files\Protexis\License
Service\PsiService_2.exe


c:\windows\system32\WTablet\Pen_TabletUser.exe


c:\program files\AVG\AVG9\avgnsx.exe


c:\windows\SOUNDMAN.EXE


c:\windows\AGRSMMSG.exe


c:\windows\system32\Rundll32.exe


c:\program files\AVG\AVG9\avgcsrvx.exe


c:\windows\system32\wscntfy.exe


.


**************************************************************************


.


Completion time: 2010-06-26
16:04:58 - machine was rebooted


ComboFix-quarantined-files.txt 2010-06-26 23:04





Pre-Run: 112,560,340,992 bytes free


Post-Run: 113,461,723,136 bytes free





WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe


[boot loader]


timeout=2


default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS


[operating systems]


c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery
Console" /cmdcons


multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft
Windows XP Home Edition" /noexecute=optin /fastdetect





- - End Of File - -
528AF2F88F449D2A77ACB5216C13D555

And the log from the Malwarebytes scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4244

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/26/2010 2:02:21 PM
mbam-log-2010-06-26 (14-02-21).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 182369
Time elapsed: 36 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Hi LChan,

Could you attach the log please? The forum is doing odd things to it.

Yup, sure. Thanks again for this.

Hi LChan,

No problem at all . Glad I can help.

There is a potentially unwanted pieces of software I have detected on your PC called AskBar

More information here:
http://www.what-is-exe.com/filenames/askbar-dll.html

We usually deem this optional to remove. But, I strongly suggest you do so by going to Control Panel > Add / Remove Programs and uninstalling it. Reboot your PC after uninstallation is complete.

Then, navigate to the following directory and delete it if it is still present:
c:\program files\AskBarDis\
========

Re-running ComboFix to remove infections:

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   Folder::
   c:\documents and settings\Lira\Local Settings\Application Data\vlixsrccy
   
   File::
   c:\documents and settings\All Users\Application Data\491F0982A5.sys
   c:\documents and settings\All Users\Application Data\491F0982A5.sys
   
   Registry::
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "LaunchApp"=-
   
   DDS::
   uInternet Settings,ProxyServer = http=127.0.0.1:5555
   uInternet Settings,ProxyOverride =
   

4. Save this as CFscript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFscript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.

I actually don't see it on the Add or Remove Program list. Is it ok to go straight to the directory and uninstall it from there?

Does it show up in your browser as a toolbar? If not, it is likely just a leftover entry.

In any event, please move on to the next step to remove infections with combofix

ComboFix 10-06-26.02 - Lira 06/27/2010 0:12.2.1 - FAT32x86~[Filtered]~

Ick. Attaching it instead. And no, it didn't show up on my browser at all.

Hi LChan,

Running any better now?

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

Yup. It's running much better. ~[Filtered]~

Did you post a log? looks like something was filtered. I'm going to check on this with the rest of the staff and see what the issue is here

Huh. That was weird. I didn't. All I said was that I'll have to do the scan and pasting of the log tomorrow.

Wonky things going on on GeekPolice tonight...let me tell you

I look forward to your reply.

What can I say, electronics just go on a fritz around me.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=865973f23ee93a4e8bec1459d88aeded
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-06-27 05:15:22
# local_time=2010-06-27 10:15:22 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1024 16777175 100 0 33496334 33496334 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=55344
# found=3
# cleaned=3
# scan_time=3375
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP294\A0034733.exe a variant of Win32/Adware.RegistryEasy application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{B6387AD4-48E1-4511-AA40-A245D4C401AE}\RP294\A0035824.dll a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\ihowunik.dll.vir a variant of Win32/Cimag.CK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Hm. Can I delete the quarantined files?

Hi LChan,

Congratulations!! Your PC is all clean!

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

Cleaning

Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

ATF Cleaner
CCleaner

Defragmenting Your Hard Disk

Over time your PC can become fragmented, Windows comes with a defragmenting utility, however, it is very slow, and there are other options available.

To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
right-click My Computer, choose Manage, Storage, Disk Defragmenter.

In the Defragmenter utility, select your main partition/HD, generally C:\ and select analyze . The analysis report will tell you whether or not your disk needs to be defragmented, if it does, click defragment. Be patient, this can take a long time.

Repeat for multiple partitions/hard disks.

System Restore Cleanup Instructions

If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
You can find instructions on how to disable and re-enable system restore here:

Windows ME System Restore Guide

Windows XP System Restore Guide

Reading Tip:
Computer Health
Keep Your System Updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and office

Go to Start > All Programs > Microsoft Update

Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

1. Go to Start > Control Panel > Automatic Updates
2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
2. Never open emails from unknown senders.
3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many security exploits on websites are directed to users of Internet Explorer and Firefox.

If you use Firefox, try the No-script Add On - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft Article to learn how to backup. Follow This Article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
Bleeping Computer

Avoid P2P

I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Prevent A Re-infection

1. Winpatrol

Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features Here

You can get a Free Copy of Winpatrol or use the Plus Version for more features.

You can read Win Patrol FAQ if you run into problems.

2. Hosts File

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:
MVPS Hosts File
Blue Tack’s Hosts File
Blue Tack’s Hosts Manager

3. Spybot Search and Destroy

Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

Spybot Search & Destroy can be downloaded from here.

If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

4. SiteHound Toolbar

SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

====

Stand Up and Be Counted ---> Malware Complaints<--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
============================================================
See this page for more info about malware and prevention.
Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site.
Before the thread is archived, do you have any more questions?

Happy surfing and stay clean!

Yay! Thank you. You totally saved my skin.

No problem. Glad I could help