
imsinsl.dll



#1 Gigantic Squirrel


Posted 08 July 2010 - 06:54 AM

Hi There,

Windows XP Pro / Avast! antivirus

I have this item in my start up system config:

START UP ITEM: imsinsl
COMMAND: rundl32.exe"C:/WINDOWS/imsnsl.dll",Startup
LOCATION: Startup


I have this totally annoying malware that I am assuming is related where I select an item on a Google page through Firefox for say "Vintage Mondolo Bicycle parts" and one of many different search directories come up EXAMPLE: "AreaConnect Yellow Pages and Search Guide" or an advertisement for a completely unrelated item. The bug then will not allow me to go back to the Google page.

I have run a Malwarebytes full scan on my C: Drive after updates ( 14 items removed ) as well as Spybot ( 1 item ) to no avail. A check on the internet for this malware brings up "imsins.exe" issues but no "imsinsl.dll" so this may be fairly new.


Thanks for taking the time to help... :thumbsup:


 


#2 quietman7


Posted 08 July 2010 - 10:36 AM

Please post the complete results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Please follow these instructions: How to remove the TDSS, TDL3 rootkit using TDSSKiller

If that does not work, then download Norman TDSS Cleaner and save to your Desktop.
  • Double-click on Norman_TDSS_Cleaner.exe to run the tool.
  • Read the agreement and click Accept.
  • When the program window opens, click Start scan.
  • After the scan has finished, a log file named NFix_date_time (i.e. NFix_2009-06-22_07-08-56.log) will be created on your desktop with the results.
  • Copy and paste the contents of that file in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Gigantic Squirrel


Posted 08 July 2010 - 11:44 AM

I have had Firefox open during my scans. Is it crucial that I have it and any other programs turned off? I'm also running Photoshop, Illustrator and a Sign program simultaneously.

I've done 2 scans:




#1


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4291

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/8/2010 2:46:33 AM
mbam-log-2010-07-08 (02-46-33).txt

Scan type: Full scan (C:\|)
Objects scanned: 258264
Time elapsed: 55 minute(s), 38 second(s)

Memory Processes Infected: 5
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\Documents and Settings\Tom\Local Settings\Temp\GSPMYXSHys.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\program files\common files\Adobe\adobe version cue cs3\Server\plugins\com.adobe.versioncue.systemintegration_3.1.0\os\win32\x86\systemintegrationadobe.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\Documents and Settings\Tom\Local Settings\Temp\GSPMYXSHys.exe (Trojan.FakeAlert) -> Unloaded process successfully.
C:\program files\Adobe\adobe photoshop cs3\Plug-Ins\Parser\photoshopepsparser.exe (Trojan.FakeAlert) -> Unloaded process successfully.
c:\program files\videohome\GrabBeeX\mfc71installer1002.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diggcghmrottbvizw (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\logointernational (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeversion (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobeepsparser (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Tom\Local Settings\Temp\GSPMYXSHys.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\program files\common files\Adobe\adobe version cue cs3\Server\plugins\com.adobe.versioncue.systemintegration_3.1.0\os\win32\x86\systemintegrationadobe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\program files\Adobe\adobe photoshop cs3\Plug-Ins\Parser\photoshopepsparser.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\videohome\GrabBeeX\mfc71installer1002.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.



#2


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4291

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/8/2010 8:14:21 AM
mbam-log-2010-07-08 (08-14-21).txt

Scan type: Full scan (C:\|)
Objects scanned: 257380
Time elapsed: 55 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\RECYCLER\NPROTECT\00031032.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00031033.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00031034.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 quietman7


Posted 08 July 2010 - 11:57 AM

The speed and ability to complete an anti-virus or anti-malware scan depends on a variety of factors.
  • The program itself and how its scanning engine is designed to scan: using a signature database vs heuristic scanning or a combination of both.
  • Options to scan for spyware, adware, riskware and potentially unwanted programs (PUPS).
  • Options to scan memory, boot sectors, registry and alternate data streams (ADS).
  • Type of scan performed: Deep, Quick or Custom scanning.
  • What action has to be performed when malware is detected.
  • A computer's hard drive size.
  • Disk used capacity (number of files to include temporary files) that have to be scanned.
  • Types of files (.exe, .dll, .sys, .cab, archived, compressed, packed, email, etc) that are scanned.
  • Whether external drives are included in the scan.
  • Competition for and utilization of system resources by the scanner.
  • Other running processes and programs in the background.
  • Interference from malware.
  • Interference from the user.
To speed up your scans, uninstall unnecessary programs, clean out the temporary files or use ATF Cleaner first, temporarily disable any other real-time protection tools, close all open programs and do not use the computer during the scan.

Continue with the rest of my instructions.

#5 Gigantic Squirrel


Posted 08 July 2010 - 02:54 PM




I ran the TDSS Rootkill and the screen looked like this after the scan:


Posted Image



So far this seems to have rooted out the evil demon...

Quietman may in fact be a genius... THANKS!!! :thumbsup:

I'll report back if I have any further problems.






I still have the imsinl.dll and also anilofejnures.dll on my System Configuration Utilities (Start/Run/type in msconfig) that looks like this:


Posted Image







which I have left unchecked otherwise I get dialogue boxes for each that look like this at startup:


Posted Image






Of course since they are unchecked I get the System Utilities box every time on start up that looks like this:


Posted Image



... Oy. No big deal but it would be nice if I could get rid of them... don't know if it's worthy of a new topic as it seems a bit like whining about a hangnail.





Thanks Again Q7... You Guys ROCK!!!









#6 quietman7


Posted 08 July 2010 - 05:19 PM

The message "You have used the System Configuration Utility..." is normal after using MSConfig and easily prevented. When you alter something in MSConfig you are prompted at the next start up with a notice that explains that you have used the System Configuration Utility. Check the "Don't show this message or launch the System Configuration Utility when Windows starts" box to prevent future warnings from appearing.

It's not unusual to receive such an error(s) when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.

RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules which too can be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specific module could not be found" message usually occurs when the .dll file(s) that was set to run at startup in the registry has been deleted. Windows is trying to load this file(s) but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

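The orphaned-entry condition described in the post above, as an added example that is not part of the original thread: it parses rundll32 startup commands and reports those whose target DLL no longer exists on disk. The entries, the `PRESENT` set and the function names are constructed for illustration; the first entry is modelled on the one listed in the opening post.

```python
import ntpath
import os
import re

# rundll32 startup commands look like: rundll32.exe "<dll path>",<EntryPoint> [args]
# The DLL path may be quoted or bare, and the space after rundll32.exe is
# treated as optional so listings that drop it still parse.
RUNDLL_RE = re.compile(
    r'''^\s*"?(?:[^"]*[\\/])?rundll32(?:\.exe)?"?\s*   # the rundll32 host
        (?:"(?P<quoted>[^"]+)"|(?P<bare>[^",]+))        # DLL path
        \s*,\s*(?P<entry>[^\s,]+)                       # exported entry point
    ''',
    re.IGNORECASE | re.VERBOSE,
)

def parse_rundll32(command):
    """Return (dll_path, entry_point) for a rundll32 command line, else None."""
    m = RUNDLL_RE.match(command)
    if not m:
        return None
    raw = m.group("quoted") or m.group("bare")
    # normpath also turns forward slashes into backslashes
    return ntpath.normpath(raw.strip()), m.group("entry")

def find_orphans(entries, exists=os.path.exists):
    """Return (name, dll_path, entry_point) for entries whose DLL is missing."""
    orphans = []
    for name, command in entries:
        parsed = parse_rundll32(command)
        if parsed and not exists(parsed[0]):
            orphans.append((name, parsed[0], parsed[1]))
    return orphans

# Constructed sample startup entries (name, command); not taken from a real system.
SAMPLE_ENTRIES = [
    ("imsinsl", 'rundll32.exe "C:/WINDOWS/imsnsl.dll",Startup'),
    ("nospace", 'rundll32.exe"C:\\WINDOWS\\gone.dll",Startup'),
    ("printer", r'C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\present.dll,Init /q'),
    ("updater", r'"C:\Program Files\Vendor\update.exe" /background'),
]
# Constructed stand-in for the file system so the example runs anywhere.
PRESENT = {r"C:\WINDOWS\system32\present.dll"}

if __name__ == "__main__":
    for name, dll, entry in find_orphans(SAMPLE_ENTRIES, exists=PRESENT.__contains__):
        print(f"orphaned startup entry {name!r}: {dll} ({entry}) not found")
```

On a live Windows system the default `exists=os.path.exists` checks the real disk, and the entries would come from the Run keys or an Autoruns export. An entry whose DLL is still present is not reported here and still needs its own review.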



