
June 2nd, 2010 09:00

Redirected searches

Google search shows multiple hits, and clicking on a particular hit will more often than not be redirected to some random site, sometimes ask.com but not always. The redirects will happen for a period of time, several hours, then for some reason will not happen for several hours, then all of a sudden reappear. The URL link can be copied to the address bar and this almost always goes to the correct link. I am running XP Pro SP3 with the latest updates on a Dell T7400 and IE6, with Kaspersky Internet Security with the latest database and with the filters set to max. I started experiencing this problem about 60 days ago and have been trying to get rid of it. 3 weeks ago I unloaded KAS according to directions from a KAS service tech. I downloaded Malwarebytes and ran it without KAS loaded; MB found two trojans, Trojan.Agent and Trojan.FakeAlert, which were successfully quarantined and deleted. I also downloaded and ran SUPERAntiSpyware, which ran to completion and found nothing. KAS was reinstalled and a full system scan run with no problems. This was done several weeks ago and the system appeared to be fine. I also cleaned the disk and deleted all previous restore files. Over the last week the redirects have reappeared. I have rerun MB and SUPERAntiSpyware as well as full scans with KAS with no anomalies found. The T7400 is on a network with 2 other machines connected to the internet with a cable modem. All of the other machines are running KAS with the latest updates. MB and SUPERAntiSpyware were also run on these machines, and on one KAS was unloaded as described above. Neither of these machines is seeing a redirect problem.

I restarted the T7400 and generated the HijackThis log below. Thanks for your assistance in resolving this. Not sure if word wrap is on or off or where to set this.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:24 AM, on 6/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe
C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Sentinel Web\Sentinel.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Sentinel Web\OPTISAFE_Service.Exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
C:\Sentinel Web\UPSInt.exe
C:\Program Files\Silicon Image\3124-W-I32-R SATARAID5\SATARaid5ConfigService.exe
C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04e\BrStDvPt.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SecureClean4RegManager] "C:\Program Files\WhiteCanyon\SecureClean 4\scregmanager4.exe"
O4 - HKLM\..\Run: [SecureClean4Tray] "C:\Program Files\WhiteCanyon\SecureClean 4\sctray4.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UPSMON] C:\Sentinel Web\Sentinel.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: SATARaid5Manager.lnk = ?
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: &Virtual keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtbbho.dll
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\DOCUME~1\ALLUSE~1\AVP9\mzvkbd3.dll,C:\DOCUME~1\ALLUSE~1\AVP9\kloehk.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OPTISAFEService - Unknown owner - C:\Sentinel Web\OPTISAFE_Service.Exe
O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.6\retrorun.exe
O23 - Service: Retrospect Helper - EMC Corporation - C:\Program Files\Retrospect\Retrospect 7.6\rthlpsvc.exe
O23 - Service: SATARaid5 Configuration Service (SATARaid5 Config Service) - Unknown owner - C:\Program Files\Silicon Image\3124-W-I32-R SATARAID5\SATARaid5ConfigService.exe
O23 - Service: SCWatch 4.0 - WhiteCanyon Inc. - C:\Program Files\WhiteCanyon\SecureClean 4\scwatch4.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe

--
End of file - 10507 bytes
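A small triage helper for a log like the one above, added here as an example and not part of the post or of HijackThis itself. It pulls out the entries a reviewer reads first: the AppInit_DLLs list (Windows loads those DLLs into every process that loads user32.dll, so each one deserves a look even when, as here, they belong to Google and Kaspersky), services whose file carries no company/version owner ("Unknown owner"), and every file path the log references, which is the list one would hash or upload next. The sample log is a constructed subset of the lines from the post; the review heuristics are this example's own choices, not HijackThis functionality, and listing an entry does not mean it is malicious.

```python
"""Triage a HijackThis v2 log: pull out the entries a reviewer reads first.

Added example for this thread, not part of the post or of HijackThis. The
sample below is a constructed subset of the log lines in the post above; the
review heuristics (AppInit_DLLs, services with no version owner, every file
path the log references) are this example's own choices.
"""
import re
from collections import defaultdict

# Constructed sample: copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\ievkbd.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe"
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,C:\DOCUME~1\ALLUSE~1\AVP9\mzvkbd3.dll,C:\DOCUME~1\ALLUSE~1\AVP9\kloehk.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
O23 - Service: OPTISAFEService - Unknown owner - C:\Sentinel Web\OPTISAFE_Service.Exe
"""

# "O23 - Service: ..." style lines; R/F/O plus a number, then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
# O23 bodies: "Service: <display name> - <owner from version info> - <path>".
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Any Windows path ending in .exe/.dll; quotes and commas end a path in this log.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.(?:exe|dll)", re.IGNORECASE)


def parse_log(text):
    """Map each HijackThis section code (O2, O4, O20, ...) to its entry bodies."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("kind")].append(m.group("body"))
    return entries


def appinit_dlls(entries):
    """DLLs named in AppInit_DLLs (O20); each is loaded into every user32 process."""
    dlls = []
    for body in entries.get("O20", []):
        if body.startswith("AppInit_DLLs:"):
            raw = body.split(":", 1)[1]
            dlls.extend(p.strip() for p in raw.split(",") if p.strip())
    return dlls


def unknown_owner_services(entries):
    """(name, path) for O23 services whose binary has no company in its version info."""
    found = []
    for body in entries.get("O23", []):
        m = SERVICE_RE.match(body)
        if m and m.group("owner") == "Unknown owner":
            found.append((m.group("name"), m.group("path")))
    return found


def referenced_paths(entries):
    """Distinct .exe/.dll paths anywhere in the log: the list to hash or upload next."""
    paths = set()
    for bodies in entries.values():
        for body in bodies:
            paths.update(PATH_RE.findall(body))
    return sorted(paths)


def summarize(text):
    """One line per item a reviewer should look at, plus a count of referenced files."""
    entries = parse_log(text)
    lines = [f"AppInit_DLLs: {d}" for d in appinit_dlls(entries)]
    lines += [f"service without owner: {n} -> {p}" for n, p in unknown_owner_services(entries)]
    lines.append(f"{len(referenced_paths(entries))} distinct file paths referenced")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it against a saved log with `summarize(open("hijackthis.log").read())`. The output is a reading order, not a verdict: an entry that is not listed has not been cleared, and a listed one (the Kaspersky keyboard-protection DLLs under AppInit_DLLs, for instance) is often legitimate.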

June 13th, 2010 16:00

I do not use Acronis to make image backups but rather to clone the C: drive. I make a cloned drive and store it offsite. I have 2 drives I rotate cloning, about 2 weeks apart. I keep no data files on C, only applications. The cloned drive can be used to replace a corrupted C drive by copying the cloned drive back to the corrupted C:. Since C is a mirrored array, failure of a drive that cannot be recovered is remote; this is the reason to do it bi-weekly. I have not considered malware as a reason for backups. Would appreciate input on the issue.


C:\WINDOWS\System32\msimsgh.dll
Uploading this file to VirSCAN generates an error in VirSCAN.
This scan was requested previously and it generated the same error.

C:\WINDOWS\Rdibmsgy.INI

VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 16:43:14 (CDT)
Scanner results: Scanners did not find malware!
File Name      : Rdibmsgy.INI
File Size      : 230 byte
File Type      : ASCII text, with CRLF line terminators
MD5            : ec776f5ee79b7c674cb4e915fdeacaac
SHA1           : c6b86d1b303370abf428ca8c725f5843906374de
Online report  : http://virscan.org/report/d56e670eeb1dd915f7e06b8db8507a22.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  5.19   -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  1.14   -
AntiVir        8.2.2.6         7.10.8.62         2010-06-11  0.25   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.27   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2934      2010-06-13  0.23   -
BitDefender    7.90123.6184856 7.32194           2010-06-14  3.90   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5088              2010-06-13  0.85   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  8.05   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.27   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  0.08   -
Fortinet       4.1.133         12.49             2010-06-13  0.12   -
GData          21.344/21.117   20100613          2010-06-13  7.14   -
ViRobot        20100611        2010.06.11        2010-06-11  0.36   -
Ikarus         T3.1.01.84      2010.06.13.76058  2010-06-13  6.64   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.18   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.60   -
McAfee         5400.1158       6012              2010-06-13  16.12  -
Microsoft      1.5802          2010.06.13        2010-06-13  6.63   -
Norman         6.04.12         6.04.00           2010-06-13  6.03   -
Panda          9.05.01         2010.06.13        2010-06-13  1.88   -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.02   -
Quick Heal     10.00           2010.06.12        2010-06-12  1.49   -
Rising         20.0            22.51.06.01       2010-06-13  0.20   -
Sophos         3.07.1          4.54              2010-06-14  3.46   -
Sunbelt        3.9.2424.2      6443              2010-06-13  7.15   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.33   -
nProtect       20100612.01     8630066           2010-06-12  7.78   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.30   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.65   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  2.35   -

C:\WINDOWS\loc2.INI
http://virscan.org/report/0bbc092c4b72006b0ce57c5bad7d8513.html
VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 16:46:42 (CDT)
Scanner results: Scanners did not find malware!
File Name      : loc2.INI
File Size      : 41 byte
File Type      : ASCII text, with CRLF line terminators
MD5            : 5c1db2450e22e39b6b4d8410da508230
SHA1           : 6fd9c765954c528f3587f19291f8ff31d4d1a1c7
Online report  : http://virscan.org/report/0bbc092c4b72006b0ce57c5bad7d8513.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  12.59  -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  2.52   -
AntiVir        8.2.2.6         7.10.8.63         2010-06-13  0.27   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.35   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2936      2010-06-14  0.24   -
BitDefender    7.90123.6184865 7.32196           2010-06-14  3.94   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5088              2010-06-13  0.84   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  8.06   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.27   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  10.49  -
Fortinet       4.1.133         12.49             2010-06-13  0.13   -
GData          21.344/21.117   20100613          2010-06-13  6.96   -
ViRobot        20100611        2010.06.11        2010-06-11  0.38   -
Ikarus         T3.1.01.84      2010.06.13.76058  2010-06-13  6.68   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.21   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.62   -
McAfee         5400.1158       6012              2010-06-13  16.20  -
Microsoft      1.5802          2010.06.13        2010-06-13  6.50   -
Norman         6.04.12         6.04.00           2010-06-13  6.01   -
Panda          9.05.01         2010.06.13        2010-06-13  1.88   -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.02   -
Quick Heal     10.00           2010.06.12        2010-06-12  1.50   -
Rising         20.0            22.51.06.01       2010-06-13  0.20   -
Sophos         3.07.1          4.54              2010-06-14  3.41   -
Sunbelt        3.9.2424.2      6443              2010-06-13  7.44   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.19   -
nProtect       20100612.01     8630066           2010-06-12  7.89   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.31   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.63   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  2.34   -

C:\WINDOWS\System32\msimsgh.dll

As before, this generates "ERROR: can't find upload file".

C:\WINDOWS\System32\eyykoc3.dll
http://virscan.org/report/87e75ab105d18b3b9afb474e43701287.html

VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 16:53:15 (CDT)
Scanner results: Scanners did not find malware!
File Name      : eyykoc3.dll
File Size      : 204 byte
File Type      : ASCII text
MD5            : 245021bdfc40b6825208cda97f64c641
SHA1           : 7d00610919c39bdce8aebea7ab6b67e4691f1ac6
Online report  : http://virscan.org/report/87e75ab105d18b3b9afb474e43701287.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  5.10   -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  1.15   -
AntiVir        8.2.2.6         7.10.8.63         2010-06-13  0.25   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.29   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2936      2010-06-14  0.23   -
BitDefender    7.90123.6184865 7.32196           2010-06-14  3.91   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5088              2010-06-13  0.84   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  7.91   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.27   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  0.09   -
Fortinet       4.1.133         12.49             2010-06-13  0.12   -
GData          21.344/21.117   20100613          2010-06-13  6.93   -
ViRobot        20100611        2010.06.11        2010-06-11  0.36   -
Ikarus         T3.1.01.84      2010.06.13.76059  2010-06-13  6.67   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.17   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.60   -
McAfee         5400.1158       6012              2010-06-13  16.12  -
Microsoft      1.5802          2010.06.13        2010-06-13  6.49   -
Norman         6.04.12         6.04.00           2010-06-13  6.01   -
Panda          9.05.01         2010.06.13        2010-06-13  1.73   -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.02   -
Quick Heal     10.00           2010.06.12        2010-06-12  1.53   -
Rising         20.0            22.51.06.01       2010-06-13  0.20   -
Sophos         3.07.1          4.54              2010-06-14  3.40   -
Sunbelt        3.9.2424.2      6443              2010-06-13  9.11   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.22   -
nProtect       20100612.01     8630066           2010-06-12  7.92   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.31   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.68   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  2.35   -


C:\WINDOWS\System32\xbp3i2y.dll
http://virscan.org/report/af61af2bf11b0df9b3e9f7d998ebfbc3.html

VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 16:57:37 (CDT)
Scanner results: Scanners did not find malware!
File Name      : xbp3i2y.dll
File Size      : 16 byte
File Type      : data
MD5            : 3019223e0cef8ab2193280966700e25b
SHA1           : d6b0da40bbf8837ca40ea23157ac08a7511a5e73
Online report  : http://virscan.org/report/af61af2bf11b0df9b3e9f7d998ebfbc3.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  5.23   -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  1.28   -
AntiVir        8.2.2.6         7.10.8.63         2010-06-13  0.26   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.29   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2936      2010-06-14  0.22   -
BitDefender    7.90123.6184865 7.32196           2010-06-14  3.95   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5088              2010-06-13  0.85   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  8.36   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.32   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  10.40  -
Fortinet       4.1.133         12.49             2010-06-13  0.13   -
GData          21.344/21.117   20100613          2010-06-13  7.08   -
ViRobot        20100611        2010.06.11        2010-06-11  0.38   -
Ikarus         T3.1.01.84      2010.06.13.76059  2010-06-13  6.73   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.25   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.61   -
McAfee         5400.1158       6012              2010-06-13  16.34  -
Microsoft      1.5802          2010.06.13        2010-06-13  6.60   -
Norman         6.04.12         6.04.00           2010-06-13  6.01   -
Panda          9.05.01         2010.06.13        2010-06-13  1.86   -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.02   -
Quick Heal     10.00           2010.06.12        2010-06-12  1.54   -
Rising         20.0            22.51.06.01       2010-06-13  0.24   -
Sophos         3.07.1          4.54              2010-06-14  3.51   -
Sunbelt        3.9.2424.2      6443              2010-06-13  8.66   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.26   -
nProtect       20100612.01     8630066           2010-06-12  8.11   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.33   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.76   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  2.34   -

C:\WINDOWS\System32\nkrq9sz.dll
http://virscan.org/report/c29c1b319fe2beb58fe8c3a877ecb90e.html

VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 17:00:41 (CDT)
Scanner results: Scanners did not find malware!
File Name      : nkrq9sz.dll
File Size      : 16 byte
File Type      : data
MD5            : 7895de8bf08cf5f7de33dcfa0eb5bdd9
SHA1           : 6854c756d06c4f9d1d9bb2a6664cec996c24ebdf
Online report  : http://virscan.org/report/c29c1b319fe2beb58fe8c3a877ecb90e.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  5.27   -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  1.48   -
AntiVir        8.2.2.6         7.10.8.63         2010-06-13  0.26   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.34   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2936      2010-06-14  0.23   -
BitDefender    7.90123.6184865 7.32196           2010-06-14  3.96   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5088              2010-06-13  0.83   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  7.96   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.34   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  9.92   -
Fortinet       4.1.133         12.49             2010-06-13  0.10   -
GData          21.344/21.117   20100613          2010-06-13  17.16  -
ViRobot        20100611        2010.06.11        2010-06-11  0.36   -
Ikarus         T3.1.01.84      2010.06.13.76059  2010-06-13  6.65   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.20   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.62   -
McAfee         5400.1158       6012              2010-06-13  16.13  -
Microsoft      1.5802          2010.06.13        2010-06-13  6.47   -
Norman         6.04.12         6.04.00           2010-06-13  6.03   -
Panda          9.05.01         2010.06.13        2010-06-13  9.16   -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.02   -
Quick Heal     10.00           2010.06.12        2010-06-12  2.60   -
Rising         20.0            22.51.06.01       2010-06-13  0.24   -
Sophos         3.07.1          4.54              2010-06-14  3.44   -
Sunbelt        3.9.2424.2      6443              2010-06-13  7.76   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.26   -
nProtect       20100612.01     8630066           2010-06-12  8.19   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.31   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.65   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  3.02   -

C:\WINDOWS\System32\iwbv2ab.dll
http://virscan.org/report/ddd804e60dbf2cb39e1e6dae4c51202d.html
VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 17:04:07 (CDT)
Scanner results: Scanners did not find malware!
File Name      : iwbv2ab.dll
File Size      : 16 byte
File Type      : data
MD5            : 7b21331b6dd382b60d8546c085edccf9
SHA1           : 621c9dd1c25ba1958dbd89f594296c718644d2b9
Online report  : http://virscan.org/report/ddd804e60dbf2cb39e1e6dae4c51202d.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  5.62   -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  1.52   -
AntiVir        8.2.2.6         7.10.8.63         2010-06-13  0.25   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.28   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2936      2010-06-14  0.23   -
BitDefender    7.90123.6184865 7.32196           2010-06-14  3.91   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5088              2010-06-13  0.90   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  7.92   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.29   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  4.78   -
Fortinet       4.1.133         12.49             2010-06-13  0.11   -
GData          21.344/21.117   20100613          2010-06-13  8.64   -
ViRobot        20100611        2010.06.11        2010-06-11  0.38   -
Ikarus         T3.1.01.84      2010.06.13.76059  2010-06-13  6.66   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.21   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.60   -
McAfee         5400.1158       6012              2010-06-13  16.20  -
Microsoft      1.5802          2010.06.13        2010-06-13  6.55   -
Norman         6.04.12         6.04.00           2010-06-13  6.01   -
Panda          9.05.01         2010.06.13        2010-06-13  22.15  -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.02   -
Quick Heal     10.00           2010.06.12        2010-06-12  1.67   -
Rising         20.0            22.51.06.01       2010-06-13  0.23   -
Sophos         3.07.1          4.54              2010-06-14  3.44   -
Sunbelt        3.9.2424.2      6443              2010-06-13  7.23   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.22   -
nProtect       20100612.01     8630066           2010-06-12  8.97   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.40   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.67   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  2.35   -

C:\WINDOWS\System32\auz705e.dll
http://virscan.org/report/da3198de1e9c7bb56e9191b492868e3d.html


VirSCAN.org Scanned Report :
Scanned time   : 2010/06/13 17:08:59 (CDT)
Scanner results: Scanners did not find malware!
File Name      : auz705e.dll
File Size      : 16 byte
File Type      : data
MD5            : 155f6d0742f9fef4c6dea6df0729bed6
SHA1           : aa8ac71e45c7492bfc12de4b79821c87c0038270
Online report  : http://virscan.org/report/da3198de1e9c7bb56e9191b492868e3d.html

Scanner        Engine Ver      Sig Ver           Sig Date    Time   Scan result
a-squared      5.0.0.11        20100612060110    2010-06-12  5.19   -
AhnLab V3      2010.06.13.00   2010.06.13        2010-06-13  1.24   -
AntiVir        8.2.2.6         7.10.8.63         2010-06-13  0.26   -
Antiy          2.0.18          20100611.4748539  2010-06-11  0.02   -
Arcavir        2009            201006130741      2010-06-13  0.02   -
Authentium     5.1.1           201006131335      2010-06-13  1.29   -
AVAST!         4.7.4           100613-2          2010-06-13  0.00   -
AVG            8.5.793         271.1.1/2936      2010-06-14  0.23   -
BitDefender    7.90123.6184865 7.32196           2010-06-14  3.94   -
ClamAV         0.96.1          11182             2010-06-12  0.00   -
Comodo         3.13.579        5089              2010-06-13  0.84   -
CP Secure      1.3.0.5         2010.06.14        2010-06-14  0.01   -
Dr.Web         5.0.2.3300      2010.06.14        2010-06-14  7.90   -
F-Prot         4.4.4.56        20100613          2010-06-13  1.30   -
F-Secure       7.02.73807      2010.06.12.02     2010-06-12  2.92   -
Fortinet       4.1.133         12.49             2010-06-13  0.10   -
GData          21.344/21.117   20100613          2010-06-13  12.52  -
ViRobot        20100611        2010.06.11        2010-06-11  0.37   -
Ikarus         T3.1.01.84      2010.06.13.76059  2010-06-13  6.62   -
JiangMin       13.0.900        2010.06.13        2010-06-13  1.49   -
Kaspersky      5.5.10          2010.06.13        2010-06-13  0.03   -
KingSoft       2009.2.5.15     2010.6.13.13      2010-06-13  0.84   -
McAfee         5400.1158       6012              2010-06-13  16.20  -
Microsoft      1.5802          2010.06.14        2010-06-14  7.33   -
Norman         6.04.12         6.04.00           2010-06-13  6.01   -
Panda          9.05.01         2010.06.13        2010-06-13  2.06   -
Trend Micro    9.120-1004      7.240.03          2010-06-13  0.03   -
Quick Heal     10.00           2010.06.12        2010-06-12  1.58   -
Rising         20.0            22.51.06.01       2010-06-13  0.96   -
Sophos         3.07.1          4.54              2010-06-14  3.40   -
Sunbelt        3.9.2424.2      6443              2010-06-13  8.48   -
Symantec       1.3.0.24        20100612.003      2010-06-12  0.33   -
nProtect       20100612.01     8630066           2010-06-12  9.65   -
The Hacker     6.5.2.0         v00298            2010-06-12  0.35   -
VBA32          3.12.12.5       20100611.0805     2010-06-11  2.64   -
VirusBuster    4.5.11.10       10.126.80/2047839 2010-06-13  2.39   -

1.5K Posts

June 14th, 2010 05:00

Hi,

We need to confirm whether the file that keeps giving the error is malicious or not. But all in all I'm not seeing much of anything in the logs.

Please go to Virus Total where you will see a browse button in the middle of the screen.

  • Click the Browse button
  • Locate the following file(s)

C:\WINDOWS\System32\msimsgh.dll

  • Click Send File
  • Post Reports back to this thread

Note: you may need to show hidden files to locate the files requested:

Go to Start>Search and at the top select Tools>Folder Options
Select the View tab
Look for "Hidden files and folders"
Select "Show hidden files and folders"
Click on Apply.
Next go to the side of the Search box and select All files and folders. Go down to More advanced options.
Be sure the first three boxes are selected:

  • Search System folders
  • Search Hidden Files and folders
  • Search SubFolders

Remember to hide hidden files/folders by reversing the action when you have finished

Then please try uploading the file to Jotti: click the browse button, navigate to C:\WINDOWS\System32\msimsgh.dll, and then click upload.

Post back the Virus Total and the Jotti reports to me with a report of any problems you are continuing to have.

Thanks
K27

23 Posts

June 14th, 2010 06:00

The Virus Total web site suggests sending the file via email as the site is under high workload at the moment. File C:\WINDOWS\System32\msimsgh.dll was located, but the system will not let me attach this file to the email. I get the message "you don't have appropriate permission to perform this operation". The file shows to be read only; I used the properties button to change this read-only attribute and get an "Access is denied" response.

I attempted to copy to a flash drive and get "cannot copy msimsgh: access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." Kaspersky was disabled and the same message is generated when the copy is attempted.

Sending directly to the site results in the message "0 bytes size received".

Sending this to Jotti, the status shows "File is empty (0 bytes)!"

1.5K Posts

June 14th, 2010 12:00

I would like to take a closer look at the file(s) in question.

Please go to THIS page to upload the file(s).

Once there please copy/paste this thread's web address into the "Link to topic where this file was requested:" dialogue box.

Then please click the BROWSE button and navigate to the following file(s) (NOTE: Only one file can be uploaded at a time)

C:\WINDOWS\System32\t1r8egj.dll
C:\WINDOWS\System32\msimsgh.dll

And then please click the Send File button.

You will then see this message: Your file was successfully submitted. Please let the user helping you know that you have submitted the file.

Please post back and let me know when the file has been uploaded.

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  4. Check esetAcceptTerms.png
  5. Click the esetStart.png button.
  6. Accept any security warnings from your browser.
  7. Check esetScanArchives.png
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push esetListThreats.png
  11. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the esetBack.png button.
  13. Push esetFinish.png

Please post back with the ESET log,
To let me know you have uploaded the file,
And all symptoms you are still having <--- Important

Thanks.

23 Posts

June 14th, 2010 14:00

As requested the files below were uploaded to THIS, all seem fine here with the upload, the thread was pasted in the appropriate box. K27 was listed as the requesting advisor in the comments box.

C:\WINDOWS\System32\t1r8egj.dll
C:\WINDOWS\System32\msimsgh.dll

ESET Online Scanner is running; all presets were accepted, including fix problems found, and scan archives was checked.

23 Posts

June 14th, 2010 16:00

ESET ran to completion and found no threats, no file was available to save.

1.5K Posts

June 14th, 2010 23:00

I have received the files and will take a closer look when I get home from work tonight.

Please reply to this topic with a list of any/all problems you are still having

23 Posts

June 15th, 2010 10:00

Redirects from Google are gone. The connection for IE to the internet is still very slow. I can disable Kaspersky and the connection is almost immediate, as it should be. I really appreciate the assistance and persistence you have offered and shown in getting me this far.

Discussed earlier in this thread was removing remnants of StopZilla which I had previously loaded and then removed using Control Panel, would still like to take care of this. If you can recommend additional malware/virus/spyware software that will run concurrently with Kaspersky it would be much appreciated.

Also, I would like to know what application the C:\WINDOWS\System32\msimsgh.dll file belongs to. I got zero hits at Microsoft's site and nothing on Google. Looked at several other machines I have running XP and this file does not exist on them.

1.5K Posts

June 15th, 2010 13:00

You're welcome.

We will now take care of the leftover items from StopZilla, and I am going to have ComboFix zip the file up and upload it to me automatically.

Whatever that file is, it is very clever: whenever it is uploaded it always uploads as 0 bytes, yet in all the logs it is 075,776 bytes. This, and the fact that you have no permissions over the file and there is absolutely no info on Google, worries me. If the file still uploads as 0, or uploads fully and comes back as malicious, then we will take it out.

Please delete your version of ComboFix (just right click the desktop file and click delete) as it will now be outdated. Then please download a fresh copy from HERE.

Please remember to save Combofix directly to the DESKTOP.

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)

Next we are going to run Combo-Fix in a slightly different way

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quote box below into it:

Quote:

http://en.community.dell.com/support-forums/virus-spyware/f/3521/t/19334615.aspx

File::
c:\windows\system32\Temp.tmp
c:\windows\system32\drivers\kgpcpy.cfg
C:\STOPzilla_Setup.exe
C:\SZKGFS.dat
c:\gcags\_nti40\bin\search.exe

Folder::
c:\program files\Common Files\iS3

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\gcags\\_nti40\\bin\\search.exe"=-

Suspect::[108]c:\windows\system32\msimsgh.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks
K27.
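The file discussed above resists copying and uploads as 0 bytes, and the ComboFix log shows it with the system, hidden and read-only attributes. As an added triage example (not part of the thread, and not K27's or ComboFix's tooling), this PowerShell script reports what a helper would want to know about such a file before deciding to remove it: attributes, size, owner and ACL, a SHA-256 for lookup on a multi-engine scanner, whether it carries a real PE "MZ" header, Authenticode status, and which processes have it loaded. It assumes PowerShell 3.0 or later in an elevated prompt; the default path is the one named in the thread.

```powershell
# Triage a suspicious file that resists copying/uploading, like msimsgh.dll
# in the thread. Added example; assumes PowerShell 3.0+ in an elevated prompt.
param([string]$Path = 'C:\WINDOWS\System32\msimsgh.dll')  # path named in the thread

function Get-SuspectFileReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    # -Force is required: without it Get-Item silently skips Hidden/System files,
    # which is exactly how this file is attributed (--sha-r- in the ComboFix log).
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    $report = [ordered]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        Attributes  = $item.Attributes.ToString()
        CreatedUtc  = $item.CreationTimeUtc
        ModifiedUtc = $item.LastWriteTimeUtc
    }

    # Owner and ACL explain "Access is denied": a System32 file that even an
    # administrator cannot read or copy usually has a stripped or unusual ACL.
    try {
        $acl = Get-Acl -LiteralPath $Path
        $report.Owner  = $acl.Owner
        $report.Access = ($acl.Access | ForEach-Object {
            '{0} {1} {2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights
        }) -join '; '
    } catch {
        $report.Owner = "ACL read failed: $($_.Exception.Message)"
    }

    # Hash for lookup on a multi-engine scanning service, plus a check that the
    # file begins with the 'MZ' DOS header every real DLL has. FileShare
    # ReadWrite lets the read succeed even if another process holds the file open.
    try {
        $stream = [System.IO.File]::Open($item.FullName, 'Open', 'Read', 'ReadWrite')
        try {
            $sha = [System.Security.Cryptography.SHA256]::Create()
            $report.SHA256 = [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '').ToLower()
            $stream.Position = 0
            $magic = New-Object byte[] 2
            $read = $stream.Read($magic, 0, 2)
            $report.HasMZHeader = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
        } finally {
            $stream.Dispose()
        }
    } catch {
        # The 0-byte uploads in the thread suggest the read itself may be blocked.
        $report.SHA256 = "read failed: $($_.Exception.Message)"
    }

    # Genuine Microsoft binaries are signed (often via catalog, which reports as
    # NotSigned on older Windows); an unknown, unsigned System32 DLL warrants follow-up.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    $report.Signature = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }

    # Which processes have the DLL loaded? This explains "file is currently in use"
    # on copy and tells the helper what must be stopped before removal.
    $loadedIn = foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.FileName -ieq $item.FullName }) { $p.ProcessName }
        } catch { }   # protected/system processes refuse module enumeration
    }
    $report.LoadedIn = (@($loadedIn | Sort-Object -Unique) -join ', ')

    [pscustomobject]$report
}

Get-SuspectFileReport -Path $Path | Format-List
```

A file reporting no MZ header, an unreadable or stripped ACL, NotSigned status and a size that differs from what uploads suggest is one to quarantine for analysis rather than delete outright.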

23 Posts

June 16th, 2010 21:00

K27, I was away for a day and just got back in.

Updated ComboFix as directed; log below.

2010-06-02 20:26 . 2010-06-02 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 14:17 . 2010-05-23 14:17 -------- d-----w- c:\program files\Trend Micro
2010-05-21 22:15 . 2010-05-21 22:15 503808 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\msvcp71.dll
2010-05-21 22:15 . 2010-05-21 22:15 499712 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\jmc.dll
2010-05-21 22:15 . 2010-05-21 22:15 348160 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 02:48 . 2008-04-05 13:42 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\HPAppData
2010-06-17 02:04 . 2009-04-01 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-06-14 20:11 . 2010-05-07 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-14 12:37 . 2008-03-15 01:55 101720 ----a-w- c:\documents and settings\Robert Chancellor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 22:26 . 2008-04-06 20:21 1882904 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-06-08 14:15 . 2008-03-15 02:07 8 ----a-w- c:\windows\system32\nvModes.dat
2010-06-02 20:26 . 2010-05-11 00:47 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\Malwarebytes
2010-06-02 20:26 . 2010-05-11 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-30 21:27 . 2008-03-11 03:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 12:07 . 2008-03-11 03:44 -------- d-----w- c:\program files\Google
2010-05-07 19:08 . 2010-05-07 19:08 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-05-07 19:08 . 2010-05-07 19:08 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-05-07 19:08 . 2010-05-07 19:08 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-05-07 19:08 . 2010-05-07 19:08 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-05-07 19:08 . 2010-05-07 19:08 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-05-07 19:08 . 2010-05-07 18:45 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-07 19:08 . 2010-05-07 18:45 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-07 19:08 . 2010-05-07 19:08 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-05-07 19:08 . 2010-05-07 19:08 17936 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-05-07 19:08 . 2010-05-07 19:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-05-07 19:08 . 2010-05-07 19:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-05-07 19:07 . 2010-05-07 19:07 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-05-07 18:44 . 2008-03-15 03:21 -------- d-----w- c:\program files\Kaspersky Lab
2010-05-07 18:33 . 2010-05-07 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-24 15:32 . 2008-06-04 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Rose Point Navigation Systems
2010-04-22 22:43 . 2008-03-15 03:44 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2010-04-22 21:39 . 2010-04-22 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-04-20 23:01 . 2008-03-17 13:45 -------- d-----w- c:\program files\Schlumberger
2010-04-19 12:30 . 2008-10-15 13:04 -------- d-----w- c:\program files\Security Task Manager
2010-04-18 21:25 . 2010-04-18 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-17 21:41 . 2010-04-17 21:41 75776 --sha-r- c:\windows\system32\msimsgh.dll
2010-04-14 04:49 . 2008-03-15 03:47 0 ----a-w- c:\windows\brdfxspd.dat
2004-02-14 02:26 . 2008-03-17 17:46 1221120 ----a-w- c:\program files\TXTPAD32.EXE
2010-01-24 18:45 . 2008-03-15 03:21 47233568 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-24 18:45 . 2008-03-15 03:21 2179104 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((   SnapShot@2010-06-10_14.48.54   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-15 13:06 . 2010-06-15 13:06 21504              c:\windows\Installer\3a1fc05.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-08-30 178712]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
"UPSMON"="c:\sentinel web\Sentinel.exe" [2007-07-17 430080]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-14 8523776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SATARaid5Manager.lnk - c:\windows\Installer\{E4D034E1-7643-4E63-928F-22174534B470}\_607517601492A67A51EB97.exe [2008-3-18 1206]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-27 20:05 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\docume~1\ALLUSE~1\AVP9\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 01:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 01:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2005-06-10 09:21 217088 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
2008-04-14 00:12 208896 ----a-w- c:\windows\inf\unregmp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-01-14 00:31 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4RegManager]
2004-06-04 16:48 1262592 ----a-w- c:\program files\WhiteCanyon\SecureClean 4\SCRegManager4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4Tray]
2004-06-04 16:56 1568768 ----a-w- c:\program files\WhiteCanyon\SecureClean 4\SCTray4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 14:16 49152 ------w- c:\program files\Brother\Brmfl04e\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-08-13 21:53 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 10:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 01:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TrkWks"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Retrospect\\Retrospect 7.6\\Retrospect.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3124r5.sys [3/18/2008 8:48 PM 207152]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [3/14/2008 10:49 PM 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [3/14/2008 10:47 PM 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [3/14/2008 10:49 PM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [3/14/2008 10:49 PM 10368]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 9:50 PM 135664]
S2 OPTISAFEService;OPTISAFEService;c:\sentinel web\OPTISAFE_Service.exe [3/31/2009 1:39 PM 369664]
S2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3124-W-I32-R SATARAID5\SATARaid5ConfigService.exe [10/5/2005 6:19 PM 131072]
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:50]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;T7400
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3813320134-2193633439-4158524474-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1460)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1520)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-06-16  21:56:24
ComboFix-quarantined-files.txt  2010-06-17 02:56
ComboFix2.txt  2010-06-10 14:50

Pre-Run: 259,459,997,696 bytes free
Post-Run: 259,435,257,856 bytes free

- - End Of File - - 7520B34B7C43B672DDCE63CDDFA85F01

1.5K Posts

June 17th, 2010 01:00

Hi,

The top of the log is missing, please repost it for me.

Thanks.

23 Posts

June 17th, 2010 05:00

Sorry about that.

ComboFix 10-06-16.02 - Robert Chancellor 06/16/2010  21:51:24.2.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2558.1948 [GMT -5:00]
Running from: c:\documents and settings\Robert Chancellor\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Chancellor\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\gcags\_nti40\bin\search.exe"
"C:\STOPzilla_Setup.exe"
"C:\SZKGFS.dat"
"c:\windows\system32\drivers\kgpcpy.cfg"
"c:\windows\system32\Temp.tmp"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\gcags\_nti40\bin\search.exe
c:\program files\Common Files\iS3
c:\program files\Common Files\iS3\Anti-Spyware\sgdfull.rsf
C:\STOPzilla_Setup.exe
C:\SZKGFS.dat
c:\windows\system32\drivers\kgpcpy.cfg
c:\windows\system32\prsgrc.dll
c:\windows\system32\Temp.tmp

.
(((((((((((((((((((((((((   Files Created from 2010-05-17 to 2010-06-17  )))))))))))))))))))))))))))))))
.

2010-06-15 11:27 . 2010-06-15 11:27 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-15 11:27 . 2010-06-15 11:27 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-14 20:15 . 2010-06-14 20:15 -------- d-----w- c:\program files\ESET
2010-06-08 18:30 . 2010-06-08 18:30 63488 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-08 18:30 . 2010-06-08 18:30 52224 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-08 18:30 . 2010-06-08 18:30 117760 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-08 18:30 . 2010-06-08 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-08 18:29 . 2010-06-09 15:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-08 18:29 . 2010-06-08 18:29 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com
2010-06-02 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 20:26 . 2010-06-02 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 14:17 . 2010-05-23 14:17 -------- d-----w- c:\program files\Trend Micro
2010-05-21 22:15 . 2010-05-21 22:15 503808 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\msvcp71.dll
2010-05-21 22:15 . 2010-05-21 22:15 499712 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\jmc.dll
2010-05-21 22:15 . 2010-05-21 22:15 348160 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 02:48 . 2008-04-05 13:42 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\HPAppData
2010-06-17 02:04 . 2009-04-01 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-06-14 20:11 . 2010-05-07 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-14 12:37 . 2008-03-15 01:55 101720 ----a-w- c:\documents and settings\Robert Chancellor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 22:26 . 2008-04-06 20:21 1882904 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-06-08 14:15 . 2008-03-15 02:07 8 ----a-w- c:\windows\system32\nvModes.dat
2010-06-02 20:26 . 2010-05-11 00:47 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\Malwarebytes
2010-06-02 20:26 . 2010-05-11 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-30 21:27 . 2008-03-11 03:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 12:07 . 2008-03-11 03:44 -------- d-----w- c:\program files\Google
2010-05-07 19:08 . 2010-05-07 19:08 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-05-07 19:08 . 2010-05-07 19:08 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-05-07 19:08 . 2010-05-07 19:08 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-05-07 19:08 . 2010-05-07 19:08 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-05-07 19:08 . 2010-05-07 19:08 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-05-07 19:08 . 2010-05-07 18:45 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-07 19:08 . 2010-05-07 18:45 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-07 19:08 . 2010-05-07 19:08 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-05-07 19:08 . 2010-05-07 19:08 17936 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-05-07 19:08 . 2010-05-07 19:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-05-07 19:08 . 2010-05-07 19:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-05-07 19:07 . 2010-05-07 19:07 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-05-07 18:44 . 2008-03-15 03:21 -------- d-----w- c:\program files\Kaspersky Lab
2010-05-07 18:33 . 2010-05-07 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-24 15:32 . 2008-06-04 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Rose Point Navigation Systems
2010-04-22 22:43 . 2008-03-15 03:44 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2010-04-22 21:39 . 2010-04-22 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-04-20 23:01 . 2008-03-17 13:45 -------- d-----w- c:\program files\Schlumberger
2010-04-19 12:30 . 2008-10-15 13:04 -------- d-----w- c:\program files\Security Task Manager
2010-04-18 21:25 . 2010-04-18 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-04-17 21:41 . 2010-04-17 21:41 75776 --sha-r- c:\windows\system32\msimsgh.dll
2010-04-14 04:49 . 2008-03-15 03:47 0 ----a-w- c:\windows\brdfxspd.dat
2004-02-14 02:26 . 2008-03-17 17:46 1221120 ----a-w- c:\program files\TXTPAD32.EXE
2010-01-24 18:45 . 2008-03-15 03:21 47233568 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-24 18:45 . 2008-03-15 03:21 2179104 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((   SnapShot@2010-06-10_14.48.54   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-15 13:06 . 2010-06-15 13:06 21504              c:\windows\Installer\3a1fc05.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-08-30 178712]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
"UPSMON"="c:\sentinel web\Sentinel.exe" [2007-07-17 430080]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-14 8523776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SATARaid5Manager.lnk - c:\windows\Installer\{E4D034E1-7643-4E63-928F-22174534B470}\_607517601492A67A51EB97.exe [2008-3-18 1206]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-27 20:05 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\docume~1\ALLUSE~1\AVP9\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 01:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 01:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2005-06-10 09:21 217088 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
2008-04-14 00:12 208896 ----a-w- c:\windows\inf\unregmp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-01-14 00:31 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4RegManager]
2004-06-04 16:48 1262592 ----a-w- c:\program files\WhiteCanyon\SecureClean 4\SCRegManager4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4Tray]
2004-06-04 16:56 1568768 ----a-w- c:\program files\WhiteCanyon\SecureClean 4\SCTray4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 14:16 49152 ------w- c:\program files\Brother\Brmfl04e\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-08-13 21:53 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 10:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 01:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TrkWks"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Retrospect\\Retrospect 7.6\\Retrospect.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3124r5.sys [3/18/2008 8:48 PM 207152]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [3/14/2008 10:49 PM 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [3/14/2008 10:47 PM 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [3/14/2008 10:49 PM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [3/14/2008 10:49 PM 10368]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 9:50 PM 135664]
S2 OPTISAFEService;OPTISAFEService;c:\sentinel web\OPTISAFE_Service.exe [3/31/2009 1:39 PM 369664]
S2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3124-W-I32-R SATARAID5\SATARaid5ConfigService.exe [10/5/2005 6:19 PM 131072]
.
Contents of the 'Scheduled Tasks' folder

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:50]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;T7400
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 21:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3813320134-2193633439-4158524474-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1460)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1520)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-06-16  21:56:24
ComboFix-quarantined-files.txt  2010-06-17 02:56
ComboFix2.txt  2010-06-10 14:50

Pre-Run: 259,459,997,696 bytes free
Post-Run: 259,435,257,856 bytes free

- - End Of File - - 7520B34B7C43B672DDCE63CDDFA85F01

1.5K Posts

June 17th, 2010 13:00

Hi,

The collection of the file failed, mainly due to an error on my part.

PLEASE BE SURE TO DISABLE ALL PROTECTIVE SOFTWARE THAT IS RUNNING ON YOUR MACHINE BEFORE RUNNING COMBO-FIX, SO THAT COMBO-FIX IS NOT HINDERED IN ITS REMOVAL PROCESS

Please disable all Anti-virus/Anti-Spyware/Firewall on your machine (instructions via links below)

We are going to run with a script again.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text between the lines below into it:

====================================================================================

http://en.community.dell.com/support-forums/virus-spyware/f/3521/p/19711110/Reply.aspx

Suspect::[108]
C:\WINDOWS\System32\msimsgh.dll

====================================================================================

Save this as CFScript.txt, in the same location as ComboFix.exe

[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Thanks

23 Posts

June 17th, 2010 17:00

Combo Fix asked about updating and I let it proceed with updating the Combo Fix

Log Below

ComboFix 10-06-17.02 - Robert Chancellor 06/17/2010  18:20:00.3.4 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2558.1962 [GMT -5:00]
Running from: c:\documents and settings\Robert Chancellor\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert Chancellor\Desktop\CFScript.txt
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

file zipped: c:\windows\system32\msimsgh.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\prsgrc.dll
c:\windows\system32\win.com

.
(((((((((((((((((((((((((   Files Created from 2010-05-17 to 2010-06-17  )))))))))))))))))))))))))))))))
.

2010-06-15 11:27 . 2010-06-15 11:27 133648 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-15 11:27 . 2010-06-15 11:27 133720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mmpprtc.dll
2010-06-08 18:30 . 2010-06-08 18:30 63488 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-08 18:30 . 2010-06-08 18:30 52224 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-08 18:30 . 2010-06-08 18:30 117760 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-08 18:30 . 2010-06-08 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-08 18:29 . 2010-06-09 15:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-08 18:29 . 2010-06-08 18:29 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\SUPERAntiSpyware.com
2010-06-02 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-02 20:26 . 2010-06-02 20:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 20:26 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-23 14:17 . 2010-05-23 14:17 -------- d-----w- c:\program files\Trend Micro
2010-05-21 22:15 . 2010-05-21 22:15 503808 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\msvcp71.dll
2010-05-21 22:15 . 2010-05-21 22:15 499712 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\jmc.dll
2010-05-21 22:15 . 2010-05-21 22:15 348160 ----a-w- c:\documents and settings\Robert Chancellor\Application Data\Sun\Java\Deployment\cache\6.0\46\f84c6ae-38e47637-n\msvcr71.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-17 23:16 . 2008-04-05 13:42 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\HPAppData
2010-06-17 11:56 . 2010-05-07 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2010-06-17 06:00 . 2009-04-01 14:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Retrospect
2010-06-14 12:37 . 2008-03-15 01:55 101720 ----a-w- c:\documents and settings\Robert Chancellor\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-09 22:26 . 2008-04-06 20:21 1882904 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-06-08 14:15 . 2008-03-15 02:07 8 ----a-w- c:\windows\system32\nvModes.dat
2010-06-02 20:26 . 2010-05-11 00:47 -------- d-----w- c:\documents and settings\Robert Chancellor\Application Data\Malwarebytes
2010-06-02 20:26 . 2010-05-11 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-30 21:27 . 2008-03-11 03:39 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 12:07 . 2008-03-11 03:44 -------- d-----w- c:\program files\Google
2010-05-07 19:08 . 2010-05-07 19:08 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2010-05-07 19:08 . 2010-05-07 19:08 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2010-05-07 19:08 . 2010-05-07 19:08 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2010-05-07 19:08 . 2010-05-07 19:08 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2010-05-07 19:08 . 2010-05-07 19:08 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2010-05-07 19:08 . 2010-05-07 18:45 97549 ----a-w- c:\windows\system32\drivers\klick.dat
2010-05-07 19:08 . 2010-05-07 18:45 113933 ----a-w- c:\windows\system32\drivers\klin.dat
2010-05-07 19:08 . 2010-05-07 19:08 397328 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\oeas.dll
2010-05-07 19:08 . 2010-05-07 19:08 17936 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\kloehk.dll
2010-05-07 19:08 . 2010-05-07 19:08 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\mzvkbd3.dll
2010-05-07 19:08 . 2010-05-07 19:08 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\fssync.dll
2010-05-07 19:07 . 2010-05-07 19:07 315408 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.736\sys\i386\5.1\klif.sys
2010-05-07 18:44 . 2008-03-15 03:21 -------- d-----w- c:\program files\Kaspersky Lab
2010-05-07 18:33 . 2010-05-07 18:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-04-24 15:32 . 2008-06-04 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Rose Point Navigation Systems
2010-04-22 22:43 . 2008-03-15 03:44 57 ----a-w- c:\documents and settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat
2010-04-22 21:39 . 2010-04-22 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-04-20 23:01 . 2008-03-17 13:45 -------- d-----w- c:\program files\Schlumberger
2010-04-19 12:30 . 2008-10-15 13:04 -------- d-----w- c:\program files\Security Task Manager
2010-04-17 21:41 . 2010-04-17 21:41 75776 --sha-r- c:\windows\system32\msimsgh.dll
2010-04-14 04:49 . 2008-03-15 03:47 0 ----a-w- c:\windows\brdfxspd.dat
2004-02-14 02:26 . 2008-03-17 17:46 1221120 ----a-w- c:\program files\TXTPAD32.EXE
2010-01-24 18:45 . 2008-03-15 03:21 47233568 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-01-24 18:45 . 2008-03-15 03:21 2179104 --sha-w- c:\windows\system32\drivers\fidbox2.dat
.

(((((((((((((((((((((((((((((   SnapShot@2010-06-10_14.48.54   )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-15 13:06 . 2010-06-15 13:06 21504              c:\windows\Installer\3a1fc05.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-08-30 178712]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2007-07-20 77922]
"UPSMON"="c:\sentinel web\Sentinel.exe" [2007-07-17 430080]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe" [2009-10-21 340456]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-14 8523776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SATARaid5Manager.lnk - c:\windows\Installer\{E4D034E1-7643-4E63-928F-22174534B470}\_607517601492A67A51EB97.exe [2008-3-18 1206]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-27 20:05 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\docume~1\ALLUSE~1\AVP9\mzvkbd3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
2008-04-10 01:14 136472 ----a-w- c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
2007-10-31 01:11 909208 ----a-w- c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 13:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2005-06-10 09:21 217088 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]
2008-04-14 00:12 208896 ----a-w- c:\windows\inf\unregmp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-01-14 00:31 8523776 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4RegManager]
2004-06-04 16:48 1262592 ----a-w- c:\program files\WhiteCanyon\SecureClean 4\SCRegManager4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecureClean4Tray]
2004-06-04 16:56 1568768 ----a-w- c:\program files\WhiteCanyon\SecureClean 4\SCTray4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 14:16 49152 ------w- c:\program files\Brother\Brmfl04e\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2009-08-13 21:53 1036288 ----a-w- c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-09 10:19 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
2008-04-10 01:11 2595792 ----a-w- c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TrkWks"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Common Files\\SafeNet Sentinel\\Sentinel Protection Server\\WinNT\\spnsrvnt.exe"=
"c:\\Program Files\\Retrospect\\Retrospect 7.6\\Retrospect.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 Si3124r5;SiI-3124 SoftRaid 5 Controller;c:\windows\system32\drivers\Si3124r5.sys [3/18/2008 8:48 PM 207152]
R2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [6/20/2007 2:30 PM 79168]
R3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [3/14/2008 10:49 PM 2944]
R3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [3/14/2008 10:47 PM 61952]
R3 BrUsbMdm;Brother MFC USB Fax Only Modem;c:\windows\system32\drivers\BrUsbMdm.sys [3/14/2008 10:49 PM 11008]
R3 BrUsbScn;Brother MFC USB Scanner driver;c:\windows\system32\drivers\BrUsbScn.sys [3/14/2008 10:49 PM 10368]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [3/13/2008 7:02 PM 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/5/2010 9:50 PM 135664]
S2 OPTISAFEService;OPTISAFEService;c:\sentinel web\OPTISAFE_Service.exe [3/31/2009 1:39 PM 369664]
S2 SATARaid5 Config Service;SATARaid5 Configuration Service;c:\program files\Silicon Image\3124-W-I32-R SATARAID5\SATARaid5ConfigService.exe [10/5/2005 6:19 PM 131072]
.
Contents of the 'Scheduled Tasks' folder

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:50]

2010-06-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 02:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=0080311
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;T7400
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Anti-Banner - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-17 18:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3813320134-2193633439-4158524474-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1424)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'lsass.exe'(1488)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-06-17  18:25:04
ComboFix-quarantined-files.txt  2010-06-17 23:25
ComboFix2.txt  2010-06-17 02:56
ComboFix3.txt  2010-06-10 14:50

Pre-Run: 259,350,990,848 bytes free
Post-Run: 259,351,023,616 bytes free

- - End Of File - - 36EE992F50CB831468D199AB1CD90234
Upload was successful
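As an added triage aid (not part of this thread, and not ComboFix's own code), the Python below parses file-listing lines in the format the two ComboFix logs above use and flags hidden+system files under the Windows tree, the pattern that made msimsgh.dll worth submitting rather than deleting. Sample lines are copied from the logs in this thread; reading the 8-character attribute field by letter presence rather than by position is an assumption.

```python
"""Triage helper for ComboFix-style file listings (added example, not ComboFix code).

Assumed line format, as seen in the logs in this thread:
    <modified> . <created> <size|--------> <attrs> <path>
The attribute field is read by letter presence (d, s, h, a, r, w); positions
are not relied on.  'SnapShot' lines are prefixed with '+ ' and carry no
attribute field.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LINE_RE = re.compile(
    r"^(?:\+ )?"
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8})\s+"
    r"(?:(?P<attrs>[-a-z]{8}) )?"
    r"(?P<path>\S.*)$"
)


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]   # None for directories ("--------")
    attrs: str            # raw flag field, "" when the line has none
    path: str             # lower-cased so two runs compare cleanly

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one listing line, or None for headers/separators."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = None if m["size"].startswith("-") else int(m["size"])
    return Entry(m["modified"], m["created"], size, m["attrs"] or "", m["path"].lower())


def parse_listing(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry], watched=("c:\\windows\\",)) -> List[Tuple[Entry, str]]:
    """Flag files that warrant a second look; a hit is a lead, not a verdict.

    The one rule here is the pattern that made msimsgh.dll stand out in the
    thread: a hidden+system (non-directory) file under the Windows tree.
    Legitimate software sets those flags too (Kaspersky's fidbox.dat in the
    same log), which is why the helper had the file submitted, not deleted.
    """
    hits = []
    for e in entries:
        if e.is_dir or not e.hidden_system:
            continue
        if any(e.path.startswith(d) for d in watched):
            hits.append((e, "hidden+system file in Windows tree: attrs=%s" % e.attrs))
    return hits


def diff_paths(old: List[Entry], new: List[Entry]) -> Tuple[Set[str], Set[str]]:
    """Paths that appeared / disappeared between two runs of the same listing."""
    a, b = {e.path for e in old}, {e.path for e in new}
    return b - a, a - b


# Constructed sample: lines copied from the ComboFix logs in this thread,
# plus one non-listing line to show that headers are skipped.
SAMPLE = r"""
2010-06-08 18:29 . 2010-06-09 15:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-02 20:26 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-17 21:41 . 2010-04-17 21:41 75776 --sha-r- c:\windows\system32\msimsgh.dll
2010-01-24 18:45 . 2008-03-15 03:21 47233568 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-05-30 21:27 . 2008-03-11 03:39 -------- d--h--w- c:\program files\InstallShield Installation Information
+ 2010-06-15 13:06 . 2010-06-15 13:06 21504              c:\windows\Installer\3a1fc05.msi
*Note* empty entries & legit default entries are not shown
"""

if __name__ == "__main__":
    entries = parse_listing(SAMPLE)
    for e, why in triage(entries):
        print(e.path, "->", why)
```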

1.5K Posts

June 19th, 2010 00:00

Hi,

The file is clean and is not malicious, it is related to the Microsoft remote desktop feature built in to Windows.

We are now going to clean the tools we used and update the system and see if that improves the loading speed of IE.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall
Note the space between Combofix and /

Please open OTL and click the NewPicture2.jpg button,
Let the machine reboot and then please delete HijackThis via add/remove programs in control panel.

Please uninstall the other programs we used, as without proper guidance they can seriously harm the workings of Windows and your PC.

  • HijackThis via Add/Remove Programs in Control Panel
  • DDS and the two (2) logs you saved from it, by right clicking their Desktop icons and clicking delete
  • The ARK tool we used, by right clicking the folder you created to run the ARK tool from and then clicking delete

.
Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose

In the Applications Tab:

  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

.
Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

To SET A NEW RESTORE POINT:
1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
3. Then go to Start > Run and type: Cleanmgr
4. Click "OK".
5. Click the "More Options" Tab.
6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Graphics for doing this are in the following links if you need them.
How to Create a Restore Point.
How to use Cleanmgr.

.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to "JDK 6 Update 20 (JDK or JRE)".
  • Click the Download JRE button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.

-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications.
To disable the JQS service if you don't want to use it:

  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

Now some advice on how to surf safe in the future.

ALWAYS keep all programs on your PC up to date and this especially means your Anti-Virus/Anti-Spyware/Firewall/Java and Adobe programs.
They can all be found via the "All Programs" feature in the start menu and if opened will 100% have a update feature somewhere.
NEVER use more than ONE Anti-Virus,
NEVER use more than ONE Anti-Spyware,
NEVER use more than ONE Software Firewall (and never use the Windows built-in Firewall as it will not keep you protected)

As more than one of each of these will conflict with each other and leave you just as vulnerable as not having them.
You can get some VERY GOOD FREE ones from HERE

It's always a good idea to back these up with SpywareBlaster as this will run in the background and not conflict with any of your other Security.

Also give WinPatrol a try as it is a very good program that will inform you of any changes being made to your system in the same way that User Account Control does but better, (DO NOT switch off UAC if you install WinPatrol, it is still very much needed)

Research and consider using a HARDWARE Firewall as this will provide a very good extra layer of protection.

Scan with each piece of your security Daily and at the very least two daily.
Always keep a few on-demand scanners on your machine and use them every other day, such as,

  • Malwarebytes Anti-Malware (consider purchasing the paid version for £25 for a lifetime's use; a very good piece of kit to have running on your machine)
  • Spybot Search&Destroy (DO NOT install the Tea Timer Function)
  • Ad-Aware (Again DO NOT install the resident scanner)


If you use IE then consider using a more secure browser such as FireFox or Opera

Install all the latest Windows updates from HERE  <---Please update to IE8 and do all other Windows updates
or by clicking start>all programs>Windows update, and keep going back and doing these until you have all the available updates and none are showing.
It's a good idea to set Windows Update to automatic so as not to miss any Important updates.

Always use a site advisor such as WOT to confirm the sites you are using are really the sites they say they are.
There is a version of WOT available for both IE and FireFox.

And please read these links for advice on Computer Security:
So how did I get infected in the first place by Tony Klein
Do's and Don't's of Security Programs
Anti-Virus Programs Explained


Please run the system as you normally would for 24-48 hours and report back any problems with IE8 loading

Safe Surfing,
K27.
