ibm00001.exe message - please help with removal.



Dayzee
2007-02-06, 18:46
I've done a SnD scan in normal and safe modes and it did seem to remove what I think was the problem from my husband's PC running Windows ME. However, I've still got this message on start-up about not finding the ibm00001.exe file.

Followed the "Before you post" advice, so here is the HijackThis log and an online scan log.

HJT

Logfile of HijackThis v1.99.1
Scan saved at 16:22:15, on 06/02/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\ISSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\CTFMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\ADBLOCKING\NSMDTR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\WINDOWS\TEMP\MegaHost.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [TVWakeup] C:\Progra~1\TVView~1\tvwakeup.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [VidSvr]
O4 - HKLM\..\RunServices: [Announcements] C:\Program Files\TV Viewer\annclist.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [MDM7] "C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE"
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ISSVC] "C:\Program Files\Norton Internet Security\ISSVC.exe"
O4 - HKLM\..\RunServices: [ccProxy] C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - Startup: Reboot.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

and the online scan report - I used the PANDA one

Incident | Status | Location
Potentially unwanted tool:Application/Reboot.A | Not disinfected | C:\WINDOWS\StartMenu\Programs\StartUp\Reboot.exe
Adware:adware/megasearch | Not disinfected | C:\WINDOWS\TEMP\MEGAHOST.DLL
Virus:trj/torpig.a | Disinfected | Operating system
Spyware:Cookie/Cgi-bin | Not disinfected | C:\WINDOWS\Cookies\rob@cgi-bin[1].txt
Spyware:Cookie/BurstNet | Not disinfected | C:\WINDOWS\Cookies\rob@burstnet[2].txt
Spyware:Cookie/Atwola | Not disinfected | C:\WINDOWS\Cookies\rob@atwola[1].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\WINDOWS\Cookies\rob@cgi-bin[6].txt
Spyware:Cookie/Atwola | Not disinfected | C:\WINDOWS\Cookies\rob@atwola[2].txt
Spyware:Cookie/NewMedia | Not disinfected | C:\WINDOWS\Cookies\rob@anm.co[1].txt
Spyware:Cookie/Yadro | Not disinfected | C:\WINDOWS\Cookies\rob@yadro[1].txt
Spyware:Cookie/Cgi-bin | Not disinfected | C:\WINDOWS\Cookies\rob@cgi-bin[5].txt
Spyware:Cookie/Toplist | Not disinfected | C:\WINDOWS\Cookies\rob@toplist[1].txt
Spyware:Cookie/BurstNet | Not disinfected | C:\WINDOWS\Cookies\rob@burstnet[1].txt
Spyware:Cookie/Ccbill | Not disinfected | C:\WINDOWS\Cookies\rob@ccbill[2].txt
Spyware:Cookie/Itrack | Not disinfected | C:\WINDOWS\Cookies\rob@ilead.itrack[1].txt
Adware:Adware/BestSearch | Not disinfected | C:\WINDOWS\4nohe1ew.exe
Potentially unwanted tool:Application/KillApp.A | Not disinfected | C:\hmycwnv.exe
Potentially unwanted tool:Application/KillApp.A | Not disinfected | C:\sxldhn.exe


Hope you can help - fondest regards to you all - Deb Connolly

pskelley
2007-02-08, 16:51
Hi Deb Connolly, and welcome to the forum. Owning an old Compaq 7360 with Windows 98SE on it, I have good feelings about the OS and I take it online once in a while, like a sunny Sunday, for a test drive, but I am loaded with security and I still worry a little, because I know what you know: that Microsoft no longer supports the OS and it is just a matter of time before it gets infected with regular use. Having said all of that, you are infected. Here is the item:
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
read about it here and make sure you read under all tabs:
http://www.sophos.com/security/analyses/trojcosiaml.html
more information if needed:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=stonedrv
Another problem is that most of the new tools will not run on the OS and the junk must be manually removed. There are a couple of trojan scans that will run, and we will see if they are needed. If you want to clean up this computer, let's start like this:

1) Use the instructions for your System to show hidden files and folders, or you may not see the bad file.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

C:\PROGRAM FILES\COMMON FILES\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\WINDOWS\TEMP\MegaHost.dll
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\SYSTEM\MOSEARCH\BIN\MOSEARCH.EXE
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
(if you have any idea why the next item is there, you may leave it)
O4 - Startup: Reboot.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked".

3) RIGHT Click on Start then click on Explore. Locate and delete these items:

c:\windows\system\stonedrv.exe <<< delete that file

C:\PROGRAM FILES~1\COMMON FILES~1\SYSTEM\MOSEARCH\ <<< delete that folder if there

4) Follow these instructions; I suggest you delete what Windows suggests.
http://spyware-free.us/tutorials/cleanmgr/

Restart the computer, post a new HJT log, and let me know about any issues.
This file, ibm00001.exe, is a very nasty item; let's hope it is gone. If not, we will need to find and delete it.


This stuff is not malware, but if you do not use it, follow the advice in the links.

C:\PROGRAM FILES\TV VIEWER\TVWAKEUP.EXE
http://www.bleepingcomputer.com/startups/tvwakeup.exe-5893.html
C:\PROGRAM FILES\TV VIEWER\ANNCLIST.EXE
http://www.bleepingcomputer.com/startups/Annclist.exe-276.html

Thanks
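Added example, not from the thread or from the HijackThis project: a Python script that applies two of the triage cues the reply above relies on to a constructed subset of the posted log lines. It flags a BHO (O2) whose DLL lives in a temp folder, and an executable (O4) that is registered under several autostart keys at once, which is how stonedrv.exe shows up in the log.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of O2/O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\WINDOWS\TEMP\MegaHost.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKCU\..\Run: [stonedrv] c:\windows\system\stonedrv.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def exe_path(cmd):
    """Lower-cased executable path from a Run-key command, with quotes and arguments dropped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    return cmd.split(" ", 1)[0].lower()

def parse_hjt(text):
    """Parse O2 (BHO) and O4 (registry autostart) lines into dicts; other HJT lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line) or O4_RE.match(line)
        if m:
            entries.append({"type": line[:2], **m.groupdict()})
    return entries

def triage(entries):
    """Two heuristics from the thread: a BHO in a temp folder, and one binary under several autostart keys."""
    findings = []
    for e in entries:
        if e["type"] == "O2" and "\\temp\\" in e["path"].lower():
            findings.append(f"BHO '{e['name']}' loads from a temp directory: {e['path']}")
    keys_by_exe = defaultdict(set)   # exe path -> set of "HIVE\Key" it is registered under
    for e in entries:
        if e["type"] == "O4" and e["cmd"]:
            keys_by_exe[exe_path(e["cmd"])].add(f"{e['hive']}\\{e['key']}")
    for exe, keys in sorted(keys_by_exe.items()):
        if len(keys) > 1:
            findings.append(f"{exe} is registered under {len(keys)} autostart keys: {', '.join(sorted(keys))}")
    return findings

if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Entries such as "O4 - Startup:" shortcuts are not parsed by this script; they would need a separate rule.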

tashi
2007-02-19, 07:12
As the information requested has not been provided, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.