PDA

View Full Version : Ibm00001.exe Issues



Gpooj
2006-05-02, 23:19
Hello, my sister has severely destroyed her computer by trying to search for music through web pages... she's as bright as a wet paper bag.

Every time it boots up an error shows that Ibm00001.exe cannot be found. I can't find where it's being called to run at all though.
Anyway, I've tried scanning it over with Spybot, AdAware, and even some registry repair utility.

The thing is runnnig horribly and I suspect that it's a huge mess (The constant Trojan warnings from the antivirus tip me off, of course, when I scan the thing the antivirus thinks everything is fine). The following is her HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:20:32 PM, on 5/2/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPFW.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ORTEK\VERSATO\VERSATO.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ORTEK\VERSATO\MEDIAPLAYER.EXE
C:\PROGRAM FILES\ORTEK\VERSATO\OSD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [mshtb.exe] C:\WINDOWS\SYSTEM\mshtb.exe.exe
O4 - HKLM\..\Run: [sndraw32] C:\WINDOWS\SYSTEM\sndraw32.exe
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [mshtb.exe] C:\WINDOWS\SYSTEM\mshtb.exe.exe
O4 - HKLM\..\RunServices: [sndraw32] C:\WINDOWS\SYSTEM\sndraw32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [mshtb.exe] C:\WINDOWS\SYSTEM\mshtb.exe.exe
O4 - HKCU\..\Run: [sndraw32] C:\WINDOWS\SYSTEM\sndraw32.exe
O4 - Startup: Versato.lnk = C:\Program Files\Ortek\Versato\Versato.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk.disabled
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bluecoat.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab

Any help would be greatly appreciated.

CalamityJane
2006-05-06, 15:14
Hi Gpooj,

Ibm00001.exe is associated with one of the many Torpig trojan variants
http://www.sophos.com/virusinfo/analyses/search-results/?search=Ibm00001&action=search

She needs to take any and all precautions to protect any accounts, passwords, any sensitive data on that PC, as Torpig is a remote access trojan, allowing an intruder to access the computer and often contains a keylogger and/or password stealer.

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

What is a backdoor or remote access trojan?
Read this article.
Danger: Remote Access Trojans
http://www.microsoft.com/technet/security/alerts/info/virusrat.mspx

You need to get a good online AV scan as the trojan has possibly disabled or impaired any security software installed on the compromised computer. Any of the following will scan and clean the computer for free using the online AV scanner.

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx
(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)
It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

Panda's Active Scan
http://www.pandasoftware.com/products/activescan.htm
...........................................
Scan with HijackThis and checkmark these entries, then press the *fix checked* button. These are likely trojan files as well

O4 - HKLM\..\Run: [mshtb.exe] C:\WINDOWS\SYSTEM\mshtb.exe.exe

O4 - HKLM\..\Run: [sndraw32] C:\WINDOWS\SYSTEM\sndraw32.exe

O4 - HKLM\..\RunServices: [mshtb.exe] C:\WINDOWS\SYSTEM\mshtb.exe.exe

O4 - HKLM\..\RunServices: [sndraw32] C:\WINDOWS\SYSTEM\sndraw32.exe

O4 - HKCU\..\Run: [mshtb.exe] C:\WINDOWS\SYSTEM\mshtb.exe.exe

O4 - HKCU\..\Run: [sndraw32] C:\WINDOWS\SYSTEM\sndraw32.exe

And delete these files:

C:\WINDOWS\SYSTEM\sndraw32.exe

C:\WINDOWS\SYSTEM\mshtb.exe.exe


Please save the report from the online AV scans and post the results back here.

Gpooj
2006-05-06, 15:51
Thanks, I'll give that a try.

One thing I forgot to mention earlier though. I have scanned with housecall a few days ago, but it didn't detect anything.

I'll do all that again though and post the results here.

CalamityJane
2006-05-06, 15:54
Ok, we'll be here :)

Gpooj
2006-05-07, 02:34
I removed those 6 HijackThis entries, however, I couldn't find either of those files on my computer.

Here are the results for the eTrust scan:

WININET.DLL Win32.Alemod.H cannot cure C:\WINDOWS\SYSTEM\

Here are the results for Panda Activescan:

Incident Status Location

Virus:W32/Smitfraud.D Disinfected Operating system
Adware:adware/secure32 Not disinfected c:\program files\secure32.html
Spyware:spyware/betterinet Not disinfected c:\windows\inf\BIINI.INF
Adware:adware/cws.msconfd Not disinfected c:\windows\hh.htt
Adware:adware/sidesearch Not disinfected C:\WINDOWS\Application Data\Lycos
Adware:adware/vog Not disinfected Windows Registry
Adware:adware/alfacleaner Not disinfected Windows Registry
Adware:adware/ncase Not disinfected Windows Registry
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\SYSTEM\Mx0O1.dll
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\INF\BIA.INF
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.apmebf.com/]
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Atwola Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.belnk.com/]
Spyware:Cookie/bravenetA Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.bravenet.com/]
Spyware:Cookie/BurstNet Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.burstnet.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.com.com/]
Spyware:Cookie/did-it Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.did-it.com/]
Spyware:Cookie/Go Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.go.com/]
Spyware:Cookie/Maxserving Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.maxserving.com/]
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.overture.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Application Data\Mozilla\Profiles\default\whlmvn8f.slt\cookies.txt[server.iad.liveperson.net/hc/66693905]
Spyware:Cookie/Mediaplex Not disinfected C:\WINDOWS\Cookies\user@mediaplex[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\user@apmebf[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\WINDOWS\Cookies\user@qksrv[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\WINDOWS\Cookies\user@server.iad.liveperson[1].txt
Security Risk:HackTool/Gendel.A Not disinfected C:\WINDOWS\gendel32.exe

For some reason Trend Housecall wouldn't run properly for me this time. I get this error in the Java console:
2006-05-06 19:29:49.230 SEVERE [java:hc.Config] Failed to verify domain "http://housecall65.trendmicro.com/housecall/ui-cached/html/default/banner.xml?locale=en_US&impl=applet/html/java", HouseCall Server rejected!
I still get the error "Cannot find ibm0001.exe or one of its components" on startup, I can't figure out where it's being called at all...

Also, during those two online scans her antivirus (Trend Micro PCCillin Internet Security 2006) popped up and quarantined a bunch of DLLs and an executale called update.exe in the "Internet Explorer" program file.

Again, thanks for your help.

CalamityJane
2006-05-07, 03:18
Next steps:

1. Print out or save to notepad these instructions as we will need to do most steps offline and in SAFE MODE (so you won't have this window open to see the instruction from)

2. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

3 Download, install, and update Ewido AntiMalware (get the free trial version)
http://www.ewido.net/en/download/

a. Install Ewido AntiMalware

b. Launch Ewido, there should be a big yellowE icon on your desktop, double-click it.

c. The program will prompt you to update click the OK button

d. The program will now go to the main screen

e. On the left hand side of the main screen click on Update

f. Click on Start. The update will start and a progress bar will show the updates being installed.

g. Do not scan yet. We'll do that later in SAFE MODE. After updating close Ewido and any open programs.

4. Reboot into Safe Mode
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406?OpenDocument&src=sec_doc_nam)

5. Once in safe mode, start Ewido AntiMalware

a. Click on scanner

b. Click on *complete system scan*

c. Let the program scan the machine.

d. While the scan is in progress you will be prompted to clean the first infected file it finds. Choose Remove, then put a check next to Perform action on all infections in the left corner of the box so you don't have to sit and watch Ewido the whole time.
Checkmark the box: *Create encrypted backup in the quarantine* (recommended)

Click OK.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.


6. Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually.
........................
7. Reboot back to normal mode.

8. Now please scan again with HijackThis to produce a log. Post that log in a new topic along with the Ewido log you saved earlier.

Logs needed in your next post are:

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

Ewido Scan report

Fresh HijackThis log

Gpooj
2006-05-08, 23:24
Unfortunately I am running Windows 98SE and am unable to install those applications.

Gpooj
2006-05-09, 04:38
I booted in safe mode anyway for the sake of scanning with spybot and ad-aware in a safe environment.

After cleaning whatever they found I did a fresh HijackThis scan, here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:01 PM, on 5/8/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPFW.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\USBSTORAGE\USBDETECTOR.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\ORTEK\VERSATO\VERSATO.EXE
C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ORTEK\VERSATO\MEDIAPLAYER.EXE
C:\PROGRAM FILES\ORTEK\VERSATO\OSD.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\WINDOWS\DESKTOP\DOWNLOADS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Versato.lnk = C:\Program Files\Ortek\Versato\Versato.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk.disabled
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bluecoat.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

I am still prompted that ibm00001.exe or one of its components could not be found although I believe I had deleted its registry entry.

CalamityJane
2006-05-10, 03:50
I apologize, you are running Win98 - and I forgot about that!

Please download and run this free tool to produce a log for the ibm00002.exe problem:

Download Silent runners here (follow the instructions on that page)
http://www.silentrunners.org/sr_scriptuse.html

If you have antivirus script protection, please allow it (silentrunners.vbs) to run. While waiting, a box will say done.
Wait until there is a All Done message !!, Then open and post the log next to it.

Gpooj
2006-05-10, 05:41
Below is the Silentrunners log file:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"USBDetector" = "C:\USBStorage\USBDetector.exe" ["ali"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"" ["Trend Micro Incorporated."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SAgent2ExePath" = "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "C:\WINDOWS\SYSTEM\mstask.exe" [MS]
"PcCtlCom" = "C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE" ["Trend Micro Incorporated."]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakLogon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020D75-0000-0000-C000-000000000046}" = "Windows Messaging"
-> {HKLM...CLSID} = "Inbox"
\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {HKLM...CLSID} = "Adaptec Directcd Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {HKLM...CLSID} = "Nero Shell Extension Property Sheet"
\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXSHLEX.DLL" ["Alcohol Soft Development Team"]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {HKLM...CLSID} = "TMD Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {HKLM...CLSID} = "VBPropSheet"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
HexWorkshopContextMenu\(Default) = "{7bc80fe0-4b41-11cf-8fba-444553540000}"
-> {HKLM...CLSID} = "Hex Workshop Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\BreakPoint Software\Hex Workshop 3.1\hwext.dll" ["BreakPoint Software, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
INFECTION WARNING! "shell=explorer.exe ibm00001.exe" [MS], [file not found]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR" (Blank Screen.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Versato" -> shortcut to: "C:\Program Files\Ortek\Versato\Versato.exe" ["WayTech Development, Inc."]
"Exif Launcher" -> shortcut to: "C:\Program Files\Exif Launcher\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
INFECTION WARNING! "EPSON Status Monitor 3 Environment Check 2.lnk.disabled" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\msafd.dll [MS], 1 - 3
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 4 - 5
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 6 - 9


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2FDEF853-0759-11D4-A92E-006097DBED37}\
"ButtonText" = "Encarta Encyclopedia"
"MenuText" = "Encarta Encyclopedia"
"Script" = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM" [null data]

{5DA9DE80-097A-11D4-A92E-006097DBED37}\
"ButtonText" = "Define"
"MenuText" = "Define"
"Script" = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON USB Printer Port Monitor\Driver = "EPUSBMN.DLL" ["SEIKO EPSON CORPORATION"]
USBPortMonitor\Driver = "usbmon.dll" [MS]
HPLJ1020LM\Driver = "ZLhp1020.DLL" ["Zenographics, Inc."]
EPSON V5 Monitor\Driver = "EBPMON.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 40 seconds, including 13 seconds for message boxes)


Hmm, looks like that annoying startup is in system.ini... I wonder why I couldn't find it before.

CalamityJane
2006-05-10, 05:54
Go to Start > Run and type in the box: sysedit
and click ok.

A bunch of windows will open. Click on C:\Windows\System.ini and scroll down until you find the below line:

shell=explorer.exe ibm00003.exe

When you find it, remove ibm00003.exe so that the line reads:

shell=explorer.exe

and save your changes (File + Save)

Reboot and let us know if you still have a problem.

Gpooj
2006-05-11, 02:11
Well that did it, no more error message.

I assume that her anti-virus crippled the trojan and just left its startup prompt. The only thing that worries me now is that her computer seems to take longer than ever to boot up (ever since I installed the visual basic component that allowed the silentrunners script to run) and whenever I power down I get the message "There is 1 user connected to your computer, shutting down will disconnect them". That kinda worries me because I get that error even if it's the only computer powered on in the home network.

So, does that last HijackThis log give her a clean bill of health?

CalamityJane
2006-05-12, 22:13
The ibm00003.exe entry never did show in the HijackThis log, as we could only see it in the Silent Runners log. Can you run Silent Runners again to see if it is now gone?

Also, the issue that eTrust found is still unresolved I think. Her wininet.dll file may be still be infected (different infection from the ibm00003 problem). If eTrust can't clean it, you'll need to get replacement copy. Follow the instructions on this page for Windows 98 and the possible infected wininet.dll
http://noahdfear.geekstogo.com/

While you're on that page, it also has a tool (SmitRem.exe) that will run on Win98 - so give that one a try as well. Copy the log it makes post the results of SmitRem back here please. That should also show us the status of the wininet.dll file

Gpooj
2006-05-13, 02:30
The Smit Remover didn't seem to have made a log file at all.

Here is the new log file from Silent Runners:

"Silent Runners.vbs", revision 45, http://www.silentrunners.org/
Operating System: Windows 98
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"msnmsgr" = ""C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"USBDetector" = "C:\USBStorage\USBDetector.exe" ["ali"]
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"" ["Trend Micro Incorporated."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"SAgent2ExePath" = "C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "C:\WINDOWS\SYSTEM\mstask.exe" [MS]
"PcCtlCom" = "C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE" ["Trend Micro Incorporated."]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakLogon" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{00020D75-0000-0000-C000-000000000046}" = "Windows Messaging"
-> {HKLM...CLSID} = "Inbox"
\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec Directcd Shell Extension"
-> {HKLM...CLSID} = "Adaptec Directcd Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adaptec\DirectCD\shellex.dll" ["Adaptec"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
"{2E9D3540-211C-11d0-A5F2-00A0248C37BE}" = "Nero Shell Extension Property Sheet"
-> {HKLM...CLSID} = "Nero Shell Extension Property Sheet"
\InProcServer32\(Default) = "C:\Program Files\Ahead\nero\neroshx.dll" ["Ahead Software AG"]
"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"
-> {HKLM...CLSID} = "AlcoholShellEx"
\InProcServer32\(Default) = "C:\PROGRA~1\ALCOHO~1\ALCOHO~1\AXSHLEX.DLL" ["Alcohol Soft Development Team"]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {HKLM...CLSID} = "TMD Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {HKLM...CLSID} = "VBPropSheet"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]
HexWorkshopContextMenu\(Default) = "{7bc80fe0-4b41-11cf-8fba-444553540000}"
-> {HKLM...CLSID} = "Hex Workshop Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\BreakPoint Software\Hex Workshop 3.1\hwext.dll" ["BreakPoint Software, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\PROGRAM FILES\WINRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\BLANKS~1.SCR" (Blank Screen.scr) [MS]


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Versato" -> shortcut to: "C:\Program Files\Ortek\Versato\Versato.exe" ["WayTech Development, Inc."]
"Exif Launcher" -> shortcut to: "C:\Program Files\Exif Launcher\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
INFECTION WARNING! "EPSON Status Monitor 3 Environment Check 2.lnk.disabled" [null data]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\msafd.dll [MS], 1 - 3
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 4 - 5
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 6 - 9


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2FDEF853-0759-11D4-A92E-006097DBED37}\
"ButtonText" = "Encarta Encyclopedia"
"MenuText" = "Encarta Encyclopedia"
"Script" = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM" [null data]

{5DA9DE80-097A-11D4-A92E-006097DBED37}\
"ButtonText" = "Define"
"MenuText" = "Define"
"Script" = "C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM" [null data]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
EPSON USB Printer Port Monitor\Driver = "EPUSBMN.DLL" ["SEIKO EPSON CORPORATION"]
USBPortMonitor\Driver = "usbmon.dll" [MS]
HPLJ1020LM\Driver = "ZLhp1020.DLL" ["Zenographics, Inc."]
EPSON V5 Monitor\Driver = "EBPMON.DLL" ["SEIKO EPSON CORPORATION"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 30 seconds, including 7 seconds for message boxes)

CalamityJane
2006-05-13, 03:36
The smitrem log would named: smitfiles.txt located on the hard drive:
C:\smitfiles.txt

If still not found, let's get the wininet.dll file scanned here:
Virus Total
http://www.virustotal.com/

Using the browse button on the site, browse to the file,
C:\WINDOWS\SYSTEM\WININET.DLL
highlight it and choose *open* then and hit the submit button. Wait until all the scans are done. Copy the results and post them back here please.

The Silent Runners log looked ok! :)

Gpooj
2006-05-14, 07:07
Ok, looks like it did make a log file afterall.
Here it is:


smitRem © log file
version 2.8

by noahdfear


Windows 98 [Version 4.10.2222]


Running from
C:\WINDOWS\Desktop\Downloads\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~

warnhp.html


~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Starting registry repairs
Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="C:\WINDOWS\SYSTEM\BROWSEUI.DLL"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~





~~~~ wininet.dll ~~~~

wininet.dll Clean!! :)

CalamityJane
2006-05-18, 15:44
Oops, sorry for the delay, I missed seeing your reply here.

Did you get the scan at Virus Total on this file:
C:\WINDOWS\SYSTEM\WININET.DLL

Hopefully it came up clean? If not let me know.

Everything looks fine. How is everything looking on your end?

Gpooj
2006-05-21, 00:52
When I scan that file I don't get any virus warnings.

Everything looks fine on my end, for some reason the thing is still running horribly and freezes randomly at odd moments.

Even after Defrag...
Well, it's most likely because of the beast of an Anti-Virus running on that thing.

Thanks for all your help. I really appreciate all the effort you people put into this forum, it's a great help.

CalamityJane
2006-05-21, 02:24
Ok, that's good then if it scanned clean :)

I can't see anything further. Does everthing look ok on your end?

tashi
2006-05-26, 06:29
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a pm and provide a link to the thread. :)

Applies only to the original topic starter.