I tried to download a "free" program to download a song and my antivirus program lit up. It found TROJ_ADLOAD.KH; TROJ_SPYWAD.AL; TSPY_SINOWAL.AH; and TROJ_GENERIC. This gave me ibm0003.exe; ibm0003.dll; ibm0001.dll and ibm0004.dll. Most of those were in C:\Windows\Temporary internet files. I also had C:\cthsga.exe and C:\ybkcan.exe that were infected. I've quarantined and deleted all of these. However, on start up I get the "Windows cannot find ibm0003.exe or it is mispelled in the run file or a program that is already running cannot locate it." I've run spybot search and destroy (and reactivated imunize); pccillian; NoAdware;and Ad-ware 6.0. I can't figure out what is looking for ibm0003.exe and was hoping you could look at my Hijack This log and identify it or head me in the right direction.

I appreciate your time and efforts - Titan.

Logfile of HijackThis v1.99.1
Scan saved at 12:11:35 AM, on 9/11/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\ELINKACC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\WINDOWS\DESKTOP\COMPUTER ADMIN\JDCS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ELNKPUB.DLL
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ESCAMBLK.DLL
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\PROTCTIE.DLL
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\UNINSTTB.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O18 - Protocol: stash - {44D81A5B-F195-11D2-A3D7-000086335B27} - C:\PROGRAM FILES\EARTHLINK 5.0\STASH100.DLL

Hello and sorry for the wait.

If you have not resolved the problem, we have this sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

Tashi, Thnx for the response. Realize I'm not real computer litterate here, lol, and I'm guessing I'm suppose to reply here -

I looked at another post from 9-12-06 "ibm00003" and saw the following from LonnieRJones:

Go to Start > Run and type in the box:
notepad C:\Windows\System.ini
and click ok.
On this line
shell=explorer.exe ibm00003.exe
remove ibm00003.exe so that the line reads only:

shell=explorer.exe

Exit notepad and save your changes (File + Save)

I did this also and I no longer get the ibm0003.exe pop-up. However, I've been getting other pop-ups now about kernell32.dll causing an error and EXPSRV causing an error so if possible I'd like someone to look at my Hijack This file and tell me if I need to delete some items. From looking at other posts I believe I need to - but don't want to remove something that is harmless or worse -- needed. I just updated my antivirus/firewall program as they had expired 10-7-06. Here is another run of Hijack This and thnx again for your help and if I was supposed to post this elsewhere plz let me know:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:20 PM, on 9/16/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPFW.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCGUIDE.EXE
C:\PROGRAM FILES\LOGITECH\WINGMAN PROFILER\LWPEVNTM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\FASTLANE\IPCLIENT.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\ACCELERATOR\ELINKACC.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\TMPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\COMPUTER ADMIN\JDCS\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EarthLink Network, Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: ElnkPubBHO Class - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ELNKPUB.DLL
O2 - BHO: ElnkScamBHO Class - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\ESCAMBLK.DLL
O2 - BHO: ElnkProtectionBHO Class - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\PROTCTIE.DLL
O2 - BHO: ElnkLegacyUninstBHO Class - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\UNINSTTB.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [Lwinst Run Profiler] C:\Program Files\Logitech\WingMan Profiler\Lwtest.exe /detect /quiet /launch "C:\Program Files\Logitech\WingMan Profiler\Lwpevntm.exe"
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [PcCtlCom] C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2006\PCCTLCOM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL (file missing)
O18 - Protocol: stash - {44D81A5B-F195-11D2-A3D7-000086335B27} - C:\PROGRAM FILES\EARTHLINK 5.0\STASH100.DLL

Hello

You did good so far, i dont think the other error is spyware/malware related though

However, I've been getting other pop-ups now about kernell32.dll causing an error and EXPSRV causing an error
next time you see it write it down word for word and what you were doing at the time it happend.

Hello - when I do a normal start-up and let everything load, the desktop appears, etc. I then log onto the internet and after I get the "you are now connected to the internet" I often remove several icons from my tool bar/task panel for programs I don't usually use i.e. the scanner, kodak photo program, Q-Quick Time, etc. The error message will appear either as I'm connecting to the internet or just a few minutes after connecting. It says, "EXPSRV has caused an error in <unknow> EXPSRV will now close. Restart your computer if the problem continues." After I tell this ok I often get another error message, "Kernel32 has caused an error in USER.EXE. Kernel32 will now close. Restart your computer if the problem continues." I did a Cntrl Alt Delete to see what was not running and found Task Panel [Not Responding] and Em Exec [not responding]. I'm not sure either of those matter as the second time it gave me the errors and I said ok, Cntrl Alt Delete didn't show any program not responding. Also, I hadn't removed anything from the tool bar/task panel the second time and still got the msgs. I need to note that I don't get the error messages every time I access the internet -- but I did not get them before the problem with the virus's and ibm0003.exe. I just want to make sure I didn't loose a needed command or something after quarantineing the virus's and deleting them. Thnx again.
Titan

Not sure i understand, Your moving items from the quicklaunch toolbar ?

How often are you seeing the error's ?


Try reinstalling earthlinks software, starting the Uninstall might offer an option to repair try that, if no option to repair Uninstall it reboot the PC and install again. It could be trends software causing the error, simple to find by reinstalling.

removing the ibm00003 file's did not cause the current problem.

Hey LonnyRJones - thnx for your help and input. I've done a selective start up and don't run the programs on start-up that I don't use. I haven't had the error messages since doing this. If I find I'm needing to run these programs and get the error messages then I will uninstall earthlink, etc. Again, I appreciate your help and thank you - Titan

Think Prevention:
Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Repeat that proccess about once or twice a month

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279

Sufe safe

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Glad we could help. :)