
Thread: As requested, my HJT log

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    As requested, my HJT log

    In this thread, I was advised to follow the instructions in the malware removal page. Accordingly, I downloaded and ran a scan on BitDefender. FWIW, the scan failed to successfully disinfect any file, and it failed to delete one (C:\WINDOWS\SYSTEM\ibm00008.dll, if it makes any difference).

    Anyway, I continued by running HiJackThis, and here is the resultant logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:46:29 PM, on 11/29/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\MIXER.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\CIJ3P2PS.EXE
    C:\PROGRAM FILES\COMMON FILES\ROXIO SHARED\PROJECT SELECTOR\PROJSELECTOR.EXE
    C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/channel/START
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CompaqPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [CIJ3P2PSERVER] CIJ3P2PS.EXE
    O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: PowerReg Scheduler.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
    O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409

    So, does it look like anything else needs to be taken care of? And is taking care of it likely to result in spybot being able to complete a scan in less than 48 hours?

    I do appreciate your assistance.


  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Go here and submit that file:
    Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
    C:\WINDOWS\SYSTEM\ibm00008.dll
    And report back with the findings.

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    6


    Thank you. I shall do so when I get home from work.

  4. #4
    Junior Member
    Join Date
    Nov 2005
    Posts
    6


    Quote Originally Posted by LonnyRJones
    Hi

    Go here and submit that file
    Submit a file--VirusTotal: http://www.virustotal.com/flash/index_en.html
    C:\WINDOWS\SYSTEM\ibm00008.dll
    And report back with the findings
    Okey dokey, here it is. It won't let me link to the results, I see on preview, so I will C & P.

    This is a report processed by VirusTotal on 12/01/2005 at 04:45:33 (CET) after scanning the file "ibm00008.dll" file.
    Antivirus Version Update Result
    AntiVir 6.32.0.6 11.30.2005 TR/Spy.Torpig.E.1.B
    Avast 4.6.695.0 11.29.2005 no virus found
    AVG 718 11.29.2005 no virus found
    Avira 6.32.0.6 11.30.2005 TR/Spy.Torpig.E.1.B
    BitDefender 7.2 12.01.2005 Trojan.Spy.Small.B
    CAT-QuickHeal 8.00 11.30.2005 no virus found
    ClamAV devel-20051108 11.29.2005 no virus found
    DrWeb 4.33 11.30.2005 Trojan.PWS.Gamma
    eTrust-Iris 7.1.194.0 12.01.2005 no virus found
    eTrust-Vet 11.9.1.0 11.30.2005 no virus found
    Fortinet 2.48.0.0 12.01.2005 no virus found
    F-Prot 3.16c 11.30.2005 no virus found
    Ikarus 0.2.59.0 11.30.2005 no virus found
    Kaspersky 4.0.2.24 12.01.2005 Trojan-Spy.Win32.Small.dg
    McAfee 4640 11.30.2005 PWS-JA
    NOD32v2 1.1309 11.30.2005 no virus found
    Norman 5.70.10 11.30.2005 no virus found
    Panda 8.02.00 11.30.2005 no virus found
    Sophos 4.00.0 12.01.2005 no virus found
    Symantec 8.0 12.01.2005 no virus found
    TheHacker 5.9.1.046 11.29.2005 no virus found
    VBA32 3.10.5 11.30.2005 no virus found

    VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

    Well, I don't know what it means. I hope it means something to you. And thanks again.

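    The report pasted above is a 2005-era VirusTotal text listing: one line per engine with its signature version, update date and verdict. The following is an added example (not part of the thread and not VirusTotal's own tooling) that parses those 22 lines, counts how many engines flagged the file, and pulls the family names the vendors agree on. The detection threshold and the list of "generic" name tokens are this example's own assumptions.

```python
"""Parse the multi-engine text report VirusTotal returned in 2005 and summarise it.

Added example, not part of the thread or of VirusTotal's tooling. REPORT holds the
result lines pasted in the post above; the verdict threshold is an assumption.
"""
import re
from collections import Counter

# One result line: engine, signature version, update date (MM.DD.YYYY), verdict text.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)
CLEAN = "no virus found"
# Naming-scheme tokens that carry no family information (assumed list).
GENERIC = {"tr", "trojan", "spy", "pws", "win32", "virus", "worm", "generic", "malware"}

REPORT = """\
Antivirus Version Update Result
AntiVir 6.32.0.6 11.30.2005 TR/Spy.Torpig.E.1.B
Avast 4.6.695.0 11.29.2005 no virus found
AVG 718 11.29.2005 no virus found
Avira 6.32.0.6 11.30.2005 TR/Spy.Torpig.E.1.B
BitDefender 7.2 12.01.2005 Trojan.Spy.Small.B
CAT-QuickHeal 8.00 11.30.2005 no virus found
ClamAV devel-20051108 11.29.2005 no virus found
DrWeb 4.33 11.30.2005 Trojan.PWS.Gamma
eTrust-Iris 7.1.194.0 12.01.2005 no virus found
eTrust-Vet 11.9.1.0 11.30.2005 no virus found
Fortinet 2.48.0.0 12.01.2005 no virus found
F-Prot 3.16c 11.30.2005 no virus found
Ikarus 0.2.59.0 11.30.2005 no virus found
Kaspersky 4.0.2.24 12.01.2005 Trojan-Spy.Win32.Small.dg
McAfee 4640 11.30.2005 PWS-JA
NOD32v2 1.1309 11.30.2005 no virus found
Norman 5.70.10 11.30.2005 no virus found
Panda 8.02.00 11.30.2005 no virus found
Sophos 4.00.0 12.01.2005 no virus found
Symantec 8.0 12.01.2005 no virus found
TheHacker 5.9.1.046 11.29.2005 no virus found
VBA32 3.10.5 11.30.2005 no virus found
"""


def parse_report(text):
    """Return one dict per engine line; header and footer lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def family_tokens(result):
    """Pull family-like tokens (e.g. 'Torpig') out of a vendor's detection name."""
    return [
        tok for tok in re.split(r"[./\-]", result)
        if tok.isalpha() and len(tok) > 3 and tok.lower() not in GENERIC
    ]


def summarise(rows, min_engines=2):
    """Detection count, per-engine names, family consensus and an overall verdict."""
    detected = [r for r in rows if r["result"].strip().lower() != CLEAN]
    families = Counter(tok for r in detected for tok in family_tokens(r["result"]))
    if len(detected) >= min_engines:      # assumed threshold, not a VirusTotal rule
        verdict = "malicious"
    elif detected:
        verdict = "suspicious"
    else:
        verdict = "undetected"
    return {
        "engines": len(rows),
        "detections": len(detected),
        "names": {r["engine"]: r["result"] for r in detected},
        "families": families,
        "verdict": verdict,
    }


if __name__ == "__main__":
    s = summarise(parse_report(REPORT))
    print(f"{s['detections']}/{s['engines']} engines flagged the file -> {s['verdict']}")
    for engine, name in s["names"].items():
        print(f"  {engine:12s} {name}")
    print("family consensus:", s["families"].most_common(3))
```

    Two caveats when reading the numbers. AntiVir and Avira are the same engine (Avira is the vendor of AntiVir; note the identical version and detection name), so the six hits come from five independent vendors. And a lone hit on a generic name such as PWS-JA is weak evidence on its own; several vendors independently naming a password-stealer family for a file with an unusual name in C:\WINDOWS\SYSTEM is what makes the verdict convincing.
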
  5. #5
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Hi

    Manually delete that file.
    Are there any other problems ?

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    6


    Quote Originally Posted by LonnyRJones
    Hi

    Manually delete that file.
    Are there any other problems ?
    Thank you. I have manually deleted it.

    As to problems, not really. But yesterday, and today, when I booted my system, I got a dialog box with the following message:
    Quote Originally Posted by dialog box
    Cannot find the file ibm00007.exe (or one of its components). Make sure the path and filename are correct and that all required libraries are available.
    I note that this filename differs from the infected one by one character and a filename extension. This did not prevent the computer from booting normally. When I went to Windows Explorer to delete ibm00008.dll, I found ibm00007.dll* right next to it in C:\WINDOWS\SYSTEM. But a search for ibm00007.exe yields nothing.

    Is this something I should be concerned about? If so, is there a site that might make the file available for download? Not that I'm too lazy to hunt for my installation disk, but I am kinda lazy. :D

    Thanks in advance.

    *.dll , that must be the required library the dialog box was talking about, right? Don't spare my feelings if I'm off the mark; this is pure speculation.

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Let's check.
    Download rand1038's registry search tool:
    http://tomcoyote.org/rand1038/vbscript/RegScan.zip
    Extract the file, run RegScan.vbs, paste in the bolded text below (to avoid mistakes, don't type it), wait for a text file to open and post the results.

    ibm00007.exe,ibm00008.dll,ibm0000

    Wait for a text file to open.
    Note: Your antivirus script protection might interfere. It's safe, please allow it to run.

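    RegScan.vbs walks the live registry looking for the comma-separated names above. The following is an added example (not the RegScan tool and not code from the thread) that performs the same kind of search over a text export of the registry instead, the REGEDIT4 file that `regedit /E dump.reg` writes on Windows 98, so it can be run offline on any platform. It handles the three data forms found in such exports (quoted strings, `hex:`/`hex(n):` byte lists with backslash line continuations, and other values such as `dword:` left as text). The sample export, its value names and the all-zero CLSID are constructed placeholders, not findings from the log in this thread.

```python
"""Search a REGEDIT4 (.reg) export for references to a comma-separated list of names.

Added example, not the RegScan.vbs tool linked in the thread: RegScan walks the live
registry, this walks a text export (regedit /E dump.reg on Windows 98) so it can run
offline anywhere. SAMPLE_EXPORT is constructed for illustration; the value names and
the CLSID in it are placeholders, not findings from the log above.
"""
import re

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')               # "name"=data or @=data
HEX_VALUE_RE = re.compile(r"^hex(?:\(\d+\))?:(.*)$", re.IGNORECASE)  # hex: / hex(2): / hex(7):

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"ibmloader"="C:\\WINDOWS\\SYSTEM\\ibm00007.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
@="C:\\WINDOWS\\SYSTEM\\rundll32.exe ibm00008.dll,Start"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@=hex:43,3a,5c,57,49,4e,44,4f,57,53,5c,53,59,53,54,45,4d,5c,\
  69,62,6d,30,30,30,30,38,2e,64,6c,6c,00
"""


def _logical_lines(text):
    """Join lines that regedit continues with a trailing backslash (long hex values)."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_data(data):
    """Turn exported value data into searchable text (simplified escape handling)."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = HEX_VALUE_RE.match(data)
    if m:
        raw = bytes(int(p, 16) for p in m.group(1).split(",") if p.strip())
        return raw.decode("latin-1").replace("\x00", "")   # Win9x exports are ANSI; drop NULs
    return data                                            # dword:... and anything else


def parse_reg_export(text):
    """Yield (key, value_name, data); value_name is None for a key's default value."""
    key = None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        name = None if m.group(1) == "@" else m.group(1)[1:-1]
        yield key, name, _decode_data(m.group(2))


def search_export(text, terms):
    """Return every value whose key path, name or data contains any of the
    comma-separated terms (case-insensitive). Keys that hold no values are not reported."""
    wanted = [t.strip().lower() for t in terms.split(",") if t.strip()]
    hits = []
    for key, name, data in parse_reg_export(text):
        haystack = f"{key}\n{name or ''}\n{data}".lower()
        matched = [t for t in wanted if t in haystack]
        if matched:
            hits.append({"key": key, "value": name, "data": data, "terms": matched})
    return hits


if __name__ == "__main__":
    for h in search_export(SAMPLE_EXPORT, "ibm00007.exe,ibm00008.dll,ibm0000"):
        print(f"[{h['key']}]  {h['value'] or '@'} = {h['data']!r}   <- {', '.join(h['terms'])}")
```

    To use it against a real machine, export with `regedit /E C:\dump.reg` and read the file with `encoding="latin-1"` (Windows 98 regedit writes ANSI text). A "Cannot find the file ... (or one of its components)" dialog at boot is what a startup entry pointing at a deleted file produces, but the registry is not the only startup source on Win9x: the load= and run= lines in win.ini and the Startup folder are not covered by a registry search and need to be checked separately.
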
  8. #8
    Junior Member
    Join Date
    Nov 2005
    Posts
    6


    No matches to your search terms: "ibm00007.exe,ibm00008.dll,ibm0000" were found. The search took 10 seconds.
    Also, I got an error message: "Regedit has performed an illegal operation and must be shut down." The details were:
    REGEDIT caused an invalid page fault in
    module REGEDIT.EXE at 0167:00405c5e.
    Registers:
    EAX=00000001 CS=0167 EIP=00405c5e EFLGS=00010246
    EBX=81971065 SS=016f ESP=0065fde0 EBP=61746144
    ECX=c159b430 DS=016f ESI=00000000 FS=1c9f
    EDX=bffc9490 ES=016f EDI=00000000 GS=0000
    Bytes at CS:EIP:
    8e 46 06 26 ff 75 12 26 8a 45 14 2a e4 50 e8 1b
    Stack dump:
    00000000 00000000 0040b9d5 00000000 00000000 81971065 00000000 0065fe38 00000000 81971274 00550000 0040b77c 00000000 81971274 00550000 0065ff78
    And the antivirus script protection didn't have anything to say about it.
    Last edited by kaylasdad99; 2005-12-02 at 07:30.

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025


    Check this folder and let us know the contents

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\

  10. #10
    Junior Member
    Join Date
    Nov 2005
    Posts
    6


    Two items:

    Msonsext.dll
    Ragent.dll

    And at this point, I will be retiring for the evening. Thank you for your efforts of this evening, and I look forward to seeing your response when I get in to work tomorrow.
