
Thread: As requested, my HJT log

  1. #11
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Good, those are fine.

    Let us know of any problems or if you see that (cannot find) error again.

  2. #12
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    Thumbs up

    Will do. Thank you once again.


  3. #13
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    Question

    I haven't encountered anything that seems to be a problem (I haven't yet tried to perform a task and been refused access to it, that is), but I do still get the "cannot find file" notification for ibm00007 every time I start the computer.

    For clarity's sake, I might as well mention that I shut down the computer after each day's use. And my internet connection is dialup.


  4. #14
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Let's get a Silent Runners report.

    Download and run Silentrunners.Vbs, and post the log it creates please.
    http://www.silentrunners.org/sr_scriptuse.html Click No to not skip the supplementary searches.
    Wait until there is an All Done message!! Then open and post the log next to it. Your antivirus script protection might interfere or alert; please allow it to run. After a bit, a box will say done.

  5. #15
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    Default

    Hmm. It told me that it couldn't recognize my OS and invited me to email the author with the information that my WINVER.EXE file version was 4.0.0.1111 (even though it's really 4.00.1111). When I did I got an email back with the following:
    Hello,

    You're using a Windows version, Windows 95 SR2 (OEM), that was never
    available in stores. To get my script to run, use this version:

    http://www.aaronoff.com/misc_files/S...s%20R42D00.vbs

    regards, Andy

    On Sun 04 Dec 2005 at 01:51 +0100 (Paris time), you wrote:
    > WINVER.EXE file version = 4.0.0.1111
    I hit the link, and it downloaded another version of the application, which in turn, requires me to download Windows Management Instrumentation (WMI) CORE 1.5 (Windows 95/98) from this site. As I'm typing this post, I am in the process of downloading the latest offering.

    Any idea why my system tells me that it's WIN98, and the WINVER.EXE file is telling total strangers that it's WIN95? I'm beginning to think I may be getting in over my head. You haven't steered me wrong yet, though, so I'm going to proceed with this next download and hope for the best.

  6. #16
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    Unhappy

    On second thought: I just tried to start the installation wizard for the Windows Management Instrumentation (WMI) download. The first thing it told me was that if I install it, I won't be able to remove it.

    So before I do, I'd like your opinion on whether this is a safe path for me to embark upon. I'm particularly concerned with the issue of why my OS identifies itself as WIN98, but carries a WINVER.EXE file supposedly identifying it as a mutant form of WIN95.

    Thank you for your continued assistance.

  7. #17
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi
    Was your PC originally Win 95?

    Yes, continue with the MS WMI installation. It might need another (small) install too; the script will inform you if it's needed.

    Afterwards I'd try the original silentrunners.vbs to see if it will run; if not, use the other he suggested.

  8. #18
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    Default

    No, it still insisted on running the modified version.

    That said, here is the result of the operation:
    "Silent Runners.vbs", revision 42D00, http://www.silentrunners.org/
    Operating System: Windows 95 SR2 (OEM)
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:
    ---------------------------------

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" ["Safer Networking Limited"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SystemTray" = "SysTray.Exe" [MS]
    "LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
    "C-Media Mixer" = "Mixer.exe /startup" ["C-Media Electronic Inc. (www.cmedia.com.tw)"]
    "CompaqPrinTray" = "PrinTray.exe" ["Lexmark"]
    "CIJ3P2PSERVER" = "CIJ3P2PS.EXE" [","]
    "projselector" = ""C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r" ["Roxio"]
    "RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX" ["("]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL" ["Safer Networking Limited"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Exchange"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Windows Messaging\mlshext.dll" [MS]
    "{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Explode"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\UNBIND.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
    -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office\olkfstub.dll" [MS]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
    -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


    Active Desktop and Wallpaper:
    -----------------------------

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    HKCU\Control Panel\Desktop\
    "Wallpaper" = "C:\My Documents\My Pictures\Brown Family.bmp"


    WIN.INI & SYSTEM.INI launch points:
    -----------------------------------

    SYSTEM.INI
    [boot]
    INFECTION WARNING! "shell=explorer.exe ibm00007.exe" [MS], [file not found]
    "SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\FLYING~1.SCR" (Flying Windows.scr) [MS]


    Startup items in "Startup" & "All Users...Startup" folders:
    -----------------------------------------------------------

    C:\WINDOWS\Start Menu\Programs\StartUp
    "Office Startup" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA.EXE -b" [MS]
    "Microsoft Find Fast" -> shortcut to: "C:\Program Files\Microsoft Office\Office\FINDFAST.EXE" [MS]
    INFECTION WARNING! "PowerReg Scheduler.exe" ["4"]


    Winsock2 Service Provider DLLs:
    -------------------------------

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
    C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
    C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
    C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


    Toolbars, Explorer Bars, Extensions:
    ------------------------------------

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {85D1F590-48F4-11D9-9669-0800200C9A66}\
    "MenuText" = "Uninstall BitDefender Online Scanner v8"
    "Exec" = "%windir%\bdoscandel.exe" [null data]


    Print Monitors:
    ---------------

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    Compaq IJ300 LanguageMonitor\Driver = "cij3lgmn.dll" ["Compaq Computer Corp. "]


    ----------
    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + The search for DESKTOP.INI DLL launch points on all local fixed drives
    took 19 seconds.
    + The search for all Registry CLSIDs containing dormant Explorer Bars
    took 17 seconds.
    ---------- (total run time: 63 seconds)
    Anything useful?

  9. #19
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Copy this file to your desktop as a backup:
    c:\windows\SYSTEM.INI
    Right-click and rename the one in the Windows folder to system.ini.txt
    Open it and remove only "ibm00007.exe"
    Exit and save, now rename it back to normal >> "system.ini"

    That should solve the problem
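
The manual SYSTEM.INI edit from post #19, written as a check that can be run over a copy of the file. This is an added example, not part of the original thread or of Silent Runners. The sample file contents are constructed from the `[boot]` lines in the log above, and treating `explorer.exe` as the only expected shell is an assumption.

```python
import ntpath
import re

# Constructed sample modelled on the [boot] entries shown in the posted log.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=explorer.exe ibm00007.exe
SCRNSAVE.EXE=C:\\WINDOWS\\SYSTEM\\FLYING~1.SCR

[386Enh]
device=*vshare
"""

EXPECTED_SHELL = "explorer.exe"  # assumption: stock Windows 9x shell


def audit_shell(ini_text, expected=EXPECTED_SHELL):
    """Return (cleaned_text, extras) for the [boot] shell= launch point.

    extras lists every token that follows the expected shell. Those tokens
    are dropped from cleaned_text; every other line is passed through as-is.
    Paths containing spaces are not handled (whitespace splits tokens).
    """
    section = None
    out, extras = [], []
    for line in ini_text.splitlines():
        stripped = line.strip()
        header = re.fullmatch(r"\[([^\]]+)\]", stripped)
        if header:
            section = header.group(1).lower()
        elif section == "boot" and not stripped.startswith(";"):
            key, sep, value = stripped.partition("=")
            if sep and key.strip().lower() == "shell":
                tokens = value.split()
                if tokens and ntpath.basename(tokens[0]).lower() == expected:
                    extras.extend(tokens[1:])
                    line = f"{key.strip()}={tokens[0]}"  # keep only the shell
                else:
                    # Shell itself is missing or replaced: report, do not rewrite.
                    extras.extend(tokens)
        out.append(line)
    return "\n".join(out) + "\n", extras


if __name__ == "__main__":
    cleaned, extras = audit_shell(SAMPLE_SYSTEM_INI)
    print("extra shell entries:", extras)
    print(cleaned, end="")
```

Work on a backup copy, as the post advises, and review the reported extras before writing the cleaned text back.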

  10. #20
    Junior Member
    Join Date
    Nov 2005
    Posts
    6

    Thumbs up

    And so it did. Thank you once again for a marvelous job, LonnyRJones.
    :D
    Now it's off to see if Spybot will complete a scan in under a week. I hope my next login is to visit one of the social forums to chew the fat.
