On start-up I get the following error message every time:
"Windows cannot find 'ibm00001.exe'. You may have typed the name incorrectly in the Run dialog, or another open program cannot find a system file. "
I ran Norton Antivirus with the latest definitions, and found Trojan.Anserin, which is associated with the ibm0001.exe and ibm0000x.dll files. I followed the Symantec removal instructions, and it all seemed to work, except one part. The instructions said:
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane, set the value:
"Shell" = "Explorer.exe"
But I could not find this subkey on my computer. There was no subfolder called Winlogon in the ...\CurrentVersion folder.
Anyway, I followed all the rest of the instructions, and I have since rerun Norton without finding any viruses. I also ran Pandascan and just found some tracking cookies and Altnet Signing Module, which I removed. I ran Spybot as well, and just found cookies. I ran TrojanHunter and found nothing.
I went into the virus history on Norton, and discovered that it had found Backdoor.Jeem and Downloader.Trojan in the recent past. I deleted the files associated with these virus. Based on my registry, it doesn't look like I am infected with either virus.
Anyway, I am still getting the ibm0001.exe error message every time I startup. I've looked in the startup list under MSCONFIG, but can't find anything suspicious.
Below is my HiJackThis log.
I'd really appreciate any help you can give me.
Thank you.
David
Logfile of HijackThis v1.99.1
Scan saved at 8:24:01 PM, on 30/07/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\THOTKEY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\Tools_95\Register\REMIND.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\ALISNDMG.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE
C:\PROGRAM FILES\TOSHIBA\NETDEVSW\NETDEVSW.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\TOOLS_95\IMGICON.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALONEMESSAGECENTER.EXE
C:\PROGRAM FILES\COFFEECUP SOFTWARE\COFFEECUP PRIVACY CLEANER\PRIVACYCLEANERREG.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPC32.EXE
C:\PROGRAM FILES\A-SQUARED\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F1 - win.ini: load=C:\TOOLS_95\REGISTER\remind.exe
F1 - win.ini: run=hpfsched
O2 - BHO: Yahoo! Companion BHO - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_6.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: IEHlprObj Class - {1180A2DB-22AD-4EC4-85D2-8C4CE8FA35FC} - C:\WINDOWS\SYSTEM\MOZ030715S.DLL (file missing)
O2 - BHO: TChkBHO Class - {AE9AEFA8-4E8C-48FD-BEE5-5866AFBABF4F} - C:\WINDOWS\SYSTEM\ILGLCOO.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_0_2_6.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] irmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ALiSndMgr] ALiSndMg.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.5\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [THotkey] C:\WINDOWS\SYSTEM\THotkey.exe
O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSW\NetDevSW.exe
O4 - Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Startup: Iomega Watch.lnk = C:\Tools_95\IOWATCH.EXE
O4 - Startup: Iomega Startup Options.lnk = C:\Tools_95\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Tools_95\imgicon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_0_2_6.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speeder...meInstaller.exe
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potb_x.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 142.227.51.1