
Unique Situation: Need Your Problem Solving Help! - Ibm00001.exe

  • This topic is locked
3 replies to this topic

#1 Benjy


  • Members
  • 1 posts
  • Local time:03:42 AM

Posted 14 November 2005 - 04:49 PM

Ok, so a week ago, I somehow got infected with SpyWare Sheriff (I think it's called). I followed the instructions on the self help page. I got rid of most of my problems, in stages: first, I got rid of the most annoying part, the error message about ibm00001.exe that kept popping up every 30 seconds. I then was able to fix the active desktop problem and error message. As of right now, my computer looks fine. The ibm00001.exe still appears once when I initially log into Windows, but then goes away. The only problem that I currently have is that when I try to launch a program like iTunes or AIM, the program starts, but then closes by itself after about 30 seconds or so, without any error message. Someone please help! Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:33:31 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://aimtoday.aol.com/_ads/adsPopup2.htm?0
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: {A20CC53E-61FE-4788-85FF-A0F9C9B4C2A9} - {93989C8B-BD5F-4783-A470-EB07F08E83C7} - C:\WINDOWS\system32\winapic32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Windows Updates - {A20CC53E-61FE-4788-85FF-A0F9C9B4C2A9} - C:\WINDOWS\system32\msiedp32.dll
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [PadTouch] "C:\Program Files\TOSHIBA\PadTouch\PadExe.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.1\MMKEYBD.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Startup: palmOne Registration.lnk = C:\Program Files\palmOne\register.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\palmOne\AlarmApp.exe
O4 - Global Startup: INFCACHE.1
O4 - Global Startup: WPC11 Config Utility.lnk = ?
O4 - Global Startup: WPC11CFG.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11CFG.HLP
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\qemljigm.dll (file missing)
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\bepafgfg.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Windows - Unknown owner - C:\WINNT\srvany.exe



#2 RavenMind


  • Members
  • 21 posts
  • Local time:05:42 AM

Posted 18 November 2005 - 04:30 AM

Hi and welcome to Bleeping Computer!

Let me apologize for nobody getting back to you sooner. As you can see, we're pretty busy around here.

I am currently reviewing your log, and will be back to address your problem A.S.A.P. Please note that this is under the supervision of a fully certified Analyst.

Please subscribe to this thread by going to the top & clicking on Options > Track this topic, so that you are notified when a reply has been made.

Please be patient with me during this time.

Thank you,


#3 RavenMind


  • Members
  • 21 posts
  • Local time:05:42 AM

Posted 19 November 2005 - 02:41 AM

Hello again, and thank you for being patient while I reviewed your log!

I’m seriously concerned about the integrity of your system. I’m seeing at least one keylogger/password stealer, and a couple of backdoor Trojans. In the interest of denying outside access to your computer, I suggest you completely disconnect it from the internet after you have downloaded the tools for this fix. Also because of the potential password theft, I urge you to use another computer and change the passwords to any site you have visited with this machine. Especially any financial institutions! You may also want to consider changing your login ID to any sensitive sites such as banks, credit card companies etc. I would suggest doing this immediately.

Now please copy then paste this page into Notepad & save it.
You may also want to print out a copy of these instructions so you can refer back to them offline. You may be asked to download some tools/programs, so please stay in Normal Mode unless otherwise directed. At the end of the fix you may choose to delete these tools, or keep them for future use.

Your Internet Explorer favorites (bookmarks) may have been compromised by some of the malware on your system. I would suggest either deleting them all & rebuilding them from scratch, or else going into the properties for each one & making sure they haven’t been changed to redirect you to a malicious site.

Please disable Norton’s script blocking service for the duration of this fix.
  • Enable the viewing of hidden files/folders:

    Go to My Computer > Tools > Folder Options > “View” tab. Enable “Show hidden files and folders”, and un-check “Hide protected operating system files”.

  • Downloads:

    smitRem.exe – Save the file to Desktop, then double click its icon to extract it to its own folder, (again on Desktop).

    Ewido Security Suite: - Download & install Ewido, then update its database. Do not run it yet.

    AdAware SE Personal - Download and install the program, keeping the default options. However, some of the settings will need to be changed before your first scan.
    • Close ALL windows except Ad-Aware SE.
    • Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
    • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
      • In the ‘General’ window make sure the following are selected in green:
        • Under [Safety]:
          • Automatically save log-file
        • Automatically quarantine objects prior to removal
        • Safe Mode (always request confirmation)
      • Under [Definitions]:
        • Prompt to update outdated definitions - set the [number of days]
    • Click on the ‘Scanning’ button on the left and select in green:
      • Under [Driver, Folders & Files]:
        • Scan Within Archives
      • Under Select drives & folders to scan:
        • choose all hard drives
      • Under [Memory & Registry]: all green
        • Scan Active Processes
        • Scan Registry
        • Deep Scan Registry
        • Scan my IE favorites for banned URLs
        • Scan my Hosts file
    • Click on the [‘Advanced’] button on the left and select in green:
      • Under [Shell Integration]:
        • Move deleted files to recycle bin
      • Under [Logfile Detail Level]: all green
        • include additional object information
        • DESELECT - include negligible objects information
        • include environment information
      • Under [Alternate Data Streams]:
        • Don't log streams smaller than 0 bytes
        • Don't log ADS with the following names: [CA_INOCULATEIT]
    • Click the ‘Tweak’ button and select in green:
      • Under [Scanning Engine]:
        • Unload recognized processes during scanning
        • Scan registry for all users instead of current user only
      • Under [Cleaning Engine]:
        • Let Windows remove files in use at next reboot
      • Under [Log Files]:
        • Include basic Ad-aware SE settings in logfile
        • Include additional Ad-aware SE settings in logfile
        • Please do not Select: Include Module list in logfile
    • Click on ‘Proceed’ to save the settings.
    • Exit the program. We will run it later.
  • Completely disconnect from the internet now.

  • Reboot into Safe Mode.

    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu appears. Choose “Safe Mode”, press Enter, and Windows will continue to load.

  • End Running Processes:

    Make sure to close any open browsers. Go into HijackThis and click Config > Misc. Tools > Open Process Manager
    Select the following, and click Kill Process:


  • Program Removals:

    Uninstall the following entries via the Add/Remove panel, (Start > Settings > Control Panel > Add/Remove Programs). Some programs may not appear, do not be alarmed, but please check for each.

    Wild Tangent
    or PowerSearch toolbar for IE
    KeenValue is supplied by eUniverse sites, such as thunderdownloads.com, myfreecursors.com, cursorzone.com and mycoolscreen.com. Please avoid these sites and especially do not download anything from them.

  • HijackThis Entry Fixes:

    Now run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
    F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
    O2 - BHO: {A20CC53E-61FE-4788-85FF-A0F9C9B4C2A9} - {93989C8B-BD5F-4783-A470-EB07F08E83C7} - C:\WINDOWS\system32\winapic32.dll (file missing)
    O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
    O3 - Toolbar: Windows Updates - {A20CC53E-61FE-4788-85FF-A0F9C9B4C2A9} - C:\WINDOWS\system32\msiedp32.dll
    O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: INFCACHE.1
    O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINDOWS\system32\qemljigm.dll (file missing)
    O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\bepafgfg.dll (file missing)

    Please make sure to close all open windows & browsers, then click Fix Checked.

  • File Deletions:

    Delete the following FILES indicated in RED and FOLDERS indicated in BLUE, if they still exist.

    NOTE: If the full path to the file is not listed, then you should do a Search. (“Start” > “Search” > “For files or folders…” > “All files & folders”)

    C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
    C:\Program Files\Common files\updmgr
    PowerReg Scheduler.exe

  • smitRem:

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.

    The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please copy & paste that log in your next reply.

  • Run a Scan with AdAware:
    • Launch AdAware
    • Click ‘Start’
    • Choose 'Perform Full System Scan'
    • DESELECT "Search for negligible risk entries", as negligible risk entries (MRUs) are not considered to be a threat.
    • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
    • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
    • Right-click on the list and choose [Select All]
    • Click the [Next] button to finish removing the items that were found.
    • Close AdAware.
  • Ewido Scan:

    Run Ewido:
    • Click "Scanner"
    • Click "Complete System Scan" to begin scanning.
    • Click "OK" when prompted to clean files
    • With the first file it prompts to clean, select the option - "Perform action on all infections", choose "Clean" and click "OK".
    • Once finished, click the Save Report button
    • Save the report to your desktop
    Close Ewido

  • Reboot into Normal Mode, and reconnect to the internet.

  • Online Scan:

    Using Internet Explorer, perform an online scan with Panda ActiveScan
    ** click on "Free use ActiveScan" located on the top right hand corner
    • Click Scan your PC & a 'pop up' window will appear. (Ensure that your pop up blocker doesn't block it.)
    • Click Scan Now
    • Enter your e-mail address & click Scan Now
      It will begin downloading Panda’s 8 MB ActiveX control. (Be sure your Internet Explorer settings will accept the ActiveX)
    Begin the scan by selecting My Computer
    • If it finds any malware, it will offer you a report.
    • Click on see report. Then click Save report
Please post the following items in your next reply:
  • Fresh HJT log run in Normal mode
  • smitfiles.txt
  • Ewido scan report
  • Panda scan report
  • How is your computer behaving now?
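One way to mechanise the kind of triage done in this reply, as an added example that is not part of the thread and not HijackThis's own code: it parses HJT entry lines and flags the patterns the helper acted on (a system.ini Shell= value that chains another program onto explorer.exe, BHO/Toolbar/SSODL entries whose DLL is missing, BHOs with no readable name, and services with an unknown owner). The heuristics are this example's own assumptions, and the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis v1.99.1 log for entries that deserve a closer look.

Added example (not from the thread, not part of HijackThis). The rules below
are assumptions modelled on what the helper flagged in the posted log.
"""
import re

# Constructed sample: a handful of entry lines copied from the posted log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: {A20CC53E-61FE-4788-85FF-A0F9C9B4C2A9} - {93989C8B-BD5F-4783-A470-EB07F08E83C7} - C:\WINDOWS\system32\winapic32.dll (file missing)
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINDOWS\system32\bepafgfg.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows - Unknown owner - C:\WINNT\srvany.exe
"""

# Every HJT entry line starts with a section code (R0, F2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<type>[RFNO]\d+) - (?P<body>.*)$")
# A BHO whose display name is itself a bare GUID has no human-readable name.
GUID_NAME_RE = re.compile(r"^BHO: \{[0-9A-F-]{36}\} - ", re.IGNORECASE)


def parse(log_text):
    """Yield (type, body) for each entry line; header and blank lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("type"), m.group("body")


def triage(log_text):
    """Return a list of (type, reason, body) for entries worth a closer look."""
    findings = []
    for kind, body in parse(log_text):
        if kind == "F2" and "Shell=" in body:
            # The shell value should be exactly explorer.exe; anything appended
            # to it is started at every logon together with the desktop.
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                findings.append((kind, "extra program chained onto Shell=", body))
        elif kind == "O2" and GUID_NAME_RE.match(body):
            findings.append((kind, "BHO with no readable name", body))
        elif kind in ("O2", "O3", "O21") and body.endswith("(file missing)"):
            # A registration whose DLL is gone is a leftover; fixing it is safe.
            findings.append((kind, "registered component with missing file", body))
        elif kind == "O23" and "Unknown owner" in body:
            # Vendor services carry a company name; an unnamed service deserves a look.
            findings.append((kind, "service with unknown owner", body))
    return findings


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:<4}{reason:<40}{body}")
```

Entries that match none of the rules (the Yahoo start page, the NAV Helper BHO, the iPod service) pass through silently, so the output is the short list a helper would actually examine.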

#4 tetonbob


  • Malware Response Team
  • 797 posts
  • Local time:06:42 AM

Posted 10 December 2005 - 03:05 PM

* * * * * * * * *

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

* * * * * * * * *
Practice Safe Surfing

Proud Member of UNITE since 2006

Microsoft MVP Consumer Security 2009 - 2015
