Trojan.Anserin - Can't remove infected dll files

Posted on 2006-05-05
Last Modified: 2008-11-10
My father has managed to get himself infected with the Anserin Trojan:

He has Symantec Corporate 10.0 running on his laptop.

I have talked him through booting into safe mode, scanning and fixing, but the two files (ibm0004.exe and ibm00003.exe) will not delete - comes up saying that the file has been left alone as it could not be cleaned or removed.

If I get him to go through windows and try, he gets: "cannot delete ibm0004.exe access is denied"

I don't understand how it can still be locked in Safe Mode. I have had him delete the registry keys, so the virus shouldn't be launching anymore.

Any suggestions as to how to get rid of these files?

Question by:arrowtech
    LVL 47

    Expert Comment

    1. Please download SmitfraudFix:
    Extract the content (a folder named SmitfraudFix) to your Desktop.
    Next, please reboot your computer in Safe Mode by rebooting the computer,
    and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
    the options listed.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected
    You will be prompted : "Registry cleaning - Do you want to clean the
    registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove
    the Desktop background and clean registry keys associated with the
    The tool will now check if wininet.dll is infected. You may be prompted to
    replace the infected file (if found); answer "Yes" by typing Y and press
    The tool may need to restart your computer to finish the cleaning process;
    if it doesn't, please restart it into Normal Windows.
    2. If the problem persists, download HijackThis 1.99.1
    Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet, just upload the logfile created, go here and paste your Hijackthis log,
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    Or copy and paste the log at;
    and click "Analyse", click "Save".  Post the link to the saved list here.

    3. Or try:
    Download and install the free version of Ewido anti-malware.
    Update first then scan in safe mode.


    Author Comment

    If the OS still has the files locked in safe mode, how are these tools going to help that?
    LVL 47

    Expert Comment

    The file is locked even in Safe Mode because it loads even before Windows loads, so it will always be locked.
    Another way to do it is to use a tool that will delete it before windows loads.
    That file is in fact part of smitfraud infection which smitrem used to be able to remove but since smitrem is no longer updated by its creator I suggested Smitfraudfix.exe.

    If you post a HijackThis log I'm fairly sure that the entry in the F2 line or O2 line will be there.
    Try Smitfraudfix first, then if its still there, post a hijackthis log so we'll see the entry.

     Can you post the exact path and filename of those 2 files?
    LVL 32

    Accepted Solution

    Here is what I suggest:

    First locate the files named ibm0004.exe and ibm00003.exe (probably in c:\windows or c:\windows\system32)


    (0) If running XP Home, boot in safe mode, if XP Pro, then start with step (1)

    (1) Right click on the file (e.g. ibm0004.exe) in Windows Explorer or My Computer, select Properties

    (2) Click on the Security tab.

    (3) Click on the Advanced button.

    (4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

    (5) Repeat steps (1) to (4) for the other file

    (6) Close all windows.

    (7) Reboot.

    After reboot the file(s) will be unable to run (because no one can access them any more). The symptoms should be gone.

    At this point you can clean up with a standard anti-spyware program. I would recommend the ones suggested by rpggamergirl above.

    When all seems OK please still do run HijackThis and analyze the log, and if anything bad is still there then send us the link to the analyzed log (see item (2) in the post by rpggamergirl above).
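The accepted answer's Explorer steps, done from PowerShell, as an added example that is not part of the original thread and not r-k's own code. It also includes the restore step the asker points out below is missing, and a re-creation check for r-k's caveat that something hidden may drop the files again. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on a modern Windows; the two filenames are the ones from the question, and their location under C:\Windows\system32 is the answer's guess, not a confirmed path.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell
# session; the paths below are assumptions (the answer says "probably").
$Suspects = @(
    'C:\Windows\system32\ibm0004.exe',
    'C:\Windows\system32\ibm00003.exe'
)

# Steps (1)-(4) of the answer: disable inheritance, discard inherited ACEs and
# drop any explicit ACEs, leaving an EMPTY DACL. An empty DACL (unlike a
# missing one) grants access to nobody, so the file cannot be opened and
# therefore cannot be executed or loaded after the next reboot.
function Lock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    # Make Administrators the owner first: the owner keeps implicit
    # READ_CONTROL/WRITE_DAC, so we can still read and rewrite the DACL later.
    takeown.exe /F "$Path" /A | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path" }

    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, don't keep inherited ACEs
    foreach ($ace in @($acl.Access)) {            # also remove explicit ACEs
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Verify: no ACEs remain on the file.
    return ((Get-Acl -LiteralPath $Path).Access.Count -eq 0)
}

# The step the asker found missing: give the file a usable ACL again by
# re-enabling inheritance from the parent folder, so it can be deleted.
function Unlock-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($false, $true)   # inherit from parent again
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# After the reboot: restore permissions, delete, and confirm the file does
# not come straight back (a hidden dropper would re-create it).
function Remove-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    Unlock-SuspectFile -Path $Path
    Remove-Item -LiteralPath $Path -Force
    Start-Sleep -Seconds 10
    if (Test-Path -LiteralPath $Path) {
        Write-Warning "$Path was re-created; another component is still dropping it"
        return $false
    }
    return $true
}

# Before the reboot (from Safe Mode on XP Home, per step (0)):
foreach ($f in $Suspects) {
    if (Test-Path -LiteralPath $f) {
        "Locked $f : $(Lock-SuspectFile -Path $f)"
    }
}
# ... reboot, confirm the symptoms and Symantec alerts are gone, then:
# foreach ($f in $Suspects) { Remove-SuspectFile -Path $f }
```

The lock does not break the lock the asker sees; it only guarantees that once the current handle goes away at reboot nothing can reopen the file. If `Get-Acl` fails after locking, the session is not running as the file's owner, which is why the example takes ownership first.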


    Expert Comment

    You have TWO options:
    You are not allowed to delete a file that is used. This is how things should be - it is not always the case.

    You may use the registry entry: "RUNONCE" - not "RUN"!
    Specify a new "Key Value" - give it a nasty name - any name.
    Here you enter "DEL C:\WINNT\System32\<yourfile>.dll" as in
    silly REG_SZ DEL c:\winnt\System32\ogb00023.dll

    exit regedit and reboot.

    The alternative is to enter the same command in c:\AUTOEXEC.BAT - this still exists and is used... and may be used to delete the file before your computer has started and the virus reinstalled itself.

    However - this seems to be adware - that re-installs itself. Check your Host file for multiple entries of - should only be "localhost". One of these installs itself and plays around with your network definitions, uses multiple hosts and you need both a proper firewall and virus removal tool to get rid of it...
    Good luck ! - Zonelab is an OK firewall, that also contains a scanner (better are around but..) it is "free" for 2-3 weeks, enough to get rid of your problem.
    But beware: Some adware are now so mean that the easiest way out is to remove all temporary browser files, all files that you are not 100% certain should be there, and reinstall the OS. I keep W2KAS on drive D - with MS Office.
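Two ways to have Windows itself remove a file that cannot be deleted while it is in use, as an added example that is not part of the thread and not knuthf's own code. Option A is the mechanism behind the "tool that will delete it before windows loads" mentioned earlier in the thread: a delayed delete queued through MoveFileEx, which Session Manager carries out at the next boot before any Run/RunOnce entry or service starts. Option B is knuthf's RunOnce idea, with one correction of my own: `del` is a cmd.exe built-in rather than a program, so the RunOnce value has to invoke `cmd.exe /c`. Assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the target path is the question's filename under the folder guessed in the accepted answer and is an assumption.

```powershell
# Added example, not code from the thread. Assumes an elevated PowerShell
# session; the target path is an assumption.
$Target = 'C:\Windows\system32\ibm0004.exe'

# Option A: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a NULL destination
# records the file in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\
# PendingFileRenameOperations; smss.exe deletes it during the next boot,
# before the malware's autostart entries can run and re-lock it.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool MoveFileEx(string lpExistingFileName,
                                     string lpNewFileName, uint dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Register-DeleteOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $ok = [Win32.Kernel32]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: Win32 error $err"
    }
    # Verify the queued operation: a delete is stored as "\??\<path>"
    # followed by an empty string in the REG_MULTI_SZ value.
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pending = Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations `
               -ErrorAction SilentlyContinue
    return ($null -ne $pending -and
            $pending.PendingFileRenameOperations -contains "\??\$Path")
}

# Option B: knuthf's RunOnce approach. HKLM RunOnce values execute at logon,
# after services and the malware's own Run entries have already started, so
# the file may be locked again by then; Option A is the more reliable one.
function Register-DeleteAtLogon {
    param([Parameter(Mandatory)][string]$Path)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    $cmd = "cmd.exe /c del /f /q `"$Path`""   # value name is arbitrary, as knuthf says
    New-ItemProperty -Path $key -Name 'CleanupSuspect' -Value $cmd `
                     -PropertyType String -Force | Out-Null
    return ((Get-ItemProperty -Path $key).CleanupSuspect -eq $cmd)
}

Register-DeleteOnReboot -Path $Target
# Register-DeleteAtLogon -Path $Target   # fallback; choose one, then reboot
```

Either way the file is only gone if nothing re-creates it at startup, so check for it again after the reboot, as the thread advises, before considering the machine clean.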

    Author Comment

    r-k had what I needed to just get rid of those files - the scans can wait for now - it was phone support for my father so I just wanted to make sure the exe and dlls were removed, and stop the Symantec pop-up notifications.

    One thing - your steps forgot to put permissions back on the files again after the reboot - someone who didn't know what they were doing and was just following steps wouldn't know to do that and would just get Access Denied again.

    Thanks everyone for the help - I enjoyed knuthf's suggestions as well, but they came too late to try.

    LVL 32

    Expert Comment

    "your steps forgot to put permissions back on the files again after the reboot"

    Good point, and glad you raised it. In most cases, it is OK to change permissions back after the reboot and then delete the files. However, there are cases where it may be better to leave the files alone. For example, there might be a hidden program that may re-create the files if you delete them. Then again, even if deleting the files is OK, it does no harm to leave them there - so long as permissions stay removed, they can't run, and even the AV programs will ignore them.

    It was with this reasoning that I omitted the final step of deleting the files. In your case, if you deleted them and they did not reappear, then that is a good thing.


    Author Comment

    No problems, all makes sense.
